When upgrading MBAM there are a couple things to note. Number one, if you haven’t already you should make sure you have PowerShell scripts to setup everything on the server side. This will be a nice to have since every servicerelease requires a uninstall/reinstall. And with lots of serviceaccounts, groups and what not, not automating the install will cause you headaches everytime.
The next issue is that the agents needs to be ugpraded everywhere. Now there is no panic to upgrade the agents on the machines as the old version will keep reporting to a newer server release. However to benefit from all the bugs and security fixes the update should absolutley be deployed.
Now the issue, when you run the MSP on an already patches systems (let’s assume you already have a service release installed) nothing happends. Well this is due to the fact that the MSP only upgrades from version 220.127.116.11 as can be viewed in the MSP itself. Below is from the x64 patch of the september release.
Now to fix this the easiest way is actually to create a wrapper around the MBAM agent installer and use that to install the agent. That way if there is already and agent installed we can uninstall it and reinstall the patched version. And if there is no version installed we can go ahead and install the version.
All of this can be done using PowerShell and checking the registry for known keys.
To save you the time on creating your own script to solve this you can use mine. It can be found on github overe here https://github.com/LofgrenP/Scripts/tree/master/Install-MBAMClient
Now the script requires a simple folder structure looking like this
Now in the source folder you place the MbamClientSetup.exe and the patch file from the latest servicingrelease. The script is prepped for the current September 2017 release.
Next up is you run the script as a administrator on a box, or run the script as part of a package in Configuration Manager, an application in MDT or basically however you want.
The logfiles will switch location based on if its run as part of Configuration Manager, MDT or standalone. The end result will always be the same!