
How to fix the "MBAM Client Deployment is only supported on MBAM 2.5 SP1" error


The Microsoft BitLocker Administration and Monitoring (MBAM) Client software enables administrators to enforce and monitor BitLocker Drive Encryption on computers in the enterprise. The BitLocker client can be integrated into an organization by deploying the client through an electronic software distribution system such as Ivanti DSM or GPO, or by directly encrypting the client computers as part of the initial imaging process.

Depending on when you deploy the Microsoft BitLocker Administration and Monitoring client, you can enable BitLocker Drive Encryption on a computer in your organization either before the end user receives the computer or afterward. Kindly refer to these related guides: how to unlock a fixed drive protected by BitLocker, how to deploy Microsoft BitLocker Administration and Monitoring Tool, how to correctly disable Microsoft BitLocker Administration and Monitoring encrypted devices, and how to uninstall your current version of MBAM and run setup again.

Reason for the Error

The error occurs because the MBAM Client was integrated into MDT on its own, without the servicing update that is recommended alongside it. For MBAM 2.5 SP1, you must have the release version of MBAM 2.5 SP1 installed. The October 2020 servicing release for Microsoft Desktop Optimization Pack can be downloaded from the following link. Below is an image of the BDD log.



Kindly bundle the MBAM client together with the October 2020 servicing release for Microsoft Desktop Optimization Pack downloaded from the link above, and create a new Application from the bundle.

For a flawless integration or setup, please follow all the steps discussed in this guide: “how to deploy MBAM Client to Computers as Part of a Windows Deployment”.

Note: Beginning in MBAM 2.5 SP1, a separate MSI is no longer included with the MBAM product. However, you can extract the MSI from the executable file (.exe) that is included with the product.


When you are done, remember to update the deployment share.

Now take the image to WDS.


Start a new image deployment as shown below.


When these steps are completed, the MBAM agent will work as specified and should be able to apply the BitLocker/MBAM policies to your device. As you can see, the encryption is in progress.

It’s recommended that you install the agent near the end of the OSD task sequence so that the encryption does not slow your deployment down.


Now let’s verify the device compliance status! As you can see, the device is compliant, as shown in the image below. This means the recovery keys were successfully escrowed to the database.
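The same verification can be started on the freshly deployed device itself. The PowerShell below is an added example, not part of the original post: it assumes the MBAM client service is named `MBAMAgent` and that the client writes to the `Microsoft-Windows-MBAM/Admin` event log, and it must run in an elevated session. It only shows the local state; whether the key was escrowed is still confirmed by the server-side compliance status.

```powershell
# Added example: local post-deployment check for an MBAM-managed device.
# Assumptions: service name 'MBAMAgent', event log 'Microsoft-Windows-MBAM/Admin'.
function Get-MbamLocalStatus {
    param([string]$MountPoint = $env:SystemDrive)

    # 1. Is the MBAM client service installed, and is it running?
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue

    # 2. What does BitLocker itself report for the volume?
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # 3. A recovery password protector must exist before a key can be escrowed.
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        AgentInstalled       = [bool]$svc
        AgentStatus          = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        VolumeStatus         = "$($vol.VolumeStatus)"
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = "$($vol.ProtectionStatus)"
        # Report protector IDs only; the recovery password itself is never printed.
        RecoveryProtectorIds = $recovery.KeyProtectorId -join ', '
    }
}

$status = Get-MbamLocalStatus
$status | Format-List

if (-not $status.AgentInstalled) {
    Write-Warning 'MBAM client service not found: the Application did not install.'
} elseif ($status.AgentStatus -ne 'Running') {
    Write-Warning "MBAM client service is $($status.AgentStatus), not Running."
}
if ($status.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning 'Encryption has not started; policy may not have applied yet.'
}
if (-not $status.RecoveryProtectorIds) {
    Write-Warning 'No recovery password protector, so nothing can be escrowed.'
}

# Recent MBAM client events help explain policy or escrow failures.
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Admin' -MaxEvents 5 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```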


I hope you found this blog post helpful. Please let me know in the comment section if you have any questions.
