How to Move MBAM Features to Another Server

Applies To: Microsoft BitLocker Administration and Monitoring

This topic describes the steps that you should take to move one or more Microsoft BitLocker Administration and Monitoring (MBAM) features to a different computer. When moving more than one MBAM feature, you should move them in the following order:

  1. Recovery and Hardware Database

  2. Compliance Status Database

  3. Compliance and Audit Reports

  4. Administration and Monitoring

Moving the Recovery and Hardware Database Feature

If you choose to move the MBAM Recovery and Hardware Database feature from one computer to another (that is, move the feature from Server A to Server B), you should use the following procedure. The process includes the following steps:

  1. Stop all instances of the MBAM Administration and Monitoring website

  2. Run MBAM setup on Server B

  3. Backup the Database on Server A

  4. Move the Database from Server A to B

  5. Restore the Database on Server B

  6. Configure Access to the Database on Server B

  7. Update database connection data on MBAM Administration and Monitoring servers

  8. Resume all instances of the MBAM Administration and Monitoring website

Stop all instances of the MBAM Administration and Monitoring website

  1. On each of the servers running the MBAM Administration and Monitoring Feature use the Internet Information Services (IIS) Manager console to stop the MBAM web site which is named “Microsoft BitLocker Administration and Monitoring”.

  2. To automate this procedure execute a command line similar to the following using Windows PowerShell:

    PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"

    Note

    To execute this command-line, the IIS Module for PowerShell must be added to current instance of PowerShell. In addition, you must update the PowerShell execution policy to enable execution of scripts.

Run MBAM setup on Server B

  1. Run MBAM setup on Server B and just select the Recovery and Hardware Database feature for installation.

  2. To automate this procedure execute a command line similar to the following using Windows PowerShell:

    PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=KeyDatabase ADMINANDMON_MACHINENAMES=$DOMAIN$\$SERVERNAME$$ RECOVERYANDHWDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$

    Note

    Replace the following values in the example above with those that match your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - Input the server name and instance where the Recovery and Hardware Database will be moved to.

    • $DOMAIN$\$SERVERNAME$ - Input the domain and server names of each MBAM Application and Monitoring Server that will contact the Recovery and Hardware Database. If there are multiple servers, use a semicolon to separate each one in the list (e.g.: $DOMAIN$\$SERVERNAME$$;$DOMAIN$\$SERVERNAME$$). Each server name must be followed by a “$” as shown in the example. (e.g.: MyDomain\MyServerName1$; MyDomain\MyServerName2$)

Backup the Database on Server A

  1. To backup the Recovery and Hardware Database on Server A use SQL Server Management Studio and the Task named Back Up…. By default the database name will be “MBAM Recovery and Hardware Database”.

  2. To automate this procedure create a SQL file (.sql) that contains the following SQL script:

    -- Modify the MBAM Recovery and Hardware Database to use the full recovery model.
    USE master;
    GO
    ALTER DATABASE [MBAM Recovery and Hardware]
    SET RECOVERY FULL;
    GO

    -- Create MBAM Recovery and Hardware Database Data and MBAM Recovery logical backup devices.
    USE master
    GO
    EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device',
    'Z:\MBAM Recovery and Hardware Database Data.bak';
    GO

    -- Back up the full MBAM Recovery and Hardware database.
    BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device];
    GO

    -- Back up the database encryption certificate and its private key.
    -- The private key file is encrypted with the password supplied here.
    BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate]
    TO FILE = 'Z:\SQLServerInstanceCertificateFile'
    WITH PRIVATE KEY
    (
    FILE = 'Z:\SQLServerInstanceCertificateFilePrivateKey',
    ENCRYPTION BY PASSWORD = '$PASSWORD$'
    );
    GO

    Note

    Replace the following values in the example above with those that match your environment:

    • $PASSWORD$ - Input a password that you will use to encrypt the Private Key file.

  3. Next execute the SQL File using a command line similar to the following using the SQL Server PowerShell:

    PS C:\> Invoke-Sqlcmd -InputFile 'Z:\BackupMBAMRecoveryandHardwareDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$

    Note

    Replace the following value in the example above with the one that matches your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - Input the server name and instance where the Recovery and Hardware Database will be backed up from.

Move the Database and Certificate from Server A to B

  1. Move the following file from Server A to Server B using Windows Explorer

    • MBAM Recovery and Hardware Database Data.bak
  2. To move the Certificate for the encrypted database you will need to use the automation steps listed below. To automate this procedure execute command lines similar to the following using Windows PowerShell:

    PS C:\> Copy-Item "Z:\MBAM Recovery and Hardware Database Data.bak" \\$SERVERNAME$\$DESTINATIONSHARE$

    PS C:\> Copy-Item "Z:\SQLServerInstanceCertificateFile" \\$SERVERNAME$\$DESTINATIONSHARE$

    PS C:\> Copy-Item "Z:\SQLServerInstanceCertificateFilePrivateKey" \\$SERVERNAME$\$DESTINATIONSHARE$

    Note

    Replace the following values in the example above with those that match your environment:

    • $SERVERNAME$ - Input the server name where the files will be copied to.

    • $DESTINATIONSHARE$ - Input the name of share and path where the files will be copied to.
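
The copy step above, as an added example that is not part of the original MBAM documentation: it copies the database backup, certificate and private key files and compares SHA-256 hashes on both ends, so a truncated or altered file is caught before the restore. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); the parameter names and the $Destination value are placeholders.

```powershell
# Added example, not part of the MBAM documentation.
# -Destination is a placeholder UNC path such as \\SERVERNAME\DESTINATIONSHARE.
param(
    [string]$SourceDir = 'Z:\',
    [Parameter(Mandatory = $true)][string]$Destination
)

$ErrorActionPreference = 'Stop'

# File names produced by the backup script in this topic.
$files = @(
    'MBAM Recovery and Hardware Database Data.bak',
    'SQLServerInstanceCertificateFile',
    'SQLServerInstanceCertificateFilePrivateKey'
)

$results = foreach ($name in $files) {
    $src = Join-Path $SourceDir $name
    $dst = Join-Path $Destination $name

    if (-not (Test-Path -LiteralPath $src)) {
        throw "Missing source file: $src"
    }

    # Hash before the copy, copy, then hash what actually landed on Server B.
    $before = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    Copy-Item -LiteralPath $src -Destination $dst
    $after = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash

    [pscustomobject]@{
        File   = $name
        SHA256 = $before
        Match  = ($before -eq $after)
    }
}

$results | Format-Table -AutoSize

# Stop the migration if any file differs between Server A and Server B.
if ($results.Match -contains $false) {
    throw 'Hash mismatch: do not restore from these files.'
}
```

Once the restore on Server B has been confirmed, delete the certificate and private key files from both the source folder and the destination share, because together with the password they allow the encrypted recovery database to be opened elsewhere.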

Restore the Database on Server B

  1. Restore the Recovery and Hardware Database on Server B by using SQL Server Management Studio and the Task named Restore Database….

  2. Once the task has been executed, select the database backup file by selecting the From Device option and then use the Add command to select the ‘MBAM Recovery and Hardware Database Data.bak’ file.

  3. Select OK to complete the restoration process.

  4. To automate this procedure create a SQL file (.sql) that contains the following SQL script:

    -- Restore MBAM Recovery and Hardware Database.
    USE master
    GO

    -- Drop certificate created by MBAM setup.
    DROP CERTIFICATE [MBAM Recovery Encryption Certificate]
    GO

    -- Add the certificate that was backed up on Server A.
    CREATE CERTIFICATE [MBAM Recovery Encryption Certificate]
    FROM FILE = 'Z:\SQLServerInstanceCertificateFile'
    WITH PRIVATE KEY
    (
    FILE = 'Z:\SQLServerInstanceCertificateFilePrivateKey',
    DECRYPTION BY PASSWORD = '$PASSWORD$'
    );
    GO

    -- Restore the MBAM Recovery and Hardware Database data and log files.
    RESTORE DATABASE [MBAM Recovery and Hardware]
    FROM DISK = 'Z:\MBAM Recovery and Hardware Database Data.bak'
    WITH REPLACE

    Note

    Replace the following values in the example above with those that match your environment:

    • $PASSWORD$ - Input the password that was used to encrypt the Private Key file.

  5. Next, execute the SQL File using a command line similar to the following using the SQL Server PowerShell:

    PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwareDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$

    Note

    Replace the following value in the example above with the one that matches your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - Input the server name and instance where the Recovery and Hardware Database will be restored to.

Configure Access to the Database on Server B

  1. On Server B use the Local user and Groups snap-in from Server Manager to add the machine accounts from each server running the MBAM Administration and Monitoring feature to the Local Group named “MBAM Recovery and Hardware DB Access”.

  2. To automate this procedure, execute a command line similar to the following using Windows PowerShell on Server B.

    PS C:\> net localgroup "MBAM Recovery and Hardware DB Access" $DOMAIN$\$SERVERNAME$$ /add

    Note

    Replace the following values in the example above with the applicable values for your environment:

    • $DOMAIN$\$SERVERNAME$$ - Input the domain and machine name of the MBAM Administration and Monitoring Server. The server name must be followed by a “$” as shown in the example. (e.g.: MyDomain\MyServerName1$)

    This command-line must be run for each Administration and Monitoring Server that will be accessing the database within your environment.

Update database connection data on MBAM Administration and Monitoring servers

  1. On each of the servers running the MBAM Administration and Monitoring Feature use the Internet Information Services (IIS) Manager console to update the Connection String information for the following Applications which are hosted within the Microsoft BitLocker Administration and Monitoring website:

    • MBAMAdministrationService

    • MBAMRecoveryAndHardwareService

  2. Select each Application and use the Configuration Editor feature which can be found under the Management section of the Feature View.

  3. From here, select the connectionStrings option from the Section list control.

  4. Next select the row named (Collection) and open the Collection Editor by selecting the button on the right hand side of the row.

  5. Within the Collection Editor, select the row named KeyRecoveryConnectionString when updating the configuration for the ‘MBAMAdministrationService’ application or the row named Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString when updating the configuration for the ‘MBAMRecoveryAndHardwareService’.

  6. Update the Data Source= value for the connectionString property to list the server name and instance (for example, $SERVERNAME$\$SQLINSTANCENAME$) where the Recovery and Hardware Database was moved to.

  7. To automate the procedure above, execute a command line similar to the following using Windows PowerShell on each Administration and Monitoring Server:

    PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;"

    PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;"

    Note

    Replace the following value in the example above with the one that matches your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - Input the server name and instance where the Recovery and Hardware Database is.

Resume all instances of the MBAM Administration and Monitoring website

  1. On each of the servers running the MBAM Administration and Monitoring Feature use the Internet Information Services (IIS) Manager console to Start the MBAM web site which is named “Microsoft BitLocker Administration and Monitoring”.

  2. To automate this procedure execute a command line similar to the following using Windows PowerShell:

    PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"

Moving the Compliance Status Database Feature

If you choose to move the MBAM Compliance Status Database Feature from one computer to another (i.e.: move feature from Server A to Server B) you should use the following procedure. The process includes the following steps:

  1. Stop all instances of the MBAM Administration and Monitoring website

  2. Run MBAM setup on Server B

  3. Backup the Database on Server A

  4. Move the Database from Server A to B

  5. Restore the Database on Server B

  6. Configure Access to the Database on Server B

  7. Update database connection data on MBAM Administration and Monitoring servers

  8. Resume all instances of the MBAM Administration and Monitoring website

Stop all instances of the MBAM Administration and Monitoring website

  1. On each of the servers running the MBAM Administration and Monitoring feature use the Internet Information Services (IIS) Manager console to Stop the MBAM web site named “Microsoft BitLocker Administration and Monitoring”.

  2. To automate this procedure, execute a command line similar to the following using Windows PowerShell:

    PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"

    Note

    To execute this command-line, the IIS Module for PowerShell must be added to current instance of PowerShell. In addition, you must update the PowerShell execution policy to enable execution of scripts.

Run MBAM setup on Server B

  1. Run MBAM setup on Server B and just select the Compliance Status Database feature for installation.

  2. To automate this procedure, execute a command line similar to the following using Windows PowerShell:

    PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=ReportsDatabase ADMINANDMON_MACHINENAMES=$DOMAIN$\$SERVERNAME$$ COMPLIDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ REPORTS_USERACCOUNT=$DOMAIN$\$USERNAME$

    Note

    Replace the following values in the example above with those that match your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - Input the server name and instance where the Compliance Status Database will be moved to.

    • $DOMAIN$\$SERVERNAME$ - Input the domain and server names of each MBAM Application and Monitoring Server that will contact the Compliance Status Database. If there are multiple servers, use a semicolon to separate each one in the list (such as, $DOMAIN$\$SERVERNAME$$;$DOMAIN$\$SERVERNAME$$). Each server name must be followed by a “$” as shown in the example. (such as, MyDomain\MyServerName1$; MyDomain\MyServerName2$)

    • $DOMAIN$\$USERNAME$ - Input the domain and user name that will be used by the Compliance and Audit reports feature to connect to the Compliance Status Database.

Backup the Database on Server A

  1. To back up the Compliance Database on Server A use SQL Server Management Studio and the Task named Back Up…. By default the database name will be “MBAM Compliance Status Database”.

  2. To automate this procedure create a SQL file (.sql) that contains the following SQL script:

    -- Modify the MBAM Compliance Status Database to use the full recovery model.
    USE master;
    GO
    ALTER DATABASE [MBAM Compliance Status]
    SET RECOVERY FULL;
    GO

    -- Create MBAM Compliance Status Data logical backup devices.
    USE master
    GO
    EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device',
    'Z:\MBAM Compliance Status Database Data.bak';
    GO

    -- Back up the full MBAM Compliance Status database.
    BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device];
    GO

  3. Next execute the SQL File using a command line similar to the following using the SQL Server PowerShell:

    PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$

    Note

    Replace the following value in the example above with the one that matches your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - Input the server name and instance where the Compliance Status Database will be backed up from.

Move the Database from Server A to B

  1. Move the following file from Server A to Server B using Windows Explorer

    • MBAM Compliance Status Database Data.bak
  2. To automate this procedure, execute command lines similar to the following using Windows PowerShell:

    PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak" \\$SERVERNAME$\$DESTINATIONSHARE$

    Note

    Replace the following values in the example above with those that match your environment:

    • $SERVERNAME$ - Input the server name where the files will be copied to.

    • $DESTINATIONSHARE$ - Input the name of share and path where the files will be copied to.

Restore the Database on Server B

  1. Restore the Compliance Status Database on Server B by using SQL Server Management Studio and the Task named Restore Database….

  2. Once the task has been executed, select the database backup file by selecting the From Device option and then use the Add command to select the MBAM Compliance Status Database Data.bak file. Select OK to complete the restoration process.

  3. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:

    -- Switch to the master database before restoring.
    USE master
    GO

    -- Restore the MBAM Compliance Status Database data files.
    -- The database name matches the one backed up on Server A and the
    -- Initial Catalog value used in the connection strings.
    RESTORE DATABASE [MBAM Compliance Status]
    FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak'
    WITH REPLACE

  4. Next, execute the SQL File using a command line similar to the following using the SQL Server PowerShell:

    PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$

    Note

    Replace the following value in the example above with the one that matches your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - Input the server name and instance where the Compliance Status Database will be restored to.

Configure Access to the Database on Server B

  1. On Server B use the Local user and Groups snap-in from Server Manager to add the machine accounts from each server running the MBAM Administration and Monitoring feature to the Local Group named “MBAM Compliance Status DB Access”.

  2. To automate this procedure, execute command lines similar to the following using Windows PowerShell on Server B.

    PS C:\> net localgroup "MBAM Compliance Auditing DB Access" $DOMAIN$\$SERVERNAME$$ /add

    PS C:\> net localgroup "MBAM Compliance Auditing DB Access" $DOMAIN$\$REPORTSUSERNAME$ /add

    Note

    Replace the following values in the example above with the applicable values for your environment:

    • $DOMAIN$\$SERVERNAME$$ - Input the domain and machine name of the MBAM Administration and Monitoring Server. The server name must be followed by a “$” as shown in the example. (e.g.: MyDomain\MyServerName1$)

    • $DOMAIN$\$REPORTSUSERNAME$ - Input the user account name that was used to configure the data source for the Compliance and Audit reports

    The command-line for adding the servers to the MBAM Compliance Auditing DB Access local group must be run for each Administration and Monitoring Server that will be accessing the database within your environment.

Update database connection data on MBAM Administration and Monitoring servers

  1. On each of the servers running the MBAM Administration and Monitoring feature, use the Internet Information Services (IIS) Manager console to update the Connection String information for the following Applications which are hosted within the Microsoft BitLocker Administration and Monitoring website:

    • MBAMAdministrationService

    • MBAMComplianceStatusService

  2. Select each Application and use the Configuration Editor feature which can be found under the Management section of the Feature View.

  3. Select the connectionStrings option from the Section list control.

  4. Next select the row named (Collection) and open the Collection Editor by selecting the button on the right-hand side of the row.

  5. Within the Collection Editor select the row named ComplianceStatusConnectionString when updating the configuration for the MBAMAdministrationService application or the row named Microsoft.Windows.Mdop.BitLockerManagement.StatusReportDataStore.ConnectionString when updating the configuration for the MBAMComplianceStatusService.

  6. Update the Data Source= value for the connectionString property to list the server name and instance (such as, $SERVERNAME$\$SQLINSTANCENAME$) where the Compliance Status Database was moved to.

  7. To automate this procedure, execute a command line similar to the following using Windows PowerShell on each Administration and Monitoring Server:

    PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="ComplianceStatusConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Compliance Status;Integrated Security=SSPI;"

    PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Windows.Mdop.BitLockerManagement.StatusReportDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMComplianceStatusService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Compliance Status;Integrated Security=SSPI;"

    Note

    Replace the following value in the example above with the one that matches your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - Input the server name and instance where the Compliance Status Database is.
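
A read-back check for the connection string updates in both database procedures (Recovery and Hardware, and Compliance Status), as an added example that is not part of the original MBAM documentation. It confirms that each application points at the intended instance and catalog, still uses integrated security, and carries no embedded SQL credentials. It assumes the WebAdministration module and Windows PowerShell 3.0 or later; the two parameter names are placeholders for your SERVERNAME\SQLINSTANCENAME values.

```powershell
# Added example, not part of the MBAM documentation.
# Run on each Administration and Monitoring server after the update step.
param(
    # Placeholders: SERVERNAME\SQLINSTANCENAME of each database after the move.
    [Parameter(Mandatory = $true)][string]$RecoveryInstance,
    [Parameter(Mandatory = $true)][string]$ComplianceInstance
)

Import-Module WebAdministration
Add-Type -AssemblyName System.Data

$site = 'IIS:\sites\Microsoft Bitlocker Administration and Monitoring'

# Application, connection string name, catalog and instance, taken from the
# Set-WebConfigurationProperty commands shown in this topic.
$expected = @(
    @{ App = 'MBAMAdministrationService'
       Name = 'KeyRecoveryConnectionString'
       Catalog = 'MBAM Recovery and Hardware'; Instance = $RecoveryInstance },
    @{ App = 'MBAMRecoveryAndHardwareService'
       Name = 'Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString'
       Catalog = 'MBAM Recovery and Hardware'; Instance = $RecoveryInstance },
    @{ App = 'MBAMAdministrationService'
       Name = 'ComplianceStatusConnectionString'
       Catalog = 'MBAM Compliance Status'; Instance = $ComplianceInstance },
    @{ App = 'MBAMComplianceStatusService'
       Name = 'Microsoft.Windows.Mdop.BitLockerManagement.StatusReportDataStore.ConnectionString'
       Catalog = 'MBAM Compliance Status'; Instance = $ComplianceInstance }
)

$report = foreach ($e in $expected) {
    $filter = '/connectionStrings/add[@name="{0}"]' -f $e.Name
    $raw = (Get-WebConfigurationProperty -Filter $filter `
                -PSPath "$site\$($e.App)" -Name 'connectionString').Value

    if ([string]::IsNullOrEmpty($raw)) {
        [pscustomobject]@{ App = $e.App; Name = $e.Name; DataSource = $null
                           Ok = $false; Problems = 'connection string not found' }
        continue
    }

    # Parse the string instead of pattern matching, so key order and
    # spacing do not affect the result.
    $cs = New-Object System.Data.SqlClient.SqlConnectionStringBuilder -ArgumentList $raw

    $problems = @()
    if ($cs.DataSource -ne $e.Instance) {
        $problems += "Data Source is '$($cs.DataSource)'"
    }
    if ($cs.InitialCatalog -ne $e.Catalog) {
        $problems += "Initial Catalog is '$($cs.InitialCatalog)'"
    }
    if (-not $cs.IntegratedSecurity) {
        $problems += 'Integrated Security is not enabled'
    }
    if ($cs.UserID -or $cs.Password) {
        $problems += 'SQL credentials are embedded in the string'
    }

    [pscustomobject]@{ App = $e.App; Name = $e.Name; DataSource = $cs.DataSource
                       Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

$report | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a deployment job stop before the site is restarted.
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```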

Resume all instances of the MBAM Administration and Monitoring website

  1. On each of the servers running the MBAM Administration and Monitoring Feature use the Internet Information Services (IIS) Manager console to Start the MBAM web site named “Microsoft BitLocker Administration and Monitoring”.

  2. To automate this procedure execute a command line similar to the following using Windows PowerShell:

    PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"

Moving the Compliance and Audit Reports Feature

If you choose to move the MBAM Compliance and Audit Reports feature from one computer to another (i.e.: move feature from Server A to Server B) you should use the following procedure. The process includes the following steps:

  1. Run MBAM setup on Server B

  2. Configure Access to the Compliance and Audit Reports on Server B

  3. Stop all instances of the MBAM Administration and Monitoring website

  4. Update the reports connection data on MBAM Administration and Monitoring servers

  5. Resume all instances of the MBAM Administration and Monitoring website

Run MBAM setup on Server B

  1. Run MBAM setup on Server B and only select the Compliance and Audit feature for installation.

  2. To automate this procedure, execute a command line similar to the following using Windows PowerShell:

    PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=Reports COMPLIDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ REPORTS_USERACCOUNT=$DOMAIN$\$USERNAME$ REPORTS_USERACCOUNTPW=$PASSWORD$

    Note

    Replace the following values in the example above with those that match your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - Input the server name and instance where the Compliance Status Database is located.

    • $DOMAIN$\$USERNAME$ - Input the domain and user name that will be used by the Compliance and Audit reports feature to connect to the Compliance Status Database.

    • $PASSWORD$ - Input the password of the user account that will be used to connect to the Compliance Status Database.

Configure Access to the Compliance and Audit Reports on Server B

  1. On Server B use the Local user and Groups snap-in from Server Manager to add the user accounts that will have access to the Compliance and Audit Reports. Add the user accounts to the local group named “MBAM Report Users”.

  2. To automate this procedure, execute a command line similar to the following using Windows PowerShell on Server B.

    PS C:\> net localgroup "MBAM Report Users" $DOMAIN$\$REPORTSUSERNAME$ /add

    Note

    Replace the following value in the example above with the applicable value for your environment:

    • $DOMAIN$\$REPORTSUSERNAME$ - Input the user account name that was used to configure the data source for the Compliance and Audit reports

    The command-line for adding the users to the MBAM Report Users local group must be run for each user that will be accessing the reports within your environment.

Stop all instances of the MBAM Administration and Monitoring website

  1. On each of the servers running the MBAM Administration and Monitoring Feature use the Internet Information Services (IIS) Manager console to Stop the MBAM web site named “Microsoft BitLocker Administration and Monitoring”.

  2. To automate this procedure, execute a command line similar to the following using Windows PowerShell:

    PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"

Update database connection data on MBAM Administration and Monitoring servers

  1. On each of the servers running the MBAM Administration and Monitoring Feature, use the Internet Information Services (IIS) Manager console to update the Compliance Reports URL.

  2. Select the Microsoft BitLocker Administration and Monitoring website and use the Configuration Editor feature which can be found under the Management section of the Feature View.

  3. Next, select the appSettings option from the Section list control.

  4. From here, select the row named (Collection) and open the Collection Editor by selecting the button on the right hand side of the row.

  5. Within the Collection Editor select the row named “Microsoft.Mbam.Reports.Url”.

  6. Update the value for Microsoft.Mbam.Reports.Url to reflect the server name for Server B. If the Compliance and Audit reports feature was installed on a named SQL Reporting Services instance make sure to add or update the name of the instance to the URL (e.g.: https://$SERVERNAME$/ReportServer_$SQLSRSINSTANCENAME$/Pages....)

  7. To automate this procedure, execute a command line similar to the following using Windows PowerShell on each Administration and Monitoring Server:

    PS C:\> Set-WebConfigurationProperty '/appSettings/add[@key="Microsoft.Mbam.Reports.Url"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring" -Name "Value" -Value "https://$SERVERNAME$/ReportServer_$SRSINSTANCENAME$/Pages/ReportViewer.aspx?/Malta+Compliance+Reports/"

    Note

    Replace the following values in the example above with those that match your environment:

    • $SERVERNAME$ - Input the server name where the Compliance and Audit Reports were installed to.

    • $SRSINSTANCENAME$ - Input the name of the SQL Reporting Services instance where the Compliance and Audit Reports were installed to.

Resume all instances of the MBAM Administration and Monitoring website

  1. On each of the servers running the MBAM Administration and Monitoring feature, use the Internet Information Services (IIS) Manager console to Start the MBAM web site named “Microsoft BitLocker Administration and Monitoring”.

  2. To automate this procedure, execute a command line similar to the following using Windows PowerShell:

    PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"

    Note

    To execute this command-line, the IIS Module for PowerShell must be added to current instance of PowerShell. In addition you must update the PowerShell execution policy to enable execution of scripts.

Moving the Administration and Monitoring Feature

If you choose to move the MBAM Administration and Monitoring Reports Feature from one computer to another (i.e.: move feature from Server A to Server B) you should use the following procedure. The process includes the following steps:

  1. Run MBAM setup on Server B

  2. Configure Access to the Database on Server B

Run MBAM setup on Server B

  1. Run MBAM setup on Server B and only select the Administration feature for installation.

  2. To automate this procedure, execute a command line similar to the following using Windows PowerShell:

    PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=AdministrationMonitoringServer,HardwareCompatibility COMPLIDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ RECOVERYANDHWDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ SRS_REPORTSITEURL=$REPORTSSERVERURL$

    Note

    Replace the following values in the example above with those that match your environment:

    • $SERVERNAME$\$SQLINSTANCENAME$ - For the COMPLIDB_SQLINSTANCE parameter input the server name and instance where the Compliance Status Database is located. For the RECOVERYANDHWDB_SQLINSTANCE parameter input the server name and instance where the Recovery and Hardware Database is located.

    • $DOMAIN$\$USERNAME$ - Input the domain and user name that will be used by the Compliance and Audit reports feature to connect to the Compliance Status Database.

    • $REPORTSSERVERURL$ - Input the URL for the Home location of the SQL Reporting Service website. If the reports were installed to a default SRS instance, the URL will be formatted as “https://$SERVERNAME$/ReportServer”. If the reports were installed to a named SRS instance, the URL will be formatted as “https://$SERVERNAME$/ReportServer_$SQLINSTANCENAME$”.

Configure Access to the Databases

  1. On server or servers where the Recovery and Hardware, and Compliance and Audit databases are deployed, use the Local user and Groups snap-in from Server Manager to add the machine accounts from each server running the MBAM Administration and Monitoring feature to the Local Groups named “MBAM Recovery and Hardware DB Access” (Recovery and Hardware DB Server) and “MBAM Compliance Status DB Access” (Compliance and Audit DB Server).

  2. To automate this procedure, execute a command line similar to the following using Windows PowerShell on the server where the Compliance and Audit databases were deployed.

    PS C:\> net localgroup "MBAM Compliance Auditing DB Access" $DOMAIN$\$SERVERNAME$$ /add

    PS C:\> net localgroup "MBAM Compliance Auditing DB Access" $DOMAIN$\$REPORTSUSERNAME$ /add

  3. On the server where the Recovery and Hardware databases were deployed execute a command line similar to the following using Windows PowerShell.

    PS C:\> net localgroup "MBAM Recovery and Hardware DB Access" $DOMAIN$\$SERVERNAME$$ /add

    Note

    Replace the following values in the example above with the applicable values for your environment:

    • $DOMAIN$\$SERVERNAME$$ - Input the domain and machine name of the MBAM Administration and Monitoring Server. The server name must be followed by a “$” as shown in the example. (e.g.: MyDomain\MyServerName1$)

    • $DOMAIN$\$REPORTSUSERNAME$ - Input the user account name that was used to configure the data source for the Compliance and Audit reports

    The command lines listed for adding server machine accounts to the MBAM local groups must be run for each Administration and Monitoring Server that will be accessing the databases within your environment.

See Also

Other Resources

Operations for MBAM