First, a bit of official documentation:
MBAM 2.5 has the following features:
- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
- Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.
- Reduces the workload on the Help Desk to assist end users with BitLocker PIN and recovery key requests.
- Enables end users to recover encrypted devices independently by using the Self-Service Portal.
- Enables security officers to easily audit access to recovery key information.
- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
MBAM enforces the BitLocker encryption policy options that you set for your enterprise, monitors the compliance of client computers with those policies, and reports on the encryption status of the enterprise’s and individual’s computers. In addition, MBAM lets you access the recovery key information when users forget their PIN or password, or when their BIOS or boot records change.
The following groups might be interested in using MBAM to manage BitLocker:
- Administrators, IT security professionals, and compliance officers who are responsible for ensuring that confidential data is not disclosed without authorization
- Administrators who are responsible for computer security in remote or branch offices
- Administrators who are responsible for client computers that are running Windows
Architecture of MBAM service:
In this article I will describe the installation of MBAM 2.5 and integration with Configuration Manager 2012 R2.
This installation will involve three virtual servers: the domain controller, the ConfigMgr site server and SQL server, which will store the MBAM databases.
My SQL server already has the default MSSQLSERVER instance with:
- Database engine
- Reporting services (native)
- Management tools complete
and several instances for the System Center family of products. I need to add Analysis Services:
In addition, MBAM Administration and Monitoring Server will be installed on the same server (SQL), so we need to install IIS and some components of Windows Server:
.NET Framework 3.5.1 features:
- .NET Framework 3.5.1
- WCF Activation
- HTTP Activation
- Non-HTTP Activation
.NET Framework 4.5 features:
- WCF Services
- TCP Activation
Windows Process Activation Service:
- Process Model
- .NET Environment
- Configuration APIs
Common HTTP Features:
- Static Content
- Default Document
- .NET Extensibility
- ISAPI Extensions
- ISAPI Filters
- Windows Authentication
- Request Filtering
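The same components can be installed unattended from an elevated PowerShell session on Windows Server 2012 R2 with Install-WindowsFeature. This is an added example, not part of the original article: the feature names are my assumed mapping of the Server Manager display names listed above (plus the .NET 4.5 counterpart of ".NET Extensibility", which the MVC 4 web applications run on), so confirm them against Get-WindowsFeature on your own server before relying on the list.

```powershell
# Added example (not from the original article): install the Windows Server
# components listed above from an elevated PowerShell session on Windows Server 2012 R2.
# The feature names are assumed mappings of the Server Manager display names;
# confirm them with: Get-WindowsFeature | Where-Object DisplayName -like '*Activation*'
Import-Module ServerManager

$features = @(
    # .NET Framework 3.5.1 features
    'NET-Framework-Core'          # .NET Framework 3.5 (payload usually needs -Source)
    'NET-HTTP-Activation'         # WCF Activation: HTTP Activation
    'NET-Non-HTTP-Activ'          # WCF Activation: Non-HTTP Activation
    # .NET Framework 4.5 features
    'NET-WCF-TCP-Activation45'    # WCF Services: TCP Activation
    # Windows Process Activation Service
    'WAS-Process-Model'
    'WAS-NET-Environment'
    'WAS-Config-APIs'
    # Web Server (IIS) role services
    'Web-Static-Content'
    'Web-Default-Doc'
    'Web-Net-Ext'                 # .NET Extensibility 3.5
    'Web-Net-Ext45'               # .NET Extensibility 4.5 (used by the MVC 4 web apps)
    'Web-ISAPI-Ext'
    'Web-ISAPI-Filter'
    'Web-Windows-Auth'
    'Web-Filtering'               # Request Filtering
)

# Only install what is missing, and say what that is before touching anything.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if (-not $missing) {
    Write-Host 'All listed features are already installed.'
}
else {
    Write-Host ('Installing: ' + ($missing.Name -join ', '))
    # -Source points at \sources\sxs on the Windows Server media (assumed mounted as D:),
    # which NET-Framework-Core needs when its payload was removed from the image.
    $result = Install-WindowsFeature -Name $missing.Name -Source 'D:\sources\sxs'
    if (-not $result.Success) {
        throw "Feature installation failed, exit code: $($result.ExitCode)"
    }
    if ("$($result.RestartNeeded)" -eq 'Yes') {
        Write-Warning 'Restart the server before running the MBAM setup.'
    }
}
```

Running the check first means the script is safe to re-run after a restart: it reports "already installed" instead of repeating the installation.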
In addition, you need to install ASP.NET MVC 4:
After that, create user accounts and groups for MBAM:
For the user account that the application pool of our web application will run as, register an SPN:
Setspn -S HTTP/sql.firma.com FIRMA\MBAM_HD_AppPool
Then check that the SPN has been registered:
Setspn -L FIRMA\MBAM_HD_AppPool
After registering an SPN for this account, an additional Delegation tab appears in the account properties. Enable the option Trust this user for delegation to any service (Kerberos only):
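The two setspn commands above confirm the SPN from the account's point of view; what they do not show is whether the same SPN is also registered on some other account, which silently breaks Kerberos for the site (clients fall back to NTLM or fail). The following added example, not part of the original article, runs on the domain controller with the ActiveDirectory module and checks the SPN, looks for duplicates and reports the delegation flag that the Delegation tab sets. The account and SPN names are the ones used in this article.

```powershell
# Added example (not from the original article): verify the SPN registration and
# delegation setting of the MBAM application pool account from the domain controller.
# Assumes the ActiveDirectory module (RSAT) and the account/SPN names used in the article.
Import-Module ActiveDirectory

$account = 'MBAM_HD_AppPool'
$spn     = 'HTTP/sql.firma.com'

$user = Get-ADUser -Identity $account -Properties servicePrincipalName, TrustedForDelegation

# 1. The SPN must be present on this account (same check as setspn -L).
if ($user.servicePrincipalName -notcontains $spn) {
    throw "SPN $spn is not registered on $account."
}

# 2. The SPN must not be registered on any other object in the domain.
#    For a forest-wide check use setspn -X or query a global catalog (-Server "<dc>:3268").
$duplicates = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
    Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
if ($duplicates) {
    throw "SPN $spn is also registered on: $($duplicates.DistinguishedName -join '; ')"
}

# 3. Report the delegation state; TrustedForDelegation = True corresponds to
#    "Trust this user for delegation to any service (Kerberos only)".
[pscustomobject]@{
    Account              = $user.SamAccountName
    SPNs                 = ($user.servicePrincipalName -join ', ')
    TrustedForDelegation = $user.TrustedForDelegation
}
```

Keep this check in your build notes: a duplicate SPN is the most common reason the MBAM web applications prompt for credentials or return 401 errors after an otherwise clean installation.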
On the Configuration Manager Server, browse to the location <CMInstallLocation>\Inboxes\clifiles.src\hinv\ and add the MBAM classes to Configuration.mof:
Open the Default Client Settings, go to the Hardware Inventory section, click Set Classes, import the classes from the .mof file and enable the new classes:
On the Configuration Manager server, mount the Microsoft Desktop Optimization Pack 2014 R2 image and run the MBAM server installation:
Run the Configuration Wizard and select the integration with Configuration Manager:
Specify the database server for the reports and complete the installation:
After the integration completes, the Configuration Items and the Configuration Baseline appear in Configuration Manager, deployed to the MBAM Supported Computers collection, which was created automatically:
What this is for will become clear at the end of the article.
MBAM Supported Computers is a dynamic collection based on a query that we need to edit: in my lab I use only VMs, so for them to be selected by the query we need to remove its restriction on virtual machines:
Before installing the databases and web applications we need to prepare the SQL server: add the user MBAM_HD_AppPool to the local Administrators group and grant it the appropriate permissions in SQL Server:
Mount the same Microsoft Desktop Optimization Pack 2014 R2 image, run the MBAM server installation under the MBAM_HD_AppPool account and then launch the Configuration Wizard:
The SQL server will host the MBAM databases, the web application for managing keys together with the BitLocker Recovery Audit Report (the only report served by the web application; the remaining reports are available from the SCCM console after integration), and the Self-Service Portal for users:
Enter the FQDN of the database server and the accounts we created earlier:
Specify the accounts to work with reports:
Specify the accounts and the path for the web application files:
The result is:
Move on to the domain controller. Download the Microsoft Desktop Optimization Pack Group Policy Administrative Templates and unpack them. We need two .admx files and two .adml files:
Copy the .admx files to %systemroot%\PolicyDefinitions and the .adml files to the subfolder for the appropriate language:
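One detail worth checking before copying: if the domain already has a Central Store in SYSVOL, the Group Policy editor reads templates from there and ignores the local %systemroot%\PolicyDefinitions folder on the DC, so the MDOP templates would not show up. The following added example, not part of the original article, picks the store that is actually in use, copies both file pairs and verifies that every .admx has its .adml, the usual cause of "resource not found" errors in the editor. The unpack path C:\MDOP_ADMX and the en-US language are assumptions.

```powershell
# Added example (not from the original article): copy the MDOP .admx/.adml files
# to the location Group Policy actually reads from. Assumed inputs: the templates
# were unpacked to C:\MDOP_ADMX and the .adml files are the en-US versions.
$source   = 'C:\MDOP_ADMX'
$language = 'en-US'

# If the domain has a Central Store in SYSVOL, the Group Policy editor uses it
# and ignores %systemroot%\PolicyDefinitions on the DC, so copy there instead.
$domain       = $env:USERDNSDOMAIN
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$target = if (Test-Path -Path $centralStore) { $centralStore } else { "$env:SystemRoot\PolicyDefinitions" }
Write-Host "Template store in use: $target"

# Copy the .admx files to the store root and the .adml files to the language folder.
$langFolder = Join-Path -Path $target -ChildPath $language
New-Item -ItemType Directory -Path $langFolder -Force | Out-Null
Copy-Item -Path (Join-Path $source '*.admx') -Destination $target     -Force
Copy-Item -Path (Join-Path $source '*.adml') -Destination $langFolder -Force

# Verify each copied .admx has its .adml next to it; a missing .adml is the usual
# cause of "resource ... not found" errors when the policy is opened in the editor.
foreach ($admx in Get-ChildItem -Path $source -Filter '*.admx') {
    $adml = Join-Path $langFolder ($admx.BaseName + '.adml')
    $ok   = (Test-Path (Join-Path $target $admx.Name)) -and (Test-Path $adml)
    '{0,-40} {1}' -f $admx.Name, $(if ($ok) { 'OK' } else { 'MISSING .admx or .adml' })
}
```

When the Central Store is used, the copy must be done from an account that can write to SYSVOL, and replication to the other DCs takes a few minutes before the new settings appear everywhere.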
Create an OU with a test computer. I used Windows 8.1 and Windows 10, which, I remind you, is still in the testing phase and is not officially supported by Configuration Manager:
Create a group policy for this OU (note: do not change the other group policies that apply to BitLocker Drive Encryption, otherwise MBAM will not work properly):
Enter http(s)://<servername>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc as the MBAM Recovery service endpoint and disable the MBAM Status reporting service, because we have enabled the integration of MBAM with SCCM:
Turn on the encryption policy for the system drive and allow BitLocker without a Trusted Platform Module:
Configure the password for the system drive:
Set the number of days during which the user can postpone applying the MBAM system drive policy:
Set the BitLocker settings for removable drives:
Proceed to install the MBAM client. You can create an application from the .msi file instead of installing the client manually:
Deploy an application:
Instead of waiting for the MBAM client to launch automatically, run MBAMClientUI.exe from C:\Program Files\Microsoft\MDOP MBAM:
We get an error message because the virtual machine has no TPM. To encrypt the system drive, use the BitLocker applet in the Control Panel:
Save the recovery key:
Are we ready to encrypt a system drive?
To obtain the recovery key you need to know the first eight digits of the recovery key ID:
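The ID shown on the recovery screen is the key protector ID of the volume's recovery password, and the same value can be read on a running client before it is ever needed. The following added example, not part of the original article, runs in an elevated PowerShell session on the client (Windows 8 and later, built-in BitLocker and TrustedPlatformModule modules): it shows why the MBAM client complained (no TPM), the state of each BitLocker volume, and the recovery key IDs with the eight-character prefix the help desk enters in MBAM. The recovery password itself is deliberately not printed.

```powershell
# Added example (not from the original article): run from an elevated PowerShell
# session on the client. Shows TPM availability, the state of each BitLocker
# volume and the recovery key protector IDs; the help desk needs the first eight
# characters of that ID to look up the recovery password in MBAM.
# Uses the built-in BitLocker and TrustedPlatformModule modules (Windows 8 and later).

function Get-TpmSummary {
    # Get-Tpm fails or reports TpmPresent = $false on a VM without a TPM device,
    # which is why the MBAM client UI showed an error in this lab.
    try {
        $tpm = Get-Tpm
        if ($tpm.TpmPresent) { return "TPM present, ready: $($tpm.TpmReady)" }
        return 'No TPM present; BitLocker needs the "allow without compatible TPM" policy.'
    }
    catch {
        return "No usable TPM: $($_.Exception.Message)"
    }
}

function Get-RecoveryKeyIds {
    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types include Tpm, TpmPin, Password, RecoveryPassword, ExternalKey;
        # only RecoveryPassword protectors are what MBAM escrows and the help desk looks up.
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        foreach ($kp in $recovery) {
            $id = $kp.KeyProtectorId.Trim('{}')   # GUID without braces
            [pscustomobject]@{
                Volume     = $vol.MountPoint
                Type       = $vol.VolumeType
                Protection = $vol.ProtectionStatus
                Encrypted  = "$($vol.EncryptionPercentage)%"
                KeyId      = $id
                HelpDeskId = $id.Substring(0, 8)   # what the MBAM recovery page asks for
            }
        }
    }
}

Get-TpmSummary
Get-RecoveryKeyIds | Format-Table -AutoSize
```

From a command prompt, manage-bde -status and manage-bde -protectors -get C: give the same information; note that the latter also prints the 48-digit recovery password, so do not paste its output into tickets or logs.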
Open the web application and make a key recovery request:
Enter the key, press Enter and get access to the operating system:
There is only one report, the Recovery Audit Report, in the Microsoft BitLocker Administration and Monitoring web application:
The remaining reports are in Configuration Manager; they are populated with data after the clients evaluate compliance with the settings specified in the BitLocker Protection configuration baseline: