
Microsoft BitLocker Administration and Monitoring
Deployment Guide

Microsoft BitLocker Administration and Monitoring (MBAM) is an enterprise-scalable solution for
managing BitLocker technologies, such as BitLocker Drive Encryption and BitLocker To Go. MBAM,
which is part of the Microsoft Desktop Optimization Pack, helps you improve security compliance on
devices by simplifying the process of provisioning, managing, and supporting BitLocker-protected
devices. This guide helps you choose a deployment method for MBAM and provides step-by-step
instructions for each method.

MBAM DEPLOYMENT GUIDE

| INTRODUCTION 1

Introduction
Organizations rely on BitLocker Drive Encryption and BitLocker To Go to protect data on
computers running the Windows 8.1, Windows 8, or Windows 7 operating systems; Windows to
Go; fixed data drives; and removable drives. Microsoft BitLocker Administration and Monitoring
(MBAM) version 2.5, which is included in the Microsoft Desktop Optimization Pack (MDOP) for
Microsoft Software Assurance, makes BitLocker implementations easier to deploy and manage
and allows administrators to provision and monitor encryption for operating system and fixed
data drives.

Note: For BitLocker To Go-protected removable drives, BitLocker stores the recovery keys but does
not monitor or enforce encryption.

The key benefits of using MBAM to manage BitLocker technologies are:

- Simplified provisioning and management. BitLocker deployment is easier with MBAM, because
  MBAM can be integrated with existing automated provisioning and deployment processes to
  ensure that existing and new devices are protected. You can provision BitLocker as a part of
  or after operating system deployment, then use Group Policy settings for ongoing BitLocker
  management and compliance enforcement. If drives were already encrypted with BitLocker prior
  to deploying MBAM, MBAM will escrow the recovery keys and report compliance.

- Improved compliance and reporting. Encryption and protection of sensitive information are
  essential to organizational compliance programs. MBAM includes built-in reports that provide
  the current BitLocker encryption status of devices. MBAM also audits access to BitLocker
  recovery keys and can provide reports on who accessed specific recovery key information.

- Reduced support effort. A customized MBAM Control Panel app replaces the default BitLocker
  Control Panel item and allows users to manage local MBAM and BitLocker configuration. Secure,
  web-based recovery key management portals allow help desk staff and users to recover
  BitLocker-enabled devices. Together, the customized Control Panel app and these portals allow
  users and IT staff to perform common tasks, such as managing the BitLocker PIN, without you
  having to grant administrative rights to the managed devices. Enabling self-service support
  helps reduce BitLocker-related help desk tickets by enabling users to reset their own PINs
  and recover their own BitLocker-protected drives.

To learn more about taking advantage of MBAM in your business, see the Microsoft BitLocker
Administration and Monitoring content on the Microsoft Desktop Optimization Pack website.
This guide describes how to deploy MBAM, including the server architecture, with a focus on
automating the deployment and configuration of the MBAM client to managed devices. It first
describes the MBAM components. Then, it shows you how to prepare for deployment and
provides step-by-step instructions for deploying the MBAM client by using the following tools
and technologies:

- Group Policy software installation
- Microsoft Deployment Toolkit (MDT) 2013
- Microsoft System Center 2012 R2 Configuration Manager
- Scripted installation (e.g., command prompt)

MBAM components
MBAM uses a client-server model to manage BitLocker. You can deploy MBAM in either a
stand-alone or System Center Configuration Manager Integration topology. The following
sections describe each.

MBAM Stand-alone topology


You use the MBAM Stand-alone topology (illustrated in Figure 1) when your organization does
not have an existing System Center Configuration Manager infrastructure. In this topology,
MBAM and Microsoft SQL Server provide all the necessary components. You can use the MBAM
Stand-alone topology even if your organization uses System Center Configuration Manager.
However, if your organization has a System Center Configuration Manager infrastructure and
you want to use MBAM with it, see MBAM Configuration Manager Integration topology.

Figure 1. MBAM Stand-alone topology


Table 1 describes the computers and devices in this topology and provides a brief description of
MBAM components and the role of each computer and device. The components in Table 1 are
logical, and you can define your topology in many ways (e.g., putting the MBAM databases on
different servers).

Table 1. Computers in the MBAM Stand-alone topology

Computer or device: Administration and Monitoring Server
Description: The following features are installed on this server:
- Administration and Monitoring Server. The Administration and Monitoring Server feature is
  installed on a computer running the Windows Server operating system and consists of the
  Administration and Monitoring website, which includes the reports and the Help Desk Portal,
  and the monitoring web services.
- Self-Service Portal. The Self-Service Portal is installed on a computer running Windows
  Server. The portal enables users on client computers to independently obtain a key to
  recover a locked BitLocker volume.

Computer or device: Database Server
Description: The following features are installed on this server:
- Recovery Database. The Recovery Database is installed on a computer running Windows Server
  and a supported instance of SQL Server. This database stores recovery data collected from
  MBAM client computers.
- Compliance and Audit Database. The Compliance and Audit Database is installed on a computer
  running Windows Server and a supported instance of SQL Server. This database stores
  compliance data for MBAM client computers, which is used primarily for reports that
  Microsoft SQL Server Reporting Services hosts.
- Compliance and Audit Reports. The Compliance and Audit Reports are installed on a computer
  running Windows Server and a supported instance of SQL Server that has the SQL Server
  Reporting Services feature installed. They provide MBAM reports that you can access from
  the Administration and Monitoring website or directly from the SQL Server Reporting
  Services server.

Computer or device: Management workstation
Description: The following can be downloaded and installed on the Management workstation, which
can be a computer running Windows Server or a client operating system:
- Policy Template. The Policy Template consists of Group Policy settings that define MBAM
  implementation settings for BitLocker. You can install the Policy Template on any server or
  workstation, but it is commonly installed on a management workstation, which is a supported
  Windows Server machine or client computer. The workstation does not have to be a dedicated
  computer. For more information, see the section Deploying the MBAM Group Policy settings.

Computer or device: Managed device
Description: The MBAM client is installed on the managed Windows device and has the following
characteristics:
- Uses Group Policy to enforce the BitLocker encryption of client computers in the enterprise
- Collects the recovery key for the three BitLocker data drive types: operating system drives,
  fixed data drives, and removable data (USB) drives
- Collects compliance data for the computer and passes the data to the reporting system

Computer or device: Active Directory Domain Services (AD DS) domain controller
Description: The following can be downloaded and installed on the domain controller:
- Policy Template. The Policy Template consists of Group Policy settings that define MBAM
  implementation settings for BitLocker. You can install the Policy Template on a domain
  controller so that it is available to administrators on all management computers. For more
  information, see the section Deploying the MBAM Group Policy settings.

MBAM Configuration Manager Integration topology

Use the MBAM Configuration Manager Integration topology (illustrated in Figure 2) when your
organization has an existing System Center Configuration Manager infrastructure. In this
topology, the MBAM components are distributed across the MBAM Administration and
Monitoring Server, SQL Server, and System Center Configuration Manager, and System Center
Configuration Manager runs some of the MBAM components. MBAM supports System Center 2012 R2
Configuration Manager, System Center 2012 Configuration Manager with Service Pack 1 (SP1),
and Microsoft System Center Configuration Manager 2007 with SP1 infrastructures.

Note: Windows to Go is not supported when you install the System Center Configuration Manager
Integration topology with System Center Configuration Manager 2007.

If your organization does not have a System Center Configuration Manager infrastructure, see
MBAM Stand-alone topology.

Figure 2. MBAM Configuration Manager Integration topology

The placement of the MBAM components in the MBAM Configuration Manager Integration
topology is similar to the MBAM Stand-alone topology. Table 2 describes the computers and
devices in the MBAM Configuration Manager Integration topology (illustrated in Figure 2) and
provides a brief description of the MBAM components and the role of each computer and device.

Table 2. Computers in the MBAM Configuration Manager Integration topology

Computer or device: Administration and Monitoring Server
Description: The following features are installed on this server:
- Administration and Monitoring Server. The Administration and Monitoring Server feature is
  installed on a computer running Windows Server and consists of the Administration and
  Monitoring website, which includes the audit reports, the Help Desk Portal, and the
  monitoring web services.
- Self-Service Portal. The Self-Service Portal is installed on a computer running Windows
  Server. It enables users on client computers to independently obtain a key to recover a
  locked BitLocker volume.

Computer or device: Database Server
Description: The following features are installed on this server:
- Recovery Database. The Recovery Database is installed on a computer running Windows Server
  and a supported instance of SQL Server. This database stores recovery data collected from
  MBAM client computers.
- Audit Database. The Audit Database is installed on a computer running Windows Server and a
  supported instance of SQL Server. This database stores audit details about recovery data
  access.
- Audit Reports. The Audit Reports are installed on a computer running Windows Server and a
  supported instance of SQL Server that has the SQL Server Reporting Services feature
  installed. They provide MBAM reports that you can access from the Administration and
  Monitoring website or directly from the SQL Server Reporting Services server.

Computer or device: Configuration Manager Primary Site Server
Description: The Configuration Manager Site Server collects the hardware inventory information
from client computers and is used to report the BitLocker compliance of client computers. The
following features are installed on this server:
- Compliance Reports. The Compliance Reports are installed on the computer running the
  Reporting Services point site system role. They provide MBAM reports that you can access
  from the Configuration Manager console or directly from the SQL Server Reporting Services
  server on the Reporting Services point.

Computer or device: Management workstation
Description: The following can be installed on the Management workstation, which can be a
client computer running Windows Server or a client operating system:
- Policy Template. The Policy Template consists of Group Policy settings that define MBAM
  implementation settings for BitLocker. You can install the Policy Template on any server or
  workstation, but it is commonly installed on a management workstation, which is a supported
  Windows Server computer or client computer. The workstation does not have to be a dedicated
  computer. For more information, see the section Deploying the MBAM Group Policy settings.
- Configuration Manager console. The Configuration Manager console is used to view MBAM
  reports.

Computer or device: Managed device
Description: The MBAM client and Configuration Manager client are installed on the managed
Windows device and have the following characteristics:
- Use Group Policy to enforce the BitLocker encryption of client computers in the enterprise
- Collect the recovery key for the three BitLocker data drive types: operating system drives,
  fixed data drives, and removable data (USB) drives
- Enable System Center Configuration Manager to collect hardware compatibility data about
  client computers
- Enable System Center Configuration Manager to report compliance information

Computer or device: AD DS domain controller
Description: The following can be downloaded and installed on the domain controller:
- Policy Template. The Policy Template consists of Group Policy settings that define MBAM
  implementation settings for BitLocker. You can install the Policy Template on a domain
  controller so that it is available to administrators on all management computers. For more
  information, see the section Deploying the MBAM Group Policy settings.

Preparing for deployment

MBAM requires the following services and features for both the stand-alone and Configuration
Manager topologies:

- AD DS. MBAM requires an AD DS infrastructure and that the MBAM clients be domain members.

- SQL Server. MBAM requires SQL Server for storing MBAM compliance, audit, and recovery
  information. MBAM also requires SQL Server Reporting Services for MBAM reports. For more
  information on SQL Server requirements, see the section, SQL Server database requirements,
  in the Microsoft BitLocker Administration and Monitoring 2.5 administrator's guide, which is
  available on Microsoft TechNet. For more information about deploying SQL Server in the:
  - Stand-alone topology, see Deploying MBAM in the Stand-alone topology
  - Configuration Manager Integration topology, see Deploying MBAM in the Configuration
    Manager Integration topology

- Group Policy. You manage MBAM client configuration by using Group Policy settings. MBAM
  allows you to manage BitLocker and MBAM settings from a single template. For more
  information, see Deploying the MBAM Group Policy settings.

- Web server (Microsoft Internet Information Services [IIS]). The Administration and
  Monitoring website and the Self-Service Portal run on IIS, which is installed as part of the
  Web Server (IIS) server role.

Deploying the MBAM server

You can deploy the MBAM server in either the MBAM stand-alone or MBAM Configuration
Manager Integration topology. You will deploy the MBAM server components on different
computers (virtual or physical) depending on your scale requirements and the MBAM
deployment topology you choose.

Regardless of the MBAM deployment topology selected, Microsoft recommends dedicating two
computers to MBAM: one for running the MBAM web server components and one for running
SQL Server.

Note: You can deploy MBAM in a single-server configuration. However, this configuration is
recommended for use only in test environments. For production environments, Microsoft
recommends that you use the two-server deployment configuration.

The process to install the MBAM 2.5 server software is different from earlier MBAM versions. In
earlier versions, you installed and configured the software at the same time. In MBAM 2.5, you
use a two-step process to install and configure the software, which you repeat on each server in
your topology:

1. Run MBAMserversetup.exe to install the MBAM server software.
   You can use the Microsoft BitLocker Administration and Monitoring Setup Wizard or script
   the installation by using command-line options. For more information, see the section
   Installing the MBAM 2.5 Server Software in the Microsoft BitLocker Administration and
   Monitoring 2.5 administrator's guide.
2. Perform one of the following tasks to configure the databases, reports, web apps, and
   optional System Center Configuration Manager Integration topology:
   - Use the MBAM Server Configuration Wizard.
   - Use Windows PowerShell cmdlets.

For more information, see the section Configuring the MBAM 2.5 Server Features in the
Microsoft BitLocker Administration and Monitoring 2.5 administrator's guide.

Select the MBAM deployment topology

Which MBAM deployment topology you choose is based on whether you have System Center
Configuration Manager. Use the information in Table 3 to determine which MBAM deployment
topology is right for you.

Table 3. MBAM deployment topologies and when to select them

Topology: Stand-alone topology
Description: Select this topology when your organization does not have an existing System
Center Configuration Manager infrastructure or is not planning to deploy a System Center
Configuration Manager infrastructure prior to deploying MBAM.

Topology: Configuration Manager Integration topology
Description: Integrating MBAM with System Center Configuration Manager is entirely optional.
Select this topology when your organization has an existing System Center Configuration
Manager infrastructure or is planning to deploy a System Center Configuration Manager
infrastructure prior to deploying MBAM, and your organization wants to integrate MBAM with
it. MBAM supports System Center 2012 R2 Configuration Manager, System Center 2012
Configuration Manager with SP1, and System Center Configuration Manager 2007 with SP1.

Deploy MBAM in the Stand-alone topology

Deploying MBAM in the Stand-alone topology typically uses two computers (physical or virtual)
for the MBAM components. The two-computer configuration is recommended for production
environments. Installation of all MBAM components on one computer is possible but
recommended only for lab or evaluation environments or small production environments. The
MBAM Stand-alone topology is illustrated in Figure 1 in the section MBAM Stand-alone
topology, earlier in this guide.

To deploy MBAM in the Stand-alone topology, perform the following steps:

1. Deploy a supported version of SQL Server on the designated computer.
   For more information about the versions of SQL Server that MBAM supports, see the
   section, SQL Server database requirements, in the Microsoft BitLocker Administration
   and Monitoring 2.5 administrator's guide, which is available on TechNet.
2. Configure SQL Server to support encrypted connections to the SQL Server Database
   Engine (optional).
   If you plan to secure communication between the MBAM client and the web services,
   you should also secure communication to the SQL Server Database Engine by enabling
   encrypted connections to it. For more information about how to do so, see Enable
   Encrypted Connections to the Database Engine (SQL Server Configuration Manager).
3. Create the required users and groups in AD DS.
   For more information about creating the required users and groups in AD DS, see the
   section Planning for MBAM 2.5 Groups and Accounts in the Microsoft BitLocker
   Administration and Monitoring 2.5 administrator's guide.
4. Ensure that the computer that will run the MBAM web server components has the
   necessary prerequisites.
   Note: The MBAM Web Server Installation Wizard automatically checks prerequisites before
   installing the MBAM web server components.
   For more information about MBAM server prerequisites, see the section MBAM 2.5
   Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies
   in the Microsoft BitLocker Administration and Monitoring 2.5 administrator's guide.
5. Install the MBAM server components.
   For more information about how to install the MBAM server components in the MBAM
   Stand-alone topology, see the section Deploying the MBAM 2.5 Server Infrastructure in
   the Microsoft BitLocker Administration and Monitoring 2.5 administrator's guide.
6. Register service principal names (SPNs) in AD DS.
   An SPN is the name by which a client uniquely identifies an instance of a service. The
   MBAM Server Setup program automatically registers the required SPNs in AD DS if you
   run it in an account that has Administrator rights in AD DS. Otherwise, you must ask your
   Active Directory team to register the required SPNs, as described in the section
   Registering SPNs for the application pool account in the Microsoft BitLocker
   Administration and Monitoring 2.5 administrator's guide.
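A check for step 6, added here as an example rather than taken from the guide: it reports, for the MBAM application pool account, which HTTP SPNs are registered and whether another account already holds one of them, which is exactly the list an Active Directory team needs before registering anything. The account name and host names are placeholders, HTTP as the SPN service class for an IIS-hosted site is the usual Kerberos convention, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the MBAM guide). Reports, for the MBAM application pool
# account, whether the HTTP SPN for each website host name is registered on it and
# whether any other account holds the same SPN (a duplicate breaks Kerberos for both).
# Assumptions: account and host names are placeholders; IIS sites use the HTTP SPN class.

function Test-MbamAppPoolSpn {
    [CmdletBinding()]
    param(
        # sAMAccountName of the application pool account, e.g. 'svc-mbam-apppool' (placeholder)
        [Parameter(Mandatory)] [string] $AppPoolAccount,
        # Host names clients use for the Administration and Monitoring / Self-Service sites
        [Parameter(Mandatory)] [string[]] $HostName
    )

    $account    = Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName
    $registered = @($account.servicePrincipalName)

    foreach ($name in $HostName) {
        $spn = "HTTP/$name"
        # Any other directory object carrying the same SPN; the LDAP match is exact and case-insensitive
        $others = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                    Where-Object { $_.DistinguishedName -ne $account.DistinguishedName })
        [pscustomobject]@{
            Spn        = $spn
            Registered = [bool]($registered -contains $spn)   # false = ask the AD team to add it
            Duplicate  = $others.Count -gt 0                   # true  = must be resolved first
            OtherOwner = ($others | ForEach-Object { $_.DistinguishedName }) -join '; '
        }
    }
}

# Usage with placeholder names: the short name and the FQDN of the MBAM website
Test-MbamAppPoolSpn -AppPoolAccount 'svc-mbam-apppool' -HostName 'mbam', 'mbam.contoso.com' |
    Format-Table -AutoSize
```

Rows with Registered = False and Duplicate = False are the SPNs still to be registered; a row with Duplicate = True has to be cleaned up on the other owner before registration, or Kerberos authentication to the site will fail.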

Deploy MBAM in the Configuration Manager Integration topology

Deploying MBAM in the Configuration Manager Integration topology typically uses two
computers (physical or virtual) for the MBAM components in addition to the System Center
Configuration Manager infrastructure. The two-computer configuration is recommended for
production environments. Installation of all MBAM components on one computer is possible but
recommended only for lab or evaluation environments or small production environments. In
addition, this topology requires a System Center Configuration Manager infrastructure. MBAM
has no additional system requirements for System Center Configuration Manager beyond the
standard system requirements. For more information about the system requirements for:

- System Center 2012 R2 Configuration Manager, see Supported Configurations for
  Configuration Manager
- System Center Configuration Manager 2007, see Configuration Manager Supported
  Configurations

To deploy MBAM in the Configuration Manager Integration topology, perform the following
steps:

1. Deploy a supported version of SQL Server.
   For more information about the versions of SQL Server that MBAM supports, see the
   sections SQL Server database requirements, SQL Server processor, RAM, and disk space
   requirements (Stand-alone topology), and SQL Server processor, RAM, and disk space
   requirements (Configuration Manager Integration topology), in the Microsoft BitLocker
   Administration and Monitoring 2.5 administrator's guide.
2. Create the required users and groups in AD DS.
   For more information about creating the required users and groups in AD DS, see the
   section Planning for MBAM 2.5 Groups and Accounts in the Microsoft BitLocker
   Administration and Monitoring 2.5 administrator's guide.
3. Configure the System Center Configuration Manager permissions required to install
   MBAM.
   For more information about how to do so, see the section, Required permissions to
   install MBAM with Configuration Manager, in the Microsoft BitLocker Administration
   and Monitoring 2.5 administrator's guide.
4. Edit and import the configuration.mof file.
   For more information about how to do so, see the section, Edit the Configuration.mof
   File, in the Microsoft BitLocker Administration and Monitoring 2.5 administrator's guide.
5. Edit and import the sms_def.mof file.
   For more information about how to do so, see the section, Create or Edit the
   Sms_def.mof File, in the Microsoft BitLocker Administration and Monitoring 2.5
   administrator's guide.
6. Install the MBAM web server components.
   For more information about how to install the MBAM web server components in the
   MBAM Configuration Manager Integration topology, see the section Deploying the
   MBAM 2.5 Server Infrastructure in the Microsoft BitLocker Administration and
   Monitoring 2.5 administrator's guide.
7. Register SPNs in AD DS.
   An SPN is the name by which a client uniquely identifies an instance of a service. The
   MBAM Server Setup program automatically registers the required SPNs in AD DS if you
   run it in an account that has Administrator rights in AD DS. Otherwise, you must ask your
   Active Directory team to register the required SPNs, as described in the section
   Registering SPNs for the application pool account in the Microsoft BitLocker
   Administration and Monitoring 2.5 administrator's guide.

Deploying MBAM in high-availability scenarios

MBAM 2.5 supports the following high-availability scenarios in addition to the standard
two-server and Configuration Manager Integration topologies:

- SQL Server AlwaysOn availability groups
- SQL Server clustering
- Network load balancing
- SQL Server mirroring
- Volume Shadow Copy Service Backup

MBAM is agnostic in high-availability deployments. You install and configure it the same either
way, and you can use high-availability solutions from Microsoft or other vendors. For more
information about deploying MBAM in high-availability scenarios, see the section Planning for
MBAM 2.5 High Availability in the Microsoft BitLocker Administration and Monitoring 2.5
administrator's guide.

Deploying the MBAM Group Policy settings

You use Group Policy settings to configure and manage the MBAM client. Doing so provides a
central location for configuring the client and allows you to easily configure unique settings for
different groups.

Install the MBAM Group Policy administrative templates

The MBAM administrative templates expose all of the BitLocker and MBAM client configuration
settings in the Group Policy Editor. Although previous versions of MBAM included the Group
Policy administrative templates in the installer, MBAM 2.5 does not. Instead, download the
required Group Policy templates from the Microsoft Download Center.

You can install the administrative templates on management computers or in the domain's
central store for ADMX files. Table 4 compares these methods:

- Local installation on management workstations. Install the templates on any computer from
  which you will use Group Policy to configure the MBAM client (i.e., management computers).
  (The Remote Server Administration Tools are required on PCs.) You must copy the
  administrative templates to every management computer. When editing Group Policy on
  computers that do not have the administrative templates installed, the MBAM Group Policy
  settings will not appear.

- Installation in the domain's central store for ADMX files. Optionally, install the templates
  in the central store for ADMX files to make them available to all administrators editing
  Group Policy. This method ensures that administrators can edit MBAM Group Policy settings
  even if they did not copy the administrative templates locally. However, once you create a
  central store for the domain, you only see administrative templates that are in the central
  store. Therefore, you must also copy any Windows 8.1, Windows 8, and Windows 7
  administrative templates that you want to use to the central store.

Table 4. Copying the MBAM administrative templates

Method: Copying to management computers
Advantages:
- Avoids having to populate SYSVOL with all of the administrative templates you need
- Only MBAM administrators have access to the administrative templates
Disadvantages:
- Must copy the administrative templates to every management computer

Method: Copying to the central store for ADMX files
Advantages:
- Copy once, and all administrators have access to the administrative templates
Disadvantages:
- Only administrative templates in the central store appear in the Group Policy Editor
- Must copy all administrative templates from each target operating system to the central
  store for ADMX files

Note: For more information about configuring a central store for ADMX files, see the article
Scenario 2: Editing Domain-Based GPOs Using ADMX Files. Even though this guidance was
written for Windows Server 2008, it still applies to Windows Server 2008 R2 and Windows
Server 2012.

To install the Group Policy administrative templates locally

1. Copy the ADMX files to %SystemRoot%\PolicyDefinitions on the local computer.
2. Copy the ADML files to %SystemRoot%\PolicyDefinitions\LANGUAGE on the local computer,
   where LANGUAGE is a language code (e.g., en-US).

To install the Group Policy administrative templates in the central store for ADMX files

1. Copy the ADMX files to %SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions on a
   domain controller. Create the PolicyDefinitions folder if it does not already exist.
2. Copy the ADML files to %SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions\LANGUAGE on
   a domain controller, where LANGUAGE is a language code (e.g., en-US). Create the LANGUAGE
   folder if it does not already exist.
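Both procedures above, scripted as an added example that is not part of the guide: the function copies each ADMX file together with its language-specific ADML into either the local PolicyDefinitions folder or the central store, creates the folders the guide says to create, refuses to copy an ADMX whose ADML is missing, and, for the central store, lists local templates that are not yet in the store (the Table 4 caveat that only templates in the central store appear in the editor). The download folder path is a placeholder; the central-store form must run on a domain controller because it uses the guide's SYSVOL path.

```powershell
# Added example (not from the MBAM guide). Installs the downloaded MBAM ADMX/ADML templates
# either locally or in the domain's central store, using the folder layout the guide gives.
# Assumptions: -SourcePath is where the Download Center package was extracted (placeholder);
# the CentralStore target runs on a domain controller (%SystemRoot%\SYSVOL\domain exists there).

function Install-MbamAdminTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourcePath,                      # folder holding *.admx and <lang>\*.adml
        [ValidateSet('Local', 'CentralStore')] [string] $Target = 'Local',
        [string] $Language = 'en-US'                                       # ADML language folder name
    )

    # Destination layout from the guide: ADMX in PolicyDefinitions, ADML in PolicyDefinitions\<LANGUAGE>
    $root = if ($Target -eq 'Local') {
        Join-Path $env:SystemRoot 'PolicyDefinitions'
    } else {
        Join-Path $env:SystemRoot 'SYSVOL\domain\Policies\PolicyDefinitions'
    }
    $langDir = Join-Path $root $Language

    # Create PolicyDefinitions and the LANGUAGE folder if they do not already exist
    foreach ($dir in $root, $langDir) {
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
    }

    $admxFiles = @(Get-ChildItem -LiteralPath $SourcePath -Filter *.admx -File)
    if ($admxFiles.Count -eq 0) { throw "No .admx files found in $SourcePath" }

    foreach ($admx in $admxFiles) {
        # An ADMX without its ADML makes the Group Policy Editor report a resource error,
        # so look for the matching ADML in the language folder (or beside the ADMX) first.
        $admlName = [IO.Path]::ChangeExtension($admx.Name, '.adml')
        $adml = Get-ChildItem -LiteralPath $SourcePath -Recurse -Filter $admlName -File |
                Where-Object { $_.Directory.Name -eq $Language -or $_.DirectoryName -eq $admx.DirectoryName } |
                Select-Object -First 1
        if (-not $adml) {
            Write-Warning "Skipping $($admx.Name): no $Language ADML ($admlName) found under $SourcePath"
            continue
        }
        if ($PSCmdlet.ShouldProcess($root, "Copy $($admx.Name) and $Language\$admlName")) {
            Copy-Item -LiteralPath $admx.FullName -Destination $root    -Force
            Copy-Item -LiteralPath $adml.FullName -Destination $langDir -Force
        }
    }

    if ($Target -eq 'CentralStore') {
        # Once a central store exists, only its templates appear in the editor: report local
        # templates (e.g. the Windows OS templates) that still need to be copied to the store.
        $local = Join-Path $env:SystemRoot 'PolicyDefinitions'
        Get-ChildItem -LiteralPath $local -Filter *.admx -File |
            Where-Object { -not (Test-Path -LiteralPath (Join-Path $root $_.Name)) } |
            ForEach-Object { Write-Warning "Not in central store yet: $($_.Name)" }
    }
}

# Usage (placeholder path): install locally, then preview the central-store copy with -WhatIf
Install-MbamAdminTemplate -SourcePath 'C:\Temp\MBAM25Templates' -Target Local
Install-MbamAdminTemplate -SourcePath 'C:\Temp\MBAM25Templates' -Target CentralStore -WhatIf
```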

Note: The MBAM Group Policy administrative templates are supported only on Windows
Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 operating systems.

For more information on how to install the MBAM Group Policy template, see the section,
Copying the MBAM 2.5 Group Policy Templates, in the Microsoft BitLocker Administration and
Monitoring 2.5 administrator's guide.

Create the MBAM Group Policy settings

The MBAM Group Policy administrative templates define policy settings for the MBAM client.
Microsoft recommends that you create a new GPO for each set of unique MBAM Group Policy
settings you need. For example, if you have two groups within your organization that will have
different configurations for BitLocker, create two GPOs, one for each group of settings. You can
also create a GPO for using Trusted Platform Module (TPM) only and another for using TPM and
a PIN.

MBAM Group Policy settings are in the Group Policy Management Editor under Computer
Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker
Management). Table 5 lists the categories of MBAM Group Policy settings and provides a brief
description of each. For more information on the MBAM Group Policy settings, see the section,
Planning for MBAM 2.5 Group Policy Requirements, in the Microsoft BitLocker Administration
and Monitoring 2.5 administrator's guide.

Note: With MBAM 2.5, you can enforce encryption policies on operating system and fixed data
drives. You can also limit the number of days that users can postpone encryption. Configure the
new Group Policy setting Encryption Policy Enforcement Settings in the Operating System Drive
and Fixed Drive categories that Table 5 describes. For more information, see the section Ability
to enforce encryption policies on operating system and fixed data drives in the Microsoft
BitLocker Administration and Monitoring 2.5 administrator's guide.

Table 5. MBAM Group Policy setting categories

Category: Global
Description: Used to configure global BitLocker settings, such as the drive encryption method
and cypher strength and whether a unique organizational identifier will be used. These settings
are located in the root of the MBAM Group Policy settings hierarchy.

Category: Client Management
Description: Used to configure the client management aspects of the MBAM client, such as the
configuration of the MBAM services that the client uses. These settings are located in the
Client Management node.

Category: Fixed Drive
Description: Used to configure the settings that affect encryption of fixed drives, such as
denying Write access to fixed drives not protected by BitLocker or choosing how
BitLocker-protected fixed drives can be recovered. These settings are located in the Fixed
Drive node.

Category: Operating System Drive
Description: Used to configure the settings that affect the operating system drive, such as
requiring users to encrypt the operating system drive and the methods for recovering
BitLocker-protected operating system drives. These settings are located in the Operating
System Drive node.

Category: Removable Drive
Description: Used to configure the settings that affect encryption of removable drives, such as
controlling the use of BitLocker on removable drives or choosing how BitLocker-protected
removable drives can be recovered. These settings are located in the Removable Drive node.

Configure the MBAM Group Policy settings in the GPOs that you have created (based on the
information in Table 5), and then link those GPOs to the OUs that contain the devices you will
use MBAM to manage. For more information on the MBAM Group Policy settings and the
suggested configuration, see the section, Planning for MBAM 2.5 Group Policy Requirements,
in the Microsoft BitLocker Administration and Monitoring 2.5 administrator's guide.

Manage MBAM user exemptions


In some instances, users may need to be exempt from protecting their drives by using BitLocker.
For example, users may bring their own devices as a part of a bring-your-own-device initiative
and do not want their devices to be BitLocker protected. You can exempt users from MBAM
enforcement of automatic BitLocker protection by using the Allow the user to be exempted
from BitLocker encryption Group Policy setting, which is under User
Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker
Management).
To exempt users from MBAM enforcement of automatic BitLocker protection, perform the
following steps:
1. Create a GPO, such as MBAM User Exemption Policy, that enables the Allow the user to
be exempted from BitLocker encryption Group Policy setting.
2. Create a domain security group, such as MBAM Exempt Users, that contains the user
accounts of the users to be exempted.
3. Configure the MBAM User Exemption Policy GPO (created in step 1) to apply only to the
MBAM Exempt Users domain security group (created in step 2) by using GPO security
filtering, as shown in Figure 3.

Figure 3. Configuring GPO security filtering


For more information on how to perform GPO security filtering for a specific group, see
Using Security Filtering to Apply GPOs to Selected Groups.
4. Link the MBAM User Exemption Policy GPO (created in step 1) to the OUs in which the
devices to be managed reside.
For more information on how to manage MBAM user exemptions, see the section, How to
Manage User BitLocker Encryption Exemptions, in the Microsoft BitLocker Administration and
Monitoring 2.5 administrator's guide.
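
The four exemption steps above, scripted with the ActiveDirectory and GroupPolicy Windows PowerShell modules, as an added example that is not part of this guide. The group, GPO and OU names are placeholders. The exemption setting itself must still be enabled in the Group Policy Management Editor, because the GroupPolicy module has no cmdlet that sets an administrative template setting by its display name. Authenticated Users deliberately keeps Read (but not Apply) permission on the GPO: a GPO that the computer account cannot read is not processed, and the exemption would then silently fail to apply.

```powershell
# Added example, not from the MBAM deployment guide: scripts steps 1 to 4 of
# the user exemption procedure. Group, GPO and OU names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'MBAM Exempt Users'                    # placeholder (step 2)
$GpoName   = 'MBAM User Exemption Policy'           # placeholder (step 1)
$TargetOU  = 'OU=Workstations,DC=corp,DC=example'   # placeholder DN (step 4)

# Step 2: security group holding the user accounts to exempt
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users exempted from MBAM-enforced BitLocker encryption'
}

# Step 1: the GPO. Enable "Allow the user to be exempted from BitLocker
# encryption" (User Configuration\Administrative Templates\Windows Components\
# MDOP MBAM (BitLocker Management)) in the Group Policy Management Editor;
# the GroupPolicy module cannot set an ADMX setting by its name.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Exempts the MBAM Exempt Users group from BitLocker enforcement' | Out-Null
}

# Step 3: security filtering. Only members of the group may apply the GPO.
# Authenticated Users keeps Read (not Apply): a GPO the computer account
# cannot read is not processed at all.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 4: link the GPO to the OU (skipped if it is already linked)
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Check: the only trustee with Apply permission should be the exempt group.
# Review this whenever the group's membership changes; an exemption is a
# standing gap in encryption enforcement for everyone in the group.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission
```

Run the script once from an administrative workstation with the Remote Server Administration Tools installed; the final command prints the trustees that can apply the GPO so that you can confirm the filtering took effect.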

Deploying the MBAM client


You must install the MBAM client on each device you will use MBAM to manage. The client is
available in 64-bit and 32-bit versions that are stored in the MBAM\Installers\2.5\x64 and
MBAM\Installers\2.5\x86 folders, respectively, on the MBAM source media. Select the
appropriate version based on the target operating system.
The MBAM client installation files include:

- MbamClientSetup.exe. This Setup program contains the MBAM client and is
  appropriate for methods that require an .exe file, such as scripted installation. This
  program passes any installer properties you use on its command line to the Windows
  Installer package file.

- MBAMClient.msi. This Windows Installer package contains the MBAM client and is
  appropriate for deployment methods that require an .msi file, such as Group Policy
  software deployment.

You can easily deploy the MBAM client by using almost any software or operating system
deployment tool. Table 6 lists the deployment methods that this guide describes and offers
suggestions for when to use each. You can also use a combination of these methods. For
example, you could use MDT to deploy the MBAM client during operating system deployment
and use Group Policy to deploy the MBAM client to existing computers.

To drive consistency across MBAM client installations, use highly
automated techniques to perform MBAM client deployments. For
example, if you choose command-line deployment, ensure that you
automate installation by using scripts (e.g., Windows PowerShell or batch
scripts).

Table 6. Choosing a deployment method

Method                  Use this method when
Group Policy            - You do not use an electronic software distribution (ESD)
                          solution, such as System Center Configuration Manager or MDT
                        - You already deploy software by using Group Policy
                        - You want to deploy the MBAM client to existing computers
                        - You want to deploy the MBAM client after operating
                          system images are deployed
                        - Computers have high-speed, persistent connections to the
                          network share containing the installation files
MDT 2013                - You use MDT for operating system deployment
                        - You want to deploy the MBAM client during operating
                          system deployment
System Center           - You already use System Center Configuration Manager for
Configuration Manager     application and operating system deployment
                        - You want to use one tool to deploy the MBAM client to
                          existing computers or during operating system deployment
                        - Computers have high-speed, persistent connections to the
                          distribution points in which the MBAM client installation
                          files reside
Scripted Installation   - You want to script installation as part of operating system
                          installation, and you are not using MDT or System
                          Center Configuration Manager
                        - You want to deploy the MBAM client by using a non-Microsoft ESD system
                        - Computers might not have high-speed, persistent
                          connections to the enterprise network, and installation
                          from local media might be required

Installing the MBAM client remotely


If you do not have an ESD system (e.g., System Center Configuration
Manager) and you do not want to use Group Policy to install the MBAM
client, you can use scripts to install it. You must install the MBAM client
from an elevated command prompt, however, so users with restricted
accounts cannot run scripts that install the MBAM client. A variety of
tools and techniques are available to work around this limitation.
Examples include:

- Use Windows PowerShell Remoting to run the MBAM client Setup program on a list
  of remote computers. For more information about Windows PowerShell Remoting,
  see the TechNet article, Running Remote Commands.

- Use the Windows Sysinternals PsExec tool to run processes remotely with specific
  credentials. For more information about PsExec and the other amazing tools in the
  Sysinternals toolset, see the TechNet article, PsTools.

- Use Group Policy preferences to schedule a job in Task Scheduler that runs the
  MBAM client installation on targeted computers with credentials that you specify in
  the task. For more information about scheduling tasks by using Group Policy
  preferences, see the TechNet article, Configure a Scheduled Task Item.

In addition, many non-Microsoft tools are available to script the installation of programs
that require elevated permissions. Many of them are free or have a nominal cost.
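
The Windows PowerShell Remoting approach from the list above, as an added example that is not part of this guide: install MBAMClient.msi on a list of computers from an administrator's workstation. The computer names, the share path and the log folder are constructed placeholders. The script assumes that Windows PowerShell Remoting is enabled on the targets and that the account running it is a local administrator on them. It copies the package to each computer before running msiexec there instead of pointing msiexec at the UNC path from inside the remote session, because a remote session's credentials are not passed on to a second server (the file server), so an install straight from the share fails with an access-denied error. Whether the MBAM 2.5 package needs additional installer properties on the command line is not covered here; add any your version requires to the argument list.

```powershell
# Added example, not from the guide: installs the MBAM client on a list of
# remote computers over Windows PowerShell Remoting. Names and paths are
# constructed placeholders.
$Computers = 'PC-001', 'PC-002'                                # constructed list
$Source    = '\\SERVER\MBAM_Client_Setup\x64\MBAMClient.msi'   # placeholder share path
$LogDir    = 'C:\MBAM_Client_Setup_Logs'                       # placeholder on the admin workstation

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

foreach ($Computer in $Computers) {
    # Stage the package locally on the target through its administrative share.
    # Running msiexec against the UNC path from inside the remote session would
    # hit the second network hop, where the session's credentials are not available.
    $Staged = "\\$Computer\C$\Windows\Temp\MBAMClient.msi"
    Copy-Item -Path $Source -Destination $Staged -Force

    # Run the installer in the remote session; remoting sessions carry a full
    # administrator token, which is the elevation the MBAM client setup needs.
    $ExitCode = Invoke-Command -ComputerName $Computer -ScriptBlock {
        $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
            '/i', 'C:\Windows\Temp\MBAMClient.msi', '/qn', '/norestart',
            '/l*v', 'C:\Windows\Temp\MBAMClient.log'
            # add any installer properties your MBAM version requires here
        )
        Remove-Item -Path 'C:\Windows\Temp\MBAMClient.msi' -Force
        $p.ExitCode
    }

    # Windows Installer: 0 = success, 3010 = success but a restart is required
    switch ($ExitCode) {
        0    { "$Computer : installed" }
        3010 { "$Computer : installed, restart required" }
        default {
            Copy-Item -Path "\\$Computer\C$\Windows\Temp\MBAMClient.log" `
                      -Destination "$LogDir\$Computer.log" -Force
            "$Computer : FAILED (msiexec exit code $ExitCode), log copied to $LogDir"
        }
    }
}
```

The per-computer result lines and the collected logs give you the evidence to reconcile against the MBAM compliance reports later. If you use the scheduled-task variant from the list instead, run the task as the local SYSTEM account rather than entering an account and password in the task item: a password stored in a Group Policy preference is readable by every computer that applies the policy.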

BitLocker partition configuration requirements


BitLocker requires that the partitions on the targeted devices be configured properly to support
BitLocker. Ensure that the targeted devices have the correct partition configuration to support
BitLocker prior to deploying the MBAM client.
BitLocker requires the following partitions:

- System partition. This unencrypted partition is used to start the target device. The system
  partition must have a minimum of 100 MB of space, but larger partitions are recommended.
  If the system partition is 300 MB or larger, the Windows Recovery Environment is
  automatically copied to the partition when BitLocker is enabled. By default, MDT
  automatically creates a 512-MB system partition.

- Windows partition. This encrypted partition contains the Windows operating system,
  applications, and user data. It must meet the minimum required available disk space for the
  desired operating system.

In addition to the BitLocker partition requirements, the device may have
requirements such as those for Unified Extensible Firmware Interface
(UEFI). For more information on the recommended partition configuration
for BIOS and UEFI devices, see 5.1 Create a DiskPart script in Step-by-Step: Windows 8 Deployment for IT Professionals.

For new device deployments or when you are replacing an existing device with a new device, the
operating system deployment process automatically creates the appropriate partitions. This is
true if you are performing the deployment by using the operating system deployment media or
by using automated processes such as MDT or System Center 2012 R2 Configuration Manager.
However, in refresh device deployment scenarios, the existing device may have a partition
configuration that is inappropriate for BitLocker, for example, refreshing the Windows XP
operating system on an existing device with Windows 8. In these scenarios, you may need to
repartition the drive to support BitLocker before performing operating system deployment and
deploying the MBAM client. Ensure that you create the partitions based on the
recommendations in section 5.1 Create a DiskPart script in Step-by-Step: Windows 8 Deployment
for IT Professionals.
For more information about how MDT creates disk partitions, see the section, Review the
Default Partition Configuration Created by MDT, in the MDT document Using the Microsoft
Deployment Toolkit. Repartitioning of targeted devices in refresh device deployment scenarios is
discussed in the sections for each MBAM client deployment method.

TPM and MBAM client deployment


The TPM is a microchip that stores the private portion of security keys that are kept separate
from the memory that the operating system controls. BitLocker uses these keys to encrypt data.

On Windows 8 and Windows 8.1, MBAM supports computers that do not
have a TPM. However, MBAM requires a password protector on these
computers.

BitLocker and MBAM have the following dependencies on the TPM:

- The TPM must be physically enabled. The TPM must be physically enabled on the targeted
  device before BitLocker and MBAM can use it. Enable the TPM by using the BIOS or UEFI
  on the device or by using scripts to automate the process.

- Set ownership of the TPM. Taking ownership of the TPM allows MBAM help desk
  personnel to provide users with a file they can use to reset the TPM on their devices.
  However, it is not required that MBAM own the TPM. Windows can automatically provision
  and take ownership of the TPM, which allows TPM management within Windows. If
  Windows owns the TPM, MBAM will be unable to help users reset the TPM on their device.

Enable the TPM


BitLocker requires that the TPM be physically enabled on the device prior to protecting any fixed
or removable drives on the managed device. In some cases, the TPM can be disabled in the BIOS
or UEFI, which will prevent BitLocker and MBAM from accessing its functionality. The software
and process for enabling TPM at the hardware level is unique for each device hardware
manufacturer and sometimes within models. For fully automated deployment, such as MDT or
System Center Configuration Manager, ensure that the TPM for the device is physically enabled
within the BIOS or UEFI prior to image deployment.

In addition, enabling the TPM may require that the administrator
password for the BIOS or UEFI be configured. Some hardware vendor
tools allow you to temporarily set the administrator password, enable the
TPM, and then remove the password. Please consult the documentation
from the hardware vendor specific to the BIOS or UEFI for the device.

Most hardware vendors provide software that allows you to enable the TPM from the command
line. For information about the software for enabling a TPM from a command line, contact each
specific hardware vendor.
For information on how to run the software to enable the TPM from a command line for each
deployment method, see the step for enabling the TPM on targeted devices in the following
sections:

- Group Policy software installation
- LTI in MDT 2013
- ZTI and UDI in MDT 2013
- System Center 2012 R2 Configuration Manager
- Scripted installation

Set the ownership of the TPM


The TPM can have only one owner. In this context, the choices are MBAM or the operating
system. Configure TPM ownership based on the operating system on the target device.

With Windows 8 and Windows 8.1, if you pre-provision BitLocker during
bare-metal Windows deployment, MBAM cannot take ownership of the
TPM or store the recovery password. For MBAM to take ownership of the
TPM and store the recovery password, you must disable auto-provisioning
and clear the TPM before deploying MBAM, and then allow MBAM to
provision BitLocker.

Table 7 lists the operating systems and the recommendation for configuring TPM ownership.
There are advantages to MBAM owning the TPM and storing recovery passwords versus the
operating system doing the same:

- The OwnerAuth password file is more secure, because fewer people have access to the
  MBAM database that stores the file.

- MBAM reports provide information about all recovery activity.

- MBAM help desk users can use the Administration and Monitoring website to provide
  recovery passwords to users if their TPM is locked.

Table 7. Operating systems and ownership of the TPM

Operating system        Ownership
Windows 8.1 and         Use only one of the following:
Windows 8               - MBAM owns the TPM. If MBAM has ownership, then
                          MBAM can be used to help reset the TPM.
                        - Windows 8 owns the TPM. If Windows 8 has ownership,
                          then the user can use Windows 8 to help reset the TPM.
Windows 7               MBAM owns the TPM, which allows MBAM to help reset the
                        TPM.

Windows 8.1 and Windows 8 automatically provision the TPM. If you want MBAM to store and
manage TPM recovery keys, you must turn off TPM auto-provisioning in the operating system
and clear the TPM, which the following Windows PowerShell commands do, before deploying
MBAM. Then, restart the computer and confirm that you want to clear the TPM.
# Get an instance of the TPM WMI class
$tpm=get-wmiobject -class Win32_Tpm `
-namespace root\cimv2\security\microsofttpm
# Disable TPM auto-provisioning
$tpm.DisableAutoProvisioning()
# Clear the TPM
$tpm.SetPhysicalPresenceRequest(22)

After disabling auto-provisioning and clearing the TPM, deploy MBAM and use it to provision
the TPM. You must ensure that the Require TPM Backup to AD DS option is not set in the
Turn on TPM backup to Active Directory Domain Services Group Policy setting. See the
section, Configure MBAM to own the TPM and store OwnerAuth passwords, in the Microsoft
BitLocker Administration and Monitoring 2.5 administrator's guide for more information.
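
An added readiness check, not from this guide, that tests a device against the partition requirements from the section BitLocker partition configuration requirements and against the TPM state and policy conditions described in this section, before the MBAM client is deployed. It assumes an elevated Windows PowerShell session on Windows 8 or later (Get-Partition comes from the Storage module that those versions ship). The 100 MB and 300 MB thresholds are the guide's; the registry location used to detect the Turn on TPM backup to Active Directory Domain Services policy is an assumption to verify against your TPM ADMX file.

```powershell
# Added example, not from the guide: pre-deployment readiness check for the
# BitLocker partition requirements and the TPM prerequisites described above.
function Test-MbamReadiness {
    $r = [ordered]@{}

    # --- Partition requirements. System partition: unencrypted, at least 100 MB;
    # 300 MB or more lets BitLocker place the Windows Recovery Environment on it.
    # The Windows partition (IsBoot) must be a separate partition.
    $sys = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
    $r.SystemPartitionMB        = if ($sys) { [math]::Round($sys.Size / 1MB) } else { 0 }
    $r.SystemPartitionOk        = $r.SystemPartitionMB -ge 100
    $r.SystemPartitionWinRE     = $r.SystemPartitionMB -ge 300
    $r.SeparateWindowsPartition = [bool](Get-Partition | Where-Object { $_.IsBoot -and -not $_.IsSystem })

    # --- TPM state. Each Win32_Tpm query method returns an object whose
    # same-named property carries the answer, e.g. IsEnabled().IsEnabled.
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
    $r.TpmPresent = [bool]$tpm          # no TPM: Windows 8/8.1 then needs a password protector
    if ($tpm) {
        $r.TpmEnabled   = [bool]$tpm.IsEnabled().IsEnabled
        $r.TpmActivated = [bool]$tpm.IsActivated().IsActivated
        $r.TpmOwned     = [bool]$tpm.IsOwned().IsOwned
        # Auto-provisioning exists on Windows 8 and later; the method is absent on Windows 7
        try   { $r.TpmAutoProvisioning = [bool]$tpm.IsAutoProvisioningEnabled().IsAutoProvisioningEnabled }
        catch { $r.TpmAutoProvisioning = $null }
    }

    # --- Policy: "Require TPM backup to AD DS" must not be set if MBAM is to own the TPM.
    # ASSUMPTION: registry path and value name of that policy; confirm in your TPM ADMX.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
    $r.RequireTpmBackupToAdDs = [bool]($pol -and $pol.RequireActiveDirectoryBackup -eq 1)

    # Ready for MBAM to take TPM ownership: present, enabled, activated, not yet
    # owned, auto-provisioning off (or not applicable), no AD DS backup requirement.
    $r.ReadyForMbamTpmOwnership = $r.TpmPresent -and $r.TpmEnabled -and $r.TpmActivated -and
        -not $r.TpmOwned -and ($r.TpmAutoProvisioning -ne $true) -and -not $r.RequireTpmBackupToAdDs

    [pscustomobject]$r
}

Test-MbamReadiness | Format-List
```

A device that reports TpmOwned as True with TpmAutoProvisioning True is one where Windows already took ownership; for those, the DisableAutoProvisioning and SetPhysicalPresenceRequest commands above, followed by the restart and the physical-presence confirmation, are what brings the device to a state where MBAM can own the TPM.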

TPM and BitLocker pre-provisioning


BitLocker pre-provisioning enables BitLocker encryption for a drive volume prior to Windows
operating system deployment. BitLocker pre-provisioning occurs while in the Windows
Preinstallation Environment (Windows PE) by using the Manage-bde.exe BitLocker command-line
utility. Automated operating system deployment methods, such as MDT and System
Center 2012 R2 Configuration Manager, automatically perform BitLocker pre-provisioning for
Windows 8.1, Windows 8, and Windows 7 if you are using Windows PE 4.0 or later and the TPM
is enabled.

In System Center Configuration Manager, the built-in step Pre-provision
BitLocker enables the AES128 encryption method by default. Most
businesses prefer to use the stronger AES256 encryption method. In this
case, you can replace the built-in step with a command-line step that runs
the following command: manage-bde -on %OSDrive% -UsedSpaceOnly
-em aes256.

To perform BitLocker pre-provisioning, the TPM must be enabled by one of the following
methods:

- Manually configuring the BIOS or UEFI. This method requires that the user performing
  the deployment manually enable the TPM in the BIOS or UEFI. After the TPM is manually
  enabled, the operating system deployment can go on as normal.

- Automatically by running a script or other software. Most device vendors have
  scripts or software that allows you to enable the TPM automatically. However, these
  scripts or other software may need to run in a full Windows operating system (not in
  Windows PE). In instances where the script or software is unable to run in Windows PE
  and you require fully automated deployment, you cannot use BitLocker pre-provisioning.

If you cannot use BitLocker pre-provisioning, you must enable BitLocker after the operating
system is deployed and the full operating system is running. The length of time to encrypt after
the operating system is deployed depends on the operating system, as shown in Table 8.

Table 8. Encryption behavior after the operating system is deployed

Operating system        Encryption behavior
Windows 8               Can use the Used Disk Space Only feature to reduce the
                        amount of time needed to encrypt the drive. This is the
                        default behavior for MDT task sequences.
Windows 7               Can use the Used Disk Space Only feature to reduce the
                        amount of time needed to encrypt the drive when using
                        Windows PE 4.0 or a later version. This is the default behavior
                        for MDT task sequences.

Starting MBAM encryption immediately during task sequences


If you deploy the MBAM client during operating system deployment, the client does not
immediately initiate encryption by default, because the MBAM client is typically configured by
Group Policy settings. That configuration occurs after the operating system is deployed and the
user starts it for the first time. As a result, the targeted device may be in an unprotected state
the first time the user starts the device, and MBAM will not have saved the recovery keys and
other secrets.
To ensure that devices are in a fully protected state and that MBAM has saved the recovery keys,
configure the MBAM client to immediately initiate encryption during the operating system task
sequence. The section How to Deploy the MBAM Client as Part of a Windows Deployment in
the Microsoft BitLocker Administration and Monitoring 2.5 administrator's guide describes steps
to start MBAM encryption immediately. You can write scripts to automate this process during a
task sequence.
Better yet, you can download ready-to-use scripts from Alexey Semibratov's blog post titled
Start MBAM encryption on BitLocker pre-provisioned and Windows To Go drives. Download
MBAMAgent-Policy.zip from the blog post (the link is below the blog post), and copy the
following files from it:

- ZTIPrepareBDE.wsf. The script ZTIBDE.wsf in MDT pre-provisions BitLocker, but it does
  not support MBAM. ZTIPrepareBDE.wsf replaces ZTIBDE.wsf. If running from Windows PE,
  it prepares the TPM and pre-provisions BitLocker for MBAM. The property
  OSDBitLockerMode must be set to TPM. Run this script early in the task sequence,
  preferably in the Preinstall Phase, and set the condition Task sequence variable
  _SMSTSWTG not equals TRUE so that it does not run on Windows To Go. Disable the
  existing Enable BitLocker (Offline) step in the Preinstall Phase. You can also run this
  script in the State Restore phase of Refresh scenarios to partition the drive for BitLocker,
  if it is running from a live operating system with a single partition occupying the entire
  hard drive.

- StartMBAMEncryption.wsf. This script starts MBAM encryption, which in turn reports
  the recovery key to the MBAM database. When you run this script from a task sequence,
  you must set the command-line option MBAMServiceEndPoint to the URL of the
  MBAM service end point. Run this script later in the task sequence, preferably in the
  State Restore Phase, after installing the MBAM client on the computer. Disable the
  existing Enable BitLocker step in the State Restore Phase.

Both scripts rely on the ZTIDiskUtility.wsf, ztiRunCommandHidden.wsf, and ZTIUtility.wsf scripts
that MDT provides. The file MBAMAgent-Policy.zip also provides these files. In System Center
Configuration Manager, you can create a separate package for ZTIPrepareBDE.wsf and
StartMBAMEncryption.wsf, and then run the scripts from that package. If you choose this route,
include ZTIDiskUtility.wsf, ztiRunCommandHidden.wsf, and ZTIUtility.wsf in the package.
Alternatively, you can simply copy ZTIPrepareBDE.wsf and StartMBAMEncryption.wsf to the MDT
Scripts folder and run them from there.
Finally, set the following property:
OSDBitLockerMode=TPM

Group Policy software installation


You can install a 64-bit or 32-bit version of MBAMClient.msi by using Group Policy software
installation. (You cannot run MbamClientSetup.exe with Group Policy.) You must create a
network share for the MBAM client installation files, and then create a GPO that installs the
appropriate Windows Installer package file on each computer.

To target MBAM client installation, link the GPO to specific OUs, use security filtering, or use
Windows Management Instrumentation (WMI) filtering. For example, you can filter the GPO to
target computers in a particular security group or computers that are running Windows 8 or
Windows 7.

You cannot use command-line options when you use Group Policy to
deploy the MBAM client. In this scenario, the easiest way to configure the
MBAM client is to use the MBAM Group Policy administrative templates.
Alternatively, you can create a transform for the MBAM client Windows
Installer package files and apply that transform when you create the GPO.

Step 1: Ensure that partitions on targeted devices are configured for BitLocker
Before you can enable encryption with MBAM, you must ensure that the partitions on the
targeted devices are configured properly for BitLocker deployment. Group Policy software
installation-based deployments are always performed on devices where the operating system
has been deployed. Ensure that the partitions on the targeted devices are configured properly
for BitLocker deployment, as described in the section, BitLocker partition configuration
requirements in this guide.

If the partitions on a targeted device are not configured properly for
BitLocker deployment, consider refreshing the operating system on the
device to create the proper partitions. For more information, see the
section Lite Touch Installation in MDT 2013 or Zero Touch Installation
and User-Driven Installation in MDT 2013.

Step 2: Enable the TPM on targeted devices


Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices.
The process for enabling the TPM is different for each device manufacturer and sometimes even
across models within a device manufacturer. The high-level process for automatically enabling
the TPM is as follows:
1. Package the vendor-specific software for enabling TPM as an .msi package.
In some instances, the vendor-specific software may be scripts and cannot be easily
packaged as an .msi file. In these instances, use one of the other methods for enabling
TPM.
2. Create a network shared folder that contains the .msi package created in the previous
step.
3. Create a GPO to install the .msi package (such as Enable TPM Policy).
4. Configure the existing MBAM client installation GPO (MBAM Client Installation) to use a
WMI query to determine whether the TPM is enabled on targeted devices.
5. Target the Enable TPM Policy GPO for different processor versions (64 bit or 32 bit), if
applicable.
6. Link the Enable TPM Policy GPO to the appropriate OUs.
Step 3: Share the installation files
You must create a network share that contains the MBAM client Setup files. This network share
must be accessible to all computers on which you want to install the MBAM client. Grant Read
access to the Domain Computers group or to the Authenticated Users group.
To create and share a folder for the MBAM client installation files
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and
MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM client
installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 9
describes. To configure NTFS file system permissions, right-click the folder, click
Properties, and then click Advanced on the Security tab.

Table 9. NTFS file system permissions for the distribution folder

Account                 Permissions             Applies to
Administrators          Full control            This folder, subfolders, and files
Authenticated Users     Read and Execute        This folder, subfolders, and files

3. Share the folder MBAM_Client_Setup by using the permissions that Table 10 describes. To
configure share permissions, right-click the folder, click Properties, and then click
Advanced Sharing on the Sharing tab.

Table 10. Share permissions for the distribution folder

Account                 Permissions
Authenticated Users     Read

4. Copy the contents of the MBAM\Installers\2.5 folder from the MBAM distribution media
to \\SERVER\MBAM_Client_Setup.
The MBAM\Installers\2.5 folder includes the x64 and x86 folders, which contain the 64-bit
and 32-bit versions of the MBAM client, respectively. Copy the entire contents of the
folder so that both versions are available for deployment.
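
The four steps above as a Windows PowerShell script, an added example that is not part of this guide, to be run on the file server as an administrator. The local folder path and the media path are placeholders. The NTFS entries are those of Table 9 and the share entry is that of Table 10; the script additionally keeps SYSTEM with full control, which Table 9 does not list, and marks that in a comment. The final two commands print the resulting share and NTFS entries so that you can confirm clients have read-only access: every computer that applies the GPO installs whatever is in this share, so nothing but administrators should be able to write to it.

```powershell
# Added example, not from the guide: creates and shares the distribution
# folder with the permissions in Tables 9 and 10. Paths are placeholders.
$ShareName = 'MBAM_Client_Setup'
$Path      = "D:\Shares\$ShareName"      # placeholder local folder on SERVER
$Media     = 'E:\MBAM\Installers\2.5'    # placeholder: path to the MBAM source media

# Step 1: create the folder
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Step 2: NTFS permissions (Table 9). Inheritance is disabled so that only the
# entries set here apply. "This folder, subfolders, and files" is expressed by
# the ContainerInherit + ObjectInherit flags.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    @{ Identity = 'BUILTIN\Administrators';           Rights = 'FullControl' },     # Table 9
    @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute' },  # Table 9
    @{ Identity = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' }      # not in Table 9; kept for backup and AV agents
)
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop the inherited entries
foreach ($rule in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule.Identity, $rule.Rights, $inherit, 'None', 'Allow')))
}
Set-Acl -Path $Path -AclObject $acl

# Step 3: share permissions (Table 10): Read for Authenticated Users only
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ReadAccess 'Authenticated Users' | Out-Null
}

# Step 4: copy the x64 and x86 folders from the media
Copy-Item -Path "$Media\*" -Destination $Path -Recurse -Force

# Verify: clients should have read access only, at both the share and NTFS level
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight -AutoSize
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```
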
Step 4: Create a GPO to install the MBAM client
You create GPOs by using the Group Policy Management Console (GPMC) on a server or on a
client running the Remote Server Administration Tools. You can create a GPO that installs only
the MBAM client, or you can configure the MBAM client by using the same GPO to keep all of
your MBAM policies in one location. The steps in this section install both the x64 and x86 agents
by using a single GPO, allowing Group Policy to determine the correct version to install.
To create and edit a GPO to deploy the x64 and x86 MBAM client
1. In the GPMC, create a new GPO for MBAM client installation (e.g., MBAM Client
Installation):
a. Right-click Group Policy Objects under Forest\Domains\Domain, and then click
New.
b. In the Name box, type MBAM Client Installation, and then click OK.
2. In the navigation pane, right-click MBAM Client Installation, and then click Edit.

3. In the Group Policy Management Editor, right-click Software Installation in Computer
Configuration\Policies\Software Settings, point to New, and then click Package.
4. In File name, type the Universal Naming Convention (UNC) path and name of the 64-bit
version of MBAMClient.msi in the x64 folder, and then click Open.
Make sure you open the file from the network share you created earlier and not from a
local path.
5. In the Deploy Software dialog box, click Advanced, and then click OK.
6. In the Name box on the General tab of the MDOP MBAM Properties dialog box,
append x64 to the end of the name, and then click OK.
This will help you to distinguish between the x86 and x64 versions later.
7. In the Group Policy Management Editor, right-click Software Installation in Computer
Configuration\Policies\Software Settings, point to New, and then click Package.
8. In File name, type the UNC path and name of the 32-bit version of MBAMClient.msi in
the x86 folder, and then click Open.
Make sure you open the file from the network share you created earlier and not from a
local path.
9. In the Deploy Software dialog box, click Advanced, and then click OK.
10. In the MDOP MBAM Properties dialog box, complete the following steps, and then
click OK:
a. On the General tab, in the Name box, append x86 to the end of the name.
b. On the Deployment tab, click Advanced; then, clear the Make this 32-bit X86
application available to Win64 machines check box and click OK.
Clearing this check box prevents Group Policy from installing the 32-bit MBAM client
on 64-bit operating systems, ensuring that the correct version of the MBAM client is
installed for each system type.
11. Close the Group Policy Management Editor.

Step 5: Link the GPO to OUs


You must link the MBAM Client Installation GPO to OUs to install the agent on the computers in
those OUs. You can link the GPO to individual OUs. If the computers you want to target for
installation are in multiple OUs, you can link the GPO to the domain and use security or WMI
filtering to limit installation to specific computers, types of computers, or Windows versions,
which is discussed in the section, Step 6: Optionally target the GPO.
To link the GPO to an OU
1. In the GPMC, right-click the OU to which you want to link the MBAM Client Installation
GPO, and then click Link an Existing GPO.
2. In the Group Policy objects list in the Select GPO dialog box, click MBAM Client
Installation, and then click OK.
Step 6: Optionally target the GPO
When you link the MBAM Client Installation GPO to an OU, Group Policy applies the GPO to all
computers in that OU, installing the MBAM client on them. In some cases, however, this might
not be desirable. You can target MBAM client deployment to specific computers within an OU
by using security or WMI filtering. See Table 11 for more information.

Table 11. Filtering the MBAM Client Installation GPO

Method                  Description
Security filtering      This filtering method allows you to target specific computers based on
                        membership in AD DS security groups. The members of the security group
                        can be computer objects or other security groups containing computer
                        objects. You control the deployment of the MBAM client to specific
                        computers by adding or removing them from the security group. For more
                        information about security filtering, see Filter Using Security Groups.
WMI filtering           This filtering method allows you to target specific computers based on a
                        WMI query. For example, you could use a WMI query to target the
                        operating system version on computers and deploy the MBAM client only
                        if the operating system is Windows 8 or Windows 7.
                        You create a WMI filter separately, and then link the WMI filter to the GPO
                        that you created to deploy the MBAM client. For more information about
                        WMI filtering and how to create a WMI filter, see Work with WMI Filters.
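
An added example, not from this guide, for testing a WMI filter before you link it to the MBAM Client Installation GPO. Group Policy evaluates a WMI filter by running each of its queries on the client; the filter passes only if every query returns at least one instance, and the small function below evaluates candidate queries the same way. The two queries are constructed for this example: the first matches the Windows 7, Windows 8 and Windows 8.1 client versions mentioned in Table 11, and the second expresses the TPM-enabled condition from item 4 of Step 2.

```powershell
# Added example, not from the guide: evaluates candidate WMI filter queries on
# the local computer the way Group Policy does (all queries must return at
# least one instance for the filter to apply).
function Test-GpoWmiFilter {
    param([hashtable[]]$Queries)   # each entry: @{ Namespace = '...'; Query = '...' }
    foreach ($q in $Queries) {
        $hits = @(Get-CimInstance -Namespace $q.Namespace -Query $q.Query -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Query = $q.Query; Matches = $hits.Count; Passes = ($hits.Count -gt 0) }
    }
}

# Constructed query 1 (Table 11): client editions of Windows 7 (6.1), Windows 8 (6.2)
# and Windows 8.1 (6.3). ProductType = 1 excludes servers built on the same kernel versions.
$osFilter = @{
    Namespace = 'root\CIMv2'
    Query     = "SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 AND (Version LIKE '6.1%' OR Version LIKE '6.2%' OR Version LIKE '6.3%')"
}

# Constructed query 2 (Step 2, item 4): install only where the TPM is enabled.
# The Win32_Tpm class lives in its own namespace, which the GPMC filter editor lets you set per query.
$tpmFilter = @{
    Namespace = 'root\CIMv2\Security\MicrosoftTpm'
    Query     = 'SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = TRUE'
}

$results = Test-GpoWmiFilter -Queries $osFilter, $tpmFilter
$results | Format-Table -AutoSize
"The combined filter would apply to this computer: {0}" -f (-not ($results.Passes -contains $false))
```

Run it on one computer of each type you expect to include and one of each you expect to exclude; a query that matches nowhere is usually a wrong namespace or a typo in the property name rather than a genuinely absent condition. WMI filters are evaluated on every Group Policy refresh, so keep the queries few and cheap.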

Lite Touch Installation in MDT 2013


You can deploy the MBAM client during operating system deployment by using the Lite Touch
Installation (LTI) process in MDT. You do this as part of the LTI process by adding the client
installation files as an application, and then adding an Install Application step for the agent to
your existing operating system deployment task sequences.
By installing the MBAM client as part of the operating system deployment task sequence, MDT
installs the client automatically, which ensures that encryption is started or completed before
users receive their device, so the device is protected before they start it for the first time.
The MBAM client will be ready for use before users log on to the device for the first time.

Windows 8.1 and Windows 8 include the BitLocker Used Disk Space Only
encryption feature, which encrypts only the disk space currently in use
instead of the entire disk volume. This feature dramatically reduces the
time required to encrypt a volume. By default, MDT automatically
performs Used Disk Space Only encryption to reduce deployment time
when enabling BitLocker for Windows 8. MDT does not support MBAM
natively; however, you can customize it to pre-provision and
immediately start MBAM encryption in a task sequence. For more
information, see the section TPM and BitLocker pre-provisioning.


The following sections describe the steps necessary to complete each task in the Deployment
Workbench:
1. Ensure that partitions on targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices.
3. Add the MBAM client to the Applications node of your deployment share.
4. Configure the MBAM client application to hide it from users in the Deployment Wizard.
5. Add an Install Application step to your existing operating system task sequences.
6. Configure the MDT BitLocker-related configuration settings.
7. Pre-provision BitLocker for the MBAM client (ZTIPrepareBDE.wsf).
8. Start MBAM encryption immediately during task sequences (StartMBAMEncryption.wsf).

For more information about using MDT to install applications during operating system
deployment, see the MDT documentation.

Step 1: Ensure that partitions on targeted devices are configured for BitLocker
Before you can enable BitLocker with MBAM, ensure that the partitions on the targeted devices are
configured properly for BitLocker deployment. For new devices or for devices that are being
replaced, MDT automatically creates the necessary partitions to support BitLocker. When
refreshing an existing device, LTI automatically resizes and creates the necessary partitions to
support BitLocker, if there is sufficient available disk space.
Step 2: Enable the TPM on targeted devices
Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices.
The scripts or software for enabling the TPM are different for each device manufacturer and
sometimes even across models within a device manufacturer.


By default, LTI performs BitLocker pre-provisioning for new device and replace device
deployment scenarios. BitLocker pre-provisioning occurs while the target device is running
Windows PE in the Preinstall phase of the task sequence. If the scripts or software for enabling
the TPM can:

• Run in Windows PE, then you can support BitLocker pre-provisioning.
• Only run in a Windows operating system, then you must either:
  o Manually enable the TPM to support BitLocker pre-provisioning.
  o Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed
    but still as a part of the task sequence.

For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker
pre-provisioning.
To automatically enable the TPM and support BitLocker pre-provisioning by using scripts
or software that can run in Windows PE
1. Create a network shared folder that contains the vendor-specific software for enabling the
TPM.
2. Create an MDT application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
Place the Install Application task sequence step in the Preinstall group immediately before
the Enable BitLocker (Offline) task sequence step.
To automatically enable the TPM by using scripts or software that can run only in a
Windows operating system (no BitLocker pre-provisioning support)
1. Create a network shared folder that contains the vendor-specific software for enabling the
TPM.
2. Create an MDT application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
Place the Install Application task sequence step in the State Restore group.
For more information on enabling the TPM, see Enable the TPM.


Step 3: Add the MBAM client application


When you add an application to your MDT deployment share, you must specify the command
that installs it. Running MbamClientSetup.exe is the simplest way to start MBAM client
installation with MDT. You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based
on the target operating system version.
The command you specify for MBAM client installation must include the /q command-line
option to perform an unattended installation. This option runs MbamClientSetup.exe with no
user interaction. If you do not include this command-line option, the Setup program stalls the
deployment process to wait for user interaction.
To add the MBAM client to your deployment share
1. In the Deployment Workbench, click Applications under Deployment
Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the
name of your deployment share).
2. In the Actions pane, click New Application.
3. Complete each page of the New Application Wizard:

Page: Application Type
Steps:
1. Click Application with source files.
2. Click Next.
Select the Application without source files or elsewhere on the network check box if you
already have the installation files in a network share. For more information, see the
section, Create a New Application That Is Deployed from Another Network Share, in the MDT
documentation.

Page: Details
Steps:
1. In the Application Name box, type MBAM Client 64-bit.
2. Click Next.
The remaining text boxes on this page are optional and informational only. Although they
do not affect deployment of the MBAM client, completing the remaining text boxes can prove
useful later when you are maintaining the deployment share.

Page: Source
Steps:
1. In the Source directory box, type the path of the MBAM\Installers\2.5\x64 folder that
contains MbamClientSetup.exe.
The Source directory box supports autocomplete, but you can click Browse to locate the
files.
2. Click Next.

Page: Destination
Steps:
1. In the Specify the name of the directory that should be created box, optionally edit
the name of the folder that the New Application Wizard will create in the deployment
share. The wizard suggests a name based on the publisher, name, and version that you
provided on the Details page.
2. Click Next.

Page: Command Details
Steps:
1. In the Command line box, type the command you want to run to install the MBAM client,
for example:
MbamClientSetup.exe /q
2. Click Next.

Page: Summary
Steps:
1. In the Details area, review the information that the Add New Application Wizard
collected.
2. Click Next.

Page: Progress
Steps:
1. Monitor the wizard's progress as it adds the application to your deployment share.

Page: Confirmation
Steps:
1. Review the results, and then click Finish.

If you also need to deploy the 32-bit version of MbamClientSetup.exe, repeat the New
Application Wizard, changing the following:
• On the Details page, in Application Name, type MBAM Client 32-bit.
• On the Source page, browse to the MBAM\Installers\2.5\x86 folder.

Step 4: Configure the application


After adding the application to your MDT deployment share, configure it to hide the application
in the Deployment Wizard from users so they cannot prevent installation during deployment by
selecting the Hide this application in the Deployment Wizard check box. Hiding the
application prevents the user from selecting the application, which could create errors in the
deployment process, because the application would try to install twice and one installation
would return a failure code.
To customize the MBAM client in your deployment share
1. In the Applications node of the deployment share, right-click the MBAM client
application that you previously added, and then click Properties.
2. On the General tab of the application's Properties dialog box, select the Hide this
application in the Deployment Wizard check box.
3. Click OK.


Step 5: Edit task sequences


Install the MBAM client application during operating system deployment by adding it to task
sequences. By adding the MBAM client to your existing task sequences, you can install the agent
automatically, with no interaction from the user. This method helps to ensure that the MBAM
client is available immediately, before users log on to the computer.
To install the MBAM client in an LTI task sequence
1. In the Deployment Workbench, click Task Sequences under Deployment
Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the
name of your deployment share).
2. In the results pane, right-click the task sequence to which you want to add the MBAM
client, and then click Properties.
3. On the Task Sequence tab of the task sequence's Properties dialog box, click the Install
Applications task sequence step.
This step is in the State Restore group. The task sequence editor adds the new task
sequence step immediately after this step.
4. From the Add menu, click General, and then click Install Application.
5. Click the new Install Application task sequence step that you just added, then perform
the following steps:
a. In the Name box, type Install the MBAM Client.
b. Click Install a single application, click Browse, click the MBAM client application
in the Select An Item dialog box, and then click OK.
c. Optionally, on the Options tab, select the Continue on error check box. Select
this check box only if you want the task sequence to continue running if the
MBAM client fails to install during operating system deployment.

6. Click OK to close the task sequence's Properties dialog box.


Step 6: Configure MDT BitLocker-related settings


Define the following MDT properties in the CustomSettings.ini file or the MDT database
(MDT DB):

• Required:
  o BDEInstallSuppress=NO
  o OSDBitLockerMode=TPM
• Optional:
  o BDEDriveLetter
  o BDEDriveSize
  o TPMOwnerPassword

For more information on these MDT properties, see the corresponding sections in the MDT
document Toolkit Reference.
Step 7: Add a task sequence step to pre-provision BitLocker for the MBAM client
Disable the existing Enable BitLocker (Offline) step in the Preinstall Phase. Then, add a new
step to run the script ZTIPrepareBDE.wsf, which pre-provisions BitLocker and is compatible with
MBAM. For more information, see the section TPM and BitLocker pre-provisioning, earlier in
this guide.
Step 8: Add a task sequence step to immediately start encryption by using the MBAM client
Disable the existing Enable BitLocker step in the State Restore Phase. Then, add a new step to
run the script StartMBAMEncryption.wsf, which starts MBAM encryption immediately to report
the recovery key to the MBAM service end point. For more information, see the section TPM
and BitLocker pre-provisioning, earlier in this guide.


Zero Touch Installation and User-Driven Installation in MDT 2013


You can deploy the MBAM client by using the application model in System Center 2012 R2
Configuration Manager. You create applications in the Applications node of the Configuration
Manager console. By using System Center 2012 R2 Configuration Manager, you can use a single
deployment tool to install the MBAM client on existing computers as well as during operating
system deployment:

• Deployment to existing computers. This method deploys the MBAM client to targeted
  computers that already exist or deploys the MBAM client immediately after operating
  system deployment is complete. The advantage of this method is that it covers both
  scenarios (existing computers and new computers). This process will be discussed in the
  section, System Center 2012 R2 Configuration Manager Application Model.
• Installation during operating system deployment. This method installs the MBAM
  client during operating system deployment so that the agent is immediately available.
  The benefit of this method is that the encryption can be started or completed before
  users receive their device, and the device is protected before the user starts it for
  the first time. After you create the application in the Configuration Manager console,
  simply add an Install Application step to the operating system deployment task
  sequence. This process is discussed in this section.

You can deploy the MBAM client during operating system deployment by using the Zero Touch
Installation (ZTI) and User-Driven Installation (UDI) processes in MDT. You do this by adding the
client installation files as an application, and then adding an Install Application step for the
agent to your existing operating system deployment task sequences.
By installing the MBAM client as part of the operating system deployment task sequence, ZTI
and UDI install the client automatically, which ensures that encryption is started or
completed before users receive their device and that the device is protected before users
start it for the first time. The MBAM client will be ready for use before users log on to
the device for the first time.


Windows 8.1 and Windows 8 include the BitLocker Used Disk Space Only
encryption feature, which encrypts only the disk space currently in use
instead of the entire disk volume. This feature dramatically reduces the
time required to encrypt a volume. By default, MDT automatically
performs Used Disk Space Only encryption to reduce deployment time
when enabling BitLocker for Windows 8. MDT does not support MBAM
natively; however, you can customize it to pre-provision and
immediately start MBAM encryption in a task sequence. For more
information, see the section TPM and BitLocker pre-provisioning.

The following tasks describe the steps necessary to complete each task:
1. Ensure that partitions on targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices.
3. Create and share a content folder for the MBAM client installation files.
4. Create a System Center 2012 R2 Configuration Manager application for the MBAM client
installation.
5. Distribute the System Center 2012 R2 Configuration Manager application to the
distribution points.
6. Deploy the System Center 2012 R2 Configuration Manager application to the targeted
computers.
7. Add an Install Application step to your existing operating system task sequences.
8. Configure the MDT BitLocker-related configuration settings.
9. Pre-provision BitLocker for the MBAM client (ZTIPrepareBDE.wsf).
10. Start MBAM encryption immediately during task sequences (StartMBAMEncryption.wsf).


For more information about using MDT to install applications during operating system
deployment, see the MDT documentation.

Step 1: Ensure that partitions on targeted devices are configured for BitLocker
Before you can use MBAM, you need to ensure that the partitions on the targeted devices are
configured properly for BitLocker deployment. For new devices or devices that are being
replaced, MDT automatically creates the necessary partitions to support BitLocker. When
refreshing an existing device, MDT automatically resizes and creates the necessary partitions to
support BitLocker (if there is sufficient available disk space) after the operating system has been
deployed in the State Restore group.

If you want ZTI and UDI to automatically create the appropriate partitions
for the refresh device deployment scenario, perform a replace device
deployment scenario, and treat the existing device as the original and
replacement device. In this way, you back up the user state from the
device, wipe the device, deploy the operating system, and then restore
the user state to the device. Ensure that you store the user state in a
network shared folder or in local storage on a disk other than where the
operating system will be deployed.

Step 2: Enable the TPM on targeted devices


Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. The
scripts or software for enabling the TPM are different for each device manufacturer and
sometimes even different across models within a device manufacturer.
By default, ZTI and UDI task sequences perform BitLocker pre-provisioning for new device and
replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device
is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for
enabling the TPM can:


• Run in Windows PE, then you can support BitLocker pre-provisioning.
• Run only in a Windows operating system, then you must either:
  o Manually enable the TPM to support BitLocker pre-provisioning.
  o Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed
    but still as a part of the task sequence.

If you want to use BitLocker pre-provisioning for the refresh device
deployment scenario for ZTI and UDI, perform a replace device
deployment scenario, and treat the existing device as the original and
replacement device. In this way, you back up the user state from the
device, wipe the device, deploy the operating system, and then restore
the user state to the device. Ensure that you store the user state in a
network shared folder or in local storage on a disk other than where the
operating system will be deployed.

For more information on the TPM and BitLocker pre-provisioning, see TPM and BitLocker
pre-provisioning.
To automatically enable the TPM and support BitLocker pre-provisioning by using scripts
or software that can run in Windows PE
1. Create a network shared folder that contains the vendor-specific software for enabling the
TPM.
2. Create an application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
Place the Install Application task sequence step in the Preinstall group immediately before
the Pre-provision BitLocker task sequence step.
To automatically enable the TPM by using scripts or software that can run only in a
Windows operating system (no BitLocker pre-provisioning support)
1. Create a network shared folder that contains the vendor-specific software for enabling the
TPM.


2. Create an application that contains the software in the previous step.


3. Install the application created in the previous step by using the Install Application task
sequence step.
Place the Install Application task sequence step in the State Restore group.
Step 3: Share the installation content
When you create a System Center 2012 R2 Configuration Manager application, you must specify
a source for the application content. The source must be a network share that is accessible to
System Center 2012 R2 Configuration Manager, because System Center 2012 R2 Configuration
Manager uses the contents of the source folder to create the application.
To create and share a folder for the MBAM client installation content
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and
MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM
client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 12
describes.
To configure NTFS file system permissions, right-click the folder, click Properties, and
then click Advanced on the Security tab.

Table 12. NTFS file system permissions for the MBAM client setup folder

Account              Permissions        Applies to
Administrators       Full control       This folder, subfolders, and files
Site_Server_Account  Read and Execute   This folder, subfolders, and files


3. Share the folder MBAM_Client_Setup by using the permissions that Table 13 describes. To
configure share permissions, right-click the folder, click Properties, and then click the
Sharing tab.

Table 13. Share permissions for the MBAM client setup folder

Account              Permissions
Administrators       Full control
Site_Server_Account  Full control

4. Copy the contents of the MBAM\Installers\2.5 folder from the MBAM distribution media
to \\SERVER\MBAM_Client_Setup.
The MBAM\Installers\2.5 folder includes the x64 and x86 folders, which contain the 64-bit
and 32-bit versions of the MBAM client, respectively. Copy the entire contents of the
folder so that both versions are available for deployment.
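As an added example (not from the MBAM guide), this PowerShell creates and shares the MBAM_Client_Setup folder with the NTFS and share permissions from Tables 12 and 13, copies both client installers into it, and verifies the result. The folder path, the installer source path, and CONTOSO\SCCM01$ standing in for Site_Server_Account are assumptions; run it on the file server as an administrator.

```powershell
# Added example; not part of the MBAM guide. Builds the MBAM client content share
# of Step 3 with the permissions in Tables 12 and 13.
# Paths and the site server account below are assumed placeholders.
$FolderPath     = 'D:\Sources\MBAM_Client_Setup'   # assumed local path on SERVER
$ShareName      = 'MBAM_Client_Setup'
$SiteServer     = 'CONTOSO\SCCM01$'                 # assumed Site_Server_Account (computer account)
$MbamInstallers = 'E:\MBAM\Installers\2.5'          # assumed path on the MBAM media

New-Item -Path $FolderPath -ItemType Directory -Force | Out-Null

# NTFS permissions (Table 12). Inheritance from the parent folder is switched off
# and inherited entries discarded, so only the two listed accounts can reach the
# installer content; nobody else should be able to read or replace the MSIs.
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $SiteServer, 'ReadAndExecute', $inherit, 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $FolderPath -AclObject $acl

# Share permissions (Table 13). Giving explicit -FullAccess stops New-SmbShare from
# adding its default Everyone/Read entry. Effective access is the more restrictive
# of share and NTFS, so the site server account still only reads the content.
New-SmbShare -Name $ShareName -Path $FolderPath `
    -FullAccess 'BUILTIN\Administrators', $SiteServer | Out-Null

# Copy the x64 and x86 folders so both deployment types in Step 4 can be built.
Copy-Item -Path (Join-Path $MbamInstallers '*') -Destination $FolderPath -Recurse -Force

function Test-MbamContentShare {
    # Returns $true when the share exists and both client MSIs are present, which
    # is the state the Create Deployment Type Wizard in Step 4 expects.
    param([string]$Name, [string]$Path)
    $share = Get-SmbShare -Name $Name -ErrorAction SilentlyContinue
    $x64   = Test-Path (Join-Path $Path 'x64\MBAMClient.msi')
    $x86   = Test-Path (Join-Path $Path 'x86\MBAMClient.msi')
    return ($null -ne $share) -and $x64 -and $x86
}

Test-MbamContentShare -Name $ShareName -Path $FolderPath
(Get-Acl -Path $FolderPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```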
Step 4: Create the MBAM client application
When you create a System Center 2012 R2 Configuration Manager application, you must specify
the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM
client, MBAMClient.msi requires less effort because of automatic detection of product codes and
other application settings. Creating applications in System Center 2012 R2 Configuration
Manager is based on MSI files, which:

• Allow System Center 2012 R2 Configuration Manager to detect whether the application is
  already installed
• Use a well-known System Center 2012 R2 Configuration Manager deployment type
• Simplify the ongoing management of the MBAM client by simplifying updates

To create the MBAM client application in System Center 2012 R2 Configuration Manager
1. In the Configuration Manager console, click the Software Library workspace.


2. In the Software Library workspace, click Applications in Overview\Application
Management.
3. In the Create group on the Ribbon, click Create Application.
4. Complete each page of the Create Application Wizard:

Page: General
Steps:
1. Click Manually specify the application information.
2. Click Next.

Page: General: General Information
Steps:
1. In the Name box, type MBAM Client.
2. Select the Allow this application to be installed from the Install Application task
sequence action without being deployed check box.
Selecting this check box allows you to use task sequence variables to install the MBAM
client.
3. Click Next.
The remaining text boxes on this page are optional and informational. Although they do not
affect the deployment of the MBAM client, completing them can prove useful later when you
are maintaining the deployment share.

Page: General: Application Catalog
Steps:
1. Click Next.
The text boxes on this page are optional and prompt for information that you want to
display in the application catalog. However, this deployment guide recommends that you
hide the MBAM client from the application catalog.

Page: General: Deployment Types
Steps:
1. Click Add to add a deployment type for the 64-bit version of the MBAM client
(MBAMClient.msi in the MBAM\Installers\2.5\x64 folder).
2. On the General page of the Create Deployment Type Wizard, click Browse, open
MBAMClient.msi from the location in which you shared the installation sources (e.g.,
\\SERVER\MBAM_Client_Setup), and then click Next.
3. On the Import Information page of the Create Deployment Type Wizard, click Next.
4. On the General Information page of the Create Deployment Type Wizard, perform the
following steps:
   a. In the Name box, append x64 to the end of the name for easier identification later.
   b. In the Installation program box, add /q to the end of the command.
   c. Click Next.
5. On the Requirements page of the Create Deployment Type Wizard, perform the following
steps:
   a. Click Add.
   b. Click Operating system in the Condition list.
   c. In the operating system list, select All Windows 7 (64-bit), All Windows 8 (64-bit),
   and All Windows 8.1 (64-bit). (Select the 64-bit operating systems that you want to
   support.)
   d. Click OK.
   e. Click Next.
6. On the Dependencies page of the Create Deployment Type Wizard, click Next.
7. On the Summary page of the Create Deployment Type Wizard, review the deployment type
details, and then click Next.
8. On the Completion page of the Create Deployment Type Wizard, click Close.
9. Repeat steps 1 through 8 on this page for the 32-bit version of the MBAM client
(MBAMClient.msi in the MBAM\Installers\2.5\x86 folder), and then click Next.

Page: Summary
Steps:
1. In the Details area, review the information that the Create Application Wizard
collected, and then click Next.

Page: Progress
Steps:
1. Monitor the progress of the Create Application Wizard while it creates the application.

Page: Completion
Steps:
1. Verify that the Create Application Wizard finished successfully, and then click Close.

Step 5: Distribute the MBAM client application


After creating the MBAM client application in System Center 2012 R2 Configuration Manager,
you must distribute the application content to your distribution points. Targeted computers will
install the MBAM client from the distribution points. You use the Distribute Content Wizard in
the Configuration Manager console to distribute the MBAM client application.
To distribute the MBAM client System Center 2012 R2 Configuration Manager application
1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Distribute Content.
3. Complete each page of the Distribute Content Wizard:


Page: General
Steps:
1. Click Next.

Page: General: Content
Steps:
1. Click Next.

Page: General: Content Destination
Steps:
1. Click Add, and then click Distribution Point.
2. In the Add Distribution Points dialog box, select the distribution points to which you
want to distribute the MBAM client installation content, and then click OK.
3. Click Next.

Page: Summary
Steps:
1. In the Details area, review the information that the Distribute Content Wizard
collected, and then click Next.

Page: Progress
Steps:
1. Monitor the progress of the Distribute Content Wizard while it distributes the MBAM
client installation content.

Page: Completion
Steps:
1. Verify that the Distribute Content Wizard finished successfully, and then click Close.

After completing the Distribute Content Wizard, verify successful distribution of the installation
content before continuing to deploy the MBAM client application. To do so, click Refresh in the
Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution
status on the Summary tab at the bottom. When the content status shows that content
distribution is successful, you can deploy the MBAM client application.
Step 6: Deploy the MBAM client application
You can deploy the MBAM client application to users or devices. Because the agent is
computer-centric, Microsoft recommends that you deploy it to computer collections, not user
collections.


You use the Deploy Software Wizard in the Configuration Manager console to deploy the
MBAM client application after you have successfully distributed it.
To deploy the MBAM client System Center 2012 R2 Configuration Manager application
1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Deploy.
3. Complete each page of the Deploy Software Wizard:

Page: General
Steps:
1. Click Browse next to the Collection box.
2. In the Select Collection dialog box, click Device Collections on the left side; on the
right side, click a device collection to which you want to deploy the MBAM client, and
then click OK.
3. Click Next.
You can choose one of the built-in collections or your own collection. For more
information about creating collections in System Center 2012 R2 Configuration Manager, see
the TechNet article, How to Create Collections in Configuration Manager.

Page: Content
Steps:
1. Click Next.

Page: Deployment Settings
Steps:
1. In the Purpose list, click Required.
2. Click Next.
Selecting Required in the Purpose list forces installation of the MBAM client application
on targeted computers. System Center 2012 R2 Configuration Manager also reinstalls the
agent if users remove it.

Page: Scheduling
Steps:
1. Click Next.

Page: User Experience
Steps:
1. In the User notifications list, click Hide in Software Center and all notifications.
2. Click Next.
Selecting Hide in Software Center and all notifications prevents System Center 2012 R2
Configuration Manager from notifying users about the installation of the MBAM client. This
recommended setting prevents any user interaction or interference with deployment.

Page: Alerts
Steps:
1. Click Next.

Page: Summary
Steps:
1. In the Details area, review the information that the Deploy Software Wizard collected,
and then click Next.

Page: Progress
Steps:
1. Monitor the progress of the Deploy Software Wizard while it deploys the MBAM client
application.

Page: Completion
Steps:
1. Verify that the Deploy Software Wizard finished successfully, and then click Close.

Step 7: Edit task sequences


Install the MBAM client application during operating system deployment by adding the MBAM
client application to existing task sequences. In this way, you can install the client automatically,
with no interaction or interference from users. Doing so helps to ensure that the MBAM client is
available immediately, before users log on to the computer.


To install the MBAM client in a System Center 2012 R2 Configuration Manager task
sequence
1. In the Configuration Manager console, click the Software Library workspace.
2. In the Software Library workspace, click Task Sequences in Overview\Operating Systems.
3. In the results pane, right-click the task sequence to which you want to add the MBAM
client, and then click Edit.
4. Click the Install Applications group under the State Restore group. The task sequence
editor adds the new step in this group.
5. From the Add menu, click General, and then click Install Application.
6. Click the new Install Application task sequence step that you just added, then perform
the following steps:
a. In the Name box, type Install the MBAM Client.
b. Click New (the button that looks like a star), click the MBAM client application in
the Select The Application To Install dialog box, and then click OK.
c. Optionally, on the Options tab, select the Continue on error check box.
Select this check box only if you want the task sequence to continue running if the
MBAM Client fails to install during operating system deployment.
7. Click OK to close the Task Sequence Editor dialog box.


Step 8: Configure MDT BitLocker-related settings


Define the following MDT properties in the CustomSettings.ini file or the MDT database
(MDT DB):

• Required:
  o BDEInstallSuppress=NO
  o OSDBitLockerMode=TPM
• Optional:
  o BDEDriveLetter
  o BDEDriveSize
  o TPMOwnerPassword

For more information on these MDT properties, see the corresponding sections in the MDT
document Toolkit Reference.
Step 9: Add a task sequence step to pre-provision BitLocker for the MBAM client
Disable the existing Pre-provision BitLocker step in the Preinstall phase. Then, add a new step
to run the script ZTIPrepareBDE.wsf, which pre-provisions BitLocker and is compatible with
MBAM. For more information, see the section TPM and BitLocker pre-provisioning, earlier in
this guide.
Step 10: Add a task sequence step to immediately start encryption by using the MBAM client
Disable the existing Enable BitLocker step in the State Restore Phase. Then, add a new step to
run the script StartMBAMEncryption.wsf, which starts MBAM encryption immediately to report
the recovery key to the MBAM service end point. For more information, see the section TPM
and BitLocker pre-provisioning, earlier in this guide.


System Center 2012 R2 Configuration Manager Application Model


You can deploy the MBAM client by using the application model in System Center 2012 R2
Configuration Manager. You create applications in the Applications node of the Configuration
Manager console. By using System Center 2012 R2 Configuration Manager, you can use a single
deployment tool to install the MBAM client on existing computers as well as during operating
system deployment:

Deployment to existing computers. This method deploys the MBAM client to targeted
computers that already exist or deploys the MBAM client immediately after operating
system deployment is complete. The advantage of this method is that it covers both
scenarios (existing computers and new computers). This process is discussed in this
section.

Installation during operating system deployment. This method installs the MBAM
client during operating system deployment so that the agent is immediately available.
The benefit of this method is that the encryption can be started or completed before
users receive their device, and the device is protected before the user starts it for the first
time. After you create the application in the Configuration Manager console, simply add
an Install Application step to the operating system deployment task sequence. This
process was discussed in the section, Zero Touch Installation and User-Driven Installation
in MDT 2013.

You can also deploy the MBAM client by using the package and program
feature in System Center Configuration Manager 2007. For more
information on how to deploy software using the package and program
feature, see Tasks for Software Distribution.

The following sections describe the steps necessary to complete each task in the Configuration
Manager console:
1. Ensure that the partitions on the targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices (if not already enabled).
3. Create and share a content folder for the MBAM client installation files.

4. Create a System Center 2012 R2 Configuration Manager application for the MBAM client
installation.
5. Distribute the System Center 2012 R2 Configuration Manager application to the
distribution points.
6. Deploy the System Center 2012 R2 Configuration Manager application to the targeted
computers.

You can automate the steps listed above by creating a custom System
Center Configuration Manager task sequence. For more information, see
the section, To create a custom task sequence, in the TechNet article
How to Create Task Sequences.

For more information about using System Center 2012 R2 Configuration Manager to deploy
applications, see the Microsoft TechNet article, System Center Technical Resources.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker
Before you can enable BitLocker with MBAM, ensure that the partitions on the targeted devices are
configured properly for BitLocker deployment, as described in the section, BitLocker partition
configuration requirements, in this guide. Because this section focuses on deploying the MBAM
client on existing devices, the deployment is always performed on devices where the operating
system has already been deployed.

If the partitions on a targeted device are not configured properly for BitLocker
deployment, consider refreshing the operating system on the device to create the proper
partitions. For more information, see the section Lite Touch Installation in MDT 2013 or
Zero Touch Installation and User-Driven Installation in MDT 2013.

Step 2: Enable the TPM on targeted devices


Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. You
can manually enable the TPM on the targeted devices or automate enabling the TPM on the
targeted devices by using scripts or software. The scripts or software for enabling the TPM are
different for each device manufacturer and sometimes even different across models within a
device manufacturer.
To automatically enable the TPM by using scripts or software
1. Create a network shared folder that contains the vendor-specific software for enabling the
TPM.
2. Create a System Center 2012 R2 Configuration Manager application that contains the
software in the previous step.
3. Distribute the application to the distribution points.
4. Deploy the application to the appropriate user or device collections.
Step 3: Share the installation content
When you create a System Center 2012 R2 Configuration Manager application, you must specify
a source for the application content. The source must be a network share that is accessible to
System Center 2012 R2 Configuration Manager, because System Center 2012 R2 Configuration
Manager uses the contents of the source folder to create the application.
To create and share a folder for the MBAM client installation content
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and
MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM
client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 14
describes.
To configure NTFS file system permissions, right-click the folder, click Properties, and
then click Advanced on the Security tab.

Table 14. NTFS file system permissions for the MBAM client setup folder

Account              Permissions        Applies to
Administrators       Full control       This folder, subfolders, and files
Site_Server_Account  Read and Execute   This folder, subfolders, and files

3. Share the folder MBAM_Client_Setup by using the permissions that Table 15 describes. To
configure share permissions, right-click the folder, click Properties, and then click the
Sharing tab.

Table 15. Share permissions for the MBAM client setup folder

Account              Permissions
Administrators       Full control
Site_Server_Account  Full control

4. Copy the contents of the MBAM\Installers\2.5 folder structure from the MBAM
distribution media to \\SERVER\MBAM_Client_Setup.
The MBAM\Installers\2.5 folder includes the x64 and x86 folders, which contain the 64-bit
and 32-bit versions of the MBAM client, respectively. Copy the entire contents of the
folder so that both versions are available for deployment.
Step 4: Create the MBAM client application
When you create a System Center 2012 R2 Configuration Manager application, you must specify
the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM
client, MBAMClient.msi requires less effort because of automatic detection of product codes and
other application settings. Creating applications in System Center 2012 R2 Configuration
Manager is based on MSI files, which:
  - Allow System Center 2012 R2 Configuration Manager to detect whether the application
    is already installed
  - Use a well-known System Center 2012 R2 Configuration Manager deployment type
  - Simplify the ongoing management of the MBAM client by simplifying updates

To create the MBAM client application in System Center 2012 R2 Configuration Manager
1. In the Configuration Manager console, click the Software Library workspace.
2. In the Software Library workspace, click Applications in Overview\Application
Management.
3. In the Create group on the Ribbon, click Create Application.
4. Complete each page of the Create Application Wizard:

General
  1. Click Manually specify the application information.
  2. Click Next.

General: General Information
  1. In the Name box, type MBAM Client.
  2. Select the Allow this application to be installed from the Install Application
     task sequence action without being deployed check box. Selecting this check box
     allows you to use task sequence variables to install the MBAM client.
  3. Click Next.
  The remaining text boxes on this page are optional and informational. Although they
  do not affect the deployment of the MBAM client, completing them can prove useful
  later when you are maintaining the deployment share.

General: Application Catalog
  1. Click Next.
  The text boxes on this page are optional and prompt for information that you want to
  display in the application catalog. However, this deployment guide recommends that
  you hide the MBAM client from the application catalog.

General: Deployment Types
  1. Click Add to add a deployment type for the 64-bit version of the MBAM client
     (MBAMClient.msi in the MBAM\Installers\2.5\x64 folder).
  2. On the General page of the Create Deployment Type Wizard, click Browse, open
     MBAMClient.msi from the location in which you shared the installation sources
     (e.g., \\SERVER\MBAM_Client_Setup), and then click Next.
  3. On the Import Information page of the Create Deployment Type Wizard, click Next.
  4. On the General Information page of the Create Deployment Type Wizard, perform
     the following steps:
     a. In the Name box, append x64 to the end of the name for easier identification
        later.
     b. In the Installation program box, add /q to the end of the command.
     c. Click Next.
  5. On the Requirements page of the Create Deployment Type Wizard, perform the
     following steps:
     a. Click Add.
     b. Click Operating system in the Condition list.
     c. In the operating system list, select All Windows 7 (64-bit), All Windows 8
        (64-bit), and All Windows 8.1 (64-bit). (Select the 64-bit operating systems
        that you want to support.)
     d. Click OK.
     e. Click Next.
  6. On the Dependencies page of the Create Deployment Type Wizard, click Next.
  7. On the Summary page of the Create Deployment Type Wizard, review the deployment
     type details, and then click Next.
  8. On the Completion page of the Create Deployment Type Wizard, click Close.
  9. Repeat steps 1 through 8 on this page for the 32-bit version of the MBAM client
     (MBAM\Installers\2.5\x86), and then click Next.

Summary
  1. In the Details area, review the information that the Create Application Wizard
     collected, and then click Next.

Progress
  1. Monitor the progress of the Create Application Wizard while it creates the
     application.

Completion
  1. Verify that the Create Application Wizard finished successfully, and then click
     Close.

If you decided to automatically enable the TPM by using a script or software in Step 2:
Enable the TPM on targeted devices, make certain you set the application created in that
step as a dependency for the deployment type for the application created in this step. For
more information on creating System Center 2012 R2 Configuration Manager application
dependencies, see the section Step 7: Specify Dependencies for the Deployment Type in
How to Create Applications in Configuration Manager on TechNet.

Step 5: Distribute the MBAM client application


After creating the MBAM client application in System Center 2012 R2 Configuration Manager,
you must distribute the application content to your distribution points. Targeted computers
install the MBAM client from the distribution points. You use the Distribute Content Wizard in
the Configuration Manager console to distribute the MBAM client application.
To distribute the MBAM client System Center 2012 R2 Configuration Manager application
1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Distribute Content.

3. Complete each page of the Distribute Content Wizard:

General
  1. Click Next.

General: Content
  1. Click Next.

General: Content Destination
  1. Click Add, and then click Distribution Point.
  2. In the Add Distribution Points dialog box, select the distribution points to which
     you want to distribute the MBAM client installation content, and then click OK.
  3. Click Next.

Summary
  1. In the Details area, review the information that the Distribute Content Wizard
     collected, and then click Next.

Progress
  1. Monitor the progress of the Distribute Content Wizard while it distributes the
     MBAM client installation content.

Completion
  1. Verify that the Distribute Content Wizard finished successfully, and then click
     Close.

After completing the Distribute Content Wizard, verify successful distribution of the installation
content before continuing to deploy the MBAM client application. To do so, click Refresh in the
Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution
status on the Summary tab at the bottom. When the content status shows that content
distribution is successful, you can deploy the MBAM client application.

Step 6: Deploy the MBAM client application


You can deploy the MBAM client application to users or devices. Because the agent is
computer-centric, Microsoft recommends that you deploy it to computer collections, not user
collections. You use the Deploy Software Wizard in the Configuration Manager console to deploy
the MBAM client application after you have successfully distributed it.
To deploy the MBAM client System Center 2012 R2 Configuration Manager application
1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Deploy.
3. Complete each page of the Deploy Software Wizard:

General
  1. Click Browse next to the Collection box.
  2. In the Select Collection dialog box, click Device Collections on the left side; on
     the right side, click a device collection to which you want to deploy the MBAM
     client, and then click OK.
  3. Click Next.
  You can choose one of the built-in collections or your own collection. For more
  information about creating collections in System Center 2012 R2 Configuration
  Manager, see the TechNet article, How to Create Collections in Configuration Manager.

Content
  1. Click Next.

Deployment Settings
  1. In the Purpose list, click Required.
  2. Click Next.
  Selecting Required in the Purpose list forces installation of the MBAM client
  application on targeted computers. System Center 2012 R2 Configuration Manager also
  reinstalls the agent if users remove it.

Scheduling
  1. Click Next.

User Experience
  1. In the User notifications list, click Hide in Software Center and all
     notifications.
  2. Click Next.
  Selecting Hide in Software Center and all notifications prevents System Center 2012
  R2 Configuration Manager from notifying users about the installation of the MBAM
  client. This recommended setting prevents any user interaction or interference with
  deployment.

Alerts
  1. Click Next.

Summary
  1. In the Details area, review the information that the Deploy Software Wizard
     collected, and then click Next.

Progress
  1. Monitor the progress of the Deploy Software Wizard while it deploys the MBAM
     client application.

Completion
  1. Verify that the Deploy Software Wizard finished successfully, and then click
     Close.

Scripted installation
If you do not use MDT or System Center 2012 R2 Configuration Manager to deploy applications
in your environment and you do not want to use Group Policy software installation, you can
script installation by using batch scripts, Windows PowerShell scripts, and so on. With this
technique, you are essentially performing a command-line installation. You can use the same
technique to install the MBAM client by using any non-Microsoft ESD system.
The following sections describe the steps necessary to complete each task:
1. Ensure that the partitions on the targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices (if not already enabled).
3. Create and share a folder containing the MBAM client installation files.
4. Run MbamClientSetup.exe from the network share containing the installation files.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker
Before you can use MBAM, ensure that the partitions on the targeted devices are configured
properly for BitLocker deployment, as described in the section, BitLocker partition
configuration requirements, in this guide. Because this section focuses on deploying the MBAM
client on existing devices, the deployment is always performed on devices where the operating
system has already been deployed.

If the partitions on a targeted device are not configured properly for BitLocker
deployment, consider refreshing the operating system on the device to create the proper
partitions. For more information, see the section Lite Touch Installation in MDT 2013 or
Zero Touch Installation and User-Driven Installation in MDT 2013.

Step 2: Enable the TPM on targeted devices


Before you deploy the MBAM client to the targeted devices, enable the TPM on them. You can
manually enable the TPM on the targeted devices or automate the process by using scripts or
software. The scripts or software for enabling the TPM are different for each device
manufacturer and sometimes even different across models within a device manufacturer.
To automatically enable the TPM by using scripts or software
1. Create a network shared folder that contains the vendor-specific software for enabling the
TPM.
2. Create a batch file or script that runs the software in the previous step.
3. Ensure that you run the software to enable the TPM prior to running
MbamClientSetup.exe and installing the MBAM client.
Step 3: Share the installation files
Create a network share that contains the MBAM client installation files. This network share must
be accessible to all computers on which you want to install the MBAM client. You can give Read
access to the Domain Computers group or to the Authenticated Users group.
To create and share a folder for the MBAM client installation files
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and
MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM
client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 16
describes.

To configure NTFS file system permissions, right-click the folder, click Properties, and
then click Advanced on the Security tab.

Table 16. NTFS file system permissions for the distribution folder

Account              Permissions        Applies to
Administrators       Full control       This folder, subfolders, and files
Authenticated Users  Read and Execute   This folder, subfolders, and files

3. Share the folder MBAM_Client_Setup by using the permissions that Table 17 describes.
To configure share permissions, right-click the folder, click Properties, and then click the
Sharing tab.

Table 17. Share permissions for the distribution folder

Account              Permissions
Authenticated Users  Read

4. Copy the contents of the MBAM\Installers\2.5 folder structure from the MBAM
distribution media to \\SERVER\MBAM_Client_Setup.
The MBAM\Installers\2.5 folder includes the x64 and x86 folders, which contain the
64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire contents of
the folder so that both versions are available for deployment.
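The folder creation, NTFS permissions and share permissions described in Tables 14 and 15 (Configuration Manager site server account) and Tables 16 and 17 (Authenticated Users) can be applied in one step with the following PowerShell function. It is an added example, not code from this guide or from Microsoft. It assumes New-SmbShare is available (Windows Server 2012 or later), uses icacls for the NTFS ACL, and uses placeholder values for the media path and the site server account; replace those with your own.

```powershell
<#
  Added example, not code from the MBAM deployment guide or from Microsoft.
  Creates the MBAM client installer folder, applies the NTFS permissions from
  Tables 14/16 and the share permissions from Tables 15/17, and copies the
  MBAM\Installers\2.5 tree (x64 and x86) from the distribution media.
  Assumptions not taken from the guide: New-SmbShare is available (Windows
  Server 2012 or later), icacls is used for the NTFS ACL, and the media path
  and site server account name are placeholders to replace.
#>
function New-MbamClientShare {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,       # local folder, e.g. D:\Shares\MBAM_Client_Setup
        [Parameter(Mandatory=$true)] [string] $MediaRoot,  # root of the MBAM distribution media
        [string] $ShareName = 'MBAM_Client_Setup',
        # Account that reads the content: the ConfigMgr site server account (Tables 14/15)
        # or Authenticated Users for scripted installation (Tables 16/17).
        [string] $ReadAccount = 'NT AUTHORITY\Authenticated Users',
        # Share-level rights for $ReadAccount: Table 15 gives the site server account
        # Full control, Table 17 gives Authenticated Users Read.
        [ValidateSet('Read', 'Full')] [string] $ShareAccess = 'Read'
    )

    # Refuse to continue if either installer is missing from the media.
    $source = Join-Path $MediaRoot 'MBAM\Installers\2.5'
    foreach ($arch in 'x64', 'x86') {
        if (-not (Test-Path (Join-Path $source "$arch\MbamClientSetup.exe"))) {
            throw "MBAM client installer for $arch not found under $source"
        }
    }

    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # NTFS: drop inherited ACEs, Administrators = Full control, read account = Read & execute.
    # (OI)(CI) makes each ACE apply to "this folder, subfolders, and files".
    & icacls $Path /inheritance:r `
        /grant 'BUILTIN\Administrators:(OI)(CI)F' `
        /grant "${ReadAccount}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Share permissions: Administrators always Full control; the read account
    # gets Full control (Table 15) or Read (Table 17).
    $share = @{ Name = $ShareName; Path = $Path }
    if ($ShareAccess -eq 'Full') {
        $share['FullAccess'] = @('BUILTIN\Administrators', $ReadAccount)
    } else {
        $share['FullAccess'] = 'BUILTIN\Administrators'
        $share['ReadAccess'] = $ReadAccount
    }
    New-SmbShare @share | Out-Null

    # Copy both architectures so either version can be deployed.
    # Robocopy exit codes below 8 indicate success.
    & robocopy $source $Path /E /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    return "\\$env:COMPUTERNAME\$ShareName"
}

# Scripted-installation share (Tables 16 and 17):
# New-MbamClientShare -Path 'D:\Shares\MBAM_Client_Setup' -MediaRoot 'E:\'
# Configuration Manager share (Tables 14 and 15); the site server account is a placeholder:
# New-MbamClientShare -Path 'D:\Shares\MBAM_Client_Setup' -MediaRoot 'E:\' `
#     -ReadAccount 'CONTOSO\SITESERVER$' -ShareAccess Full
```

The function resets inheritance on the folder before granting rights, so no broader ACE inherited from the parent share root survives; run it from an elevated prompt on the file server.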
Step 4: Run MbamClientSetup.exe
For a scripted installation, the command you use to install the MBAM client must include the /q
command-line option to perform an unattended installation. This option runs
MbamClientSetup.exe with no user interaction, as shown in the following example. If you do not
include this command-line option, the Setup program stalls the deployment process to wait for
user interaction.
MbamClientSetup.exe /q

You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based on the target
operating system version.
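A scripted installation that ties Steps 1, 2 and 4 of this section together might look like the following PowerShell script. It is an added example, not code from this guide or from Microsoft. Not taken from the guide are: the use of the Win32_Tpm and Win32_DiskPartition WMI classes for the prerequisite checks (the partition check is a heuristic for BIOS/MBR layouts only), treating exit code 3010 as "installed, reboot required", and the assumed client service name MBAMAgent used for the post-install check.

```powershell
<#
  Added example, not code from the MBAM deployment guide or from Microsoft.
  Scripted MBAM client installation covering Steps 1, 2 and 4 above:
  - warns if the OS volume has no separate system partition (heuristic, Step 1)
  - requires the TPM to be enabled and activated (Step 2)
  - runs the architecture-matching MbamClientSetup.exe /q from the share (Step 4)
  Assumptions not taken from the guide: the Win32_Tpm and Win32_DiskPartition
  WMI classes are used for the checks, exit code 3010 is treated as
  "installed, reboot required", and the client service name is assumed to be
  MBAMAgent. Run elevated.
#>
function Test-TpmReady {
    # Win32_Tpm is available on Windows 7 and later and needs administrative rights.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned   # MBAM can take ownership itself, so not required
    }
}

function Test-SeparateSystemPartition {
    # Heuristic for BIOS/MBR layouts: if the partition holding the OS volume is the
    # active (boot) partition, there is no separate system partition and BitLocker
    # setup would have to create one. Returns $true when a separate partition exists.
    $os = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    foreach ($part in $os.GetRelated('Win32_DiskPartition')) {
        if ($part.BootPartition) { return $false }
    }
    return $true
}

function Install-MbamClient {
    param(
        [Parameter(Mandatory=$true)] [string] $SharePath,   # e.g. \\SERVER\MBAM_Client_Setup
        [string] $LogPath = "$env:ProgramData\MBAMClientInstall.log"
    )
    $tpm = Test-TpmReady
    if (-not ($tpm.Present -and $tpm.Enabled -and $tpm.Activated)) {
        throw 'TPM is not present, enabled and activated; run the vendor TPM enablement tool first (Step 2).'
    }
    if (-not (Test-SeparateSystemPartition)) {
        Write-Warning 'OS volume has no separate system partition; see "BitLocker partition configuration requirements".'
    }

    # Pick the 64-bit or 32-bit installer to match the operating system.
    $osArch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
    $arch   = if ($osArch -like '64*') { 'x64' } else { 'x86' }
    $setup  = Join-Path $SharePath "$arch\MbamClientSetup.exe"
    if (-not (Test-Path $setup)) { throw "Installer not found: $setup" }

    # /q performs the unattended install; without it Setup waits for user interaction.
    $proc = Start-Process -FilePath $setup -ArgumentList '/q' -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { $result = 'Installed' }
        3010    { $result = 'InstalledRebootRequired' }   # assumed Windows Installer reboot code
        default { throw "MbamClientSetup.exe failed with exit code $($proc.ExitCode)" }
    }

    # Post-install check: the MBAM client service (assumed name MBAMAgent) should now exist.
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status } else { 'missing' }
    Add-Content -Path $LogPath -Value ('{0} {1} {2} service={3}' -f (Get-Date -Format s), $env:COMPUTERNAME, $result, $svcState)
    return $result
}

# Usage, from the deployment script or a non-Microsoft ESD job running elevated:
# Install-MbamClient -SharePath '\\SERVER\MBAM_Client_Setup'
```

The script fails closed: a missing or disabled TPM aborts before Setup runs, so the MBAM client is never left installed on a device that cannot be provisioned, and the log line gives the help desk the exit code and service state to check when a device does not show up in the compliance report later.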

Validating the MBAM infrastructure


After deploying the MBAM server and client, verify that the MBAM infrastructure is working
properly. You can validate the MBAM infrastructure by performing some common BitLocker
management tasks in MBAM. For more information about how to perform BitLocker
management tasks by using MBAM, see the section, Performing BitLocker Management with
MBAM 2.5, in the Microsoft BitLocker Administration and Monitoring 2.5 administrator's guide.

Use the MBAM Self-Service Portal to regain access to a device


Users can be prevented from accessing their BitLocker-enabled devices if they forget their
password or PIN, changed operating system files, changed the BIOS, or changed the TPM. Users
can regain access to their device without assistance from the help desk by using the MBAM
Self-Service Portal.
To use the MBAM Self-Service Portal to regain access to a device
1. In Internet Explorer, browse to the MBAM Self-Service Portal (e.g., server\SelfService).
2. In Recovery Key ID, enter a minimum of eight digits from the 32-digit BitLocker Key ID
displayed on the BitLocker recovery page of the inaccessible device.
3. In Reason, select a reason for the recovery key request, and then click Get Key.
The MBAM Self-Service Portal obtains and displays the 48-digit BitLocker recovery key in
Your BitLocker Recovery Key.
4. Enter the 48-digit BitLocker recovery key on the BitLocker recovery page on the
inaccessible device.
5. The device can now be successfully started.
For more information about how to regain access to a device by using the MBAM Self-Service
Portal and other BitLocker management tasks that you can perform, see the section, Performing
BitLocker Management with MBAM 2.5, in the Microsoft BitLocker Administration and Monitoring
2.5 administrator's guide.

Determine the BitLocker encryption state of lost or stolen devices


A common concern for most organizations is the loss or theft of a device that contains sensitive
information. A BitLocker-protected device helps prevent unauthorized users from accessing the
sensitive information on such a device. IT pros can determine which volumes on a device are
protected and better assess the risk associated with the loss or theft of the device.
To determine the BitLocker encryption state of lost or stolen devices
1. In Internet Explorer, browse to the MBAM website (e.g., server\HelpDesk).
2. In the navigation pane, in the Report node, click Computer Compliance Report.
3. In the Device user or computer name box in the results pane, type a user or device
name, and then click View Report.
Search results are shown in the list box below. Device protection is determined by the
deployed BitLocker policies, which reflect the BitLocker encryption state of a device.
For more information about how to determine the BitLocker encryption state of a device by
using MBAM and other BitLocker management tasks that you can perform by using MBAM, see
the section, Performing BitLocker Management with MBAM 2.5, in the Microsoft BitLocker
Administration and Monitoring 2.5 administrator's guide.

Use a help desk portal to reset a TPM lockout


Users can be prevented from accessing their BitLocker-enabled device if they enter an incorrect
PIN too many times, which results in a TPM lockout. The number of times a user can enter an
incorrect PIN before the TPM locks varies by manufacturer. You can help users regain access to
their devices by using the MBAM Help Desk Portal to reset the TPM lockout.

You can reset a TPM lockout only if MBAM was used to initially provision
the TPM. If the TPM was provisioned prior to MBAM deployment, the TPM
data may be stored in AD DS if the appropriate Group Policy settings
were configured and you cannot reset a TPM lockout by using MBAM.

To use the MBAM administration website to reset a TPM lockout


1. In Internet Explorer, browse to the MBAM administration website (e.g., server\HelpDesk).
2. In the navigation pane, click Manage TPM.
3. Enter the following information, and then click Submit:

Fully qualified domain name of the locked device

Computer name of the locked device

Windows logon domain for the user

User name of the user

Reason for requesting the TPM owner password file

The MBAM Help Desk Portal returns one of the following results:

The TPM owner password file for the device

A message indicating that no matching TPM owner password file was found

4. Click Save.
Doing so saves the TPM owner password file.

5. Run the TPM management console, select the Reset TPM lockout option, and provide
the TPM owner password file to reset the TPM lockout.

The TPM hash value and TPM owner password should only be
used by authorized help desk and support personnel for the
purpose of resolving a TPM lockout scenario. Microsoft does not
recommend providing this information directly to users, because
the TPM information does not change and could pose a security
risk if the information does not remain secure.

For more information about how to reset a TPM lockout and other BitLocker management
tasks that you can perform with MBAM, see the section, Performing BitLocker Management
with MBAM 2.5, in the Microsoft BitLocker Administration and Monitoring 2.5
administrator's guide.

Conclusion
Deploying MBAM can be easy and requires minimal updates to your existing infrastructure. You
can deploy the MBAM server components in a Stand-alone topology or, if you want to integrate
with an existing System Center Configuration Manager infrastructure, a Configuration Manager
Integration topology. In either case, you can evaluate MBAM on a single server or deploy the
MBAM server components in your production environment on multiple servers so that you can
scale to a size appropriate for your organization.
With the infrastructure in place, you can use highly automated processes such as Group Policy,
MDT, System Center Configuration Manager, or scripted installation methods to deploy the
MBAM client and provision BitLocker on user devices. From there, use the MBAM Group Policy
template to provide ongoing management of the MBAM client.

Download MBAM today to evaluate its deployment in your organization. MBAM is part of
MDOP, and MDOP is available to TechNet subscribers and MSDN subscribers. MDOP is also
available for purchase if you have Software Assurance on Windows client (including Windows
Intune subscribers).
For more information about MBAM, see:

The Microsoft Desktop Optimization Pack website to learn more about its business benefits

The Microsoft BitLocker Administration and Monitoring content on TechNet for technical
information, including videos that provide an overview and demonstrate how to set up and
configure MBAM
