Evaluating MBAM 1.0
Before you deploy Microsoft BitLocker Administration and Monitoring (MBAM) into a production environment, you should evaluate it in a lab environment. You can use the information in this topic to set up MBAM in a single server lab environment for evaluation purposes only.
While the actual deployment steps are very similar to the scenario that is described in How to Install and Configure MBAM on a Single Server, this topic contains additional information to enable you to set up an MBAM evaluation environment in the least amount of time.
Set up the Lab Environment
Even when you set up a non-production instance of MBAM to evaluate in a lab environment, you should still verify that you have met the deployment prerequisites and the hardware and software requirements. For more information, see MBAM 1.0 Deployment Prerequisites and MBAM 1.0 Supported Configurations. You should also review Preparing your Environment for MBAM 1.0 before you begin the MBAM evaluation deployment.
Plan for an MBAM Evaluation Deployment
Review the Getting Started information about MBAM to gain a basic understanding of the product before you begin your deployment planning.
Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.
You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup</em>. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.
Plan for and configure MBAM Group Policy requirements.
Plan for and create the necessary Active Directory Domain Services security groups and plan for MBAM local security group membership requirements.
Plan for MBAM Server feature deployment.
Plan for MBAM Client deployment.
Perform an MBAM Evaluation Deployment
After you complete the necessary planning and software prerequisite installations to prepare your computing environment for an MBAM installation, you can begin the MBAM evaluation deployment.
Review the MBAM supported configurations information to make sure that the selected client and server computers are supported for the MBAM feature installation.
Run MBAM Setup to deploy MBAM Server features on a single server for evaluation purposes.
Add the Active Directory Domain Services security groups that you created during the planning phase to the appropriate local MBAM Server feature local groups on the new MBAM server.
Create and deploy the required MBAM Group Policy Objects.
Deploy the MBAM Client software.
Configure Lab Computers for MBAM Evaluation
You can change the frequency settings on the MBAM Client status reporting by using Registry Editor. However, these modifications should be used for testing purposes only.
This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.
Modify the Frequency Settings on MBAM Client Status Reporting
The MBAM Client wakeup and status reporting frequencies have a minimum value of 90 minutes when they are set to use Group Policy. You can change these frequencies on MBAM client computers by editing the Windows registry to lower values, which will help speed up the testing. To modify the frequency settings on MBAM Client status reporting, use a registry editor to navigate to HKLM\Software\Policies\FVE\MDOPBitLockerManagement, change the values for ClientWakeupFrequency and StatusReportingFrequency to 1 as the minimum client supported value, and then restart BitLocker Management Client Service. When you make this change, the MBAM Client will report every minute. You can set values this low only when you do so manually in the registry.
Modify the Startup Delay on MBAM Client Service
In addition to the MBAM Client wakeup and status reporting frequencies, there is a random delay of up to 90 minutes when the MBAM Client agent service starts on client computers. If you do not want the random delay, create a DWORD value of NoStartupDelay under HKLM\Software\Microsoft\MBAM, set its value to 1, and then restart BitLocker Management Client Service.