How to Install and Configure MBAM on a Single Server
The procedures in this topic describe the full installation of the Microsoft BitLocker Administration and Monitoring (MBAM) features on a single server.
Each server feature has certain prerequisites. To verify that you have met the prerequisites and the hardware and software requirements, see MBAM 1.0 Deployment Prerequisites and MBAM 1.0 Supported Configurations. In addition, some features also have information that must be provided during the installation process to successfully deploy the feature. You should also review Preparing your Environment for MBAM 1.0 before you begin the MBAM deployment.
To obtain the setup log files, you must install MBAM by using the msiexec package and the /l <location> option. Log files are created in the location that you specify.
Additional setup log files are created in the %temp% folder of the user who is installing MBAM.
To install MBAM Server features on a single server
The following steps describe how to install general MBAM features.
Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup on 64-bit servers.
To start MBAM Server features installation
Start the MBAM installation wizard. Click Install at the Welcome page.
Read and accept the Microsoft Software License Terms, and then click Next to continue the installation.
By default, all MBAM features are selected for installation. Features that will be installed on the same computer must be installed together at the same time. Clear the features that you want to install elsewhere. You must install the MBAM features in the following order:
- Recovery and Hardware Database
- Compliance and Audit Database
- Compliance Audit and Reports
- Administration and Monitoring Server
- MBAM Group Policy Template
The installation wizard checks the prerequisites for your installation and displays the prerequisites that are missing. If all the prerequisites are met, the installation continues. If a missing prerequisite is detected, you must resolve the missing prerequisites, and then click Check prerequisites again. After all prerequisites are met, the installation resumes.
You are prompted to configure the network communication security. MBAM can encrypt the communication between the Recovery and Hardware Database, the Administration and Monitoring Server, and the clients. If you decide to encrypt the communication, you are asked to select the authority-provisioned certificate that will be used for encryption.
Click Next to continue.
The MBAM Setup wizard will display the installation pages for the selected features.
To deploy MBAM Server features
In the Configure the Recovery and Hardware database window, specify the instance of SQL Server and the name of the database that will store the recovery and hardware data. You must also specify both the database files location and the log information location.
Click Next to continue.
In the Configure the Compliance and Audit database window, specify the instance of the SQL Server and the name of the database that will store the compliance and audit data. Then, specify the database files location and the log information location.
Click Next to continue.
In the Compliance and Audit Reports window, specify the report service instance that will be used and provide a domain user account for accessing the database. This should be a user account that is provisioned specifically for this use. The user account should be able to access all data available to the MBAM Reports Users group.
Click Next to continue.
In the Configure the Administration and Monitoring Server window, enter the Port Binding, the Host Name (optional), and the Installation Path for the MBAM Administration and Monitoring server.
The port number that you specify must be an unused port number on the Administration and Monitoring server, unless a unique host header name is specified.
Click Next to continue.
Specify whether to use Microsoft Updates to help keep your computer secure, and then click Next. The Microsoft Updates option does not turn on the Automatic Updates in Windows.
When the Setup wizard has collected the necessary feature information, the MBAM installation is ready to start. Click Back to move back through the wizard if you want to review or change your installation settings. Click Install to begin the installation. Click Cancel to exit Setup. Setup installs the MBAM features and notifies you that the installation is completed.
Click Finish to exit the wizard.
After you install MBAM server features, you must add users to the MBAM roles. For more information, see Planning for MBAM 1.0 Administrator Roles.
To perform post installation configuration
After Setup is finished, you must add user roles so that you can give users access to features in the MBAM administration website. On the Administration and Monitoring Server, add users to the following local groups:
- MBAM Hardware Users: Members of this local group can access the Hardware feature in the MBAM administration website.
- MBAM Helpdesk Users: Members of this local group can access the Drive Recovery and Manage TPM features in the MBAM administration website. All fields in Drive Recovery and Manage TPM are required fields for a Helpdesk User.
- MBAM Advanced Helpdesk Users: Members of this local group have advanced access to the Drive Recovery and Manage TPM features in the MBAM administration website. For Advanced Helpdesk Users, only the Key ID field is required in Drive Recovery. For Manage TPM users, only the Computer Domain field and Computer Name field are required.
On the Administration and Monitoring Server, Compliance and Audit Database, and on the computer that hosts the Compliance and Audit Reports, add users to the following local group to enable them to access the Reports feature in the MBAM administration website:
- MBAM Report Users: Members of this local group can access the Reports features in the MBAM administration website.
Identical user membership or group membership of the MBAM Report Users local group must be maintained on all computers where the Administration and Monitoring Server features, Compliance and Audit Database, and Compliance and Audit Reports are installed.
To maintain identical memberships on all computers, you should create a domain security group and add that domain group to each local MBAM Report Users group. When you do this, you can manage the group memberships by using the domain group.
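The following PowerShell is an added example, not part of the original procedure: it adds one domain group to the local MBAM Report Users group on each listed computer and then checks that the resulting membership is identical everywhere. The server names and the CONTOSO/MBAM-ReportUsers group are constructed placeholders, and the script assumes it is run by an account with local administrator rights on every listed computer.

```powershell
# Constructed placeholders (assumptions): replace with your own names.
$Servers     = @('MBAMSRV01', 'MBAMSQL01', 'MBAMRPT01')   # every computer hosting the features
$LocalGroup  = 'MBAM Report Users'                        # local group named on this page
$DomainGroup = 'WinNT://CONTOSO/MBAM-ReportUsers'         # hypothetical domain security group

function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    # Members() returns COM objects; read each member's ADsPath by reflection.
    $g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$report = foreach ($server in $Servers) {
    $members = @(Get-LocalGroupMemberPath -Computer $server -Group $LocalGroup)
    if ($members -notcontains $DomainGroup) {
        # Add the domain group once; after that, membership is managed in the domain.
        ([ADSI]"WinNT://$server/$LocalGroup,group").Add($DomainGroup)
        $members += $DomainGroup
    }
    New-Object PSObject -Property @{
        Server  = $server
        Members = ($members | Sort-Object) -join '; '
    }
}

$report | Select-Object Server, Members

# A local account shows up with the computer name in its path, so it can never
# match across servers; any such entry is reported as a difference here.
if (@($report | Group-Object Members).Count -gt 1) {
    Write-Warning "Membership of '$LocalGroup' is not identical on all servers."
}
```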
Validating the MBAM Server feature installation
When the MBAM installation is complete, validate that the installation has successfully set up all the necessary MBAM features that are required for BitLocker management. Use the following procedure to confirm that the MBAM service is functional:
To validate MBAM Server feature installation
On each server where an MBAM feature is deployed, open Control Panel. Click Programs, and then click Programs and Features. Verify that Microsoft BitLocker Administration and Monitoring appears in the Programs and Features list.
To validate the installation, you must use a Domain Account that has local computer administrative credentials on each server.
On the server where the Recovery and Hardware Database is installed, open SQL Server Management Studio and verify that the MBAM Recovery and Hardware database is installed.
On the server where the Compliance and Audit Database is installed, open SQL Server Management Studio and verify that the MBAM Compliance and Audit Database is installed.
On the server where the Compliance and Audit Reports are installed, open a web browser with administrative privileges and browse to the “Home” of the SQL Server Reporting Services site.
The default Home location of a SQL Server Reporting Services site instance is at http://<NameofMBAMReportsServer>/Reports. To find the actual URL, use the Reporting Services Configuration Manager tool and select the instances specified during setup.
Confirm that a folder named Malta Compliance Reports is listed and that it contains five reports and one data source.
If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following: http://<NameofMBAMReportsServer>/Reports_<SRSInstanceName>
On the server where the Administration and Monitoring feature is installed, run Server Manager and browse to Roles, select Web Server (IIS), and click Internet Information Services (IIS) Manager.
In Connections, browse to <computername>, select Sites, and select Microsoft BitLocker Administration and Monitoring. Verify that MBAMAdministrationService, MBAMComplianceStatusService, and MBAMRecoveryAndHardwareService are listed.
On the server where the Administration and Monitoring feature is installed, open a web browser with administrative privileges, and then browse to the following locations in the MBAM website to verify that they load successfully:
http://<computername>/default.aspx and confirm each of the links for navigation and reports
Typically, the services are installed on the default port 80 without network encryption. If the services are installed on a different port, change the URLs to include the appropriate port. For example, http://<computername>:<port>/default.aspx or http://<hostheadername>/default.aspx.
If the services are installed with network encryption, change http:// to https://.
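The checks above for the Administration and Monitoring Server can also be scripted. The following PowerShell is an added example, not part of the original procedure: it looks for the Programs and Features entry, confirms the three services under the IIS site, and loads default.aspx using the protocol, port and host header taken from the site's actual binding. It assumes the WebAdministration module is available on the server and that the site has a single IPv4 or wildcard binding.

```powershell
Import-Module WebAdministration   # installed with the Web Server (IIS) role

$SiteName = 'Microsoft BitLocker Administration and Monitoring'
$Expected = 'MBAMAdministrationService', 'MBAMComplianceStatusService',
            'MBAMRecoveryAndHardwareService'

# 1. Programs and Features entry, read from the uninstall registry keys.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "$SiteName*" }

# 2. The three web services listed under the MBAM site in IIS.
$apps    = @(Get-WebApplication -Site $SiteName |
             ForEach-Object { $_.path.TrimStart('/') })
$missing = @($Expected | Where-Object { $apps -notcontains $_ })

# 3. Build the URL from the real binding instead of assuming port 80 over http.
$binding = Get-WebBinding -Name $SiteName | Select-Object -First 1
if (-not $binding) { throw "IIS site '$SiteName' was not found." }
$ip, $port, $hostHeader = $binding.bindingInformation -split ':'   # e.g. "*:80:"
if (-not $hostHeader) { $hostHeader = $env:COMPUTERNAME }
$url = '{0}://{1}:{2}/default.aspx' -f $binding.protocol, $hostHeader, $port

# 4. Request the page as the logged-on user. With https, a certificate that
#    does not match the host name is reported as a failed load.
$client = New-Object System.Net.WebClient
$client.UseDefaultCredentials = $true
try   { [void]$client.DownloadString($url); $pageLoads = $true }
catch { $pageLoads = $false }

New-Object PSObject -Property @{
    ProgramsAndFeatures = [bool]$installed
    MissingServices     = $missing -join ', '
    Url                 = $url
    PageLoads           = $pageLoads
    NetworkEncryption   = ($binding.protocol -eq 'https')
}
```

An empty MissingServices value together with PageLoads set to True corresponds to a passed check; NetworkEncryption reports whether the site was installed with the encryption option described earlier.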