How to: Setup MBAM 2.5

  • Rory Monaghan
  • January 19, 2015
BitLocker

A couple of years ago, I set up MBAM in a production environment for a company that wanted it. The setup was heartbreaking! It was so complex, and at the time there wasn't any good information online on how to do it, so I published a few blog posts myself. One of them you can find HERE. Well, the good news is that Microsoft greatly simplified the setup and they now cater for larger-scale enterprise environments. If you'd like a video to follow, take a look at this:

It's a great video that shows a start-to-finish setup. This blog post is just my footnotes from my own setup, which was not quite as complex as the setup in the video, as I was setting up on one home server. Many times I use my site as a memory dump from different projects that I've worked on. One note before we start: desktops that you wish to encrypt MUST have a TPM chip UNLESS they are running Windows 8. In the past TPM was a must across the board; however, there is now an option to deploy to Microsoft's newer operating systems without a TPM chip.

Pre-requisites

.NET Framework 4.5
If the server you are using already has IIS installed and did not yet have .NET when IIS went on, ASP.NET will not be registered with IIS; you may need to run aspnet_regiis -i (found under %windir%\Microsoft.NET\Framework64\v4.0.30319) to register it.

Powershell 3.0

ASP.Net MVC4 for SSP

SQL Server

Download and add the MDOP Group Policy Template: MDOP Template
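The pre-requisites above are easy to miss one at a time, so here is an added PowerShell check (my own example, not part of the original post) that reports on each of them from an elevated session on the intended MBAM server. The SQL host name reuses the post's server; the SQL port, the MVC 4 uninstall-key lookup and the Windows feature names are my assumptions about a default install.

```powershell
# Added example (not from the original post): checks the MBAM 2.5 server
# pre-requisites listed above. Values marked ASSUMPTION are my own choices.
$sqlServer = 'MBAM01.Rorymon.com'   # same single server as in the post
$sqlPort   = 1433                    # ASSUMPTION: default SQL instance port

$results = @()

# .NET Framework 4.5 or later: a "Release" value of 378389 is 4.5 RTM
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$ndpInfo = if ($ndp) { "Release=$($ndp.Release)" } else { 'v4 Full key missing' }
$results += [pscustomobject]@{ Check = '.NET Framework 4.5+'; Ok = ($ndp -and $ndp.Release -ge 378389); Info = $ndpInfo }

# PowerShell 3.0 or later
$results += [pscustomobject]@{ Check = 'PowerShell 3.0+'; Ok = ($PSVersionTable.PSVersion.Major -ge 3); Info = "Version=$($PSVersionTable.PSVersion)" }

# IIS with ASP.NET 4.5 registered (feature names are an ASSUMPTION for Server 2012;
# if IIS was installed before .NET, aspnet_regiis -i is the fix)
$webServer = Get-WindowsFeature Web-Server -ErrorAction SilentlyContinue
$aspNet    = Get-WindowsFeature Web-Asp-Net45 -ErrorAction SilentlyContinue
$iisInfo   = "Web-Server=$($webServer.Installed) Web-Asp-Net45=$($aspNet.Installed)"
$results += [pscustomobject]@{ Check = 'IIS with ASP.NET 4.5'; Ok = ($webServer.Installed -and $aspNet.Installed); Info = $iisInfo }

# ASP.NET MVC 4 for the Self Service Portal: ASSUMPTION that it shows up in the
# Uninstall keys with a DisplayName starting "Microsoft ASP.NET MVC 4"
$mvc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like 'Microsoft ASP.NET MVC 4*' }
$mvcInfo = if ($mvc) { ($mvc | Select-Object -First 1).DisplayName } else { 'not found in Uninstall keys' }
$results += [pscustomobject]@{ Check = 'ASP.NET MVC 4'; Ok = [bool]$mvc; Info = $mvcInfo }

# SQL Server reachable on its TCP port (TcpClient works on PowerShell 3.0,
# where Test-NetConnection is not yet available)
$sqlOk  = $false
$client = New-Object System.Net.Sockets.TcpClient
try { $client.Connect($sqlServer, $sqlPort); $sqlOk = $client.Connected } catch { } finally { $client.Close() }
$results += [pscustomobject]@{ Check = "SQL Server ${sqlServer}:${sqlPort}"; Ok = $sqlOk; Info = 'TCP connect' }

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { Write-Warning 'One or more pre-requisites are missing; fix them before launching the MDOP install.' }
```

The SQL check only proves the port is open; Reporting Services being installed and configured, which the install section below depends on, still has to be confirmed in Reporting Services Configuration Manager.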

If you are setting up for a production environment, it's recommended to split the server roles across machines. Depending on how large your environment is, that may be two servers or more.

Also, for a production environment it's a good idea to use a certificate for security purposes.

Similar to the previous version of MBAM, there are several different roles and service accounts required, so you may want to set up the service accounts before you start. They are as follows:

Read\Write Access User or Group for Databases

Group for Reporting

A domain account for the Compliance and Audit Service

A domain account for the Application Pool

AD Group for Advanced Help Desk Users

AD Group for regular Help Desk Users

Create SPN

Launch the command line as administrator on your server

setspn

As you can see, in my single server setup I created an SPN pointing to my single server by using the command:

setspn -S http/MBAM01.Rorymon.com MBAM01

Install MBAM

On your single server, which has all of the pre-reqs mentioned above as well as SQL Server (with Reporting Services installed and configured), launch the install from MDOP.

Step1

Click Next

Step2

Check the checkbox ‘I accept the terms in the License Agreement’ and click Next

Step3

I chose not to use Microsoft Update, as I manage my own patching, and clicked Next

Step4

Pick whatever option you’d like for this and Click Next

Step5

Click Install

Step6

Click Finish

Step7

Click Add New Features


Step1

Check all boxes, except those related to System Center Configuration Manager Integration and click Next >

Step2

Click Next >

Step3

Fill in the above for your own single server name. This should ensure the Databases are installed on your server. Here you can also pass your pre-created AD Group\Users and click Next >

Step4

Also fill in the reports setup, again using those previously created AD accounts, and click Next >

Step6

In my setup, I chose not to use a certificate. You'll again need to use the account you set up as part of the pre-reqs, then click Next >

Step7

You'll again need to pass the groups we created as pre-reqs. You'll see the option to Use System Center Configuration Manager Integration if you'd like to integrate with SCCM; you can do so by installing on your SCCM server. For a little more info on what you get out of integrating, check out my short video HERE. Click Next >

Step9

Click Add and Next >

Step10

Click Close (The warnings in my screenshot are due to me using Admin users and also not using a certificate)

To verify the setup, you can open IIS and ensure the following web services are installed:

IISServices
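Rather than eyeballing IIS Manager, the same verification can be scripted. This is an added example of my own, not from the post: it lists the MBAM web applications and their application pools under the MBAM site and then requests the recovery service address that the GPO will later be pointed at. The site name and the list of expected applications are my assumptions about a default MBAM 2.5 install; the service URL is the one used in the GPO section of this post.

```powershell
# Added example (not from the original post): checks that the MBAM web
# applications exist in IIS and that the recovery service URL answers.
# Site name and expected application list are ASSUMPTIONS about a default
# MBAM 2.5 install; the service URL is the one from the post's GPO section.
Import-Module WebAdministration

$siteName     = 'Microsoft BitLocker Administration and Monitoring'     # ASSUMPTION
$expectedApps = 'MBAMAdministrationService', 'MBAMComplianceStatusService',
                'MBAMRecoveryAndHardwareService', 'HelpDesk', 'SelfService'  # ASSUMPTION
$serviceUrl   = 'https://MBAM01.Rorymon.com:316/MBAMRecoveryAndHardwareService/CoreService.svc'

$site = Get-Website -Name $siteName
if (-not $site) { throw "IIS site '$siteName' not found; the web features may not have been installed." }
Write-Host "Site '$siteName' is $($site.State)"
Get-WebBinding -Name $siteName | ForEach-Object { Write-Host "  binding: $($_.protocol) $($_.bindingInformation)" }

# Compare the applications under the site with the list we expect, and report
# whether each one's application pool is actually running.
$present = Get-WebApplication -Site $siteName | ForEach-Object { $_.path.TrimStart('/') }
foreach ($app in $expectedApps) {
    if ($present -contains $app) {
        $pool      = (Get-WebApplication -Site $siteName -Name $app).applicationPool
        $poolState = (Get-WebAppPoolState -Name $pool).Value
        Write-Host ("  {0,-32} app pool '{1}' is {2}" -f $app, $pool, $poolState)
    } else {
        Write-Warning "  $app is missing"
    }
}

# A GET on the .svc address should return the WCF service page (HTTP 200).
# Without a trusted certificate this fails on HTTPS, which is itself a useful
# signal: clients will refuse the endpoint for the same reason.
try {
    $resp = Invoke-WebRequest -Uri $serviceUrl -UseDefaultCredentials -UseBasicParsing
    Write-Host "Recovery service answered HTTP $($resp.StatusCode) at $serviceUrl"
} catch {
    Write-Warning "Recovery service check failed: $($_.Exception.Message)"
}
```

Run it with the same account you intend to grant Help Desk rights, so the request exercises the Windows authentication path the portal will use.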

Deploy\Encrypt Client Machines

Create a Group Policy object. You can toggle through the MBAM Policies and configure for your environment. You should find the MDOP MBAM policy options:

GPO

You will want to set all that apply to your desired environment, e.g. if you do not wish to enforce encryption of removable drives then there is no need to configure that. You should, however, configure the Client Management, Fixed Drive and Operating System Drive settings.

GPO1

You will want to fill in the correct value pointing to the services on your server. e.g. https://MBAM01.Rorymon.com:316/MBAMRecoveryAndHardwareService/CoreService.svc

GPO2

There's an option to store the machine's encryption key in Active Directory; anybody who has installed the BitLocker key viewer feature in RSAT will then be able to see the key through the computer object in AD. It's not required; if you really need to, you can view the keys in the database, which is maybe a little easier to secure...

Exemptions

You can do other things, such as allow exemptions from encryption, if desired. You can also set a security notice for all to agree to before they can use the Self Service Portal to unlock their drive. Microsoft have done a great job of detailing the Group Policy options in the help. You can navigate through these and set whatever suits your environment.

You can deploy the agent MSI to your desktops through SCCM, LANDESK or maybe GPO, however you'd like to do it. Your users should receive a prompt to encrypt; this may take some time. If the prompt is never received, you should check the event logs. I've noticed this issue myself: HERE. There are also some registry settings under the Policy hive which can be tweaked to make the client talk back to the server more frequently.
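When the encryption prompt never shows up, the questions are always the same: did the policy arrive, can the client reach the service it was given, is there a usable TPM, and what does the agent's own log say. This added PowerShell check (my own example, not from the post) walks through those on a client. The policy value names under the Policy hive are my assumptions about what the MDOP MBAM GPO writes; the Microsoft-Windows-MBAM event logs are the MBAM client's own logs.

```powershell
# Added example (not from the original post): run on a client after the agent
# MSI and GPO have been applied. Policy value names are ASSUMPTIONS about what
# the MDOP MBAM GPO writes; the event log names are the MBAM client's own.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'

# 1. Has the GPO arrived, and does it point at the right server?
#    (ASSUMPTION: documented defaults are 90 min wake-up and 720 min status reporting)
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No MBAM policy under $policyKey; run gpupdate /force and check the GPO scope."
} else {
    foreach ($name in 'KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndPoint',
                      'ClientWakeupFrequency', 'StatusReportingFrequency') {
        $value = $policy.$name
        if ($null -eq $value) { Write-Warning "  $name not set" } else { Write-Host "  $name = $value" }
    }
}

# 2. Can the client actually reach the recovery service it was given?
if ($policy -and $policy.KeyRecoveryServiceEndPoint) {
    try {
        $uri = [uri]$policy.KeyRecoveryServiceEndPoint
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($uri.Host, $uri.Port)
        Write-Host "  TCP connect to $($uri.Host):$($uri.Port) succeeded"
        $tcp.Close()
    } catch {
        Write-Warning "  Cannot reach $($policy.KeyRecoveryServiceEndPoint): $($_.Exception.Message)"
    }
}

# 3. TPM and BitLocker state. Get-Tpm / Get-BitLockerVolume exist on Windows 8
#    and later; on Windows 7 (where a TPM is mandatory) fall back to manage-bde.
if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
    $tpm = Get-Tpm
    Write-Host "  TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)"
} else {
    Write-Host '  Get-Tpm not available (pre-Windows 8): this OS needs a TPM for MBAM to encrypt'
}
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage | Format-Table -AutoSize
} else {
    manage-bde -status
}

# 4. The agent's own logs are where a stalled prompt explains itself
foreach ($log in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
    Write-Host "Last events from ${log}:"
    Get-WinEvent -LogName $log -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap -AutoSize
}
```

If step 1 shows the endpoints but step 2 fails, the problem is network or certificate trust on the client; if both pass and the Admin log is empty, the agent service itself is usually not running.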

Tags: MBAM 2.5, Step by Step setup MBAM 2.5