MBAM is the Microsoft BitLocker Administration and Monitoring tool. It enables administrators to automate the process of encrypting volumes on client computers across the enterprise. BitLocker offers protection against data theft or data exposure for computers that are lost or stolen. BitLocker encrypts all data that is stored on the Windows operating system drive and on configured data drives.
MBAM 2.5 SP1 has the following features:
- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
- Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.
- Reduces the workload on the Help Desk to assist end users with BitLocker PIN and recovery key requests.
- Enables end users to recover encrypted devices independently by using the Self-Service Portal.
- Enables security officers to easily audit access to recovery key information.
- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
To learn more about what's new in MBAM 2.5 SP1, read the TechNet document https://technet.microsoft.com/en-us/library/mt427465.aspx
MBAM is one of the major components in the Microsoft Desktop Optimization Pack for Software Assurance (MDOP). MDOP consists of 6 components:
- UE-V: User Experience Virtualization captures settings to apply to computers accessed by the user, including desktop computers, laptop computers, and VDI sessions. For more information, refer to TechNet.
- MED-V: Microsoft Enterprise Desktop Virtualization (MED-V) uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. For more information, refer to TechNet.
- MBAM: Microsoft BitLocker Administration and Monitoring (MBAM) provides an administrative interface to enterprise-wide BitLocker drive encryption. This is covered in this blog post.
- DaRT: Microsoft Diagnostics and Recovery Toolset (DaRT) helps troubleshoot and repair Windows-based computers. For more information, refer to TechNet.
- App-V: Microsoft Application Virtualization (App-V) lets you make applications available to end-user computers without installing the applications directly on those computers. For more information, refer to TechNet.
- AGPM: Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of the Group Policy Management Console (GPMC) to provide change control and improved management.
To get any of these components, you must download MDOP from Volume Licensing and MSDN.
Microsoft recently released MBAM 2.5 SP1, which is part of MDOP 2015, with some new features and functionality and complete support for Windows 10.
To learn more about MBAM 2.5 SP1 and what's new compared to its previous version, read the TechNet documentation https://technet.microsoft.com/en-us/library/mt427465.aspx.
Due to the large amount of content involved in this step-by-step guide series, I will split this post into multiple parts as outlined below.
- Part 1: Setting up accounts required for MBAM 2.5 SP1 in Active Directory. This post covers how to create domain accounts and security groups and register the SPN.
- Part 2: Prerequisites for MBAM 2.5 SP1. This post covers how to enable roles, install SQL Server 2012 SP1, and configure the database.
- Part 3: Prerequisites for the Configuration Manager Integration feature (this is optional). This post covers how to extend the MOF files, both Configuration.mof and hardware inventory.
- Part 4: How to install and configure the components of MBAM 2.5 SP1. This includes installation of MBAM, web services, reporting, etc.
- Part 5: How to create Group Policy settings for MBAM 2.5 SP1 BitLocker and deploy them to the workstation OU. This covers importing the MBAM ADM templates, creating GPOs, and deploying to clients.
- Part 6: Create the MBAM 2.5 SP1 application in SCCM 2012, deploy to clients, BitLocker encryption demo. Log on to the Windows 8 clients, verify BitLocker, retrieve the BitLocker key, check compliance using SCCM 2012, etc.
- Part 7: BitLocker encryption for Windows 10, configure preboot recovery message demo. Demos of Windows 10 BitLocker encryption, retrieving the recovery keys from the web service portal, and troubleshooting steps.
If you are looking to upgrade from MBAM 2.5 to MBAM 2.5 SP1, the steps are outlined below:
Stand-alone:
1. Uninstall web components
2. Back up databases
3. Uninstall other components; databases remain
4. Install the new version; databases are upgraded in place
5. Update group policies if needed for new features
6. Deploy the updated MBAM agent (uninstall the old agent; no reboot required)
For more information, please refer to the TechNet document https://technet.microsoft.com/en-us/library/dn645354.aspx
Integrated with ConfigMgr:
1. Uninstall web components
2. Back up databases
3. Uninstall other components; reports and databases remain
4. Update MOF files
5. Install the new version; databases, CM objects, and CM reports are upgraded in place, preventing data loss
6. Update group policies if needed for new features
7. Deploy the updated MBAM agent (uninstall the old agent; no reboot required)
For more information, please refer to the TechNet document https://technet.microsoft.com/en-us/library/dn645354.aspx
Before we get into part 1 of this series, we will first look at the supported server operating systems, SQL Server versions, ConfigMgr versions, and client operating systems:
MBAM Server OS Requirements:
MBAM SQL Server Requirements:
Supported Configuration Manager versions for MBAM.
MBAM Client OS Requirements:
The diagrams below show the components involved in both the stand-alone server components and the Configuration Manager 2012 server components (integration).
Stand Alone Server Components:
SCCM 2012 Server Components:
I am running this installation setup on my Windows 10 Hyper-V with the following servers. All servers are running on Server 2012 R2 Standard Edition.
1. 1 domain controller running DNS and DHCP.
2. 1 server with SCCM ConfigMgr 2012 R2 SP1 (SQL Server installed on the same box) is required if you want to integrate MBAM; otherwise you can go with a stand-alone server.
3. 1 member server for the MBAM installation. This server hosts the SQL database, reports, Administration server, and Self-Service Portal.
Domain Controller: DC01
SCCM 2012 R2 SP1: CM01
MBAM Member server: MBAM01
Domain: corp.eskonr.com
In the first part of this multi-part guide (part 1), we will create the user accounts and security groups and register the SPN in Active Directory, all of which are required for MBAM 2.5 SP1 setup.