

Planning for MBAM Client Deployment

With Microsoft BitLocker Administration and Monitoring (MBAM), you can encrypt a computer in your organization either before the end user receives the computer or afterward, by using Group Policy.

You can use one or both methods in your organization. By using both methods, you can improve compliance, reporting, and key recovery support.

Note

To review the MBAM client system requirements, see MBAM Supported Configurations.

Computer Encryption before Distribution to the User

In organizations where computers are received and configured centrally, you can encrypt each computer before any user data is written to it. The benefit of this process is that every computer is compliant from the start. This method does not rely on user action, because the administrator has already encrypted the computer. A key assumption for this scenario is that, by organizational policy, a corporate Windows image is installed before the computer is delivered to the user.

If your organization wants to use a Trusted Platform Module (TPM) to encrypt computers, the administrator adds this protector type by encrypting the operating system volume of the computer with the TPM protector. If your organization wants to use the TPM chip together with a PIN protector, the administrator encrypts the system volume with the TPM protector, and the user then selects a PIN the first time the user logs on. If your organization decides to use only the PIN protector, the administrator does not have to encrypt the volume first. When the user logs on, Microsoft BitLocker Administration and Monitoring prompts the user to provide a PIN, or a PIN and password, to be used on later computer restarts.

Note

The TPM protector option requires that the administrator must accept the BIOS prompt to activate and initialize the TPM before delivering the computer to the user.
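The pre-delivery flow described above, as an added example that is not part of this MBAM documentation: it uses the built-in Windows BitLocker cmdlets (Enable-BitLocker, Add-BitLockerKeyProtector, Get-BitLockerVolume, Get-Tpm) on the image-build station rather than the MBAM client, and it assumes an elevated PowerShell session, an operating system volume mounted at C:, and a TPM that the administrator has already activated and initialized. The recovery-password step stands in for the key escrow that MBAM performs into its own database.

```powershell
# Added example, not from the MBAM documentation or the MBAM client itself.
# Assumptions: elevated session, OS volume is C:, BitLocker cmdlets available.

# 1. Enforce the note above: refuse to encrypt unless the TPM is present and ready.
#    TpmReady is false when the TPM has not been activated/initialized yet.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; accept the BIOS prompt to activate and initialize it first."
}

# 2. Add a recovery password protector before enabling BitLocker, so a recovery key
#    exists from the first moment protection is on. Store its RecoveryPassword securely
#    (MBAM would escrow it into its database; here it is only returned to the caller).
$recovery = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector

# 3. Encrypt the OS volume with the TPM protector only. -UsedSpaceOnly keeps a freshly
#    imaged disk fast; -SkipHardwareTest skips the reboot-based hardware test
#    (assumption: this image and hardware combination was validated earlier).
Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest

# 4. Verify before the computer leaves the build station: protection must be On and a
#    Tpm protector plus a RecoveryPassword protector must be present.
$vol = Get-BitLockerVolume -MountPoint 'C:'
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
if ($vol.ProtectionStatus -ne 'On' -or ($vol.KeyProtector.KeyProtectorType -notcontains 'Tpm')) {
    throw "Volume C: is not protected by a TPM protector; do not deliver this computer."
}

# 5. TPM + PIN scenario: after delivery, adding a TpmAndPin protector replaces the
#    TPM-only protector. MBAM prompts the user for the PIN at first logon; with the
#    native cmdlets the equivalent step is:
#    $pin = Read-Host -AsSecureString 'Enter BitLocker PIN'
#    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

The check in step 4 is the one worth keeping in any build script: VolumeStatus alone is misleading while encryption is still in progress, so gate delivery on ProtectionStatus and on the protector types actually attached to the volume.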

Computer Encryption after Distribution to the User

By configuring and distributing Group Policy and the Microsoft BitLocker Administration and Monitoring client agent software, using either Active Directory Domain Services or an enterprise software distribution system, you cause users of Windows computers to be prompted to encrypt their computer. This lets Microsoft BitLocker Administration and Monitoring collect the required data, including the PIN and password, and then begin the encryption process.

Note

In this approach, the user is prompted to activate and initialize the TPM chip if it has not been previously activated.
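A readiness report for the post-distribution scenario, as an added example rather than MBAM's own code: run on a client after the agent and Group Policy have been distributed, it shows whether the user will be prompted to activate the TPM (TpmReady false) and whether the volume has reached a protected state yet. It assumes the built-in Get-Tpm and Get-BitLockerVolume cmdlets, an elevated session, and an OS volume at C:; the function name Get-EncryptionReadiness is hypothetical.

```powershell
# Added example, not from the MBAM documentation. Hypothetical helper that
# summarizes TPM and BitLocker state on one client for an encryption rollout.
function Get-EncryptionReadiness {
    param([string]$MountPoint = 'C:')

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = $tpm.TpmPresent
        # False here means the user will be prompted to activate/initialize the TPM.
        TpmReady         = $tpm.TpmReady
        VolumeStatus     = $vol.VolumeStatus        # e.g. FullyDecrypted, EncryptionInProgress, FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus    # Off until protectors are active
        ProtectorTypes   = ($vol.KeyProtector.KeyProtectorType -join ',')
        # Compliant only when protection is on and a TPM-based protector is attached.
        Compliant        = ($vol.ProtectionStatus -eq 'On' -and
                            ($vol.KeyProtector.KeyProtectorType -match '^Tpm').Count -gt 0)
    }
}

Get-EncryptionReadiness | Format-List
```

Collecting this object from many clients (for example through a remoting session or a logon script) gives a quick view of which computers are stalled at the TPM activation prompt versus which are still encrypting, without waiting for MBAM's own compliance reports to refresh.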

See Also

Tasks

Deploying the MBAM Client

Other Resources

Planning for MBAM