Long ago ,I did step by step guide series on how to Install MBAM 2.5 SP1 integration with SCCM Configmgr 2012/Current Branch . In that guide,I have used MBAM server which has SQL server and MBAM components installed on local server and integrate MBAM with Configmgr 2012 server.
Few days ago ,I was trying to install MBAM 2.5 SP1 and integrate with SCCM Configmgr Current Branch 1606 in my lab. In this setup ,my requirement was different .I do not want to install SQL Server on MBAM server (local) instead ,use existing SQL instance (remote) to install MBAM Databases and reports.
Since I already have SQL Server installed locally on my Configmgr server ,have decided to use this SQL instance for my MBAM setup.
Before I start the setup in my lab ,I followed the steps on my blog post but I encountered some issues during the installation of web components and reports.
In this blog post, I will share the steps (no screen shots),tips and PowerShell scripts that I have used to setup MBAM in my lab.
If you are looking for step by step guide series on how to install MBAM 2.5 SP1,please go through http://eskonr.com/2015/09/how-to-install-mbam-2-5-sp1-and-integrate-with-sccm-configmgr-2012-r2-sp1/
In my lab ,I already have SCCM CB 1606 installed with SQL (local) and I will use this SQL to install my MBAM databases and reports (remote).
Below is my lab setup:
1 Domain Controller (DC01 ,apac.eskonr.com)
1 SCCM server running on Current Branch (CMCB01) with SQL local
1 MBAM Server (MBM01 , Plane server with domain join)
Here are the steps what I followed in short .
1.Create required MABM Accounts.
2.Register SPN for MBAM Server
3.Login to MBAM Server (MBAM01) and install the prerequisites like IIS components (No SQL server is needed ,we will be using remote SQL) and ASP.net MVC 4
4.Login to SCCM server(CMCB01) ,perform the changes to MOF,Hardware inventory ,run the MBAM server setup to perform system center configuration manager integration. you must run this setup only in your SCCM Server .
5.Login to MBAM Server (MBAM01) ,Insert/Copy Supported Version of SQL server media and install SSRS Reporting services (native) . SSRS must be installed and running during the MBAM Server installation.
Configure SSRS in "native" mode and not in unconfigured or "SharePoint" mode. You cannot use remote installed SSRS for MBAM Server.
6. On MBAM Server ,open Reporting services configuration manager ,click on connect ,go to web service URL ,create Virtual Directory ,move on to database tab ,create reportserver database (place the database on remote server that you wish to have ,in this case it will be on my SCCM Server) and to create the reportserver DB (I name it MBAMReportServer) on SCCM SQL , make sure you have full permissions on SCCM SQL database. Follow the steps reporting services configuration manager take you through.
7. Make sure the reporting services account that is running on your MBAM Server (MBAM01) must use domain account (cannot be system account and NT account) to connect to remotely configured Reportserver database . so open services.msc ,properties of SQL Service Reporting services ,choose account that permissions to connect to reportserver DB(MBAMReportServer) on SCCM Server.
8.Restart SQL Service reporting services.
9. Now its time to start the installation of MBAM components on MBAM Server (MBAM01).
10. Launch MBAM server setup ,go with default installation and open MBAM server Configuration ,click on add new features ,select databases (Compliance and Audit, Recovery Database) ,Reports .
11. when the databases are created ,launch MBAM Server setup,again and this time select the leftover component Web Applications (Administration and monitoring and self-service portal).
At this step ,I had some issues with Application pool account that failed to connect to MBAM recovery and hardware database which was installed on my Configmgr SQL server. so I had to look at the logs to troubleshoot the issue by providing the enough permissions to MBAM Recovery and hardware database on my SCCM server for MBAM_HD_AppPool account
Error:
Cannot connect to the database using specified connection string 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True'
Error: System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'APAC\MBAM_HD_AppPool'.
12. If you see any errors during the installation of any of the MBAM components, check the event viewer which will give you more information about the issue . Where to look at event viewer ?
Open event viewer ,Applications and service logs ,Microsoft ,windows ,MBAM-Setup ,in this ,you have 2 sections 1) Admin 2) Operational .
All these steps can be performed through PowerShell scripts right from creation of MBAM User accounts/Groups to installation of MBAM components.
Tanner Slayton Sr Consultant Cyber Security from Microsoft has posted MBAM scripts on Github ,can be downloaded from https://github.com/tslayton.
13. Configure GPO settings as per the requirement ,for more information on this ,you can read part 5 of my step by step guide series
14. If you want add support for the BitLocker XTS-AES encryption type ,then install September 2016 servicing release hotfix from https://support.microsoft.com/en-us/kb/3168628
Below are scripts /command lines that I have used while installing the MBAM components in my lab.
Adding IIS Features:
Write-Host 'Adding IIS and the components required for MBAM Installation of the Helpdesk and SelfService Portals'
$Features = 'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc', 'Web-Static-Content', 'Web-Security', 'Web-Filtering', 'Web-Windows-Auth', 'Web-App-Dev', 'Web-Net-Ext45',
'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Tools', 'Web-Mgmt-Console', 'NET-WCF-Services45', 'NET-WCF-HTTP-Activation45', 'NET-WCF-TCP-Activation45',
'WAS', 'WAS-Process-Model', 'WAS-NET-Environment', 'WAS-Config-APIs'
Add-WindowsFeature -Name $Features
Install MBAM componets:
Import-Module 'C:\Program Files\Microsoft BitLocker Administration and Monitoring\WindowsPowerShell\Modules\Microsoft.MBAM\Microsoft.MBAM.psd1'
# Enable compliance and audit database
Enable-MbamDatabase -AccessAccount 'APAC\MBAM_DB_RW' -ComplianceAndAudit -ConnectionString 'Data Source=CMCB01.apac.eskonr.com;Integrated Security=True' -DatabaseName 'MBAM Compliance Status' -ReportAccount 'APAC\MBAM_DB_RO'
# Enable recovery database
Enable-MbamDatabase -AccessAccount 'APAC\MBAM_DB_RO' -ConnectionString 'Data Source=CMCB01.apac.eskonr.com;Integrated Security=True' -DatabaseName 'MBAM Recovery and Hardware' -Recovery
# Enable self service web portal feature
Enable-MbamWebApplication -CompanyName 'Eskonr' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskUrlText 'Contact Helpdesk or IT department.' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -SelfServicePortal -VirtualDirectory 'SelfService' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)
# Enable report feature
Enable-MbamReport -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -ComplianceAndAuditDBCredential (Get-Credential -UserName "APAC\MBAM_DB_RO" -Message ComplianceAndAuditDBCredential) -ReportsReadOnlyAccessGroup 'APAC\MBAM_HD_Reports'
# Enable agent service feature
Enable-MbamWebApplication -AgentService -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -DataMigrationAccessGroup 'APAC\MBAM_HD_DataMig' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)
# Enable administration web portal feature
Enable-MbamWebApplication -AdministrationPortal -AdvancedHelpdeskAccessGroup 'APAC\MBAM_HD_Adv_Users' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskAccessGroup 'APAC\MBAM_HD_Users' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -ReportsReadOnlyAccessGroup 'APAC\MBAM_HD_Reports' -ReportUrl 'http://mbm01.apac.eskonr.com/ReportServer' -VirtualDirectory 'HelpDesk' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)
# Enable self service web portal feature
Enable-MbamWebApplication -CompanyName 'Eskonr' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskUrlText 'Contact Helpdesk or IT department.' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -SelfServicePortal -VirtualDirectory 'SelfService' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)
Hope it helps!
14 Comments
Fantastic guide but I have been following every step of your guide. I have SQL and Reporting Services installed in a remote server and I have my SCCM Server with SQL Server and Reporting Services integrated, but unlike you, I have another server with SQL and Reporting Services installed.
I'm trying to install the step "Configure Web Applications" and indicated my SQL Server Reporting Services URL (short URL, long url, http, https) but I get an error again and again "Unable to find MBAM Reports parent folder 'Microsoft BitLocker Administration and Monitoring".
I have reviwed every group and every permission and everithing is OK. I don't know what else to do!
Do you mean that I have to install Reporting Services on the same server where I'm going to implement MBAM? I have no read nothing about this in Microsoft Documentation. I think this doesn't make sense. Any idea?
Thanks and regards!l
This will be a helpful guide for me as I plan to install mbam in our 1709 environment. We havethe sccm server and the sql server running on separate vm. is it best installing mbam on a separate vm too or can I install all components on say the sql server vm (which handles ssrs and reporting) and the integration component on the sccm server?
Sorry for late reply. I would always suggest to have seperate VM for any such components (MABM server).
Regards,
Eswar
Since we created reports database on remote SQL in step 6 , should we use the same database when configuring database in step 10 for report server? . Thanks in advance
Hi Raj,
step 6 database is for reporting and step 10 is for compliance & audit ,recovery database which are completely different purpose.
Regards,
Eswar
Hi, great guide but I'm on the latest version of sccm current branch 1702 and having some trouble getting the mof files to work. Should I be just using the 2012 configuration.mof and importing the Sms_def.mof. I've tried this and keep getting the error
The MOF file you tried to import could not be compiled. Ensure that the MOF file contains valid data. You can use the command line mofcomp utility to test the data.
Hi Michael,
Configuration.mof file should go into inbox folders and sms_def.mof into client agent settings and it works for me.
Check the code in mof file if you have any syntax errors or spaces etc.
Regards,
ESwar
Hi Eswar,
Although I have followed these instructions for an installation in one of my clients, because I had exactly the same problem than you, I have to tell you that I realized that it's possible to install MBAM with the SQL Server in a remote server and also, with SSRS in a remote server.
What you need to do is install MBAM Server Configuration in the server where you want to install the Reports (so, this is the SQL Server), and then proceed with the installation of Reports in that server.
I can tell you that right now, I have a lab environment with this configuration and everything is working correctly.
Anyway, thanks a lot for your posts, they are really good and very useful for me!
Laura,
This isn't strictly true. We have a configuration with an MBAM Admin Server reporting to a remote SQL Cluster and Reporting Services on another Remote SQL working perfectly for an enterprise customer with around 30k of users.
Regards,
Tim
Hi Tim,
which means the blog what i said is incorrect about installing the reporting services on remote SQL work fine ?
in 5th point ,i said the following which is not true ?
Configure SSRS in "native" mode and not in unconfigured or "SharePoint" mode. You cannot use remote installed SSRS for MBAM Server.
Do you have this working ? what is your setup ?
Regards,
Eswar
Hi Tim, do you have any documentation on this setup procedure? I've been struggling to find anything with the steps required to do exactly what you're describing. MBAM management on a single server using a remote SQL cluster to host the databases and reporting services. Thanks in advance, I'm sure this would help alot of admins!
Great article. Really enjoy your site. Do you have a tips of speeding up the initial MBAM sync after OSD?
I have already implemented this setup using sccm 1511. My clarification is Can I install MBAM reports feature on remote SQL reporting services server?
MBAM reports must be installed on same server that is hosting MBAM components but database can be installed on remote SQL as i mentioned in my blog post.