You can deploy the MBAM client during operating system deployment by using the Lite Touch Installation (LTI) process in MDT. You do this as part of the LTI process by adding the client installation files as an application, and then adding an Install Application step for the agent to your existing operating system deployment task sequences.
By installing the MBAM client as part of the operating system deployment task sequence, MDT installs the client automatically, which ensures that encryption is started or completed before users receive their device, so the device is protected before they start it for the first time. The MBAM client will be ready for use before users log on to the device for the first time.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 37
Windows 8 includes the BitLocker Used Disk Space Only encryption feature, which encrypts only the disk space currently in use instead of the entire disk volume. This feature dramatically reduces the time required to encrypt a disk volume.
By default, MDT automatically performs Used Disk Space Only encryption when enabling BitLocker for Windows 8 deployments to reduce the length of time required to deploy Windows 8.
The following sections describe the steps necessary to complete each task in the Deployment Workbench:
1. Ensure that partitions on targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices.
3. Add the MBAM client to the Applications node of your deployment share.
4. Configure the MBAM client application to hide it from users in the Deployment Wizard.
5. Add an Install Application step to your existing operating system task sequences.
6. Configure the MDT BitLocker-related configuration settings.
7. Immediately initiate encryption by using the MBAM client during task sequences.
For more information about using MDT to install applications during operating system deployment, see the MDT documentation.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker
Before you can enable BitLocker with MBAM, ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. For new devices or for devices that are being replaced, MDT automatically creates the necessary partitions to support BitLocker. When refreshing an existing device, LTI automatically resizes and creates the necessary partitions to support BitLocker, if there is sufficient available disk space.
Step 2: Enable the TPM on targeted devices
Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even across models within a device manufacturer.
By default, LTI performs BitLocker pre-provisioning for new device, refresh device, and replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for enabling the TPM can:
- Run in Windows PE, then you can support BitLocker pre-provisioning
- Only run in a Windows operating system, then you must either:
   - Manually enable the TPM to support BitLocker pre-provisioning
   - Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed but still as a part of the task sequence
For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker pre-provisioning.
To automatically enable the TPM and support BitLocker pre-provisioning by using scripts or software that can run in Windows PE
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create an MDT application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
   Place the Install Application task sequence step in the Preinstall group immediately before the Enable BitLocker (Offline) task sequence step.
To automatically enable the TPM by using scripts or software that can run only in a Windows operating system (no BitLocker pre-provisioning support)
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create an MDT application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
   Place the Install Application task sequence step in the State Restore group immediately before the Enable BitLocker task sequence step.
For more information on enabling the TPM, see Enable the TPM.
Step 3: Add the MBAM client application
When you add an application to your MDT deployment share, you must specify the command that installs it. Running MbamClientSetup.exe is the simplest way to start MBAM client installation with MDT. You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based on the target operating system version.
The command you specify for MBAM client installation must include the /q command-line option to perform an unattended installation. This option runs MbamClientSetup.exe with no user interaction. If you do not include this command-line option, the Setup program stalls the deployment process to wait for user interaction.
To add the MBAM client to your deployment share
1. In the Deployment Workbench, click Applications under Deployment Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the name of your deployment share).
3. Complete each page of the New Application Wizard:

   Application Type
      1. Click Application with source files.
      2. Click Next.
      Select the Application without source files or elsewhere on the network check box if you already have the installation files in a network share. For more information, see the section, “Create a New Application That Is Deployed from Another Network Share,” in the MDT documentation.

   Details
      1. In the Application Name box, type MBAM Client 64-bit.
      2. Click Next.
      The remaining text boxes on this page are optional and informational only. Although they do not affect deployment of the MBAM client, completing the remaining text boxes can prove useful later when you are maintaining the deployment share.

   Source
      1. In the Source directory box, type the path of the \MBAM\Installers\2.0\x64 folder that contains MbamClientSetup.exe.
      The Source directory box supports autocomplete, but you can click Browse to locate the files.

   Destination
      1. In the Specify the name of the directory that should be created box, optionally edit the name of the folder that the New Application Wizard will create in the deployment share. The wizard suggests a name based on the publisher, name, and version that you provided on the Details page.
      2. Click Next.

   Command Details
      1. In the Command line box, type the command you want to run to install the MBAM client, for example:
         MbamClientSetup.exe /q
      2. Click Next.

   Summary
      1. In the Details area, review the information that the New Application Wizard collected.
      2. Click Next.

   Progress
      1. Monitor the wizard’s progress as it adds the application to your deployment share.

   Confirmation
      1. Review the results, and then click Finish.
If you also need to deploy the 32-bit version of MbamClientSetup.exe, repeat the New Application Wizard, changing the following:
- In step 1, in Application Name, type MBAM Client 32-bit.
- In step 3, browse to the \MBAM\Installers\2.0\x86 folder.
Step 4: Configure the application
After adding the application to your MDT deployment share, hide it from users in the Deployment Wizard by selecting the Hide this application in the Deployment Wizard check box, so that users cannot interfere with its installation during deployment. Hiding the application prevents a user from selecting it in the wizard. If a user did select it, the application would try to install twice (once from the task sequence step and once from the wizard selection), one installation would return a failure code, and the deployment process could report errors.
To customize the MBAM client in your deployment share
1. In the Applications node of the deployment share, right-click the MBAM client application that you previously added, and then click Properties.
2. On the General tab of the application’s Properties dialog box, select the Hide this application in the Deployment Wizard check box.
3. Click OK.
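Steps 3 and 4 can also be scripted, which is useful when the same deployment share is rebuilt repeatedly or when several shares must stay consistent. The script below is an added example and is not code from the MBAM Deployment Guide or from MDT itself. It uses the MDT PowerShell module that the Deployment Workbench installs; Import-MDTApplication is the cmdlet the Workbench generates for the New Application Wizard, while setting the Hide property through the MDT provider drive is an assumption to confirm with the Get-ItemProperty check at the end. The deployment share path D:\DeploymentShare, the installer source \\fileserver\MBAM\Installers\2.0\x64 and the drive name DS001 are placeholders.

```powershell
# Added example (not from the MBAM Deployment Guide or MDT): import the MBAM
# client installer into an MDT deployment share as an application and hide it
# from the Deployment Wizard. Paths and the DS001 drive name are placeholders.

Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'

$shareRoot  = 'D:\DeploymentShare'                         # placeholder
$sourcePath = '\\fileserver\MBAM\Installers\2.0\x64'       # placeholder
$appName    = 'MBAM Client 64-bit'

# Map the deployment share as an MDT provider drive, as the Workbench does.
New-PSDrive -Name 'DS001' -PSProvider MDTProvider -Root $shareRoot | Out-Null

# Fail early if the installer is not where we expect it. A missing
# MbamClientSetup.exe would otherwise only show up as a failed task sequence
# on the first deployed device.
if (-not (Test-Path (Join-Path $sourcePath 'MbamClientSetup.exe'))) {
    throw "MbamClientSetup.exe not found in $sourcePath"
}

# Equivalent of the New Application Wizard with "Application with source files".
# /q is required: without it Setup waits for user interaction and stalls the
# deployment.
Import-MDTApplication -Path 'DS001:\Applications' `
    -Enable 'True' `
    -Name $appName -ShortName $appName `
    -Version '' -Publisher '' -Language '' `
    -CommandLine 'MbamClientSetup.exe /q' `
    -WorkingDirectory ".\Applications\$appName" `
    -ApplicationSourcePath $sourcePath `
    -DestinationFolder $appName | Out-Null

# Step 4 equivalent: hide the application so a user cannot select it in the
# Deployment Wizard and trigger a second, failing installation.
# (Assumption: the Hide property is writable through the MDT provider.)
Set-ItemProperty -Path "DS001:\Applications\$appName" -Name 'Hide' -Value 'True'

# Check the result; Hide should read True and CommandLine should end in /q.
Get-ItemProperty -Path "DS001:\Applications\$appName" |
    Select-Object Name, CommandLine, Hide
```

Run the same block a second time with $sourcePath pointing at the x86 folder and $appName set to MBAM Client 32-bit to add the 32-bit application.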
Step 5: Edit task sequences
Install the MBAM client application during operating system deployment by adding it to task sequences. By adding the MBAM client to your existing task sequences, you can install the agent automatically, with no interaction from the user. This method helps to ensure that the MBAM client is available immediately, before users log on to the computer.
To install the MBAM client in an LTI task sequence
1. In the Deployment Workbench, click Task Sequences under Deployment Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the name of your deployment share).
2. In the results pane, right-click the task sequence to which you want to add the MBAM client, and then click Properties.
3. On the Task Sequence tab of the task sequence’s Properties dialog box, click the Install Applications task sequence step.
   This step is in the State Restore group. The task sequence editor adds the new task sequence step immediately after this step.
5. Click the new Install Application task sequence step that you just added, then perform the following steps:
a. In the Name box, type Install the MBAM Client.
b. Click Install a single application, click Browse, click the MBAM client application in the Select An Item dialog box, and then click OK.
c. Optionally, on the Options tab, select the Continue on error check box. Select this check box only if you want the task sequence to continue running if the MBAM client fails to install during operating system deployment.
6. Click OK to close the task sequence’s Properties dialog box.
Step 6: Configure MDT BitLocker-related settings
You can configure BitLocker-related settings by using one of the following methods in LTI:

MDT properties specified in the CustomSettings.ini file or the MDT database (MDT DB)

The benefit of this method is that you can prevent configuration errors by making the configuration settings in advance. This allows you to bypass the BitLocker page in the Deployment Wizard. The following are the MDT properties that you must set to fully automate BitLocker configuration for LTI deployments and bypass the BitLocker page:
- BDEDriveLetter
- BDEDriveSize
- BDEInstall
- BDEInstallSuppress
- BDERecoveryKey
- TPMOwnerPassword
- OSDBitLockerStartupKeyDrive
- OSDBitLockerWaitForEncryption

For more information about these MDT properties, see the corresponding sections in the MDT document Toolkit Reference.
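The following script is an added example, not part of the MBAM Deployment Guide or of MDT, of how the properties listed above can be placed in the [Default] section of CustomSettings.ini from PowerShell instead of by hand. The values shown are illustrative assumptions and must be checked against the Toolkit Reference for your environment; the path D:\DeploymentShare\Control\CustomSettings.ini is a placeholder. The SkipBitLocker property is not in the guide's list but is the MDT property that actually suppresses the BitLocker wizard page, so it is included with a comment.

```powershell
# Added example (not from the MBAM Deployment Guide or MDT): insert the
# BitLocker properties into the [Default] section of CustomSettings.ini.
# Values are illustrative; confirm each one against the MDT Toolkit Reference.

$csIni = 'D:\DeploymentShare\Control\CustomSettings.ini'   # placeholder path

$bitLockerSettings = [ordered]@{
    SkipBitLocker                 = 'YES'   # suppress the BitLocker wizard page (MDT property, not in the guide's list)
    BDEInstall                    = 'TPM'   # TPM-only protector; TPMKey, TPMPassword, Key and Password are the alternatives
    BDEInstallSuppress            = 'NO'    # NO means BitLocker is actually enabled
    BDERecoveryKey                = 'AD'    # back up recovery information to AD DS
    BDEDriveLetter                = 'S:'    # drive letter of the unencrypted system partition
    BDEDriveSize                  = '2000'  # system partition size in MB
    TPMOwnerPassword              = '<PLACEHOLDER-DO-NOT-COMMIT>'   # see note below the block
    OSDBitLockerStartupKeyDrive   = ''      # only needed with a startup key (TPMKey or Key)
    OSDBitLockerWaitForEncryption = 'FALSE' # do not hold the task sequence until encryption finishes
}

$lines = Get-Content -Path $csIni

# Refuse to create duplicate keys: ZTIGather would otherwise read one of the
# two values and the result would be hard to diagnose.
foreach ($key in $bitLockerSettings.Keys) {
    if ($lines -match "^\s*$key\s*=") {
        throw "$key is already set in $csIni; edit the existing value instead"
    }
}

# Insert the properties directly under the [Default] section header so they
# are not appended after some other section at the end of the file.
$out = New-Object System.Collections.Generic.List[string]
$inserted = $false
foreach ($line in $lines) {
    $out.Add($line)
    if (-not $inserted -and $line.Trim() -ieq '[Default]') {
        foreach ($kv in $bitLockerSettings.GetEnumerator()) {
            $out.Add("$($kv.Key)=$($kv.Value)")
        }
        $inserted = $true
    }
}
if (-not $inserted) { throw "No [Default] section found in $csIni" }

Set-Content -Path $csIni -Value $out

# Show what was written for review.
Select-String -Path $csIni -Pattern '^(SkipBitLocker|BDE|TPMOwnerPassword|OSDBitLocker)'
```

CustomSettings.ini is readable by every account that can read the deployment share, so a real TPMOwnerPassword value in that file is exposed to everyone who can reach the share. If the TPM owner password has to be supplied by MDT, keep it in the MDT DB (the guide's other option for these properties), restrict who can read it, and confirm that the deployment share's NTFS and share permissions match the least-privilege model you expect.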
The BitLocker page in the Deployment Wizard (shown in Figure 5)
The benefit of this method is that you can provide the BitLocker configuration settings at the time of deployment. This allows the user performing the deployment to make BitLocker configuration changes as required on a device-by-device basis at the time of deployment.