This document will outline how to install and enable Microsoft BitLocker Administration and Monitoring (MBAM) BitLocker drive encryption using an Application Deployment through System Center Configuration Manager (SCCM).  These steps assume you have completed all MBAM Requirements on Support Article 103952.

Installing the MBAM Client through a SCCM Application Software Deployment

(For use with existing SCCM Clients only!)

This is the recommend option for deploying the MBAM Client to existing systems that are in your Departmental MBAM Ready Laptop Collection.


  • The system must be joined to the IOWA domain
  • The system must have the SCCM Client installed
  • The system must be running one of the supported OS configurations (103959)
  • The system must have the correct MBAM GPO applied via AD & Group Policy (103953)

MBAM Client Application Deployment Steps

  • This Method may require reboots during the process.  Please schedule an appropriate time to deploy this to the End-User.
  1.  Deploy the Public - MBAM Client (Only) to your Departmental MBAM Ready Laptop Collection or another collection that is limited to your Departmental MBAM Ready Laptop Collection.
    Deploy Public-MBAM Client Only APplication
  2. That's it!  Once the user logs in for the first time after the MBAM Client installs they will see a Microsoft BitLocker Administration and Monitoring screen pop up and they can kick off the encryption process or delay it up to one day.

Application Steps:  Public - MBAM Client (Only)

  1. Create System Partition
  2. Clear Ownership of TPM (MBAM client takes ownership to store recovery keys)
  3. Install MBAM Client
  4. Initiate Encryption process

Note 1:  The Application Deployment Steps 1 through 2 are evaluated to determine if they are needed to be run.  If either of steps 1 and 2 need to run a reboot will be required to complete each step.

Note 2: The MBAM client will either prompt the user to Postpone or Start the encryption process immediately after the first log in…

Screenshot of MBAM Client GUI prompting to Postpone or start the encryption process

 …or it will automatically start the encryption process if it is one day after the first client check-in to the MBAM Server and the user will only see an icon in the notification area while the encryption process is running (system tray).

Screenshot of MBAM encryption starting without GUI prompt

Note 3:  For added security ECM recommends that you set a BIOS password on the machine after the encryption process is complete.

Back to MBAM - SCCM Deployment

Article number: 
Last updated: 
May 23, 2016