Bitlocker Deployment Guide

Microsoft BitLocker

Administration and

Monitoring

Deployment Guide

Microsoft BitLocker Administration and Monitoring (MBAM) is an

enterprise-scalable solution for managing BitLocker technologies, such as BitLocker Drive

Encryption and BitLocker To Go. MBAM, which is part of the Microsoft Desktop

Optimization Pack, helps you improve security compliance on devices by

simplifying the process of provisioning, managing, and supporting

BitLocker-protected devices. This guide helps you choose a deployment method for

MBAM and provides step-by-step instructions for each method.

MBAM DEPLOYMENT GUIDE | INTRODUCTION 1

Introduction

Organizations rely on BitLocker Drive Encryption and BitLocker To Go to protect data on computers and removable drives running the Windows 8 or Windows 7 operating systems and Windows to Go. Microsoft BitLocker Administration and Monitoring (MBAM) version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software

Assurance, makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives.

For BitLocker To Go–protected drives, BitLocker stores the recovery keys but does not monitor encryption.

The key benefits of using MBAM to manage BitLocker technologies include:

 Simplified provisioning and management. BitLocker deployment is easier with MBAM,

because MBAM can be integrated with existing automated provisioning and deployment processes to ensure that existing and new devices are protected. You can provision BitLocker as a part of or after operating system deployment, then use Group Policy settings for ongoing BitLocker management and compliance enforcement.

 Improved compliance and reporting. Encryption and protection of sensitive

information are essential to organizational compliance programs. MBAM includes built-in reports that provide the current BitLocker encryption status of devices. MBAM also audits access to BitLocker recovery keys and can provide reports on who accessed specific recovery key information.

 Reduced support effort. A customized MBAM Control Panel app replaces the default

BitLocker Control Panel item and allows users to manage local MBAM and BitLocker configuration. Secure, web-based recovery key management portals allow help desk staff

MBAM DEPLOYMENT GUIDE | INTRODUCTION 2

and users recover BitLocker-enabled devices. Together, the customized Control Panel app and these portals allow users and IT staff to perform common tasks, such starting the encryption process or managing the BitLocker PIN, without you having to grant administrative rights to the managed devices. Enabling self-service support helps reduce BitLocker-related help desk tickets by empowering users and making IT staff more efficient and effective.

To learn more about taking advantage of MBAM in your business, see the Microsoft BitLocker Administration and Monitoring content on the Microsoft Desktop Optimization Pack website. This guide describes how to deploy MBAM, with a focus on automating the deployment and configuration of the MBAM client to managed devices. It first describes the MBAM components. Then, it shows you how to prepare for deployment and provides step-by-step instructions for deploying the MBAM client by using the following tools and technologies:

 Group Policy software installation

 Microsoft Deployment Toolkit (MDT) 2012

 Microsoft System Center 2012 Configuration Manager  Scripted installation (e.g., command prompt)

MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 3

MBAM components

MBAM uses a client–server model to manage BitLocker. You can deploy MBAM in either a stand-alone or MBAM Configuration Manager topology. Each topology is discussed in subsequent sections.

MBAM stand-alone topology

You use the MBAM stand-alone topology (illustrated in Figure 1) when your organization does not have an existing System Center Configuration Manager infrastructure. In this topology, MBAM and Microsoft SQL Server provide all the necessary components. If your organization has a System Center Configuration Manager infrastructure, see MBAM Configuration Manager topology.

MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 4

Figure 1. MBAM stand-alone topology

Table 1 describes the computers and devices in this topology and provides a brief description of MBAM components and the role of each computer and device.

Table 1. Computers and devices in the MBAM stand-alone topology

Computer or device

Description

Administration and Monitoring Server

The following features are installed on this server:  Administration and Monitoring Server. The

Administration and Monitoring Server feature is installed on a machine running the Windows Server operating system and consists of the Administration and Monitoring website, which includes the reports and the Help Desk Portal, and the monitoring web services.

 Self-Service Portal. The Self-Service Portal is

installed on a machine running Windows Server. The portal enables users on client computers to

independently log on to a website, where they can obtain a key to recover a locked BitLocker volume.

MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 5

Computer or device

Description

Database Server The following features are installed on this server:  Recovery Database. The Recovery Database is

installed on a machine running Windows Server and a supported instance of SQL Server. This database stores recovery data collected from MBAM client computers.

 Compliance and Audit Database. The Compliance

and Audit Database is installed on a machine running Windows Server and a supported instance of

SQL Server. This database stores compliance data for MBAM client computers, which is used primarily for reports that Microsoft SQL Server Reporting Services hosts.

 Compliance and Audit Reports. The Compliance

and Audit Reports are installed on a machine running Windows Server and a supported instance of

SQL Server that has the SQL Server Reporting Services feature installed. They provide MBAM reports that you can access from the Administration and

Monitoring website or directly from the SQL Server Reporting Services server.

Management workstation The following feature is installed on the Management workstation, which can be a computer running Windows Server or a client operating system:

 Policy Template. The Policy Template consists of

Group Policy settings that define MBAM

implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management

workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer.

MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 6

Computer or device

Description

Managed device The MBAM client is installed on the managed Windows device and has the following characteristics:

 Uses Group Policy to enforce the BitLocker encryption of client computers in the enterprise

 Collects the recovery key for the three BitLocker data drive types: operating system drives, fixed data drives, and removable data (USB) drives

 Collects compliance data for the computer and passes the data to the reporting system

Active Directory Domain Services (AD DS) domain controller

The following feature is installed on the domain controller:

 Policy Template. The Policy Template consists of

Group Policy settings that define MBAM

implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management

workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer.

MBAM Configuration Manager topology

Use the MBAM Configuration Manager topology (illustrated in Figure 2) when your organization has an existing System Center Configuration Manager infrastructure. In this topology, the MBAM components are distributed across the MBAM Administration and Monitoring Server,

SQL Server, and System Center Configuration Manager. In this topology, System Center Configuration Manger runs some of the MBAM components. MBAM supports System Center 2012 Configuration Manager with Service Pack 1 (SP1), System Center 2012

MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 7

Configuration Manager, and Microsoft System Center Configuration Manager 2007 infrastructures.

Windows to Go is not supported when you install the System Center Configuration Manager topology with System Center Configuration Manager 2007.

If your organization does not have a System Center Configuration Manager infrastructure, see MBAM stand-alone topology.

MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 8

Figure 2. MBAM Configuration Manager topology

The placement of the MBAM components in the MBAM Configuration Manager topology is similar to the MBAM stand-alone topology. Table 2 describes the computers and devices in the MBAM Configuration Manager topology (illustrated in Figure 2) and provides a brief description of the MBAM components and role of each computer and device.

Table 2. Computers and devices in the MBAM Configuration Manager

topology

Computer or device

Description

Administration and Monitoring Server

The following features are installed on this server:  Administration and Monitoring Server. The

Administration and Monitoring Server feature is installed on a machine running Windows Server and consists of the Administration and Monitoring website, which includes the reports, the Help Desk Portal, and the monitoring web services.

 Self-Service Portal. The Self-Service Portal is

installed on a machine running Windows Server. It enables users on client computers to independently log on to a website, where they can obtain a key to recover a locked BitLocker volume.

MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 9

Computer or device

Description

Database Server The following features are installed on this server:  Recovery Database. The Recovery Database is

installed on a machine running Windows Server and a supported instance of SQL Server. This database stores recovery data collected from MBAM client computers.

 Audit Database. The Audit Database is installed on a

machine running Windows Server and a supported instance of SQL Server. This database stores audit activity data for MBAM client computers that have accessed recovery data.

Configuration Manager Primary Site Server

The Configuration Manager Site Server collects the hardware inventory information from client computers and is used to report the BitLocker compliance of client computers. The following features are installed on this server:

 Compliance Reports. The Compliance Reports are

installed on the machine running the Reporting Services point site system role. They provide MBAM reports that you can access from the Configuration Manager console or directly from the SQL Server Reporting Services server on the Reporting Services point.

 Audit Reports. The Compliance and Audit Reports

are installed on a machine running Windows Server and a supported instance of SQL Server that has the SQL Server Reporting Services feature installed. They provide MBAM reports that you can access from the Administration and Monitoring website or directly from the SQL Server Reporting Services server.

MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 10

Computer or device

Description

Management workstation The following feature is installed on the Management workstation, which can be run Windows Server or a client operating system:

 Policy Template. The Policy Template consists of

Group Policy settings that define MBAM

implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management

workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer.

 Configuration Manager console. The Configuration

Manager console is used to view MBAM reports. Managed device The MBAM client and Configuration Manager client are

installed on the managed Windows device and have the following characteristics:

 Use Group Policy to enforce the BitLocker encryption of client computers in the enterprise

 Collect the recovery key for the three BitLocker data drive types: operating system drives, fixed data drives, and removable data (USB) drives

 Enable System Center Configuration Manager to collect hardware compatibility data about client computers

 Enable System Center Configuration Manager to report compliance information

MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 11

Computer or device

Description

AD DS domain controller The following feature is installed on the domain controller:

 Policy Template. The Policy Template consists of

Group Policy settings that define MBAM

implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management

workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer.

MBAM DEPLOYMENT GUIDE | PREPARING FOR DEPLOYMENT 12

Preparing for deployment

MBAM requires the following services and features for both the stand-alone and Configuration Manager topologies:

 AD DS. MBAM requires an AD DS infrastructure and that the MBAM clients be domain

members.

 SQL Server. MBAM requires SQL Server for storing MBAM compliance, audit, and recovery

information. MBAM also requires SQL Server Reporting Services for MBAM reports. For more information on SQL Server requirements, see the section, “SQL Server Database

Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on Microsoft TechNet. For more information about deploying SQL Server in the:

 Stand-alone topology, see Deploying MBAM in the stand-alone topology

 Configuration Manager topology, see Deploying MBAM in the Configuration Manager topology

 Group Policy. You manage MBAM client configuration by using Group Policy settings.

MBAM allows you to manage BitLocker and MBAM settings from a single template. For more information, see Deploying the MBAM Group Policy settings.

 Web server (Microsoft Internet Information Services [IIS]). The Administration and

Monitoring website and the Self-Service Portal run on IIS, which is installed as part of the Web Server (IIS) server role.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 13

Deploying the MBAM server

You can deploy the MBAM server in either the MBAM stand-alone or MBAM Configuration Manager topology. You will deploy the MBAM server components on different computers (virtual or physical) depending on your scale requirements and the MBAM deployment topology you choose.

Regardless of the MBAM deployment topology selected, Microsoft recommends dedicating two computers to MBAM—one for running MBAM web server components and one for running SQL Server.

You can deploy MBAM in a single-server configuration. However, this configuration is recommended for use only in test environments. For production environments, Microsoft recommends that you use the two-server deployment configuration.

Select the MBAM deployment topology

Which MBAM deployment topology you choose is based on whether you have System Center Configuration Manager. Use the information in Table 3 to determine which MBAM deployment topology is right for you.

Table 3. MBAM deployment topologies and when to select them

Topology

Description

Stand-alone topology Select this topology when your organization does not have an existing System Center Configuration Manager infrastructure or is not planning to deploy a System Center Configuration Manager infrastructure prior to deploying MBAM.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 14

Topology

Description

Configuration Manager topology

Select this topology when your organization has an existing System Center Configuration Manager infrastructure or is planning to deploy a System Center Configuration Manager infrastructure prior to deploying MBAM. MBAM supports System Center 2012 Configuration Manager with SP1, System Center 2012 Configuration Manager, and System Center Configuration Manager 2007.

Deploy MBAM in the stand-alone topology

Deploying MBAM in the stand-alone topology typically uses two computers (physical or virtual) for the MBAM components. The two-computer configuration is recommended for production environments. Installation of all MBAM components on one computer is possible but

recommended only for lab or evaluation environments or small production environments. The MBAM stand-alone topology is illustrated in Figure 1 in the section, “MBAM stand-alone topology,“ earlier in this guide.

To deploy MBAM in the stand-alone topology, perform the following steps: 1. Deploy a supported version of SQL Server on the designated computer.

For more information about the versions of SQL Server that MBAM supports, see the section, “SQL Server Database Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

2. Configure SQL Server to support encrypted connections to the SQL Server Database Engine (optional).

If you plan to secure communication between the MBAM client and the web services, you should also secure communication to the SQL Server Database Engine by enabling encrypted connections to it. For more information about how to do so, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager). 3. Ensure that the computer that will run the MBAM web server components has the

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 15

The MBAM Web Server Installation Wizard automatically checks prerequisites before installing the MBAM web server components.

For more information about MBAM server prerequisites, see the section, “Installation Prerequisites for MBAM Server Features,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is included with MBAM.

4. Install the MBAM server components.

For more information about how to install the MBM server components in the MBAM stand-alone topology, see the section, “How to Install and Configure MBAM on Distributed Servers,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is included with MBAM.

Deploy MBAM in the Configuration Manager topology

Deploying MBAM in the Configuration Manager topology typically uses two computers (physical or virtual) for the MBAM components. The two-computer configuration is recommended for production environments. Installation of all MBAM components on one computer is possible but recommended only for lab or evaluation environments or small production environments. In addition, this topology requires a System Center Configuration Manager infrastructure. MBAM has no additional system requirements for System Center Configuration Manager beyond the standard system requirements. For more information about the system requirements for:

 System Center 2012 Configuration Manager, see Supported Configurations for Configuration Manager

 System Center Configuration Manager 2007, see Configuration Manager Supported Configurations

To deploy MBAM in the Configuration Manager topology, perform the following steps: 1. Deploy a supported version of SQL Server.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 16

For more information about the versions of SQL Server that MBAM supports, see the sections, “SQL Server Database Requirements” and “SQL Server Processor, RAM, and Disk Space Requirements,” in the Microsoft BitLocker Administration and Monitoring 2

Administrator’s Guide, which is available on TechNet.

2. Configure the System Center Configuration Manager permissions required to install MBAM.

For more information about how to do so, see the section, “Required Permissions to Install the MBAM Server,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

3. Edit and import the configuration.mof file.

For more information about how to do so, see the section, “Edit the Configuration.mof File,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

4. Edit and import the sm_def.mof file.

For more information about how to do so, see the section, “Create or Edit the Sms_def.mof File,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

5. Install the MBAM web server components.

For more information about how to install the MBM web server components in the MBAM Configuration Manager topology, see the section, “How to Install MBAM with the Configuration Manager Topology,” in the Microsoft BitLocker Administration and

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 17

Deploying the MBAM Group Policy settings

You use Group Policy settings to manage the MBAM client, and MBAM includes an

administrative template that you use to configure these settings. When you use the template, a Group Policy object (GPO) containing the MBAM client Group Policy settings will be created; you then link this GPO to the appropriate organizational units (OUs) in your AD DS hierarchy at which point the policies will be deployed to the applicable members of the OU.

Install the MBAM Group Policy administrative template

MBAM includes a Group Policy administrative template that exposes all of the BitLocker and MBAM client configuration settings in the Group Policy Editor. Install the MBAM Group Policy administrative template on every computer from which you manage MBAM Group Policy, such as domain controllers or administrative workstations. You can also install the Group Policy administrative template in the Active Directory central store.

You install the MBAM Group Policy Template by running the MBAM Server Setup Wizard (MbamSetup.exe), which is in the \MBAM\Installers\x64 folder on the MBAM source media. To install the MBAM Group Policy templates, select only the Policy Template feature on the Select

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 18

Figure 3. The Select features to install wizard page

For more information on how to install the MBAM Group Policy template, see the section, “How to Install the MBAM 2.0 Group Policy Template,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Create the MBAM Group Policy settings

The MBAM Group Policy administrative template defines policy settings for the MBAM client. Microsoft recommends that you create a new GPO for each set of unique MBAM Group Policy settings you need. For example, if you have two groups within your organization that will have different configurations for BitLocker, create two GPOs—one for each group of settings. You can

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 19

also create a GPO for using Trusted Platform Module (TPM) only and another for using TPM and a PIN.

MBAM Group Policy settings are in the Group Policy Management Editor under Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management). Table 4 lists the categories of MBAM Group Policy settings and provides a brief description of each. For more information on the MBAM Group Policy settings, see the section, “Planning for MBAM 2.0 Group Policy Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Table 4. MBAM Group Policy setting categories

Category

Description

Global Used to configure global BitLocker settings, such as the drive encryption method and cypher strength and whether a unique

organizational identifier will be used. These settings are located in the root of the MBAM Group Policy settings hierarchy.

Client

Management

Used to configure the client management aspects of the MBAM client, such as the configuration of the MBAM services that the client uses. These settings are located in the Client Management node. Fixed Drive Used to configure the settings that affect encryption of fixed drives,

such as denying Write access to fixed drives not protected by BitLocker or choosing how BitLocker-protected fixed drives can be recovered. These settings are located in the Fixed Drive node. Operating

System Drive

Used to configure the settings that affect the operating system drive, such as requiring users to encrypt the operating system drive and the methods for recovering BitLocker-protected operating system drives. These settings are located in the Client Management node.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 20

Category

Description

Removable Drive

Used to configure the settings that affect encryption of fixed drives, such as controlling the use of BitLocker on removable drives or choosing how BitLocker-protected removable drives can be

recovered. These settings are located in the Removable Drive node.

Configure the MBAM Group Policy settings in the GPOs that you have created (based on the information in Table 4), and then link those GPOs to the OUs that contain the devices you will use MBAM to manage. For more information on the MBAM Group Policy settings and the suggested configuration, see the section, “Planning for MBAM 2.0 Group Policy Requirements,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

Manage MBAM user exemptions

In some instances, users may need to be exempt from protecting their drives protected by BitLocker. For example, users may bring their own devices as a part of a bring-your-own-device initiative and do not want their devices to be BitLocker protected. You can exempt users from MBAM enforcement of automatic BitLocker protection by using the Allow the user to be

exempted from BitLocker encryption Group Policy setting, which is under User

Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management).

To exempt users from MBAM enforcement of automatic BitLocker protection, perform the following steps:

1. Create a GPO, such as MBAM User Exemption Policy, that enables the Allow the user to

be exempted from BitLocker encryption Group Policy setting.

2. Create a domain security group, such as MBAM Exempt Users, that contains the user accounts of the users to be exempted.

3. Configure the MBAM User Exemption Policy GPO (created in step 1) to apply only to the MBAM Exempt Users domain security group (created in step 2) by using GPO security filtering, as shown in Figure 4.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 21

Figure 4. Configuring GPO security filtering

For more information on how to perform GPO security filtering for a specific group, see Using Security Filtering to Apply GPOs to Selected Groups.

4. Link the MBAM User Exemption Policy GPO (created in step 1) to the OUs in which the devices to be managed reside.

For more information on how to manage MBAM user exemptions, see the section, “How to Manage User BitLocker Encryption Exemptions,” in the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on TechNet.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 22

Deploying the MBAM client

You must install the MBAM client on each BitLocker-enabled device you will use MBAM to manage. The client is available in 64-bit and 32-bit versions that are stored in the

\MBAM\Installers\2.0\x64 and \MBAM\Installers\2.0\x86 folders, respectively, on the MBAM source media. Select the appropriate version based on the target operating system.

The MBAM client installation files include:

 MbamClientSetup.exe. This Setup program contains the MBAM client and is

appropriate for methods that require an .exe file, such as scripted installation. This program passes any installer properties you use on its command line to the Windows Installer package file.

 MBAMClient.msi. This Windows Installer package contains the MBAM client and is

appropriate for deployment methods that require an .msi file, such as Group Policy software deployment.

You can easily deploy the MBAM client by using almost any software or operating system deployment tool. Table 5 lists the deployment methods that this guide describes and offers suggestions for when to use each. You can also use a combination of these methods. For example, you could use MDT to deploy the MBAM client during operating system deployment and use Group Policy to deploy the MBAM client to existing computers.

To drive consistency across MBAM client installations, use highly automated techniques to perform MBAM client deployments. For example, if you choose command-line deployment, ensure that you automate installation by using scripts (e.g., Windows PowerShell or batch scripts).

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 23

Table 5. Choosing a deployment method

Method

Use this method when

Group Policy  You do not use an electronic software deployment (ESD) solution, such as System Center Configuration Manager or MDT

 You already deploy software by using Group Policy

 You want to deploy the MBAM client to existing computers  You want to deploy the MBAM client after operating

system images are deployed

 Computers have high-speed, persistent connections to the network share containing the installation files

MDT 2012  You use MDT for operating system deployment

 You want to deploy the MBAM client during operating system deployment

System Center Configuration Manager

 You already use System Center Configuration Manager for application and operating system deployment

 You want to use one tool to deploy the MBAM client to existing computers or during operating system

deployment

 Computers have high-speed, persistent connections to the distribution points in which the MBAM client installation files reside

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 24

Method

Use this method when

Scripted Installation  You want to script installation as part of operating system installation, and you are not using MDT or System

Center Configuration Manager

 You want to deploy the MBAM client by using a non-Microsoft ESD system

 Computers might not have high-speed, persistent connections to the enterprise network, and installation from local media might be required

BitLocker partition configuration requirements

BitLocker requires that the partitions on the targeted devices be configured properly to support BitLocker. Ensure that the targeted devices have the correct partition configuration to support BitLocker prior to deploying the MBAM client.

BitLocker requires the following partitions:

 System partition. This unencrypted partition is used to start the target device. The system

partition must have a minimum of 100 MB of space, but larger partitions are recommended. If the system partition is 300 MB or larger, the Windows Recovery Environment is

automatically copied to the partition when BitLocker is enabled. By default, MDT automatically creates a 512-MB system partition.

 Windows partition. This encrypted partition contains the Windows operating system,

applications, and user data. It must meet the minimum required available disk space for the desired operating system.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 25

In addition to the BitLocker partition requirements, the device may have requirements such as those for Unified Extensible Firmware Interface (UEFI). For more information on the recommended partition configuration for BIOS and UEFI devices, see “5.1 Create a DiskPart script” in Basic Windows Deployment Step-by-Step Guide.

For new device deployments or when you are replacing an existing device with a new device, the operating system deployment process automatically creates the appropriate partitions. This is true if you are performing the deployment by using the operating system deployment media or by using automated processes such as MDT or System Center 2012 Configuration Manager. However, in refresh device deployment scenarios, the existing device may have a partition configuration that is inappropriate for BitLocker—for example, refreshing the Windows XP operating system on an existing device with Windows 8. In these scenarios, you may need to repartition the drive to support BitLocker before performing operating system deployment and deploying the MBAM client. Ensure that you create the partitions based on the

recommendations in the “5.1 Create a DiskPart script” in Basic Windows Deployment Step-by-Step Guide.

For more information about how MDT creates disk partitions, see the section, “Review the Default Partition Configuration Created by MDT,” in the MDT document Using the Microsoft Deployment Toolkit. Repartitioning of targeted devices in refresh device deployment scenarios is discussed in the sections for each MBAM client deployment method.

TPM and MBAM client deployment

The TPM is a microchip that stores the private portion of security keys that are kept separate from the memory that the operating system controls. BitLocker uses these keys to encrypt data. BitLocker and MBAM have the following dependencies on the TPM:

 The TPM must be physically enabled. The TPM must be physically enabled on the targeted

device before BitLocker and MBAM can use it. Enabling the TPM by using the BIOS or UEFI on the device or by using scripts to automate the process.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 26

 Have MBAM take ownership of the TPM. Taking ownership of the TPM allows MBAM to

provide users with a file they can use to reset the TPM on their device. However, it is not required that MBAM own the TPM. Windows can automatically provision and take ownership of the TPM, which allows the TPM management within Windows. If Windows owns the TPM, MBAM will be unable to help users reset the TPM on their device.

Enable the TPM

BitLocker requires that the TPM be physically enabled on the device prior to protecting any fixed or removable drives on the managed device. In some cases, the TPM can be disabled in the BIOS or UEFI, which will prevent BitLocker and MBAM from accessing its functionality. The software and process for enabling TPM at the hardware level is unique for each device hardware

manufacturer and sometimes within models. For fully automated deployment, such as MDT or System Center Configuration Manager, ensure that the TPM for the device is physically enabled within the BIOS or UEFI prior to image deployment.

In addition, enabling the TPM may require that the administrator password for the BIOS or UEFI be configured. Some hardware vendor tools allow you to temporarily set the administrator password, enable the TPM, and then remove the password. Please consult the documentation from the hardware vendor specific to the BIOS or UEFI for the device.

Most hardware vendors provide software that allows you to enable the TPM from the command line. For information about the software for enabling a TPM from a command line, contact each specific hardware vendor.

For information on how to run the software to enable the TPM from a command line for each deployment method, see the step for enabling the TPM on targeted devices in the following sections:

 Group Policy software installation  LTI in MDT 2012

 ZTI and UDI in MDT 2012

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 27

 Scripted installation

Set the ownership of the TPM

The TPM can have only one owner. Configure TPM ownership based on the operating system on the target device. Table 6 lists the operating systems and the recommendation for configuring TPM ownership.

Table 6. Operating systems and ownership of the TPM

Operating system

Ownership

Windows 8 Use only one of the following :

 MBAM owns the TPM. If MBAM has ownership, then

MBAM can be used to help reset the TPM.

 Windows 8 owns the TPM. If Windows 8 has ownership,

then the user can use Windows 8 to help reset the TPM.

Windows 7 MBAM owns the TPM, which allows MBAM can be used to help reset the TPM.

TPM and BitLocker pre-provisioning

BitLocker pre-provisioning enables BitLocker encryption for a drive volume prior to Windows operating system deployment. BitLocker pre-provisioning occurs while in the Windows Preinstallation Environment (Windows PE) version 4.0 by using the Manage-bde.exe BitLocker command-line utility. Automated operating system deployment methods, such as MDT and System Center 2012 Configuration Manager with SP1 automatically preform BitLocker pre-provisioning for Windows 8 and Windows 7 if the TPM is enabled.

To perform BitLocker pre-provisioning, the TPM must be enabled by one of the following methods:

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 28

 Manually configuring the BIOS or UEFI. This method requires that the user performing

the deployment manually enable the TPM in the BIOS or UEFI. After the TPM is manually enabled, the operating system deployment can go on as normal.

 Automatically by running a script or other software. Most device vendors have

scripts or software that allows you to enable the TPM automatically. However, these scripts or other software may need to run in a full Windows operating system (not in Windows PE). In instances where the script or software is unable to run in Windows PE and you require fully automated deployment, you cannot use BitLocker pre-provisioning. If you cannot use BitLocker pre-provisioning, you must enable BitLocker after the operating system is deployed and the full operating system is running. The length of time to encrypt after the operating system is deployed depends on the operating system, as shown in Table 7.

Table 7. Operating system and encryption behavior after the operating

system is deployed

Operating system

Encryption behavior

Windows 8 Can use the Used Disk Space Only feature to reduce the amount of time needed to encrypt the drive. This is the default behavior for MDT task sequences.

Windows 7 Can only encrypt the entire volume, which will take longer than the Used Disk Space Only feature in Windows 8.

Configure the MBAM client to immediately initiate encryption during

task sequences

If you deploy the MBAM client during operating system deployment, that client does not immediately initiate encryption by default, because the MBAM client is typically configured by Group Policy settings. That configuration occurs after the operating system is deployed and the user starts it for the first time. As a result, the targeted device may be in an unprotected state the first time the user starts the device, and MBAM will not have saved the recovery keys and other secrets.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 29

To ensure that devices are in a fully protected state and that MBAM has saved the recovery keys, configure the MBAM client to immediately initiate encryption during the operating system task sequence.

Configuring the MBAM client to immediately initiate encryption during a task sequence is applicable only when the MBAM client is being deployed as part of operating system deployment. However, you could also

perform these steps manually on an existing device and immediately initiate encryption and the saving of recovery keys in MBAM.

Step 1: Create the registry import files

You must create the following registry import files:

 AddMBAMRegEntries.reg. This file adds the necessary registry entries to configure the

MBAM client to immediately initiate BitLocker encryption and store the recovery keys in MBAM.

 RemoveMBAMRegEntries.reg. This file removes the registry entries that the

AddMBAMRegEntries.reg file adds. After this file runs, the registry will be ready for normal configuration by using the MBAM Group Policy settings.

To create a registry import file that configures the MBAM client to immediately initiate encryption during a task sequence

1. Install the MBAM client on a device that has not yet been encrypted.

2. Stop the MBAM client by typing the following command at an elevated command prompt:

NET STOP MBAMAGENT

3. Import the registry template file MBAMDeploymentKeyTemplate.reg located in \Program Files\Microsoft\MDOP.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 30

4. Start RegEdit.exe, and make the following registry changes in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM:

a. Modify the KeyRecoveryServiceEndPoint registry setting to use the URL for your MBAM server.

b. Add a new key NoStartupDelay as a DWORD with a value of 1.

5. Export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM registry subkey to the AddMBAMRegEntries.reg file by using RegEdit.exe.

To create a registry import file that removes the MBAM registry entries

1. Copy the AddMBAMRegEntries.reg file to the RemoveMBAMRegEntries.reg file.

2. In Microsoft Notepad, make the following changes to the RemoveMBAMRegEntries.reg file, and then save the file:

a. Leave the "Installed"=dword:00000001 line untouched.

b. For all other registry keys in the file, replace everything after the equal sign (+) with a minus sign (−).

For example, change “NoStartupDelay”=dword:00000001 to

“NoStartupDelay”=-.

For more information on how to create registry files, see How to add, modify, or delete registry subkeys and values by using a registration entries (.reg) file.

Step 2: Create a script to automate the MBAM client immediately initiating encryption

Create a script to automate the MBAM client immediately initiating encryption during a task sequence. You can create such a script by using either Windows PowerShell or Microsoft Visual Basic Scripting Edition (VBScript). You run this script in the task sequence for your automated deployments in MDT or System Center Configuration Manager.

The high-level steps that the script must perform are as follows: 1. Determine whether the MBAM client has been installed. 2. Stop the MBAM client service.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 31

4. Start the MBAM client service.

5. Verify that encryption has started on the desired disk volume. 6. Import the RemoveMBAMRegEntries.reg file.

7. Restart the MBAM client service.

For an example of how to implement a script that performs these functions, see the section, “Automating the process with a script,” in the TechNet article, Using MBAM to start BitLocker Encryption in a Task Sequence.

Step 3: Add a task sequence step to run the script

You must add a task sequence step to run the script immediately after the task sequence step to install the MBAM client. The type of task sequence step you add is based on how you created the script. For example, if you created the script by using Windows PowerShell, then add a Run

PowerShell Script task sequence step. If you used VBScript, then add a Run Command Line

task sequence step.

Group Policy software installation

You can install a 64-bit or 32-bit version of MBAMClient.msi by using Group Policy software installation. (You cannot run MbamClientSetup.exe with Group Policy.) You must create a network share for the MBAM client installation files, and then create a GPO that installs the appropriate Windows Installer package file on each computer.

To target MBAM client installation, link the GPO to specific OUs, use security filtering, or use Windows Management Instrumentation (WMI) filtering. For example, you can filter the GPO to target computers in a particular security group or computers that are running Windows 8 or Windows 7.

You cannot use command-line options when you use Group Policy to deploy the MBAM client. In this scenario, the easiest way to configure the MBAM client is to use the MBAM Client Policy administrative template. Alternatively, you can create a transform for the MBAM client Windows Installer package files and apply that transform when you create the GPO.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 32

Step 1: Ensure that partitions on targeted devices are configured for BitLocker

Before you can enable encryption with MBAM, you must ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. Group Policy software installation–based deployments are always performed on devices where the operating system has been deployed. Ensure that the partitions on the targeted devices are configured properly for BitLocker deployment, as described in the section, BitLocker partition configuration

requirements in this guide.

If the partitions on a targeted device are not configured properly for BitLocker deployment, consider refreshing the operating system on the device to create the proper partitions. For more information, see the section Lite Touch Installation in MDT 2012 or Zero Touch Installation and User-Driven Installation in MDT 2012.

Step 2: Enable the TPM on targeted devices

Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices. The process for enabling the TPM is different for each device manufacturer and sometimes even across models within a device manufacturer. The high-level process for automatically enabling the TPM is as follows:

1. Package the vendor-specific software for enabling TPM as an .msi package.

In some instances, the vendor-specific software may be scripts and cannot be easily packaged as an .msi file. In these instances, use one of the other methods for enabling TPM.

2. Create a network shared folder that contains the .msi package created in the previous step.

3. Create a GPO to install the .msi package (such as Enable TPM Policy).

4. Configure the existing MBAM client installation GPO (MBAM Client Installation) to use a WMI query to determine whether the TPM is enabled on targeted devices.

5. Target the Enable TPM Policy GPO for different processor versions (64 bit or 32 bit), if applicable.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 33

Step 3: Share the installation files

You must create a network share that contains the MBAM client Setup files. This network share must be accessible to all computers on which you want to install the MBAM client. Grant Read access to the Domain Computers group or to the Authenticated Users group.

To create and share a folder for the MBAM client installation files

1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM Client Setup is the name of the folder you are creating to contain the MBAM client installation files.

2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 8 describes. To configure NTFS file system permissions, right-click the folder, click

Properties, and then click Advanced on the Security tab.

Table 8. NTFS file system permissions for the MBAM client setup

folder

Account

Permissions

Applies to

Administrators Full control This folder, subfolders, and files Authenticated Users Read and Execute This folder, subfolders, and files

3. Share the folder MBAM_Client_Setup by using the permissions that Table 9 describes. To configure share permissions, right-click the folder, click Properties, and then click the

Sharing tab.

Table 9. Share permissions for the MBAM client setup folder

Account

Permissions

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 34

4. Copy the \MBAM\Installers\2.0 folder structure from the MBAM distribution media to \\SERVER\MBAM_Client_Setup.

The \MBAM\Installers\2.0 folder structure includes the x64 and x86 folders, which contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire \MBAM\Installers\2.0 folder structure so that both versions are available for deployment.

Step 4: Create a GPO to install the MBAM client

You create GPOs by using the Group Policy Management Console (GPMC) on a server or on a client running the Remote Server Administration Tools. You can create a GPO that installs only the MBAM client, or you can configure the MBAM client by using the same GPO to keep all of your MBAM policies in one location. The steps in this section install both the x64 and x86 agents by using a single GPO, allowing Group Policy to determine the correct version to install.

To create and edit a GPO to deploy the x64 and x86 MBAM client

1. In the GPMC, create a new GPO for MBAM client installation (e.g., MBAM Client Installation):

a. Right-click Group Policy Objects under Forest\Domains\Domain, and then click

New.

b. In the Name box, type MBAM Client Installation, and then click OK. 2. In the navigation pane, right-click MBAM Client Installation, and then click Edit. 3. In the Group Policy Management Editor, right-click Software Installation in Computer

Configuration\Policies\Software Settings, point to New, and then click Package.

4. In File name, type the Universal Naming Convention (UNC) path and name of the 64-bit version of MBAMClient.msi in the x64 folder, and then click Open.

Make sure you open the file from the network share you created earlier and not from a local path.

5. In the Deploy Software dialog box, click Advanced, and then click OK.

6. In the Name box on the General tab of the MDOP MBAM Properties dialog box, append x64 to the end of the name, and then click OK.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 35

This will help you to distinguish between the x86 and x64 versions later.

7. In the Group Policy Management Editor, right-click Software Installation in Computer Configuration\Policies\Software Settings, point to New, and then click Package. 8. In File name, type the UNC path and name of the 32-bit version of MBAMClient.msi in

the x86 folder, and then click Open.

Make sure you open the file from the network share you created earlier and not from a local path.

9. In the Deploy Software dialog box, click Advanced, and then click OK.

10. In the MDOP MBAM Properties dialog box, complete the following steps, and then click OK:

a. On the General tab, in the Name box, append x86 to the end of the name. b. On the Deployment tab, click Advanced; then, clear the Make this 32-bit X86

application available to Win64 machines check box and click OK.

Clearing this check box prevents Group Policy from installing the 32-bit MBAM client on 64-bit operating systems, ensuring that the correct version of the MBAM client is installed for each system type.

11. Close the Group Policy Management Editor.

Step 5: Link the GPO to OUs

You must link the MBAM Client Installation GPO to OUs to install the agent on the computers in those OUs. You can link the GPO to individual OUs. If the computers you want to target for installation are in multiple OUs, you can link the GPO to the domain and use security or WMI filtering to limit installation to specific computers, types of computers, or Windows versions, which is discussed in the section, “Step 6: Optionally target the GPO.”

To link the GPO to an OU

1. In the GPMC, right-click the OU to which you want to link the MBAM Client Installation GPO, and then click Link an Existing GPO.

2. In the Group Policy objects list in the Select GPO dialog box, click MBAM Client

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 36

Step 6: Optionally target the GPO

When you link the MBAM Client Installation GPO to an OU, Group Policy applies the GPO to all computers in that OU, installing the MBAM client on them. In some cases, however, this might not be desirable. You can target MBAM client deployment to specific computers within an OU by using security or WMI filtering. See Table 10 for more information.

Table 10. Filtering the MBAM Client Installation GPO

Method

Description

Security filtering

This filtering method allows you to target specific computers based on membership in AD DS security groups. The members of the security group can be computer objects or other security groups containing computer objects. You control the deployment of the MBAM client to specific

computers by adding or removing them from the security group. For more information about security filtering, see Filter Using Security Groups. WMI

filtering

This filtering method allows you to target specific computers based on a WMI query. For example, you could use a WMI query to target the

operating system version on computers and deploy the MBAM client only if the operating system is Windows 8 or Windows 7.

You create a WMI filter separately, and then link the WMI filter to the GPO that you created to deploy the MBAM client. For more information about WMI filtering and how to create a WMI filter, see Work with WMI Filters.

Lite Touch Installation in MDT 2012

You can deploy the MBAM client during operating system deployment by using the Lite Touch Installation (LTI) process in MDT. You do this as part of the LTI process by adding the client installation files as an application, and then adding an Install Application step for the agent to your existing operating system deployment task sequences.

By installing the MBAM client as part of the operating system deployment task sequence, MDT installs the client automatically, which ensures that that the encryption is started or completed

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 37

before users receive their device and is protected before they start the device for the first time. The MBAM client will be ready for use before users log on to the device for the first time.

Windows 8 includes the BitLocker Used Disk Space Only encryption feature, which encrypts only the disk space currently in use instead of the entire disk volume. This feature dramatically reduces the time required to encrypt a disk volume.

By default, MDT automatically performs Used Disk Space Only encryption when enabling BitLocker for Windows 8 deployments to reduce the length of time required to deploy Windows 8.

The following sections describe the steps necessary to complete each task in the Deployment Workbench:

1. Ensure that partitions on targeted devices are configured for BitLocker. 2. Enable the TPM on targeted devices.

3. Add the MBAM client to the Applications node of your deployment share.

4. Configure the MBAM client application to hide it from users in the Deployment Wizard. 5. Add an Install Application step to your existing operating system task sequences. 6. Configure the MDT BitLocker-related configuration settings.

7. Immediately initiate encryption by using the MBAM client during tasks sequences.

For more information about using MDT to install applications during operating system deployment, see the MDT documentation.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 38

Step 1: Ensure that partitions on targeted devices are configured for BitLocker

Before you can enable with MBAM, ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. For new devices or for devices that are being replaced, MDT automatically creates the necessary partitions to support BitLocker. When refreshing an existing device, LTI automatically resizes and creates the necessary partitions to support BitLocker, if there is sufficient available disk space.

Step 2: Enable the TPM on targeted devices

Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even across models within a device manufacturer.

By default, LTI performs BitLocker pre-provisioning for new device, refresh device, and replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for enabling the TPM can:

 Run in Windows PE, then you can support BitLocker pre-provisioning  Only run in a Windows operating system, then you must either:

 Manually enable the TPM to support BitLocker pre-provisioning

 Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed but still as a part of the task sequence

For more information on the TPM and BitLocker provisioning, see TPM and BitLocker pre-provisioning.

To automatically enable the TPM and support BitLocker pre-provisioning by using scripts or software that can run in Windows PE

1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.

2. Create an MDT application that contains the software in the previous step. 3. Install the application by using the Install Application task sequence step.

Place the Install Application task sequence step in the Preinstall group immediately before the Enable BitLocker (Offline) task sequence step.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 39

To automatically enable the TPM by using scripts or software that can run only in a Windows operating system (no BitLocker pre-provisioning support)

1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.

2. Create an MDT application that contains the software in the previous step. 3. Install the application by using the Install Application task sequence step.

Place the Install Application task sequence step in the State Restore group immediately before the Enable BitLocker task sequence step.

For more information on enabling the TPM, see Enable the TPM.

Step 3: Add the MBAM client application

When you add an application to your MDT deployment share, you must specify the command that installs it. Running MbamClientSetup.exe is the simplest way to start MBAM client

installation with MDT. You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based on the target operating system version.

The command you specify for MBAM client installation must include the /q command-line option to perform an unattended installation. This option runs MbamClientSetup.exe with no user interaction. If you do not include this command-line option, the Setup program stalls the deployment process to wait for user interaction.

To add the MBAM client to your deployment share

1. In the Deployment Workbench, click Applications under Deployment

Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the name of your deployment share).

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 40

3. Complete each page of the New Application Wizard:

Page

Steps

Application Type 1. Click Application with source files. 2. Click Next.

Select the Application without source files or elsewhere on

the network check box if you already have the installation files

in a network share. For more information, see the section, “Create a New Application That Is Deployed from Another Network Share,” in the MDT documentation.

Details 1. In the Application Name box, type MBAM Client 64-bit. 2. Click Next.

The remaining text boxes on this page are optional and

informational only. Although they do not affect deployment of the MBAM client, completing the remaining text boxes can prove useful later when you are maintaining the deployment share.

Source 1. In the Source directory box, type the path of the \MBAM\Installers\2.0\x64 folder that contains MbamClientSetup.exe.

The Source directory box supports autocomplete, but you can click Browse to locate the files.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 41

Page

Steps

Destination 1. In the Specify the name of the directory that should be

created box, optionally edit the name of the folder that the

New Application Wizard will create in the deployment share. The wizard suggests a name based on the publisher, name, and version that you provided on the Details page.

2. Click Next.

Command Details 1. In the Command line box, type the command you want to run to install the MBAM client—for example:

MbamClientSetup.exe.exe /q

2. Click Next.

Summary 1. In the Details area, review the information that the Add New Application Wizard collected.

2. Click Next.

Progress 1. Monitor the wizard’s progress as it adds the application to your deployment share.

Confirmation 1. Review the results, and then click Finish.

If you also need to deploy the 32-bit version of MbamClientSetup.exe, repeat the New Application Wizard, changing the following:

 In step 1, in Application Name, type MBAM Client 32-bit.  In step 3, browse to the \MBAM\Installers\2.0\x86 folder.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 42

Step 4: Configure the application

After adding the application to your MDT deployment share, configure it to hide the application in the Deployment Wizard from users so they cannot prevent installation during deployment by selecting the Hide this application in the Deployment Wizard check box. Hiding the

application prevents the user from selecting the application, which could create errors in the deployment process, because the application would try to install twice and one installation would return a failure code.

To customize the MBAM client in your deployment share

1. In the Applications node of the deployment share, right-click the MBAM client application that you previously added, and then click Properties.

2. On the General tab of the application’s Properties dialog box, select the Hide this

application in the Deployment Wizard check box.

3. Click OK.

Step 5: Edit task sequences

Install the MBAM client application during operating system deployment by adding it to task sequences. By adding the MBAM client to your existing task sequences, you can install the agent automatically, with no interaction from the user. This method helps to ensure that the MBAM client is available immediately, before users log on to the computer.

To install the MBAM client in an LTI task sequence

1. In the Deployment Workbench, click Task Sequences under Deployment

Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the name of your deployment share).

2. In the results pane, right-click the task sequence to which you want to add the MBAM client, and then click Properties.

3. On the Task Sequence tab of the task sequence’s Properties dialog box, click the Install

Applications task sequence step.

This step is in the State Restore group. The task sequence editor adds the new task sequence step immediately after this step.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 43

5. Click the new Install Application task sequence step that you just added, then perform the following steps:

a. In the Name box, type Install the MBAM Client.

b. Click Install a single application, click Browse, click the MBAM client application in the Select An Item dialog box, and then click OK.

c. Optionally, on the Options tab, select the Continue on error check box. Select this check box only if you want the task sequence to continue running if the MBAM client fails to install during operating system deployment.

 Click OK to close the task sequence’s Properties dialog box.

Step 6: Configure MDT BitLocker-related settings

You can configure BitLocker-related settings by using one the following methods in LTI:  MDT properties specified in the CustomSettings.ini file or the MDT database (MDT DB)

The benefit of this method is that you can prevent configuration errors by making the configuration settings in advance. This allows you to bypass the BitLocker page in the Deployment Wizard. The following are the MDT properties that you must set to fully automate BitLocker configuration for LTI deployments and bypass the BitLocker page:  BDEDriveLetter  BDEDriveSize  BDEInstall  BDEInstallSuppress  BDERecoveryKey  TPMOwnerPassword  OSDBitLockerStartupKeyDrive  OSDBitLockerWaitForEncryption

For more information these MDT properties, see the corresponding sections in the MDT document Toolkit Reference.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 44

 The BitLocker page in the Deployment Wizard (shown in Figure 5)

The benefit of this method is that you can provide the BitLocker configuration settings at the time of deployment. This allows the user performing the deployment to make BitLocker configuration changes as required on a device-by-device basis at the time of deployment.

Figure 5. The BitLocker page in the Deployment Wizard

Step 7: Add a task sequence step to immediately initiate encryption by using the MBAM client

By default, the MBAM client initiates encryption and saves the recovery keys when configured by the MBAM Group Policy settings. However, this can leave the device in an unprotected state for a period of time.

MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 45

You can configure the MBAM client to immediately initiate encryption in a task sequence step. For more information on how to do this, see Configure the MBAM client to immediately initiate encryption during task sequence.

Zero Touch Installation and User-Driven Installation in MDT 2012

You can deploy the MBAM client by using the application model in System Center 2012 Configuration Manager. You create applications in the Applications node of the Configuration Manager console. By using System Center 2012 Configuration Manager, you can use a single deployment tool to install the MBAM client on existing computers as well as during operating system deployment:

 Deployment to existing computers. This method deploys the MBAM client to targeted

computers that already exist or deploys the MBAM client immediately after operating system deployment is complete. The advantage of this method is that it covers both scenarios (existing computers and new computers). This process will be discussed in the section, System Center 2012 Configuration Manager Application Model.

 Installation during operating system deployment. This method installs the MBAM

client during operating system deployment so that the agent is immediately available. The benefit of this method is that the encryption can be started or completed before users receive their device, and the device is protected before the user starts it for the first time. After you create the application in the Configuration Manager console, simply add an Install Application step to the operating system deployment task sequence. This process is discussed in this section.

You can deploy the MBAM client during operating system deployment by using the Zero Touch Installation (ZTI) and User-Driven Installation (UDI) processes in MDT. You do this by adding the client installation files as an application, and then adding an Install Application step for the agent to your existing operating system deployment task sequences.

By installing the MBAM client as part of the operating system deployment task sequence, ZTI and UDI install the client automatically, which ensures that that the encryption is started or completed before users receive their device and the device is protected before users starts it for the first time.. The MBAM client will be ready for use before users log on to the device for the first time.