This is part two of a series about installing and configuring MBAM. For part one, go here: https://windowsmanagementexperts.com/installing-and-configuring-mbam-part-1/installing-and-configuring-mbam-part-1.htm.
In this part, we are going to install the administrative and self-service portals, look at the GPO settings, and install the MBAM client.
Installing the Portals
First, we need to install IIS on our web server. Here are the roles/features you need beyond the default IIS installation. These apply to Server 2016, and should also apply to Server 2012 R2. If you’re using Server 2008 R2, you really shouldn’t.
- Security: Windows Authentication
- Application development: ASP.NET 4.6, .NET Extensibility 4.6, ISAPI Extensions, ISAPI Filters
- Management Tools: IIS Management Scripts and Tools
You also must enable .NET Framework 3.5 Features and Non-HTTP Activation (under .NET 3.5). Also, under .NET Framework 4.6 Features, enable HTTP Activation and TCP Activation. When you enable .NET 3.5, it should ask you to enable all features under “Windows Process Activation Service”. Keep that, as those three features are required as well.
Finally, if you’re installing the self-service portal, you must install ASP.NET MVC 4, available for download here: https://microsoft.com/download/details.aspx?id=30683.
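The same prerequisites can be installed from an elevated PowerShell prompt instead of Server Manager. The script below is an added example, not part of the original post: it maps each item in the list above to its Windows Server feature name, reports what is missing before installing, and re-checks afterwards. The `D:\sources\sxs` path for the .NET 3.5 payload is an assumption (point it at your mounted installation media).

```powershell
# Added example (not from the original post): installs the IIS and .NET features
# listed above on Server 2016 / 2012 R2 using the Server Manager cmdlets.
# Run in an elevated PowerShell session on the MBAM web server.
$features = @(
    'Web-Server',                 # IIS role (default installation)
    'Web-Windows-Auth',           # Security: Windows Authentication
    'Web-Asp-Net45',              # Application development: ASP.NET 4.6
    'Web-Net-Ext45',              # .NET Extensibility 4.6
    'Web-ISAPI-Ext',              # ISAPI Extensions
    'Web-ISAPI-Filter',           # ISAPI Filters
    'Web-Scripting-Tools',        # Management Tools: IIS Management Scripts and Tools
    'NET-Framework-Core',         # .NET Framework 3.5 Features
    'NET-Non-HTTP-Activ',         # .NET 3.5: Non-HTTP Activation
    'NET-WCF-HTTP-Activation45',  # .NET 4.6: HTTP Activation
    'NET-WCF-TCP-Activation45',   # .NET 4.6: TCP Activation
    'WAS',                        # Windows Process Activation Service and its three sub-features
    'WAS-Process-Model',
    'WAS-NET-Environment',
    'WAS-Config-APIs'
)

# Report what is missing before changing anything, so the run is reviewable.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Host "Installing: $($missing.Name -join ', ')"
    # The .NET 3.5 payload is not on the image by default; -Source points at the
    # sources\sxs folder of mounted installation media (path is an assumption).
    $result = Install-WindowsFeature -Name $missing.Name -Source 'D:\sources\sxs'
    if (-not $result.Success) {
        throw "Feature installation failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'Restart the server before running the MBAM Server Configuration Wizard.'
    }
} else {
    Write-Host 'All required IIS and .NET features are already installed.'
}

# Final check: every feature in the list should now report Installed = True.
Get-WindowsFeature -Name $features | Format-Table Name, Installed -AutoSize
```

ASP.NET MVC 4 is a separate download and is not a Windows feature, so it still has to be installed from the link above before the self-service portal will work.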
Be sure you’ve installed the MBAM server software on this server as well, following the same process from part one. Once installed, open the MBAM Server Configuration Wizard. Check the boxes for “Administration and Monitoring Website” and “Self-Service Portal”.
After the prerequisite check, we must configure the web applications. First, specify the HTTPS certificate that you’re going to use on the site. The wizard will fill some of the other information in.
Next, we must provide the application pool account. This is the service account that you created for IIS (MBAM_IIS).
The next two sections are telling the wizard where your databases are. Go ahead and fill in that information.
Next, we need to configure the Administration and Monitoring Website. Give the wizard the two groups you created for help desk access. Leave the data migration role group blank and don’t check the boxes for “Use System Center Configuration Manager Integration” and “Enable TPM lockout auto reset”. Finally, provide the reporting group and SSRS URL.
Finally, we need to configure the self-service portal. You can customize the “Help URL text” and “Helpdesk URL” to whatever you need for your organization.
Click Next to install the portals. Once the installation completes, you should be able to open the two web portals.
Next, we need to configure Group Policy. A lot of these settings will be determined based on your organization’s standards, so please review them all. I will go over the minimum required to get MBAM to function correctly. The MBAM settings are located at Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management).
The first thing to know is that you cannot use the BitLocker GPO settings located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption anymore, with very few exceptions, one of which we will specifically talk about. These settings conflict with MBAM.
The first policy we need to configure is “Configure MBAM services”, located under “Client Management”. This policy provides MBAM with its server addresses and defines policy check-ins. It’s easy to configure: put the application server in the first box and the database server in the second box. The check-in values are up to you, but I would set the status frequency to 30 minutes and the status report frequency to 180 minutes.
Next, let’s look at the settings in the “Operating System Drive” folder. “Operating system drive encryption settings” is the policy that defines TPM, or TPM + PIN, so be sure to configure that one. Next, make sure to set “Encryption Policy Enforcement Settings”. This policy defines how long a user can postpone encryption. A setting of “0” here will immediately enforce encryption.
Finally, look at “Configure pre-boot recovery message and URL”. With this setting, you can set a customized message and URL that users will see if they must put in the recovery key. This provides a good opportunity to point them directly to the self-service portal, or some documentation about BitLocker and the recovery process.
The other policies are all based on your organization. Set them to settings that best meet your requirements.
One of the settings you can configure in the BitLocker section is whether to encrypt the entire drive, or just used space. The policy you’re looking for is called “Enforce drive encryption type on operating system drives”, located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. There are two options for this: “Used Space Only encryption” and “Full encryption”.
Installing the MBAM Client
Installing the client is also straightforward. I recommend extracting the MSI from the installation EXE. The MSI will allow us to stream the latest servicing release patch into the installation. As of MBAM 2.5 SP1, you can extract the MSI by running this command:
MBAMClientSetup.exe /extract <path to extract MSI>
Once we have that, run this command to install the client:
msiexec /I MBAMClientSetup.msi /q PATCH=<path to msp patch file>\<msp file>.msp
For example: msiexec /I MBAMClientSetup.msi /q PATCH=C:\MBAM\MBAM-patch.msp
Once the MBAM client is installed, it will take over and encrypt the machine. Both elements must be in place for MBAM to function. You must have the client installed and GPO settings configured correctly. Just the GPO settings or just the client will not work.
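Since both halves have to be in place, it is worth scripting the client install together with a check that the “Configure MBAM services” policy has actually reached the machine. The script below is an added example, not code from the original post: it runs the extract and msiexec steps above, checks the msiexec exit code, and then verifies the agent service, the applied policy and the OS drive state. The staging paths under `C:\MBAM`, the service name `BitLockerManagementClientService` and the policy registry key `HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement` are assumptions; confirm them on a known-good machine before relying on them.

```powershell
# Added example (not from the original post): scripted client install plus the
# "both pieces present" check described above. Run elevated on the client.
$Root   = 'C:\MBAM'                                  # staging folder (assumption)
$Setup  = Join-Path $Root 'MBAMClientSetup.exe'
$MsiDir = Join-Path $Root 'msi'
$Patch  = Join-Path $Root 'MBAM-patch.msp'           # latest servicing release MSP
$Log    = Join-Path $Root 'MBAMClient-install.log'

# 1. Extract the MSI from the setup EXE (MBAM 2.5 SP1 and later).
New-Item -ItemType Directory -Path $MsiDir -Force | Out-Null
Start-Process -FilePath $Setup -ArgumentList "/extract `"$MsiDir`"" -Wait -NoNewWindow
$Msi = Get-ChildItem -Path $MsiDir -Filter 'MBAMClientSetup.msi' -Recurse | Select-Object -First 1
if (-not $Msi) { throw "MBAMClientSetup.msi not found under $MsiDir" }

# 2. Install quietly with the MSP streamed in and a verbose log for troubleshooting.
#    msiexec exit code 0 = success, 3010 = success with a reboot pending.
$msiArgs = @(
    '/i', "`"$($Msi.FullName)`"",
    '/qn', '/norestart',
    "PATCH=`"$Patch`"",
    "/l*v `"$Log`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $Log"
}

# 3. The agent service must exist and be running for MBAM to take over the machine.
#    Service name is an assumption; check it with Get-Service on a working client.
$svc = Get-Service -Name 'BitLockerManagementClientService' -ErrorAction SilentlyContinue
if (-not $svc) { throw 'MBAM client service not found; the install did not complete.' }
if ($svc.Status -ne 'Running') { Start-Service -InputObject $svc }

# 4. The "Configure MBAM services" GPO writes the server endpoints and check-in
#    frequencies under this policy key (key path is an assumption). Without it the
#    client has nowhere to escrow keys and will not encrypt, which is the
#    "client without GPO" case called out above.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
if (-not (Test-Path $pol)) {
    Write-Warning "No MBAM policy found at $pol. Run gpupdate /force and confirm the GPO is linked to this computer's OU."
} else {
    Write-Host 'MBAM policy applied; configured values:'
    Get-ItemProperty -Path $pol | Format-List
}

# 5. Report the OS drive state so the result of the takeover can be confirmed later.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
```

Keep the msiexec log: when a machine does not encrypt, the first question is whether the install actually succeeded, and the second is whether the policy key is present, and this script answers both.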
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.