This document will outline how to install and enable MBAM BitLocker drive encryption manually on an existing computer system.  These steps assume you have completed all MBAM Requirements on Support Article 103952.

Prerequisites

  • The system must be joined to the IOWA domain
  • The system must have the SCCM Client installed
  • The system must be running one of the supported OS configurations (103959)

Preparing for the installation of the MBAM Client

Verify TPM Chip on Windows Workstations with a TPM Chip

If your system does not have a TPM Chip please proceed to Verify Disk Partition Setup

  1. First we must determine what state the TPM Chip is in.  An easy way to tell if the TPM chip is enabled on the machine is to check the device manager and look for a Security Devices section.

     
    arrow pointing to Trusted Platform Module 1.2

    If you see a Trusted Platform Module listed there, you have a TPM chip enabled on your system, although it may not necessarily be activated.  If you don't see one listed the TPM Chip is disabled.  To check the status of a disabled TPM Chip you need to check the BIOS of the system.
     
  2. Restart the machine and enter the System Setup or BIOS of the system.  How to do this varies from model to model so you may need to check with the manufacturer of the system.  On most Dell models you can get into the Setup by pressing the F2 key at the Dell splash screen when it is first booting up.
     
  3. Once you are in the BIOS, look for a Security section.  More specifically, look for TPM Security under the security section.  The actual location of these settings will vary from system to system.

    arrows pointing to security and TPM security

     
  4. If TPM Security is not enabled, as the above picture shows, check the box to enable it and click Apply.
     
  5. Once you click Apply some additional options should show up.  The number of options will vary from system to system but the constant one that we are looking for is an Activate button.  The default setting after you first turn it on is usually Deactivate.  Change this to Activate and click Apply.

    red arrows pointing to TPM security and activate

     
  6. Once TPM security is turned on and activated, exit out of the BIOS setup, saving any changes if prompted.
     
  7. When the machine reboots, login and check the Device Manager.  You should now see the Trusted Platform Module pictured in step 1. 
    Note:  MBAM requires a TPM chip of at least version 1.2 or higher.  If it is lower than 1.2 you will not be able to use MBAM with TPM Security.
     
  8. This step applies only to Windows 8 and Windows 8.1.  If you are using Windows 7 skip to Verify Disk Partition Setup.  Windows 8.x has an auto-provisioning feature that automatically takes ownership of the TPM chip.  Since we want MBAM to take ownership of the TPM we need to shut auto-provisioning off which we can do through a PowerShell script.  You can download the script from the ITS Software Download page under the MBAM section here: https://helpdesk.its.uiowa.edu/software/download/mbam/default.htm  Since the file is a .zip file, unzip it, and locate the MBAMownTPM-win8 Manual.ps1 file.  Right-click on the file and select Run with PowerShell.  If you get a Open file – Security warning box click Open.  If you get a User Account Control box, click Yes
     
  9. Reboot the machine.  When it comes back up you may be prompted to hit the F10 or F12 key due to changes made to the TPM chip.  Hit the appropriate key to continue.

    TPM Ownership Change
  10. That's it!  Your TPM chip is now owned by the MBAM Client.  Please proceed to Verify Disk Partition Setup.

Verify Disk Partition Setup

One of the requirements for setting up BitLocker on a computer is that the hard drive must have at least two partitions.  Most Windows 7 and Windows 8 installations will have these two partitions by default, one being the System partition and the other being the Operating System partition.  However, on rare occasions depending on how the Operating System was installed, you may encounter a computer that only has one partition. 

To check this do the following steps

  • On Windows 7 systems:
    • Click the Start button, right-click on Computer, and select Manage.
    • Then in the left hand pane, under Storage, click on Disk Management.
       
  • On Windows 8.1 systems:
    • Press the Windows key on the keyboard and the X key together and select Computer Management. 
    • Then in the left hand pane, under Storage, click on Disk Management.

Example of a Drive with a Single Partition

1 Partition

Example of a Drive with Two Partitions

Two partitions

How to create a second partition if it does not exist

If your hard drive only has one partition you can create the extra partition required for BitLocker using the BitLocker Drive Preparation Tool.  This is a command line utility built into Windows. 

  1. Open an administrative command prompt (right-click and choose Run as administrator) and type: Bdehdcfg.exe –target default
     
  2. Press Enter
    Disk utility for creating two partitions

     
  3. After the command completes you should see two partitions in Disk Management.

     
  4. Restart your system
  5. That’s it!  Your hard drive is now prepared for BitLocker drive encryption.  Please proceed to Verify Group Policy Setup

Verify Group Policy Setup

The MBAM Client requires a Domain Group Policy to function correctly.  We need to verify that the system you are working on is receiving the correct Group Policy in regards to whether it has a TPM Chip or not.  If the system you are working on has a TPM chip it needs to receive a Domain Group Policy that is or is based off of the _Public-MBAM (TPM Only) Group Policy.  If the system you are working on does not have a TPM chip it needs to receive a Domain Group Policy that is or is based off of the _Public-MBAM (non-TPM) Group Policy.

  1. Open up a command prompt as an Administrator.
     
  2. Type in gpresult /h c:\gpresult.html

    CMD - GPresult command

     
  3. Open the gpresult.html file using Internet Explorer
     
  4. Look for your Departments MBAM GPOs in the Applied and Denied GPOs list and verify you are receiving the correct one based on whether you have a TPM Chip or not.

    MBAM GPResults
  5. If the correct MBAM GPO is applied proceed to the Install MBAM Client section.  If the incorrect MBAM GPO is applied or no MBAM GPO is applied please talk to your Departmental Windows Systems Administrators to get the correct MBAM GPO applied to the system you are working on.

Install the MBAM Client

This section will walk you through downloading and installing the MBAM Client on the system you are working on.

  1. Log in and install the MBAM client located on the ITS Software Download site:  https://helpdesk.its.uiowa.edu/software/download/mbam/default.htm
     
  2. Restart the computer
     
  3. That's it!  Log in and in a few minutes you should see a Microsoft BitLocker Administration and Monitoring screen pop up and you can then begin encrypting the drive

    BitLocker drive encryption is required to help secure the data on drive C:
     

Note:  For added security ECM recommends that you set a BIOS password on the machine after the encryption process is complete.

How to setup MBAM for a Department

Article number: 
103277
Last updated: 
May 23, 2016