MBAM ships with two versions of the client, one for 32-bit and one for 64-bit Windows. As I mentioned in my previous post on this site, there is a quirk with the client if you are trying to deploy it to any of the 'N' editions of Windows: you need to open the MSI and modify one of its launch conditions, which that post walks through. Look there if you run into that issue.

One other change I made to the MSI for my client: I added the property ARPSYSTEMCOMPONENT=1, which keeps the application out of Add/Remove Programs, so users (at least the non-technical ones) never know it is there. I also add a registry value that ensures the client checks in with the server on startup:
[HKEY_LOCAL_MACHINE\SOFTWARE\
"NoStartupDelay"=dword:
Depending on your environment it might make more sense to include MBAM in your corporate image; it definitely saves time and effort, as I have found a couple of quirks in deploying the MSI. If you do deploy the MSI, make sure the machine's TPM has been enabled and initialized first, since the TPM is a requirement here. You can do this in the machine's BIOS.
One noted issue: if the machine you want to encrypt is already in the OU that your BitLocker policies apply to, you may not be able to encrypt the drive. One of the policies stops BitLocker from setting up its own partition, and BitLocker cannot encrypt the drive until that small system partition has been created. As part of my process I build machines in one OU, let the applications such as the MBAM client deploy, and then move the machine to the correct OU that receives the BitLocker policies.
For the install itself, I force things along a little by having the installer prepare the drive, install the client and set a registry value so that the client talks to the server right at log-in. Done this way, once the machine is booted in the correct OU the user gets a prompt to encrypt the drive within 1-3 minutes. I do this with the commands:
C:\Windows\System32\BdeHdCfg.
echo "Move the machine into the laptops OU and do a reboot"
PAUSE
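The same sequence (TPM check, drive preparation, silent install with the hidden-from-ARP property, the check-in registry value, then the hand-off to the OU move and reboot) written out in PowerShell, as an added example that is not the post's own batch script. Everything not stated in the post is an assumption and is marked as such in the code: the MSI file names and their location, the 300 MB system-partition size, the registry key path and value (taken from Microsoft's MBAM client documentation as I recall it; confirm against your MBAM version), and the MBAM service name. Note that ARPSYSTEMCOMPONENT is a standard public MSI property, so it can be passed on the msiexec command line without editing the MSI; it only hides the entry from Add/Remove Programs, it does not stop an administrator from uninstalling the product by its product code.

```powershell
# Added example, not from the original post. Runs the install steps the post
# describes, in that order, and stops early if a prerequisite is missing.
param(
    [string]$ClientDir = '.',      # assumed: both MSIs sit in the current directory
    [int]$SystemPartitionMB = 300  # assumed size for the unencrypted system partition
)
$ErrorActionPreference = 'Stop'

# msiexec, BdeHdCfg and HKLM writes all need an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

function Test-TpmReady {
    # Win32_Tpm is present on Windows 7 and later. No object back means no TPM,
    # or a TPM that is disabled in the BIOS; either way the policy cannot use it.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    return ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)
}

# 1. Refuse to continue without an enabled and activated TPM. The MSI installs
#    fine without one, but the TPM-based BitLocker policy can never encrypt.
if (-not (Test-TpmReady)) {
    throw 'TPM is not enabled and activated. Enable and initialize it in the BIOS first.'
}

# 2. Prepare the drive. BdeHdCfg carves out the small unencrypted system
#    partition BitLocker boots from. This runs before the machine is moved into
#    the OU that carries the BitLocker policies, so no policy can block it.
$bde = Join-Path $env:SystemRoot 'System32\BdeHdCfg.exe'
& $bde -target default -size $SystemPartitionMB -quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "BdeHdCfg exited with $LASTEXITCODE (drive may already be prepared, or lacks free space)"
}

# 3. Pick the MSI matching the OS bitness and install silently.
#    ARPSYSTEMCOMPONENT=1 is a public MSI property, so it can be passed here
#    instead of being edited into the MSI. File names are assumed.
$osArch  = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture
$msiName = if ($osArch -like '64*') { 'MbamClientSetup-x64.msi' } else { 'MbamClientSetup-x86.msi' }
$msi = Join-Path (Resolve-Path $ClientDir) $msiName
$log = Join-Path $env:TEMP 'MbamClientInstall.log'
$proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
    '/i', "`"$msi`"", '/qn', '/norestart', 'ARPSYSTEMCOMPONENT=1', '/l*v', "`"$log`""
)
# 0 = success, 3010 = success but reboot required (we reboot after the OU move anyway).
if (@(0, 3010) -notcontains $proc.ExitCode) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $log"
}

# 4. Make the client check in with the MBAM server at the next startup instead
#    of waiting out its normal start-up delay. Key path and value are assumed
#    from the MBAM client documentation; verify against your MBAM version.
$key = 'HKLM:\SOFTWARE\Microsoft\MBAM'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'NoStartupDelay' -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Confirm the client service landed (service name assumed), then hand over
#    to the manual step the post's script ends with.
$svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
if (-not $svc) { throw "MBAM client service not found after install; check $log" }
Write-Host "MBAM client installed (service state: $($svc.Status))."
Write-Host 'Move the machine into the laptops OU and reboot.'
```

Run it from the directory holding the two MSIs on a freshly built machine while it is still in the build OU; the step order is what matters, since the drive preparation must succeed before the BitLocker policies arrive.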