MBAM – Install guide – tips

So, as promised: the install guide, or at least some small tips, as the installation is not that hard.

First of all, we are going to use a three-server architecture: one server for the databases, one for administration and monitoring, and one Group Policy server.

To start, we need to create some groups in Active Directory, plus a service account for SQL Server and a service account for the MBAM compliance part. Create the following groups and service accounts in AD:

  • GRP-MBAM-System-Admins
  • GRP-MBAM-Hardware-Users
  • GRP-MBAM-Helpdesk-Users
  • GRP-MBAM-Report-Users
  • GRP-MBAM-Advanced-Helpdesk-Users
  • SA-MBAM-Compliance
  • SA-SQL
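The groups and service accounts above can be created in one go from PowerShell. The script below is an added example, not part of the original post; it uses the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), and the OU paths and the `example.local` domain are assumptions you would replace with your own.

```powershell
# Added example, not part of the original post: creates the AD groups and
# service accounts listed above with the ActiveDirectory module.
# The OU paths and the domain name are assumptions; adjust them to your environment.
Import-Module ActiveDirectory

$GroupOU   = 'OU=MBAM,OU=Groups,DC=example,DC=local'    # assumed OU for the groups
$ServiceOU = 'OU=Service Accounts,DC=example,DC=local'  # assumed OU for the service accounts
$UpnSuffix = 'example.local'                            # assumed UPN suffix

$Groups = @(
    'GRP-MBAM-System-Admins',
    'GRP-MBAM-Hardware-Users',
    'GRP-MBAM-Helpdesk-Users',
    'GRP-MBAM-Report-Users',
    'GRP-MBAM-Advanced-Helpdesk-Users'
)

foreach ($name in $Groups) {
    # Skip groups that already exist so the script can be re-run safely.
    if (-not (Get-ADGroup -Filter { Name -eq $name } -SearchBase $GroupOU)) {
        New-ADGroup -Name $name -SamAccountName $name `
                    -GroupScope Global -GroupCategory Security `
                    -Path $GroupOU -Description "MBAM delegation group: $name"
    }
}

# Service accounts: prompt for each password instead of embedding it in the
# script. The password never expires and the account cannot change it itself,
# the usual arrangement for a fixed service identity.
foreach ($sa in 'SA-MBAM-Compliance', 'SA-SQL') {
    if (-not (Get-ADUser -Filter { SamAccountName -eq $sa })) {
        $secret = Read-Host -Prompt "Password for $sa" -AsSecureString
        New-ADUser -Name $sa -SamAccountName $sa `
                   -UserPrincipalName "$sa@$UpnSuffix" `
                   -Path $ServiceOU -AccountPassword $secret `
                   -PasswordNeverExpires $true -CannotChangePassword $true `
                   -Enabled $true -Description 'MBAM service account'
    }
}
```

Run it once from a domain-joined management host as an account that may create objects in those OUs; the existence checks make it safe to run again if it is interrupted.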

The first server to be installed is the database server, which hosts the following MBAM features:

  • Recovery and Hardware Database
  • Compliance and Audit Database
  • Compliance and Audit Reports

This server requires a SQL Server 2008 (R2) Enterprise installation with the following services installed: Database Engine, Analysis Services and Reporting Services. All of these need to be installed, configured and ready to go. Apart from the basic installation, the SQL Server Agent service needs to be set to start automatically, either in the services.msc console or during the SQL Server installation.

Now that the database server is ready for MBAM, the first thing that needs to be configured is the master encryption key for all the databases. As said in my previous post, all the information in the databases is encrypted to enhance security. To set a master encryption key, do the following:

  • Open SQL Server Management Studio
  • Connect to the database server
  • Click on New Query
  • In the top right pane, type the following:
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password';
  • of course changing the password entry to something else
  • Click on Execute and watch the Messages window; it should say "Command(s) completed successfully"
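The same step can be scripted and, more importantly, verified and backed up: a database master key that only exists on one server makes the encrypted databases unreadable if that server is lost. The script below is an added example and not part of the original post. It assumes the SQL Server PowerShell provider that supplies `Invoke-Sqlcmd` (sqlps on SQL Server 2008 R2) is loaded, that you are connected as a sysadmin, and that the key is created in `master`, the database a new SSMS query window connects to by default. The server name and backup path are assumptions.

```powershell
# Added example, not part of the original post. Creates the master key (same
# statement as in the post) if none exists yet, verifies it, and backs it up.
# Assumes Invoke-Sqlcmd (sqlps on SQL Server 2008 R2) and sysadmin rights.
$Server     = 'DBSERVER'                    # assumed database server name
$BackupPath = 'D:\Secure\mbam-master.key'   # assumed backup location (protect this file)

# Prompt for both passwords so they never land in the script or shell history.
$keyPass = Read-Host -Prompt 'Master key password'  -AsSecureString
$bakPass = Read-Host -Prompt 'Backup file password' -AsSecureString

function ConvertTo-PlainText([Security.SecureString]$s) {
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}
# Double any single quote so the value cannot break out of the T-SQL string literal.
function ConvertTo-SqlLiteral([string]$s) { $s -replace "'", "''" }

$kp = ConvertTo-SqlLiteral (ConvertTo-PlainText $keyPass)
$bp = ConvertTo-SqlLiteral (ConvertTo-PlainText $bakPass)

# A database master key shows up in sys.symmetric_keys under a fixed name.
$check = "SELECT COUNT(*) AS n FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##';"
$exists = Invoke-Sqlcmd -ServerInstance $Server -Database master -Query $check

if ($exists.n -eq 0) {
    Invoke-Sqlcmd -ServerInstance $Server -Database master `
        -Query "CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$kp';"
}

# Confirm the key is present before relying on it.
$exists = Invoke-Sqlcmd -ServerInstance $Server -Database master -Query $check
if ($exists.n -ne 1) { throw 'Master key was not created.' }

# Back the key up, protected by its own password; store the file off the server.
Invoke-Sqlcmd -ServerInstance $Server -Database master `
    -Query "BACKUP MASTER KEY TO FILE = '$BackupPath' ENCRYPTION BY PASSWORD = '$bp';"
```

Keep the backup file and its password apart from the database backups; whoever holds both can open the encrypted databases, so treat them with the same care as the key itself.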

That's it for the SQL part. Now start the MBAM installation and continue until you can select the features to be installed. Deselect the Administration and Monitoring and Group Policy entries and click Next. After the prerequisites checker, fill in all the values, for example the service account created in AD and the paths where you want to store the database files. One of the requested fields is the computer account of the server that will host the Administration and Monitoring website. This computer account will be made a member of the newly created groups on the database server, granting it access to the databases.

The second server to be installed is the Administration and Monitoring server. This server needs to have the following roles and features installed before launching the installation:

  • IIS
    • Common HTTP Features
      • Static Content
      • Default Document
    • Application Development
      • ASP.NET
      • .NET Extensibility
      • ISAPI Extensions
      • ISAPI Filters
    • Security
      • Windows Authentication
      • Request Filtering
  • .NET Framework 3.5.1
    • WCF Activation
      • HTTP Activation
      • Non-HTTP Activation
    • Windows Process Activation Service
      • Process Model
      • .NET Environment
      • Configuration APIs

Installing IIS also installs the Default Web Site, which takes port 80 as its default listener. In order to allow the Administration and Monitoring website to use port 80, it is best to either disable the Default Web Site or, as I did, change the port it is listening on. To change the port, open the IIS management console, expand Sites and select the Default Web Site. In the right pane (or via right-click) select Bindings, then select the http binding. Click Edit, change port 80 to port 81, click OK and click Close. You can then close the IIS management tool.
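The whole preparation of this server, the role and feature list above plus the port change, can be done from an elevated PowerShell prompt. This is an added example, not part of the original post; it uses the ServerManager and WebAdministration modules that ship with Windows Server 2008 R2, and the feature names are the `Add-WindowsFeature` names that correspond to the items in the list.

```powershell
# Added example, not part of the original post: installs the roles and features
# listed above and moves the Default Web Site off port 80. Run in an elevated
# PowerShell session on the Administration and Monitoring server.
Import-Module ServerManager

# Add-WindowsFeature names (Windows Server 2008 R2) for the items in the list.
$Features = @(
    'Web-Server',                                       # IIS
    'Web-Static-Content', 'Web-Default-Doc',            # Common HTTP Features
    'Web-Asp-Net', 'Web-Net-Ext',                       # Application Development
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Windows-Auth', 'Web-Filtering',                # Security
    'NET-Framework-Core',                               # .NET Framework 3.5.1
    'NET-HTTP-Activation', 'NET-Non-HTTP-Activ',        # WCF Activation
    'WAS-Process-Model', 'WAS-NET-Environment',         # Windows Process Activation Service
    'WAS-Config-APIs'
)

$result = Add-WindowsFeature -Name $Features
if (-not $result.Success) { throw "Feature installation failed (exit code $($result.ExitCode))." }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before starting the MBAM setup.' }

# Record which of the requested features are now installed.
Get-WindowsFeature -Name $Features | Format-Table Name, Installed -AutoSize

# Move the Default Web Site from port 80 to 81 so the MBAM site can take port 80.
Import-Module WebAdministration
Set-WebBinding -Name 'Default Web Site' -BindingInformation '*:80:' `
               -PropertyName Port -Value 81
Get-WebBinding -Name 'Default Web Site' | Format-Table protocol, bindingInformation -AutoSize
```

The final `Get-WebBinding` should list the http binding as `*:81:`; if a restart was flagged, reboot before starting the MBAM installer so the prerequisite check sees the features as active.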

After installing these roles and features, the installation of MBAM can be started. Continue the installation until the feature selection is visible again and now select only the Administration and Monitoring option. During the installation the name of the database server is requested, as is the URL of the Reporting Services instance. To allow the wizard to find the reporting URL quickly, first open a browser and go to http://<DBServer>/Reports. It can take a while, but eventually something will show up, which indicates that the reporting engine is working and has been started. Click the Test URL button in the MBAM wizard and click Next if all is okay.

After the installation you are probably wondering how the rights to these services are delegated. During the installation of the various components, local groups were added to the two servers. The database server has two groups with the administration server's computer account as a member (to allow database access), plus a group whose members may view reports and audit information.

The Administration server has five new groups which control access to the various MBAM components. Add the AD groups to these local groups to assign permissions as needed. The delegated permissions are stated in the description of each local group.

  • Administration and Monitoring Server
    • MBAM System Administrators
    • MBAM Hardware Users
    • MBAM Helpdesk Users
    • MBAM Report Users
    • MBAM Advanced Helpdesk Users
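Mapping the AD groups created at the start onto these local groups is the step that actually delegates the rights, so it is worth doing explicitly and checking. The script below is an added example, not part of the original post. It uses the WinNT ADSI provider, which works on Windows Server 2008 R2 (`Add-LocalGroupMember` only exists on newer systems); the domain NetBIOS name is an assumption.

```powershell
# Added example, not part of the original post: adds each domain group to the
# matching local MBAM group on the Administration and Monitoring server and
# prints the delegation described by the installer. Run elevated on that server.
$Domain = 'EXAMPLE'   # assumed NetBIOS domain name

# Local MBAM group -> AD group that should receive that role.
$Mapping = @{
    'MBAM System Administrators'   = 'GRP-MBAM-System-Admins'
    'MBAM Hardware Users'          = 'GRP-MBAM-Hardware-Users'
    'MBAM Helpdesk Users'          = 'GRP-MBAM-Helpdesk-Users'
    'MBAM Report Users'            = 'GRP-MBAM-Report-Users'
    'MBAM Advanced Helpdesk Users' = 'GRP-MBAM-Advanced-Helpdesk-Users'
}

function Get-LocalGroupMemberName([string]$LocalGroup) {
    # Enumerate member names of a local group through the WinNT provider.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$LocalGroup,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

foreach ($local in $Mapping.Keys) {
    $adGroup = $Mapping[$local]
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$local,group"

    # The group description is where the installer states the delegated permissions.
    Write-Host ("{0}: {1}" -f $local, $group.Description)

    if ((Get-LocalGroupMemberName $local) -notcontains $adGroup) {
        $group.Add("WinNT://$Domain/$adGroup,group")
        Write-Host "  added $Domain\$adGroup"
    } else {
        Write-Host "  $Domain\$adGroup already a member"
    }
}
```

Re-running the script is harmless because membership is checked before each add; the printed descriptions also give you a quick review of which role each local group grants before anyone is placed in it.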

The main infrastructure is now ready. Next are the policies that need to be applied to the clients. These policies are located in the Group Policies part of the MBAM installation program. On a computer running the Group Policy Management Console you can install the Group Policies from the MBAM installer. This adds ADM templates to the Group Policy editor. If you edit a GPO (existing or new) you will see a new entry under Computer Configuration/Policies/Administrative Templates/Windows Components called MDOP MBAM (BitLocker Management). This entry is also visible in the User Configuration hive. The recommended policies can be found at: http://onlinehelp.microsoft.com/en-us/mdop/hh285629.aspx


And now all that is left is the installation of the client. This is a small MSI installer that requires no input. Just run the file on a laptop and you're done.