Deploying MBAM on Distributed Servers

The procedures in this topic describe the full installation of the Microsoft BitLocker Administration and Monitoring (MBAM) features on multiple servers. Each server feature has certain prerequisites. To verify that you have met the prerequisites, see MBAM Supported Configurations. In addition, some features require information that must be provided during the installation process to successfully deploy the feature. You should also review Planning the Server Infrastructure for MBAM before beginning MBAM deployment.

Note

In order to obtain the setup log files, you have to install Microsoft BitLocker Administration and Monitoring by using the msiexec package and the /L <location> option. Log files are created in the location specified.

Additional setup log files are created in the installing user’s %temp% folder.

Deploying the MBAM Server

The following steps describe how to install general Microsoft BitLocker Administration and Monitoring features.

Note

Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup on 64-bit servers.

To deploy MBAM server features

  1. Start the Microsoft BitLocker Administration and Monitoring installation wizard. Click Install at the welcome screen.

  2. Read and accept the Microsoft Software License Terms, and then click Next to continue the installation.

  3. By default, all Microsoft BitLocker Administration and Monitoring features are selected for installation. Clear the features that you want to install elsewhere. Features that will be installed on the same computer must be installed together at the same time. Microsoft BitLocker Administration and Monitoring components must be installed in the following order:

    • Recovery and Hardware Database

    • Compliance Status Database

    • Compliance Audit and Reports

    • Administration and Monitoring Server

    • Policy Template

    For more information about how to plan the MBAM server infrastructure, see Planning the Server Infrastructure for MBAM. For prerequisites of each MBAM server feature, see MBAM Supported Configurations.

    The installation wizard checks the prerequisites for your installation and displays prerequisites that are missing. If all the prerequisites are met, the installation continues. If a missing prerequisite is detected, you have to resolve the missing prerequisites, and then click Check prerequisites again. If all prerequisites are met this time, the installation will resume.

  4. The MBAM Setup wizard will display installation pages for the selected features. The following sections describe installation procedures for each feature.

    Note

    The following instructions assume that each feature will be installed on a separate server. If you are installing multiple features on a single server, some steps may be altered or eliminated.

    To install the Recovery and Hardware Database feature

    1. MBAM can encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the certificate authority-provisioned certificate that is used for encryption.

    2. Click Next to continue.

    3. To configure access to the Recovery and Hardware Database, specify the names of the computers that will be running the Administration and Monitoring Server feature. Once the Administration and Monitoring Server feature is deployed, it connects to the database using its domain account.

    4. Click Next to continue.

    5. Specify the Database Configuration for the SQL Server instance that stores the recovery and hardware data. You must also specify both where the database will be located and where the log information will be located.

    6. Click Next to continue with the Microsoft BitLocker Administration and Monitoring Setup wizard.

    To install the Compliance Status Database feature

    1. MBAM can encrypt the communication between the Compliance Status database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the certificate authority-provisioned certificate that will be used for encryption.

    2. Click Next to continue.

    3. Specify the user account that will be used to access the database for reports.

    4. Click Next to continue.

    5. To configure access to the Compliance Status Database, specify the computer names of the machines that will be running the Administration and Monitoring Server and Compliance and Audit Reports features. Once the Administration and Monitoring and Compliance and Audit Reports Server features are deployed, they will connect to the databases using their domain accounts.

    6. Specify the Database Configuration for the SQL Server instance that will store the compliance and audit data. You must also specify where the database will be located and where the log information will be located.

    7. Click Next to continue with the Microsoft BitLocker Administration and Monitoring Setup wizard.

    To install the Compliance and Audit Reports feature

    1. Specify the remote SQL Server instance (for example: <ServerName>) where the Compliance Status Database was installed.

    2. Next, specify the name of the Compliance Status Database. By default, the database name is “MBAM Compliance Status,” although this may be altered when you install the Compliance Status Database feature.

    3. Click Next to continue.

    4. Select the SQL Server Reporting Services instance where the Compliance and Audit Reports will be installed. Provide the username and password used for accessing the compliance database.

    5. Click Next to continue with the Microsoft BitLocker Administration and Monitoring Setup wizard.

    To install the Administration and Monitoring Server feature

    1. MBAM can encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the certificate authority-provisioned certificate that is used for encryption.

    2. Click Next to continue.

    3. Specify the remote SQL Server instance (for example: <ServerName>) where the Compliance Status Database was installed.

    4. Next, specify the name of the Compliance Status Database. By default, the database name is “MBAM Compliance Status”; however, this may be altered when installing the Compliance Status Database feature.

    5. Click Next to continue.

    6. Specify the remote SQL Server instance (for example: <ServerName>) where the Recovery and Hardware Database was installed.

    7. Next, specify the name of the Recovery and Hardware Database. By default, the database name is MBAM Recovery and Hardware; however, this may be altered when installing the Recovery and Hardware Database feature.

    8. Click Next to continue.

    9. Specify the URL for the “Home” of the SQL Server Reporting Services (SRS) site. The default Home location of a SQL Server Reporting Services site instance can be found at:

      https://<NameofMBAMReportsServer>/ReportServer

      Note

      If SQL Server Reporting Services was configured as a named instance, the URL resembles the following: https://<NameofMBAMReportsServer>/ReportServer_<SRSInstanceName>

    10. Click Next to continue.

    11. Enter the Port Number, the Host Name (optional), and the Installation Path for the MBAM Administration and Monitoring server.

      Warning

      The port number that is specified must be an unused port number on the Administration and Monitoring server unless a unique host header name is specified.

    12. Click Next to continue with the Microsoft BitLocker Administration and Monitoring Setup wizard.

  5. Specify whether to use Microsoft Updates to help keep your computer secure, and then click Next.

  6. As soon as the selected Microsoft BitLocker Administration and Monitoring feature information is complete, the installation is ready to start. Click Back to move through the wizard if you have to review or change your installation settings. Click Install to begin the installation. Click Cancel to exit the wizard. Setup installs the Microsoft BitLocker Administration and Monitoring features that you have selected and notifies you that the installation is finished.

  7. Click Finish to exit the wizard.

  8. Although the Microsoft BitLocker Administration and Monitoring server components have now been installed, users have to be added to the Microsoft BitLocker Administration and Monitoring roles. For more information, see How to Manage MBAM Administrator Roles.

Post Installation Configuration

  1. After Setup is finished, you must add users to roles before they have access to features in the MBAM management console. On the Administration and Monitoring Server, add users to the following local groups to give them access to the features in the management console.

    • MBAM Hardware Users

      Members of this local group will have access to the Hardware feature in the management console.

    • MBAM Helpdesk Users

      Members of this local group will have access to the Drive Recovery and Manage TPM features in the management console. All fields in Drive Recovery and Manage TPM are required fields for a Helpdesk User.

    • MBAM Advanced Helpdesk Users

      Members of this local group will have advanced access to the Drive Recovery and Manage TPM features in the management console. For Advanced Helpdesk Users, only the “Key ID” field is required in Drive Recovery. In Manage TPM, only the “Computer Domain” and “Computer Name” fields are required.

  2. On the Administration and Monitoring, Compliance Status Database, and Compliance and Audit Reports Server, add users to the following local group to give them access to the Reports feature in the management console.

    • MBAM Report Users:

      Members of this local group will have access to the Reports features in the management console.

    Note

    Identical user or group membership of the MBAM Report Users local group must be maintained on all computers where the MBAM Administration and Monitoring, Compliance Status Database, and Compliance and Audit Reports Server features are installed.
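
One way to check the membership requirement in the note above, as an added example that is not part of the original documentation. The server names are placeholders, and the script assumes the account running it can query the local groups on each server remotely.

```powershell
# Added example: compare 'MBAM Report Users' membership across the MBAM servers.
# Server names are placeholders (assumptions); replace them with your own.
$servers   = 'MBAM-ADMIN01', 'MBAM-CSDB01', 'MBAM-RPT01'
$groupName = 'MBAM Report Users'

function Get-GroupMemberPath {
    param([string]$Computer, [string]$GroupName)
    # The WinNT ADSI provider reads local groups remotely without extra modules.
    $adsiGroup = [ADSI]"WinNT://$Computer/$GroupName,group"
    foreach ($member in @($adsiGroup.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/name; strip the provider prefix.
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $path -replace '^WinNT://', ''
    }
}

# Collect the sorted, de-duplicated member list for every server.
$membership = @{}
foreach ($server in $servers) {
    $membership[$server] = @(Get-GroupMemberPath -Computer $server -GroupName $groupName |
        Sort-Object -Unique)
}

# Use the first server as the baseline and report every difference.
$baseline  = $servers[0]
$reference = $membership[$baseline]
$drift = foreach ($server in ($servers | Select-Object -Skip 1)) {
    $current = $membership[$server]
    $current | Where-Object { $reference -notcontains $_ } | ForEach-Object {
        [pscustomobject]@{ Server = $server; Member = $_; Status = "extra (not on $baseline)" }
    }
    $reference | Where-Object { $current -notcontains $_ } | ForEach-Object {
        [pscustomobject]@{ Server = $server; Member = $_; Status = "missing (present on $baseline)" }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled check can alert on drift
}
"'$groupName' membership is identical on: $($servers -join ', ')"
```

Machine-local accounts carry the computer name in their path, so they are reported as drift; domain users or groups compare cleanly across servers.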

Validating the MBAM Server Feature Installations

As soon as the Microsoft BitLocker Administration and Monitoring installation is complete, we recommend that you validate that the installation has successfully set up all the necessary features for MBAM. Use the following procedure to confirm that the Microsoft BitLocker Administration and Monitoring service is functional.

To validate an MBAM installation

  1. On each server where a Microsoft BitLocker Administration and Monitoring feature is deployed, open the Control Panel. Select Programs, and then select Programs and Features. Verify that Microsoft BitLocker Administration and Monitoring appears in the Programs and Features list.

    Note

    To validate the MBAM installation, you must use a Domain Account that has local computer administrative credentials on each server.

  2. On the server where the Recovery and Hardware Database feature is installed, open SQL Server Management Studio and verify that the MBAM Recovery and Hardware database is installed.

  3. On the server where the Compliance Status Database feature is installed, open SQL Server Management Studio and verify that the MBAM Compliance Status database is installed.

  4. On the server where the Compliance and Audit Reports feature is installed, open a web browser with administrative privileges and browse to the “Home” of the SQL Server Reporting Services site.

    The default Home location of a SQL Server Reporting Services site instance can be found at https://<NameofMBAMReportsServer>/Reports.aspx. The actual URL can be found by using the Reporting Services Configuration Manager tool and selecting the instances specified during setup.

    Confirm that a reports folder named Malta Compliance Reports is listed and that it contains five Reports and one Data Source.

    Note

    If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following: https://<NameofMBAMReportsServer>/Reports_<SRSInstanceName>

  5. On the server where the Administration and Monitoring feature is installed, run Server Manager and browse to Roles, select Web Server (IIS), and then click Internet Information Services (IIS) Manager. In Connections browse to <machinename>, select Sites, and select Microsoft BitLocker Administration and Monitoring. Verify that MBAMAdministrationService, MBAMComplianceStatusService, and MBAMRecoveryAndHardwareService are listed.

  6. On the server where the Administration and Monitoring feature is installed, open a web browser with administrative privileges and browse to the following locations in the MBAM web site to verify they load successfully:

    • http://<computername>/default.aspx and confirm each of the links for navigation and reports

    • http://<computername>/MBAMAdministrationService/AdministrationService.svc

    • http://<computername>/MBAMComplianceStatusService/StatusReportingService.svc

    • http://<computername>/MBAMRecoveryAndHardwareService/CoreService.svc

    Note

    This list assumes the services are installed on the default port 80 without network encryption. If the services were installed on a different port, change the URLs to include the appropriate port. For example, http://<computername>:<port>/default.aspx or http://<hostheadername>/default.aspx.

    If the services were installed with network encryption, change http:// to https://.

    Verify that each web page loads successfully.
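
The database checks in steps 2 and 3 and the page-load checks in step 6 can be scripted, as in this added example that is not part of the original documentation. Server and instance names are placeholders; the database names and service paths are the defaults listed on this page, and the script assumes the validating account can connect to both SQL Server instances.

```powershell
# Added example: scripted version of validation steps 2, 3 and 6.
# Server and instance names are placeholders (assumptions).
$scheme      = 'https'          # use 'http' if installed without network encryption
$adminServer = 'MBAM-ADMIN01'   # placeholder: Administration and Monitoring server
$databases   = @(
    @{ Instance = 'MBAM-RHDB01'; Name = 'MBAM Recovery and Hardware' }
    @{ Instance = 'MBAM-CSDB01'; Name = 'MBAM Compliance Status' }
)
$paths = @(
    '/default.aspx'
    '/MBAMAdministrationService/AdministrationService.svc'
    '/MBAMComplianceStatusService/StatusReportingService.svc'
    '/MBAMRecoveryAndHardwareService/CoreService.svc'
)

function Test-DatabasePresent {
    param([string]$Instance, [string]$Name)
    $connString = "Server=$Instance;Database=master;Integrated Security=True;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Parameterized lookup of the database name in the instance catalog.
        $cmd.CommandText = 'SELECT COUNT(*) FROM sys.databases WHERE name = @name'
        [void]$cmd.Parameters.AddWithValue('@name', $Name)
        return ([int]$cmd.ExecuteScalar() -eq 1)
    } catch {
        Write-Warning "$Instance : $($_.Exception.Message)"
        return $false
    } finally { $conn.Dispose() }
}

$results = @()
foreach ($db in $databases) {
    $ok = Test-DatabasePresent -Instance $db.Instance -Name $db.Name
    $results += [pscustomobject]@{ Check = "Database '$($db.Name)' on $($db.Instance)"; Passed = $ok; Detail = '' }
}
foreach ($path in $paths) {
    $url = "${scheme}://$adminServer$path"
    try {
        # Integrated authentication, matching a browser session opened by a domain account.
        $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $results += [pscustomobject]@{ Check = $url; Passed = ($r.StatusCode -eq 200); Detail = $r.StatusCode }
    } catch {
        $results += [pscustomobject]@{ Check = $url; Passed = $false; Detail = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

The links on default.aspx still need to be confirmed by hand, because the script only checks that each page returns successfully.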

See Also

Tasks

Deploying MBAM on a Single Server

Concepts

Deploying MBAM

Other Resources

Operations for MBAM