mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 05:17:22 +00:00
editing
This commit is contained in:
parent
1d3bac96e0
commit
0b5e789d8b
@ -10,23 +10,23 @@ ms.prod: w10
|
||||
ms.date: 09/16/2019
|
||||
---
|
||||
|
||||
# Deploying MBAM 2.5 in a stand-alone configuration
|
||||
# Deploying MBAM 2.5 in a standalone configuration
|
||||
|
||||
This article provides step-by-step instructions for installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 in a stand-alone configuration. In this guide we will use a two-server configuration. One of the two servers will be a database server that is running Microsoft SQL Server 2012. This server will host the MBAM databases and reports. The additional server will be a Windows Server 2012 web server and will host "Administration and Monitoring Server" and "Self-Service Portal."
|
||||
This article provides step-by-step instructions for installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 in a standalone configuration. In this guide we will use a two-server configuration. One of the two servers will be a database server that is running Microsoft SQL Server 2012. This server will host the MBAM databases and reports. The additional server will be a Windows Server 2012 web server and will host "Administration and Monitoring Server" and "Self-Service Portal."
|
||||
|
||||
## Preparation steps before installing MBAM 2.5 server software
|
||||
|
||||
### Step 1: Installation and configuration of servers
|
||||
|
||||
Before we start to configure MBAM 2.5, we have to make sure that we have both servers configured as per MBAM system requirements. Refer to the [MBAM minimum system requirements](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-supported-configurations#-mbam-server-system-requirements) and select a configuration that meets these requirements.
|
||||
Before we start to configure MBAM 2.5, we have to make sure that we have both servers configured per MBAM system requirements. See the [MBAM minimum system requirements](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-supported-configurations#-mbam-server-system-requirements), and select a configuration that meets these requirements.
|
||||
|
||||
#### Step 1.1: Deploying prerequisites for database and reporting server
|
||||
|
||||
1. Install and configure a server with Windows Server 2008 R2 or a later operating system.
|
||||
1. Install and configure a server that is running Windows Server 2008 R2 or a later operating system.
|
||||
|
||||
2. Install Windows PowerShell 3.0.
|
||||
|
||||
3. Install Microsoft SQL Server 2008 R2 or a later version with the latest service pack. If you are installing a new instance of SQL Server for MBAM, make sure that you Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation. You’ll have to install the following SQL Server features:
|
||||
3. Install Microsoft SQL Server 2008 R2 or a later version that includes the latest service pack. If you are installing a new instance of SQL Server for MBAM, make sure that you install SQL Server to have SQL_Latin1_General_CP1_CI_AS collation. You’ll have to install the following SQL Server features:
|
||||
|
||||
* Database Engine
|
||||
* Reporting Services
|
||||
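Review bot: the new wording in step 3, "install SQL Server to have SQL_Latin1_General_CP1_CI_AS collation", reads awkwardly; "install SQL Server with the SQL_Latin1_General_CP1_CI_AS collation" keeps the meaning of the old line and is clearer. The change from "with the latest service pack" to "a later version that includes the latest service pack" also shifts the point slightly: the requirement is that the service pack is applied, not that the version ships with it, so "SQL Server 2008 R2 or a later version, with the latest service pack applied" is more precise.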
@ -34,23 +34,23 @@ Before we start to configure MBAM 2.5, we have to make sure that we have both se
|
||||
* Management Tools – Complete
|
||||
|
||||
>[!Note]
|
||||
>Optionally, you may also install the [Transparent Data Encryption (TDE) feature in SQL Server](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-security-considerations).
|
||||
>Optionally, you can also install the [Transparent Data Encryption (TDE) feature in SQL Server](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-security-considerations).
|
||||
|
||||
SQL Server Reporting Services must be installed and configured in "native" mode and not in unconfigured or "SharePoint" mode.
|
||||
|
||||

|
||||
|
||||
4. If you plan to use SSL for the Administration and Monitoring website, make that you configure SQL Server Reporting Services (SSRS) to use the Secure Sockets Layer (SSL) protocol before you configure the Administration and Monitoring website. Otherwise, the Reports feature will use HTTP instead of HTTPS.
|
||||
4. If you plan to use SSL for the Administration and Monitoring website, make sure that you configure SQL Server Reporting Services (SSRS) to use the Secure Sockets Layer (SSL) protocol before you configure the Administration and Monitoring website. Otherwise, the Reports feature will use "HTTP" instead of "HTTPS."
|
||||
|
||||
You may follow Configure SSL Connections on a Native Mode Report Server to configure SSL on Report Server.
|
||||
You can follow [Configure SSL Connections](https://docs.microsoft.com/sql/reporting-services/security/configure-ssl-connections-on-a-native-mode-report-server?view=sql-server-2017) on a Native Mode Report Server to configure SSL on Report Server.
|
||||
|
||||
>[!Note]
|
||||
>You may follow the SQL Server Installation Guide for your respective version of SQL Server to install SQL Server. Links are as follows:
|
||||
>You can follow the SQL Server Installation Guide for your respective version of SQL Server to install SQL Server. The links are as follows:
|
||||
>* [SQL Server 2014](https://docs.microsoft.com/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2014)
|
||||
>* [SQL Server 2012](https://docs.microsoft.com/previous-versions/sql/sql-server-2012/bb500442(v=sql.110))
|
||||
>* [SQL Server 2008 R2](https://docs.microsoft.com/previous-versions/sql/sql-server-2012/bb500442(v=sql.110))
|
||||
|
||||
5. In the post-installation of SQL Server, make sure that you provision the user account in SQL Server and assign the following permissions to the user who will configure the MBAM database and reporting roles on the database server:
|
||||
5. In the post-installation of SQL Server, make sure that you provision the user account in SQL Server, and assign the following permissions to the user who will configure the MBAM database and reporting roles on the database server.
|
||||
|
||||
Roles for the instance of SQL Server:
|
||||
|
||||
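Review bot: the unchanged SQL Server 2008 R2 bullet in the note points at the same URL as the SQL Server 2012 bullet (docs.microsoft.com/previous-versions/sql/sql-server-2012/bb500442(v=sql.110)), so a reader following the 2008 R2 link lands on the 2012 installation guide; since this hunk already edits the note's lead sentence, fix the link target in the same change. Two smaller points in the new lines: the quotation marks added around "HTTP" and "HTTPS" in step 4 are not needed for protocol names (plain HTTP and HTTPS is the usual style), and the new link in the SSL sentence wraps only "Configure SSL Connections" while the rest of the article title, "on a Native Mode Report Server", sits outside the link; make the whole title the link text.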
@ -70,7 +70,7 @@ Choose a server that meets the hardware configuration as explained in the [MBAM
|
||||
|
||||
##### Roles
|
||||
|
||||
* Web Server (IIS) Management Tools (Click IIS Management Scripts and Tools.)
|
||||
* Web Server (IIS) Management Tools (Select IIS Management Scripts and Tools.)
|
||||
|
||||
* Web Server Role Services
|
||||
|
||||
@ -93,11 +93,11 @@ Choose a server that meets the hardware configuration as explained in the [MBAM
|
||||
|
||||
* .NET Framework 4.5 features
|
||||
|
||||
* The Microsoft .NET Framework 4.5
|
||||
* Microsoft .NET Framework 4.5
|
||||
|
||||
For Windows Server 2012 or Windows Server 2012 R2, the .NET Framework 4.5 is already installed for these versions of Windows Server. However, you must enable it.
|
||||
For Windows Server 2012 or Windows Server 2012 R2, .NET Framework 4.5 is already installed for these versions of Windows Server. However, you must enable it.
|
||||
|
||||
For Windows Server 2008 R2, the .NET Framework 4.5 is not included with Windows Server 2008 R2. So, you must download the .NET Framework 4.5 and install it separately.
|
||||
For Windows Server 2008 R2, .NET Framework 4.5 is not included with Windows Server 2008 R2. So, you must download .NET Framework 4.5 and install it separately.
|
||||
|
||||
* WCF Activation<br />
|
||||
HTTP Activation<br />
|
||||
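Review bot: both reworded .NET Framework paragraphs still repeat the OS name inside the sentence ("For Windows Server 2012 or Windows Server 2012 R2, .NET Framework 4.5 is already installed for these versions of Windows Server" and "For Windows Server 2008 R2, .NET Framework 4.5 is not included with Windows Server 2008 R2"); since the lines are being edited anyway, tighten them to "On Windows Server 2012 and Windows Server 2012 R2, .NET Framework 4.5 is already installed but must be enabled." and "Windows Server 2008 R2 does not include .NET Framework 4.5, so download and install it separately."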
@ -118,13 +118,13 @@ The next step is to create the required MBAM users and groups in Active Director
|
||||
|
||||
As part of the prerequisites, you must define certain roles and accounts that are used in MBAM to provide security and access rights to specific servers and features, such as the databases that are running on the instance of SQL Server and the web applications that are running on the Administration and Monitoring Server.
|
||||
|
||||
Create the following groups and users in Active Directory. (You can use any name for the groups and users.) Users do not have to have greater user rights. A domain user account is good enough. You’ll have to specify the name of these groups during configuration of MBAM 2.5:
|
||||
Create the following groups and users in Active Directory. (You can use any name for the groups and users.) Users do not have to have greater user rights. A domain user account is sufficient. You’ll have to specify the name of these groups during configuration of MBAM 2.5:
|
||||
|
||||
* **MBAMAppPool**
|
||||
|
||||
**Type**: Domain User
|
||||
|
||||
**Description**: Domain user who has read/write permission to the Compliance and Audit Database and the Recovery Database to enable the web applications to access the data and reports in these databases. It will also be used by the application pool for the web applications.
|
||||
**Description**: Domain user who has Read or Write permission to the Compliance and Audit Database and the Recovery Database to enable the web applications to access the data and reports in these databases. It will also be used by the application pool for the web applications.
|
||||
|
||||
**Account Roles (During Configuration of MBAM)**:
|
||||
|
||||
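Review bot: changing "read/write permission" to "Read or Write permission" in the MBAMAppPool description alters the meaning: the account needs both read and write access to the Compliance and Audit Database and the Recovery Database (the configuration tables later in this article call the field "Read/write permission domain user or group"), and "Read or Write" reads as if either one suffices. Keep "read/write" (or "read and write") here. The neighbouring sentences "Users do not have to have greater user rights. A domain user account is sufficient." would also read better as "These accounts do not need elevated rights; a standard domain user account is sufficient.", which states the least-privilege intent directly.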
@ -136,7 +136,7 @@ Create the following groups and users in Active Directory. (You can use any name
|
||||
|
||||
**Type**: Domain User
|
||||
|
||||
**Description**: Domain user who will have read-only access to the Compliance and Audit Database to enable the reports to access the compliance and audit data in this database. It will also be the domain user account that the local SQL Server Reporting Services instance uses to access the Compliance and Audit Database.
|
||||
**Description**: Domain user who will have Read-Only access to the Compliance and Audit Database to enable the reports to access the compliance and audit data in this database. It will also be the domain user account that the local SQL Server Reporting Services instance uses to access the Compliance and Audit Database.
|
||||
|
||||
**Account Roles (During Configuration of MBAM)**:
|
||||
|
||||
@ -148,7 +148,7 @@ Create the following groups and users in Active Directory. (You can use any name
|
||||
|
||||
**Type**: Domain Group
|
||||
|
||||
**Description**: MBAM Advanced Helpdesk Users access group: Domain user group whose members have access to all areas of the Administration and Monitoring Website. Users who have this role have to enter only the recovery key, and not the end-user’s domain and user name, when they are helping end-users recover their drives. If a user is a member of both the MBAM Helpdesk Users group and the MBAM Advanced Helpdesk Users group, the MBAM Advanced Helpdesk Users group permissions override the MBAM Helpdesk Group permissions.
|
||||
**Description**: MBAM Advanced Helpdesk Users access group: Domain user group whose members have access to all areas of the Administration and Monitoring Website. Users who have this role have to enter only the recovery key, not the user’s domain and user name, when they are helping users recover their drives. If a user is a member of both the MBAM Helpdesk Users group and the MBAM Advanced Helpdesk Users group, the MBAM Advanced Helpdesk Users group permissions override the MBAM Helpdesk Group permissions.
|
||||
|
||||
**Account Roles (During Configuration of MBAM)**: MBAM Advanced Helpdesk Users
|
||||
|
||||
@ -156,7 +156,7 @@ Create the following groups and users in Active Directory. (You can use any name
|
||||
|
||||
**Type**: Domain Group
|
||||
|
||||
**Description**: MBAM Helpdesk Users access group: Domain user group whose members have access to the Manage TPM and Drive Recovery areas of the MBAM Administration and Monitoring Website. People who have this role must fill in all fields when they use either option. This includes the end-user’s domain and account name.
|
||||
**Description**: MBAM Helpdesk Users access group: Domain user group whose members have access to the Manage TPM and Drive Recovery areas of the MBAM Administration and Monitoring Website. People who have this role must fill in all fields when they use either option. This includes the user’s domain and account name.
|
||||
|
||||
**Account Roles (During Configuration of MBAM)**: MBAM Helpdesk Users
|
||||
|
||||
@ -178,27 +178,27 @@ Although it’s optional, we highly recommend that you use a certificate to help
|
||||
|
||||
After the certificate is issued, you should add the certificate to the personal store of the Administration and Monitoring Server. To add the certificate, open the Certificates store on the local computer. To do this, follow these steps:
|
||||
|
||||
1. Right-click Start, and then click Run.
|
||||
1. Right-select Start, and then select Run.
|
||||
|
||||

|
||||
|
||||
2. Type "MMC.EXE" (without the quotation marks), and then click **OK**.
|
||||
2. Type "MMC.EXE" (without the quotation marks), and then select **OK**.
|
||||
|
||||

|
||||
|
||||
3. Click **File** in the new MMC that you opened, and then click **Add/Remove Snap-in**.
|
||||
3. Select **File** in the new MMC that you opened, and then select **Add/Remove Snap-in**.
|
||||
|
||||

|
||||
|
||||
4. Highlight the **Certificates** snap-in, and then click **Add**.
|
||||
4. Highlight the **Certificates** snap-in, and then select **Add**.
|
||||
|
||||

|
||||
|
||||
5. Select the **Computer account** option, and then click **Next**.
|
||||
5. Select the **Computer account** option, and then select **Next**.
|
||||
|
||||

|
||||
|
||||
6. Select **Local Computer** on the next screen, and then click **Finish**.
|
||||
6. Select **Local Computer** on the next screen, and then select **Finish**.
|
||||
|
||||

|
||||
|
||||
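Review bot: "Right-select Start" in step 1 is not an action a reader can perform; the style guidance that replaces "click" with "select" keeps "right-click" for the context-menu gesture, so this line should read "Right-click Start, and then select Run." (the same replacement recurs in step 10 of the next hunk). In step 2, "MMC.EXE" (without the quotation marks) would be cleaner as code-formatted `mmc.exe`, which removes the need for the parenthetical.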
@ -208,38 +208,38 @@ After the certificate is issued, you should add the certificate to the personal
|
||||
|
||||
8. Import the web server certificate into your computer's certificate store.
|
||||
|
||||
Now that you have access to the Certificates snap-in, you can import the web server certificate into your computer's certificate store. To do this, follows next steps.
|
||||
Now that you have access to the Certificates snap-in, you can import the web server certificate into your computer's certificate store. To do this, follow the next steps.
|
||||
|
||||
9. Open the Certificates (Local Computer) snap-in and browse to **Personal** and then **Certificates**.
|
||||
9. Open the Certificates (Local Computer) snap-in, and browse to **Personal** and then **Certificates**.
|
||||
|
||||

|
||||
|
||||
>[!Note]
|
||||
>The Certificates snap-in may not be listed. If it is not, no certificates are installed.
|
||||
|
||||
10. Right-click **Certificates**, select **All Tasks**, and then click **Import**.
|
||||
10. Right-select **Certificates**, select **All Tasks**, and then select **Import**.
|
||||
|
||||

|
||||
|
||||
11. When the wizard starts, click **Next**. Browse to the file that you created that contains your server certificate and private key, and then click **Next**.
|
||||
11. When the wizard starts, select **Next**. Browse to the file that you created that contains your server certificate and private key, and then select **Next**.
|
||||
|
||||

|
||||
|
||||
12. Enter the password if any you gave to the file when you created it.
|
||||
12. Enter the password if you specified one for the file when you created it.
|
||||
|
||||

|
||||
|
||||
>[!Note]
|
||||
>Make sure that the Mark the key as exportable option is selected if you want to be able to export the key pair again from this computer. As an added security measure, you may want to leave this option unchecked to make sure that no one can make a backup of your private key.
|
||||
>Make sure that the **Mark the key as exportable** option is selected if you want to be able to export the key pair again from this computer. As an added security measure, you may want to leave this option cleared to make sure that no one can make a backup of your private key.
|
||||
|
||||
13. Click **Next**, and then select the **Certificate Store** to which you want to save the certificate.
|
||||
13. Select **Next**, and then select the **Certificate Store** to which you want to save the certificate.
|
||||
|
||||

|
||||
|
||||
>[!Note]
|
||||
>You should select **Personal**, because it is a web server certificate. If you included the certificate in the certification hierarchy, it will also be added to this store.
|
||||
|
||||
14. Click **Next**, and then click **Finish**.
|
||||
14. Select **Next**, and then select **Finish**.
|
||||
|
||||

|
||||
|
||||
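Review bot: step 10's "Right-select **Certificates**" has the same problem as step 1 earlier in the article: "right-select" is not a real interaction, and the conventional wording is "Right-click **Certificates**, select **All Tasks**, and then select **Import**." The reworded note under step 12 is also internally contradictory: it first tells the reader to make sure **Mark the key as exportable** is selected, then suggests leaving it cleared for security. Because an exportable private key can be exported again through this same snap-in by anyone with administrative rights on the web server, lead with the secure default: "Leave **Mark the key as exportable** cleared unless you need to export the key pair from this computer again; an exportable key can be backed up and copied out of the store."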
@ -259,40 +259,40 @@ If you are using SSL communication between the client and server, you should mak
|
||||
|
||||
If you receive a certificate error when you try to browse service URLs, you are using a certificate that was issued to a different name, or you are browsing by using an incorrect URL.
|
||||
|
||||
Although the browser may prompt you with a certificate error message but let you continue, the MBAM web service will not ignore certificate errors and will block the connection. You will notice certificate-related errors in the MBAM client’s MBAM Admin event log. If you are using an alias to connect to the Administration and Monitoring server, you should issue a certificate to the alias name. That is, the subject name of the certificate should be the alias name, and the local server’s DNS name should be added to the Subject Alternative Name field of the certificate.
|
||||
Although the browser may prompt you with a certificate error message but let you continue, the MBAM web service will not ignore certificate errors and will block the connection. You will notice certificate-related errors in the MBAM client’s MBAM Admin event log. If you are using an alias to connect to the Administration and Monitoring server, you should issue a certificate to the alias name. That is, the subject name of the certificate should be the alias name, and the local server’s DNS name should be added to the **Subject Alternative Name** field of the certificate.
|
||||
|
||||
Example:
|
||||
|
||||
If the virtual name is "bitlocker.contoso.com" and the MBAM Administration and Monitoring server name is "adminserver.contoso.com," the certificate should be issued to bitlocker.contoso.com (subject name), and adminserver.contoso.com should be added to Subject Alternative Name field of the certificate.
|
||||
If the virtual name is "bitlocker.contoso.com" and the MBAM Administration and Monitoring server name is "adminserver.contoso.com," the certificate should be issued to bitlocker.contoso.com (subject name), and adminserver.contoso.com should be added to **Subject Alternative Name** field of the certificate.
|
||||
|
||||
Similarly, if you have multiple Administration and Monitoring servers installed to balance the load by using a load balancer, you should issue the SSL certificate to the virtual name. That is, the subject name field of the certificate should have the virtual name, and the names of all the local servers should be added in the Subject Alternative Name field of the certificate.
|
||||
Similarly, if you have multiple Administration and Monitoring servers installed to balance the load by using a load balancer, you should issue the SSL certificate to the virtual name. That is, the subject name field of the certificate should have the virtual name, and the names of all the local servers should be added in the **Subject Alternative Name** field of the certificate.
|
||||
|
||||
Example:
|
||||
|
||||
If the virtual name is "bitlocker.contoso.com" and the servers are "adminserver1.contoso.com" and "adminiserver2.contoso.com," the certificate should be issued to bitlocker.contoso.com (subject name) and adminserver1.contoso.com, and adminiserver2.contoso.com should be added to the Subject Alternative Name field of the certificate.
|
||||
If the virtual name is "bitlocker.contoso.com" and the servers are "adminserver1.contoso.com" and "adminiserver2.contoso.com," the certificate should be issued to bitlocker.contoso.com (subject name) and adminserver1.contoso.com, and adminiserver2.contoso.com should be added to the **Subject Alternative Name** field of the certificate.
|
||||
|
||||
The steps to configure SSL communication with MBAM are described in the following Knowledge Base article: [KB 2754259](https://support.microsoft.com/help/2754259).
|
||||
The steps to configure SSL communication by using MBAM are described in the following Knowledge Base article: [KB 2754259](https://support.microsoft.com/help/2754259).
|
||||
|
||||
### Step 5: Register SPNS for the application pool account and configure constrained delegation
|
||||
|
||||
>[!Note]
|
||||
>Constrained delegation is required only for 2.5 and is not required for 2.5 Service Pack 1 and later.
|
||||
|
||||
To enable the MBAM servers to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal, you must register a Service Principal Name (SPN) for the host name under the domain account that you are using for the web application pool. The following article contains step-by-step instructions on how to register SPNs: [Planning How to Secure the MBAM Websites](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/planning-how-to-secure-the-mbam-websites)
|
||||
To enable the MBAM servers to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal, you must register a Service Principal Name (SPN) for the host name under the domain account that you are using for the web application pool. The following article contains step-by-step instructions to register SPNs: [Planning How to Secure the MBAM Websites](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/planning-how-to-secure-the-mbam-websites)
|
||||
|
||||
After you have the SPN configured, you should set up constrained delegation on the SPN:
|
||||
After you have the SPN configured, you should set up constrained delegation on the SPN. To do this, follow these steps:
|
||||
|
||||
1. Go to Active Directory, and find the app pool credentials that you configured for MBAM websites in the earlier steps.
|
||||
1. Go to Active Directory, and find the app pool credentials that you configured for MBAM websites in the previous steps.
|
||||
|
||||
2. Right-click, and go to **properties**.
|
||||
2. Right-click the credentials, and then select **properties**.
|
||||
|
||||
3. Click the **delegation** tab.
|
||||
3. Select the **delegation** tab.
|
||||
|
||||
4. Click the option for Kerberos authentication.
|
||||
4. Select the option for Kerberos authentication.
|
||||
|
||||
5. Click **browse**, and browse again for your app pool credentials. You should then see the all the SPNs set up on the app pool creds account. (The SPN should be something that resembles "http/bitlocker.fqdn.com"). Highlight the SPN that is the same as the host name that you specified during the MBAM installation.
|
||||
5. Select **browse**, and browse again for your app pool credentials. You should then see the all the SPNs that are set up on the app pool creds account. (The SPN should resemble "http/bitlocker.fqdn.com"). Highlight the SPN that is the same as the host name that you specified during the MBAM installation.
|
||||
|
||||
6. Click **OK**.
|
||||
6. Select **OK**.
|
||||
|
||||
Now you are good with prerequisites. In the next steps, you will install the MBAM software on the servers and configure it.
|
||||
|
||||
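Review bot: changing "configure SSL communication with MBAM" to "configure SSL communication by using MBAM" changes the meaning: KB 2754259 describes configuring SSL for MBAM's web services, not using MBAM as a tool to configure SSL, so "for MBAM" is the right preposition. Further points in this hunk: the load-balancer example keeps the typo "adminiserver2.contoso.com" in both the old and the new line (should be "adminserver2.contoso.com"); "should be added to **Subject Alternative Name** field" is missing "the"; the constrained-delegation steps bold UI labels in lowercase (**properties**, **delegation**, **browse**) although the Active Directory dialog shows Properties, Delegation and Browse, so match the UI capitalization; and "app pool creds account" in step 5 is informal where "application pool account" is enough.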
@ -302,23 +302,23 @@ Now you are good with prerequisites. In the next steps, you will install the MBA
|
||||
|
||||
To install the MBAM Server software by using the Microsoft BitLocker Administration and Monitoring Setup wizard both on Database Server and on Administration and Monitoring Server, follow these steps.
|
||||
|
||||
1. On the server where you want to install MBAM, run MBAMserversetup.exe to start the Microsoft BitLocker Administration and Monitoring Setup wizard.
|
||||
1. On the server on which you want to install MBAM, run MBAMserversetup.exe to start the Microsoft BitLocker Administration and Monitoring Setup wizard.
|
||||
|
||||
2. On the Welcome page, click **Next**.
|
||||
2. On the Welcome page, select **Next**.
|
||||
|
||||
3. Read and accept the Microsoft Software License Agreement, and then click **Next** to continue the installation.
|
||||
3. Read and accept the Microsoft Software License Agreement, and then select **Next** to continue the installation.
|
||||
|
||||
4. Decide whether to use Microsoft Update when you check for updates, and then click **Next**.
|
||||
4. Decide whether to use Microsoft Update when you check for updates, and then select **Next**.
|
||||
|
||||
5. Decide whether to participate in the Customer Experience Improvement Program, and then click **Next**.
|
||||
5. Decide whether to participate in the Customer Experience Improvement Program, and then select **Next**.
|
||||
|
||||
6. To start the installation, click **Install**.
|
||||
6. To start the installation, select **Install**.
|
||||
|
||||
7. To configure the server features after the MBAM Server software finishes installing, select the **Run MBAM Server Configuration after the wizard closes** check box. Or, you can configure MBAM later by using the **MBAM Server Configuration** shortcut that the server installation creates on your **Start** menu.
|
||||
|
||||
8. Click **Finish**.
|
||||
8. Select **Finish**.
|
||||
|
||||
For more information, refer to [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software).
|
||||
For more information, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software).
|
||||
|
||||
### Step 7: Configure MBAM 2.5 database and reports role
|
||||
|
||||
@ -326,11 +326,11 @@ In this step, we will configure the MBAM 2.5 databases and reporting component b
|
||||
|
||||
1. Configure the Compliance and Audit Database and the Recovery Database by using the wizard:
|
||||
|
||||
1. On the server where you want to configure the databases, start the **MBAM Server Configuration wizard**. You can select **MBAM Server Configuration** on the **Start** menu to open the wizard.
|
||||
1. On the server on which you want to configure the databases, start the **MBAM Server Configuration wizard**. You can select **MBAM Server Configuration** on the **Start** menu to open the wizard.
|
||||
|
||||
2. Click **Add New Features**, select **Compliance and Audit Database**, **Recovery Database and Reports**, and then click **Next**. The wizard checks that all prerequisites for the databases are met.
|
||||
2. Select **Add New Features**, select **Compliance and Audit Database**, **Recovery Database and Reports**, and then select **Next**. The wizard checks that all prerequisites for the databases are met.
|
||||
|
||||
3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Check prerequisites again**.
|
||||
3. If the prerequisite check is successful, select **Next** to continue. Otherwise, resolve any missing prerequisites, and then select **Check prerequisites again**.
|
||||
|
||||
4. Using the following descriptions, enter the field values in the wizard:
|
||||
|
||||
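Review bot: in step 2, "select **Compliance and Audit Database**, **Recovery Database and Reports**" bolds two items where the Step 7 heading and the sub-steps that follow (the Recovery Database table, then "4. Reports") describe three features; write it as "select **Compliance and Audit Database**, **Recovery Database**, and **Reports**" so a reader does not look for a single "Recovery Database and Reports" check box.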
@ -338,7 +338,7 @@ In this step, we will configure the MBAM 2.5 databases and reporting component b
|
||||
|
||||
|Field |Description|
|
||||
|-------|-------|
|
||||
|SQL Server name |Name of the server where you are configuring the Compliance and Audit Database. <br /> You must add an exception on the Compliance and Audit Database computer to enable incoming inbound traffic on the Microsoft SQL Server port. The default port number is 1433.|
|
||||
|SQL Server name |Name of the server on which you are configuring the Compliance and Audit Database. <br /> You must add an exception on the Compliance and Audit Database computer to enable incoming inbound traffic on the SQL Server port. The default port number is 1433.|
|
||||
|SQL Server database instance |Name of the database instance where the compliance and audit data will be stored. If you are using the default instance, you must leave this field blank. You must also specify where the database information will be located.|
|
||||
|Database name |Name of the database that will store the compliance data. You must note the name of the database that you are specifying here because you will have to provide this information in later steps.|
|
||||
|Read/write permission domain user or group |Specify the name of the MBAMAppPool user as configured in step 2.|
|
||||
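Review bot: "enable incoming inbound traffic" in the reworded SQL Server name row is redundant; "allow inbound traffic on the SQL Server port" says the same thing. Since this row is where the article tells the reader to open port 1433 on the Compliance and Audit Database computer, it is worth adding that the firewall exception should be scoped to the address of the Administration and Monitoring server, the only client that needs to reach the database, rather than to any source.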
@ -348,14 +348,14 @@ In this step, we will configure the MBAM 2.5 databases and reporting component b
|
||||
|
||||
|Field |Description|
|
||||
|-----|-----|
|
||||
|SQL Server name |Name of the server where you are configuring the Recovery Database. You must add an exception on the Recovery Database computer to enable incoming inbound traffic on the Microsoft SQL Server port. The default port number is 1433.|
|
||||
|SQL Server name |Name of the server on which you are configuring the Recovery Database. You must add an exception on the Recovery Database computer to enable incoming inbound traffic on the SQL Server port. The default port number is 1433.|
|
||||
|SQL Server database instance |Name of the database instance where the recovery data will be stored. If you are using the default instance, you must leave this field blank. You must also specify where the database information will be located.|
|
||||
|Database name |Name of the database that will store the recovery data.|
|
||||
|Read/write permission domain user or group |Domain user or group that has read/write permission to this database to enable the web applications to access the data and reports in this database. <br />If you enter a user in this field, it must be the same value as the value in the **Web service application pool domain account** field on the **Configure Web Applications** page. <br />If you enter a group in this field, the value in the **Web service application pool domain account** field on the **Configure Web Applications** page must be a member of the group that you enter in this field.|
|
||||
|
||||
When you finish your entries, click **Next**. The wizard checks that all prerequisites for the databases are met.
|
||||
When you finish your entries, select **Next**. The wizard checks that all prerequisites for the databases are met.
|
||||
|
||||
If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Next** again.
|
||||
If the prerequisite check is successful, select **Next** to continue. Otherwise, resolve any missing prerequisites, and then select **Next** again.
|
||||
|
||||
4. Reports.
|
||||
|
||||
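Review bot: the failure path in the reworded line "Otherwise, resolve any missing prerequisites, and then select **Next** again" differs from the equivalent line a few steps earlier, which says "select **Check prerequisites again**"; both describe the same wizard state, so they should name the same button. The Recovery Database row repeats "enable incoming inbound traffic"; as in the Compliance and Audit Database table, "allow inbound traffic on the SQL Server port" is enough, and the same scoping advice applies: limit the port 1433 exception to the web server that hosts the MBAM web applications, because the Recovery Database holds the BitLocker recovery data.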
@ -363,49 +363,49 @@ In this step, we will configure the MBAM 2.5 databases and reporting component b
|----|----|
|SQL Server Reporting Services instance |Instance of SQL Server Reporting Services where the reports will be configured. If you are using the default instance, you must leave this field blank.|
|Reporting role domain group |Specify the name of the MBAMRUGrp as mentioned in step 2.|
|SQL Server name |Name of the server where the Compliance and Audit Database is configured.|
|SQL Server name |Name of the server on which the Compliance and Audit Database is configured.|
|SQL Server database instance |Name of the database instance where the compliance and audit data is configured. If you are using the default instance, you must leave this field blank. <br />You must add an exception on the Reports computer to enable incoming traffic on the port of the Reporting Server. (The default port is 80.)|
|Database name| Name of the Compliance and Audit Database. By default, the database name is MBAM Compliance Status.|
|Compliance and Audit Database domain account |Specify the name of the MBAMROUser user as configured in step 2.|

When you finish your entries, click **Next**. The wizard checks that all prerequisites for the Reports feature are met. Click Next to continue. On the **Summary** page, review the features that will be added.
When you finish your entries, select **Next**. The wizard checks that all prerequisites for the Reports feature are met. Select Next to continue. On the **Summary** page, review the features that will be added.

For more information, refer to the following article: [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases).
For more information, see the following article: [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases).

### Step 8: Configure the MBAM 2.5 Web applications role

1. On the server where you want to configure the web applications, start the MBAM Server Configuration wizard. You can select **MBAM Server Configuration** on the **Start** menu to open the wizard.
1. On the server on which you want to configure the web applications, start the MBAM Server Configuration wizard. You can select **MBAM Server Configuration** on the **Start** menu to open the wizard.

2. Click **Add New Features**, select **Administration and Monitoring Website** and **Self-Service Portal**, and then click **Next**. The wizard checks that all prerequisites for the databases are met.
2. Select **Add New Features**, select **Administration and Monitoring Website** and **Self-Service Portal**, and then select **Next**. The wizard checks that all prerequisites for the databases are met.

3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Check prerequisites again**.
3. If the prerequisite check is successful, select **Next** to continue. Otherwise, resolve any missing prerequisites, and then select **Check prerequisites again**.

4. Use the following descriptions to enter the field values in the wizard.

|Field |Description|
|-----|-----|
|Security certificate |Select a previously created certificate in step 3 to optionally encrypt the communication between the web services and the server on which you are configuring the Administration and Monitoring Website. If you select Do not use a certificate, your web communication may not be secure.|
|Host name |Name of the host computer where you are configuring the Administration and Monitoring Website. <br />It does not have to be the hostname of the machine, it could be anything. However, if the hostname is different than the netbios name of the computer, you have to create an A record and make sure the SPN uses the custom hostname, not the netbios name. This is common on load balancing scenarios.|
|Installation path |Path where you are installing the Administration and Monitoring Website.|
|Host name |Name of the host computer on which you are configuring the Administration and Monitoring Website. <br />It does not have to be the hostname of the machine, it could be anything. However, if the hostname is different than the netbios name of the computer, you have to create an A record and make sure the SPN uses the custom hostname, not the netbios name. This is common on load balancing scenarios.|
|Installation path |Path on which you are installing the Administration and Monitoring Website.|
|Port |Port number to use for website communication. <br /> You must set a firewall exception to enable communication through the specified port.|
|Web service application pool domain account and password |Specify the user account and password of the MBAMAppPool user as configured in step 2. <br /> For improved security, set the account that is specified in the credentials to have limited user rights. Also, set the password of the account to never expire.|

5. Verify that the built-in IIS_IUSRS account or the application pool account was added to the **Impersonate a client after authentication** and the **Log on as a batch job** local security settings.

To check whether the account was added to the local security settings, open the **Local Security Policy editor**, expand the **Local Policies** node, click the **User Rights Assignment** node, and double-click **Impersonate a client after authentication** and **Log on as a batch job** policies in the right-side pane.
To check whether the account was added to the local security settings, open the **Local Security Policy editor**, expand the **Local Policies** node, select the **User Rights Assignment** node, and double-select **Impersonate a client after authentication** and **Log on as a batch job** policies in the right-side pane.

6. Use the following field descriptions to configure the connection information in the wizard for the Compliance and Audit Database.
|Field |Description|
|------|------|
|SQL Server name |Name of the server where the Compliance and Audit Database is configured.|
|SQL Server database instance |Name of the instance of SQL Server (for example, \<Server Name\>) where the Compliance and Audit Database is configured. Leave this blank if you are using the default instance.|
|SQL Server name |Name of the server on which the Compliance and Audit Database is configured.|
|SQL Server database instance |Name of the instance of SQL Server (for example, \<Server Name\>) and on which the Compliance and Audit Database is configured. Leave this blank if you are using the default instance.|
|Database name |Name of the Compliance and Audit Database. By default, it’s "MBAM Compliance Status".|

7. Use the following field descriptions to configure the connection information in the wizard for the Recovery Database.
|Field |Description|
|----|----|
|SQL Server name |Name of the server where the Recovery Database is configured.|
|SQL Server database instance |Name of the instance of SQL Server (for example, \<Server Name\>) where the Recovery Database is configured. Leave this blank if you are using default instance.|
|SQL Server name |Name of the server on which the Recovery Database is configured.|
|SQL Server database instance |Name of the instance of SQL Server (for example, \<Server Name\>) on which the Recovery Database is configured. Leave this blank if you are using the default instance.|
|Database name |Name of the Recovery Database. By default, it’s "MBAM Recovery and Hardware".|

8. Use the following descriptions to enter the field values in the wizard to configure the Administration and Monitoring Website.
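Review bot: the click→select pass at step 5 yields "double-select **Impersonate a client after authentication**", which is not a Windows UI action; keep "double-click" there, since the Local Security Policy editor opens a policy on double-click. The where→on which pass also misfires in two table rows: "Path on which you are installing the Administration and Monitoring Website" should stay "Path where you are installing ...", and the Compliance and Audit Database instance row now carries a stray "and" ("Name of the instance of SQL Server (for example, \<Server Name\>) and on which the Compliance and Audit Database is configured"). In the Host name row the comma splice "It does not have to be the hostname of the machine, it could be anything" survives the edit; since the sentence that follows carries the security-relevant requirement (an A record for the custom host name and an SPN registered for that name rather than the NetBIOS name), suggest "It does not have to be the host name of the machine; it can be any name. However, ...".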
@ -413,24 +413,24 @@ In this step, we will configure the MBAM 2.5 databases and reporting component b
|----|----|
|Advanced Helpdesk role domain group |Specify the name of the MBAMAdvHelpDsk Group as configured in step 2.|
|Helpdesk role domain group |Specify the name of the MBAMHelpDsk Group as configured in step 2.|
|Use System Center Configuration Manager Integration |Click to clear this check box. |
|Use System Center Configuration Manager Integration |Select to clear this check box. |
|Reporting role domain group |Specify the name of the MBAMRUGrp Group as configured in step 2. |
|SQL Server Reporting Services URL |Specify the Web Service URL for the SSRS server where the MBAM reports are configured. You can find this information by logging in to Reporting Services Configuration Manager on the Database Server. <br /> Example of a fully qualified domain name: https://MyReportServer.Contoso.com/ReportServer <br />Example of a custom host name: https://MyReportServer/ReportServer|
|SQL Server Reporting Services URL |Specify the Web Service URL for the SSRS server on which the MBAM reports are configured. You can find this information by logging in to Reporting Services Configuration Manager on the Database Server. <br /> Example of a fully qualified domain name: https://MyReportServer.Contoso.com/ReportServer <br />Example of a custom host name: https://MyReportServer/ReportServer|
|Virtual directory |Virtual directory of the Administration and Monitoring Website. This name corresponds to the website’s physical directory on the server and is appended to the website’s host name. For example: <br />http(s)://*\<host name\>*:*\<port\>*/HelpDesk/ <br />If you do not specify a virtual directory, the value HelpDesk will be used. |

9. Use the following description to enter the field values in the wizard to configure the Self-Service Portal.

|Field |Description|
|----|----|
|Virtual directory |Virtual directory of the web application. This name corresponds to the website’s physical directory on the server and is appended to the website’s host name. For example:<br />http(s)://*\<host name\>*:*\<port\>*/SelfService/<br /> If you do not specify a virtual directory, the value SelfService will be used.|
|Virtual directory |Virtual directory of the web application. This name corresponds to the website’s physical directory on the server and is appended to the website’s host name. For example:<br />http(s)://*\<host name\>*:*\<port\>*/SelfService/<br /> If you do not specify a virtual directory, the value "SelfService" will be used.|

10. When you finish your entries, click **Next**. The wizard checks that all prerequisites for the web applications are met.
10. When you finish your entries, select **Next**. The wizard checks that all prerequisites for the web applications are met.

11. Click **Next** to continue.
11. Select **Next** to continue.

12. On the **Summary** page, review the features that will be added.

13. Click **Add** to add the web applications to the server, and then click **Close**.
13. Select **Add** to add the web applications to the server, and then select **Close**.

## Customizing and validating steps after installing MBAM 2.5 server software
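Review bot: "Select to clear this check box" in the Use System Center Configuration Manager Integration row is self-contradictory (selecting a check box is the opposite of clearing it); write "Clear this check box." Also, quoting the default value in the Self-Service Portal row ("SelfService") without quoting the corresponding default in the HelpDesk row above it (the value HelpDesk will be used) leaves the two rows inconsistent; quote both or neither.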
@ -440,42 +440,41 @@ To customize the Self-Service Portal by adding custom notice text, your company

### Step 10: Configure the self-server portal if client computers cannot access the CDN

Determine whether your client computers have access to the Microsoft AJAX Content Delivery Network (CDN).
The CDN gives the Self-Service Portal the access it requires to certain JavaScript files. If you don’t configure the Self-Service Portal when client computers cannot access the CDN, only the company name and the account under which the end-user signed in will be displayed. No error message will be shown.
Determine whether your client computers have access to the Microsoft AJAX Content Delivery Network (CDN). The CDN gives the Self-Service Portal the access it requires to certain JavaScript files. If you don’t configure the Self-Service Portal when client computers cannot access the CDN, only the company name and the account under which the user signed in will be displayed. No error message will be shown.

Do one of the following:

* If your client computers have access to the CDN, do nothing. Your Self-Service Portal configuration is complete.

* If your client computers do not have access to the CDN, follow the steps in How to Configure the Self-Service Portal When Client Computers Cannot Access the Microsoft Content Delivery Network.
* If your client computers do not have access to the CDN, follow the steps in [How to Configure the Self-Service Portal When Client Computers Cannot Access the Microsoft Content Delivery Network](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network).

### Step 11: Validate the MBAM 2.5 server feature configuration

To validate your MBAM Server deployment with the Stand-alone topology, follow these steps.
To validate your MBAM Server deployment to use the standalone topology, follow these steps.

1. On each server where an MBAM feature is deployed, click **Control Panel** > **Programs** > **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list.
1. On each server on which an MBAM feature is deployed, select **Control Panel** > **Programs** > **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list.
>[!Note]
>To perform the validation, you must use a domain account that has local computer administrative credentials on each server.

2. On the server where the Recovery Database is configured, open SQL Server Management Studio, and verify that the **MBAM Recovery and Hardware** database is configured.
2. On the server on which the Recovery Database is configured, open SQL Server Management Studio, and verify that the **MBAM Recovery and Hardware** database is configured.

3. On the server where the Compliance and Audit Database is configured, open SQL Server Management Studio, and verify that the MBAM Compliance Status Database is configured.
3. On the server om which the Compliance and Audit Database is configured, open SQL Server Management Studio, and verify that the MBAM Compliance Status Database is configured.

4. On the server where the Reports feature is configured, open a web browser with administrative credentials, and browse to the "Home" of the SQL Server Reporting Services site.
4. On the server onm which the Reports feature is configured, open a web browser by using administrative credentials, and browse to the homepage of the SQL Server Reporting Services site.

The default Home location of a SQL Server Reporting Services site instance is as follows:
The default homepage location of a SQL Server Reporting Services site instance is as follows:
http(s)://*\<MBAM Reports Server Name\>*:*\<port\>*/Reports.aspx

To find the actual URL, use the Reporting Services Configuration Manager tool, and select the instances that you specified during setup.

5. Confirm that a reports folder named Microsoft BitLocker Administration and Monitoring contains a data source called MaltaDataSource. This data source contains folders that have names that represent languages (for example, en-us). The reports are in the language folders.
5. Verify that a reports folder that is named Microsoft BitLocker Administration and Monitoring contains a data source that is named MaltaDataSource. This data source contains folders that have names that represent language locales (for example, en-us). The reports are in the language folders.

>[!Note]If SQL Server Reporting Services (SSRS) was configured as a named instance, the URL should resemble the following:
>http(s)://\<MBAM Reports Server Name\>:\<port\>/Reports_\<SSRS Instance Name\>
>
>If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM server. If you then go to the Administration and Monitoring Website (also known as Help Desk) and select a report, you receive the following message: "Only Secure Content is Displayed." To show the report, click **Show All Content**.
>If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to "HTTP" instead of "HTTPS" when you install the MBAM server. If you then go to the Administration and Monitoring Website (also known as Helpdesk) and select a report, you receive the following message: "Only Secure Content is Displayed." To show the report, select **Show All Content**.

6. On the server where the Administration and Monitoring Website feature is configured, run Server Manager, browse to **Roles**, and then select **Web Server (IIS)** > **Internet Information Services (IIS)** Manager.
6. On the server on which the Administration and Monitoring Website feature is configured, run Server Manager, browse to **Roles**, and then select **Web Server (IIS)** > **Internet Information Services (IIS)** Manager.

7. In **Connections**, browse to \<computer name\> and then select **Sites** > **Microsoft BitLocker Administration and Monitoring**. Verify that the following are listed:
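Review bot: two typos are introduced in the validation steps: step 3 now reads "On the server om which the Compliance and Audit Database is configured" and step 4 "On the server onm which the Reports feature is configured"; both should be "on which". The rewritten intro, "To validate your MBAM Server deployment to use the standalone topology", changes the sense (the topology is what was deployed, not something the validation switches on); "To validate your MBAM Server deployment in the standalone topology" keeps the original meaning. In the SSRS callout the marker and the text share a line (">[!Note]If SQL Server Reporting Services (SSRS) was configured as a named instance ..."), so it will not render as a note; put ">[!Note]" on its own line as in the other callouts. In the same callout, "Secure Socket Layer" should be "Secure Sockets Layer", and the advice to select **Show All Content** only dismisses a mixed-content warning: because the line itself says the report URL is written as HTTP at install time when SSRS has no SSL configured, it is worth adding that the clean fix is to configure SSRS for HTTPS before running the MBAM Server Configuration wizard, so the reports are served over HTTPS rather than accepted over plain HTTP.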
@ -483,14 +482,14 @@ To validate your MBAM Server deployment with the Stand-alone topology, follow th
* MBAMComplianceStatusService
* MBAMRecoveryAndHardwareService

8. On the server where the Administration and Monitoring Website and Self-Service Portal are configured, open a web browser with administrative credentials.
8. On the server on which the Administration and Monitoring Website and Self-Service Portal are configured, open a web browser by using administrative credentials.

9. Browse to the following websites to verify that they load successfully:
* https(s)://\<MBAM Administration Server Name\>:\<port\>/HelpDesk/ (confirm each link for navigation and reports)
* http(s)://\<MBAM Administration Server Name\>:\<port\>/SelfService/

>[!Note]
>It is assumed that you configured the server features on the default port without network encryption. If you configured the server features on a different port or virtual directory, change the URLs to include the appropriate port, for example:
>It is assumed that you configured the server features on the default port without network encryption. If you configured the server features on a different port or virtual directory, change the URLs to include the appropriate port. For example:
>http(s)://\<host name\>:\<port\>/HelpDesk/
>http(s)://\<host name\>:\<port\>/\<virtualdirectory\>/
>If the server features were configured to use network encryption, change http:// to https://.
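Review bot: the first URL in step 9 still reads "https(s)://\<MBAM Administration Server Name\>:\<port\>/HelpDesk/"; it should be "http(s)://", matching the SelfService URL on the next line and the examples in the note below. Since this hunk already touches the surrounding lines, fix it here.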
@ -504,42 +503,42 @@ To validate your MBAM Server deployment with the Stand-alone topology, follow th

### Step 12: Configure the MBAM Group policy templates

To deploy MBAM, you have to set Group Policy settings that define MBAM implementation settings for BitLocker drive encryption. To complete this task, you must copy the MBAM Group Policy templates to a server or workstation that can run Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM), and then edit the settings.
To deploy MBAM, you have to set Group Policy settings that define MBAM implementation settings for BitLocker Drive Encryption. To complete this task, you must copy the MBAM Group Policy templates to a server or workstation that can run Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM), and then edit the settings.

>[!Important]
>Do not change the Group Policy settings in the **BitLocker Drive Encryption** node, or MBAM will not work correctly. When you configure the Group Policy settings in the **MDOP MBAM (BitLocker Management)** node, MBAM automatically configures the **BitLocker Drive Encryption** settings for you.
>Do not change the Group Policy settings in the **BitLocker Drive Encryption** node or MBAM will not work correctly. When you configure the Group Policy settings in the **MDOP MBAM (BitLocker Management)** node, MBAM automatically configures the **BitLocker Drive Encryption** settings for you.

#### Copying the MBAM 2.5 Group Policy templates

Before you install the MBAM Client, you must copy MBAM-specific Group Policy Objects (GPOs) to the management workstation. These GPOs define MBAM implementation settings for BitLocker drive encryption. You can copy the Group Policy templates to any server or workstation that is a supported Windows-based server or client computer and can run the Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM).
Before you install the MBAM Client, you must copy MBAM-specific Group Policy Objects (GPOs) to the management workstation. These GPOs define MBAM implementation settings for BitLocker. You can copy the Group Policy templates to any server or workstation that is a supported Windows-based server or client computer and that can run the Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM).

For more information, refer to [Copying the MBAM 2.5 Group Policy Templates](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/copying-the-mbam-25-group-policy-templates).
For more information, see [Copying the MBAM 2.5 Group Policy Templates](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/copying-the-mbam-25-group-policy-templates).

#### Editing MBAM 2.5 GPO settings

After you create the necessary GPOs, you must deploy the MBAM Group Policy settings to your organization’s client computers. To view and create GPOs, you must have Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) installed.

For more information, refer to [Editing the MBAM 2.5 Group Policy Settings](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/editing-the-mbam-25-group-policy-settings) and [Planning for MBAM 2.5 Group Policy Requirements](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements).
For more information, see [Editing the MBAM 2.5 Group Policy Settings](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/editing-the-mbam-25-group-policy-settings) and [Planning for MBAM 2.5 Group Policy Requirements](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements).

### Step 13: Deploying the MBAM 2.5 client
### Step 13: Deploying the MBAM 2.5 Client

Depending on when you deploy the Microsoft BitLocker Administration and Monitoring Client software, you can enable BitLocker Drive Encryption on a computer in your organization either before the end-user receives the computer or afterward by configuring Group Policy and deploying the MBAM Client software by using an enterprise software deployment system.
Depending on when you deploy the Microsoft BitLocker Administration and Monitoring Client software, you can enable BitLocker on a computer in your organization either before the user receives the computer or afterward by configuring Group Policy and deploying the MBAM Client software by using an enterprise software deployment system.

#### Deploy the MBAM Client to desktop or portable computers

After you configure Group Policy settings, you can use an enterprise software deployment system product such as Microsoft System Center 2012 Configuration Manager or Active Directory Domain Services to deploy the MBAM Client installation Windows Installer files to target computers. You can use either the 32-bit or 64-bit MbamClientSetup.exe files or the 32-bit or 64-bit MBAMClient.msi files. These are provided with the MBAM Client software.
After you configure Group Policy settings, you can use an enterprise software deployment system product such as Microsoft System Center 2012 Configuration Manager or Active Directory Domain Services (AD DS) to deploy the MBAM client installation Windows Installer files to target computers. You can use either the 32-bit or 64-bit MbamClientSetup.exe files or the 32-bit or 64-bit MBAMClient.msi files. These are provided together with the MBAM Client software.

For more information, refer to [How to Deploy the MBAM Client to Desktop or Laptop Computers](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25).
For more information, see [How to Deploy the MBAM Client to Desktop or Laptop Computers](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25).

#### Deploy the MBAM Client as part of a Windows deployment

In organizations where computers are received and configured centrally, you can install the MBAM Client to manage BitLocker Drive Encryption on each computer before any user data is written to it. The benefit of this process is that every computer is then BitLocker Drive Encryption-compliant. This method does not rely on user action because the administrator has already encrypted the computer. A key assumption for this scenario is that the policy of the organization is to install a corporate Windows image before the computer is delivered to the user. If the Group Policy settings are configured to require a PIN, users are prompted to set a PIN after they receive the policy.
In organizations in which computers are received and configured centrally, you can install the MBAM Client to manage BitLocker Drive Encryption on each computer before any user data is written to it. The benefit of this process is that every computer is then BitLocker-compliant. This method does not rely on user action because the administrator has already encrypted the computer. A key assumption for this scenario is that the policy of the organization is to install a corporate Windows image before the computer is delivered to the user. If the Group Policy settings are configured to require a PIN, users are prompted to set a PIN after they receive the policy.

For more information, refer to [How to Deploy the MBAM Client as Part of a Windows Deployment](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25).
For more information, see [How to Deploy the MBAM Client as Part of a Windows Deployment](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25).

#### How to deploy the MBAM Client by using a command line

For more information refer to [How to Deploy the MBAM Client by Using a Command Line](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line).
For more information see [How to Deploy the MBAM Client by Using a Command Line](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line).

#### Post-deployment of clients
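Review bot: the Important callout loses a comma it needs: "Do not change the Group Policy settings in the **BitLocker Drive Encryption** node or MBAM will not work correctly" now joins two independent clauses, so keep "node, or MBAM will not work correctly." Capitalization is inconsistent inside the rewritten paragraph under "Deploy the MBAM Client to desktop or portable computers": it says "deploy the MBAM client installation Windows Installer files" and, one sentence later, "provided together with the MBAM Client software"; the heading and the rest of the page use "MBAM Client". The "Copying" paragraph now says the GPOs "define MBAM implementation settings for BitLocker" while the paragraph above it was just changed to "BitLocker Drive Encryption"; pick one form for both.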
@ -547,50 +546,48 @@ Now that you have finished the deployment activity, you should review the follow
|
||||
|
||||
## FAQ
|
||||
|
||||
### How to create a Load balanced IIS servers?
|
||||
### How to create a Load balanced IIS servers
|
||||
|
||||
* SPN must be registered only to the friendly name (For example: bitlocker.corp.net), and must not be registered to individual IIS servers.
|
||||
* SPN must be registered only to the friendly name (for example: bitlocker.corp.net), and must not be registered to individual IIS servers.
|
||||
|
||||
* If certificate is used, certificate must have Subject Alternative Name field filled in with both FQDN and NetBIOS names for all IIS servers in the load balance group as well as the Friendly Name (ex: bitlocker.corp.net). Otherwise, the certificate will be reported as not trusted by the browser when browsing load balanced address.
|
||||
* If a certificate is used, the certificate must have both FQDN and NetBIOS names entered into the **Subject Alternative Name** field for all IIS servers in the load balance group and also as the Friendly Name (for example: bitlocker.corp.net). Otherwise, the certificate will be reported as not trusted by the browser when you browse load-balanced addresses.
|
||||
|
||||
For more information, see [IIS Network Load Balancing](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-high-availability#a-href-idbkmk-load-balanceaiis-network-load-balancing) and [Registering SPNs for the application pool account](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-how-to-secure-the-mbam-websites#registering-spns-for-the-application-pool-account).
|
||||
|
||||
### How to configure a certificate?
|
||||
### How to configure a certificate
|
||||
|
||||
* You’ll need two certificates. One certificate is used for SQL server, and the other is used for IIS. They need to be installed before starting MBAM installation.
|
||||
* You’ll have to have two certificates. One certificate is used for SQL server, and the other is used for IIS. They must be installed before starting MBAM installation.
|
||||
|
||||
* We recommend you use installer to add certificate to the IIS configuration instead of manually editing the web.config file.
|
||||
* We recommend that you use the installer to add the certificate to the IIS configuration instead of manually editing the web.config file.
|
||||
|
||||
* The certificate will not be accepted by the MBAM Configurator if the “Issued To” field on the certificate does not match the name of the server. When the issue occurs, temporarily create a Self-Signed certificate from IIS Console and use it to proceed with the configurator, which will ensure the Web Apps are installed for SSL and HTTPS. After that, the certificate can be changed to the one desired from IIS bindings for the MBAM Website.
|
||||
* The certificate will not be accepted by the MBAM Configurator if the “Issued To” field on the certificate does not match the name of the server. In this case, temporarily create a self-signed certificate from the IIS Console, and use it in the Configurator. This will make nsure that the Web Apps are installed for SSL and HTTPS. After that, you can change the certificate to one from IIS bindings for the MBAM Website.
|
||||
|
||||
### The SQL permissions requirement for installation.
|
||||
### The SQL permissions requirement for installation
|
||||
|
||||
Create an account for MBAM App Pool, and give it only SecurityAdmin, Public, and DBCreator permissions.
|
||||
|
||||
See [MBAM Database configuration – minimum permissions](https://blogs.technet.microsoft.com/dubaisec/2016/02/02/mbam-database-configuration-minimum-permissions/) for more information.
|
||||
|
||||
>[!Note]
|
||||
>* In some situations, more permissions are required for the initial install and upgrade operations.
|
||||
>* Use an account with temp SA for the installation.
|
||||
>* Launching the configurator in the context of a user account (Run As) that does not have enough permissions to make changes to SQL will result in install errors.
|
||||
>* You must be logged on as an account which has Permissions on SQL server. Only SQL Databases can be created or updated by runing MBAM Configurator remotely. For SSRS server, you must install MBAM and run configurator Locally to install or update the MBAM SSRS Reports.
|
||||
>* In some situations, more permissions are required for the initial installation and upgrade operations.
>* Use an account that has temporary SA for the installation.
>* Do not start the Configurator in the context of a user account (Run As) that does not have enough permissions to make changes to SQL Server because this will cause installation errors.
>* You must be logged on by using an account that has permissions on SQL Server. Only SQL Server databases can be created or updated by running MBAM Configurator remotely. For SSRS server, you must install MBAM and run Configurator locally to install or update the MBAM SSRS reports.
### The permission required for SPN Registration.
### The permission required for SPN Registration
Account used for IIS portal installation needs to have Write ServicePrincipalName and Write validated SPN permissions.
Without these permissions, the installation will warn that it cannot register the SPN.
An account that's used for IIS portal installation must have Write ServicePrincipalName and Write Validated SPN permissions. Without these permissions, the installation will return a warning message that states that it cannot register the SPN.
>[!Note]
>You will receive warning messages twice. That does not mean that the SPN needs two objects registered to it.
>You will this receive warning message two times. This does not mean that the SPN must have two objects registered to it.
For more information, see [MBAM Setup fails with “Register SPN Deferred” error message](https://support.microsoft.com/help/2754138/).
### Did I need to update the ADMX templates to the latest version?
### Did I have to update the ADMX templates to the latest version?
You'll see multiple OS options in the MBAM root node for GPO after update the ADMX templates to the latest version. For example, Windows 7, Windows 8.1, Windows 10 version 1511 and later versions.
You'll see multiple OS options in the MBAM root node for GPO after you update the ADMX templates to their latest versions. For example, Windows 7, Windows 8.1, and Windows 10, version 1511 and later versions.
For more information on how to update the ADMX templates, see the following articles.
For more information about how to update the ADMX templates, see the following articles:
* [How to Download and Deploy MDOP Group Policy (.admx) Templates](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates)
* [Planning for MBAM 2.5 Group Policy Requirements](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements)
* [Microsoft Desktop Optimization Pack Group Policy Administrative Templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531)
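Review bot: the rewritten certificate note introduces a typo: "This will make nsure that the Web Apps are installed for SSL and HTTPS" should read "This will ensure that the Web Apps are installed for SSL and HTTPS". In the same hunk, the FAQ heading "Did I have to update the ADMX templates to the latest version?" reads as past tense while the answer is present tense; "Do I have to update the ADMX templates to the latest version?" fits the answer that follows.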
@ -12,11 +12,11 @@ ms.date: 09/16/2019
# Troubleshooting MBAM 2.5 installation problems
This article introduces how to troubleshoot Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 installation issues in a stand-alone configuration.
This article introduces how to troubleshoot Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 installation issues in a standalone configuration.
## Referring MBAM log files for troubleshooting purpose
## Referring MBAM log files for troubleshooting
MBAM includes logging for server installation, client installation, and events. This logging should be referred to for troubleshooting purpose.
MBAM includes logging for server installation, client installation, and events. This logging should be referred to for troubleshooting.
### MBAM server installation log files
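Review bot: the new heading "Referring MBAM log files for troubleshooting" still lacks its preposition; "Referring to MBAM log files for troubleshooting" (or "Using MBAM log files for troubleshooting") reads correctly and matches the body sentence "This logging should be referred to for troubleshooting."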
@ -28,13 +28,13 @@ MBAMServerSetup.exe logs additional actions that were taken during installation.
### MBAM client installation log file
The client installation log consists of the following log file, which is in the %temp% folder (or a custom location, depending on how the client was installed): <br />**MSI\<five random characters\>.log**
The client installation is recorded in the following log file in the %temp% folder (or a custom location, depending on how the client was installed): <br />**MSI\<five random characters\>.log**
This log contains the actions that are taken during MBAM client installation.
### MBAM client event-logging channel
MBAM has separate event-logging channels. The Admin, Analytical, and Operational log files are located in Event Viewer, under **Application and Services Logs** -> **Microsoft** -> **Windows** -> **MBAM**.
MBAM has separate event-logging channels. The Admin, Analytical, and Operational log files are located in Event Viewer, under **Application and Services Logs** > **Microsoft** > **Windows** > **MBAM**.
The following table provides a brief description of each event log.
@ -46,7 +46,7 @@ The following table provides a brief description of each event log.
### MBAM server event-logging channel
The log files are located in Event Viewer, under **Application and Services Logs** -> **Microsoft** -> **Windows** -> **MBAM**. The following table includes server event logs that were introduced with MBAM 2.5:
The log files are located in Event Viewer, under **Application and Services Logs** > **Microsoft** > **Windows** > **MBAM**. The following table includes server event logs that were introduced in MBAM 2.5:
|Event log| Description|
|--------|-------------|
@ -56,7 +56,7 @@ The log files are located in Event Viewer, under **Application and Services Logs
### MBAM web service logs
Each MBAM web service log writes logging information in an SVCLOG file. By default, each web service writes the trace file under a folder that uses its name in the C:\inetpub\Microsoft BitLocker Management Solution\Logs folder.
Each MBAM web service log writes logging information to an SVCLOG file. By default, each web service writes the trace file under a folder that uses its name in the C:\inetpub\Microsoft BitLocker Management Solution\Logs folder.
You can use the service trace viewer tool (part of Microsoft Visual Studio) to review the svclog traces.
@ -71,27 +71,27 @@ Determine whether the MBAM agent is installed on the client computer. When MBAM
Make sure that MBAM Group Policy settings are applied on the client computer. The following registry subkey is created if the Group Policy settings were applied on the client computer:
**HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement**
Verify that this key exists and is populated with values as per Group Policy settings.
Verify that this key exists and is populated by using values per Group Policy settings.
### MBAM Agent in the initial delay period
The MBAM client doesn't start the operation immediately after installation. There is an initial random delay of 1minute to 18 minutes before the MBAM Agent starts its operation. In addition to the initial delay, there is a delay of at least 90 minutes. (The delay depends on the Group Policy settings that are configured for client checking status frequency.) Therefore, the total delay before a client starts operation is *random startup delay* + *client checking frequency delay*.
The MBAM client doesn't start the operation immediately after installation. There is an initial random delay of 1–18 minutes before the MBAM Agent starts its operation. In addition to the initial delay, there is a delay of at least 90 minutes. (The delay depends on the Group Policy settings that are configured for the frequency of checking the client status.) Therefore, the total delay before a client starts operation is *random startup delay* + *client checking frequency delay*.
If the Operational and Admin event logs are blank, the client has not started the operation yet and is in the delay period that was mentioned earlier. If you want to bypass the delay, follow these steps:
1. Stop the BitLocker Management Client Service service.
2. Create the registry value NoStartupDelay of type REG_DWORD under the **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM** registry subkey, and set it to **1**.
2. Under the **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM** registry subkey, create the **NoStartupDelay** registry value, set its type to **REG_DWORD**, and then set its value to **1**.
3. Set the ClientWakeupFrequency and StatusReportingFrequency values under **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement** to **1**. These two values will change to their original settings after Group Policy updates are on the computer.
3. Under **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement**, set the **ClientWakeupFrequency** and **StatusReportingFrequency** values to **1**. These values will revert to their original settings after Group Policy updates are on the computer.
4. Start the BitLocker Management Client Service service.
If, after the service starts, you log in locally on the computer and there are no errors, you should receive a request to encrypt the computer in a minute. If you do not receive a request, you should review the MBAM Admin logs for any error messages.
After the service starts, if you log in locally on the computer and there are no errors, you should receive a request to encrypt the computer within one minute. If you do not receive a request, you should review the MBAM Admin logs for any error entries.
### Computer does not have a TPM device, or the TPM device is not enabled in the BIOS
Review the MBAM Admin event log. You will see an event message that resembles the following in the MBAM Admin event log:
Review the MBAM Admin event log. You will see an event entry that resembles the following in the MBAM Admin event log:
Log Name: Microsoft-Windows-MBAM/Admin
Source: Microsoft-Windows-MBAM
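Review bot: the rewrite "Verify that this key exists and is populated by using values per Group Policy settings" is less clear than the line it replaces; suggest "Verify that this key exists and is populated with the values that the Group Policy settings define." The rest of the hunk (the 1–18 minute range, the NoStartupDelay and frequency steps) reads well.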
@ -106,7 +106,7 @@ Review the MBAM Admin event log. You will see an event message that resembles th
The TPM hardware is missing.
TPM is needed to encrypt the operating system drive with any TPM protector.
Open TPM Management (tpm.msc), and check whether the computer has a TPM device. If tpm.msc does not show a device, open Device Manager (devmgmt.msc), and check for a Trusted Platform Module under Security Devices. If you do not see a Trusted Platform Module device, this might be due to one of the following reasons:
Open TPM Management (tpm.msc), and check whether the computer has a TPM device. If tpm.msc does not show a device, open Device Manager (devmgmt.msc), and check for a Trusted Platform Module under Security Devices. If you do not see a Trusted Platform Module device, this might be true for one of the following reasons:
* Your system doesn't have a Trusted Platform Module (TPM/Security) device.
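Review bot: "this might be true for one of the following reasons" is awkward; the original "this might be due to one of the following reasons" (or "this can happen for one of the following reasons") is clearer and should be kept.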
@ -120,7 +120,7 @@ If the TPM device is not using the C:\Windows\System32\tpm.sys driver, you shoul
### Computer does not have a valid SYSTEM partition
Review the MBAM Admin event log. You will see an event message that resembles the following in the MBAM Admin event log:
Review the MBAM Admin event log. You will see an event entry that resembles the following in the MBAM Admin event log:
Log Name: Microsoft-Windows-MBAM/Admin
Source: Microsoft-Windows-MBAM
@ -139,17 +139,17 @@ BitLocker requires a SYSTEM partition to enable encryption ([BitLocker Drive Enc
MBAM doesn't create the system partition automatically. You can use the BitLocker drive preparation utility (bdehdcfg.exe) to create the system partition and move the required startup files.
For example, you can use the command %windir%\system32\bdeHdCfg.exe -target default -size 300 –quiet to prepare the drive silently before you deploy MBAM to encrypt the drives. This requires a restart. You can also script the action if this is required. The following document describes the BitLocker Drive Preparation Tool:
For example, you can use the command **%windir%\system32\bdeHdCfg.exe -target default -size 300 –quiet** to prepare the drive silently before you deploy MBAM to encrypt the drives. This requires a restart. You can also script the action if this is required. The following document describes the BitLocker Drive Preparation Tool:
[Description of the BitLocker Drive Preparation Tool](https://support.microsoft.com/help/933246)
### Drives are not formatted with a compatible file system
### Drives are not formatted to have a compatible file system
Refer to the [TechNet article for file system requirements for BitLocker](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee449438(v=ws.10)?redirectedfrom=MSDN#bkmk_hsrequirements).
See the [TechNet article for file system requirements for BitLocker](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee449438(v=ws.10)?redirectedfrom=MSDN#bkmk_hsrequirements).
### Group Policy conflict
You will see an event message that resembles the following in the MBAM Admin event log:
You will see an event entry that resembles the following in the MBAM Admin event log:
Log Name: Microsoft-Windows-MBAM/Admin
Source: Microsoft-Windows-MBAM
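Review bot: the bdeHdCfg.exe command in this hunk is now bold text but still carries an en dash in "–quiet"; because readers will copy it, put it in inline code with a plain hyphen: `%windir%\system32\bdeHdCfg.exe -target default -size 300 -quiet`. Also, the new heading "Drives are not formatted to have a compatible file system" is less natural than the original "Drives are not formatted with a compatible file system".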
@ -170,15 +170,15 @@ You should configure Group Policy by using the MDOP MBAM template and not the Bi
For example:
Under Operating system drive encryption settings, you selected TPM as protector, and you also selected Allow enhanced PINs for startup. This is a conflicting setting because TPM-only protection doesn't require a PIN. Therefore, you should disable the enhanced PINs setting.
Under Operating system drive encryption settings, you selected TPM as the protector, and you also selected **Allow enhanced PINs for startup**. These are conflicting settings because TPM-only protection doesn't require a PIN. Therefore, you should disable the enhanced PINs setting.
### User may have requested an exemption
If you enabled the Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)\Client Management\Configure user exemption policy Group Policy setting, users will be offered a choice to request an exemption.
If you enabled the Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)\Client Management\Configure user exemption policy Group Policy setting, users will be offered the option to request an exemption.
By default, if the user requests an exemption, it will be valid for 7 days, and the user will not receive prompts to encrypt during this period. (The default value can be increased or decreased during policy configuration.) After the exemption period is over, the user is prompted to encrypt.
By default, if the user requests an exemption, the exemption will be valid for 7 days, and the user will not receive prompts to encrypt during this period. (The default value can be increased or decreased during policy configuration.) After the exemption period is over, the user is prompted to encrypt.
You will see the following message in the MBAM Admin event log when a computer is under user exemption.
You will see the following entry in the MBAM Admin event log when a computer is under user exemption:
Log Name: Microsoft-Windows-MBAM/Admin
Source: Microsoft-Windows-MBAM
@ -192,21 +192,21 @@ You will see the following message in the MBAM Admin event log when a computer i
Description:
The user is exempt from encryption.
If you want to manually override for a computer that is under user exemption, follow these steps:
If you want to manually override user exemption for a computer, follow these steps:
1. Set the AllowUserExemption value to 0 under the following registry subkey: <br />
1. Set the AllowUserExemption value to **0** under the following registry subkey: <br />
**HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement**
2. Delete all the registry values under the following registry subkey except for AgentVersion, EncodedComputerName, and Installed:<br />
2. Delete all the registry values under the following registry subkey except for **AgentVersion**, **EncodedComputerName**, and **Installed**:<br />
**HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM**
**Note** You must restart the MBAM agent for changes to take effect.
**Note** You must restart the MBAM agent for the changes to take effect.
Be aware that after you apply Group Policy to the computer, these values may change back to their original settings.
Be aware that after you apply Group Policy to the computer, these values may revert to their original settings.
### WMI issue
MBAM uses methods of the win32_encryptablevolume class for managing of BitLocker. If this module is unregistered or corrupted, the MBAM client will not operate correctly, and you will see the following event message in the MBAM Admin event log:
MBAM uses methods of the win32_encryptablevolume class to manage BitLocker. If this module is unregistered or corrupted, the MBAM client will not operate correctly, and you will see the following event entry in the MBAM Admin event log:
Log Name: Microsoft-Windows-MBAM/Admin
Source: Microsoft-Windows-MBAM
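Review bot: the line "**Note** You must restart the MBAM agent for the changes to take effect." keeps a bold-prefix note while the rest of the article uses the `>[!Note]` callout; converting it to the same callout keeps the note style consistent across the page.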
@ -224,9 +224,9 @@ MBAM uses methods of the win32_encryptablevolume class for managing of BitLocker
Details:
NULL
Additionally, you may notice that the Recovery and Hardware policies do not apply with Error Code 0x8007007e. This translates to The specified module could not be found.
Additionally, you may notice that the Recovery and Hardware policies do not apply with Error Code 0x8007007e. This translates to "The specified module could not be found."
To resolve this issue, you should reregister the win32_encryptablevolume class by using the following command:
To resolve this issue, you should reregister the **win32_encryptablevolume** class by using the following command:
```cmd
mofcomp c:\Windows\System32\wbem\win32_encryptablevolume.mof
@ -238,7 +238,7 @@ This section contains troubleshooting information for the following issues that
### Incorrect MBAM service URL
If the value of MBAM Compliance Status Service or Recovery and Hardware Service is incorrect, you'll see an event message that resembles the following in the MBAM Admin event log on the client computer:
If the value of MBAM Compliance Status Service or Recovery and Hardware Service is incorrect, you'll see an event entry that resembles the following in the MBAM Admin event log on the client computer:
Log Name: Microsoft-Windows-MBAM/Admin
Source: Microsoft-Windows-MBAM
@ -304,7 +304,7 @@ If the value of MBAM Compliance Status Service or Recovery and Hardware Service
Details:
The endpoint address URL is invalid.
Verify the values of KeyRecoveryServiceEndPoint and StatusReportingServiceEndpoint under the following registry subkey on the client computer: <br />
Verify the values of **KeyRecoveryServiceEndPoint** and **StatusReportingServiceEndpoint** under the following registry subkey on the client computer: <br />
**HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement**
By default, the URL for KeyRecoveryServiceEndPoint (MBAM Recovery and Hardware service endpoint) is in the following format: <br />
@ -318,11 +318,11 @@ By default, the URL for StatusReportingServiceEndpoint (MBAM Status reporting se
If the service URL is incorrect, you should correct the service URL in the following Group Policy setting:
**Computer configuration** -> **Policies** -> **Administrative Templates** -> **Windows Components** -> **MDOP MBAM (BitLocker Management)** -> **Client Management** -> **Configure MBAM Services**
**Computer configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDOP MBAM (BitLocker Management)** > **Client Management** > **Configure MBAM Services**
### Connectivity issue with the MBAM administration server
### Connectivity issue that affects the MBAM administration server
The MBAM agent will be unable to post any updates to the database if there are connectivity issues between the client agent and the MBAM administration server. In this case, you will notice connectivity failure messages in the MBAM Admin event log on the client computer:
The MBAM agent will be unable to post any updates to the database if connectivity issues exist between the client agent and the MBAM administration server. In this case, you will notice connectivity failure entries in the MBAM Admin event log on the client computer:
Log Name: Microsoft-Windows-MBAM/Admin
Source: Microsoft-Windows-MBAM
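Review bot: the new heading "Connectivity issue that affects the MBAM administration server" shifts the meaning; the section describes connectivity between the client agent and the server, so "Connectivity issue between the MBAM client and the administration server" (or the original "Connectivity issue with the MBAM administration server") matches the body better.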
@ -376,7 +376,7 @@ The MBAM agent will be unable to post any updates to the database if there are c
Basic checks:
* Verify basic connectivity by pinging the MBAM administration server by name and IP. Check whether you can connect to the MBAM administration website/service port by using telnet/portqry.
* Verify basic connectivity by pinging the MBAM administration server by name and IP. Check whether you can connect to the MBAM administration website or service port by using telnet or portqry.
* Verify that the IIS service is running on the MBAM administration and monitoring server and that the MBAM web service is listening on the same port that is configured on the MBAM client computer (`netstat –ano | find "portnumber"`).
@ -386,7 +386,7 @@ Basic checks:
* If the communication between client and server is secure, make sure that you are using a valid SSL certificate.
* Verify network connectivity between the web server and the database server to which the data is sent for insertion. You may check database connectivity from the web server to the database server by using ODBC Data Source Administrator. Detailed SQL connection troubleshooting information is available in [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).
* Verify network connectivity between the web server and the database server to which the data is sent for insertion. You can check database connectivity from the web server to the database server by using ODBC Data Source Administrator. Detailed SQL Server connection troubleshooting information is available in [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).
#### Troubleshooting the connectivity issue
@ -395,18 +395,18 @@ Make sure that the service URL that is configured on the client is correct. Copy
Similarly, copy the value of the URL for StatusReportingServiceEndpoint (**HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement**), and open it in Internet Explorer.
>[!Note]
>If you cannot browse to the URL from the client computer, you should test basic network connectivity from the client to the server that is running IIS. Refer to points 1, 2, 3, and 4 in the previous section.
>If you cannot browse to the URL from the client computer, you should test basic network connectivity from the client to the server that is running IIS. See points 1, 2, 3, and 4 in the previous section.
In addition, review the Application logs on the administration and monitoring server for any errors.
Additionally, review the Application logs on the administration and monitoring server for any errors.
You may make a concurrent network trace between the client and the server and review the trace to determine the cause of connection failure between the client agent and the MBAM administration server.
You can make a concurrent network trace between the client and the server, and review the trace to determine the cause of connection failure between the client agent and the MBAM administration server.
>[!Note]
>If you can browse to the service URLs from the client computer and there are connectivity errors in the MBAM admin event logs, this might be due to a connectivity failure between the administration server and the database server.
>If you can browse to the service URLs from the client computer and there are connectivity error entries in the MBAM admin event logs, this might be because of a connectivity failure between the administration server and the database server.
If you can successfully browse to both service URLs, connectivity between the client and the server that is running, IIS is working. However, there may be a problem in communication between the server that is running IIS and the database server.
If you can successfully browse to both service URLs, connectivity between the client and the server that is running, and IIS is working. However, there may be a problem in communication between the server that is running IIS and the database server.
The MBAM services may be unable to connect to the database server because of a network issue or an incorrect database connection string setting.Review the Application logs on the administration and monitoring server. You might see errors or warnings from source ASP.NET 2.0.50727.0 that resemble the following log:
The MBAM services may be unable to connect to the database server because of a network issue or an incorrect database connection string setting. Review the Application logs on the administration and monitoring server. You might see errors entries or warnings from source ASP.NET 2.0.50727.0 that resemble the following log entry:
Log Name: Application
Source: ASP.NET 2.0.50727.0
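Review bot: the rewritten sentence "connectivity between the client and the server that is running, and IIS is working" changes the meaning of the original; the fix is to drop the misplaced comma rather than add a conjunction: "connectivity between the client and the server that is running IIS is working." Two lines later, "You might see errors entries or warnings" should be "You might see error entries or warnings". The note that refers to "points 1, 2, 3, and 4 in the previous section" also points at a bulleted list, so "the checks in the previous section" would be more accurate.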
@ -494,13 +494,13 @@ The administrator may have specified an invalid database instance name/database
You can verify and correct the database connection strings by using the IIS Management console. To do this, open IIS Manager, and browse to Microsoft BitLocker Administration and Monitoring. For each service that is listed on the left side, follow these steps to change the database connection strings:
1. In **Features View**, double-click **Connection Strings**.
1. In **Features View**, double-select **Connection Strings**.
2. On the **Connection Strings** page, select the connection string that you want to change.
3. In the **Actions** pane, click **Edit**.
3. In the **Actions** pane, select **Edit**.
4. In the **Edit Connection String** dialog box, change the properties that you want to change, and then click **OK**.
4. In the **Edit Connection String** dialog box, change the properties that you want to change, and then select **OK**.
##### Cause 2
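Review bot: "double-select **Connection Strings**" is not a recognized UI verb; keep "double-click" for this step even though the single-action "click" instances in the same hunk become "select".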
@ -536,7 +536,7 @@ If no events are logged in the Application logs on the MBAM administration serve
You should primarily investigate the service trace logs of RecoveryandHardwareService and ComplianceStatusService. By default, web service logs are located in the C:\inetpub\Microsoft BitLocker Management Solution\Logs folder. There, each service writes its .svclog file under its own folder.
Review the activity in the service trace log for any errors or warnings. By default, error messages are highlighted in red. Click the error description on the right pane of the trace viewer to view detailed information about the error message. A sample error that was copied from the trace log follows:
Review the activity in the service trace log for any error or warning entries. By default, error entries are highlighted in red. Select the error description on the right pane of the trace viewer to view detailed information about the error entry. The following is a sample error entry from the trace log:
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
@ -557,7 +557,7 @@ Review the activity in the service trace log for any errors or warnings. By defa
## Re-installation or reconfiguration of MBAM infrastructure
To re-install or re-configure MBAM infrastructure, you must know the following things:
To re-install or reconfigure MBAM infrastructure, you must know the following things:
* Application Pool account
@ -581,27 +581,27 @@ The Service Principal Name (SPN) must be set in this account. This setting is ve

This provides information such as Helpdesk Group, Advanced Helpdesk Group, Report Users group, and MBAM Reports URL. The MBAM Reports URL, which must be provided in the MBAM setup, should be: http(s)://servername/ReportServer.
This provides information such as Helpdesk Group, Advanced Helpdesk Group, Report Users group, and MBAM Reports URL. The MBAM Reports URL must be provided in the MBAM setup and should read as: http(s)://servername/ReportServer.
### SQL Server name and database (DB) names
To find the SQL Server names and instances that are hosting the MBAM DBs, log on to the MBAM Web (IIS) server and browse to this Registry subkey:
To find the SQL Server names and instances that are hosting the MBAM DBs, log on to the MBAM Web (IIS) server, and browse to the folowing registry subkey:
**HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web**

The highlighted portions are connection strings, which should have the SQL Server name, database names, and instances (if named).
The highlighted portions are connection strings. These should have the SQL Server name, database names, and instances (if named).
### MBAM ReadWrite and ReadOnly accounts
This information will be in the SQL Server, which we already found the name of from the web server.
This information will be in the SQL Server database, for which we already found the name from the web server.
#### ReadWrite account
1. Log in to the SQL Management Studio.
2. Right-click **MBAM Recovery and Hardware**, click **Properties**, and then click **Permissions**.
2. Right-click **MBAM Recovery and Hardware**, select **Properties**, and then select **Permissions**.
For example, The name of account in the lab is **MBAMWrite**. The Application Pool and ReadWrite account are set to be the same.
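Review bot: the new line "browse to the folowing registry subkey" introduces a typo ("following"). In the same hunk, "This information will be in the SQL Server database, for which we already found the name from the web server" is still clumsy; "This information is stored on the SQL Server instance whose name we found on the web server" says what the registry step actually established.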
@ -609,25 +609,25 @@ For example, The name of account in the lab is **MBAMWrite**. The Application Po

Browse to Security and then Logins in the SQL Management Studio. Browse to the account that is noted in previous screenshot.
Browse to **Security** and then **Logins** in SQL Management Studio. Browse to the account that is shown in the previous screenshot.

Right-click the accounts, go to Properties User Mapping, and locate the MBAM Recovery and Hardware database:
Right-click the accounts, go to **Properties User Mapping**, and locate the MBAM Recovery and Hardware database:

#### ReadOnly account
Open SQL Server Reporting Services Configuration Manager on the SSRS Server. Click **Report Manager URL**, and then browse the **URLs**:
Open SQL Server Reporting Services Configuration Manager on the SSRS Server. Select **Report Manager URL**, and then browse the **URLs**:

Click **Microsoft Bitlocker Administration and Monitoring**:
Select **Microsoft Bitlocker Administration and Monitoring**:

Click **MaltaDatasource**:
Select **MaltaDatasource**:

@ -639,6 +639,6 @@ MaltaDataSource should have the ReadOnly Account name and should be used in MBAM
For more information, see the following articles.
[Deploying MBAM 2.5 in a stand-alone configuration](https://support.microsoft.com/help/3046555)
[Deploying MBAM 2.5 in a standalone configuration](https://support.microsoft.com/help/3046555)
[Microsoft BitLocker Administration and Monitoring 2.5](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/)