How to: Setup MBAM 2.5

A couple of years ago, I set up MBAM in a production environment for a company that wanted it. The setup was heartbreaking! It was so complex, and at the time there wasn't any good info online on how to do it. So I published a few blog posts myself, one of which you can find HERE. Well, the good news is that Microsoft has greatly simplified the setup, and it now caters for larger-scale Enterprise environments. If you'd like a video to follow, take a look at this:

It's a great video that shows a start-to-finish setup. This blog post is just my footnotes from my own setup, which was not quite as complex as the setup in the video, as I was setting up on one home server. Many times I use my site as a memory dump from different projects that I've worked on. One note before we start: desktops that you wish to encrypt MUST have a TPM chip UNLESS they are running Windows 8. In the past TPM was a must across the board; however, there is now an option to deploy to Microsoft's newer operating systems without a TPM chip.
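To turn that TPM rule into something you can check before rollout, here is an added PowerShell example (not part of the original post) that reports, per client, whether a TPM is exposed to Windows and whether the machine is Windows 8 or newer, and from that whether it is eligible under the rule above. The Win32_Tpm class and its namespace are standard; the computer names in $computers are constructed placeholders, and admin rights plus WMI access to the remote machines are assumed.

```powershell
# Added example (not from the original post): decide whether a client is eligible
# for MBAM-managed BitLocker given the rule above (TPM required unless Windows 8+).
# Run locally, or pass -ComputerName for a remote machine (admin rights and
# WMI/DCOM access assumed).
function Test-MbamClientEligibility {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    # Windows 8 / Server 2012 report kernel version 6.2; anything newer also qualifies
    $isWin8OrNewer = [version]$os.Version -ge [version]'6.2'

    # Win32_Tpm lives in its own namespace and is absent when no TPM is exposed to Windows
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
             -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $hasTpm   = [bool]$tpm
    # A present-but-disabled TPM still needs BIOS/UEFI work before BitLocker can use it
    $tpmReady = $hasTpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue

    [pscustomobject]@{
        Computer   = $ComputerName
        OSVersion  = $os.Version
        HasTpm     = $hasTpm
        TpmReady   = $tpmReady
        Eligible   = ($hasTpm -or $isWin8OrNewer)
    }
}

# Constructed sample list; replace with names pulled from AD or your inventory
$computers = 'PC-SALES-01', 'PC-SALES-02'
$computers | ForEach-Object { Test-MbamClientEligibility -ComputerName $_ } |
    Format-Table -AutoSize
```

Machines that come back with HasTpm false and Eligible false are the ones to pull out of the deployment collection (or schedule for a hardware refresh) before you push the MBAM client policy.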

Prerequisites

.Net Framework 4.5
If the server you are using already has IIS installed and did not yet have .Net registered with it, you may need to run the command: aspnet_regiis -I

Powershell 3.0

ASP.Net MVC4 for SSP

SQL Server

Download and add the MDOP Group Policy Template: MDOP Template
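Before running the MBAM installer, it is worth confirming the prerequisites above on the server rather than discovering a gap halfway through. The following is an added PowerShell check (not from the original post) run in an elevated session on the server. The .NET release number, Windows feature names and service name pattern are standard; the MVC 4 display-name match is an assumption about how the installer registers itself.

```powershell
# Added example (not from the original post): check an MBAM 2.5 server candidate
# against the prerequisites listed above. Run elevated on the server.

# .NET Framework 4.5 or later: Release 378389 is the documented minimum for 4.5
# under the NDP\v4\Full registry key.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
         -ErrorAction SilentlyContinue
$dotNet45 = [bool]($ndp -and $ndp.Release -ge 378389)

# PowerShell 3.0 or later
$ps3 = $PSVersionTable.PSVersion.Major -ge 3

# IIS with the ASP.NET 4.5 role service (the aspnet_regiis step above only matters
# when IIS was installed before .NET). Get-WindowsFeature is in ServerManager.
Import-Module ServerManager -ErrorAction SilentlyContinue
$iis      = (Get-WindowsFeature Web-Server).Installed
$aspNet45 = (Get-WindowsFeature Web-Asp-Net45).Installed

# ASP.NET MVC 4 for the Self-Service Portal: look it up in the uninstall entries
# (display-name pattern is an assumption).
$mvc4 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' `
          -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft ASP.NET MVC 4*' }

# SQL Server: a running database engine service on this box (local install assumed;
# for a split setup test the remote instance instead).
$sql = Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue |
       Where-Object { $_.Status -eq 'Running' }

[pscustomobject]@{
    DotNet45    = $dotNet45
    PowerShell3 = $ps3
    IIS         = $iis
    AspNet45    = $aspNet45
    MVC4        = [bool]$mvc4
    SqlRunning  = [bool]$sql
}
```

Anything that reports False is a prerequisite to sort out first; the MBAM installer's own prerequisite page will stop on the same items, but this runs in seconds and can be scripted across several servers in a split deployment.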

If you are setting up for a production environment, it's recommended to split the server roles across machines; depending on how large your environment is, that may be two servers or more.

Also, for a production environment it's a good idea to use a certificate (HTTPS) for security purposes.

Similar to the previous version of MBAM, there are several different roles and service accounts required, so you may want to set up the service accounts before you start. They are as follows:

Read/Write access user or group for the databases

Group for Reporting

A domain account for the Compliance and Audit Service

A domain account for the Application Pool

AD Group for Advanced Help Desk Users

AD Group for regular Help Desk Users

Create SPN

Launch the command line as administrator on your server.



As you can see, in my single-server setup I created an SPN pointing to my single server by using the command:

setspn -S http/MBAM01
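The SPN has to be attached to the account that runs the MBAM application pool, and that account is one of the service accounts from the list earlier in the post. The following added PowerShell example (not the post's own commands) covers both: it creates the groups and the two dedicated domain accounts from that list, then registers the SPN for the app-pool account with setspn -S, which refuses to add a duplicate, and finishes by listing and scanning for duplicates. It assumes the ActiveDirectory module (RSAT) and rights to create the objects and write servicePrincipalName; the domain, OU, host, FQDN, group and account names are all placeholders.

```powershell
# Added example (not the post's own commands): create the MBAM service accounts
# and groups listed earlier, then register the app-pool SPN. All names are placeholders.
Import-Module ActiveDirectory

$domain   = 'CONTOSO'                     # placeholder NetBIOS domain name
$ou       = 'OU=MBAM,DC=contoso,DC=local' # placeholder OU for MBAM objects
$mbamHost = 'MBAM01'                      # the (single) MBAM server
$mbamFqdn = 'mbam01.contoso.local'        # placeholder FQDN of that server

# Security groups for the roles in the list above (DB read/write, reporting,
# regular and advanced help desk)
foreach ($g in 'MBAM-DB-RW', 'MBAM-Reporting', 'MBAM-HelpDesk', 'MBAM-AdvHelpDesk') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# Dedicated domain accounts: one for the application pool, one for the
# Compliance and Audit service. Keeping them separate means a compromise of
# one does not hand over the other's access.
foreach ($u in 'svc-mbam-apppool', 'svc-mbam-audit') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        $pw = Read-Host "Password for $u" -AsSecureString
        New-ADUser -Name $u -SamAccountName $u -Path $ou -AccountPassword $pw `
            -Enabled $true -PasswordNeverExpires $true
    }
}

# Register the HTTP SPN on the app-pool account. -S checks the forest first and
# refuses to add a duplicate, so a clash with another account is reported rather
# than silently breaking Kerberos for the MBAM web services. Registering both the
# short name and the FQDN covers either way clients resolve the server.
setspn -S "http/$mbamHost" "$domain\svc-mbam-apppool"
setspn -S "http/$mbamFqdn" "$domain\svc-mbam-apppool"

# Verify: show what is now registered on the account, then scan for duplicates
setspn -L "$domain\svc-mbam-apppool"
setspn -X
```

If you later move the web services to a load-balanced or aliased name, the SPN for that name goes on the same app-pool account; setspn -X after each change is a cheap way to confirm nothing ended up registered twice.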

