Microsoft BitLocker Administration and Monitoring Deployment Guide
Microsoft BitLocker Administration and Monitoring (MBAM) is an enterprise- scalable solution for managing BitLocker technologies, such as BitLocker Drive Encryption and BitLocker To Go. MBAM, which is part of the Microsoft Desktop Optimization Pack, helps you improve security compliance on devices by simplifying the process of provisioning, managing, and supporting BitLocker- protected devices. This guide helps you choose a deployment method for MBAM and provides step-by-step instructions for each method.
MBAM DEPLOYMENT GUIDE | INTRODUCTION 1
Introduction
Organizations rely on BitLocker Drive Encryption and BitLocker To Go to protect data on computers running the Windows 8.1, Windows 8, or Windows 7 operating systems; Windows to Go; fixed data drives; and removable drives. Microsoft BitLocker Administration and Monitoring (MBAM) version 2.5, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance, makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed data drives.
For BitLocker To Go–protected removable drives, BitLocker stores the recovery keys but does not monitor or enforce encryption.
The key benefits of using MBAM to manage BitLocker technologies are:
Simplified provisioning and management. BitLocker deployment is easier with MBAM, because MBAM can be integrated with existing automated provisioning and deployment processes to ensure that existing and new devices are protected. You can provision BitLocker as a part of or after operating system deployment, then use Group Policy settings for ongoing BitLocker management and compliance enforcement. If drives were already encrypted with BitLocker prior to deploying MBAM, MBAM will escrow the recovery keys and report compliance.
Improved compliance and reporting. Encryption and protection of sensitive information are essential to organizational compliance programs. MBAM includes built- in reports that provide the current BitLocker encryption status of devices. MBAM also audits access to BitLocker recovery keys and can provide reports on who accessed specific recovery key information.
Reduced support effort. A customized MBAM Control Panel app replaces the default BitLocker Control Panel item and allows users to manage local MBAM and BitLocker
MBAM DEPLOYMENT GUIDE | INTRODUCTION 2
configuration. Secure, web-based recovery key management portals allow help desk staff and users recover BitLocker-enabled devices. Together, the customized Control Panel app and these portals allow users and IT staff to perform common tasks, such managing the BitLocker PIN, without you having to grant administrative rights to the managed devices. Enabling self-service support helps reduce BitLocker-related help desk tickets by enabling users to reset their own PINs and recover their own BitLocker-protected drives.
To learn more about taking advantage of MBAM in your business, see the Microsoft BitLocker Administration and Monitoring content on the Microsoft Desktop Optimization Pack website.
This guide describes how to deploy MBAM, including the server architecture, with a focus on automating the deployment and configuration of the MBAM client to managed devices. It first describes the MBAM components. Then, it shows you how to prepare for deployment and provides step-by-step instructions for deploying the MBAM client by using the following tools and technologies:
Group Policy software installation
Microsoft Deployment Toolkit (MDT) 2013
Microsoft System Center 2012 R2 Configuration Manager
Scripted installation (e.g., command prompt)
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 3
MBAM components
MBAM uses a client–server model to manage BitLocker. You can deploy MBAM in either a stand-alone or System Center Configuration Manager Integration topology. The following sections describe each.
MBAM Stand-alone topology
You use the MBAM Stand-alone topology (illustrated in Figure 1) when your organization does not have an existing System Center Configuration Manager infrastructure. In this topology, MBAM and Microsoft SQL Server provide all the necessary components. You can use the MBAM Stand-alone topology even if your organization uses System Center Configuration Manager. However, if your organization has a System Center Configuration Manager infrastructure and you want to use the MBAM with it, see “MBAM Configuration Manager Integration topology.”
Figure 1. MBAM Stand-alone topology Table 1 describes the computers and devices in this topology and provides a brief description of MBAM components and the role of each computer and device. The components in Table 1 are logical, and you can define your topology in many ways (e.g., putting the MBAM databases on different servers).
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 4
Table 1. Computers in the MBAM Stand-alone topology
Computer or device Description
Administration and The following features are installed on this server: Monitoring Server Administration and Monitoring Server. The Administration and Monitoring Server feature is installed on a computer running the Windows Server operating system and consists of the Administration and Monitoring website, which includes the reports and the Help Desk Portal, and the monitoring web services.
Self-Service Portal. The Self-Service Portal is installed on a computer running Windows Server. The portal enables users on client computers to independently obtain a key to recover a locked BitLocker volume.
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 5
Computer or device Description
Database Server The following features are installed on this server:
Recovery Database. The Recovery Database is installed on a computer running Windows Server and a supported instance of SQL Server. This database stores recovery data collected from MBAM client computers.
Compliance and Audit Database. The Compliance and Audit Database is installed on a computer running Windows Server and a supported instance of SQL Server. This database stores compliance data for MBAM client computers, which is used primarily for reports that Microsoft SQL Server Reporting Services hosts.
Compliance and Audit Reports. The Compliance and Audit Reports are installed on a computer running Windows Server and a supported instance of SQL Server that has the SQL Server Reporting Services feature installed. They provide MBAM reports that you can access from the Administration and Monitoring website or directly from the SQL Server Reporting Services server.
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 6
Computer or device Description
Management workstation The following can be downloaded and installed on the Management workstation, which can be a computer running Windows Server or a client operating system:
Policy Template. The Policy Template consists of Group Policy settings that define MBAM implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management workstation, which is a supported Windows Server machine or client computer. The workstation does not have to be a dedicated computer. For more information, see the section “Deploying the MBAM Group Policy settings.”
Managed device The MBAM client is installed on the managed Windows device and has the following characteristics:
Uses Group Policy to enforce the BitLocker encryption of client computers in the enterprise
Collects the recovery key for the three BitLocker data drive types: operating system drives, fixed data drives, and removable data (USB) drives
Collects compliance data for the computer and passes the data to the reporting system
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 7
Computer or device Description
Active Directory Domain The following can be downloaded and installed on the Services (AD DS) domain domain controller: controller Policy Template. The Policy Template consists of Group Policy settings that define MBAM implementation settings for BitLocker. You can install the Policy Template on a domain controller so that it is available to administrators on all management computers. For more information, see the section “Deploying the MBAM Group Policy settings.”
MBAM Configuration Manager Integration topology
Use the MBAM Configuration Manager Integration topology (illustrated in Figure 2) when your organization has an existing System Center Configuration Manager infrastructure. In this topology, the MBAM components are distributed across the MBAM Administration and Monitoring Server, SQL Server, and System Center Configuration Manager. In this topology, System Center Configuration Manger runs some of the MBAM components. MBAM supports System Center 2012 R2 Configuration Manager, System Center 2012 Configuration Manager with Service Pack 1 (SP1), and Microsoft System Center Configuration Manager 2007 with SP1 infrastructures.
Windows to Go is not supported when you install the System Center Configuration Manager Integration topology with System Center
Configuration Manager 2007.
If your organization does not have a System Center Configuration Manager infrastructure, see “MBAM Stand-alone topology.”
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 8
Figure 2. MBAM Configuration Manager Integration topology The placement of the MBAM components in the MBAM Configuration Manager Integration topology is similar to the MBAM Stand-alone topology.
Table 2 describes the computers and devices in the MBAM Configuration Manager Integration topology (illustrated in Figure 2) and provides a brief description of the MBAM components and role of each computer and device.
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 9
Table 2. Computers in the MBAM Configuration Manager Integration topology
Computer or device Description
Administration and The following features are installed on this server: Monitoring Server Administration and Monitoring Server. The Administration and Monitoring Server feature is installed on a computer running Windows Server and consists of the Administration and Monitoring website, which includes the audit reports, the Help Desk Portal, and the monitoring web services.
Self-Service Portal. The Self-Service Portal is installed on a computer running Windows Server. It enables users on client computers to independently obtain a key to recover a locked BitLocker volume.
Database Server The following features are installed on this server:
Recovery Database. The Recovery Database is installed on a computer running Windows Server and a supported instance of SQL Server. This database stores recovery data collected from MBAM client computers.
Audit Database. The Audit Database is installed on a computer running Windows Server and a supported instance of SQL Server. This database stores audit details about recovery data access.
Audit Reports. The Audit Reports are installed on a computer running Windows Server and a supported instance of SQL Server that has the SQL Server Reporting Services feature installed. They provide MBAM reports that you can access from the Administration and Monitoring website or directly from the SQL Server Reporting Services server.
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 10
Computer or device Description
Configuration Manager The Configuration Manager Site Server collects the Primary Site Server hardware inventory information from client computers and is used to report the BitLocker compliance of client computers. The following features are installed on this server:
Compliance Reports. The Compliance Reports are installed on the computer running the Reporting Services point site system role. They provide MBAM reports that you can access from the Configuration Manager console or directly from the SQL Server Reporting Services server on the Reporting Services point.
Management workstation The following can be installed on the Management workstation, which can be a client computer running Windows Server or a client operating system:
Policy Template. The Policy Template consists of Group Policy settings that define MBAM implementation settings for BitLocker. You can install the Policy Template on any server or workstation, but it is commonly installed on a management workstation, which is a supported Windows Server computer or client computer. The workstation does not have to be a dedicated computer. For more information, see the section “Deploying the MBAM Group Policy settings.”
Configuration Manager console. The Configuration Manager console is used to view MBAM reports.
MBAM DEPLOYMENT GUIDE | MBAM COMPONENTS 11
Computer or device Description
Managed device The MBAM client and Configuration Manager client are installed on the managed Windows device and have the following characteristics:
Use Group Policy to enforce the BitLocker encryption of client computers in the enterprise
Collect the recovery key for the three BitLocker data drive types: operating system drives, fixed data drives, and removable data (USB) drives
Enable System Center Configuration Manager to collect hardware compatibility data about client computers
Enable System Center Configuration Manager to report compliance information
AD DS domain controller The following can be downloaded and installed on the domain controller:
Policy Template. The Policy Template consists of Group Policy settings that define MBAM implementation settings for BitLocker. You can install the Policy Template on a domain controller so that it is available to administrators on all management computers. For more information, see the section “Deploying the MBAM Group Policy settings.”
MBAM DEPLOYMENT GUIDE | PREPARING FOR DEPLOYMENT 12
Preparing for deployment
MBAM requires the following services and features for both the stand-alone and Configuration Manager topologies:
AD DS. MBAM requires an AD DS infrastructure and that the MBAM clients be domain members.
SQL Server. MBAM requires SQL Server for storing MBAM compliance, audit, and recovery information. MBAM also requires SQL Server Reporting Services for MBAM reports. For more information on SQL Server requirements, see the section, “SQL Server database requirements,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide, which is available on Microsoft TechNet. For more information about deploying SQL Server in the:
Stand-alone topology, see “Deploying MBAM in the Stand-alone topology”
Configuration Manager Integration topology, see “Deploying MBAM in the Configuration Manager Integration topology”
Group Policy. You manage MBAM client configuration by using Group Policy settings. MBAM allows you to manage BitLocker and MBAM settings from a single template. For more information, see “Deploying the MBAM Group Policy settings.”
Web server (Microsoft Internet Information Services [IIS]). The Administration and Monitoring website and the Self-Service Portal run on IIS, which is installed as part of the Web Server (IIS) server role.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 13
Deploying the MBAM server
You can deploy the MBAM server in either the MBAM stand-alone or MBAM Configuration Manager Integration topology. You will deploy the MBAM server components on different computers (virtual or physical) depending on your scale requirements and the MBAM deployment topology you choose.
Regardless of the MBAM deployment topology selected, Microsoft recommends dedicating two computers to MBAM—one for running MBAM web server components and one for running SQL Server.
You can deploy MBAM in a single-server configuration. However, this configuration is recommended for use only in test environments. For production environments, Microsoft recommends that you use the two- server deployment configuration.
The process to install the MBAM 2.5 server software is different from earlier MBAM versions. In earlier versions, you installed and configured the software at the same time. In MBAM 2.5, you use a two-step process to install and configure the software, which you repeat on each server in your topology:
1. Run MBAMserversetup.exe to install the MBAM server software. You can use the Microsoft BitLocker Administration and Monitoring Setup Wizard or script installation by using command-line options. For more information, see the section “Installing the MBAM 2.5 Server Software” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
2. Perform one of the following tasks to configure the databases, reports, web apps, and optional System Center Configuration Manager Integration topology:
Use the MBAM Server Configuration Wizard.
Use Windows PowerShell cmdlets.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 14
For more information, see the section “Configuring the MBAM 2.5 Server Features” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
Select the MBAM deployment topology
Which MBAM deployment topology you choose is based on whether you have System Center Configuration Manager. Use the information in Table 3 to determine which MBAM deployment topology is right for you.
Table 3. MBAM deployment topologies and when to select them
Topology Description
Stand-alone topology Select this topology when your organization does not have an existing System Center Configuration Manager infrastructure or is not planning to deploy a System Center Configuration Manager infrastructure prior to deploying MBAM.
Configuration Manager Integrating MBAM with System Center Configuration Manager Integration topology is entirely optional. Select this topology when your organization has an existing System Center Configuration Manager infrastructure or is planning to deploy a System Center Configuration Manager infrastructure prior to deploying MBAM, and your organization wants to integrate MBAM with it. MBAM supports System Center 2012 R2 Configuration Manager, System Center 2012 Configuration Manager with SP1, and System Center Configuration Manager 2007 with SP1.
Deploy MBAM in the Stand-alone topology
Deploying MBAM in the Stand-alone topology typically uses two computers (physical or virtual) for the MBAM components. The two-computer configuration is recommended for production environments. Installation of all MBAM components on one computer is possible but recommended only for lab or evaluation environments or small production environments. The
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 15
MBAM Stand-alone topology is illustrated in Figure 1 in the section “MBAM Stand-alone topology,” earlier in this guide.
To deploy MBAM in the Stand-alone topology, perform the following steps:
1. Deploy a supported version of SQL Server on the designated computer.
For more information about the versions of SQL Server that MBAM supports, see the section, “SQL Server database requirements,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide, which is available on TechNet.
2. Configure SQL Server to support encrypted connections to the SQL Server Database Engine (optional).
If you plan to secure communication between the MBAM client and the web services, you should also secure communication to the SQL Server Database Engine by enabling encrypted connections to it. For more information about how to do so, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).
3. Create the required users and groups in AD DS. For more information about creating the required users and groups in AD DS, see the section “Planning for MBAM 2.5 Groups and Accounts” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
4. Ensure that the computer that will run the MBAM web server components has the necessary prerequisites.
The MBAM Web Server Installation Wizard automatically checks prerequisites before installing the MBAM web server components.
For more information about MBAM server prerequisites, see the section “MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 16
5. Install the MBAM server components.
For more information about how to install the MBAM server components in the MBAM Stand-alone topology, see the section “Deploying the MBAM 2.5 Server Infrastructure” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
6. Register service principal names (SPN) in AD DS.
An SPN is the name by which a client uniquely identifies an instance of a service. The MBAM Server Setup program automatically registers the required SPNs in AD DS if you run it in an account that has Administrator rights in AD DS. Otherwise, you must ask your Active Directory team to register the required SPNs, as described in the section “Registering SPNs for the application pool account” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
Deploy MBAM in the Configuration Manager Integration topology
Deploying MBAM in the Configuration Manager Integration topology typically uses two computers (physical or virtual) for the MBAM components in addition to the System Center Configuration Manager infrastructure. The two-computer configuration is recommended for production environments. Installation of all MBAM components on one computer is possible but recommended only for lab or evaluation environments or small production environments. In addition, this topology requires a System Center Configuration Manager infrastructure. MBAM has no additional system requirements for System Center Configuration Manager beyond the standard system requirements. For more information about the system requirements for:
System Center 2012 R2 Configuration Manager, see Supported Configurations for Configuration Manager
System Center Configuration Manager 2007, see Configuration Manager Supported Configurations
To deploy MBAM in the Configuration Manager Integration topology, perform the following steps:
1. Deploy a supported version of SQL Server.
For more information about the versions of SQL Server that MBAM supports, see the sections, “SQL Server database requirements,” “SQL Server processor, RAM, and disk space requirements—Stand-alone topology,” and “SQL Server processor, RAM, and disk
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 17
space requirements—Configuration Manager Integration topology,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
2. Create the required users and groups in AD DS.
For more information about creating the required users and groups in AD DS, see the section “Planning for MBAM 2.5 Groups and Accounts” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
3. Configure the System Center Configuration Manager permissions required to install MBAM.
For more information about how to do so, see the section, “Required permissions to install MBAM with Configuration Manager,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
4. Edit and import the configuration.mof file.
For more information about how to do so, see the section, “Edit the Configuration.mof File,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
5. Edit and import the sm_def.mof file.
For more information about how to do so, see the section, “Create or Edit the Sms_def.mof File,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
6. Install the MBAM web server components.
For more information about how to install the MBAM web server components in the MBAM Configuration Manager Integration topology, see the section “Deploying the MBAM 2.5 Server Infrastructure” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
7. Register SPNs in AD DS.
An SPN is the name by which a client uniquely identifies an instance of a service. The MBAM Server Setup program automatically registers the required SPNs in AD DS if you run it in an account that has Administrator rights in AD DS. Otherwise, you must ask your Active Directory team to register the required SPNs, as described in the section
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM SERVER 18
“Registering SPNs for the application pool account” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
Deploying MBAM in high-availability scenarios
MBAM 2.5 supports the following high-availability scenarios in addition to the standard two- server and Configuration Manager Integration topologies:
SQL Server AlwaysOn availability groups
SQL Server clustering
Network load balancing
SQL Server mirroring
Volume Shadow Copy Service Backup
MBAM is agnostic in high-availability deployments. You install and configure it the same either way, and you can use high-availability solutions from Microsoft or other vendors. For more information about deploying MBAM in high-availability scenarios, see the section “Planning for MBAM 2.5 High Availability” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 19
Deploying the MBAM Group Policy settings
You use Group Policy settings to configure and manage the MBAM client. Doing so provides a central location for configuring the client and allows you to easily configure unique settings for different groups.
Install the MBAM Group Policy administrative templates
The MBAM administrative templates expose all of the BitLocker and MBAM client configuration settings in the Group Policy Editor. Although previous versions of MBAM included the Group Policy administrative templates in the installer, MBAM 2.5 does not. Instead, download the required Group Policy templates from the Microsoft Download Center.
You can install the administrative templates on management computers or in the domain’s central store for ADMX files. Table 4 compares these methods:
Local installation on management workstations. Install the templates on any computer from which you will use Group Policy to configure the MBAM client (i.e., management computers). (The Remote Server Administration Tools are required on PCs.) You must copy the administrative templates to every management computer. When editing Group Policy on computers that do not have the administrative templates installed, the MBAM Group Policy settings will not appear.
Installation in the domain’s central store for ADMX files. Optionally, install the templates in the central store for ADMX files to make them available to all administrators editing Group Policy. This method ensures that administrators can edit MBAM Group Policy settings even if they did not copy the administrative templates locally. However, once you create a central store for the domain, you only see administrative templates that are in the central store. Therefore, you must also copy any Windows 8.1, Windows 8, and Windows 7 administrative templates that you want to use to the central store.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 20
Table 4. Copying the MBAM administrative templates
Method Advantages Disadvantages
Copying to Avoids having to Must copy the administrative management populate SYSVOL with templates to every computers all of the administrative management computer templates you need
Only MBAM administrators have access to the administrative templates
Copying to the Copy once, and all Only administrative templates central store for administrators have in the central store appear in ADMX files access to the the Group Policy Editor administrative templates Must copy all administrative templates from each target operating system to the central store for ADMX files
For more information about configuring a central store for ADMX files, see the article Scenario 2: Editing Domain-Based GPOs Using ADMX Files. Even though this guidance was written for Windows Server 2008, it still applies to Windows Server 2008 R2 and Windows Server 2012.
To install the Group Policy administrative templates locally
1. Copy the ADMX files to %SystemRoot%\PolicyDefinitions on the local computer.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 21
2. Copy the ADML files to %SystemRoot%\PolicyDefinitions\LANGUAGE on the local computer, where LANGUAGE is a language code (e.g., en-US).
To install the Group Policy administrative templates in the central store for ADMX files
1. Copy the AMDX files to %SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions on a domain controller. Create the PolicyDefinitions folder if it does not already exist.
2. Copy the ADML files to %SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions\LANGUAGE on a domain controller, where LANGUAGE is a language code (e.g., en-US). Create the LANGUAGE folder if it does not already exist.
The MBAM Group Policy administrative templates are supported only on Windows Server 2012 R2, Windows Server 2012, and Windows
Server 2008 R2 operating systems.
For more information on how to install the MBAM Group Policy template, see the section, “Copying the MBAM 2.5 Group Policy Templates,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
Create the MBAM Group Policy settings
The MBAM Group Policy administrative templates define policy settings for the MBAM client. Microsoft recommends that you create a new GPO for each set of unique MBAM Group Policy settings you need. For example, if you have two groups within your organization that will have different configurations for BitLocker, create two GPOs—one for each group of settings. You can also create a GPO for using Trusted Platform Module (TPM) only and another for using TPM and a PIN.
MBAM Group Policy settings are in the Group Policy Management Editor under Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management). Table 5 lists the categories of MBAM Group Policy settings and provides a brief description of each. For more information on the MBAM Group Policy settings, see the section,
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 22
“Planning for MBAM 2.5 Group Policy Requirements,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
With MBAM 2.5, you can enforce encryption policies on operating system and fixed data drives. You can also limit the number of days that users can postpone encryption. Configure the new Group Policy setting Encryption Policy Enforcement Settings in the Operating System Drive and Fixed Drive categories that Table 5 describes. For more information, see the section “Ability to enforce encryption policies on operating system and fixed data drives” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
Table 5. MBAM Group Policy setting categories
Category Description
Global Used to configure global BitLocker settings, such as the drive encryption method and cypher strength and whether a unique organizational identifier will be used. These settings are located in the root of the MBAM Group Policy settings hierarchy.
Client Used to configure the client management aspects of the MBAM Management client, such as the configuration of the MBAM services that the client uses. These settings are located in the Client Management node.
Fixed Drive Used to configure the settings that affect encryption of fixed drives, such as denying Write access to fixed drives not protected by BitLocker or choosing how BitLocker-protected fixed drives can be recovered. These settings are located in the Fixed Drive node.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 23
Category Description
Operating Used to configure the settings that affect the operating system drive, System Drive such as requiring users to encrypt the operating system drive and the methods for recovering BitLocker-protected operating system drives. These settings are located in the Operating System Drive node.
Removable Used to configure the settings that affect encryption of fixed drives, Drive such as controlling the use of BitLocker on removable drives or choosing how BitLocker-protected removable drives can be recovered. These settings are located in the Removable Drive node.
Configure the MBAM Group Policy settings in the GPOs that you have created (based on the information in Table 5), and then link those GPOs to the OUs that contain the devices you will use MBAM to manage. For more information on the MBAM Group Policy settings and the suggested configuration, see the section, “Planning for MBAM 2.5 Group Policy Requirements,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
Manage MBAM user exemptions
In some instances, users may need to be exempt from protecting their drives by using BitLocker. For example, users may bring their own devices as a part of a bring-your-own-device initiative and do not want their devices to be BitLocker protected. You can exempt users from MBAM enforcement of automatic BitLocker protection by using the Allow the user to be exempted from BitLocker encryption Group Policy setting, which is under User Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management).
To exempt users from MBAM enforcement of automatic BitLocker protection, perform the following steps:
1. Create a GPO, such as MBAM User Exemption Policy, that enables the Allow the user to be exempted from BitLocker encryption Group Policy setting.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM GROUP POLICY SETTINGS 24
2. Create a domain security group, such as MBAM Exempt Users, that contains the user accounts of the users to be exempted.
3. Configure the MBAM User Exemption Policy GPO (created in step 1) to apply only to the MBAM Exempt Users domain security group (created in step 2) by using GPO security filtering, as shown in Figure 3.
Figure 3. Configuring GPO security filtering For more information on how to perform GPO security filtering for a specific group, see Using Security Filtering to Apply GPOs to Selected Groups.
4. Link the MBAM User Exemption Policy GPO (created in step 1) to the OUs in which the devices to be managed reside.
For more information on how to manage MBAM user exemptions, see the section, “How to Manage User BitLocker Encryption Exemptions,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 25
Deploying the MBAM client
You must install the MBAM client on each device you will use MBAM to manage. The client is available in 64-bit and 32-bit versions that are stored in the MBAM\Installers\2.5\x64 and MBAM\Installers\2.5\x86 folders, respectively, on the MBAM source media. Select the appropriate version based on the target operating system.
The MBAM client installation files include:
MbamClientSetup.exe. This Setup program contains the MBAM client and is appropriate for methods that require an .exe file, such as scripted installation. This program passes any installer properties you use on its command line to the Windows Installer package file.
MBAMClient.msi. This Windows Installer package contains the MBAM client and is appropriate for deployment methods that require an .msi file, such as Group Policy software deployment.
You can easily deploy the MBAM client by using almost any software or operating system deployment tool. Table 6 lists the deployment methods that this guide describes and offers suggestions for when to use each. You can also use a combination of these methods. For example, you could use MDT to deploy the MBAM client during operating system deployment and use Group Policy to deploy the MBAM client to existing computers.
To drive consistency across MBAM client installations, use highly automated techniques to perform MBAM client deployments. For example, if you choose command-line deployment, ensure that you
automate installation by using scripts (e.g., Windows PowerShell or batch scripts).
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 26
Table 6. Choosing a deployment method
Method Use this method when
Group Policy You do not use an electronic software distribution (ESD) solution, such as System Center Configuration Manager or MDT
You already deploy software by using Group Policy
You want to deploy the MBAM client to existing computers
You want to deploy the MBAM client after operating system images are deployed
Computers have high-speed, persistent connections to the network share containing the installation files
MDT 2013 You use MDT for operating system deployment
You want to deploy the MBAM client during operating system deployment
System Center You already use System Center Configuration Manager for Configuration application and operating system deployment Manager You want to use one tool to deploy the MBAM client to existing computers or during operating system deployment
Computers have high-speed, persistent connections to the distribution points in which the MBAM client installation files reside
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 27
Method Use this method when
Scripted Installation You want to script installation as part of operating system installation, and you are not using MDT or System Center Configuration Manager
You want to deploy the MBAM client by using a non- Microsoft ESD system
Computers might not have high-speed, persistent connections to the enterprise network, and installation from local media might be required
Installing the MBAM client remotely
If you do not have an ESD system (e.g., System Center Configuration Manager) and you do not want to use Group Policy to install the MBAM client, you can use scripts to install it. You must install the MBAM client from an elevated command prompt, however, so users with restricted accounts cannot run scripts that install the MBAM client. A variety of tools and techniques are available to work around this limitation. Examples include:
Use Windows PowerShell Remoting to run the MBAM client Setup program on a list of remote computers. For more information about Windows PowerShell Remoting, see the TechNet article, Running Remote Commands.
Use the Windows Sysinternals PsExec tool to run processes remotely with specific credentials. For more information about PsExec and the other amazing tools in the Sysinternals toolset, see the TechNet article, PsTools.
Use Group Policy preferences to schedule a job in Task Scheduler that runs the MBAM client installation on targeted computers with credentials that you specify in the task. For more information about scheduling tasks by using Group Policy preferences, see the TechNet article, Configure a Scheduled Task Item.
In addition, many non-Microsoft tools are available to script the installation of programs that require elevated permissions. Many of them are free or have a nominal cost.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 28
BitLocker partition configuration requirements
BitLocker requires that the partitions on the targeted devices be configured properly to support BitLocker. Ensure that the targeted devices have the correct partition configuration to support BitLocker prior to deploying the MBAM client.
BitLocker requires the following partitions:
System partition. This unencrypted partition is used to start the target device. The system partition must have a minimum of 100 MB of space, but larger partitions are recommended. If the system partition is 300 MB or larger, the Windows Recovery Environment is automatically copied to the partition when BitLocker is enabled. By default, MDT automatically creates a 512-MB system partition.
Windows partition. This encrypted partition contains the Windows operating system, applications, and user data. It must meet the minimum required available disk space for the desired operating system.
In addition to the BitLocker partition requirements, the device may have requirements such as those for Unified Extensible Firmware Interface (UEFI). For more information on the recommended partition configuration
for BIOS and UEFI devices, see “5.1 Create a DiskPart script” in Step-by- Step: Windows 8 Deployment for IT Professionals.
For new device deployments or when you are replacing an existing device with a new device, the operating system deployment process automatically creates the appropriate partitions. This is true if you are performing the deployment by using the operating system deployment media or by using automated processes such as MDT or System Center 2012 R2 Configuration Manager.
However, in refresh device deployment scenarios, the existing device may have a partition configuration that is inappropriate for BitLocker—for example, refreshing the Windows XP operating system on an existing device with Windows 8. In these scenarios, you may need to repartition the drive to support BitLocker before performing operating system deployment and deploying the MBAM client. Ensure that you create the partitions based on the
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 29
recommendations in the “5.1 Create a DiskPart script” in Step-by-Step: Windows 8 Deployment for IT Professionals.
For more information about how MDT creates disk partitions, see the section, “Review the Default Partition Configuration Created by MDT,” in the MDT document Using the Microsoft Deployment Toolkit. Repartitioning of targeted devices in refresh device deployment scenarios is discussed in the sections for each MBAM client deployment method.
TPM and MBAM client deployment
The TPM is a microchip that stores the private portion of security keys that are kept separate from the memory that the operating system controls. BitLocker uses these keys to encrypt data.
On Windows 8 and Windows 8.1, MBAM supports computers that do not have a TPM. However, MBAM requires a password protector on these
computers.
BitLocker and MBAM have the following dependencies on the TPM:
The TPM must be physically enabled. The TPM must be physically enabled on the targeted device before BitLocker and MBAM can use it. Enabling the TPM by using the BIOS or UEFI on the device or by using scripts to automate the process.
Set ownership of the TPM. Taking ownership of the TPM allows MBAM help desk personnel to provide users with a file they can use to reset the TPM on their devices. However, it is not required that MBAM own the TPM. Windows can automatically provision and take ownership of the TPM, which allows the TPM management within Windows. If Windows owns the TPM, MBAM will be unable to help users reset the TPM on their device.
Enable the TPM BitLocker requires that the TPM be physically enabled on the device prior to protecting any fixed or removable drives on the managed device. In some cases, the TPM can be disabled in the BIOS or UEFI, which will prevent BitLocker and MBAM from accessing its functionality. The software and process for enabling TPM at the hardware level is unique for each device hardware
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 30
manufacturer and sometimes within models. For fully automated deployment, such as MDT or System Center Configuration Manager, ensure that the TPM for the device is physically enabled within the BIOS or UEFI prior to image deployment.
In addition, enabling the TPM may require that the administrator password for the BIOS or UEFI be configured. Some hardware vendor tools allow you to temporarily set the administrator password, enable the
TPM, and then remove the password. Please consult the documentation from the hardware vendor specific to the BIOS or UEFI for the device.
Most hardware vendors provide software that allows you to enable the TPM from the command line. For information about the software for enabling a TPM from a command line, contact each specific hardware vendor.
For information on how to run the software to enable the TPM from a command line for each deployment method, see the step for enabling the TPM on targeted devices in the following sections:
Group Policy software installation
LTI in MDT 2013
ZTI and UDI in MDT 2013
System Center 2012 R2 Configuration Manager
Scripted installation
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 31
Set the ownership of the TPM The TPM can have only one owner. In this context, the choices are MBAM or the operating system. Configure TPM ownership based on the operating system on the target device.
With Windows 8 and Windows 8.1, if you pre-provision BitLocker during bare-metal Windows deployment, MBAM cannot take ownership of the TPM or store the recovery password. For MBAM to take ownership of the TPM and store the recovery password, you must disable auto-provisioning and clear the TPM before deploying MBAM, and then allow MBAM to provision BitLocker.
Table 7 lists the operating systems and the recommendation for configuring TPM ownership.
There are advantages to MBAM owning the TPM and storing recovery passwords versus the operating system doing the same:
The OwnerAuth password file is more secure, because fewer people have access to the MBAM database that stores the file.
MBAM reports provide information about all recovery activity.
MBAM help desk users can use the Administration and Monitoring website to provide recovery passwords to users if their TPM is locked.
With Windows 8 and Windows 8.1, if you pre-provision BitLocker during bare-metal Windows deployment, MBAM cannot take ownership of the TPM or store the recovery password. For MBAM to take ownership of the TPM and store the recovery password, you must disable auto-provisioning and clear the TPM before deploying MBAM, and then allow MBAM to provision BitLocker.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 32
Table 7. Operating systems and ownership of the TPM
Operating system Ownership
Windows 8.1 and Use only one of the following: Windows 8 MBAM owns the TPM. If MBAM has ownership, then MBAM can be used to help reset the TPM.
Windows 8 owns the TPM. If Windows 8 has ownership, then the user can use Windows 8 to help reset the TPM.
Windows 7 MBAM owns the TPM, which allows MBAM to help reset the TPM.
Windows 8.1 and Windows 8 automatically provision the TPM. If you want MBAM to store and manage TPM recovery keys, you must turn off TPM auto-provisioning in the operating system and clear the TPM, which the following Windows PowerShell commands do, before deploying MBAM. Then, restart the computer and confirm that you want to clear the TPM.
# Get an instance of the TPM WMI class
$tpm=get-wmiobject -class Win32_Tpm ` -namespace root\cimv2\security\microsofttpm
# Disable TPM auto-provisioning
$tpm.DisableAutoProvisioning()
# Clear the TPM
$tpm.SetPhysicalPresenceRequest(22)
After disabling auto-provisioning and clearing the TPM, deploy MBAM and use it to provision the TPM. You must ensure that the Require TPM Backup to AD DS option is not set in the Turn on TPM backup to Active Directory Domain Services Group Policy setting. See the
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 33
section, “Configure MBAM to own the TPM and store OwnerAuth passwords,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide for more information.
TPM and BitLocker pre-provisioning
BitLocker pre-provisioning enables BitLocker encryption for a drive volume prior to Windows operating system deployment. BitLocker pre-provisioning occurs while in the Windows Preinstallation Environment (Windows PE) by using the Manage-bde.exe BitLocker command- line utility. Automated operating system deployment methods, such as MDT and System Center 2012 R2 Configuration Manager automatically preform BitLocker pre-provisioning for Windows 8.1, Windows 8, and Windows 7 if you are using Windows PE 4.0 or later and the TPM is enabled.
In System Center Configuration Manager, the built-in step Pre-provision BitLocker enables the AES128 encryption method by default. Most businesses prefer to use the stronger AES256 encryption method. In this case, you can replace the built-in step with a command-line step that runs the following command: manage-bde -on %OSDrive% -UsedSpaceOnly -em aes256.
To perform BitLocker pre-provisioning, the TPM must be enabled by one of the following methods:
Manually configuring the BIOS or UEFI. This method requires that the user performing the deployment manually enable the TPM in the BIOS or UEFI. After the TPM is manually enabled, the operating system deployment can go on as normal.
Automatically by running a script or other software. Most device vendors have scripts or software that allows you to enable the TPM automatically. However, these scripts or other software may need to run in a full Windows operating system (not in Windows PE). In instances where the script or software is unable to run in Windows PE and you require fully automated deployment, you cannot use BitLocker pre-provisioning.
If you cannot use BitLocker pre-provisioning, you must enable BitLocker after the operating system is deployed and the full operating system is running. The length of time to encrypt after the operating system is deployed depends on the operating system, as shown in Table 8.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 34
Table 8. Encryption behavior after the operating system is deployed
Operating system Encryption behavior
Windows 8 Can use the Used Disk Space Only feature to reduce the amount of time needed to encrypt the drive. This is the default behavior for MDT task sequences.
Windows 7 Can use the Used Disk Space Only feature to reduce the amount of time needed to encrypt the drive when using Windows PE 4.0 or a later version. This is the default behavior for MDT task sequences.
Starting MBAM encryption immediately during task sequences
If you deploy the MBAM client during operating system deployment, the client does not immediately initiate encryption by default, because the MBAM client is typically configured by Group Policy settings. That configuration occurs after the operating system is deployed and the user starts it for the first time. As a result, the targeted device may be in an unprotected state the first time the user starts the device, and MBAM will not have saved the recovery keys and other secrets.
To ensure that devices are in a fully protected state and that MBAM has saved the recovery keys, configure the MBAM client to immediately initiate encryption during the operating system task sequence. The section “How to Deploy the MBAM Client as Part of a Windows Deployment” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide describes steps to start MBAM encryption immediately. You can write scripts to automate this process during a task sequence.
Better yet, you can download ready-to-use scripts from Alexey Semibratov's blog post titled Start MBAM encryption on BitLocker pre-provisioned and Windows To Go drives. Download MBAMAgent-Policy.zip from the blog post (the link is below the blog post), and copy the following files from it:
ZTIPrepareBDE.wsf. The script ZTIBDE.wsf in MDT pre-provisions BitLocker, but it does not support MBAM. ZTIPrepareBDE.wsf replaces ZTIBDE.wsf. If running from Windows PE,
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 35
it prepares the TPM and pre-provisions BitLocker for MBAM. The property OSDBitLockerMode must be set to TPM. Run this script early in the task sequence, preferably in the Preinstall Phase, and set the condition Task sequence variable _SMSTSWTG not equals TRUE so that it does not run on Windows To Go. Disable the existing Enable BitLocker (Offline) step in the Preinstall Phase. You can also run this script in the State Restore phase of Refresh scenarios to partition the drive for BitLocker, if it is running from a live operating system with a single partition occupying the entire hard drive.
StartMBAMEncryption.wsf. This script starts MBAM encryption, which in turn reports the recovery key to the MBAM database. When you run this script from a task sequence, you must set the command-line option MBAMServiceEndPoint to the URL of the MBAM service end point. Run this script later in the task sequence, preferably in the State Restore Phase, after installing the MBAM client on the computer. Disable the existing Enable BitLocker step in the State Restore Phase.
Both scripts rely on the ZTIDiskUtility.wsf, ztiRunCommandHidden.wsf, and ZTIUtility.wsf scripts that MDT provides. The file MBAMAgent-Policy.zip also provides these files. In System Center Configuration Manager, you can create a separate package for ZTIPrepareBDE.wsf and StartMBAMEncryption.wsf, and then run the scripts from that package. If you choose this route, include ZTIDiskUtility.wsf, ztiRunCommandHidden.wsf, and ZTIUtility.wsf in the package. Alternatively, you can simply copy ZTIPrepareBDE.wsf and StartMBAMEncryption.wsf to the MDT Scripts folder and run them from there.
Finally, set the following property:
OSDBitLockerMode=TPM
Group Policy software installation
You can install a 64-bit or 32-bit version of MBAMClient.msi by using Group Policy software installation. (You cannot run MbamClientSetup.exe with Group Policy.) You must create a network share for the MBAM client installation files, and then create a GPO that installs the appropriate Windows Installer package file on each computer.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 36
To target MBAM client installation, link the GPO to specific OUs, use security filtering, or use Windows Management Instrumentation (WMI) filtering. For example, you can filter the GPO to target computers in a particular security group or computers that are running Windows 8 or Windows 7.
You cannot use command-line options when you use Group Policy to deploy the MBAM client. In this scenario, the easiest way to configure the MBAM client is to use the MBAM Group Policy administrative templates.
Alternatively, you can create a transform for the MBAM client Windows Installer package files and apply that transform when you create the GPO.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can enable encryption with MBAM, you must ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. Group Policy software installation–based deployments are always performed on devices where the operating system has been deployed. Ensure that the partitions on the targeted devices are configured properly for BitLocker deployment, as described in the section, BitLocker partition configuration requirements in this guide.
If the partitions on a targeted device are not configured properly for BitLocker deployment, consider refreshing the operating system on the device to create the proper partitions. For more information, see the
section “Lite Touch Installation in MDT 2013” or “Zero Touch Installation and User-Driven Installation in MDT 2013.”
Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices. The process for enabling the TPM is different for each device manufacturer and sometimes even across models within a device manufacturer. The high-level process for automatically enabling the TPM is as follows:
1. Package the vendor-specific software for enabling TPM as an .msi package.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 37
In some instances, the vendor-specific software may be scripts and cannot be easily packaged as an .msi file. In these instances, use one of the other methods for enabling TPM.
2. Create a network shared folder that contains the .msi package created in the previous step.
3. Create a GPO to install the .msi package (such as Enable TPM Policy).
4. Configure the existing MBAM client installation GPO (MBAM Client Installation) to use a WMI query to determine whether the TPM is enabled on targeted devices.
5. Target the Enable TPM Policy GPO for different processor versions (64 bit or 32 bit), if applicable.
6. Link the Enable TPM Policy GPO to the appropriate OUs.
Step 3: Share the installation files You must create a network share that contains the MBAM client Setup files. This network share must be accessible to all computers on which you want to install the MBAM client. Grant Read access to the Domain Computers group or to the Authenticated Users group.
To create and share a folder for the MBAM client installation files
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM Client Setup is the name of the folder you are creating to contain the MBAM client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 9 describes. To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.
Table 9. NTFS file system permissions for the distribution folder
Account Permissions Applies to
Administrators Full control This folder, subfolders, and files
Authenticated Users Read and Execute This folder, subfolders, and files
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 38
3. Share the folder MBAM_Client_Setup by using the permissions that Table 10 describes. To configure share permissions, right-click the folder, click Properties, and then click Advanced Sharing on the Sharing tab.
Table 10. Share permissions for the distribution folder
Account Permissions
Authenticated Users Read
4. Copy the contents of the MBAM\Installers\2.5 folder from the MBAM distribution media to \\SERVER\MBAM_Client_Setup.
The MBAM\Installers\2.5 folder includes the x64 and x86 folders, which contain the 64- bit and 32-bit versions of the MBAM client, respectively. Copy the entire contents of the folder so that both versions are available for deployment.
Step 4: Create a GPO to install the MBAM client You create GPOs by using the Group Policy Management Console (GPMC) on a server or on a client running the Remote Server Administration Tools. You can create a GPO that installs only the MBAM client, or you can configure the MBAM client by using the same GPO to keep all of your MBAM policies in one location. The steps in this section install both the x64 and x86 agents by using a single GPO, allowing Group Policy to determine the correct version to install.
To create and edit a GPO to deploy the x64 and x86 MBAM client
1. In the GPMC, create a new GPO for MBAM client installation (e.g., MBAM Client Installation):
a. Right-click Group Policy Objects under Forest\Domains\Domain, and then click New.
b. In the Name box, type MBAM Client Installation, and then click OK.
2. In the navigation pane, right-click MBAM Client Installation, and then click Edit.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 39
3. In the Group Policy Management Editor, right-click Software Installation in Computer Configuration\Policies\Software Settings, point to New, and then click Package.
4. In File name, type the Universal Naming Convention (UNC) path and name of the 64-bit version of MBAMClient.msi in the x64 folder, and then click Open.
Make sure you open the file from the network share you created earlier and not from a local path.
5. In the Deploy Software dialog box, click Advanced, and then click OK.
6. In the Name box on the General tab of the MDOP MBAM Properties dialog box, append x64 to the end of the name, and then click OK.
This will help you to distinguish between the x86 and x64 versions later.
7. In the Group Policy Management Editor, right-click Software Installation in Computer Configuration\Policies\Software Settings, point to New, and then click Package.
8. In File name, type the UNC path and name of the 32-bit version of MBAMClient.msi in the x86 folder, and then click Open.
Make sure you open the file from the network share you created earlier and not from a local path.
9. In the Deploy Software dialog box, click Advanced, and then click OK.
10. In the MDOP MBAM Properties dialog box, complete the following steps, and then click OK:
a. On the General tab, in the Name box, append x86 to the end of the name.
b. On the Deployment tab, click Advanced; then, clear the Make this 32-bit X86 application available to Win64 machines check box and click OK.
Clearing this check box prevents Group Policy from installing the 32-bit MBAM client on 64-bit operating systems, ensuring that the correct version of the MBAM client is installed for each system type.
11. Close the Group Policy Management Editor.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 40
Step 5: Link the GPO to OUs You must link the MBAM Client Installation GPO to OUs to install the agent on the computers in those OUs. You can link the GPO to individual OUs. If the computers you want to target for installation are in multiple OUs, you can link the GPO to the domain and use security or WMI filtering to limit installation to specific computers, types of computers, or Windows versions, which is discussed in the section, “Step 6: Optionally target the GPO.”
To link the GPO to an OU
1. In the GPMC, right-click the OU to which you want to link the MBAM Client Installation GPO, and then click Link an Existing GPO.
2. In the Group Policy objects list in the Select GPO dialog box, click MBAM Client Installation, and then click OK.
Step 6: Optionally target the GPO When you link the MBAM Client Installation GPO to an OU, Group Policy applies the GPO to all computers in that OU, installing the MBAM client on them. In some cases, however, this might not be desirable. You can target MBAM client deployment to specific computers within an OU by using security or WMI filtering. See Table 11 for more information.
Table 11. Filtering the MBAM Client Installation GPO
Method Description
Security This filtering method allows you to target specific computers based on filtering membership in AD DS security groups. The members of the security group can be computer objects or other security groups containing computer objects. You control the deployment of the MBAM client to specific computers by adding or removing them from the security group. For more information about security filtering, see Filter Using Security Groups.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 41
Method Description
WMI This filtering method allows you to target specific computers based on a filtering WMI query. For example, you could use a WMI query to target the operating system version on computers and deploy the MBAM client only if the operating system is Windows 8 or Windows 7.
You create a WMI filter separately, and then link the WMI filter to the GPO that you created to deploy the MBAM client. For more information about WMI filtering and how to create a WMI filter, see Work with WMI Filters.
Lite Touch Installation in MDT 2013
You can deploy the MBAM client during operating system deployment by using the Lite Touch Installation (LTI) process in MDT. You do this as part of the LTI process by adding the client installation files as an application, and then adding an Install Application step for the agent to your existing operating system deployment task sequences.
By installing the MBAM client as part of the operating system deployment task sequence, MDT installs the client automatically, which ensures that that the encryption is started or completed before users receive their device and is protected before they start the device for the first time. The MBAM client will be ready for use before users log on to the device for the first time.
Windows 8.1 and Windows 8 include the BitLocker Used Disk Space Only encryption feature, which encrypts only the disk space currently in use instead of the entire disk volume. This feature dramatically reduces the time required to encrypt a volume. By default, MDT automatically performs Used Disk Space Only encryption to reduce deployment time when enabling BitLocker for Windows 8. MDT does not support MBAM natively, however, but you can customize it to pre-provision and
immediately start MBAM encryption in a task sequence. For more information, see the section “TPM and BitLocker pre-provisioning.”
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 42
The following sections describe the steps necessary to complete each task in the Deployment Workbench:
1. Ensure that partitions on targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices.
3. Add the MBAM client to the Applications node of your deployment share.
4. Configure the MBAM client application to hide it from users in the Deployment Wizard.
5. Add an Install Application step to your existing operating system task sequences.
6. Configure the MDT BitLocker-related configuration settings.
7. Pre-provision BitLocker for the MBAM client (ZTIPrepareBDE.wsf).
8. Start MBAM encryption immediately during tasks sequences (StartMBAMEncryption.wsf).
For more information about using MDT to install applications during operating system deployment, see the MDT documentation.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can enable with MBAM, ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. For new devices or for devices that are being replaced, MDT automatically creates the necessary partitions to support BitLocker. When refreshing an existing device, LTI automatically resizes and creates the necessary partitions to support BitLocker, if there is sufficient available disk space.
Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on those devices. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even across models within a device manufacturer.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 43
By default, LTI performs BitLocker pre-provisioning for new device and replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for enabling the TPM can:
Run in Windows PE, then you can support BitLocker pre-provisioning
Only run in a Windows operating system, then you must either:
Manually enable the TPM to support BitLocker pre-provisioning
Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed but still as a part of the task sequence
For more information on the TPM and BitLocker pre-provisioning, see “TPM and BitLocker pre- provisioning.”
To automatically enable the TPM and support BitLocker pre-provisioning by using scripts or software that can run in Windows PE
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create an MDT application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
Place the Install Application task sequence step in the Preinstall group immediately before the Enable BitLocker (Offline) task sequence step.
To automatically enable the TPM by using scripts or software that can run only in a Windows operating system (no BitLocker pre-provisioning support)
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create an MDT application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
Place the Install Application task sequence step in the State Restore group.
For more information on enabling the TPM, see “Enable the TPM.”
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 44
Step 3: Add the MBAM client application When you add an application to your MDT deployment share, you must specify the command that installs it. Running MbamClientSetup.exe is the simplest way to start MBAM client installation with MDT. You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based on the target operating system version.
The command you specify for MBAM client installation must include the /q command-line option to perform an unattended installation. This option runs MbamClientSetup.exe with no user interaction. If you do not include this command-line option, the Setup program stalls the deployment process to wait for user interaction.
To add the MBAM client to your deployment share
1. In the Deployment Workbench, click Applications under Deployment Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the name of your deployment share).
2. In the Actions pane, click New Application.
3. Complete each page of the New Application Wizard:
Page Steps
Application Type 1. Click Application with source files.
2. Click Next.
Select the Application without source files or elsewhere on the network check box if you already have the installation files in a network share. For more information, see the section, “Create a New Application That Is Deployed from Another Network Share,” in the MDT documentation.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 45
Page Steps
Details 1. In the Application Name box, type MBAM Client 64-bit.
2. Click Next.
The remaining text boxes on this page are optional and informational only. Although they do not affect deployment of the MBAM client, completing the remaining text boxes can prove useful later when you are maintaining the deployment share.
Source 1. In the Source directory box, type the path of the MBAM\Installers\2.5\x64 folder that contains MbamClientSetup.exe.
The Source directory box supports autocomplete, but you can click Browse to locate the files.
2. Click Next.
Destination 1. In the Specify the name of the directory that should be created box, optionally edit the name of the folder that the New Application Wizard will create in the deployment share.
The wizard suggests a name based on the publisher, name, and version that you provided on the Details page.
2. Click Next.
Command Details 1. In the Command line box, type the command you want to run to install the MBAM client—for example:
MbamClientSetup.exe.exe /q
2. Click Next.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 46
Page Steps
Summary 1. In the Details area, review the information that the Add New Application Wizard collected.
2. Click Next.
Progress 1. Monitor the wizard’s progress as it adds the application to your deployment share.
Confirmation 1. Review the results, and then click Finish.
If you also need to deploy the 32-bit version of MbamClientSetup.exe, repeat the New Application Wizard, changing the following:
On the Details page, in Application Name, type MBAM Client 32-bit.
On the Source page, browse to the MBAM\Installers\2.5\x86 folder.
Step 4: Configure the application After adding the application to your MDT deployment share, configure it to hide the application in the Deployment Wizard from users so they cannot prevent installation during deployment by selecting the Hide this application in the Deployment Wizard check box. Hiding the application prevents the user from selecting the application, which could create errors in the deployment process, because the application would try to install twice and one installation would return a failure code.
To customize the MBAM client in your deployment share
1. In the Applications node of the deployment share, right-click the MBAM client application that you previously added, and then click Properties.
2. On the General tab of the application’s Properties dialog box, select the Hide this application in the Deployment Wizard check box.
3. Click OK.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 47
Step 5: Edit task sequences Install the MBAM client application during operating system deployment by adding it to task sequences. By adding the MBAM client to your existing task sequences, you can install the agent automatically, with no interaction from the user. This method helps to ensure that the MBAM client is available immediately, before users log on to the computer.
To install the MBAM client in an LTI task sequence
1. In the Deployment Workbench, click Task Sequences under Deployment Workbench\Deployment Shares\Deployment_Share (where Deployment_Share is the name of your deployment share).
2. In the results pane, right-click the task sequence to which you want to add the MBAM client, and then click Properties.
3. On the Task Sequence tab of the task sequence’s Properties dialog box, click the Install Applications task sequence step.
This step is in the State Restore group. The task sequence editor adds the new task sequence step immediately after this step.
4. From the Add menu, click General, and then click Install Application.
5. Click the new Install Application task sequence step that you just added, then perform the following steps:
a. In the Name box, type Install the MBAM Client.
b. Click Install a single application, click Browse, click the MBAM client application in the Select An Item dialog box, and then click OK.
c. Optionally, on the Options tab, select the Continue on error check box. Select this check box only if you want the task sequence to continue running if the MBAM client fails to install during operating system deployment.
Click OK to close the task sequence’s Properties dialog box.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 48
Step 6: Configure MDT BitLocker-related settings Define the following MDT properties in the CustomSettings.ini file or the MDT database (MDT DB):
Required:
o BDEInstallSuppress=NO
o OSDBitLockerMode=TPM
Optional:
o BDEDriveLetter
o BDEDriveSize
o TPMOwnerPassword
For more information these MDT properties, see the corresponding sections in the MDT document Toolkit Reference.
Step 7: Add a task sequence step to pre-provision BitLocker for the MBAM client Disable the existing Enable BitLocker (Offline) step in the Preinstall Phase. Then, add a new step to run the script ZTIPrepareBDE.wsf, which pre-provisions BitLocker and is compatible with MBAM. For more information, see the section “TPM and BitLocker pre-provisioning,” earlier in this guide.
Step 8: Add a task sequence step to immediately start encryption by using the MBAM client Disable the existing Enable BitLocker step in the State Restore Phase. Then, add a new step to run the script StartMBAMEncryption.wsf, which starts MBAM encryption immediately to report the recovery key to the MBAM service end point. For more information, see the section “TPM and BitLocker pre-provisioning,” earlier in this guide.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 49
Zero Touch Installation and User-Driven Installation in MDT 2013
You can deploy the MBAM client by using the application model in System Center 2012 R2 Configuration Manager. You create applications in the Applications node of the Configuration Manager console. By using System Center 2012 R2 Configuration Manager, you can use a single deployment tool to install the MBAM client on existing computers as well as during operating system deployment:
Deployment to existing computers. This method deploys the MBAM client to targeted computers that already exist or deploys the MBAM client immediately after operating system deployment is complete. The advantage of this method is that it covers both scenarios (existing computers and new computers). This process will be discussed in the section, System Center 2012 R2 Configuration Manager Application Model.
Installation during operating system deployment. This method installs the MBAM client during operating system deployment so that the agent is immediately available. The benefit of this method is that the encryption can be started or completed before users receive their device, and the device is protected before the user starts it for the first time. After you create the application in the Configuration Manager console, simply add an Install Application step to the operating system deployment task sequence. This process is discussed in this section.
You can deploy the MBAM client during operating system deployment by using the Zero Touch Installation (ZTI) and User-Driven Installation (UDI) processes in MDT. You do this by adding the client installation files as an application, and then adding an Install Application step for the agent to your existing operating system deployment task sequences.
By installing the MBAM client as part of the operating system deployment task sequence, ZTI and UDI install the client automatically, which ensures that that the encryption is started or completed before users receive their device and the device is protected before users starts it for the first time.. The MBAM client will be ready for use before users log on to the device for the first time.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 50
Windows 8.1 and Windows 8 include the BitLocker Used Disk Space Only encryption feature, which encrypts only the disk space currently in use instead of the entire disk volume. This feature dramatically reduces the time required to encrypt a volume. By default, MDT automatically performs Used Disk Space Only encryption to reduce deployment time
when enabling BitLocker for Windows 8. MDT does not support MBAM natively, however, but you can customize it to pre-provision and immediately start MBAM encryption in a task sequence. For more information, see the section “TPM and BitLocker pre-provisioning.”
The following tasks describe the steps necessary to complete each task:
1. Ensure that partitions on targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices.
3. Create and share a content folder for the MBAM client installation files.
4. Create a System Center 2012 R2 Configuration Manager application for the MBAM client installation.
5. Distribute the System Center 2012 R2 Configuration Manager application to the distribution points.
6. Deploy the System Center 2012 R2 Configuration Manager application to the targeted computers.
7. Add an Install Application step to your existing operating system task sequences.
8. Configure the MDT BitLocker-related configuration settings.
9. Pre-provision BitLocker for the MBAM client (ZTIPrepareBDE.wsf).
10. Start MBAM encryption immediately during tasks sequences (StartMBAMEncryption.wsf).
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 51
For more information about using MDT to install applications during operating system deployment, see the MDT documentation.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can use MBAM, you need to ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. For new devices or devices that are being replaced, MDT automatically creates the necessary partitions to support BitLocker. When refreshing an existing device, MDT automatically resizes and creates the necessary partitions to support BitLocker (if there is sufficient available disk space) after the operating system has been deployed in the State Restore group.
If you want ZTI and UDI to automatically create the appropriate partitions for the refresh device deployment scenario in ZTI and UDI, perform a replace device deployment scenario, and treat the existing device as the original and replacement device. In this way, you back up the user state from the device, wipe the device, deploy the operating system, and then restore the user state to the device. Ensure that you store the user state in a network shared folder or in local storage on a disk other than where the operating system will be deployed.
Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even different across models within a device manufacturer.
By default, ZTI and UDI task sequences perform BitLocker pre-provisioning for new device and replace device deployment scenarios. BitLocker pre-provisioning occurs while the target device is running Windows PE in the Preinstall phase of the task sequence. If the scripts or software for enabling the TPM can:
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 52
Run in Windows PE, then you can support BitLocker pre-provisioning
Run only in a Windows operating system, you must either:
Manually enable the TPM to support BitLocker pre-provisioning
Forgo BitLocker pre-provisioning and encrypt after the operating system is deployed but still as a part of the task sequence
If you want to use BitLocker pre-provisioning for the refresh device deployment scenario for ZTI and UDI, perform a replace device deployment scenario, and treat the existing device as the original and replacement device. In this way, you back up the user state from the device, wipe the device, deploy the operating system, and then restore the user state to the device. Ensure that you store the user state in a network shared folder or in local storage on a disk other than where the operating system will be deployed.
For more information on the TPM and BitLocker pre-provisioning, see “TPM and BitLocker pre- provisioning.”
To automatically enable the TPM and support BitLocker pre-provisioning by using scripts or software that can run in Windows PE
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create an application that contains the software in the previous step.
3. Install the application by using the Install Application task sequence step.
Place the Install Application task sequence step in the Preinstall group immediately before the Pre-provision BitLocker task sequence step.
To automatically enable the TPM by using scripts or software that can run only in a Windows operating system (no BitLocker pre-provisioning support)
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 53
2. Create an application that contains the software in the previous step.
3. Install the application created in the previous step by using the Install Application task sequence step.
Place the Install Application task sequence step in the State Restore group.
Step 3: Share the installation content When you create a System Center 2012 R2 Configuration Manager application, you must specify a source for the application content. The source must be a network share that is accessible to System Center 2012 R2 Configuration Manager, because System Center 2012 R2 Configuration Manager uses the contents of the source folder to create the application.
To create and share a folder for the MBAM client installation content
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_ Setup, as Table 12 describes.
To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.
Table 12. NTFS file system permissions for the MBAM client setup folder
Account Permissions Applies to
Administrators Full control This folder, subfolders, and files
Site_Server_Account Read and This folder, subfolders, and files Execute
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 54
3. Share the folder MBAM_Client_Setup by using the permissions that Table 13 describes. To configure share permissions, right-click the folder, click Properties, and then click the Sharing tab.
Table 13. Share permissions for the MBAM client setup folder
Account Permissions
Administrators Full control
Site_Server_Account Full control
4. Copy the contents of the MBAM\Installers\2.5 folder from the MBAM distribution media to \\SERVER\MBAM Client Setup.
The MBAM\Installers\2.5 folder includes the x64 and x86 folders, which contain the 64- bit and 32-bit versions of the MBAM client, respectively. Copy the entire contents of the folder so that both versions are available for deployment.
Step 4: Create the MBAM client application When you create a System Center 2012 R2 Configuration Manager application, you must specify the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM client, MBAMClient.msi requires less effort because of automatic detection of product codes and other application settings. Creating applications in System Center 2012 R2 Configuration Manager is based on MSI files, which:
Allow System Center 2012 R2 Configuration Manager to detect whether the application is already installed
Use a well-known System Center 2012 R2 Configuration Manager deployment type
Simplify the ongoing management of the MBAM client by simplifying updates
To create the MBAM client application in System Center 2012 R2 Configuration Manager
1. In the Configuration Manager console, click the Software Library workspace.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 55
2. In the Software Library workspace, click Applications in Overview\Application Management.
3. In the Create group on the Ribbon, click Create Application.
4. Complete each page of the Create Application Wizard:
Page Steps
General 1. Click Manually specify the application information.
2. Click Next.
General: General 1. In the Name box, type MBAM Client. Information 2. Select the Allow this application to be installed from the Install Application task sequence action without being deployed check box.
Selecting this check box allows you to use task sequence variables to install the MBAM client.
3. Click Next.
The remaining text boxes on this page are optional and informational. Although they do not affect the deployment of the MBAM client, completing them can prove useful later when you are maintaining the deployment share.
General: 1. Click Next. Application Catalog The text boxes on this page are optional and prompt for information that you want to display in the application catalog. However, this deployment guide recommends that you hide the MBAM client from the application catalog.
General: 1. Click Add to add a deployment type for the 64-bit version of
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 56
Page Steps
Deployment Types the MBAM client (MBAMClient.msi in the MBAM\Installers\2.5\x64 folder).
2. On the General page of the Create Deployment Type Wizard, click Browse, open MBAMClient.msi from the location in which you shared the installation sources (e.g., \\SERVER\MBAM_Client_Setup), and then click Next.
3. On the Import Information page of the Create Deployment Type Wizard, click Next.
4. On the General Information page of the Create Deployment Type Wizard, perform the following steps:
a. In the Name box, append x64 to the end of the name for easier identification later.
b. In the Installation program box, add /q to the end of the command.
c. Click Next.
5. On the Requirements page of the Create Deployment Type Wizard, perform the following steps:
a. Click Add.
b. Click Operating system in the Condition list.
c. In the operating system list, select All Windows 7 (64-bit), All Windows 8 (64-bit), and All Windows 8.1 (64-bit). (Select the 64-bit operating systems that you want to support.)
d. Click OK.
e. Click Next.
6. On the Dependencies page of the Create Deployment Type Wizard, click Next.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 57
Page Steps
7. On the Summary page of the Create Deployment Type Wizard, review the deployment type details, and then click Next.
8. On the Completion page of the Create Deployment Type Wizard, click Close.
9. Repeat steps 1 through 8 on this page for the 32-bit version of the MBAM client (MBAMClient.msi in the MBAM\Installers\2.5\x86), and then click Next.
Summary 1. In the Details area, review the information that the Create Application Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Create Application Wizard while it creates the application.
Completion 1. Verify that the Create Application Wizard finished successfully, and then click Close.
Step 5: Distribute the MBAM client application After creating the MBAM client application in System Center 2012 R2 Configuration Manager, you must distribute the application content to your distribution points. Targeted computers will install the MBAM client from the distribution points. You use the Distribute Content Wizard in the Configuration Manager console to distribute the MBAM client application.
To distribute the MBAM client System Center 2012 R2 Configuration Manager application
1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Distribute Content.
3. Complete each page of the Distribute Content Wizard:
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 58
Page Steps
General 1. Click Next.
General: Content 1. Click Next.
General: Content 1. Click Add, and then click Distribution Point. Destination 2. In the Add Distribution Points dialog box, select the distribution points to which you want to distribute the MBAM client installation content, and then click OK.
3. Click Next.
Summary 1. In the Details area, review the information that the Distribute Content Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Distribute Content Wizard while it distributes the MBAM client installation content.
Completion 1. Verify that the Distribute Content Wizard finished successfully, and then click Close.
After completing the Distribute Content Wizard, verify successful distribution of the installation content before continuing to deploy the MBAM client application. To do so, click Refresh in the Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution status on the Summary tab at the bottom. When the content status shows that content distribution is successful, you can deploy the MBAM client application.
Step 6: Deploy the MBAM client application You can deploy the MBAM client application to users or devices. Because the agent is computer- centric, Microsoft recommends that you deploy it to computer collections—not user collections.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 59
You use the Deploy Software Wizard in the Configuration Manager console to deploy the MBAM client application after you have successfully distributed it.
To deploy the MBAM client System Center 2012 R2 Configuration Manager application
1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Deploy.
3. Complete each page of the Deploy Software Wizard:
Page Steps
General 1. Click Browse next to the Collection box.
2. In the Select Collection dialog box, click Device Collections on the left side; on the right side, click a device collection to which you want to deploy the MBAM client, and then click OK.
3. Click Next.
You can choose one of the built-in collections or your own collection. For more information about creating collections in System Center 2012 R2 Configuration Manager, see the TechNet article, How to Create Collections in Configuration Manager.
Content 1. Click Next.
Deployment 1. In the Purpose list, click Required. Settings 2. Click Next.
Selecting Required in the Purpose list forces installation of the MBAM client application on targeted computers. System Center 2012 R2 Configuration Manager also reinstalls the agent if users remove it.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 60
Page Steps
Scheduling 1. Click Next.
User Experience 1. In the User notifications list, click Hide in Software Center and all notifications.
2. Click Next.
Selecting Hide in Software Center and all notifications prevents System Center 2012 R2 Configuration Manager from notifying users about the installation of the MBAM client. This recommended setting prevents any user interaction or interference with deployment.
Alerts 1. Click Next.
Summary 1. In the Details area, review the information that the Deploy Software Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Deploy Software Wizard while it deploys the MBAM client application.
Completion 1. Verify that the Deploy Software Wizard finished successfully, and then click Close.
Step 7: Edit task sequences Install the MBAM client application during operating system deployment by adding the MBAM client application to existing task sequences. In this way, you can install the client automatically, with no interaction or interference from users. Doing so helps to ensure that the MBAM client is available immediately, before users log on to the computer.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 61
To install the MBAM client in a System Center 2012 R2 Configuration Manager task sequence
1. In the Configuration Manager console, click the Software Library workspace.
2. In the Software Library workspace, click Task Sequences in Overview\Operating Systems.
3. In the results pane, right-click the task sequence to which you want to add the MBAM client, and then click Edit.
4. Click the Install Applications group under the State Restore group. The task sequence editor adds the new step in this group.
5. From the Add menu, click General, and then click Install Application.
6. Click the new Install Application task sequence step that you just added, then perform the following steps:
a. In the Name box, type Install the MBAM Client.
b. Click New (the button that looks like a star), click the MBAM client application in the Select The Application To Install dialog box, and then click OK.
c. Optionally, on the Options tab, select the Continue on error check box.
Select this check only if you want the task sequence to continue running if the MBAM Client fails to install during operating system deployment.
7. Click OK to close the Task Sequence Editor dialog box.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 62
Step 8: Configure MDT BitLocker-related settings Define the following MDT properties in the CustomSettings.ini file or the MDT database (MDT DB):
Required:
o BDEInstallSuppress=NO
o OSDBitLockerMode=TPM
Optional:
o BDEDriveLetter
o BDEDriveSize
o TPMOwnerPassword
For more information on these MDT properties, see the corresponding sections in the MDT document Toolkit Reference.
Step 9: Add a task sequence step to pre-provision BitLocker for the MBAM client Disable the existing Pre-provision BitLocker step in the Preinstall phase. Then, add a new step to run the script ZTIPrepareBDE.wsf, which pre-provisions BitLocker and is compatible with MBAM. For more information, see the section “TPM and BitLocker pre-provisioning,” earlier in this guide.
Step 10: Add a task sequence step to immediately start encryption by using the MBAM client Disable the existing Enable BitLocker step in the State Restore Phase. Then, add a new step to run the script StartMBAMEncryption.wsf, which starts MBAM encryption immediately to report the recovery key to the MBAM service end point. For more information, see the section “TPM and BitLocker pre-provisioning,” earlier in this guide.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 63
System Center 2012 R2 Configuration Manager Application Model
You can deploy the MBAM client by using the application model in System Center 2012 R2 Configuration Manager. You create applications in the Applications node of the Configuration Manager console. By using System Center 2012 R2 Configuration Manager, you can use a single deployment tool to install the MBAM client on existing computers as well as during operating system deployment:
Deployment to existing computers. This method deploys the MBAM client to targeted computers that already exist or deploys the MBAM client immediately after operating system deployment is complete. The advantage of this method is that it covers both scenarios (existing computers and new computers). This process is discussed in this section.
Installation during operating system deployment. This method installs the MBAM client during operating system deployment so that the agent is immediately available. The benefit of this method is that the encryption can be started or completed before users receive their device, and the device is protected before the user starts it for the first time. After you create the application in the Configuration Manager console, simply add an Install Application step to the operating system deployment task sequence. This process was discussed in the section, Zero Touch Installation and User-Driven Installation in MDT 2013.
You can also deploy the MBAM client by using the package and program feature in System Center Configuration Manager 2007. For more information on how to deploy software using the package and program feature, see Tasks for Software Distribution.
The following sections describe the steps necessary to complete each task in the Configuration Manager console:
1. Ensure that the partitions on the targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices (if not already enabled).
3. Create and share a content folder for the MBAM client installation files.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 64
4. Create a System Center 2012 R2 Configuration Manager application for the MBAM client installation.
5. Distribute the System Center 2012 R2 Configuration Manager application to the distribution points.
6. Deploy the System Center 2012 R2 Configuration Manager application to the targeted computers.
You can automate the steps listed above by creating a custom System Center Configuration Manager task sequence. For more information, see the section, “To create a custom task sequence,” in the TechNet article How to Create Task Sequences.
For more information about using System Center 2012 R2 Configuration Manager to deploy applications, see the Microsoft TechNet article, System Center Technical Resources.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can enable with MBAM, ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. Because this section focuses on deploying the MBAM client on existing devices, the deployment is always performed on devices where the operating system has been deployed. Ensure that the partitions on the targeted devices are configured properly for BitLocker deployment as described in the section, BitLocker partition configuration requirements in this guide.
If the partitions on a targeted device are not configured properly for BitLocker deployment, consider refreshing the operating system on the device to create the proper partitions. For more information, see the
section “Lite Touch Installation in MDT 2013” or “Zero Touch Installation and User-Driven Installation in MDT 2013.”
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 65
Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on the devices. You can manually enable the TPM on the targeted devices or automate enabling the TPM on the targeted devices by using scripts or software. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even different across models within a device manufacturer.
To automatically enable the TPM by using scripts or software
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create a System Center 2012 R2 Configuration Manager application that contains the software in the previous step.
3. Distribute the application to the distribution points.
4. Deploy the application to the appropriate user or device collections.
Step 3: Share the installation content When you create a System Center 2012 R2 Configuration Manager application, you must specify a source for the application content. The source must be a network share that is accessible to System Center 2012 R2 Configuration Manager, because System Center 2012 R2 Configuration Manager uses the contents of the source folder to create the application.
To create and share a folder for the MBAM client installation content
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_ Setup, as Table 14 describes.
To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 66
Table 14. NTFS file system permissions for the MBAM client setup folder
Account Permissions Applies to
Administrators Full control This folder, subfolders, and files
Site_Server_Account Read and This folder, subfolders, and files Execute
3. Share the folder MBAM_Client_Setup by using the permissions that Table 15 describes. To configure share permissions, right-click the folder, click Properties, and then click the Sharing tab.
Table 15. Share permissions for the MBAM client setup folder
Account Permissions
Administrators Full control
Site_Server_Account Full control
4. Copy the contents of the MBAM\Installers\2.5 folder structure from the MBAM distribution media to \\SERVER\MBAM Client Setup.
The MBAM\Installers\2.5 folder includes the x64 and x86 folders, which contain the 64- bit and 32-bit versions of the MBAM client, respectively. Copy the entire contents of the folder so that both versions are available for deployment.
Step 4: Create the MBAM client application When you create a System Center 2012 R2 Configuration Manager application, you must specify the command that installs it. Although you could run MbamClientSetup.exe to install the MBAM client, MBAMClient.msi requires less effort because of automatic detection of product codes and
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 67
other application settings. Creating applications in System Center 2012 R2 Configuration Manager is based on MSI files, which:
Allow System Center 2012 R2 Configuration Manager to detect whether the application is already installed
Use a well-known System Center 2012 R2 Configuration Manager deployment type
Simplify the ongoing management of the MBAM client by simplifying updates
To create the MBAM client application in System Center 2012 R2 Configuration Manager
1. In the Configuration Manager console, click the Software Library workspace.
2. In the Software Library workspace, click Applications in Overview\Application Management.
3. In the Create group on the Ribbon, click Create Application.
4. Complete each page of the Create Application Wizard:
Page Steps
General 1. Click Manually specify the application information.
2. Click Next.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 68
Page Steps
General: General 1. In the Name box, type MBAM Client. Information 2. Select the Allow this application to be installed from the Install Application task sequence action without being deployed check box.
Selecting this check box allows you to use task sequence variables to install the MBAM client.
3. Click Next.
The remaining text boxes on this page are optional and informational. Although they do not affect the deployment of the MBAM client, completing them can prove useful later when you are maintaining the deployment share.
General: 1. Click Next. Application Catalog The text boxes on this page are optional and prompt for information that you want to display in the application catalog. However, this deployment guide recommends that you hide the MBAM client from the application catalog.
General: 1. Click Add to add a deployment type for the 64-bit version of Deployment Types the MBAM client (MBAMClient.msi in the MBAM\Installers\2.5\x64 folder).
2. On the General page of the Create Deployment Type Wizard, click Browse, open MBAMClient.msi from the location in which you shared the installation sources (e.g., \\SERVER\MBAM_Client_Setup), and then click Next.
3. On the Import Information page of the Create Deployment Type Wizard, click Next.
4. On the General Information page of the Create
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 69
Page Steps
Deployment Type Wizard, perform the following steps:
a. In the Name box, append x64 to the end of the name for easier identification later.
b. In the Installation program box, add /q to the end of the command.
c. Click Next.
5. On the Requirements page of the Create Deployment Type Wizard, perform the following steps:
a. Click Add.
b. Click Operating system in the Condition list.
c. In the operating system list, select All Windows 7 (64-bit), All Windows 8 (64-bit), and All Windows 8.1 (64-bit). (Select the 64-bit operating systems that you want to support.)
d. Click OK.
e. Click Next.
6. On the Dependencies page of the Create Deployment Type Wizard, click Next.
7. On the Summary page of the Create Deployment Type Wizard, review the deployment type details, and then click Next.
8. On the Completion page of the Create Deployment Type Wizard, click Close.
9. Repeat steps 1 through 8 on this page for the 32-bit version of the MBAM client (MBAM\Installers\2.5\x86), and then click Next.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 70
Page Steps
Summary 1. In the Details area, review the information that the Create Application Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Create Application Wizard while it creates the application.
Completion 1. Verify that the Create Application Wizard finished successfully, and then click Close.
If you decided to automatically enable the TPM by using a script or software in Step 2: Enable the TPM on targeted devices, make certain you set the application created in that step as a dependency for the deployment type for the application created in this step. For more information on creating System Center 2012 R2 Configuration Manager application dependencies, see the section “Step 7: Specify Dependencies for the Deployment Type” in How to Create Applications in Configuration Manager on TechNet.
Step 5: Distribute the MBAM client application After creating the MBAM client application in System Center 2012 R2 Configuration Manager, you must distribute the application content to your distribution points. Targeted computers install the MBAM client from the distribution points. You use the Distribute Content Wizard in the Configuration Manager console to distribute the MBAM client application.
To distribute the MBAM client System Center 2012 R2 Configuration Manager application
1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Distribute Content.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 71
3. Complete each page of the Distribute Content Wizard:
Page Steps
General 1. Click Next.
General: Content 1. Click Next.
General: Content 1. Click Add, and then click Distribution Point. Destination 2. In the Add Distribution Points dialog box, select the distribution points to which you want to distribute the MBAM client installation content, and then click OK.
3. Click Next.
Summary 1. In the Details area, review the information that the Distribute Content Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Distribute Content Wizard while it distributes the MBAM client installation content.
Completion 1. Verify that the Distribute Content Wizard finished successfully, and then click Close.
After completing the Distribute Content Wizard, verify successful distribution of the installation content before continuing to deploy the MBAM client application. To do so, click Refresh in the Application area of the Ribbon. Click MBAM Client in the results pane to see the distribution status on the Summary tab at the bottom. When the content status shows that content distribution is successful, you can deploy the MBAM client application.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 72
Step 6: Deploy the MBAM client application You can deploy the MBAM client application to users or devices. Because the agent is computer- centric, Microsoft recommends that you deploy it to computer collections—not user collections. You use the Deploy Software Wizard in the Configuration Manager console to deploy the MBAM client application after you have successfully distributed it.
To deploy the MBAM client System Center 2012 R2 Configuration Manager application
1. In the results pane, click MBAM Client.
2. In the Deployment group on the Ribbon, click Deploy.
3. Complete each page of the Deploy Software Wizard:
Page Steps
General 1. Click Browse next to the Collection box.
2. In the Select Collection dialog box, click Device Collections on the left side; on the right side, click a device collection to which you want to deploy the MBAM client, and then click OK.
3. Click Next.
You can choose one of the built-in collections or your own collection. For more information about creating collections in System Center 2012 R2 Configuration Manager, see the TechNet article, How to Create Collections in Configuration Manager.
Content 1. Click Next.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 73
Page Steps
Deployment 1. In the Purpose list, click Required. Settings 2. Click Next.
Selecting Required in the Purpose list forces installation of the MBAM client application on targeted computers. System Center 2012 R2 Configuration Manager also reinstalls the agent if users remove it.
Scheduling 1. Click Next.
User Experience 1. In the User notifications list, click Hide in Software Center and all notifications.
2. Click Next.
Selecting Hide in Software Center and all notifications prevents System Center 2012 R2 Configuration Manager from notifying users about the installation of the MBAM client. This recommended setting prevents any user interaction or interference with deployment.
Alerts 1. Click Next.
Summary 1. In the Details area, review the information that the Deploy Software Wizard collected, and then click Next.
Progress 1. Monitor the progress of the Deploy Software Wizard while it deploys the MBAM client application.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 74
Page Steps
Completion 1. Verify that the Deploy Software Wizard finished successfully, and then click Close.
Scripted installation
If you do not use MDT or System Center 2012 R2 Configuration Manager to deploy applications in your environment and you do not want to use Group Policy software installation, you can script installation by using batch scripts, Windows PowerShell scripts, and so on. With this technique, you are essentially performing a command-line installation. You can use the same technique to install the MBAM client by using any non-Microsoft ESD system.
The following sections describe the steps necessary to complete each task:
1. Ensure that the partitions on the targeted devices are configured for BitLocker.
2. Enable the TPM on targeted devices (if not already enabled).
3. Create and share a folder containing the MBAM client installation files.
4. Run MbamClientSetup.exe from the network share containing the installation files.
Step 1: Ensure that partitions on targeted devices are configured for BitLocker Before you can use MBAM, you need to ensure that the partitions on the targeted devices are configured properly for BitLocker deployment. Because this section focuses on deploying the MBAM client on existing devices, the deployment is always performed on devices where the operating system has been deployed. Ensure that the partitions on the targeted devices are configured properly for BitLocker deployment as described in the section, BitLocker partition configuration requirements, in this guide.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 75
If the partitions on a targeted device are not configured properly for BitLocker deployment, consider refreshing the operating system on the device to create the proper partitions. For more information, see the
section “Lite Touch Installation in MDT 2013” or “Zero Touch Installation and User-Driven Installation in MDT 2013.”
Step 2: Enable the TPM on targeted devices Before you deploy the MBAM client to the targeted devices, enable the TPM on them. You can manually enable the TPM on the targeted devices or automate the process by using scripts or software. The scripts or software for enabling the TPM are different for each device manufacturer and sometimes even different across models within a device manufacturer.
To automatically enable the TPM by using scripts or software
1. Create a network shared folder that contains the vendor-specific software for enabling the TPM.
2. Create a batch file or script that runs the software in the previous step.
3. Ensure that you run the software to enable the TPM prior to running MbamClientSetup.exe and installing the MBAM client.
Step 3: Share the installation files Create a network share that contains the MBAM client installation files. This network share must be accessible to all computers on which you want to install the MBAM client. You can give Read access to the Domain Computers group or to the Authenticated Users group.
To create and share a folder for the MBAM client installation files
1. On SERVER, create MBAM_Client_Setup, where SERVER is the name of the file server and MBAM_Client_Setup is the name of the folder you are creating to contain the MBAM client installation files.
2. Configure NTFS file system permissions for the folder MBAM_Client_Setup, as Table 16 describes.
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 76
To configure NTFS file system permissions, right-click the folder, click Properties, and then click Advanced on the Security tab.
Table 16. NTFS file system permissions for the distribution folder
Account Permissions Applies to
Administrators Full control This folder, subfolders, and files
Authenticated Users Read and Execute This folder, subfolders, and files
3. Share the folder MBAM_Client_ Setup by using the permissions that Table 17 describes.
To configure share permissions, right-click the folder, click Properties, and then click the Sharing tab.
Table 17. Share permissions for the distribution folder
Account Permissions
Authenticated Users Read
4. Copy the contents of the MBAM\Installers\2.5 folder structure from the MBAM distribution media to \\SERVER\MBAM Client Setup.
The MBAM\Installers\2.5 folder includes the x64 and x86 folders, which contain the 64-bit and 32-bit versions of the MBAM client, respectively. Copy the entire contents of the folder so that both versions are available for deployment.
Step 4: Run MbamClientSetup.exe For a scripted installation, the command you use to install the MBAM client must include the /q command-line option to perform an unattended installation. This option runs MbamClientSetup.exe with no user interaction, as shown in the following example. If you do not
MBAM DEPLOYMENT GUIDE | DEPLOYING THE MBAM CLIENT 77
include this command-line option, the Setup program stalls the deployment process to wait for user interaction.
MbamClientSetup.exe /q
You must run the 64-bit or 32-bit version of MbamClientSetup.exe, based on the target operating system version.
MBAM DEPLOYMENT GUIDE | VALIDATING THE MBAM INFRASTRUCTURE 78
Validating the MBAM infrastructure
After deploying the MBAM server and client, verify that the MBAM infrastructure is working properly. You can validate the MBAM infrastructure by performing some common BitLocker management tasks in MBAM. For more information about how to perform BitLocker management tasks by using MBAM, see the section, “Performing BitLocker Management with MBAM 2.5,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
Use the MBAM Self-Service Portal to regain access to a device
Users can be prevented from accessing their BitLocker-enabled devices if they forget their password or PIN, changed operating system files, changed the BIOS, or changed the TPM. Users can regain access to their device without assistance from the help desk by using the MBAM Self- Service Portal.
To use the MBAM Self-Service Portal to regain access to a device
1. In Internet Explorer, browse to the MBAM Self-Service Portal (e.g., server\SelfService).
2. In Recovery Key ID, enter a minimum of eight digits from the 32-digit BitLocker Key ID displayed on the BitLocker recovery page of the inaccessible device.
3. In Reason, select a reason for the recovery key request, and then click Get Key.
The MBAM Self-Service Portal obtains and displays the 48-digit BitLocker recovery key in Your BitLocker Recovery Key.
4. Enter the 48-digit BitLocker recovery key on the BitLocker recovery page on the inaccessible device.
5. The device can now be successfully started.
For more information about how to regain access to a device by using the MBAM Self- Service Portal and other BitLocker management tasks that you can perform, see the section, “Performing BitLocker Management with MBAM 2.5,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
MBAM DEPLOYMENT GUIDE | VALIDATING THE MBAM INFRASTRUCTURE 79
Determine the BitLocker encryption state of lost or stolen devices
A common concern for most organizations is the loss or theft of a device that contains sensitive information. A BitLocker-protected device helps prevent unauthorized users from accessing the sensitive information on such a device. IT pros can determine which volumes on a device are protected and better assess the risk associated with the loss or theft of the device.
To determine the BitLocker encryption state of lost or stolen devices
1. In Internet Explorer, browse to the MBAM website (e.g., server\HelpDesk).
2. In the navigation pane, in the Report node, click Computer Compliance Report.
3. In the Device user or computer name box in the results pane, type a user or device’s name, and then click View Report.
Search results are shown in the list box below. Device protection is determined by the deployed BitLocker policies, which reflect the BitLocker encryption state of a device.
For more information about how to determine the BitLocker encryption state of a device by using MBAM and other BitLocker management tasks that you can perform by using MBAM, see the section, “Performing BitLocker Management with MBAM 2.5,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
MBAM DEPLOYMENT GUIDE | VALIDATING THE MBAM INFRASTRUCTURE 80
Use a help desk portal to reset a TPM lockout
Users can be prevented from accessing their BitLocker-enabled device if they enter an incorrect PIN too many times, which results in a TPM lockout. The number of times a user can enter an incorrect PIN before the TPM locks varies by manufacturer. You can help users regain access to their devices by using the MBAM Help Desk Portal to reset the TPM lockout.
You can reset a TPM lockout only if MBAM was used to initially provision the TPM. If the TPM was provisioned prior to MBAM deployment, the TPM data may be stored in AD DS if the appropriate Group Policy settings were configured and you cannot reset a TPM lockout by using MBAM.
To use the MBAM administration website to reset a TPM lockout
1. In Internet Explorer, browse to the MBAM administration website (e.g., server\HelpDesk).
2. In the navigation pane, click Manage TPM.
3. Enter the following information, and then click Submit:
Fully qualified domain name of the locked device
Computer name of the locked device
Windows logon domain for the user
User name of the user
Reason for requesting the TPM owner password file
The MBAM Help Desk Portal returns one of the following results:
The TPM owner password file for the device
A message indicating that no matching TPM owner password file was found
4. Click Save.
Doing so saves the TPM owner password file.
MBAM DEPLOYMENT GUIDE | VALIDATING THE MBAM INFRASTRUCTURE 81
5. Run the TPM management console, select the Reset TPM lockout option, and provide the TPM owner password file to reset the TPM lockout.
The TPM hash value and TPM owner password should only be used by authorized help desk and support personnel for the purpose of resolving a TPM lockout scenario. Microsoft does not recommend providing this information directly to users, because the TPM information does not change and could pose a security risk if the information does not remain secure.
For more information about how to reset a TPM lockout and other BitLocker management tasks that you can perform with MBAM, see the section, “Performing BitLocker Management with MBAM 2.5,” in the Microsoft BitLocker Administration and Monitoring 2.5 administrator’s guide.
MBAM DEPLOYMENT GUIDE | CONCLUSION 82
Conclusion
Deploying MBAM can be easy and requires minimal updates to your existing infrastructure. You can deploy the MBAM server components in a Stand-alone topology or, if you want to integrate with an existing System Center Configuration Manager infrastructure, a Configuration Manager Integration topology. In either case, you can evaluate MBAM on a single server or deploy the MBAM server components in your production environment on multiple servers so that you can scale to a size appropriate for your organization.
With the infrastructure in place, you can use highly automated processes such as Group Policy, MDT, System Center Configuration Manager, or scripted installation methods to deploy the MBAM client and provision BitLocker on user devices. From there, use the MBAM Group Policy template to provide ongoing management of the MBAM client.
Download MBAM today to evaluate its deployment in your organization. MBAM is part of MDOP, and MDOP is available to TechNet subscribers and MSDN subscribers. MDOP is also available for purchase if you have Software Assurance on Windows client (including Windows Intune subscribers).
For more information about MBAM, see:
The Microsoft Desktop Optimization Pack website to learn more about its business benefits
The Microsoft BitLocker Administration and Monitoring content on TechNet for technical information, including videos that provide an overview and demonstrate how to set up and configure MBAM