MBAM 2.0 Deployment Prerequisites

Before you start Microsoft BitLocker Administration and Monitoring (MBAM) Setup, you should ensure that you have met the prerequisites to install the product. This section contains information to help you successfully plan your computing environment before you deploy Microsoft BitLocker Administration and Monitoring Server features and Clients. If you are installing MBAM with Configuration Manager, see Planning to Deploy MBAM with Configuration Manager for additional prerequisites.

Installation Prerequisites for MBAM Server Features

Each of the MBAM Server features has specific prerequisites that must be met before the MBAM features can be successfully installed. MBAM Setup checks that all prerequisites are met before the installation starts.

Prerequisites for Administration and Monitoring Server

Prerequisite Details

Windows Server Web Server Role

This role must be added to a server operating system that is supported for the Administration and Monitoring Server feature.

Web Server (IIS) Management Tools

Select IIS Management Scripts and Tools.

SSL Certificate

Optional. To secure communication between the clients and the web services, you have to obtain and install a certificate that a trusted security authority signed.

Web Server Role Services

Common HTTP Features:

  • Static Content

  • Default Document

Application Development:

  • ASP.NET

  • .NET Extensibility

  • ISAPI Extensions

  • ISAPI Filters

Security:

  • Windows Authentication

  • Request Filtering

Windows Server Features

.NET Framework 3.5.1 features:

  • .NET Framework 3.5.1

  • WCF Activation

    • HTTP Activation

    • Non-HTTP Activation

Windows Process Activation Service:

  • Process Model

  • .NET Environment

  • Configuration APIs

Note
For a list of supported operating systems, see MBAM 2.0 Supported Configurations.
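The role services and features listed above can be audited before running MBAM Setup. The script below is an added example, not part of the original page or of MBAM; the ServerManager feature names are the Windows Server 2008 R2 names and are an assumption to confirm with Get-WindowsFeature on your server version.

```powershell
# Added example: audit the Administration and Monitoring Server prerequisites.
Import-Module ServerManager

# Page prerequisite -> ServerManager feature name (2008 R2 naming, assumed).
$required = @(
    @('Web Server (IIS) role',            'Web-Server'),
    @('IIS Management Scripts and Tools', 'Web-Scripting-Tools'),
    @('Static Content',                   'Web-Static-Content'),
    @('Default Document',                 'Web-Default-Doc'),
    @('ASP.NET',                          'Web-Asp-Net'),
    @('.NET Extensibility',               'Web-Net-Ext'),
    @('ISAPI Extensions',                 'Web-ISAPI-Ext'),
    @('ISAPI Filters',                    'Web-ISAPI-Filter'),
    @('Windows Authentication',           'Web-Windows-Auth'),
    @('Request Filtering',                'Web-Filtering'),
    @('.NET Framework 3.5.1',             'NET-Framework-Core'),
    @('WCF Activation',                   'NET-Win-CFAC'),
    @('HTTP Activation',                  'NET-HTTP-Activation'),
    @('Non-HTTP Activation',              'NET-Non-HTTP-Activ'),
    @('WAS Process Model',                'WAS-Process-Model'),
    @('WAS .NET Environment',             'WAS-NET-Environment'),
    @('WAS Configuration APIs',           'WAS-Config-APIs')
)

# Index every feature the server knows about by name.
$installed = @{}
Get-WindowsFeature | ForEach-Object { $installed[$_.Name] = $_.Installed }

$report = foreach ($pair in $required) {
    $name = $pair[1]
    # UnknownName means this OS version uses a different feature name.
    if (-not $installed.ContainsKey($name)) { $state = 'UnknownName' }
    elseif ($installed[$name])              { $state = 'Installed' }
    else                                    { $state = 'Missing' }
    New-Object PSObject -Property @{
        Prerequisite = $pair[0]; Feature = $name; State = $state
    }
}
$report | Sort-Object State | Format-Table Prerequisite, Feature, State -AutoSize

# The SSL certificate is optional on the page; report whether an HTTPS binding exists.
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    $https = @(Get-WebBinding -Protocol https)
    "HTTPS bindings found: $($https.Count)"
}
```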

Prerequisites for the Compliance and Audit Reports

Prerequisite Details

Supported version of SQL Server

See MBAM 2.0 Supported Configurations for supported versions.

Install SQL Server with:

  • SQL_Latin1_General_CP1_CI_AS collation

SQL Server Reporting Services (SSRS)

SSRS instance rights – required for installing reports only if you are installing databases on a separate server from the reports.

Required instance rights:

  • Create Folders

  • Publish Reports

SSRS must be installed and running during the MBAM Server installation. Configure SSRS in “native” mode and not in unconfigured or “SharePoint” mode.

Prerequisites for the Recovery Database

Prerequisite Details

Supported version of SQL Server

See MBAM 2.0 Supported Configurations for supported versions.

Install SQL Server with:

  • SQL_Latin1_General_CP1_CI_AS collation

  • SQL Server Management Tools

Required SQL Server permissions

Required permissions:

  • SQL instance Login Server roles:

    • dbcreator

    • processadmin

  • SQL Server Reporting Services instance rights:

    • Create Folders

    • Publish Reports

Optional - Install Transparent Data Encryption (TDE) feature available in SQL Server

The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with many laws, regulations, and guidelines established in various industries.

Note

TDE performs real-time decryption of database information, which means that, if the account under which you are logged on has permissions to the database while you are viewing the recovery key information in the SQL Server tables, the recovery key information is visible.

More about TDE: MBAM 2.0 Security Considerations.

Prerequisites for the Compliance and Audit Database

Prerequisite Details

Supported version of SQL Server

See MBAM 2.0 Supported Configurations for supported versions.

Install SQL Server with:

  • SQL_Latin1_General_CP1_CI_AS collation

  • SQL Server Management Tools

Required SQL Server permissions

Required permissions:

  • SQL instance Login Server roles:

    • dbcreator

    • processadmin

  • SQL Server Reporting Services instance rights:

    • Create Folders

    • Publish Reports

Optional - Install Transparent Data Encryption (TDE) feature in SQL Server.

The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with many laws, regulations, and guidelines established in various industries.

Note

TDE performs real-time decryption of database information, which means that, if the account under which you are logged on has permissions to the database while you are viewing the recovery key information in the SQL Server tables, the recovery key information is visible.

More about TDE: MBAM 2.0 Security Considerations

SQL Server must have Database Engine Services installed and running during MBAM Server installation.

The SQL Server Agent service must be running and set to auto-start on the selected instances of SQL Server.
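The SQL Server prerequisites for the Recovery Database and the Compliance and Audit Database can be verified with one query plus a service check. This is an added example, not part of the original page; it assumes it is run on the SQL Server computer as the account that will install MBAM, that this account may read sys.dm_database_encryption_keys (VIEW SERVER STATE), and the database name is a placeholder you must replace.

```powershell
# Added example: verify collation, server roles, SQL Server Agent and TDE state.
param(
    [string]$SqlInstance = 'localhost',            # assumption: local default instance
    [string]$Database    = '<MBAM database name>'  # placeholder; used only for the TDE lookup
)

$sql = @'
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS Collation,
       IS_SRVROLEMEMBER('dbcreator')                      AS IsDbCreator,
       IS_SRVROLEMEMBER('processadmin')                   AS IsProcessAdmin,
       (SELECT MAX(encryption_state)
          FROM sys.dm_database_encryption_keys
         WHERE database_id = DB_ID(@db))                  AS TdeState;
'@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=SSPI")
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $sql
[void]$cmd.Parameters.AddWithValue('@db', $Database)
$conn.Open()    # succeeds only if Database Engine Services is running
try {
    $row = $cmd.ExecuteReader()
    [void]$row.Read()
    $collation = $row['Collation']
    $dbCreator = $row['IsDbCreator']
    $procAdmin = $row['IsProcessAdmin']
    $tdeState  = $row['TdeState']      # DBNull when the database has no encryption key
} finally { $conn.Close() }

# Agent service name differs between default and named instances.
if ($SqlInstance -match '\\(.+)$') { $svcName = 'SQLAgent$' + $Matches[1] }
else                               { $svcName = 'SQLSERVERAGENT' }
$agent = Get-WmiObject Win32_Service -Filter "Name='$svcName'"

New-Object PSObject -Property @{
    Collation      = $collation
    CollationOk    = ($collation -eq 'SQL_Latin1_General_CP1_CI_AS')
    DbCreator      = ($dbCreator -eq 1)
    ProcessAdmin   = ($procAdmin -eq 1)
    AgentRunning   = ($agent -and $agent.State -eq 'Running')
    AgentAutoStart = ($agent -and $agent.StartMode -eq 'Auto')
    TdeEncrypted   = ($tdeState -eq 3)   # 3 = database is encrypted
} | Format-List
```

TdeEncrypted is expected to be False before MBAM Setup has created the database, because TDE is enabled per database after it exists.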

Prerequisites for the Self-Service Portal

Prerequisite Details

Supported version of Windows Server

See MBAM 2.0 Supported Configurations for supported versions.

ASP.NET MVC 2.0

ASP.NET MVC 2 download

Web Service IIS Management Tools

Prerequisites for MBAM Clients

Prerequisite Details

Windows 7 clients only - must have Trusted Platform Module (TPM) capability.

TPM version must be 1.2 or later.

The TPM chip must be turned on in the BIOS and be resettable from the operating system.

For more information, see the BIOS documentation.

Windows 8 clients only: To have MBAM store and manage the TPM recovery keys:

  • TPM auto-provisioning must be turned off.

  • MBAM must be set as the owner of the TPM before you deploy MBAM.

To turn off TPM auto-provisioning, see Disable-TpmAutoProvisioning.

Note

Ensure that the keyboard, video, or mouse are directly connected and not managed through a keyboard, video, or mouse (KVM) switch. A KVM switch can interfere with the ability of the computer to detect the physical presence of hardware.
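The client TPM requirements above can be checked on each computer before the MBAM Client is deployed. This is an added example, not part of the original page; it reads the Windows Win32_Tpm WMI class and, on Windows 8, the Get-Tpm cmdlet, and must be run elevated. The function name is hypothetical.

```powershell
# Added example: report TPM readiness against the MBAM client prerequisites.
function Test-MbamTpmPrereq {
    $os  = [Environment]::OSVersion.Version
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    $result = New-Object PSObject -Property @{
        OSVersion        = "$($os.Major).$($os.Minor)"
        TpmPresent       = [bool]$tpm
        SpecVersion      = $null
        SpecOk           = $false      # true when the TPM is version 1.2 or later
        Enabled          = $false      # turned on in the BIOS
        Owned            = $false
        AutoProvisioning = 'n/a'       # only meaningful on Windows 8 and later
    }
    if (-not $tpm) { return $result }

    # SpecVersion looks like "1.2, 2, 3"; the first field is the TPM version.
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()
    $result.SpecVersion = $spec
    try   { $result.SpecOk = ([version]$spec -ge [version]'1.2') }
    catch { $result.SpecOk = $false }  # unparsable value reported by the firmware

    $result.Enabled = [bool]$tpm.IsEnabled_InitialValue
    $result.Owned   = [bool]$tpm.IsOwned_InitialValue

    # Windows 8 (6.2) and later: auto-provisioning must be off for MBAM to own the TPM.
    if ($os -ge [version]'6.2' -and (Get-Command Get-Tpm -ErrorAction SilentlyContinue)) {
        $result.AutoProvisioning = [string](Get-Tpm).AutoProvisioning
    }
    return $result
}

Test-MbamTpmPrereq |
    Format-List OSVersion, TpmPresent, SpecVersion, SpecOk, Enabled, Owned, AutoProvisioning
```

The check does not cover whether the TPM is resettable from the operating system; that depends on the BIOS, as stated above.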

Planning to Deploy MBAM 2.0

MBAM 2.0 Supported Configurations