MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies

Before starting the Microsoft BitLocker Administration and Monitoring (MBAM) installation, you must complete the prerequisites listed in this article. These prerequisites apply to the MBAM Stand-alone topology and System Center Configuration Manager Integration topology.

If you're deploying MBAM with System Center Configuration Manager, you must complete additional prerequisites, which are listed in MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology.

For a list of the supported hardware and operating systems for MBAM, see MBAM 2.5 Supported Configurations.

Important
If BitLocker was used on a client before MBAM, decrypt the drive and then clear the TPM by using tpm.msc. MBAM can't take ownership of the TPM if the client PC is already encrypted and a TPM owner password has already been created.
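The client-side preparation described in the note, as an added PowerShell example that is not part of the MBAM documentation. It uses the BitLocker and TrustedPlatformModule modules (Windows 8 / Windows Server 2012 and later); the function name and the 30-second poll interval are this example's own choices. Decrypting leaves the data unprotected until MBAM re-encrypts it, so run this only on clients you are about to enrol.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the MBAM documentation. Assumes the BitLocker and
# TrustedPlatformModule modules are available (Windows 8 / Server 2012 and later).

function Reset-ClientForMbam {
    # 1. Start decryption on every volume that still has BitLocker on it.
    $encrypted = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    foreach ($vol in $encrypted) {
        switch ($vol.VolumeStatus) {
            'DecryptionInProgress' { }                                   # already on its way
            'DecryptionPaused'     { Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null }
            default {
                Write-Host "Starting decryption of $($vol.MountPoint) (status $($vol.VolumeStatus))"
                Disable-BitLocker -MountPoint $vol.MountPoint | Out-Null
            }
        }
    }

    # 2. Wait for decryption to finish. Clearing the TPM first would destroy the key that
    #    protects any still-encrypted volume and leave it unreadable.
    while (Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        Start-Sleep -Seconds 30   # arbitrary poll interval
    }

    # 3. Clear the TPM so that the MBAM client can take ownership when it is installed.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'No TPM detected; MBAM cannot manage a TPM protector on this computer.'
    }
    Clear-Tpm | Out-Null
    Write-Host 'TPM clear requested. Restart, accept the physical-presence prompt if the firmware shows one, then install the MBAM client.'
}

Reset-ClientForMbam
```

On most hardware the clear is carried out at the next restart after the user confirms a physical-presence prompt; the script cannot complete that step for you, so check Get-Tpm again after the restart before pushing the client.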

Required MBAM roles and accounts

Prerequisite Details

Groups created in Active Directory Domain Services (AD DS)

See Planning for MBAM 2.5 Groups and Accounts for a description of these groups and accounts.

Prerequisites for the Recovery Database

Prerequisite Details

Supported version of SQL Server

Install Microsoft SQL Server with SQL_Latin1_General_CP1_CI_AS collation.

See MBAM 2.5 Supported Configurations for supported versions.

Required SQL Server permissions

Required permissions:

  • SQL Server instance login server roles:

    • dbcreator

    • processadmin

  • SQL Server Reporting Services instance rights:

    • Create Folders

    • Publish Reports

Optional - Install the Transparent Data Encryption (TDE) feature available in SQL Server

The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries.

Note

TDE performs real-time decryption of database information. This means that, if you're viewing recovery key information in the SQL Server database and you're logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see MBAM 2.5 Security Considerations.

SQL Server Database Engine Services

SQL Server Database Engine Services must be installed and running during MBAM Server installation.

Windows PowerShell 3.0 or later

Windows PowerShell doesn't have to be installed on the Recovery Database server if you're using Windows PowerShell to configure the database from a remote computer.

Prerequisites for the Compliance and Audit Database

Prerequisite Details

Supported version of SQL Server

Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation.

See MBAM 2.5 Supported Configurations for supported versions.

Required SQL Server permissions

Required permissions:

  • SQL Server instance login server roles:

    • dbcreator

    • processadmin

  • SQL Server Reporting Services instance rights:

    • Create Folders

    • Publish Reports

Optional - Install the Transparent Data Encryption (TDE) feature in SQL Server

The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries.

TDE performs real-time decryption of database information. This means that, if you're viewing recovery key information in the SQL Server database and you're logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see MBAM 2.5 Security Considerations.
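The SQL Server prerequisites above are the same for the Recovery Database and the Compliance and Audit Database, so one added example serves both sections. It is not part of the MBAM documentation: it assumes the SqlServer PowerShell module (Invoke-Sqlcmd), Windows authentication as the account that will run the MBAM Server installer, and MBAM's default database names; the certificate name MbamTdeCert and the backup folder are also assumptions. The first function checks the collation and server-role requirements and reports TDE state; the second enables TDE on a database and backs up the certificate first, because without that backup an encrypted database and every backup of it are unrecoverable.

```powershell
# Added example, not from the MBAM documentation. Requires the SqlServer module
# (Invoke-Sqlcmd); run as the login that will install MBAM Server.

function Test-MbamSqlPrerequisites {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        # Assumption: MBAM's default database names; adjust if you chose different ones.
        [string[]]$Database = @('MBAM Recovery and Hardware', 'MBAM Compliance Status')
    )
    $problems = @()

    $collation = (Invoke-Sqlcmd -ServerInstance $ServerInstance -Query "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS Collation").Collation
    if ($collation -ne 'SQL_Latin1_General_CP1_CI_AS') {
        $problems += "Instance collation is '$collation'; MBAM requires SQL_Latin1_General_CP1_CI_AS."
    }

    # IS_SRVROLEMEMBER reports on the login running this query, so run it as the installing account.
    foreach ($role in 'dbcreator', 'processadmin') {
        $isMember = (Invoke-Sqlcmd -ServerInstance $ServerInstance -Query "SELECT IS_SRVROLEMEMBER('$role') AS IsMember").IsMember
        if ($isMember -ne 1) { $problems += "Current login is not a member of the $role server role." }
    }

    # encryption_state 3 = encrypted, 0 = no database encryption key (requires VIEW SERVER STATE).
    $tde = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT d.name, ISNULL(k.encryption_state, 0) AS encryption_state
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
"@
    foreach ($name in $Database) {
        $row = $tde | Where-Object { $_.name -eq $name }
        if (-not $row) { Write-Host "$name does not exist yet (normal before MBAM Server setup)."; continue }
        if ($row.encryption_state -ne 3) {
            Write-Warning "$name is not TDE-encrypted (state $($row.encryption_state)); its data, log and backup files hold recovery keys in clear."
        }
    }

    if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return $false }
    return $true
}

function Enable-MbamDatabaseTde {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$CertificateBackupFolder,   # assumption: a folder only DBAs can read
        [Parameter(Mandatory)][securestring]$Password             # protects the master key and the .pvk backup
    )
    $db     = $Database.Replace(']', ']]')                                        # bracket-escape the name
    $pw     = (New-Object System.Net.NetworkCredential('', $Password)).Password.Replace("'", "''")
    $backup = (Join-Path $CertificateBackupFolder 'MbamTdeCert').Replace("'", "''")

    $tsql = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$pw';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'MbamTdeCert')
BEGIN
    CREATE CERTIFICATE MbamTdeCert WITH SUBJECT = 'MBAM TDE certificate';
    -- Back the certificate up before anything is encrypted with it.
    BACKUP CERTIFICATE MbamTdeCert TO FILE = '$($backup).cer'
        WITH PRIVATE KEY (FILE = '$($backup).pvk', ENCRYPTION BY PASSWORD = '$pw');
END;
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE MbamTdeCert;
ALTER DATABASE [$db] SET ENCRYPTION ON;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $tsql
}
```

As the note above says, TDE only protects the files and backups at rest: anyone with read permission on the database still sees recovery keys in clear, so keep the db_datareader membership on these databases to the MBAM service accounts and the few people who need it.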

SQL Server Database Engine Services

SQL Server Database Engine Services must be installed and running during MBAM Server installation. However, SQL Server can be running remotely; it doesn’t have to be on the same server on which you're installing the MBAM Server software.

Windows PowerShell 3.0 or later

Windows PowerShell doesn't have to be installed on the Compliance and Audit Database server if you're using Windows PowerShell to configure the database from a remote computer.

Prerequisites for the Reports

Prerequisite Details

Supported version of SQL Server

Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation.

See MBAM 2.5 Supported Configurations for supported versions.

SQL Server Reporting Services (SSRS)

SSRS must be installed and running during the MBAM Server installation.

Configure SSRS in "native" mode and not in unconfigured or "SharePoint" mode.

SSRS instance rights – required for configuring Reports only if you're installing databases on a separate server from the server where Reports are configured.

Required instance rights:

  • Create Folders

  • Publish Reports

Windows PowerShell 3.0 or later

Windows PowerShell doesn't have to be installed on the server that hosts the Reports if you're using Windows PowerShell to configure the Reports from a remote computer.

Prerequisites for the Administration and Monitoring Server

The following table lists the installation prerequisites for the MBAM Administration and Monitoring Server.

Prerequisite Details

Windows Server Web Server Role

This role must be added to a server operating system that is supported for the Administration and Monitoring Server feature.

Web Server (IIS) Management Tools

Click IIS Management Scripts and Tools.

SSL Certificate

Optional for installation, but required to secure communication between the client computers and the web services: obtain and install a certificate signed by a trusted certification authority. Without it, recovery data travels between clients and the web services in clear.

Web Server Role Services

Common HTTP Features:

  • Static Content

  • Default Document

Application Development:

  • ASP.NET

  • .NET Extensibility

  • ISAPI Extensions

  • ISAPI Filters

Security:

  • Windows Authentication

  • Request Filtering

Windows Server Features

.NET Framework 4.5 features:

  • .NET Framework 4.5 or 4.6

    • Windows Server 2016 - .NET Framework 4.6 is already installed on this version of Windows Server, but you must enable it.

    • Windows Server 2012 or Windows Server 2012 R2 - .NET Framework 4.5 is already installed for these versions of Windows Server, but you must enable it.

    • Windows Server 2008 R2 - .NET Framework 4.5 isn't included with Windows Server 2008 R2, so you must download Microsoft .NET Framework 4.5 and install it separately.

      Note

      If you're upgrading from MBAM 2.0 or MBAM 2.0 SP1 and need to install .NET Framework 4.5, see Release Notes for MBAM 2.5 for an additional required step to make the websites work.

  • WCF Activation

    • HTTP Activation

    • Non-HTTP Activation (Only for Windows Server 2008, 2012, and 2012 R2)

  • TCP Activation

Windows Process Activation Service:

  • Process Model

  • .NET Framework Environment

  • Configuration APIs
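The role services and features listed above, installed in one step: an added PowerShell example that is not part of the MBAM documentation. It uses the ServerManager module on Windows Server 2012 R2 / 2016; the feature names are the Server Manager identifiers for the items in the table, and mapping "Non-HTTP Activation" to named-pipe activation on those versions is an assumption.

```powershell
# Added example, not from the MBAM documentation. Requires the ServerManager module
# (Windows Server 2012 R2 / 2016); run as an administrator.

$MbamAdminServerFeatures = @(
    'Web-Server',                 # Web Server (IIS) role
    'Web-Static-Content',         # Common HTTP Features: Static Content
    'Web-Default-Doc',            # Common HTTP Features: Default Document
    'Web-Asp-Net45',              # Application Development: ASP.NET
    'Web-Net-Ext45',              # Application Development: .NET Extensibility
    'Web-ISAPI-Ext',              # Application Development: ISAPI Extensions
    'Web-ISAPI-Filter',           # Application Development: ISAPI Filters
    'Web-Windows-Auth',           # Security: Windows Authentication
    'Web-Filtering',              # Security: Request Filtering
    'Web-Scripting-Tools',        # Management Tools: IIS Management Scripts and Tools
    'NET-Framework-45-Core',      # .NET Framework 4.5 / 4.6
    'NET-WCF-HTTP-Activation45',  # WCF Activation: HTTP Activation
    'NET-WCF-Pipe-Activation45',  # WCF Activation: Non-HTTP (named pipe) Activation (assumed mapping)
    'NET-WCF-TCP-Activation45',   # TCP Activation
    'WAS-Process-Model',          # Windows Process Activation Service: Process Model
    'WAS-NET-Environment',        # Windows Process Activation Service: .NET Framework Environment
    'WAS-Config-APIs'             # Windows Process Activation Service: Configuration APIs
)

function Install-MbamAdminServerFeatures {
    Import-Module ServerManager

    $missing = Get-WindowsFeature -Name $MbamAdminServerFeatures | Where-Object { -not $_.Installed }
    if (-not $missing) { Write-Host 'All required features are already installed.'; return }

    $result = Install-WindowsFeature -Name $missing.Name
    if (-not $result.Success) { throw "Feature installation failed (exit code $($result.ExitCode))." }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Restart the server before running MBAM Server setup.' }

    # Anything still listed here must be fixed before MBAM Server setup.
    Get-WindowsFeature -Name $MbamAdminServerFeatures | Where-Object { -not $_.Installed }
}

Install-MbamAdminServerFeatures
```

Installing only the listed role services, rather than the whole Web Server role with all sub-features, keeps the attack surface of the Administration and Monitoring Server to what MBAM actually needs.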

ASP.NET MVC 4.0[1]

ASP.NET MVC 4 download

Service Principal Name (SPN)

The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See Setspn for information about the rights required to create SPNs.

If you don't have administrative rights to create SPNs, you must ask the Active Directory administrators in your organization to create the SPN for you by using the following command.

Setspn -s http/mbamvirtual contoso\mbamapppooluser
Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

In the code example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pools is contoso\mbamapppooluser.

Note

If you're setting up Load Balancing, use the same application pool account on all servers.

For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see Planning How to Secure the MBAM Websites.

[1]ASP.NET MVC 4.0 is no longer required after the January 2023 servicing update (HF08).

Prerequisites for the Self-Service Portal

Prerequisite Details

Supported version of Windows Server

See MBAM 2.5 Supported Configurations for supported versions.

ASP.NET MVC 4.0[2]

ASP.NET MVC 4 download

Web Server (IIS) Management Tools

Service Principal Name (SPN)

The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See Setspn for information about the rights required to create SPNs.

If you don't have administrative rights to create SPNs, you must ask the Active Directory administrators in your organization to create the SPN for you by using the following command.

Setspn -s http/mbamvirtual contoso\mbamapppooluser
Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

In the code example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pools is contoso\mbamapppooluser.

Note

If you're setting up Load Balancing, use the same application pool account on all servers.

For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see Planning How to Secure the MBAM Websites.
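The SPN registration described here and in the Administration and Monitoring Server section above, as an added PowerShell example that is not part of the MBAM documentation. It wraps the two Setspn commands shown on the page with a duplicate check, because an SPN that is also registered on another account breaks Kerberos authentication to the MBAM sites. It assumes the ActiveDirectory module, setspn.exe on a domain-joined server, and an account allowed to write servicePrincipalName on the application pool account; the host name and account defaults are the page's sample values.

```powershell
# Added example, not from the MBAM documentation. Requires the ActiveDirectory module and
# setspn.exe; run as an account that may write servicePrincipalName on the app pool account.

function Register-MbamSpn {
    param(
        [string]$VirtualHostName = 'mbamvirtual.contoso.com',   # sample value from the documentation
        [string]$AppPoolAccount  = 'contoso\mbamapppooluser'    # sample value from the documentation
    )
    Import-Module ActiveDirectory
    $sam  = $AppPoolAccount.Split('\')[-1]
    $user = Get-ADUser -Identity $sam

    # Both the NetBIOS and the fully qualified name, matching the two Setspn commands above.
    $spns = @("http/$($VirtualHostName.Split('.')[0])", "http/$VirtualHostName")

    foreach ($spn in $spns) {
        # Look for the SPN on any object in the domain. A duplicate on another account means
        # the KDC cannot issue a usable ticket for the MBAM sites until it is removed.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        $others  = @($holders | Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })
        if ($others.Count -gt 0) {
            throw "$spn is already registered on $($others.DistinguishedName -join '; '); remove it before continuing."
        }
        if ($holders.Count -gt 0) { Write-Host "$spn is already registered on $sam."; continue }

        # -s re-checks for duplicates before adding; do not use -a, which adds blindly.
        & setspn.exe -s $spn $AppPoolAccount | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "setspn -s failed for $spn (exit code $LASTEXITCODE)." }
    }

    # Final SPN list on the account, to compare against the website bindings.
    (Get-ADUser -Identity $sam -Properties servicePrincipalName).servicePrincipalName
}

Register-MbamSpn
```

The LDAP search covers the current domain only; in a multi-domain forest, pass a global catalog to Get-ADObject (the -Server parameter with port 3268) or run setspn -X to look for duplicates forest-wide. When the sites are load balanced, register the SPNs for the virtual host name once, on the single application pool account that all servers share.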

[2]ASP.NET MVC 4.0 is no longer required after the January 2023 servicing update (HF08).

Prerequisites for the Management Workstation

Prerequisite Details

Before installing the MBAM client, download the MBAM Group Policy Templates and configure them with the settings that you want to implement in your enterprise for BitLocker Drive Encryption.

Before installing the MBAM Client, do the following:

  • Copy the MBAM Group Policy Templates. For instructions, see Copying the MBAM 2.5 Group Policy Templates.

  • Edit the Group Policy settings. For instructions, see Editing the MBAM 2.5 Group Policy Settings.
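Copying the templates into the domain's Group Policy Central Store, as an added PowerShell example that is not part of the MBAM documentation. It assumes the downloaded MBAM 2.5 templates were extracted to a folder with the .admx files in its root and the .adml files in language subfolders such as en-US, and that the Central Store is at the standard SYSVOL location; the function name and parameters are this example's own.

```powershell
# Added example, not from the MBAM documentation. Run from a domain-joined management
# workstation as an account that can write to the SYSVOL PolicyDefinitions folder.

function Copy-MbamPolicyTemplates {
    param(
        [Parameter(Mandatory)][string]$SourceFolder,       # assumption: extracted MBAM 2.5 templates
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$CentralStore                               # defaults to the standard SYSVOL Central Store
    )
    if (-not $CentralStore) { $CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions" }
    if (-not (Test-Path $CentralStore)) {
        throw "Central Store $CentralStore does not exist; create it (seed it from %SystemRoot%\PolicyDefinitions) first."
    }

    $admx = @(Get-ChildItem -Path $SourceFolder -Filter *.admx -File)
    if ($admx.Count -eq 0) { throw "No .admx files found in $SourceFolder." }

    foreach ($file in $admx) {
        Copy-Item -Path $file.FullName -Destination $CentralStore -Force

        # Each ADMX needs its language resource (.adml) in the matching language subfolder;
        # otherwise the Group Policy editor reports the template as missing resources.
        foreach ($langDir in Get-ChildItem -Path $SourceFolder -Directory) {
            $adml = Join-Path $langDir.FullName "$($file.BaseName).adml"
            if (Test-Path $adml) {
                $dest = Join-Path $CentralStore $langDir.Name
                New-Item -ItemType Directory -Path $dest -Force | Out-Null
                Copy-Item -Path $adml -Destination $dest -Force
            }
        }
    }

    # Show what now sits in the Central Store for the copied templates.
    Get-ChildItem -Path $CentralStore -Filter *.admx | Where-Object { $_.Name -in $admx.Name }
}

Copy-MbamPolicyTemplates -SourceFolder 'C:\Temp\MBAM 2.5 Templates'   # hypothetical extraction path
```

Once the files are in the Central Store they replicate with SYSVOL to every domain controller, and the MBAM settings appear under Computer Configuration in the Group Policy Management Editor on any management workstation, which is what the editing step that follows relies on.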

Preparing your Environment for MBAM 2.5

Planning to Deploy MBAM 2.5

MBAM 2.5 Supported Configurations
