Configuration Manager. You create applications in the Applications node of the Configuration Manager console. By using System Center 2012 Configuration Manager, you can use a single deployment tool to install the MBAM client on existing computers as well as during operating system deployment:
Deployment to existing computers. This method deploys the MBAM client to targeted computers that already exist or deploys the MBAM client immediately after operating system deployment is complete. The advantage of this method is that it covers both scenarios (existing computers and new computers). This process will be discussed in the section, System Center 2012 Configuration Manager Application Model.
Installation during operating system deployment. This method installs the MBAM client during operating system deployment so that the agent is immediately available. The benefit of this method is that the encryption can be started or completed before users receive their device, and the device is protected before the user starts it for the first time. After you create the application in the Configuration Manager console, simply add an Install Application step to the operating system deployment task sequence. This process is discussed in this section.
You can deploy the MBAM client during operating system deployment by using the Zero Touch Installation (ZTI) and User-Driven Installation (UDI) processes in MDT. You do this by adding the client installation files as an application, and then adding an Install Application step for the agent to your existing operating system deployment task sequences.
By installing the MBAM client as part of the operating system deployment task sequence, ZTI and UDI install the client automatically, which ensures that the encryption is started or completed before users receive their device and the device is protected before users start it for the first time. The MBAM client will be ready for use before users log on to the device for the first time.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 46
Windows 8 includes the BitLocker Used Disk Space Only encryption feature, which encrypts only the disk space currently in use instead of the entire disk volume. This feature dramatically reduces the time required to encrypt a disk volume.
By default, MDT automatically performs Used Disk Space Only encryption when enabling BitLocker for Windows 8 deployments to reduce the length of time required to deploy Windows 8.
The following steps are required to complete this process:
1. Ensure that partitions on targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices.
3. Create and share a content folder for the MBAM client installation files.
4. Create a System Center 2012 Configuration Manager application for the MBAM client installation.
5. Distribute the System Center 2012 Configuration Manager application to the distribution points.
6. Deploy the System Center 2012 Configuration Manager application to the targeted computers.
7. Add an Install Application step to your existing operating system task sequences.
8. Configure the MDT BitLocker-related configuration settings.
For more information about using MDT to install applications during operating system deployment, see the MDT documentation.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker
Before you can use MBAM, you need to ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. For new devices or devices that are being replaced, MDT automatically creates the necessary partitions to support BitLocker. When refreshing an existing device, MDT automatically resizes and creates the necessary partitions to support BitLocker (if there is sufficient available disk space) after the operating system has been deployed in the State Restore group.
If you want ZTI and UDI to automatically create the appropriate partitions for the refresh device deployment scenario in ZTI and UDI, perform a replace device deployment scenario, and treat the existing device as the original and replacement device. In this way, you back up the user state from the device, wipe the device, deploy the operating system, and then restore the user state to the device. Ensure that you store the user state in a network shared folder or in local storage on a disk other than where the operating system will be deployed.
Step 2: Enable the TPM on targeted devices
Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even different across models within a device manufacturer.
By default, ZTI and UDI task sequences perform BitLocker pre-provisioning for new device and replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for enabling the TPM can:
- Run in Windows PE, then you can support BitLocker pre-provisioning.
- Run only in a Windows operating system, you must either:
  - Manually enable the TPM to support BitLocker pre-provisioning, or
  - Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed but still as a part of the task sequence.
If you want to use BitLocker pre-provisioning for the refresh device deployment scenario for ZTI and UDI, perform a replace device deployment scenario, and treat the existing device as the original and replacement device. In this way, you back up the user state from the device, wipe the device, deploy the operating system, and then restore the user state to the device. Ensure that you store the user state in a network shared folder or in local storage on a disk other than where the operating system will be deployed.
For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker pre-provisioning.
To automatically enable the TPM and support BitLocker pre-provisioning by using scripts or software that can run in Windows PE
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create an MDT application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
Place the Install Application task sequence step in the Preinstall group immediately before the Pre-provision BitLocker task sequence step.
To automatically enable the TPM by using scripts or software that can run only in a Windows operating system (no BitLocker pre-provisioning support)
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create an MDT Application that contains the software in the previous step.
3. Install the application created in the previous step by using the Install Application task sequence step.
Place the Install Application task sequence step in the State Restore group immediately before the Enable BitLocker task sequence step.
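A pre-flight check for Steps 1 and 2, as an added PowerShell example that is not part of the guide: run on a target device, it reports the TPM state and whether the device has the separate system partition BitLocker requires, so a device that would fail the Pre-provision BitLocker or Enable BitLocker step can be flagged before the MBAM client is deployed. The function and parameter names are my own; it assumes Windows 8 or later, where the TrustedPlatformModule and BitLocker PowerShell modules are available.

```powershell
# Added example, not from the MBAM deployment guide.
# Checks the prerequisites from Step 1 (partitions) and Step 2 (TPM) and the
# current BitLocker state of the OS volume. Run elevated on the target device.
function Test-MbamClientPrerequisites {
    [CmdletBinding()]
    param(
        # Drive letter of the operating system volume (assumption; adjust if needed).
        [string]$OsDrive = $env:SystemDrive
    )

    $result = [ordered]@{}

    # Step 2: the TPM must be present, enabled and activated before the
    # Pre-provision BitLocker or Enable BitLocker step can use it.
    $tpm = Get-Tpm
    $result.TpmPresent   = $tpm.TpmPresent
    $result.TpmEnabled   = $tpm.TpmEnabled
    $result.TpmActivated = $tpm.TpmActivated
    $result.TpmReady     = $tpm.TpmReady

    # Step 1: BitLocker needs a separate, unencrypted system partition that
    # holds the boot files (IsSystem) in addition to the OS partition (IsBoot).
    # MDT creates it for new and replace scenarios; a refresh only succeeds if
    # there is enough free space for MDT to resize the existing partition.
    $partitions = Get-Partition
    $result.HasSystemPartition = [bool]($partitions | Where-Object { $_.IsSystem -and -not $_.IsBoot })
    $result.HasOsPartition     = [bool]($partitions | Where-Object { $_.IsBoot })

    # Current BitLocker state of the OS volume, so you can tell whether
    # pre-provisioning already encrypted it and whether a TPM protector exists.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $result.VolumeStatus        = $vol.VolumeStatus
    $result.ProtectionStatus    = $vol.ProtectionStatus
    $result.EncryptionPercent   = $vol.EncryptionPercentage
    $result.TpmProtectorPresent = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })

    # Overall verdict: TPM ready and the partition layout BitLocker expects.
    $result.ReadyForMbamClient = [bool]($result.TpmReady -and $result.HasSystemPartition -and $result.HasOsPartition)
    [pscustomobject]$result
}

Test-MbamClientPrerequisites
```

Devices where ReadyForMbamClient is False need the vendor TPM-enablement software from Step 2, or the partition work from Step 1, before the Install Application step for the MBAM client will result in a protected device.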
Step 3: Share the installation content
When you create a System Center 2012 Configuration Manager application, you must specify a source for the application content. The source must be a network share that is accessible to System Center 2012 Configuration Manager, because System Center 2012 Configuration Manager uses the contents of the source folder to create the application.
To create and share a folder for the MBAM client installation content
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 13 describes.
To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.