This document will outline how to install and enable Microsoft BitLocker Administration and Monitoring (MBAM) BitLocker drive encryption using an Operating System Deployment (OSD) Task Sequence (TS) through System Center Configuration Manager (SCCM).  These steps assume you have completed all MBAM Requirements on Support Article 103952.

Installing the MBAM Client and Enabling and Activating the TPM through a SCCM OSD Task Sequence

Prerequisites

  • The system must be one of the supported Hardware models (103972)
  • The system must have the correct MBAM GPO applied via AD & Group Policy (103953)
  • The system must be joined to the IOWA domain during the Task Sequence
  • The system must install the SCCM Client during the Task Sequence
  • If a BIOS password is set on the system it must be cleared before you deploy the Task Sequence.

Creating and deploying the MBAM OSD Task Sequence

(For use with imaging and re-imaging of SCCM Clients only!)

  1. Copy the Public - MBAM Task Sequence Steps (Application) Task Sequence to your Departmental Task Sequences Folder.
     
  2. Copy the MBAM Install - App Model Task Sequence Group from your Departmental copy of the Public - MBAM Task Sequence Steps (Application) Task Sequence and paste it at the end of your Departmental OSD Task Sequence for encrypted devices.
    Copy MBAM Install - App Model Task Sequence Group


     
  3. Deploy the Task Sequence to your OSD collection and monitor its progress until it completes the installation.
     
  4. That's it!  Once the user logs in for the first time after the MBAM Client installs they will see a Microsoft BitLocker Administration and Monitoring screen pop up and they can kick off the encryption process or delay it up to one day.

Application Steps: MBAM Client Installer

  1. Create System Partition
  2. Set Temporary BIOS Password
  3. Enable TPM Chip
  4. Activate TPM Chip
  5. Clear Ownership of TPM (MBAM client takes ownership to store recovery keys)
  6. Clear Temporary BIOS Password
  7. Install MBAM Client
  8. Initiate Encryption process

Note 1:  The MBAM Client Installer Steps 1 through 6 are evaluated to determine if they are needed to be run.  If they are run the system will reboot after each step that is run.

Note 2: On Windows 8.x systems even though the Application runs without any user interaction, the user may be prompted to hit the F10 or F12 key due to changes made to the TPM chip during the deployment of the MBAM Client.

Screenshot of BIOS prompt regarding TPM chip configuration change

Note 3: The MBAM client will start the encryption process immediately after the first Domain user logs in while connected to the University Network.  To verify that it is running look for the following system tray icon.  

Screenshot of MBAM encryption starting without GUI prompt

Note 4:  For added security ECM recommends that you set a BIOS password on the machine after the encryption process is complete.

Back to MBAM - SCCM Task Sequence (OSD)

Article number: 
103631
Last updated: 
May 23, 2016