This document will outline how to install and enable Microsoft BitLocker Administration and Monitoring (MBAM) BitLocker drive encryption along with Enabling and Activating the TPM using an Application Deployment through System Center Configuration Manager (SCCM).  These steps assume you have completed all MBAM Requirements on Support Article 103952.

Installing the MBAM Client and Enabling and Activating the TPM through a SCCM Application Software Deployment

(For use with existing SCCM Clients only!)

This is the recommended option for deploying the MBAM Client to existing systems that are in your Departmental MBAM Not Ready Laptop Collection.


  • The system must be joined to the IOWA domain
  • The system must have the SCCM Client installed
  • The system BIOS Password must not be set
  • The system must be running one of the supported OS configurations (103959)
  • The system must be one of the supported Hardware models (103972)
  • The system must have the correct MBAM GPO applied via AD & Group Policy (103953)

MBAM Client and TPM Enable/Activate Deployment Steps

  • This Method requires reboots during the process.  Please schedule an appropriate time to deploy this to the End-User.
  • ECM Recommends deploying this application while a Local IT Support Consultant is available to monitor the progress of the BIOS changes
  1. Deploy the Public - MBAM Client (TPM Enable) to your Departmental MBAM Not Ready Laptop Collection or another collection that is limited to your Departmental MBAM Not Ready Laptop Collection.
    Deploy Public-MBAM Client TPM Enable Application
  2. That's it!  Once the user logs in for the first time after the MBAM Client installs they will see a Microsoft BitLocker Administration and Monitoring screen pop up and they can kick off the encryption process or delay it up to one day.

Application Steps:  Public - MBAM Client (Enable TPM)

  1. Create System Partition
  2. Set Temporary BIOS Password
  3. Enable TPM Chip
  4. Activate TPM Chip
  5. Clear Ownership of TPM (MBAM client takes ownership to store recovery keys)
  6. Clear Temporary BIOS Password
  7. Install MBAM Client
  8. Initiate Encryption process

Note 1:  The Application Deployment Steps 1 through 6 are evaluated to determine if they are needed to be run.  If they are run the system will require a reboot after each step that is run.

Note 2: The MBAM client will either prompt the user to Postpone or Start the encryption process immediately after the first log in…

Screenshot of MBAM Client GUI prompting to Postpone or start the encryption process

 …or it will automatically start the encryption process if it is one day after the first client check-in to the MBAM Server and the user will only see an icon in the notification area while the encryption process is running (system tray).

Screenshot of MBAM encryption starting without GUI prompt

Note 3:  For added security ECM recommends that you set a BIOS password on the machine after the encryption process is complete.

Back to MBAM - SCCM Deployment

Article number: 
Last updated: 
May 23, 2016