0 Replies Latest reply on Nov 24, 2015 1:08 PM by 1EarEngineer

    How To: Deploy MBAM 2.5 SP1 on Windows 7 with LDMS 9.6 SP2

    1EarEngineer Specialist

So one of the few knocks I have with LANDESK when compared to SCCM is the poor integration with BitLocker, or encryption in general. Now, I realize they have partnered with folks like WinMagic, who use agent-based encryption rather than requiring a partition, TPM, etc. like BitLocker does, but let's face it: enterprises today usually get MDOP bundled with their EA agreements, and that means BitLocker. I digress; back to the topic at hand.

       

With MDOP 2015, MBAM has moved to 2.5 SP1, and with that came quite a few changes. I'm creating this post to save folks the time and headaches I and the LD techs have gone through getting this to work. If anyone was able to do this differently, I fully welcome you to share your process. This process has been confirmed on both Dell and Lenovo machines with LDMS 9.6 SP2.

       

      MBAM Notes:

I'll assume that since you are running LANDESK you have already followed https://support.microsoft.com/en-us/kb/3046555 and have the MBAM server side set up. If not, the following will not work.

• Your image must have a separate hidden partition, or else the PS script will fail.
• The MBAM client MUST be installed prior to running the PowerShell script, or else it will fail.
• The TPM must be inactive and not owned. If this is not the case, run tpm.msc and clear it. We want it inactive so that Windows doesn't take ownership, or else the PS script will fail.
• The computer must not be in an AD OU that already has MBAM settings configured, or else the PS script will fail.
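The four prerequisites above are easy to verify before the Microsoft script ever runs. The following pre-flight script is an added example written for this page, not code from the original post or from Microsoft; it targets Windows PowerShell 2.0 on Windows 7 (so it uses WMI rather than the Get-Tpm / Get-Partition cmdlets that only exist on Windows 8 and later) and returns a non-zero exit code so it can sit in the provisioning template as a step before the MBAM script. Assumptions not stated on the page: the MBAM client service is named MBAMAgent, and applied MBAM group policy lands under HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement.

```powershell
# Added example (not from the post): check the MBAM 2.5 SP1 prerequisites listed above.
# Run elevated in the full OS, after the MBAM client install and reboot, before the PS script.
$failures = @()

# 1. Separate system partition: the active (bootable) partition on the OS disk
#    must not be the same partition that holds C:.
$cPart = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} WHERE AssocClass=Win32_LogicalDiskToPartition"
$parts = @(Get-WmiObject Win32_DiskPartition -Filter "DiskIndex=$($cPart.DiskIndex)")
$active = $parts | Where-Object { $_.BootPartition }
if ($parts.Count -lt 2 -or ($active -and $active.DeviceID -eq $cPart.DeviceID)) {
    $failures += "no separate system partition on disk $($cPart.DiskIndex); BitLocker needs one"
}

# 2. MBAM client present (assumption: service name MBAMAgent).
if (-not (Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue)) {
    $failures += "MBAM client service (MBAMAgent) not installed"
}

# 3. TPM visible, enabled, and not yet owned by Windows.
$tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    $failures += "no TPM visible to Windows (still turned off in BIOS?)"
} else {
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Output "TPM enabled=$enabled activated=$activated owned=$owned"
    if (-not $enabled) { $failures += "TPM is not enabled" }
    if ($owned)        { $failures += "TPM is already owned; clear it in tpm.msc first" }
}

# 4. No MBAM policy applied yet (assumption: this is where the GPO settings land).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
if (Test-Path $policyKey) {
    $failures += "MBAM policy already applied ($policyKey); move the computer out of the MBAM OU first"
}
# Record the computer's current OU in the step output for troubleshooting.
try {
    $dn = ([ADSISearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))").FindOne().Properties['distinguishedname'][0]
    Write-Output "Computer object: $dn"
} catch {
    Write-Output "Could not look up the computer object in AD (not domain-joined or DC unreachable)"
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1   # non-zero so the LANDESK provisioning step is marked failed
}
Write-Output "All MBAM prerequisites satisfied"
exit 0
```

The TPM and BitLocker WMI providers require an elevated session, which a provisioning step running as SYSTEM already has. Check 3 only hard-fails on an owned TPM; whether the chip should show as activated at this point depends on where in the template you run it, so that state is just logged.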

       

      IMAGE:

      A big note here:

If you are using ImageW, your captured image MUST contain an additional partition for BitLocker to use: BitLocker keeps the boot files on a small unencrypted system partition, because the OS volume itself gets encrypted. If your capture does not have more than one partition, you will not be able to add one later when deploying. If you want to be able to add it at deployment time, capture your image with ImageX, not ImageW.

       

      Lenovo Template:

      Here is a screenshot of a template. We actually add in a lot more but I've taken out everything else that isn't needed for MBAM.

      LenovoMBAM.PNG

We don't currently use HII, but rather DISM, to inject our drivers. We are hoping to transition once the next version of LDMS ships with the upgraded HII. As you can see, I copied the files needed for MBAM to the local disk during PE; this was to avoid any mapped-drive issues once actually in the OS.

      Run DISM

      Dism.PNG

      Create MBAM Directory

      CreateMBAM.PNG

       

Save TPM Owner - As part of MBAM 2.5 SP1, Microsoft ships a script (SaveWinPETpmOwnerAuth.wsf, covered in the KB article above) that saves the TPM owner information created in WinPE so the MBAM client can escrow it once the OS is up. This step runs it while still in PE.

      SaveTPMOwner.PNG

       

Switch TPM to Active - According to LANDESK, this appears to be a bug that required me to move my parameters into the path and file name field rather than calling out cmd.exe for the file name and putting the rest in the parameters field. Ironically, the nice thing about this is that you get the output included in the provisioning window. The tpm_activate.vbs script is a Lenovo-provided script that you can download from this post.


      LenovoActivateTPM.PNG
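The Lenovo VBScript itself is not reproduced on this page. As an added example (not the tpm_activate.vbs from the post, and not Lenovo's code), here is the same BIOS change made from PowerShell through Lenovo's WMI interface, which is what that kind of script drives underneath. Assumptions: a ThinkPad-style BIOS that exposes the setting named SecurityChip with the value Active (check the Lenovo_BiosSetting output on your model, since names vary), no supervisor password set, and an elevated session with WMI available. A reboot is still required for the change to take effect.

```powershell
# Added example (not from the post or from Lenovo): set the TPM to Active via Lenovo WMI.
$ns = 'root\wmi'

# Log the current value so the provisioning output records the starting state.
$current = Get-WmiObject -Namespace $ns -Class Lenovo_BiosSetting |
    Where-Object { $_.CurrentSetting -like 'SecurityChip,*' }
if (-not $current) {
    Write-Output 'SecurityChip setting not exposed on this model'   # assumption: setting name
    exit 2
}
Write-Output "Before: $($current.CurrentSetting)"

# Stage the change; the argument format is "<setting>,<value>".
$set = Get-WmiObject -Namespace $ns -Class Lenovo_SetBiosSetting
$r = $set.SetBiosSetting('SecurityChip,Active')
if ($r.return -ne 'Success') {
    Write-Output "SetBiosSetting failed: $($r.return)"
    exit 1
}

# Commit to the BIOS. The argument is the supervisor password as "pwd,ascii,us",
# or an empty string when no supervisor password is set (assumed here).
$save = Get-WmiObject -Namespace $ns -Class Lenovo_SaveBiosSettings
$r = $save.SaveBiosSettings('')
if ($r.return -ne 'Success') {
    Write-Output "SaveBiosSettings failed: $($r.return)"
    exit 1
}

Write-Output 'SecurityChip set to Active; takes effect after the next reboot'
exit 0
```

Because this writes its result to standard output and exits non-zero on failure, it fits the same provisioning slot as the VBScript and shows its output in the provisioning window. If your fleet does use a supervisor password, it has to be passed to SaveBiosSettings, which raises the same cleartext-credential concern as the Dell batch files further down.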

Install MBAM 2.5 SP1 Client - For this step, I simply took the client that was provided as part of MDOP 2015 and created an EXE package in LANDESK with the following command-line options. After installing the MBAM client, we reboot so that the TPM can be activated.

      MBAMAgent_PackageCLO.PNG

Run MBAM 2.5 SP1 PS Script - Here is where we run the PowerShell script provided by Microsoft. However, in order for it to work properly, you have to pass parameters, which I was not able to do with the PowerShell distribution package type. We were able to make a .bat file and then wrap that into an LD package instead. The only bug is that LD will report that it fails, even though the script runs and your hard drive is encrypting.

       

      At this point, you can now move your computer into an AD OU that contains your MBAM configurations.
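Since the step above has to be wrapped in a batch file anyway, a small PowerShell wrapper can pass the parameters, log what happened, and hand the Microsoft script's real exit code back to LANDESK so the step reports the actual outcome. This is an added example for this page, not the post's batch file and not Microsoft's script. Assumptions: the MBAM client package was copied to C:\MBAM in PE as in the templates above, the script is Invoke-MbamClientDeployment.ps1 from the MDOP 2015 media, and the recovery service URL is a hypothetical placeholder for your own MBAM server.

```powershell
# Added example (not from the post): wrap Invoke-MbamClientDeployment.ps1 with parameters,
# verify that encryption actually started, and return the script's exit code to LANDESK.
$scriptPath = 'C:\MBAM\Invoke-MbamClientDeployment.ps1'          # assumption: local copy from PE
$endpoint   = 'https://mbam.example.com/MBAMRecoveryAndHardwareService/CoreService.svc'  # hypothetical
$log        = 'C:\MBAM\MbamDeploy.log'

if (-not (Test-Path $scriptPath)) {
    "Missing $scriptPath" | Out-File $log -Append
    exit 2
}
if (-not (Get-Service MBAMAgent -ErrorAction SilentlyContinue)) {   # assumption: service name
    'MBAM client not installed; install it and reboot first' | Out-File $log -Append
    exit 3
}

# Run the Microsoft script in a child PowerShell so execution policy and its exit code
# are under our control rather than the package type's. Add -WaitForEncryptionToComplete
# to the list if the step should block until the drive is fully encrypted.
$psArgs = @(
    '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $scriptPath,
    '-RecoveryServiceEndpoint', $endpoint,
    '-EncryptionMethod', 'AES256',
    '-EncryptAndEscrowDataVolume'
)
$p = Start-Process -FilePath "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -ArgumentList $psArgs -Wait -PassThru `
        -RedirectStandardOutput "$log.out" -RedirectStandardError "$log.err"
"Invoke-MbamClientDeployment.ps1 exited with $($p.ExitCode)" | Out-File $log -Append

# Independently confirm that the OS volume is encrypting, using the BitLocker WMI provider.
# ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2 = encryption in progress.
$vol = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftVolumeEncryption `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if ($vol) {
    $status = $vol.GetConversionStatus()
    "C: conversion status $($status.ConversionStatus), $($status.EncryptionPercentage)% encrypted" | Out-File $log -Append
    if ($p.ExitCode -eq 0 -and $status.ConversionStatus -eq 0) {
        'Script reported success but C: is still fully decrypted' | Out-File $log -Append
        exit 4
    }
}
exit $p.ExitCode
```

Call it from the .bat that LD wraps, for example with powershell.exe -ExecutionPolicy Bypass -File C:\MBAM\Run-Mbam.ps1, and keep the .bat's last line as the wrapper call so its exit code is what the package returns. The log and the .out/.err files stay on the machine, which is handy for the LD techs; they contain no secrets, unlike the BIOS password batch files below.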

       

For Dell Machines: Since Dell uses CCTK (the Dell Client Configuration Toolkit) instead of the VBScript, we have to copy both CCTK and the batch files to the local disk during PE.

       

      DellMBAM.PNG

      Run DISM

      Dism.PNG

      Create MBAM Directory

      CreateMBAM.PNG

       

Save TPM Owner - As part of MBAM 2.5 SP1, Microsoft ships a script (SaveWinPETpmOwnerAuth.wsf, covered in the KB article above) that saves the TPM owner information created in WinPE so the MBAM client can escrow it once the OS is up. This step runs it while still in PE.

      SaveTPMOwner.PNG

Turn on TPM and Set BIOS Password - For this I simply created a batch file with the following inside (use your own password in place of YourBiosPassword, and the same value on both lines; --tpm=on requires the setup password to already be set, which is why the first line comes first):

cctk --setuppwd=YourBiosPassword
cscript pause.vbs
cctk --tpm=on --valsetuppwd=YourBiosPassword
cscript pause.vbs

Note that these batch files carry the BIOS setup password in cleartext and, because we copy them to the local disk in PE, they stay on the machine afterwards where any local administrator can read them. Delete the local copies as a final provisioning step, or at least restrict them to SYSTEM.

      TurnOnTPM.PNG


Switch TPM To Active - Again, create a batch file with the following inside (the same setup password as above; the TPM must already be turned on and the machine rebooted before activation will take):

cctk --tpmactivation=activate --valsetuppwd=YourBiosPassword

      ActivateTPM.PNG