Windows - Software - Install Bitwarden (64-Bit)

What the Bitwarden Windows installer does

This Automox Worklet™ deploys the latest 64-bit Bitwarden password manager to Windows endpoints without user interaction. The Worklet checks the Windows Registry for an existing Bitwarden installation, downloads the current installer from the Automox software cache, and runs it with the /allusers /S arguments so the application is installed system-wide and silently.

The evaluation script handles both 64-bit and 32-bit Windows hosts. On a 64-bit host it inspects the native uninstall hive at HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the WOW64 hive at HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall for any DisplayName matching "Bitwarden." On a 32-bit host it inspects HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall directly. Either match returns exit code 0 and skips remediation.

Remediation downloads Bitwarden_x64.exe from the Automox software cache into the Worklet's working directory and launches it with Start-Process -FilePath $scriptDir\Bitwarden_x64.exe -ArgumentList /allusers,/S -Wait. After the installer exits, the Worklet re-runs the registry check and returns exit 0 on a successful install or exit 1 when the install fails to register.

Bitwarden is an open-source password manager that lets end users store, generate, and autofill credentials across Windows, macOS, Linux, mobile, and browsers. The Worklet places the Windows desktop client on every covered endpoint so credential workflows match across the fleet.

Why deploy Bitwarden to every Windows endpoint

Password reuse and weak credentials remain a common contributor to identity-based incidents. End users left to manage credentials on their own often fall back to browser-stored passwords, reused passphrases, or shared notes. Those paths do not hold up well against credential stuffing or workstation-targeted phishing. Standardizing on a managed password manager addresses that gap, but the rollout only matters if Bitwarden is present and current on every Windows endpoint in scope, not just the laptops the help desk got to last quarter.

Centralized password management also maps to control families in NIST 800-53 (IA-5 Authenticator Management), the CIS Critical Security Controls (Control 5 Account Management, Control 6 Access Control), and PCI-DSS v4.0 8.6 (Use of Application and System Accounts and Associated Authentication Factors). PCI-DSS 8.3.x in v4.0 focuses on multi-factor authentication for system access; password manager deployment supports the broader credential hygiene controls in section 8 rather than a single sub-requirement. Auditors looking at access control coverage want to see uniform credential hygiene tooling, not screenshots from one user's laptop. Installing Bitwarden through this Worklet produces consistent registry evidence on every endpoint.

Schedule this Worklet against the Windows workstation and server groups so the same Bitwarden_x64.exe lands with the same /allusers /S arguments on every endpoint in scope. The registry probe across HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall confirms the install result before the policy reports back to the Activity Log.

How the Bitwarden installer Worklet works

1. Evaluation phase: The Worklet calls [System.Environment]::Is64BitOperatingSystem to decide which registry view to read. On a 64-bit host it opens the Registry64 view of HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and iterates subkeys, then falls back to HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall via Get-ChildItem | Get-ItemProperty. On a 32-bit host it reads HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall directly. Any DisplayName matching "Bitwarden" returns exit 0 (compliant); no match returns exit 1 and flags the endpoint for remediation.

2. Remediation phase: The Worklet downloads Bitwarden_x64.exe from the Automox software cache into the Worklet working directory using System.Net.WebClient.DownloadFile, then runs Start-Process -FilePath "$scriptDir\Bitwarden_x64.exe" -ArgumentList '/allusers','/S' -Wait. The /allusers flag installs Bitwarden as ALLUSERS=1 for every account on the endpoint, and /S runs the NSIS-based installer in silent mode. After the installer exits, the Worklet re-runs the same registry probe and returns exit 0 on a confirmed install or exit 1 if the registry still shows no Bitwarden entry.

Bitwarden deployment requirements

• Windows 8 or later (x64 or x86), workstation or server SKU

• PowerShell 5.0 or later (default on Windows 10, Windows 11, and Windows Server 2016+)

• Administrator context for the Automox agent (required for the ALLUSERS install and for writes under HKLM)

• Outbound HTTPS to api.automox.com to retrieve the cached Bitwarden_x64.exe installer

• Approximately 150 MB of free disk space on the system drive for the installer and the installed application

• No competing Bitwarden deployment from MSI, winget, or the Microsoft Store; remove those first to avoid duplicate Start menu entries

Expected Bitwarden state after the Worklet runs

After a successful run, Bitwarden is registered under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall on 64-bit endpoints (the Worklet also accepts a match under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall for 32-bit installer variants) with a DisplayName of "Bitwarden" and the current vendor version. The Bitwarden shortcut appears in the Start menu for every user profile on the endpoint, and the application is available in Settings under Apps and features. The Worklet exits 0 and the endpoint reports compliant on the next evaluation pass.

Verification: From an elevated PowerShell session on a target endpoint, run Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*Bitwarden*"} | Select DisplayName, DisplayVersion, InstallLocation to confirm the installer registered the application. The /allusers flag installs to C:\Program Files\Bitwarden\Bitwarden.exe and the registry entry lands in the native 64-bit HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall hive. In the Automox console, an exit code of 0 in the remediation activity log and a passing evaluation on the next policy run together indicate a successful deployment. Re-running the Worklet on an already-compliant endpoint is safe – the evaluation script short-circuits on the first DisplayName match and exits 0 without downloading the installer again.