How to Deploy the MBAM Client as Part of a Windows Deployment

Applies to: Microsoft BitLocker Administration and Monitoring 2.5

This topic explains how to deploy the MBAM Client on end-user computers before any user data is written to the computer. If computers have a Trusted Platform Module (TPM) chip, the MBAM Client can be integrated into an organization by enabling BitLocker Drive Encryption on client computers running Windows as part of the imaging and deployment process.

What to know or do before you start:

If the following condition is true... | Complete these steps

Condition: The TPM has already been auto-provisioned.

Steps: Follow the steps in Configuring MBAM to own the TPM and store OwnerAuth passwords before you complete the following procedure.

    These steps will enable MBAM to store TPM OwnerAuth passwords, which will make these passwords recoverable through the Administration and Monitoring Website (Help Desk).

Condition: Your organization is planning to use the Trusted Platform Module (TPM) protector or the TPM + PIN protector options in BitLocker.

Steps: Activate the TPM chip before the initial deployment of MBAM.

    When you activate the TPM chip, you avoid a reboot later in the process and ensure that the TPM chips are correctly configured according to the requirements of your organization. You must activate the TPM chip manually in the BIOS of the computer.

    Some vendors provide tools to turn on and activate the TPM chip in the BIOS from within the operating system. Refer to the manufacturer documentation for more details about how to configure the TPM chip.

Warning

The procedure in this topic describes how to modify the Windows registry. Using Registry Editor incorrectly can cause serious issues that can require you to reinstall Windows. We cannot guarantee that issues resulting from the incorrect use of Registry Editor can be resolved. Use Registry Editor at your own risk.

To encrypt data on client computers as part of Windows deployment

  1. Install the MBAM Client. For instructions, see How to Deploy the MBAM Client by Using a Command Line.

  2. Join the computer to a domain (recommended).

    • If the computer is not joined to a domain, the recovery password is not stored in the MBAM Key Recovery service. By default, MBAM does not allow encryption to occur unless the recovery key can be stored.

    • If a computer starts in recovery mode before the recovery key is stored on the MBAM Server, no recovery method is available, and the computer has to be reimaged.

  3. Open a command prompt as an administrator, and stop the MBAM service.

  4. Set the service to Manual or On demand by typing the following commands:

    net stop mbamagent

    sc config mbamagent start= demand

  5. Set the registry values so that the MBAM Client ignores the Group Policy settings and instead starts encryption at the time Windows is deployed to that client computer. To do this:

    1. To set the TPM for operating system drive only encryption, run Regedit.exe, and then import the registry key template from C:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg.

    2. In Regedit.exe, go to HKLM\SOFTWARE\Microsoft\MBAM, and configure the settings that are listed in the following table.

      Note
      You can set Group Policy settings or registry values related to MBAM here. These settings will override previously set values.

    Registry entry | Configuration settings

    DeploymentTime

        0 = Off

        1 = Use deployment time policy settings (default) – use this setting to enable encryption at the time Windows is deployed to the client computer.

    UseKeyRecoveryService

        0 = Do not use key escrow (the next two registry entries are not required in this case)

        1 = Use key escrow in Key Recovery system (default)

        This is the recommended setting, which enables MBAM to store the recovery keys. The computer must be able to communicate with the MBAM Key Recovery service. Verify that the computer can communicate with the service before you proceed.

    KeyRecoveryOptions

        0 = Uploads Recovery Key only

        1 = Uploads Recovery Key and Key Recovery Package (default)

    KeyRecoveryServiceEndPoint

        Set this value to the URL for the server running the Key Recovery service, for example, http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc.

  6. The MBAM Client will restart the system during the MBAM Client deployment. When you are ready for this restart, run the following command at a command prompt as an administrator:

    net start mbamagent

  7. When the computer restarts and the BIOS prompts you, accept the TPM change.

  8. During the Windows client operating system imaging process, when you are ready to start encryption, open a command prompt as an administrator, and type the following commands to set the start to Automatic and to restart the MBAM Client agent:

    sc config mbamagent start= auto

    net start mbamagent

  9. To delete the bypass registry values, run Regedit.exe, and go to the HKLM\SOFTWARE\Microsoft registry entry. Right-click the MBAM node, and then click Delete.
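The procedure above as a PowerShell script, added here as an example rather than code from the original page or from Microsoft: run it once to perform steps 3 to 6, and again with -FinishEncryption to perform steps 8 and 9. The Key Recovery URL is a placeholder, the default template path is assumed, and the registry value types (DWORD flags, string URL) are an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Assumes the MBAM 2.5 Client is
# installed in its default location and that the account can reach the server.
param(
    # Placeholder: replace with the URL of your Key Recovery service.
    [string]$KeyRecoveryUrl = 'http://mbam-server.example.com/MBAMRecoveryAndHardwareService/CoreService.svc',
    [string]$Template = 'C:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg',
    [switch]$FinishEncryption
)
$ErrorActionPreference = 'Stop'
$MbamKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'

if ($FinishEncryption) {
    # Steps 8 and 9: set the agent to Automatic, start it, then delete the bypass values.
    Set-Service -Name mbamagent -StartupType Automatic
    Start-Service -Name mbamagent
    Remove-Item -Path $MbamKey -Recurse -Force
    return
}

# Steps 3 and 4: stop the agent and set it to start on demand (sc config start= demand).
Stop-Service -Name mbamagent
Set-Service -Name mbamagent -StartupType Manual

# Step 5a: import the template shipped with the client (TPM protector, OS drive only).
if (-not (Test-Path -LiteralPath $Template)) { throw "Template not found: $Template" }
& reg.exe import "$Template"
if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed (exit code $LASTEXITCODE)" }

# MBAM will not encrypt unless the recovery key can be escrowed, so confirm the
# Key Recovery service answers before enabling escrow. Any HTTP response (even
# 401 or 403) counts as reachable; no response at all does not.
try   { Invoke-WebRequest -Uri $KeyRecoveryUrl -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15 | Out-Null; $reachable = $true }
catch { $reachable = [bool]$_.Exception.Response }
if (-not $reachable) { throw "Key Recovery service not reachable at $KeyRecoveryUrl" }

# Step 5b: the registry values from the table (defaults: escrow on, key + package).
# Value types are assumed: DWORD for the flags, REG_SZ for the endpoint URL.
if (-not (Test-Path $MbamKey)) { New-Item -Path $MbamKey -Force | Out-Null }
Set-ItemProperty -Path $MbamKey -Name DeploymentTime             -Value 1 -Type DWord
Set-ItemProperty -Path $MbamKey -Name UseKeyRecoveryService      -Value 1 -Type DWord
Set-ItemProperty -Path $MbamKey -Name KeyRecoveryOptions         -Value 1 -Type DWord
Set-ItemProperty -Path $MbamKey -Name KeyRecoveryServiceEndPoint -Value $KeyRecoveryUrl -Type String

# Step 6: starting the agent now triggers the TPM change and a restart; accept the
# change when the BIOS prompts (step 7), then rerun with -FinishEncryption.
Start-Service -Name mbamagent
```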


See also

Concepts

Planning for MBAM 2.5 Client Deployment

Other resources

Deploying the MBAM 2.5 Client