Installation of the MBAM client is done automatically via Group Policy the next time Group Policy refreshes (around 90 minutes maximum).
There are two Group Policy Objects (GPO) that can be used to install the client: Technology Solutions - MBAM - 64BIT and Technology Solutions - MBAM - 32BIT. Each GPO will only install the client for the correct version of windows and ignore the rest. So, for example, you can apply both GPOs the an Organizational Unit in Active Directory that contains a variety of machines and the 64BIT client will only be installed on 64BIT versions of Windows and the 32BIT client will only be installed on 32BIT versions of Windows. Furthermore, the client will currently only install itself on non-server versions of Windows.
NOTE: No reboot is required.
NOTE: Please leave the machine in the OU that the GPO is linked to. If you move it to an OU that doesn't have a GPO that contains MBAM settings linked to it, then the endpoint won't be able to communicate with the server. It will continue to be encrypted, but users that log onto the machine after it has been moved won't be added to the authorized list in the database and will not be able to use the self-help portal to retrieve their keys. Similarly, this value may fail to be correctly set without using a VPN client depending on network topology. For example, when working remotely.
To install the client:
1. Open up the Group Policy Management console.
2. Find the OU that contains computers you want to enforce encryption on, right-click on it, and select "Link an Existing GPO".
NOTE: Unless inheritance is blocked, the policy will be applied to computers in Organization Units that are "children" of the one you apply the policy to.
3. Select the desired GPO from the list and click "OK".