BitLocker: Install MBAM
MBAM (Microsoft BitLocker Administration and Monitoring) can be installed using three methods. Use whichever method makes sense for your unit's security and desktop management practices.
This article applies to: BitLocker
Prerequisites
- Update the computer to the latest BIOS before beginning the encryption process.
- If the client computers have been previously encrypted, you must decrypt them before using any of these three processes. These processes will only work if the client computers are not currently encrypted with any other solution.
- Before you start any process, the device must be connected to Cornell Active Directory (AD), and the MBAM GPO Settings must be applied to the unit's OU. The GPO can be found here:
Group Policy Management\Forest\Domains\cornell.edu\Group Policy Objects\CU-MBAM
(Information from Microsoft on applying GPO settings)
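A read-only pre-flight check for the prerequisites and the power/network requirement used by all three methods, run from an elevated PowerShell prompt on the client. This is an added example, not part of the original article or of MBAM itself. The function name `Test-MbamPrerequisite` is hypothetical, and the registry key is the stock location where MBAM's policy template writes its settings, which is an assumption about how the CU-MBAM GPO is built.

```powershell
# Added example: read-only checks, nothing on the machine is changed.
function Test-MbamPrerequisite {
    param(
        # Domain name taken from the GPO path in the prerequisites.
        [string]$ExpectedDomainSuffix = 'cornell.edu'
    )
    $r = [ordered]@{}

    # Prerequisite: the device must be joined to AD.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r['DomainJoined'] = $cs.PartOfDomain -and ($cs.Domain -like "*$ExpectedDomainSuffix")

    # Prerequisite: the OS volume must not be encrypted already.
    # This only sees BitLocker; a third-party product needs its own check.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r['OsVolumeDecrypted'] = $os.VolumeStatus -eq 'FullyDecrypted'

    # Prerequisite: the MBAM GPO settings have reached this machine.
    # Assumption: the GPO uses the standard MBAM policy key below.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    $r['MbamPolicyPresent'] = Test-Path -Path $policyKey

    # Power: desktops return no Win32_Battery instance at all.
    # BatteryStatus 1, 4 and 5 mean the battery is discharging.
    $battery = @(Get-CimInstance -ClassName Win32_Battery)
    $draining = @($battery | Where-Object { $_.BatteryStatus -in 1, 4, 5 })
    $r['OnAcPower'] = $draining.Count -eq 0

    # Network: at least one physical Ethernet (802.3) adapter is up.
    $wired = @(Get-NetAdapter -Physical |
        Where-Object { $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq '802.3' })
    $r['WiredLinkUp'] = $wired.Count -gt 0

    [pscustomobject]$r
}

$check = Test-MbamPrerequisite
$check | Format-List
if ($check.PSObject.Properties.Value -contains $false) {
    Write-Warning 'One or more MBAM prerequisites are not met; fix them before installing.'
}
```

If `MbamPolicyPresent` is false on a machine that is already in the right OU, run `gpupdate /force` and check again before starting any of the install methods.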
Install via MBAM Task Sequence found in CM2012
This Task Sequence provides a largely hands-off process, which usually completes in about 20 minutes.
Client computers should be connected to power (not battery) and connected via Ethernet (not running over Wi-Fi).
- Make sure the prerequisites have been met.
- Copy the Task Sequence found in SoftwareLibrary\Operating Systems\Task Sequences\MD\Production\MBAM\ and deploy it to a collection of your choice. (See our Work with a Task Sequence page for more information on this step.)
- Once deployed to a collection, the Task Sequence can be run from Software Center on the computer requiring encryption.
Install via MBAM Application found in CM2012
Client computers should be connected to power (not battery) and connected via Ethernet (not running over Wi-Fi).
First - Meet Prerequisites
Second - Deploy Application
Using CM2012, copy and deploy (or just deploy) the application into the desired Collection:
Software Library\ApplicationManagement\Applications\MD\MBAM\MD –MBAM 2.5 SP1 –New Client Installation - Production
Third - Update BIOS
On each computer where the application is to be installed, boot into BIOS and do the following:
- Navigate to Security Settings, then TPM Security.
- Check all the checkboxes (the exact number of boxes and the wording of the text will depend on the computer's make and model).
- Make sure the radio button is set to Deactivate.
- Exit BIOS.
Fourth - Install
After the application has been deployed AND the BIOS options have been set, the application can be run from Software Center on the computer requiring encryption. The installer will re-partition the hard drive, then install the MBAM client. At this point you'll be prompted to re-boot.
After rebooting, at some point in the next 90 minutes, the MBAM client will contact the server. You can also force the MBAM client to contact the server immediately by running the batch file as an Administrator (the file found in the MBAM 2.5 SP1 Client\Install Client\ directory). Whether you wait or use the batch file, you'll be prompted to restart again.
On restart, you'll be prompted to press F10 to accept the TPM configuration changes.
BitLocker will begin the encryption process. When finished, you'll see an "Encryption complete" dialog box.
Install MBAM Manually
Client computers should be connected to power (not battery) and connected via Ethernet (not running over Wi-Fi).
Make sure the prerequisites have been met.
On each computer where the application is to be installed, boot into BIOS and do the following:
- Navigate to Security Settings, then TPM Security.
- Check all the checkboxes (the exact number of boxes and the wording of the text will depend on the computer's make and model).
- Make sure the radio button is set to Deactivate.
- Exit BIOS.
- Log in to the computer with a valid NetID or DOC account.
- Copy this directory to the machine's desktop: \\oitfs.c\Public\MBAM Standalone Installer\MBAM 2.5 SP1 Client
- In the MBAM 2.5 SP1 Client\Install Client\ directory, run as an Administrator.
- The hard drive will be re-partitioned, then you'll be prompted to reboot. On restart, you'll be prompted to press F10 to accept the TPM configuration change.
After rebooting, at some point in the next 90 minutes, the MBAM client will contact the server. You can also force the MBAM client to contact the server immediately by running the batch file as an Administrator (the file found in the MBAM 2.5 SP1 Client\Install Client\ directory). Whether you wait or use the batch file, you'll be prompted to restart again.
On restart, you'll be prompted to press F10 to accept the TPM configuration change.
BitLocker will begin the encryption process. When finished, you'll see an "Encryption complete" dialog box.