The MBAM Client

By Rory Monaghan

MBAM ships with two different versions of the client, one for 32-bit and one for 64-bit Windows. As I stated in my previous post on this site, there is a quirk with the client if you are trying to deploy to any of the 'N' editions of Windows: you will need to open the MSI and modify one of the launch conditions (see that post if you have the issue). One other change I made to the MSI for my client: I added a new property, ARPSYSTEMCOMPONENT=1, which keeps the application out of Add/Remove Programs, so users (at least the non-technical ones) should never know it is there. I also add a registry value that ensures the client checks in with the server on startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"NoStartupDelay"=dword:00000001

Depending on your environment it may make more sense to include MBAM in your corporate image; it definitely saves time and effort, as I have found a couple of quirks in deploying the MSI. If you want to deploy the MSI, be sure the machine's TPM has been enabled and initialized first, as a TPM is a requirement here. You can do this in the machine's BIOS.

A known issue: if the machine you want to encrypt is in the OU your BitLocker policies are applied to, you may not be able to encrypt the drive! This is because one of the policies stops BitLocker from being able to set up its own partition. BitLocker cannot encrypt the drive until it has finished creating that small partition. As part of my process I build machines in one OU, allow the applications such as the MBAM client to deploy, and then move the machine to the correct OU that receives the BitLocker policies.

For the install itself, I force it along a little by ensuring the installer prepares the drive, installs the client and sets a registry value so that the client talks to the server right at log-in. Doing it this way ensures that once the machine is booted in the correct OU, the user will get a prompt to encrypt their drive within 1-3 minutes. I do this via the following commands:

REM Create the small unencrypted system partition BitLocker needs before it can encrypt
C:\Windows\System32\BdeHdCfg.exe -target default -size 300 -quiet
REM Install the 64-bit client with a basic progress UI and no prompts
msiexec /i "\\Server\Share\BitLocker\MBAMClient-64bit.msi" /qb-
echo "Move the machine into the laptops OU and do a reboot"
PAUSE
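The same procedure as a single unattended PowerShell script is shown below. This is an added example, not code from the original post: it checks that the TPM is actually enabled and activated before anything else (so a failed install points at firmware rather than at the MSI), prepares the drive, picks the client matching the OS architecture, passes ARPSYSTEMCOMPONENT=1 on the msiexec command line as a public property instead of editing the MSI, and writes the NoStartupDelay value. The share path and the MSI file names are the placeholders from the post; the MSI log path is an assumption. Run it as an elevated 64-bit PowerShell session while the machine is still in the staging OU.

```powershell
# Added example (not from the original post): unattended MBAM client deployment.
# Assumptions: '\\Server\Share\BitLocker' and the MSI names are placeholders from
# the post; Win32_Tpm (root\cimv2\Security\MicrosoftTpm) and BdeHdCfg.exe are
# standard Windows interfaces; the log file location is this script's own choice.

$ErrorActionPreference = 'Stop'
$Share = '\\Server\Share\BitLocker'   # placeholder from the post

# 1. The TPM must be enabled and activated (initialized) in firmware before the
#    client is of any use; fail early and loudly if it is not.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM device found; enable it in the BIOS/UEFI first.' }
if (-not $tpm.IsEnabled().IsEnabled)     { throw 'TPM is present but disabled in firmware.' }
if (-not $tpm.IsActivated().IsActivated) { throw 'TPM is enabled but not activated (initialized).' }

# 2. Create the unencrypted system partition BitLocker needs. This must happen
#    while the machine is still in the staging OU, before the BitLocker GPOs apply.
$bde = Join-Path $env:SystemRoot 'System32\BdeHdCfg.exe'
& $bde -target default -size 300 -quiet
if ($LASTEXITCODE -ne 0) { throw "BdeHdCfg.exe failed with exit code $LASTEXITCODE" }

# 3. Pick the client matching the OS, not the PowerShell process, bitness.
$is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$msi = if ($is64) { 'MBAMClient-64bit.msi' } else { 'MBAMClient-32bit.msi' }

# 4. Silent install. ARPSYSTEMCOMPONENT=1 is a standard public Windows Installer
#    property, so it can be passed here to hide the Add/Remove Programs entry
#    without editing the MSI. 3010 means "installed, reboot required".
$log = Join-Path $env:TEMP 'MBAMClient-install.log'   # assumed log location
$msiArgs = @('/i', "`"$Share\$msi`"", '/qn', '/norestart', 'ARPSYSTEMCOMPONENT=1', '/l*v', "`"$log`"")
$p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {
    throw "msiexec returned $($p.ExitCode); see $log"
}

# 5. Make the client report to the MBAM server immediately at startup
#    (the NoStartupDelay value from the post).
$key = 'HKLM:\SOFTWARE\Microsoft\MBAM'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'NoStartupDelay' -PropertyType DWord -Value 1 -Force | Out-Null

Write-Host 'MBAM client installed. Move the computer object into the OU that carries the BitLocker policies, then reboot.'
```

The ordering matters: the TPM check and BdeHdCfg run before the MSI so that a failure is attributed to the right layer, and the registry value is written last so a client that never installed cannot be told to phone home. Check the msiexec log if the exit code is anything other than 0 or 3010.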


After the machine boots up you should see the following dialogs. If you don't, it is possible that the machine has been picked up as new, e.g. the hardware type, firmware or TPM make has not yet been approved for use. In that case, browse to your MBAM console, go to Hardware and see if any hardware is set as Incompatible; you will need to switch it to Compatible. You can then restart the BitLocker Management service and the prompt should appear in 1 minute.

Request Exemption and Postpone are only options if you did not configure a policy to block them.

As the above screen suggests, the larger the drive, the longer it will take to encrypt. If your machine is not plugged in, the encryption will not start. You can shut down the machine at any time and it will simply resume silently the next time you start up.

That's it. MBAM is needlessly complicated to set up in its current form. My suggestion would be to put it on your image if possible. MBAM 2.0 is currently in beta and will hopefully be a little more straightforward.
