Permalink
Fetching contributors…
Cannot retrieve contributors at this time
105 lines (85 sloc) 3.88 KB
title description author ms.assetid ms.pagetype ms.mktglfcycl ms.sitesec ms.prod ms.date
Prerequisites for MBAM 2.5 Clients
Prerequisites for MBAM 2.5 Clients
jamiejdt
fc230679-9c84-4b99-a77c-bae7e7bf8145
mdop, security
manage
library
w10
04/23/2017

Prerequisites for MBAM 2.5 Clients

Before you install the MBAM Client software on end users' computers, ensure that your environment and the client computers meet the following prerequisites.

Prerequisite Details

The enterprise domain must contain at least one Windows Server 2008 (or later) domain controller.

The client computer must be logged on to the enterprise intranet.

For Windows 7 client computers only: Each client must have Trusted Platform Module (TPM) capability (TPM 1.2 or later).

For Windows 8.1, Windows 10 RTM or Windows 10 version 1511 client computers only: If you want MBAM to be able to store and manage the TPM recovery keys, TPM auto-provisioning must be turned off, and MBAM must be set as the owner of the TPM before you deploy MBAM.

In MBAM 2.5 SP1 only, you no longer need to turn off TPM auto-provisioning, but you must make sure that the TPM Group Policy Objects are set to not escrow TPM OwnerAuth to Active Directory.

[MBAM 2.5 Security Considerations](mbam-25-security-considerations.md#bkmk-tpm)

For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM.

In MBAM 2.5 SP1, you must turn on auto-provisioning.

See [TPM owner password](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.

The TPM chip must be turned on in the BIOS and be resettable from the operating system.

See the BIOS documentation for more information.

The computer’s hard disk must have at least two partitions and must be formatted with the NTFS file system.

The computer’s hard disk must have a BIOS that is compatible with TPM and that supports USB devices during computer startup.

Note  

Ensure that the keyboard, video, or mouse are directly connected and not managed through a keyboard, video, or mouse (KVM) switch. A KVM switch can interfere with the ability of the computer to detect the physical presence of hardware.

 

If you use a proxy, it must be visible in the system context. MBAM runs under the system context, not the user context.

 

Important   If BitLocker was used without MBAM, MBAM can be installed and utilize the existing TPM information.  

Related topics

MBAM 2.5 Supported Configurations

Planning to Deploy MBAM 2.5

 

Got a suggestion for MBAM?