This document outlines how to install the Microsoft BitLocker Administration and Monitoring (MBAM) Client and enable BitLocker drive encryption using an Operating System Deployment (OSD) Task Sequence (TS) through System Center Configuration Manager (SCCM). These steps assume you have completed all MBAM Requirements in Support Article 103952.

How to install the MBAM Client on non-TPM Systems and pre-Enabled/Activated TPM Systems through an SCCM OSD Task Sequence

Prerequisites

  • The system must be running one of the supported OS configurations (103959)
  • The system must have the correct MBAM GPO applied via AD & Group Policy (103953)
  • The system must be joined to the IOWA domain during the Task Sequence
  • The system must install the SCCM Client during the Task Sequence

Creating and deploying the MBAM OSD Task Sequence

(For use with imaging and re-imaging of SCCM Clients only!)

  1. Copy an existing Departmental OSD Task Sequence or one of the existing Public OSD Task Sequences for a particular OS version.
     
  2. Add the Application "Public - MBAM Client (Only)" as an Application Install Step to the OSD Task Sequence:
     
    1. Create a new Install Application Step
    2. Select the "Public - MBAM Client (Only)" Application and click OK
    3. Click Apply and OK
  3. Deploy the Task Sequence to your OSD collection and monitor its progress until it completes the installation.
     
  4. That's it! Once the user logs in for the first time after the MBAM Client installs, they will see a Microsoft BitLocker Administration and Monitoring screen pop up, and they can kick off the encryption process or delay it up to one day.

Application Steps: Public - MBAM Client (Only)

  • Create System Partition
  • Clear Ownership of TPM (MBAM client takes ownership to store recovery keys)
  • Install MBAM Client
  • Initiate Encryption Process

Note 1: The MBAM client will either prompt the user to Postpone or Start the encryption process immediately after the first log in, or, if it is one day after the first client check-in to the MBAM Server, it will start the encryption process automatically. In the automatic case the user will only see an icon in the notification area (system tray) while the encryption process is running.

Note 2: For added security, ECM recommends that you set a BIOS password on the machine after the encryption process is complete.
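
To confirm that an imaged machine actually reached the state the application steps describe (client installed, policy applied, volume encrypted, recovery password protector present), a check like the following can be run on the client. This is an added example, not part of the original article or of MBAM itself; the service name `MBAMAgent` and the policy registry key are assumed to match a standard MBAM client install and MBAM GPO, and the function names are hypothetical.

```powershell
# Added example: post-deployment check for a machine imaged with the MBAM Task Sequence.
# Run from an elevated PowerShell session on the imaged client.
# Assumptions: the service name 'MBAMAgent' and the policy key below are those of a
# standard MBAM client install and MBAM GPO; adjust them if your environment differs.

function Get-MbamDeploymentState {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # Get-Tpm can fail on hardware without a TPM (the non-TPM case), so tolerate errors.
    $tpm    = try { Get-Tpm -ErrorAction Stop } catch { $null }
    $svc    = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    $policy = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    $vol    = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady         = [bool]($tpm -and $tpm.TpmReady)
        MbamAgentService = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        MbamPolicyFound  = $policy
        VolumeStatus     = "$($vol.VolumeStatus)"
        ProtectionStatus = "$($vol.ProtectionStatus)"
        EncryptedPercent = $vol.EncryptionPercentage
        KeyProtectors    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    }
}

function Get-MbamDeploymentIssue {
    # Emits one string per condition that differs from a finished deployment.
    param([Parameter(Mandatory)]$State)
    if ($State.MbamAgentService -ne 'Running') { "MBAM client service is $($State.MbamAgentService)" }
    if (-not $State.MbamPolicyFound) { 'MBAM Group Policy settings not found in the registry' }
    if ($State.VolumeStatus -ne 'FullyEncrypted') { "Volume is $($State.VolumeStatus) ($($State.EncryptedPercent)%)" }
    if ($State.ProtectionStatus -ne 'On') { 'BitLocker protection is not On' }
    if ($State.KeyProtectors -notcontains 'RecoveryPassword') { 'No recovery password protector on the volume' }
}

$state  = Get-MbamDeploymentState
$issues = @(Get-MbamDeploymentIssue -State $state)
$state | Format-List
if ($issues.Count) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'MBAM client running; OS volume fully encrypted and protected.'
}
```

A volume status of `EncryptionInProgress` is expected if the check runs before the encryption started at first log in has finished, so re-run it before setting the BIOS password described in Note 2.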


Article number: 104018
Last updated: May 23, 2016