    How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 1

    By Eswar Koneti, September 11, 8:30 pm. Category: Active Directory.

    In the first part of this multi-part series, we will set up the user accounts and security groups required in Active Directory to install and configure the MBAM server.

    Create the following AD accounts and security groups on your domain controller, under a dedicated OU. In my lab I created an OU called MBAM. These accounts are used during the installation of SQL Server and the MBAM server.

    All the steps below are performed on my domain controller (DC01).

    Account                 User / Group
    Database accounts
    MBAM_DB_RO              User
    MBAM_DB_RW              User
    Helpdesk accounts
    MBAM_HD_Adv             Group
    MBAM_HD_AppPool         User
    MBAM_HD_DataMig         Group
    MBAM_HD_Reports         Group
    MBAM_HD_Users           Group
    Report accounts
    MBAM_Reports_RO         Group

    Test account:

    MBAM_Report1            User

    Add this account (MBAM_Report1) to the MBAM_HD_Reports group so that it can run MBAM reports.

    You can use the PowerShell script below to create the MBAM user accounts instead of creating them manually.

    All you need to do is change the CSV file path, the UPN suffix (domain name) and the password to match your environment:

    # Requires the Active Directory module (RSAT); run on the domain controller
    Import-Module ActiveDirectory

    # Each CSV row has the columns Name, samAccountName and OU (sample below)
    Import-Csv "E:\sources\Scripts\NewUsers.csv" | ForEach-Object {
        # Build the UPN from the sAMAccountName and the domain's UPN suffix
        $userPrincipal = $_."samAccountName" + "@apac.eskonr.com"
        New-ADUser -Name $_.Name `
            -Path $_."OU" `
            -SamAccountName $_."samAccountName" `
            -UserPrincipalName $userPrincipal `
            -AccountPassword (ConvertTo-SecureString "P@ssword2015" -AsPlainText -Force) `
            -ChangePasswordAtLogon $false `
            -PasswordNeverExpires $true `
            -Enabled $true
    }

    What does the CSV file look like?

    Name,samAccountName,OU
    MBAM_DB_RO,MBAM_DB_RO,"OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com"
    MBAM_DB_RW,MBAM_DB_RW,"OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com"
    MBAM_HD_AppPool,MBAM_HD_AppPool,"OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com"
    MBAM_Report1,MBAM_Report1,"OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com"
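The script above creates only the user accounts; the groups from the table and the MBAM_Report1 membership are still manual steps. The following is an added example (not from the original post) that creates the groups and users from the table, adds the test user to MBAM_HD_Reports, and verifies the result; the OU path and UPN suffix are the post's lab values and are assumptions to change for your domain.

```powershell
# Added example, not from the original post: create the groups and users from the
# table above, add the test user to MBAM_HD_Reports, and verify the result.
# Assumptions: the OU path and UPN suffix are the post's lab values; change them to match your domain.
Import-Module ActiveDirectory

$ouPath    = 'OU=MBAM,OU=Service Accounts,OU=SG,DC=apac,DC=eskonr,DC=com'
$upnSuffix = 'apac.eskonr.com'

# Security groups and user accounts listed in the table (plus the test user)
$groups = 'MBAM_HD_Adv', 'MBAM_HD_DataMig', 'MBAM_HD_Reports', 'MBAM_HD_Users', 'MBAM_Reports_RO'
$users  = 'MBAM_DB_RO', 'MBAM_DB_RW', 'MBAM_HD_AppPool', 'MBAM_Report1'

# Ask for the initial password once instead of keeping it in the script or CSV
$password = Read-Host -Prompt 'Initial password for the MBAM accounts' -AsSecureString

foreach ($g in $groups) {
    # Idempotent: skip groups that already exist so the script can be re-run safely
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -Path $ouPath `
            -GroupScope Global -GroupCategory Security
    }
}

foreach ($u in $users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "${u}@${upnSuffix}" `
            -Path $ouPath -AccountPassword $password -Enabled $true `
            -ChangePasswordAtLogon $false -PasswordNeverExpires $true
    }
}

# The test user must be a member of MBAM_HD_Reports to run MBAM reports
Add-ADGroupMember -Identity 'MBAM_HD_Reports' -Members 'MBAM_Report1'

# Verify: objects created directly under the OU, then the reports group membership
Get-ADObject -SearchBase $ouPath -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass
Get-ADGroupMember -Identity 'MBAM_HD_Reports' | Select-Object Name, objectClass
```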

    In addition to the user accounts above, create another user account called MBAM_Admin, which will later be made a member of the local Administrators group on the MBAM server and the SQL Server. This account is used for all installations on the MBAM server and SQL Server.

    As I already have an SCCM account (CM_SRV) used for all installations, I use this account to install MBAM and the SQL database. Wherever I use the CM_SRV account, you can replace it with MBAM_Admin.

    Once you are done with account and group creation, register the SPNs for the application pool account. (No delegation is required in MBAM 2.5 SP1.)

    SPN registration is required for the MBAM servers to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal.

    So we will now register a Service Principal Name (SPN) for the application pool account.

    Note: You must have domain administrative rights to perform this action.

    Open a command prompt (run as administrator) and run the following command:

    Setspn -s http/mbam01.corp.eskonr.com eskonr\mbam_hd_apppool

    mbam01.corp.eskonr.com: FQDN of my MBAM server (this server runs Windows Server 2012 R2 and is joined to the domain with no other configuration).
    eskonr\mbam_hd_apppool: domain account used for the web application pool.

    Check whether the SPN has been registered on the account using: setspn -L corp.eskonr.com\mbam_hd_apppool
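A duplicate SPN (the same http/ name registered on two accounts) breaks Kerberos authentication for both, so it is worth checking before registering and then confirming from the directory object. The following is an added example (not from the original post) that does the check, the registration and the verification in PowerShell; the server FQDN and account name are the post's lab values.

```powershell
# Added example, not from the original post: check that the HTTP SPN is not already
# claimed elsewhere in the forest, register it, then read it back from the account.
# Assumptions: the FQDN and account name are the post's lab values; adjust for your environment.
$spn     = 'http/mbam01.corp.eskonr.com'
$account = 'mbam_hd_apppool'

# setspn -Q searches the forest for an existing registration of this exact SPN.
# Stop here if another account already owns it; duplicates break Kerberos for both.
$existing = setspn -Q $spn
if ($existing -match 'Existing SPN found') {
    $existing
    throw "SPN $spn is already registered; resolve the duplicate before continuing."
}

# -S refuses to add a duplicate (unlike -A, which adds without checking)
setspn -S $spn $account

# Verify from the AD object itself rather than only via setspn -L
$spns = (Get-ADUser -Identity $account -Properties ServicePrincipalNames).ServicePrincipalNames
if ($spns -contains $spn) {
    "SPN $spn is registered on $account"
} else {
    throw "SPN $spn is missing on $account"
}
```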

    With this, we have completed the Active Directory prerequisites for installing the MBAM server.

    In the next part (part 2), we will install the Windows roles, install SQL Server, and configure the databases and permissions.


    2 Comments

    1. Leclerc on November 27, 2017 10:32 PM

      Hello,

      I do not understand why you need to create both MBAM_HD_AppPool and MBAM_DB_RW.
      During database installation MBAM_DB_RW is granted access to the database but never used after.
      On the other side, you have to manually give access to the database for user MBAM_HD_AppPool that will be used for RW operations to the database.

      Can the MBAM_DB_RW account be used instead of the MBAM_HD_AppPool for running the application pool ?

      Kind regards.

      • Eswar Koneti on November 28, 2017 10:27 PM

        Hi,
        MBAM_HD_AppPool is service account used to setup application pool and will be used later. DB_RW is read write access to database and will be used to create the databases using this account.
        For more information about the accounts that are used in the blog post, refer to https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-groups-and-accounts

        Regards,
        Eswar
