This two- part series will walk through all the steps necessary to install and configure Microsoft BitLocker Administration (MBAM). For this series, I’m installing MBAM 2.5 SP1 on Windows Server 2016 and using SQL Server 2016 SP1 for the database. For specific supported configurations in terms of operating systems and SQL, go here: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-supported-configurations.
In part one, I will give you an overview of the MBAM components. Also, we’ll go over all the prerequisites you will need, including service accounts, AD groups, etc. Finally in part one, we will install the MBAM databases and reporting point. In part two, we will install the Administrative and Self-Service Portals, look at the Group Policy settings you need, and deploy the MBAM client.
The MBAM client works on Windows 10 Enterprise or Education, Windows 8.1 Enterprise, or Windows 7 Enterprise or Ultimate. You must be running one of the SKUs.
To get MBAM, you must download the Microsoft Desktop Optimization Pack for Software Assurance (MDOP). As of this writing, the latest version is 2015. Also, you need to download the latest servicing release for that MBAM client and server. As of this writing, the latest service release was June 2017 and it’s available here: https://www.microsoft.com/en-us/download/details.aspx?id=55529. This service release is required to support installing the MBAM server components on Server 2016 and SQL 2016. Also, this release is required to support Windows 10 1703.
I will be installing MBAM in the stand-alone topology. For details on installing it with ConfigMgr integration, see the official Microsoft documentation. A lot of the same steps are required.
Best practice is to use two servers for MBAM. One server runs SQL and SQL Server Reporting Services, while the other hosts the administrative help desk portal and the user self-service portal.
MBAM has several components. Here they are:
- Recovery Database (stores recovery keys)
- Compliance and Audit Database (stores compliance data mostly used by reporting)
- Reporting (based on SQL Server Reporting Services)
- Administration and Monitoring Portal (more of a Help Desk portal)
- Self-Service Portal (end-user portal)
- MBAM Client
- MBAM GPO
You need to build or do several things before installing MBAM:
- Database server with SQL instance and SQL Reporting Services install (example hostname: mbamdb01.contoso.local)
- Application server (example hostname: mbam01.contoso.local)
- Two HTTPS certificates, one for each server
- Service account for read/write access to the database. The IIS application pool for the Administration and Monitoring Portal and Self-Service Portal run as this account (example account name: MBAM_IIS)
- Service account for read access to the database. SQL Reporting Services runs as this account (example account name: MBAM_SSRS)
- SPN needs to be created linking the server name to the application pool account. SPN is required to ensure secure communication between the clients and system.
- IIS user account (IIS_IUSRS) must be given “Impersonate a client after authentication” and “Log on as a batch job” rights. This is granted via User Rights Assignment in Group Policy.
- Reporting users group for granting access to MBAM reports (example group: MBAM_ReportingUsers)
- Advanced Help Desk role group (example group: MBAM_AdvHelpDesk)
- Help Desk role group (example group: MBAM_HelpDesk)
- MBAM ADMX template imported into Group Policy
These items are needed at some point in the process. I would suggest going ahead and creating them ahead of time.
If you’re a domain admin, the installation process for the administration and monitoring portal will create the SPN for you. If you’re not a domain admin, you need to get a domain admin to run this command from a domain controller:
setspn -s http/<application server name> <domain>\<database read/write IIS service account>
Example: setspn -s http/mbam01.contoso.local contoso\MBAM_IIS
There is a set of required Group Policy settings for MBAM to function. You can download the required ADMX template from here: https://www.microsoft.com/en-us/download/details.aspx?id=55531. This will download the ADMX templates for all MDOP products; you only need the templates for MBAM 2.5 SP1. You will need a domain admin to import them into the Group Policy store for your domain.
Installing the Databases
Installing your SQL instance is straight forward. I elected to do a named instance, but I used the default ports, so setup wasn’t difficult. If you use a named instance, be sure to also open the SQL Browser Server port (UDP 1434). You only need database services and SQL Server Reporting Services.
Once SQL has installed, we’re ready to load the MBAM server software and install our databases. You’ll need to run MbamServerSetup.exe and the latest servicing release patch. This setup installs a configuration wizard on your server that you then use to install the other components.
After installation, launch the MBAM Server Configuration wizard and click “Add New Features”. We’re going to be installed the databases, so check both of their boxes:
After the prerequisite check completes, fill in the options on the next screen. You have the option of giving the MBAM databases different names, but I would caution against it. As I said earlier, I installed the SQL instance into a named instance. If you used the default instance, leave that box blank. Also, be sure to list the correct user accounts. The read/write account is the IIS account (MBAM_IIS), while the read-only account is the SSRS account (MBAM_SSRS).
We can now install the databases. It doesn’t take long for the wizard to run.
Installing the Reports
Because we are not installing IIS on this server, ports 80 and 443 (HTTP and HTTPS) are not opened. You need to manually add a firewall rule to allow web traffic.
We’re also going to install the reports on the database server. You must run the SQL Reporting Services configuration wizard first to build the reporting webpages. To do that, open Reporting Services Configuration Manager. Go to the Databases node and click “Change Database”.
Walk through this wizard to create new reporting services databases. You shouldn’t have to change any options, except adding the instance name on the second screen (if you installed SQL to a named instance).
Once the databases are created, go to the “Web Service URL” node. If you want to put reporting services on HTTPS, select the certificate in the “HTTPS Certificate” box. Now click the “Apply” button to build the web service site. For my site, the URL that we will be using later is http://MBAM01/ReportServer_MBAM.
Now, go to the “Web Portal URL” node and do the same thing. The URL for this site is http://MBAM01/Reports_MBAM.
Now that we have SSRS configured, lets jump back into the MBAM Server Configuration wizard. Click “Add New Features” again, and this time check the “Reports” box.
For this page, most of it is self-explanatory. The “SQL Server Reporting Services instance” box, however, if not. This is the part of the URL for your reporting webpage after the underscore. For me, that’s MBAM. The box for “Reporting role domain group” is the group we created for reporting users. Finally, the “Compliance and Audit Database domain account” is the SSRS account.
After you fill all of that in, the wizard will build the reports.
Come back later this week for part 2, where we install the Administration and Self-Service Portals, go over the Group Policy settings, and deploy the MBAM client.
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.