The MBAM Client

  • Rory Monaghan
  • October 9, 2012
BitLocker

MBAM ships with two versions of the client, one for 32-bit and one for 64-bit Windows. As I stated in my previous post on this site, there is a quirk with the client if you try to deploy it to any of the 'N' editions of Windows: you need to open the MSI and modify one of its launch conditions. See that post if you hit the issue. One other change I made to the MSI for my client was to add a new property, ARPSYSTEMCOMPONENT=1, which keeps the application out of Add/Remove Programs, so users, at least the non-technical ones, should never know it is installed. Note that this only hides the entry; the client is still visible in the registry, in the services list and to any inventory tool, so treat it as tidiness rather than concealment. I also add a registry key that makes the client check in with the server at startup instead of waiting out its default startup delay:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"NoStartupDelay"=dword:00000001

Depending on your environment it might make more sense to include MBAM in your corporate image; it definitely saves time and effort, as I have found a couple of quirks deploying the MSI. If you do deploy the MSI, make sure the machine's TPM has been enabled and initialized (activated) first, as the TPM is a requirement for the client. You can do this in the machine's BIOS.

A noted issue: if the machine you want to encrypt is already in the OU that your BitLocker policies apply to, you may not be able to encrypt the drive at all. This is because one of the policies stops BitLocker from setting up the separate system partition it needs, and BitLocker cannot encrypt the OS drive until that small partition has been created. As part of my process I build machines in one OU, let the applications such as the MBAM client deploy, and then move them to the correct OU that receives the BitLocker policies.

For the install itself I force things along a little: the installer prepares the drive, installs the client and sets the registry key above so that the client talks to the server right at log-on. Done this way, once the machine has booted in the correct OU the user gets a prompt to encrypt the drive within 1-3 minutes. I do this via the following commands, run from an elevated batch file:

REM Create the separate system partition (300 MB) that BitLocker requires
C:\Windows\System32\BdeHdCfg.exe -target default -size 300 -quiet
REM Install the 64-bit MBAM client with a basic, non-blocking progress UI
msiexec /i "\\Server\Share\BitLocker\MBAMClient-64bit.msi" /qb-
echo Move the machine into the laptops OU and do a reboot
PAUSE

After the machine boots up you should see the MBAM prompt to encrypt the drive. If you don't, it is possible the machine has been picked up as new hardware, e.g. the hardware type, firmware or TPM make has not been approved for use yet. In that case browse to your MBAM console, go to Hardware and check whether any hardware is set as Incompatible; you will need to switch it to Compatible. Then restart the BitLocker Management Client Service on the machine and the prompt should appear within a minute.
Request Exemption and Postpone appear as options in the prompt only if you did not configure a policy to block them.
As the prompt itself points out, the larger the drive, the longer it takes to encrypt. If the machine is not plugged into mains power, encryption will not start. You can shut the machine down at any time; encryption simply resumes silently the next time you start up.
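As an added example that is not part of the original post, here is the same provisioning sequence in PowerShell: it checks the TPM state the post says must be in place before installing, prepares the system partition, installs the client with ARPSYSTEMCOMPONENT=1 passed on the command line instead of edited into the MSI, sets NoStartupDelay, and restarts the MBAM client service (the post's fix when the prompt does not appear). The share path and MSI name are the placeholders from the post's command line; MBAMAgent is assumed to be the service name behind "BitLocker Management Client Service". It uses Get-WmiObject rather than Get-Tpm so it runs on the Windows 7-era PowerShell 2.0 this post targets. Run it elevated.

```powershell
# Added example, not from the original post: MBAM 1.0 client provisioning
# in PowerShell, following the post's batch steps. Run in an elevated shell.
# Assumptions: the share path and MSI file name are placeholders taken from
# the post's command line; MBAMAgent is assumed to be the service name of
# the "BitLocker Management Client Service".
$ErrorActionPreference = 'Stop'
$MsiPath = '\\Server\Share\BitLocker\MBAMClient-64bit.msi'

function Test-TpmReady {
    # Win32_Tpm only exists when the machine has a TPM. IsEnabled() and
    # IsActivated() report the BIOS state the post says must be set first.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { Write-Warning 'No TPM found on this machine'; return $false }
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
    Write-Host "TPM enabled=$enabled activated=$activated owned=$owned"
    # Ownership is taken when BitLocker is turned on, so only enabled and
    # activated are hard prerequisites at this point.
    return ($enabled -and $activated)
}

function Initialize-SystemPartition {
    # The post's first batch step: carve out the separate system partition
    # BitLocker needs before it can encrypt the OS drive.
    & "$env:SystemRoot\System32\BdeHdCfg.exe" -target default -size 300 -quiet
    if ($LASTEXITCODE -ne 0) {
        # Warn rather than abort: the drive may already be prepared (e.g. by
        # the image), and the MBAM client will report the real state later.
        Write-Warning "BdeHdCfg exited with code $LASTEXITCODE"
    }
}

function Install-MbamClient {
    # ARPSYSTEMCOMPONENT=1 as a public property on the command line hides the
    # entry in Add/Remove Programs, the same effect the post got by adding the
    # property inside the MSI. /qb- = basic UI with no modal dialog at the end.
    $msiArgs = "/i `"$MsiPath`" ARPSYSTEMCOMPONENT=1 /qb- /norestart"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required (expected here anyway)
    if (@(0, 3010) -notcontains $proc.ExitCode) {
        throw "msiexec returned $($proc.ExitCode) installing $MsiPath"
    }
}

function Set-MbamNoStartupDelay {
    # The post's registry tweak: have the client check in with the MBAM server
    # at startup instead of waiting out its default delay.
    $key = 'HKLM:\SOFTWARE\Microsoft\MBAM'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoStartupDelay' -Value 1 -Type DWord
}

function Restart-MbamAgent {
    # Restarting the client service is the post's fix when the encryption
    # prompt does not appear after the hardware is marked Compatible.
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    if ($svc) { Restart-Service -InputObject $svc -Force }
    else { Write-Warning 'MBAMAgent service not found; is the client installed?' }
}

if (-not (Test-TpmReady)) {
    throw 'TPM is not enabled and activated. Turn it on in the BIOS, then re-run.'
}
Initialize-SystemPartition
Install-MbamClient
Set-MbamNoStartupDelay
Restart-MbamAgent
Write-Host 'Now move the computer object into the OU that receives the BitLocker policies and reboot.'
```

Passing ARPSYSTEMCOMPONENT=1 on the command line is handy when you would rather not ship a modified MSI; it sets the SystemComponent value on the product's Uninstall key so the entry is filtered out of Add/Remove Programs, but the product remains fully visible to msiexec, WMI and inventory tooling. The TPM check is deliberately up front: if it fails, nothing is installed and the machine can be sent back for a BIOS change before it ever lands in the BitLocker OU.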
That’s it. MBAM is needlessly complicated to set up in it’s currently form. My suggestion would be to put it on your image if possible. Also MBAM 2.0 is currently in Beta and will hopefully be a little more straight forward.