How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 4

 

In part 3 of this multi-part MBAM 2.5 SP1 guide, we installed the MBAM prerequisites for Configuration Manager 2012 and made the changes to the MOF file, the inventory changes, the MBAM collection, etc.

In this part 4, we will look at the main components of MBAM 2.5 SP1: the databases, reports and web applications.

Log in to the MBAM01 server with the CM_SRV (MBAM_admin) account, mount the MDOP 2015 ISO, and browse to the MBAM 2.5 SP1 folder.

Run MBAMserversetup with the default options (Next, Next, Next) until the last screen.

Click Add new features.

We will first install the databases and reports, and install the web applications later.

Enter the SQL Server name (whether it is installed locally or on a remote server).

I have used the default instance (MSSQLSERVER), so I leave it blank; if you have a named instance, provide its name.

Use the account you created in AD for database read and write access.

Recovery database:

Enter the reporting role domain group name (MBAM_HD_Reports) and the compliance and audit domain account name (MBAM_DB_RO).

Check the summary page to confirm that everything is set correctly.

If you have other servers on which you want to install these components and you don't want to follow all these steps again, you can export the PowerShell script, change the components (such as certificate, account, etc.) and run the script on the other server to make things easier.

With this, we have installed the compliance database and the recovery database.

Check whether these databases were created by opening SQL Server Management Studio.

The account that you specified during the installation is also added automatically with the required permissions.

Next, we will install the web applications.

On the server, search for mbam from the Start menu and open MBAM Server Configuration to add the web applications.

Click Add new features.

As I am not using SSL for now, I will check "do not use certificate".

Enter the host name, IIS path and port number (if you have enabled the firewall, you must allow this port for website communication).

Fill in the details as shown below.

image

image

Enable TPM Lockout Auto Reset is a new feature in MBAM 2.5 SP1. On computers running TPM 1.2, you can now configure MBAM to automatically unlock the TPM in case of a lockout. If the TPM lockout auto reset feature is enabled, MBAM can detect that a user is locked out and then get the OwnerAuth password from the MBAM database to automatically unlock the TPM for the user.

This feature must be enabled on both the server side (enable as shown above) and in Group Policy on the client side (we will configure this later).

SQL Server Reporting Services URL: http://MBAM01.corp.eskonr.com/ReportServer (if you are using SSL, use https).

Let's check in IIS whether these websites were created.

From the Run command, type inetmgr.
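The same check can be scripted. The following is an added example, not part of the original guide: it lists every IIS site that hosts MBAM applications together with its bindings, and warns when a site has no https binding (the result of choosing not to use a certificate above). The function name and the application-name pattern are assumptions; the pattern is based on the helpdesk, selfservice and MBAM service names that appear on this page.

```powershell
# Added example: report the bindings of every IIS site that hosts MBAM applications.
# Run in an elevated PowerShell session on the MBAM web server (MBAM01 in this guide).
Import-Module WebAdministration

# Path fragments of the MBAM applications named on this page (helpdesk, selfservice,
# MBAM*Service). Assumption: your installation kept these default application names.
$MbamAppPattern = 'HelpDesk|SelfService|MBAM'

# Hypothetical helper name, not part of MBAM or IIS.
function Get-MbamSiteBindingReport {
    foreach ($site in Get-Website) {
        $apps = @(Get-WebApplication -Site $site.Name |
                  Where-Object { $_.path -match $MbamAppPattern })
        if ($apps.Count -eq 0) { continue }   # this site hosts no MBAM application

        $bindings = @(Get-WebBinding -Name $site.Name)
        $https    = @($bindings | Where-Object { $_.protocol -eq 'https' })

        [pscustomobject]@{
            Site         = $site.Name
            Applications = ($apps | ForEach-Object { $_.path }) -join ', '
            Bindings     = ($bindings | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join '; '
            HttpsBound   = ($https.Count -gt 0)
        }
    }
}

$report = @(Get-MbamSiteBindingReport)
if ($report.Count -eq 0) {
    Write-Warning 'No IIS site with MBAM applications found; the web application install may have failed.'
}
foreach ($row in $report) {
    if (-not $row.HttpsBound) {
        # The helpdesk and self-service pages return BitLocker recovery keys, so an
        # HTTP-only site sends them across the network unencrypted.
        Write-Warning "Site '$($row.Site)' has no https binding: $($row.Bindings)"
    }
}
$report | Format-List
```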

Right-click on helpdesk, choose Manage Application – Browse, and you will see the helpdesk web page.

If you don't see reports, then you are not a member of the group 'MBAM_HD_Reports'. Only the user MBAM_report1 is a member and can view reports.

To view the two options Drive Recovery and Manage TPM, the user must be a member of the MBAM_HD_ADv group. To see only reports, the user must be a member of MBAM_HD_reports.

If the user is a member of only MBAM_HD_Reports, they can see only reports.
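Because these two groups decide who can reach Drive Recovery and Manage TPM, it is worth reviewing their effective membership, including nested groups. The following is an added example, not part of the original guide: it assumes the ActiveDirectory (RSAT) module is installed and uses the group names exactly as written above; the function name is hypothetical.

```powershell
# Added example: list who holds each MBAM Helpdesk role through AD group membership.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Group names as written in this guide, mapped to the Helpdesk options the guide
# says each one unlocks. Replace them if your groups are named differently.
$MbamRoles = [ordered]@{
    'MBAM_HD_ADv'     = 'Drive Recovery, Manage TPM'
    'MBAM_HD_Reports' = 'Reports'
}

# Hypothetical helper name, not part of MBAM.
function Get-MbamHelpdeskAccess {
    $rows = foreach ($group in $MbamRoles.Keys) {
        try {
            # -Recursive expands nested groups so indirect members are included.
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    [pscustomobject]@{
                        User    = $_.SamAccountName
                        Role    = $group
                        Options = $MbamRoles[$group]
                    }
                }
        } catch {
            Write-Warning "Could not read group '$group': $($_.Exception.Message)"
        }
    }

    # One line per user, with every role and Helpdesk option that user ends up with.
    $rows | Group-Object -Property User | ForEach-Object {
        [pscustomobject]@{
            User            = $_.Name
            Roles           = ($_.Group | ForEach-Object { $_.Role }) -join ', '
            HelpdeskOptions = ($_.Group | ForEach-Object { $_.Options }) -join ', '
        }
    } | Sort-Object -Property User
}

Get-MbamHelpdeskAccess | Format-Table -AutoSize
```

Any account listed with Drive Recovery that is not a helpdesk operator is a candidate for removal from the group.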

Do the same for the self-service portal.

If you want to configure the self-service portal to change the company name, display text, etc., go to the IIS server, click on selfservice and open Application Settings.

With this, we have successfully installed the databases, reports and web applications on our MBAM server.

In part 5 of this series, we will see how to configure the prerequisites (GPOs etc.) for clients before we start BitLocker encryption on computers.

32 Responses to "How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 4"

  1. I have a small query.

    I have set up MBAM with SCCM. For the reporting server, if I provide the SCCM RP server URL, can I see the reports in the SCCM console, or do I need to install the MBAM reporting feature first on the SCCM RP server?

    I have done this once: I installed the MBAM Reporting feature on the SCCM server. It was working like a standard reporting server. I wasn't able to see the reports in the SCCM console.

    Please clear this doubt

    1. Hi,
      If you want to see reports in the SCCM console, you would need to run the MBAM setup wizard and run the SCCM integration, which would install the reports, collections and also the configuration item for the compliance check.

      Thanks,
      Eswar

  2. Hey, Eswar. Great guide! Quick question- It states in your guide to use the MBAM_DB_RW for the Compliance and Audit database Read/Write access domain user or group. On the MS guide (https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases) it states "If you enter a user in this field, it must be the same value as the value in the Web service application pool domain account field on the Configure Web Applications page." Wouldn't that be the MBAM_HD_AppPool account?

  3. If you plan to install MBAM on SQL Server 2016 SP1, please complete the following. If not, the New Features install will fail.

    When I started to install New Features on the MBAM server, I was getting a database and prerequisite error. The issue was that I was running SQL 2016 SP1 with no CUs. This is what I did to fix the above error.

    1. Installed SQLServer2016-KB4019089-x64.exe

    2. SQLServer2016-KB4057119-x64.exe

    3. MBAM2.5_X64_Server_KB4041137.exe

    4. MBAM2.5_X64_Server_KB4041137.msp

    5. Restarted the Server

    6. Installed New Features - Compliance & Audit Database, Recovery Database & Reports

    All working fine now.

    RL

    1. Where do you find MBAM2.5_X64_Server_KB4041137.exe and MBAM2.5_X64_Server_KB4041137.msp. I am having the same issue with SQL 2016 SP1 but these two files are nowhere to be found..... where did you get these?

  4. Got a quick question. I am doing SCCM integrated install of MBAM 2.5 SP1, and went through all the other parts of the install successfully, however, I have a question, as I'm a little bit confused, since I already have SCCM reports integrated for MBAM stuff, do I still need to install Reports as described on this page in part 4?

    1. I would say yes, you will need to install reports, and it is required. I need to check what the difference is between the reports installed with this wizard and the Configmgr reports, but there is nothing wrong with installing this feature for reports on the MBAM server.

      Regards,
      Eswar

  5. Great guide. I had installed MBAM and SQL on different servers; when adding the Reports feature, I got the error message "Unable to find an instance of the Reporting Services".
    Any advice on this error? Thanks.

      1. Hi Eswar,

        If the user account "MBAM_DB_RO" is set for a password change every 3 months, how and in which places does this account's password need to be updated?

        1. Interesting. I always recommend using a service account and setting the password to never expire. It always creates problems to use an account whose password expires.
          In your case, one of the places that I would look at is the SQL database, which is where this account is used while creating the database, but the other places I need to check.

          Regards,
          Eswar

          1. Exactly, that account is used while creating the "Compliance and Audit Database connection" for the database "MBAM Compliance status" in the "Reports" section. I have checked Security-Users under the database "MBAM Compliance status" but did not find that account. I'm not sure where exactly to look for that account. Now it's a mystery to me.

            1. You mean to say that you have got the databases created but you don't see the user accounts that were used to create these databases?

              Regards,
              Eswar

  6. Hi,
    This is a very nice guide.

    Questions,

    I do not have access to these sites: MBAMAdministrationService, MBAMRecoveryAndHardwareService, or MBAMComplianceStatusService.

    Am I supposed to have access to the sites mentioned above in MBAM?
    I am only able to access the Helpdesk and Self-service portals. Why is it that I am prompted for credentials if I go to the Helpdesk site?

    Thanks

    1. Users who access reports etc. should be members of the mbam_hd_reports etc. groups, as those groups are used while installing the MBAM components.

      1. Hmm, in the MS doc (Gotta find it again) it states if you're using Config Manager you should check the box or it tries to install those reports on the server you're installing the web tools.

          1. This isn't too clear. Is it that the checkbox does not need to be selected on the Web configuration if the ConfigMgr integration has already been completed on the ConfigMgr server? My thinking is, that if you don't check this box it will think you are in a standalone install and add the bits accordingly. Is this not correct?

            1. If you are referring to the web applications in the screenshot, yes, they are completely different from Configmgr. These options are for the web-based portals (administration and monitoring, and the self-service portal) where you can retrieve the BitLocker keys etc. as required, which do not exist in SCCM.

              Regards,
              Eswar

  7. Very good guide. Helpful. One thing I noticed was that, after installing the database and reports, the web application installation did not accept the SQL server name. I had to go to SQL Management Studio and provide write access to the RW account and read permission to the RO account, and then the installation was successful.

    If anyone comes across such an issue, please check the SQL permissions and make adjustments.
