In part 3 of this MBAM 2.5 SP1 multi-part series, we installed the MBAM prerequisites for Configuration Manager 2012: the MOF file changes, inventory changes, the MBAM collection, etc.
In this part 4, we will install the main components of MBAM 2.5 SP1: the databases, reports and web applications.
Log in to the MBAM01 server with the CM_SRV (MBAM_admin) account, mount the MDOP 2015 ISO and browse to the MBAM 2.5 SP1 folder.
Run MBAMserversetup with the default options (Next, Next, Next until the last screen).
Click on Add New Features.
We will first install the database and reports, and later the web applications.
Enter the SQL Server name (local or remote, wherever you installed it).
I have used the default instance (MSSQLSERVER), so I leave it blank; if you have a named instance, please provide it.
Use the account you created in AD for database read and write (MBAM_DB_RW).
Enter the reporting role domain group name (MBAM_HD_Reports) and the compliance and audit domain account name (MBAM_DB_RO).
Check the summary page to confirm everything is set correctly.
If you have other servers where you want to install these components again and don't want to repeat all these steps, you can export the PowerShell script, change the components (certificate, accounts, etc.) and run the script on the other server.
With this, we have installed the Compliance and Audit database and the Recovery database.
Check that these databases were created by opening SQL Server Management Studio.
The accounts specified during the installation are also added automatically with the required permissions.
Next, we will install the web applications.
On the server, from the Start menu, search for mbam and open MBAM Server Configuration to add the web applications.
Click on Add New Features.
As I am not using SSL for now, I will check Do not use certificate.
Enter the hostname, IIS path and port number (if you have enabled the firewall, you must allow this port for website communication).
Fill in the details as shown below.
Enable TPM Lockout Autoreset is a new feature in MBAM 2.5 SP1. On computers running TPM 1.2, you can now configure MBAM to automatically unlock the TPM in case of a lockout. If the TPM lockout auto reset feature is enabled, MBAM can detect that a user is locked out and then get the OwnerAuth password from the MBAM database to automatically unlock the TPM for the user.
This feature must be enabled on both the server side (enable as shown above) and in Group Policy on the client side (we will configure this later).
SQL Server Reporting Services URL: http://MBAM01.corp.eskonr.com/ReportServer (if you are using SSL, use https).
Let's check on the IIS server whether these websites were created.
From the Run command, type inetmgr.
Right-click on HelpDesk, choose Manage Application > Browse, and you will see the helpdesk web page.
If you don't see reports, you are not a member of the group MBAM_HD_Reports. Only the user MBAM_report1 is a member and can view reports.
To see the two options below, Drive Recovery and Manage TPM, the user must be a member of the MBAM_HD_ADv group. A user who is a member of only MBAM_HD_Reports sees the reports only.
Do the same for the self-service portal.
If you want to configure the self-service portal to change the company name, display text, etc., go to IIS Manager, click on SelfService and open Application Settings.
With this, we have successfully installed the database, reports and web applications on our MBAM server.
In part 5 of this series, we will configure the prerequisites (GPOs, etc.) for clients before we start encrypting computers with BitLocker.
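The manual checks in this part (databases created, accounts mapped with permissions, web applications present under the MBAM site, membership of the helpdesk groups) can be scripted. The script below is an added example, not code from the original post or from Microsoft. The database names, the CORP NetBIOS domain, the MBAM_HD_AppPool account (taken from the comments), the IIS site name and the service application names are assumptions; adjust them to match your installation.

```powershell
# Added post-install verification script (example, not part of the MBAM product or this post).
# Assumptions:
#   - runs in an elevated PowerShell on MBAM01 as an account with sysadmin on the SQL instance
#   - default SQL instance; database names as created by MBAM setup (assumed defaults)
#   - account/group names from this guide, NetBIOS domain CORP (assumed)
#   - WebAdministration and ActiveDirectory modules are installed on the server
param(
    [string]   $SqlServer  = 'MBAM01',
    [string[]] $Databases  = @('MBAM Compliance Status', 'MBAM Recovery and Hardware'),
    [string[]] $DbAccounts = @('CORP\MBAM_DB_RW', 'CORP\MBAM_DB_RO', 'CORP\MBAM_HD_AppPool'),
    [string]   $WebSite    = 'Microsoft BitLocker Administration and Monitoring',   # assumed site name
    [string[]] $WebApps    = @('HelpDesk', 'SelfService', 'MBAMAdministrationService',
                               'MBAMRecoveryAndHardwareService', 'MBAMComplianceStatusService'),
    [string[]] $Groups     = @('MBAM_HD_Reports', 'MBAM_HD_ADv')
)

# Runs a query with integrated authentication and emits one object per row.
function Invoke-MbamSql {
    param([string]$Server, [string]$Database, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Database=$Database;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $row = [ordered]@{}
            for ($i = 0; $i -lt $reader.FieldCount; $i++) { $row[$reader.GetName($i)] = $reader.GetValue($i) }
            [pscustomobject]$row
        }
    }
    finally { $conn.Close() }
}

# 1. The two databases the wizard creates (the SSMS check from the post, scripted)
$existing = Invoke-MbamSql -Server $SqlServer -Database 'master' -Query 'SELECT name FROM sys.databases' |
            ForEach-Object { $_.name }
foreach ($db in $Databases) {
    if ($existing -contains $db) { "[OK]      database '$db' exists" }
    else                         { "[MISSING] database '$db' - rerun Add New Features" }
}

# 2. Database users and role membership for the accounts entered in the wizard.
#    An account with no database user here is what makes the web application step
#    refuse the SQL server name until rights are granted in SSMS.
$roleQuery = @'
SELECT u.name AS UserName, ISNULL(r.name, '(no role)') AS RoleName
FROM sys.database_principals u
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals r  ON r.principal_id = rm.role_principal_id
WHERE u.type IN ('U', 'G')
'@
foreach ($db in $Databases) {
    if ($existing -notcontains $db) { continue }
    $rows = Invoke-MbamSql -Server $SqlServer -Database $db -Query $roleQuery
    foreach ($acct in $DbAccounts) {
        $roles = @($rows | Where-Object { $_.UserName -eq $acct } | ForEach-Object { $_.RoleName })
        if ($roles.Count) { "[OK]      $db : $acct -> $($roles -join ', ')" }
        else              { "[MISSING] $db : $acct has no database user" }
    }
}

# 3. IIS applications under the MBAM site, and the identity each application pool runs as
#    (the web service pool identity is the account that must be mapped in the databases)
Import-Module WebAdministration
foreach ($app in $WebApps) {
    $webApp = Get-WebApplication -Site $WebSite -Name $app -ErrorAction SilentlyContinue
    if (-not $webApp) { "[MISSING] IIS application '$app' not found under site '$WebSite'"; continue }
    $pool = Get-Item "IIS:\AppPools\$($webApp.applicationPool)"
    "[OK]      IIS application '$app' -> pool '$($webApp.applicationPool)' runs as '$($pool.processModel.userName)'"
}

# 4. Who is in the helpdesk groups: MBAM_HD_Reports sees reports only, MBAM_HD_ADv also gets
#    Drive Recovery and Manage TPM. Membership here is what gates access to recovery keys,
#    so unexpected accounts (nested groups included) deserve a second look.
Import-Module ActiveDirectory
foreach ($g in $Groups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
               ForEach-Object { $_.SamAccountName }
    "[INFO]    $g : $(if ($members) { $members -join ', ' } else { '(empty or not found)' })"
}
```

Run it once after the database step and again after the web application step: the first run should show the two databases and the RW/RO accounts mapped, and the second run should list every application under the MBAM site together with the pool identity it uses. A `[MISSING]` line under step 2 for an account the web applications connect with is the condition to fix in SSMS before retrying Add New Features.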
I have a small query.
I have set up MBAM with SCCM. For the reporting server, if I provide the SCCM RP server URL, can I see the reports in the SCCM console, or do I need to install the MBAM reporting feature first on the SCCM RP server?
I have done this once: I installed the MBAM reporting feature on the SCCM server. It was working like a standard reporting server; I wasn't able to see the reports in the SCCM console.
Please clear this doubt.
If you want to see reports in the SCCM console, you would need to run the MBAM setup wizard and run the SCCM integration, which would install the reports, collections and also the configuration item for the compliance check.
Thanks again for this guide.
I have a CAS and 2 PSs. Is an MBAM server needed in both primary sites? Also, can I use one SSL for the website?
You don't have to install it on both sites. You can have it on the CAS. Yes, SSL is supported.
Hey, Eswar. Great guide! Quick question- It states in your guide to use the MBAM_DB_RW for the Compliance and Audit database Read/Write access domain user or group. On the MS guide (https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases) it states "If you enter a user in this field, it must be the same value as the value in the Web service application pool domain account field on the Configure Web Applications page." Wouldn't that be the MBAM_HD_AppPool account?
If you plan to install MBAM on SQL Server 2016 SP1, please complete the following; if not, the New Features install will fail.
When I started to install New Features on the MBAM server, I was getting a database and prerequisite error. The issue was that I was running SQL 2016 SP1 with no CUs. This is what I did to fix the above error.
1. Installed SQLServer2016-KB4019089-x64.exe
5. Restarted the server
6. Installed New Features - Compliance & Audit Database, Recovery Database & Reports
All working fine now.
Thanks for sharing it, Ramlan.
Where do you find MBAM2.5_X64_Server_KB4041137.exe and MBAM2.5_X64_Server_KB4041137.msp? I am having the same issue with SQL 2016 SP1, but these two files are nowhere to be found. Where did you get them?
Did you try this? https://support.microsoft.com/en-us/help/4041137/september-2017-servicing-release-for-microsoft-desktop-optimization
I had to manually grant the ReadRole to my AppPool account for the compliance database and both read and write to the recovery database before the web application would connect to my local SQL 2016 for install. Props to https://social.technet.microsoft.com/Forums/en-US/405d2f96-93b4-4a29-bee4-ae7295616272/setting-up-mbam-unable-to-connect-to-the-sql-server-instance?forum=mdopmbam
If you get the "Web service application pool account is not valid" error even after granting SQL rights to the MBAM_HD_AppPool account, then the MBAM_HD_AppPool account needs the right to log on as a batch job. Refer to https://social.technet.microsoft.com/Forums/en-US/cc53349a-93d6-4d6b-9d75-308fff7c99ea/mbam-25-web-applications-installation-web-service-application-pool-account-is-not-valid?forum=mdopmbam
Got a quick question. I am doing an SCCM-integrated install of MBAM 2.5 SP1 and went through all the other parts of the install successfully. However, I have a question, as I'm a little bit confused: since I already have SCCM reports integrated for MBAM, do I still need to install Reports as described on this page in part 4?
I would say yes, you will need to install reports; it is required. I need to check what the difference is between the reports installed with this wizard and the ConfigMgr reports, but there is nothing wrong with installing this feature for reports on the MBAM server.
Great guide. I installed MBAM and SQL on different servers; when adding the Reports feature, I got an error message: Unable to find an instance of the Reporting Services.
Any advice on this error? Thanks.
Refer to this guide for troubleshooting: http://eskonr.com/2016/10/install-mbam-2-5-sp1-on-remote-sql-and-integrate-with-sccm-configmgr-1606-notes-and-scripts/
If the user account "MBAM_DB_RO" is set for a password change every 3 months, how and where does this account's password need to be updated?
Interesting. I always recommend using a service account and setting the password to never expire. It always creates problems to use an account whose password expires.
In your case, one of the places I would look is the SQL database, where this account was used while creating the database, but other places need to be checked.
Exactly, that account is used while creating the "Compliance and Audit Database connection" for the database "MBAM Compliance Status" in the "Reports" section. I have checked Security > Users under the database "MBAM Compliance Status" but did not find that account. I'm not sure where exactly to look for that account. Now it's a mystery for me.
You mean to say you have the databases created but you don't see the user accounts that were used to create these databases?
Yes, at this moment this user account is not visible in "Compliance and Audit Database connection".
This is a very nice guide.
I do not have access to these sites: MBAMAdministrationService, MBAMRecoveryAndHardwareService or MBAMComplianceStatusService.
Am I supposed to have access to the sites mentioned above in MBAM?
I am only able to access the Helpdesk and Self-Service portals. Why is it that I am prompted for credentials if I go to the Helpdesk site?
Users who access reports etc. should be members of the MBAM_HD_Reports etc. groups, as those groups are used while installing the MBAM components.
Good series. Will Part 5 be out soon?
Part 5 is available here: http://eskonr.com/2015/09/how-to-install-mbam-2-5-sp1-and-integrate-with-sccm-configmgr-2012-r2-sp1-part-5/
Why did you leave "Use System Center Configuration Manager integration" unchecked?
Because that step was already done on the ConfigMgr server in part 3 (http://eskonr.com/2015/09/how-to-install-mbam-2-5-sp1-and-integrate-with-sccm-configmgr-2012-r2-sp1-part-3/), and this part 4 installation and configuration is done on the MBAM server.
Hmm, in the MS doc (gotta find it again) it states that if you're using Config Manager you should check the box, or it tries to install those reports on the server where you're installing the web tools.
Yes, that's true, and I have already done that step in part 3. You can read part 3 here: http://eskonr.com/2015/09/how-to-install-mbam-2-5-sp1-and-integrate-with-sccm-configmgr-2012-r2-sp1-part-3/
This isn't too clear. Is it that the checkbox does not need to be selected in the web configuration if the ConfigMgr integration has already been completed on the ConfigMgr server? My thinking is that if you don't check this box it will think you are doing a standalone install and add the bits accordingly. Is this not correct?
If you are referring to the web applications in the screenshot, yes, they are completely different from ConfigMgr. These options are for the web-based portals (Administration and Monitoring, and Self-Service) where you can retrieve the BitLocker keys etc. as required, which do not exist in SCCM.
Very good guide. Helpful. One thing I noticed was, after installing the database and reports, the web application installation did not accept the SQL server name. I had to go to SQL Management Studio and provide write access to the RW account and read permission to the RO account, and then the installation was successful.
If anyone comes across such an issue, please check the SQL permissions and make adjustments.
Thanks for the correction; I missed documenting the SQL permissions for the accounts. Will update the blog post.