Cornell University

BitLocker: Install MBAM

MBAM (Microsoft BitLocker Administration and Monitoring) can be installed using three methods. Use whichever method makes sense for your unit's security and desktop management practices.

This article applies to: BitLocker

Prerequisites

  1. Update the computer to the latest BIOS before beginning the encryption process.
  2. If the client computers have been previously encrypted, you must decrypt them before using any of these three processes. These processes will only work if the client computers are not currently encrypted with any other solution.
  3. Before you start any process, the device must be connected to Cornell Active Directory (AD), and the MBAM GPO Settings must be applied to the unit's OU. The GPO can be found here:

Group Policy Management\Forest\Domains\cornell.edu\Group Policy Objects\CU-MBAM

(Information from Microsoft on applying GPO settings)
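
A read-only pre-flight check for the prerequisites above, plus the power and Ethernet requirement that each install method states. This is an added example, not part of the original article or of the MBAM tooling. The function name `Test-MbamPrereq` is hypothetical, and the registry key used to detect the MBAM policy is an assumption about where the GPO values land on the client.

```powershell
# Added example: read-only pre-flight check; run in an elevated PowerShell session.
function Test-MbamPrereq {
    $checks = [ordered]@{}

    # Prerequisite 3: the device is joined to Active Directory.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $checks['DomainJoined'] = [bool]$cs.PartOfDomain

    # Prerequisite 3: MBAM GPO settings have reached the client.
    # Assumption: the MBAM policy values are written under this key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    $checks['MbamPolicyPresent'] = Test-Path -Path $policyKey

    # Prerequisite 2: nothing is encrypted yet. This only sees BitLocker;
    # third-party disk encryption has to be confirmed separately.
    $encrypted = @(Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })
    $checks['NoBitLockerVolumes'] = ($encrypted.Count -eq 0)

    # TPM is visible to Windows (the install steps configure it in BIOS).
    $checks['TpmPresent'] = [bool](Get-Tpm).TpmPresent

    # Power: no battery (desktop) or no battery reporting a discharging state.
    # Win32_Battery.BatteryStatus 1 = discharging, 4 = low, 5 = critical.
    $draining = @(Get-CimInstance -ClassName Win32_Battery |
        Where-Object { $_.BatteryStatus -in 1, 4, 5 })
    $checks['OnAcPower'] = ($draining.Count -eq 0)

    # Network: a wired adapter is up and no Wi-Fi adapter is connected.
    $up    = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
    $wired = @($up | Where-Object { $_.PhysicalMediaType -eq '802.3' })
    $wifi  = @($up | Where-Object { $_.PhysicalMediaType -like '*802.11*' })
    $checks['WiredOnly'] = ($wired.Count -gt 0 -and $wifi.Count -eq 0)

    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Domain      = $cs.Domain
        # Prerequisite 1: compare by hand against the vendor's latest release.
        BiosVersion = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion
        Checks      = [pscustomobject]$checks
        Failed      = $failed
        Ready       = ($failed.Count -eq 0)
    }
}

Test-MbamPrereq | Format-List
```

The function changes nothing on the client; any name listed in `Failed` should be resolved before starting one of the install methods.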

Install via MBAM Task Sequence found in CM2012

This Task Sequence provides a largely hands-off process, which usually completes in about 20 minutes.

Client computers should be connected to power (not battery) and connected via Ethernet (not running over Wi-Fi).

  1. Make sure the prerequisites have been met.
  2. Copy the Task Sequence found in SoftwareLibrary\Operating Systems\Task Sequences\MD\Production\MBAM\ and deploy it to a collection of your choice. (See our Work with a Task Sequence page for more information on this step.)
  3. Once deployed to a collection, the Task Sequence can be run from Software Center on the computer requiring encryption.

Install via MBAM Application found in CM2012

Client computers should be connected to power (not battery) and connected via Ethernet (not running over Wi-Fi).

First - Meet Prerequisites

Second - Deploy Application

Using CM2012, copy and deploy (or just deploy) the application into the desired Collection:

Software Library\ApplicationManagement\Applications\MD\MBAM\MD –MBAM 2.5 SP1 –New Client Installation - Production

Third - Update BIOS

On each computer where the application is to be installed, boot into BIOS and do the following:

  1. Navigate to Security Settings, then TPM Security.
  2. Check all the checkboxes (the exact number of boxes and the wording of the text will depend on the computer's make and model).
  3. Make sure the radio button is set to Deactivate.
  4. Exit BIOS.

Fourth - Install

After the application has been deployed AND the BIOS options have been set, the application can be run from Software Center on the computer requiring encryption. The installer will re-partition the hard drive, then install the MBAM client. At this point you'll be prompted to re-boot.

After rebooting, at some point in the next 90 minutes, the MBAM client will contact the server. You can also force the MBAM client to contact the server immediately by running the StartEncryption.bat batch file as an Administrator (the file is found in the MBAM 2.5 SP1 Client\Install Client\ directory).

Whether you wait or use the batch file, you'll be prompted to restart again.

On restart, you'll be prompted to press F10 to accept the TPM configuration changes. 

BitLocker will begin the encryption process. When finished, you'll see an "Encryption complete" dialog box.


Install MBAM Manually

Client computers should be connected to power (not battery) and connected via Ethernet (not running over Wi-Fi).

Make sure the prerequisites have been met.

On each computer where the application is to be installed, boot into BIOS and do the following:

  1. Navigate to Security Settings, then TPM Security.
  2. Check all the checkboxes (the exact number of boxes and the wording of the text will depend on the computer's make and model).
  3. Make sure the radio button is set to Deactivate.
  4. Exit BIOS.
  5. Log in to the computer with a valid NetID or DOC account.
  6. Copy this directory to the machine's desktop: \\oitfs.c\Public\MBAM Standalone Installer\MBAM 2.5 SP1 Client
  7. In the MBAM 2.5 SP1 Client\Install Client\ directory, run Deploy-Application.exe as an Administrator.
  8. The hard drive will be re-partitioned, then you'll be prompted to reboot. On restart, you'll be prompted to press F10 to accept the TPM configuration change.

After rebooting, at some point in the next 90 minutes, the MBAM client will contact the server. You can also force the MBAM client to contact the server immediately by running the StartEncryption.bat batch file as an Administrator (the file is found in the MBAM 2.5 SP1 Client\Install Client\ directory).

Whether you wait or use the batch file, you'll be prompted to restart again.

On restart, you'll be prompted to press F10 to accept the TPM configuration change.

BitLocker will begin the encryption process. When finished, you'll see an "Encryption complete" dialog box.
