A couple of years ago, I set up MBAM in a production environment for a company that wanted it. The setup was heartbreaking! It was so complex, and at the time there wasn't any good info online on how to do it, so I published a few blog posts myself, one of which you can find HERE. Well, the good news is that Microsoft has greatly simplified the setup and now caters for larger-scale enterprise environments. If you'd like a video to follow, take a look at this:
It's a great video that shows a start-to-finish setup. This blog post is just my footnotes from my own setup, which was not quite as complex as the setup in the video, as I was setting up on one home server. Many times I use my site as a memory dump from different projects that I've worked on. One note before we start. Desktops that you wish to encrypt MUST have a TPM chip UNLESS they are running Windows 8. In the past TPM was a must across the board; now there's a policy option to encrypt the operating system drive on Microsoft's newer operating systems without a TPM chip, in which case the drive is protected with a password instead of the TPM.
.NET Framework 4.5
If IIS was already installed on the server before .NET Framework 4.5 was added, ASP.NET 4.5 may not be registered with IIS, and the MBAM web services will fail until it is. On Windows Server 2008 R2 run, from an elevated prompt: %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i. On Windows Server 2012 that command refuses to run against IIS 8; add the ASP.NET 4.5 role service through Server Manager instead, or with dism /online /enable-feature /featurename:IIS-ASPNET45 /all.
Download the MDOP Group Policy Templates (MDOP Template) and copy the MBAM ADMX and ADML files into your PolicyDefinitions folder, or into the central store in SYSVOL, so the MBAM settings appear in the Group Policy editor.
If you are setting up a production environment, it's recommended to split the roles across servers. How many depends on the size of your environment; it may be two servers or more.
Also, for a production environment, use a certificate on the web services. Without one the clients upload recovery keys to the Recovery and Hardware service over plain HTTP, and the Help Desk and Self Service portals hand them back out the same way, so anyone on the network path can read them.
Similar to the previous version of MBAM, there are several roles and service accounts required, so you may want to set up the service accounts before you start. They are as follows:
Read\Write Access User or Group for Databases
Group for Reporting
A domain account for the Compliance and Audit Service
A domain account for the Application Pool
AD Group for Advanced Help Desk Users
AD Group for regular Help Desk Users
Launch the command line as administrator on your server
As you can see in my single-server setup, I created an SPN pointing to my single server by using the command:
setspn -S http/MBAM01.Rorymon.com MBAM01
Kerberos only works if the SPN sits on the identity the web service actually runs as. If the application pool runs as the domain account from the pre-reqs rather than as the computer, register the SPN on that account instead of MBAM01. Use -S rather than -A: -S checks the forest for an existing SPN first, and a duplicate SPN silently breaks Kerberos authentication to the site.
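The pre-reqs above (groups, service accounts and the SPN) as one PowerShell script. This is an added example and not code from the original post; it is run once from a domain-joined machine with the RSAT ActiveDirectory module. MBAM01 and Rorymon.com are the post's own names; the OU, group names and account names are assumptions to change for your environment.

```powershell
# Added example (not from the original post): MBAM pre-req accounts, groups and SPN.
# Assumed names: the OU path, the group names and the two service account names.
Import-Module ActiveDirectory

$domain = 'rorymon.com'                   # the post's domain
$ou     = 'OU=MBAM,DC=rorymon,DC=com'     # assumed OU; create it before running this
$server = 'MBAM01'                        # single-server setup, as in the post
$fqdn   = "$server.$domain"

# One security group per MBAM role listed in the pre-reqs
$groups = @(
    'MBAM DB ReadWrite',        # read/write access to the MBAM databases
    'MBAM Reports Users',       # reporting
    'MBAM Advanced Helpdesk',   # can recover any user's drive without a user name
    'MBAM Helpdesk'             # regular help desk: must supply user and domain
)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# Two plain domain users: one for the Compliance and Audit service, one for the IIS app pools.
# Neither needs local admin on MBAM01; the installer warns if you feed it admin accounts.
$pw = Read-Host -AsSecureString 'Password for the MBAM service accounts'
foreach ($sam in 'svc_mbam_reports', 'svc_mbam_apppool') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$domain" `
            -AccountPassword $pw -Enabled $true -Path $ou
    }
}
# Database access is granted through the group, not directly to the account
Add-ADGroupMember -Identity 'MBAM DB ReadWrite' -Members 'svc_mbam_apppool'

# Kerberos SPN on the identity the web services run as. The post registers it on the
# computer account (setspn -S http/MBAM01.Rorymon.com MBAM01) because the site runs as the
# computer; with a domain app-pool account it must go on that account instead.
# -S refuses to add a duplicate, which -A would happily create and thereby break Kerberos.
& setspn -S "http/$fqdn"   svc_mbam_apppool
& setspn -S "http/$server" svc_mbam_apppool

# Show what is now registered
& setspn -L svc_mbam_apppool
```

If you later front the web services with a load balancer or a DNS alias, the SPN has to be for that name, since that is the name clients put in their Kerberos ticket request.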
On your single server, which has all of the pre-reqs mentioned above as well as SQL Server (with Reporting Services installed and configured), launch the MBAM installer from the MDOP media.
Check the checkbox ‘I accept the terms in the License Agreement’ and click Next
I chose not to use Microsoft Update, as I manage my own patching, and clicked Next
Pick whatever option you’d like for this and Click Next
Click Add New Features
Check all boxes, except those related to System Center Configuration Manager Integration and click Next >
Click Next >
Fill in your own server name here. This ensures the databases are installed on your server. Here you also pass the AD group or users you created for database access, then click Next >
Fill in the reporting setup the same way, again using the accounts created earlier, and click Next >
In my setup, I chose not to use a certificate. You'll again need the account you set up as part of the pre-reqs, then click Next >
You'll again need to pass the groups created as pre-reqs. You'll see the option to Use System Center Configuration Manager Integration, if you'd like to integrate with SCCM. You can do so by installing on your SCCM server. For a little more info on what you get out of integrating, check out my short video HERE. Click Next >
Click Add and Next >
Click Close (the warnings in my screenshot are due to me using admin users and also not using a certificate; the installer flags both because the service accounts then hold more privilege than they need and the key traffic is unencrypted)
To verify the setup, open IIS Manager and ensure the following web services are installed:
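A scripted version of that check, as an added example rather than anything from the original post: run on the MBAM server itself (WebAdministration module, PowerShell 3.0 or later), it lists the web applications the installer created, shows which identity each application pool runs as, confirms an https binding exists, and requests the WSDL of every .svc it finds on disk. The base URL reuses the post's server name and port; the site name and everything else are assumptions.

```powershell
# Added example (not from the original post): post-install verification of the MBAM web tier.
Import-Module WebAdministration

$site = 'Default Web Site'                 # assumed: the installer places the MBAM apps under the default site
$base = 'https://MBAM01.Rorymon.com:316'   # the post's endpoint; use http:// if you skipped the certificate

# 1. Each MBAM web application and the account its application pool runs as.
#    Pools should run as the domain app-pool account from the pre-reqs, not a built-in identity.
foreach ($app in Get-WebApplication -Site $site) {
    $pool = Get-Item "IIS:\AppPools\$($app.ApplicationPool)"
    [pscustomobject]@{
        App      = $app.Path
        Pool     = $app.ApplicationPool
        Identity = $(if ($pool.processModel.identityType -eq 'SpecificUser') { $pool.processModel.userName }
                     else { $pool.processModel.identityType })
        Folder   = $app.PhysicalPath
    }
}

# 2. The Help Desk and Self Service portals hand out recovery keys, so there must be an https binding.
$https = Get-WebBinding -Name $site -Protocol https
if (-not $https) { Write-Warning "No https binding on '$site': recovery keys will travel in the clear." }
else { $https | Select-Object protocol, bindingInformation }

# 3. Request the WSDL of each WCF service file the installer dropped on disk. A 200 proves IIS,
#    the ASP.NET 4.5 registration and the app-pool identity all work; a 401 or 500 here is what a
#    client that never prompts to encrypt is hitting silently.
foreach ($app in Get-WebApplication -Site $site) {
    $folder = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
    foreach ($svc in Get-ChildItem -Path $folder -Filter *.svc -ErrorAction SilentlyContinue) {
        $url = "$base$($app.Path)/$($svc.Name)?wsdl"
        try {
            $code = (Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing).StatusCode
            "{0,-95} {1}" -f $url, $code
        } catch {
            "{0,-95} FAILED: {1}" -f $url, $_.Exception.Message
        }
    }
}
```

Run the WSDL loop once more from a client machine, with the same URLs, before rolling out the agent: a firewall or a certificate the client does not trust shows up there as a failure that looks identical to a broken server from the client's side.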
Deploy\Encrypt Client Machines
Create a Group Policy object. You can toggle through the MBAM Policies and configure for your environment. You should find the MDOP MBAM policy options:
You will want to set all that apply to your desired environment, e.g. if you do not wish to enforce encryption of removable drives then there is no need to configure that. You should, however, configure the Client Management, Fixed Drive and Operating System Drive settings.
Under Client Management, the Configure MBAM Services policy is the one the client cannot work without: fill in the Recovery and Hardware service endpoint and the Status reporting service endpoint with values pointing to the services on your server, e.g. https://MBAM01.Rorymon.com:316/MBAMRecoveryAndHardwareService/CoreService.svc. The same policy sets how often the client checks in (90 minutes by default) and reports status (720 minutes by default).
There's an option to also store each machine's recovery key in Active Directory. Anyone who has read permission on the msFVE-RecoveryInformation objects under the computer account (domain admins by default, plus whoever you delegate to) and has installed the BitLocker Recovery Password Viewer RSAT feature will then be able to see the key through the computer object in AD. It's not required; the keys are already in the MBAM database, where access is limited to the help desk groups you created and every retrieval is audited, which is maybe a little easier to secure.
You can do other things, such as allow exemptions from encryption, if desired. You can set a security notice for all to agree to before they can use the Self Service Portal to unlock their drive too. Microsoft has done a great job of detailing the Group Policy options in the help. You can navigate through these and set whatever suits your environment.
You can deploy the agent MSI to your desktops through SCCM, LANDesk or maybe GPO, however you'd like to do it. Your users should receive a prompt to encrypt; this may take some time, as the client only contacts the server on its check-in schedule. If the prompt is never received, check the MBAM Admin and Operational event logs on the client. I've noticed this issue myself: HERE. There are also registry values under the Policies hive (the client check-in and status reporting frequencies written by the Configure MBAM Services policy) that can be lowered to make the client talk back to the server more often, but anything you edit there by hand is overwritten at the next Group Policy refresh, so change them in the GPO itself, or just restart the MBAM client service to force a check-in.
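For a client that never prompts, the checks above in one script. This is an added example and not code from the original post: it reads the policy values the MBAM client GPO writes, tests the port on the recovery endpoint, looks at the agent service and its event log, reports TPM and volume state, then forces a check-in. The registry path and value names are what the MBAM client policy writes as far as I know them, so treat them as assumptions and confirm against a gpresult on your own client; run it elevated.

```powershell
# Added example (not from the original post): why is this client not prompting to encrypt?
# Assumed: registry path and value names under the Policies hive, service name MBAMAgent,
# event log name Microsoft-Windows-MBAM/Admin.
$policy = 'HKLM:\SOFTWARE\Policies\FVE\MDOPBitLockerManagement'

# 1. Did the GPO land at all? No key means the client is not in scope of the MBAM policy.
if (-not (Test-Path $policy)) {
    throw "MBAM policy not present. Run gpupdate /force, then gpresult /h report.html and check scope/filtering."
}
$p = Get-ItemProperty $policy
[pscustomobject]@{
    RecoveryEndpoint = $p.KeyRecoveryServiceEndPoint
    StatusEndpoint   = $p.StatusReportingServiceEndPoint
    WakeupMinutes    = $p.ClientWakeupFrequency       # 90 by default
    StatusMinutes    = $p.StatusReportingFrequency    # 720 by default
}

# 2. Can the client reach the recovery service port? A firewall or a typo in the endpoint
#    produces a silent client, not an error dialog. Plain TCP test so it works on Windows 7 too.
function Test-Port([string]$Computer, [int]$Port) {
    $tcp = New-Object Net.Sockets.TcpClient
    try { $tcp.Connect($Computer, $Port); return $true } catch { return $false } finally { $tcp.Close() }
}
$ep = [uri]$p.KeyRecoveryServiceEndPoint
"Recovery endpoint {0}:{1} reachable: {2}" -f $ep.Host, $ep.Port, (Test-Port $ep.Host $ep.Port)

# 3. Is the agent running, and what has it logged recently?
Get-Service MBAMAgent | Select-Object Name, Status
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# 4. TPM and drive state decide whether the client will ever prompt. Win32_Tpm and manage-bde
#    exist on Windows 7 as well as Windows 8; on Windows 8 without a TPM the OS-drive policy
#    must allow BitLocker without a compatible TPM (password protector), or nothing happens.
Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm |
    Select-Object IsEnabled_InitialValue, IsActivated_InitialValue, IsOwned_InitialValue
& manage-bde -status

# 5. Force a check-in now instead of waiting up to ClientWakeupFrequency minutes. Restarting
#    the agent makes it re-read policy and contact the server, without editing the Policies
#    hive by hand (which the next Group Policy refresh would overwrite anyway).
Restart-Service MBAMAgent
```

If the WMI query returns nothing at all, the machine has no TPM (or it is disabled in firmware), which on Windows 7 is the end of the story for MBAM: only Windows 8 gets the no-TPM password option.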