diff --git a/mdop/mbam-v25/deploy-mbam.md b/mdop/mbam-v25/deploy-mbam.md new file mode 100644 index 0000000000..fbfb264e67 --- /dev/null +++ b/mdop/mbam-v25/deploy-mbam.md 
@@ -0,0 +1,584 @@ +# Deploying MBAM 2.5 in a stand-alone configuration + +This article provides step-by-step instructions for installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 in a stand-alone configuration. In this guide we will use a two-server configuration. One of the two servers will be a database server that is running Microsoft SQL Server 2012. This server will host the MBAM databases and reports. The additional server will be a Windows Server 2012 web server and will host "Administration and Monitoring Server" and "Self-Service Portal." + +## Preparation steps before installing MBAM 2.5 server software + +### Step 1: Installation and configuration of servers + +Before we start to configure MBAM 2.5, we have to make sure that we have both servers configured as per MBAM system requirements. Refer to the [MBAM minimum system requirements](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-supported-configurations#-mbam-server-system-requirements) and select a configuration that meets these requirements. + +#### Step 1.1: Deploying prerequisites for database and reporting server + +1. Install and configure a server with Windows Server 2008 R2 or a later operating system. + +2. Install Windows PowerShell 3.0. + +3. Install Microsoft SQL Server 2008 R2 or a later version with the latest service pack. If you are installing a new instance of SQL Server for MBAM, make sure that you Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation. You’ll have to install the following SQL Server features: + + * Database Engine + * Reporting Services + * Client Tools Connectivity + * Management Tools – Complete + + >[!Note] + >Optionally, you may also install the [Transparent Data Encryption (TDE) feature in SQL Server](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-security-considerations). 
+ + SQL Server Reporting Services must be installed and configured in "native" mode and not in unconfigured or "SharePoint" mode. + + ![The required SQL Server features](images/deploying-MBAM-1.png) + +4. If you plan to use SSL for the Administration and Monitoring website, make that you configure SQL Server Reporting Services (SSRS) to use the Secure Sockets Layer (SSL) protocol before you configure the Administration and Monitoring website. Otherwise, the Reports feature will use HTTP instead of HTTPS. + + You may follow Configure SSL Connections on a Native Mode Report Server to configure SSL on Report Server. + + >[!Note] + >You may follow the SQL Server Installation Guide for your respective version of SQL Server to install SQL Server. Links are as follows: + >* [SQL Server 2014](https://docs.microsoft.com/sql/sql-server/install/planning-a-sql-server-installation?view=sql-server-2014) + >* [SQL Server 2012](https://docs.microsoft.com/previous-versions/sql/sql-server-2012/bb500442(v=sql.110)) + >* [SQL Server 2008 R2](https://docs.microsoft.com/previous-versions/sql/sql-server-2012/bb500442(v=sql.110)) + +5. In the post-installation of SQL Server, make sure that you provision the user account in SQL Server and assign the following permissions to the user who will configure the MBAM database and reporting roles on the database server: + + Roles for the instance of SQL Server: + + * dbcreator + * processadmin + + Rights for the instance of SQL Server Reporting Services: + + * Create Folders + * Publish Reports + +Your database server is ready for configuration of MBAM 2.5 roles. Let’s move to the next server. + +#### Step 1.2: Deploying prerequisites for administration and monitoring server + +Choose a server that meets the hardware configuration as explained in the [MBAM system requirements document](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-supported-configurations#-mbam-server-system-requirements). 
It must be running Windows Server 2008 R2 or a later operating system together with latest service pack and updates. After the server is ready, install the following roles and features: + +##### Roles + +* Web Server (IIS) Management Tools (Click IIS Management Scripts and Tools.) + +* Web Server Role Services + + * Common HTTP features
+ Static Content
+ Default Document + + * Application development
+ ASP.NET
+ .NET Extensibility
+ ISAPI Extensions
+ ISAPI Filters
+ Security
+ Windows Authentication
+ Request Filtering + + * Web Service IIS Management Tools + +##### Feature + +* .NET Framework 4.5 features + + * The Microsoft .NET Framework 4.5 + + For Windows Server 2012 or Windows Server 2012 R2, the .NET Framework 4.5 is already installed for these versions of Windows Server. However, you must enable it. + + For Windows Server 2008 R2, the .NET Framework 4.5 is not included with Windows Server 2008 R2. So, you must download the .NET Framework 4.5 and install it separately. + + * WCF Activation
+ HTTP Activation
+ Non-HTTP Activation + + * TCP Activation + + * Windows Process Activation Service:
+ Process Model
+ .NET Framework Environment
+ Configuration APIs + +For the self-service portal to work, you should also [download and install ASP.NET MVC 4.0](http://go.microsoft.com/fwlink/?linkid=392271). + +The next step is to create the required MBAM users and groups in Active Directory. + +### Step 2: Creating users and groups in Active Directory Domain Services + +As part of the prerequisites, you must define certain roles and accounts that are used in MBAM to provide security and access rights to specific servers and features, such as the databases that are running on the instance of SQL Server and the web applications that are running on the Administration and Monitoring Server. + +Create the following groups and users in Active Directory. (You can use any name for the groups and users.) Users do not have to have greater user rights. A domain user account is good enough. You’ll have to specify the name of these groups during configuration of MBAM 2.5: + +* **MBAMAppPool** + + **Type**: Domain User + + **Description**: Domain user who has read/write permission to the Compliance and Audit Database and the Recovery Database to enable the web applications to access the data and reports in these databases. It will also be used by the application pool for the web applications. + + **Account Roles (During Configuration of MBAM)**: + + 1. Web service application pool domain account + + 2. Compliance and Audit Database and Recovery Database read/write user for reports + +* **MBAMROUser** + + **Type**: Domain User + + **Description**: Domain user who will have read-only access to the Compliance and Audit Database to enable the reports to access the compliance and audit data in this database. It will also be the domain user account that the local SQL Server Reporting Services instance uses to access the Compliance and Audit Database. + + **Account Roles (During Configuration of MBAM)**: + + 1. Compliance and Audit Database read-only user for reports + + 2. 
Compliance and Audit Database domain user account + +* **MBAMAdvHelpDsk** + + **Type**: Domain Group + + **Description**: MBAM Advanced Helpdesk Users access group: Domain user group whose members have access to all areas of the Administration and Monitoring Website. Users who have this role have to enter only the recovery key, and not the end-user’s domain and user name, when they are helping end-users recover their drives. If a user is a member of both the MBAM Helpdesk Users group and the MBAM Advanced Helpdesk Users group, the MBAM Advanced Helpdesk Users group permissions override the MBAM Helpdesk Group permissions. + + **Account Roles (During Configuration of MBAM)**: MBAM Advanced Helpdesk Users + +* **MBAMHelpDsk** + + **Type**: Domain Group + + **Description**: MBAM Helpdesk Users access group: Domain user group whose members have access to the Manage TPM and Drive Recovery areas of the MBAM Administration and Monitoring Website. People who have this role must fill in all fields when they use either option. This includes the end-user’s domain and account name. + + **Account Roles (During Configuration of MBAM)**: MBAM Helpdesk Users + +* **MBAMRUGrp** + + **Type**: Domain Group + + **Description**: Domain user group whose members have read-only access to the reports in the Reports area of the Administration and Monitoring Website. + + **Account Roles (During Configuration of MBAM)**: + + 1. Reports read-only domain access group + + 2. MBAM Report Users access group + +### Step 3 (Optional): Configure and install SSL certificate on administration and monitoring server + +Although it’s optional, we highly recommend that you use a certificate to help secure the communication between the MBAM Client and the Administration and Monitoring Website and the Self-Service Portal websites. We do not recommend that you use self-signed certificates because of obvious security reasons. 
We suggest that you use a Web Server Type Certificate from a trusted Certification Authority. To do this, you can refer the "Using Certificate Approved by Certificate Authority" section from [KB 2754259](https://support.microsoft.com/help/2754259). + +After the certificate is issued, you should add the certificate to the personal store of the Administration and Monitoring Server. To add the certificate, open the Certificates store on the local computer. To do this, follow these steps: + +1. Right-click Start, and then click Run. + + ![Select ](images/deploying-MBAM-2.png) + +2. Type "MMC.EXE" (without the quotation marks), and then click **OK**. + + ![Run box](images/deploying-MBAM-3.png) + +3. Click **File** in the new MMC that you opened, and then click **Add/Remove Snap-in**. + + ![Select](images/deploying-MBAM-4.png) + +4. Highlight the **Certificates** snap-in, and then click **Add**. + + ![Add or Remove Snap-ins window](images/deploying-MBAM-5.png) + +5. Select the **Computer account** option, and then click **Next**. + + ![Certificates snap-in window](images/deploying-MBAM-6.png) + +6. Select **Local Computer** on the next screen, and then click **Finish**. + + ![Select Computer window](images/deploying-MBAM-7.png) + +7. You have now added the Certificates snap-in. This will enable you to work with any certificates in your computer's certificate store. + + ![Add or Remove Snap-ins window](images/deploying-MBAM-8.png) + +8. Import the web server certificate into your computer's certificate store. + + Now that you have access to the Certificates snap-in, you can import the web server certificate into your computer's certificate store. To do this, follows next steps. + +9. Open the Certificates (Local Computer) snap-in and browse to **Personal** and then **Certificates**. + + ![Certificates (Local Computer) snap-in window](images/deploying-MBAM-9.png) + + >[!Note] + >The Certificates snap-in may not be listed. If it is not, no certificates are installed. + +10. 
Right-click **Certificates**, select **All Tasks**, and then click **Import**. + + ![Certificates (Local Computer) snap-in window](images/deploying-MBAM-10.png) + +11. When the wizard starts, click **Next**. Browse to the file that you created that contains your server certificate and private key, and then click **Next**. + + ![Certificate Import Wizard window](images/deploying-MBAM-11.png) + +12. Enter the password if any you gave to the file when you created it. + + ![Enter password window](images/deploying-MBAM-12.png) + + >[!Note] + >Make sure that the Mark the key as exportable option is selected if you want to be able to export the key pair again from this computer. As an added security measure, you may want to leave this option unchecked to make sure that no one can make a backup of your private key. + +13. Click **Next**, and then select the **Certificate Store** to which you want to save the certificate. + + ![Certificate Import Wizard window](images/deploying-MBAM-13.png) + + >[!Note] + >You should select **Personal**, because it is a web server certificate. If you included the certificate in the certification hierarchy, it will also be added to this store. + +14. Click **Next**, and then click **Finish**. + + ![Certificate Import Wizard window](images/deploying-MBAM-14.png) + +You will now see the server certificate for your web server in the Personal Certificates list. It will be denoted by the common name of the server. (You can find this in the subject section of the certificate.) + +For further reference: + +[MBAM 2.5 Security Considerations](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-security-considerations) + +[Planning How to Secure the MBAM Websites](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/planning-how-to-secure-the-mbam-websites) + +The next step is to register a service principle name for the application pool account. 
+ +### Step 4: Configuring SSL certificate for MBAM Web Server + +If you are using SSL communication between the client and server, you should make sure that the certificate has Enhanced Key Usage OIDs (1.3.6.1.5.5.7.3.1) and (1.3.6.1.5.5.7.3.2). That is, you should make sure that Server Authentication and Client Authentication are added. + +If you receive a certificate error when you try to browse service URLs, you are using a certificate that was issued to a different name, or you are browsing by using an incorrect URL. + +Although the browser may prompt you with a certificate error message but let you continue, the MBAM web service will not ignore certificate errors and will block the connection. You will notice certificate-related errors in the MBAM client’s MBAM Admin event log. If you are using an alias to connect to the Administration and Monitoring server, you should issue a certificate to the alias name. That is, the subject name of the certificate should be the alias name, and the local server’s DNS name should be added to the Subject Alternative Name field of the certificate. + +Example: + +If the virtual name is "bitlocker.contoso.com" and the MBAM Administration and Monitoring server name is "adminserver.contoso.com," the certificate should be issued to bitlocker.contoso.com (subject name), and adminserver.contoso.com should be added to Subject Alternative Name field of the certificate. + +Similarly, if you have multiple Administration and Monitoring servers installed to balance the load by using a load balancer, you should issue the SSL certificate to the virtual name. That is, the subject name field of the certificate should have the virtual name, and the names of all the local servers should be added in the Subject Alternative Name field of the certificate. 
+ +Example: + +If the virtual name is "bitlocker.contoso.com" and the servers are "adminserver1.contoso.com" and "adminiserver2.contoso.com," the certificate should be issued to bitlocker.contoso.com (subject name) and adminserver1.contoso.com, and adminiserver2.contoso.com should be added to the Subject Alternative Name field of the certificate. + +The steps to configure SSL communication with MBAM are described in the following Knowledge Base article: [KB 2754259](https://support.microsoft.com/help/2754259). + +### Step 5: Register SPNS for the application pool account and configure constrained delegation + +>[!Note] +>Constrained delegation is required only for 2.5 and is not required for 2.5 Service Pack 1 and later. + +To enable the MBAM servers to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal, you must register a Service Principal Name (SPN) for the host name under the domain account that you are using for the web application pool. The following article contains step-by-step instructions on how to register SPNs: [Planning How to Secure the MBAM Websites](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/planning-how-to-secure-the-mbam-websites) + +After you have the SPN configured, you should set up constrained delegation on the SPN: + +1. Go to Active Directory, and find the app pool credentials that you configured for MBAM websites in the earlier steps. + +2. Right-click, and go to **properties**. + +3. Click the **delegation** tab. + +4. Click the option for Kerberos authentication. + +5. Click **browse**, and browse again for your app pool credentials. You should then see the all the SPNs set up on the app pool creds account. (The SPN should be something that resembles "http/bitlocker.fqdn.com"). Highlight the SPN that is the same as the host name that you specified during the MBAM installation. + +6. Click **OK**. + +Now you are good with prerequisites. 
In the next steps, you will install the MBAM software on the servers and configure it. + +## Installing and configuring MBAM 2.5 server software + +### Step 6: Install MBAM 2.5 server software + +To install the MBAM Server software by using the Microsoft BitLocker Administration and Monitoring Setup wizard both on Database Server and on Administration and Monitoring Server, follow these steps. + +1. On the server where you want to install MBAM, run MBAMserversetup.exe to start the Microsoft BitLocker Administration and Monitoring Setup wizard. + +2. On the Welcome page, click **Next**. + +3. Read and accept the Microsoft Software License Agreement, and then click **Next** to continue the installation. + +4. Decide whether to use Microsoft Update when you check for updates, and then click **Next**. + +5. Decide whether to participate in the Customer Experience Improvement Program, and then click **Next**. + +6. To start the installation, click **Install**. + +7. To configure the server features after the MBAM Server software finishes installing, select the **Run MBAM Server Configuration after the wizard closes** check box. Or, you can configure MBAM later by using the **MBAM Server Configuration** shortcut that the server installation creates on your **Start** menu. + +8. Click **Finish**. + +For more information, refer to [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software). + +### Step 7: Configure MBAM 2.5 database and reports role + +In this step, we will configure the MBAM 2.5 databases and reporting component by using the MBAM Wizard: + +1. Configure the Compliance and Audit Database and the Recovery Database by using the wizard: + + 1. On the server where you want to configure the databases, start the **MBAM Server Configuration wizard**. You can select **MBAM Server Configuration** on the **Start** menu to open the wizard. + + 2. 
Click **Add New Features**, select **Compliance and Audit Database**, **Recovery Database and Reports**, and then click **Next**. The wizard checks that all prerequisites for the databases are met. + + 3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Check prerequisites again**. + + 4. Using the following descriptions, enter the field values in the wizard: + +2. Compliance and audit database + + |Field |Description| + |-------|-------| + |SQL Server name |Name of the server where you are configuring the Compliance and Audit Database.
You must add an exception on the Compliance and Audit Database computer to enable incoming inbound traffic on the Microsoft SQL Server port. The default port number is 1433.| + |SQL Server database instance |Name of the database instance where the compliance and audit data will be stored. If you are using the default instance, you must leave this field blank. You must also specify where the database information will be located.| + |Database name |Name of the database that will store the compliance data. You must note the name of the database that you are specifying here because you will have to provide this information in later steps.| + |Read/write permission domain user or group |Specify the name of the MBAMAppPool user as configured in step 2.| + |Read-only access domain user or group |Specify the name of the MBAMROUser user as configured in step 2.| + +3. Recovery database. + + |Field |Description| + |-----|-----| + |SQL Server name |Name of the server where you are configuring the Recovery Database. You must add an exception on the Recovery Database computer to enable incoming inbound traffic on the Microsoft SQL Server port. The default port number is 1433.| + |SQL Server database instance |Name of the database instance where the recovery data will be stored. If you are using the default instance, you must leave this field blank. You must also specify where the database information will be located.| + |Database name |Name of the database that will store the recovery data.| + |Read/write permission domain user or group |Domain user or group that has read/write permission to this database to enable the web applications to access the data and reports in this database.
If you enter a user in this field, it must be the same value as the value in the **Web service application pool domain account** field on the **Configure Web Applications** page.
If you enter a group in this field, the value in the **Web service application pool domain account** field on the **Configure Web Applications** page must be a member of the group that you enter in this field.| + + When you finish your entries, click **Next**. The wizard checks that all prerequisites for the databases are met. + + If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Next** again. + +4. Reports. + + |Field |Description| + |----|----| + |SQL Server Reporting Services instance |Instance of SQL Server Reporting Services where the reports will be configured. If you are using the default instance, you must leave this field blank.| + |Reporting role domain group |Specify the name of the MBAMRUGrp as mentioned in step 2.| + |SQL Server name |Name of the server where the Compliance and Audit Database is configured.| + |SQL Server database instance |Name of the database instance where the compliance and audit data is configured. If you are using the default instance, you must leave this field blank.
You must add an exception on the Reports computer to enable incoming traffic on the port of the Reporting Server. (The default port is 80.)| + |Database name| Name of the Compliance and Audit Database. By default, the database name is MBAM Compliance Status.| + |Compliance and Audit Database domain account |Specify the name of the MBAMROUser user as configured in step 2.| + + When you finish your entries, click **Next**. The wizard checks that all prerequisites for the Reports feature are met. Click Next to continue. On the **Summary** page, review the features that will be added. + + For more information, refer to the following article: [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases). + +### Step 8: Configure the MBAM 2.5 Web applications role + +1. On the server where you want to configure the web applications, start the MBAM Server Configuration wizard. You can select **MBAM Server Configuration** on the **Start** menu to open the wizard. + +2. Click **Add New Features**, select **Administration and Monitoring Website** and **Self-Service Portal**, and then click **Next**. The wizard checks that all prerequisites for the databases are met. + +3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Check prerequisites again**. + +4. Use the following descriptions to enter the field values in the wizard. + + |Field |Description| + |-----|-----| + |Security certificate |Select a previously created certificate in step 3 to optionally encrypt the communication between the web services and the server on which you are configuring the Administration and Monitoring Website. If you select Do not use a certificate, your web communication may not be secure.| + |Host name |Name of the host computer where you are configuring the Administration and Monitoring Website.
It does not have to be the hostname of the machine, it could be anything. However, if the hostname is different than the netbios name of the computer, you have to create an A record and make sure the SPN uses the custom hostname, not the netbios name. This is common on load balancing scenarios.| + |Installation path |Path where you are installing the Administration and Monitoring Website.| + |Port |Port number to use for website communication.
You must set a firewall exception to enable communication through the specified port.| + |Web service application pool domain account and password |Specify the user account and password of the MBAMAppPool user as configured in step 2.
For improved security, set the account that is specified in the credentials to have limited user rights. Also, set the password of the account to never expire.| + +5. Verify that the built-in IIS_IUSRS account or the application pool account was added to the **Impersonate a client after authentication** and the **Log on as a batch job** local security settings. + + To check whether the account was added to the local security settings, open the **Local Security Policy editor**, expand the **Local Policies** node, click the **User Rights Assignment** node, and double-click **Impersonate a client after authentication** and **Log on as a batch job** policies in the right-side pane. + +6. Use the following field descriptions to configure the connection information in the wizard for the Compliance and Audit Database. + |Field |Description| + |------|------| + |SQL Server name |Name of the server where the Compliance and Audit Database is configured.| + |SQL Server database instance |Name of the instance of SQL Server (for example, \) where the Compliance and Audit Database is configured. Leave this blank if you are using the default instance.| + |Database name |Name of the Compliance and Audit Database. By default, it’s "MBAM Compliance Status".| + +7. Use the following field descriptions to configure the connection information in the wizard for the Recovery Database. + |Field |Description| + |----|----| + |SQL Server name |Name of the server where the Recovery Database is configured.| + |SQL Server database instance |Name of the instance of SQL Server (for example, \) where the Recovery Database is configured. Leave this blank if you are using default instance.| + |Database name |Name of the Recovery Database. By default, it’s "MBAM Recovery and Hardware".| + +8. Use the following descriptions to enter the field values in the wizard to configure the Administration and Monitoring Website. 
+ |Field |Description| + |----|----| + |Advanced Helpdesk role domain group |Specify the name of the MBAMAdvHelpDsk Group as configured in step 2.| + |Helpdesk role domain group |Specify the name of the MBAMHelpDsk Group as configured in step 2.| + |Use System Center Configuration Manager Integration |Click to clear this check box. | + |Reporting role domain group |Specify the name of the MBAMRUGrp Group as configured in step 2. | + |SQL Server Reporting Services URL |Specify the Web Service URL for the SSRS server where the MBAM reports are configured. You can find this information by logging in to Reporting Services Configuration Manager on the Database Server.
Example of a fully qualified domain name: https://MyReportServer.Contoso.com/ReportServer
Example of a custom host name: https://MyReportServer/ReportServer| + |Virtual directory |Virtual directory of the Administration and Monitoring Website. This name corresponds to the website’s physical directory on the server and is appended to the website’s host name. For example:
http(s)://*\*:*\*/HelpDesk/
If you do not specify a virtual directory, the value HelpDesk will be used. | + +9. Use the following description to enter the field values in the wizard to configure the Self-Service Portal. + + |Field |Description| + |----|----| + |Virtual directory |Virtual directory of the web application. This name corresponds to the website’s physical directory on the server and is appended to the website’s host name. For example:
http(s)://*\*:*\*/SelfService/
If you do not specify a virtual directory, the value SelfService will be used.| + +10. When you finish your entries, click **Next**. The wizard checks that all prerequisites for the web applications are met. + +11. Click **Next** to continue. + +12. On the **Summary** page, review the features that will be added. + +13. Click **Add** to add the web applications to the server, and then click **Close**. + +## Customizing and validating steps after installing MBAM 2.5 server software + +### Step 9: Customizing the self-server portal for your organization + +To customize the Self-Service Portal by adding custom notice text, your company name, pointers to more information, and so on, see [Customizing the Self-Service Portal for Your Organization](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/customizing-the-self-service-portal-for-your-organization). + +### Step 10: Configure the self-server portal if client computers cannot access the CDN + +Determine whether your client computers have access to the Microsoft AJAX Content Delivery Network (CDN). +The CDN gives the Self-Service Portal the access it requires to certain JavaScript files. If you don’t configure the Self-Service Portal when client computers cannot access the CDN, only the company name and the account under which the end-user signed in will be displayed. No error message will be shown. + +Do one of the following: + +* If your client computers have access to the CDN, do nothing. Your Self-Service Portal configuration is complete. + +* If your client computers do not have access to the CDN, follow the steps in How to Configure the Self-Service Portal When Client Computers Cannot Access the Microsoft Content Delivery Network. + +### Step 11: Validate the MBAM 2.5 server feature configuration + +To validate your MBAM Server deployment with the Stand-alone topology, follow these steps. + +1. 
On each server where an MBAM feature is deployed, click **Control Panel** > **Programs** > **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. + >[!Note] + >To perform the validation, you must use a domain account that has local computer administrative credentials on each server. + +2. On the server where the Recovery Database is configured, open SQL Server Management Studio, and verify that the **MBAM Recovery and Hardware** database is configured. + +3. On the server where the Compliance and Audit Database is configured, open SQL Server Management Studio, and verify that the MBAM Compliance Status Database is configured. + +4. On the server where the Reports feature is configured, open a web browser with administrative credentials, and browse to the "Home" of the SQL Server Reporting Services site. + + The default Home location of a SQL Server Reporting Services site instance is as follows: + http(s)://*\*:*\*/Reports.aspx + + To find the actual URL, use the Reporting Services Configuration Manager tool, and select the instances that you specified during setup. + +5. Confirm that a reports folder named Microsoft BitLocker Administration and Monitoring contains a data source called MaltaDataSource. This data source contains folders that have names that represent languages (for example, en-us). The reports are in the language folders. + + >[!Note]If SQL Server Reporting Services (SSRS) was configured as a named instance, the URL should resemble the following: + >http(s)://\:\/Reports_\ + > + >If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM server. If you then go to the Administration and Monitoring Website (also known as Help Desk) and select a report, you receive the following message: "Only Secure Content is Displayed." To show the report, click **Show All Content**. + +6. 
On the server where the Administration and Monitoring Website feature is configured, run Server Manager, browse to **Roles**, and then select **Web Server (IIS)** > **Internet Information Services (IIS)** Manager. + +7. In **Connections**, browse to \ and then select **Sites** > **Microsoft BitLocker Administration and Monitoring**. Verify that the following are listed: + + * MBAMAdministrationService + * MBAMComplianceStatusService + * MBAMRecoveryAndHardwareService + +8. On the server where the Administration and Monitoring Website and Self-Service Portal are configured, open a web browser with administrative credentials. + +9. Browse to the following websites to verify that they load successfully: + * https(s)://\:\/HelpDesk/ (confirm each link for navigation and reports) + * http(s)://\:\/SelfService/ + + >[!Note] + >It is assumed that you configured the server features on the default port without network encryption. If you configured the server features on a different port or virtual directory, change the URLs to include the appropriate port, for example: + >http(s)://\:\/HelpDesk/ + >http(s)://\:\/\/ + >If the server features were configured to use network encryption, change http:// to https://. + +10. Browse to the following web services to verify that they load successfully. A page opens to indicate that the service is running. However, the page displays no metadata. + + * http(s)://\:\/MBAMAdministrationService/AdministrationService.svc + * http(s)://\:\/MBAMUserSupportService/UserSupportService.svc + * http(s)://\:\/MBAMComplianceStatusService/StatusReportingService.svc + * http(s)://\:\/MBAMRecoveryAndHardwareService/CoreService.svc + +### Step 12: Configure the MBAM Group policy templates + +To deploy MBAM, you have to set Group Policy settings that define MBAM implementation settings for BitLocker drive encryption. 
To complete this task, you must copy the MBAM Group Policy templates to a server or workstation that can run Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM), and then edit the settings. + +>[!Important] +>Do not change the Group Policy settings in the **BitLocker Drive Encryption** node, or MBAM will not work correctly. When you configure the Group Policy settings in the **MDOP MBAM (BitLocker Management)** node, MBAM automatically configures the **BitLocker Drive Encryption** settings for you. + +#### Copying the MBAM 2.5 Group Policy templates + +Before you install the MBAM Client, you must copy MBAM-specific Group Policy Objects (GPOs) to the management workstation. These GPOs define MBAM implementation settings for BitLocker drive encryption. You can copy the Group Policy templates to any server or workstation that is a supported Windows-based server or client computer and can run the Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM). + +For more information, refer to [Copying the MBAM 2.5 Group Policy Templates](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/copying-the-mbam-25-group-policy-templates). + +#### Editing MBAM 2.5 GPO settings + +After you create the necessary GPOs, you must deploy the MBAM Group Policy settings to your organization’s client computers. To view and create GPOs, you must have Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) installed. + +For more information, refer to [Editing the MBAM 2.5 Group Policy Settings](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/editing-the-mbam-25-group-policy-settings) and [Planning for MBAM 2.5 Group Policy Requirements](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements). 
+ +### Step 13: Deploying the MBAM 2.5 client + +Depending on when you deploy the Microsoft BitLocker Administration and Monitoring Client software, you can enable BitLocker Drive Encryption on a computer in your organization either before the end-user receives the computer or afterward by configuring Group Policy and deploying the MBAM Client software by using an enterprise software deployment system. + +#### Deploy the MBAM Client to desktop or portable computers + +After you configure Group Policy settings, you can use an enterprise software deployment system product such as Microsoft System Center 2012 Configuration Manager or Active Directory Domain Services to deploy the MBAM Client installation Windows Installer files to target computers. You can use either the 32-bit or 64-bit MbamClientSetup.exe files or the 32-bit or 64-bit MBAMClient.msi files. These are provided with the MBAM Client software. + +For more information, refer to [How to Deploy the MBAM Client to Desktop or Laptop Computers](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25). + +#### Deploy the MBAM Client as part of a Windows deployment + +In organizations where computers are received and configured centrally, you can install the MBAM Client to manage BitLocker Drive Encryption on each computer before any user data is written to it. The benefit of this process is that every computer is then BitLocker Drive Encryption-compliant. This method does not rely on user action because the administrator has already encrypted the computer. A key assumption for this scenario is that the policy of the organization is to install a corporate Windows image before the computer is delivered to the user. If the Group Policy settings are configured to require a PIN, users are prompted to set a PIN after they receive the policy. 
+ +For more information, refer to [How to Deploy the MBAM Client as Part of a Windows Deployment](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25). + +#### How to deploy the MBAM Client by using a command line + +For more information refer to [How to Deploy the MBAM Client by Using a Command Line](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line). + +#### Post-deployment of clients + +Now that you have finished the deployment activity, you should review the following logs and determine whether the clients are reporting successfully to the MBAM database. + +## FAQ + +### How to create a Load balanced IIS servers? + +* SPN must be registered only to the friendly name (For example: bitlocker.corp.net), and must not be registered to individual IIS servers. + +* If certificate is used, certificate must have Subject Alternative Name field filled in with both FQDN and NetBIOS names for all IIS servers in the load balance group as well as the Friendly Name (ex: bitlocker.corp.net). Otherwise, the certificate will be reported as not trusted by the browser when browsing load balanced address. + +For more information, see [IIS Network Load Balancing](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-high-availability#a-href-idbkmk-load-balanceaiis-network-load-balancing) and [Registering SPNs for the application pool account](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-how-to-secure-the-mbam-websites#registering-spns-for-the-application-pool-account). + +### How to configure a certificate? + +* You’ll need two certificates. One certificate is used for SQL server, and the other is used for IIS. They need to be installed before starting MBAM installation. 
+ +* We recommend you use installer to add certificate to the IIS configuration instead of manually editing the web.config file. + +* The certificate will not be accepted by the MBAM Configurator if the “Issued To” field on the certificate does not match the name of the server. When the issue occurs, temporarily create a Self-Signed certificate from IIS Console and use it to proceed with the configurator, which will ensure the Web Apps are installed for SSL and HTTPS. After that, the certificate can be changed to the one desired from IIS bindings for the MBAM Website. + +### The SQL permissions requirement for installation. + +Create an account for MBAM App Pool, and give it only SecurityAdmin, Public, and DBCreator permissions. + +See [MBAM Database configuration – minimum permissions](https://blogs.technet.microsoft.com/dubaisec/2016/02/02/mbam-database-configuration-minimum-permissions/) for more information. + +>[!Note] +>* In some situations, more permissions are required for the initial install and upgrade operations. +>* Use an account with temp SA for the installation. +>* Launching the configurator in the context of a user account (Run As) that does not have enough permissions to make changes to SQL will result in install errors. +>* You must be logged on as an account which has Permissions on SQL server. Only SQL Databases can be created or updated by runing MBAM Configurator remotely. For SSRS server, you must install MBAM and run configurator Locally to install or update the MBAM SSRS Reports. + +### The permission required for SPN Registration. + +Account used for IIS portal installation needs to have Write ServicePrincipalName and Write validated SPN permissions. + +Without these permissions, the installation will warn that it cannot register the SPN. + +>[!Note] +>You will receive warning messages twice. That does not mean that the SPN needs two objects registered to it. 
+ +For more information, see [MBAM Setup fails with “Register SPN Deferred” error message](https://support.microsoft.com/help/2754138/). + +### Did I need to update the ADMX templates to the latest version? + +You'll see multiple OS options in the MBAM root node for GPO after update the ADMX templates to the latest version. For example, Windows 7, Windows 8.1, Windows 10 version 1511 and later versions. + +For more information on how to update the ADMX templates, see the following articles. +* [How to Download and Deploy MDOP Group Policy (.admx) Templates](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates) +* [Planning for MBAM 2.5 Group Policy Requirements](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements) +* [Microsoft Desktop Optimization Pack Group Policy Administrative Templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) diff --git a/mdop/mbam-v25/images/deploying-MBAM-1.png b/mdop/mbam-v25/images/deploying-MBAM-1.png new file mode 100644 index 0000000000..eeb70cba71 Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-1.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-10.png b/mdop/mbam-v25/images/deploying-MBAM-10.png new file mode 100644 index 0000000000..69c5ddf7c5 Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-10.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-11.png b/mdop/mbam-v25/images/deploying-MBAM-11.png new file mode 100644 index 0000000000..6a33a96097 Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-11.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-12.png b/mdop/mbam-v25/images/deploying-MBAM-12.png new file mode 100644 index 0000000000..c21dda4c80 Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-12.png differ 
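Review bot: The "Post-deployment of clients" section says "you should review the following logs and determine whether the clients are reporting successfully to the MBAM database", but no logs follow; the section ends and the FAQ starts. Either list the logs to check (the client Admin and Operational event channels) or link to the log section of the troubleshooting article added in this same change. Other points in this hunk: in step 11, item 9, the first URL reads `https(s)://\:\/HelpDesk/` and should be `http(s)://`, matching the SelfService line below it; in steps 4, 7, 9 and 10 the host and port placeholders come through empty (`\:\`), so the angle-bracket placeholders need escaping so they survive rendering. The callout under step 11, item 5 starts with `>[!Note]If SQL Server Reporting Services (SSRS) was configured as a named instance` on one line; the alert marker has to be on its own line or the note will not render as a callout. In the SQL permissions FAQ, "Use an account with temp SA for the installation" should say plainly that this means temporarily adding the installing account to the sysadmin role and that the membership should be removed once setup completes, since the sentence before it limits the app pool account to SecurityAdmin, Public and DBCreator. Step 10 names "How to Configure the Self-Service Portal When Client Computers Cannot Access the Microsoft Content Delivery Network" without a link, unlike every other cross-reference in the article. Spelling and grammar: "self-server portal" in the Step 9 and Step 10 headings should be "self-service portal", "How to create a Load balanced IIS servers?" should be "How to create load-balanced IIS servers?", "runing" should be "running", "Did I need to update" should be "Do I need to update", and "after update the ADMX templates" should be "after updating the ADMX templates".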
diff --git a/mdop/mbam-v25/images/deploying-MBAM-13.png b/mdop/mbam-v25/images/deploying-MBAM-13.png new file mode 100644 index 0000000000..3fec7c2d3a Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-13.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-14.png b/mdop/mbam-v25/images/deploying-MBAM-14.png new file mode 100644 index 0000000000..514a80cce5 Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-14.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-2.png b/mdop/mbam-v25/images/deploying-MBAM-2.png new file mode 100644 index 0000000000..c7f7bc2b42 Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-2.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-3.png b/mdop/mbam-v25/images/deploying-MBAM-3.png new file mode 100644 index 0000000000..a4c20e2096 Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-3.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-4.png b/mdop/mbam-v25/images/deploying-MBAM-4.png new file mode 100644 index 0000000000..e1f8c45c3f Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-4.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-5.png b/mdop/mbam-v25/images/deploying-MBAM-5.png new file mode 100644 index 0000000000..93886bc19e Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-5.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-6.png b/mdop/mbam-v25/images/deploying-MBAM-6.png new file mode 100644 index 0000000000..4822eaf50b Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-6.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-7.png b/mdop/mbam-v25/images/deploying-MBAM-7.png new file mode 100644 index 0000000000..11232fc2ed Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-7.png differ 
diff --git a/mdop/mbam-v25/images/deploying-MBAM-8.png b/mdop/mbam-v25/images/deploying-MBAM-8.png new file mode 100644 index 0000000000..707cf78794 Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-8.png differ diff --git a/mdop/mbam-v25/images/deploying-MBAM-9.png b/mdop/mbam-v25/images/deploying-MBAM-9.png new file mode 100644 index 0000000000..cdd490f4d5 Binary files /dev/null and b/mdop/mbam-v25/images/deploying-MBAM-9.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-1.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-1.png new file mode 100644 index 0000000000..3ae07ddf32 Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-1.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-10.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-10.png new file mode 100644 index 0000000000..d4f0ccd596 Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-10.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-11.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-11.png new file mode 100644 index 0000000000..c6835166f1 Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-11.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-2.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-2.png new file mode 100644 index 0000000000..488b60ea4c Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-2.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-3.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-3.png new file mode 100644 index 0000000000..3ad922e3a5 Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-3.png differ 
diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-4.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-4.png new file mode 100644 index 0000000000..3bfaf4918a Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-4.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-5.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-5.png new file mode 100644 index 0000000000..1cf43b2ba3 Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-5.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-6.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-6.png new file mode 100644 index 0000000000..8aab8a27a5 Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-6.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-7.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-7.png new file mode 100644 index 0000000000..35d487937f Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-7.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-8.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-8.png new file mode 100644 index 0000000000..11a30cde0f Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-8.png differ diff --git a/mdop/mbam-v25/images/troubleshooting-MBAM-installation-9.png b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-9.png new file mode 100644 index 0000000000..0c7ab8f429 Binary files /dev/null and b/mdop/mbam-v25/images/troubleshooting-MBAM-installation-9.png differ diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md new file mode 100644 index 0000000000..138f639ffe --- /dev/null +++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md 
@@ -0,0 +1,632 @@ +# Troubleshooting MBAM 2.5 installation problems + +This article introduces how to troubleshoot Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 installation issues in a stand-alone configuration. + +## Referring MBAM log files for troubleshooting purpose + +MBAM includes logging for server installation, client installation, and events. This logging should be referred to for troubleshooting purpose. + +### MBAM server installation log files + +MBAMServerSetup.exe generates the following log files in the user’s %temp% folder during MBAM installation:
**Microsoft_BitLocker_Administration_and_Monitoring_<14 numbers>.log** + +MBAMServerSetup.exe logs the actions that were taken during MBAM setup and MBAM server feature installation:
**Microsoft_BitLocker_Administration_and_Monitoring_<14_numbers>_0_MBAMServer.msi.log** + +MBAMServerSetup.exe logs additional actions that were taken during installation. + +### MBAM client installation log file + +The client installation log consists of the following log file, which is in the %temp% folder (or a custom location, depending on how the client was installed):
**MSI\.log** + +This log contains the actions that are taken during MBAM client installation. + +### MBAM client event-logging channel + +MBAM has separate event-logging channels. The Admin, Analytical, and Operational log files are located in Event Viewer, under **Application and Services Logs** -> **Microsoft** -> **Windows** -> **MBAM**. + +The following table provides a brief description of each event log. + +|Event log| Description| +|----------|-------| +|Microsoft-Windows-MBAM/Admin| Contains error messages| +|Microsoft-Windows-MBAM/Analytic| Contains advanced logging information| +|Microsoft-Windows-MBAM/Operational| Contains success messages| + +### MBAM server event-logging channel + +The log files are located in Event Viewer, under **Application and Services Logs** -> **Microsoft** -> **Windows** -> **MBAM**. The following table includes server event logs that were introduced with MBAM 2.5: + +|Event log| Description| +|--------|-------------| +|Microsoft-Windows-MBAM/Admin| Contains error messages| +|Microsoft-Windows-MBAM/Analytic| Contains advanced logging information| +|Microsoft-Windows-MBAM/Operational| Contains success messages| + +### MBAM web service logs + +Each MBAM web service log writes logging information in an SVCLOG file. By default, each web service writes the trace file under a folder that uses its name in the C:\inetpub\Microsoft BitLocker Management Solution\Logs folder. + +You can use the service trace viewer tool (part of Microsoft Visual Studio) to review the svclog traces. + +## Troubleshooting encryption and reporting issues + +This section contains troubleshooting information for server functionality, client functionality, configuration settings, and known issues: + +### MBAM client installation, Group Policy settings + +Determine whether the MBAM agent is installed on the client computer. When MBAM is installed, it creates a service that is named BitLocker Management Client Service. 
This service is configured to start automatically. Determine whether the service is running. + +Make sure that MBAM Group Policy settings are applied on the client computer. The following registry subkey is created if the Group Policy settings were applied on the client computer: +**HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement** + +Verify that this key exists and is populated with values as per Group Policy settings. + +### MBAM Agent in the initial delay period + +The MBAM client doesn't start the operation immediately after installation. There is an initial random delay of 1minute to 18 minutes before the MBAM Agent starts its operation. In addition to the initial delay, there is a delay of at least 90 minutes. (The delay depends on the Group Policy settings that are configured for client checking status frequency.) Therefore, the total delay before a client starts operation is *random startup delay* + *client checking frequency delay*. + +If the Operational and Admin event logs are blank, the client has not started the operation yet and is in the delay period that was mentioned earlier. If you want to bypass the delay, follow these steps: + +1. Stop the BitLocker Management Client Service service. + +2. Create the registry value NoStartupDelay of type REG_DWORD under the **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM** registry subkey, and set it to **1**. + +3. Set the ClientWakeupFrequency and StatusReportingFrequency values under **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement** to **1**. These two values will change to their original settings after Group Policy updates are on the computer. + +4. Start the BitLocker Management Client Service service. + +If, after the service starts, you log in locally on the computer and there are no errors, you should receive a request to encrypt the computer in a minute. If you do not receive a request, you should review the MBAM Admin logs for any error messages. 
+ +### Computer does not have a TPM device, or the TPM device is not enabled in the BIOS + +Review the MBAM Admin event log. You will see an event message that resembles the following in the MBAM Admin event log: + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 8/3/2013 12:31:10 PM + Event ID: 9 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: Mbamclient.contoso.com + Description: + The TPM hardware is missing. + TPM is needed to encrypt the operating system drive with any TPM protector. + +Open TPM Management (tpm.msc), and check whether the computer has a TPM device. If tpm.msc does not show a device, open Device Manager (devmgmt.msc), and check for a Trusted Platform Module under Security Devices. If you do not see a Trusted Platform Module device, this might be due to one of the following reasons: + +* Your system doesn't have a Trusted Platform Module (TPM/Security) device. + +* The TPM device is disabled in the BIOS. + +* TPM Device is enabled in the BIOS, but management of the TPM device from the operating system setting is disabled in the BIOS. + +* You aren't using a Microsoft driver for the TPM device. Review the devices that are listed in device manager to identify the Microsoft TPM device driver. + +If the TPM device is not using the C:\Windows\System32\tpm.sys driver, you should update the driver by selecting the C:\Windows\Inf\tpm.inf file. + +### Computer does not have a valid SYSTEM partition + +Review the MBAM Admin event log. You will see an event message that resembles the following in the MBAM Admin event log: + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 8/3/2013 4:13:37 AM + Event ID: 8 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: BITTESTVM.xtremelabs.com + Description: + The system volume is missing. + SystemVolume is needed to encrypt the operating system drive. 
+ +BitLocker requires a SYSTEM partition to enable encryption ([BitLocker Drive Encryption in Windows 7: Frequently Asked Questions](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee449438(v=ws.10)?redirectedfrom=MSDN#bkmk_partitions)). + +MBAM doesn't create the system partition automatically. You can use the BitLocker drive preparation utility (bdehdcfg.exe) to create the system partition and move the required startup files. + +For example, you can use the command %windir%\system32\bdeHdCfg.exe -target default -size 300 –quiet to prepare the drive silently before you deploy MBAM to encrypt the drives. This requires a restart. You can also script the action if this is required. The following document describes the BitLocker Drive Preparation Tool: + +[Description of the BitLocker Drive Preparation Tool](https://support.microsoft.com/help/933246) + +### Drives are not formatted with a compatible file system + +Refer to the [TechNet article for file system requirements for BitLocker](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/ee449438(v=ws.10)?redirectedfrom=MSDN#bkmk_hsrequirements). + +### Group Policy conflict + +You will see an event message that resembles the following in the MBAM Admin event log: + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 7/25/2013 9:27:58 PM + Event ID: 22 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: Mbamclient.contoso.com + Description: + Detected Fixed Data Drive volume encryption policies conflict. + Check BitLocker and MBAM policies related to FDD drive protectors. + +Verify your Group Policy settings to make sure that you do not have a conflicting setting among the MBAM Group Policy settings. + +You should configure Group Policy by using the MDOP MBAM template and not the BitLocker Drive Encryption template. 
+ +For example: + +Under Operating system drive encryption settings, you selected TPM as protector, and you also selected Allow enhanced PINs for startup. This is a conflicting setting because TPM-only protection doesn't require a PIN. Therefore, you should disable the enhanced PINs setting. + +### User may have requested an exemption + +If you enabled the Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)\Client Management\Configure user exemption policy Group Policy setting, users will be offered a choice to request an exemption. + +By default, if the user requests an exemption, it will be valid for 7 days, and the user will not receive prompts to encrypt during this period. (The default value can be increased or decreased during policy configuration.) After the exemption period is over, the user is prompted to encrypt. + +You will see the following message in the MBAM Admin event log when a computer is under user exemption. + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 8/3/2013 3:06:40 PM + Event ID: 13 + Task Category: None + Level: Warning + Keywords: + User: SYSTEM + Computer: MBAMCLIENT.contoso.com + Description: + The user is exempt from encryption. + +If you want to manually override for a computer that is under user exemption, follow these steps: + +1. Set the AllowUserExemption value to 0 under the following registry subkey:
+**HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement** + +2. Delete all the registry values under the following registry subkey except for AgentVersion, EncodedComputerName, and Installed:
+**HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM** + + **Note** You must restart the MBAM agent for changes to take effect. + +Be aware that after you apply Group Policy to the computer, these values may change back to their original settings. + +### WMI issue + +MBAM uses methods of the win32_encryptablevolume class for managing of BitLocker. If this module is unregistered or corrupted, the MBAM client will not operate correctly, and you will see the following event message in the MBAM Admin event log: + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 7/27/2013 11:18:51 PM + Event ID: 4 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: BITTEST.xtremelabs.com + Description: + An error occurred while sending encryption status data. + Error code: + 0x80041016 + Details: + NULL + +Additionally, you may notice that the Recovery and Hardware policies do not apply with Error Code 0x8007007e. This translates to The specified module could not be found. + +To resolve this issue, you should reregister the win32_encryptablevolume class by using the following command: + +```cmd +mofcomp c:\Windows\System32\wbem\win32_encryptablevolume.mof +``` + +## Troubleshooting MBAM Agent communication issues + +This section contains troubleshooting information for the following issues that are related to MBAM agent communication: + +### Incorrect MBAM service URL + +If the value of MBAM Compliance Status Service or Recovery and Hardware Service is incorrect, you'll see an event message that resembles the following in the MBAM Admin event log on the client computer: + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 8/3/2013 4:13:36 PM + Event ID: 4 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: Mbamclient.contoso.com + Description: + An error occurred while sending encryption status data. + Error code: + 0x803d0010 + Details: + The remote endpoint was not reachable. 
+ + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 8/3/2013 4:13:33 PM + Event ID: 18 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: Mbamclient.contoso.com + Description: + Unable to connect to the MBAM Recovery and Hardware service. + Error code: + 0x803d0010 + Details: + The remote endpoint was not reachable. + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 8/3/2013 4:20:32 PM + Event ID: 4 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: Mbamclient.contoso.com + Description: + An error occurred while sending encryption status data. + Error code: + 0x803d0020 + Details: + The endpoint address URL is invalid. + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 8/3/2013 4:20:32 PM + Event ID: 18 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: Mbamclient.contoso.com + Description: + Unable to connect to the MBAM Recovery and Hardware service. + Error code: + 0x803d0020 + Details: + The endpoint address URL is invalid. + +Verify the values of KeyRecoveryServiceEndPoint and StatusReportingServiceEndpoint under the following registry subkey on the client computer:
+**HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement** + +By default, the URL for KeyRecoveryServiceEndPoint (MBAM Recovery and Hardware service endpoint) is in the following format:
+**http://\:\/MBAMRecoveryAndHardwareService/CoreService.svc** + +By default, the URL for StatusReportingServiceEndpoint (MBAM Status reporting service endpoint) is in the following format:
+**http://\:\/MBAMComplianceStatusService/StatusReportingService.svc** + +>[!Note] +>There should be no spaces in the URL. + +If the service URL is incorrect, you should correct the service URL in the following Group Policy setting: + +**Computer configuration** -> **Policies** -> **Administrative Templates** -> **Windows Components** -> **MDOP MBAM (BitLocker Management)** -> **Client Management** -> **Configure MBAM Services** + +### Connectivity issue with the MBAM administration server + +The MBAM agent will be unable to post any updates to the database if there are connectivity issues between the client agent and the MBAM administration server. In this case, you will notice connectivity failure messages in the MBAM Admin event log on the client computer: + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 29-04-2014 18:21:22 + Event ID: 2 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: TESTLABS.CONTOSO.COM + Description: + An error occured while applying MBAM policies. + Volume ID:\\?\Volume{871c5858-2467-4d0b-8c83-d68af8ce10e5}\ + Error code: + 0x803D0010 + Details: + The remote endpoint was not reachable. + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 29-04-2014 23:06:48 + Event ID: 2 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: TESTLABS.CONTOSO.COM + Description: + An error occured while applying MBAM policies. + Volume ID:\\?\Volume{871c5858-2467-4d0b-8c83-d68af8ce10e5}\ + Error code: + 0x803D0006 + Details: + The operation did not complete within the time allotted. + + Log Name: Microsoft-Windows-MBAM/Admin + Source: Microsoft-Windows-MBAM + Date: 02-09-2013 02:02:04 + Event ID: 18 + Task Category: None + Level: Error + Keywords: + User: SYSTEM + Computer: TESTLABS.CONTOSO.COM + Description: + Unable to connect to the MBAM Recovery and Hardware service. 
+ Error code: + 0x803D0010 + Details: + The remote endpoint was not reachable. + +Basic checks: + +* Verify basic connectivity by pinging the MBAM administration server by name and IP. Check whether you can connect to the MBAM administration website/service port by using telnet/portqry. + +* Verify that the IIS service is running on the MBAM administration and monitoring server and that the MBAM web service is listening on the same port that is configured on the MBAM client computer (`netstat –ano | find "portnumber"`). + +* Verify that the port number that is configured for the MBAM website is using IIS Manager (inetmgr). Make sure that the port number is the same as the port number on which the client is listening. Make sure that the port number is not shared by another application. For example, another application on the server should not be using the same port. + +* If there is a firewall, make sure that the port is open in the firewall or proxy server. + +* If the communication between client and server is secure, make sure that you are using a valid SSL certificate. + +* Verify network connectivity between the web server and the database server to which the data is sent for insertion. You may check database connectivity from the web server to the database server by using ODBC Data Source Administrator. Detailed SQL connection troubleshooting information is available in [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx). + +#### Troubleshooting the connectivity issue + +Make sure that the service URL that is configured on the client is correct. Copy the value of the URL for KeyRecoveryServiceEndPoint (**HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement**) from the registry, and open it in Internet Explorer. 
+ +Similarly, copy the value of the URL for StatusReportingServiceEndpoint (**HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement**), and open it in Internet Explorer. + +>[!Note] +>If you cannot browse to the URL from the client computer, you should test basic network connectivity from the client to the server that is running IIS. Refer to points 1, 2, 3, and 4 in the previous section. + +In addition, review the Application logs on the administration and monitoring server for any errors. + +You may make a concurrent network trace between the client and the server and review the trace to determine the cause of connection failure between the client agent and the MBAM administration server. + +>[!Note] +>If you can browse to the service URLs from the client computer and there are connectivity errors in the MBAM admin event logs, this might be due to a connectivity failure between the administration server and the database server. + +If you can successfully browse to both service URLs, connectivity between the client and the server that is running, IIS is working. However, there may be a problem in communication between the server that is running IIS and the database server. + +The MBAM services may be unable to connect to the database server because of a network issue or an incorrect database connection string setting.Review the Application logs on the administration and monitoring server. 
You might see errors or warnings from source ASP.NET 2.0.50727.0 that resemble the following log: + + Log Name: Application + Source: ASP.NET 2.0.50727.0 + Date: 7/11/2013 6:16:34 PM + Event ID: 1310 + Task Category: Web Event + Level: Warning + Keywords: Classic + User: N/A + Computer: MBAM2-Admin.contoso.com + Description: + Event code: 100001 + Event message: SQL error occured + Event time: 7/11/2013 6:16:34 PM + Event time (UTC): 7/11/2013 12:46:34 PM + Event ID: 6615fb8eb9d54e778b933d5bb7ca91ed + Event sequence: 2 + Event occurrence: 1 + Event detail code: 0 + Application information: + Application domain: /LM/W3SVC/2/ROOT/MBAMAdministrationService-1-130180202570338699 + Trust level: Full + Application Virtual Path: /MBAMAdministrationService + Application Path: C:\inetpub\Microsoft BitLocker Management Solution\Administration Service\ + Machine name: MBAM2-ADMIN + + Process information: + Process ID: 1940 + Process name: w3wp.exe + Account name: NT AUTHORITY\NETWORK SERVICE + + Exception information: + Exception type: SqlException + Exception message: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. 
(provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) + + Request information: + Request URL: + Request path: + User host address: + User: + Is authenticated: False + Authentication Type: + Thread account name: NT AUTHORITY\NETWORK SERVICE + + Thread information: + Thread ID: 7 + Thread account name: NT AUTHORITY\NETWORK SERVICE + Is impersonating: False + Stack trace: at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) + at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) + at System.Data.SqlClient.TdsParser.Connect(ServerInfo serverInfo, SqlInternalConnectionTds connHandler, Boolean ignoreSniOpenTimeout, Int64 timerExpire, Boolean encrypt, Boolean trustServerCert, Boolean integratedSecurity, SqlConnection owningObject) + at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject) + at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart) + at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance) + at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance) + at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection) + at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, 
DbConnectionOptions options) + at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject) + at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject) + at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject) + at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) + at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) + at System.Data.SqlClient.SqlConnection.Open() + at System.Data.Linq.SqlClient.SqlConnectionManager.UseConnection(IConnectionUser user) + at System.Data.Linq.SqlClient.SqlProvider.get_IsSqlCe() + at System.Data.Linq.SqlClient.SqlProvider.InitializeProviderMode() + at System.Data.Linq.SqlClient.SqlProvider.System.Data.Linq.Provider.IProvider.Execute(Expression query) + at System.Data.Linq.DataContext.ExecuteMethodCall(Object instance, MethodInfo methodInfo, Object[] parameters) + at Microsoft.Mbam.Server.ServiceCommon.KeyRecoveryModelDataContext.GetRecoveryKeyIds(String partialRecoveryKeyId, String reason) + at Microsoft.Mbam.ApplicationSupportService.AdministrationService.GetRecoveryKeyIds(String partialRecoveryKeyId, String reasonCode) + + Custom event details: + Application: MBAMAdministrationService + Sql Server: + Database: MBAM Recovery and Hardware + Database: MBAM Compliance Status + Sql ErrorCode: 5 + Error Message: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. 
(provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) + +#### Possible causes + +##### Cause 1 + +The administrator may have specified an invalid database instance name/database name during installation of administration and monitoring server components. + +You can verify and correct the database connection strings by using the IIS Management console. To do this, open IIS Manager, and browse to Microsoft BitLocker Administration and Monitoring. For each service that is listed on the left side, follow these steps to change the database connection strings: + +1. In **Features View**, double-click **Connection Strings**. + +2. On the **Connection Strings** page, select the connection string that you want to change. + +3. In the **Actions** pane, click **Edit**. + +4. In the **Edit Connection String** dialog box, change the properties that you want to change, and then click **OK**. + +##### Cause 2 + +SQL Server port blocked in firewall. Verify the port number to which SQL Server is configured to listen, and make sure that the port is open in the firewall between the administration server and database server. + +##### Cause 3 + +Incorrect SQL server TCP/IP bindings. Verify SQL TCP/IP bindings in SQL Server Configuration Manager on the database server. MBAM requires that the TCP/IP and Named Pipes protocols are enabled to connect to the database. + +##### Cause 4 + +The NT Authority\Network Service account or the MBAM Administration Server’s computer account doesn't have the required permissions to connect to the SQL database. + +During the installation of database components on the database server, the installer creates two local groups: MBAM Compliance Auditing DB Access and MBAM Recovery and Hardware DB Access. + +The NT Authority\Network Service account, the MBAM administration server’s computer account, and the user who installs the database components are automatically added to these groups. 
+ +These groups are granted the required permissions on the database during the installation. All users who are part of this group automatically receive the required permissions on the database. + +The web service may not connect to the database server because of a permissions issue if one or more of the following conditions are true: + +* The groups that were mentioned earlier are removed from the local groups on the database server. + +* The NT Authority\Network Service account and the MBAM administration server’s computer account are not members of these groups. + +* These groups do not have the required permissions on the database. + +You will notice permissions-related errors in the Application logs on the MBAM administration and monitoring server if any of the previous conditions are true. In that case, you should manually add the NT Authority\Network Service account and MBAM administration server’s computer account and grant them a server-wide public role on the SQL database server that is using SQL Server Management Studio (http://msdn.microsoft.com/en-us/library/aa337562.aspx). + +#### Review the web service logs + +If no events are logged in the Application logs on the MBAM administration server, it’s time to review the web service logs (.svclog) of the MBAM web service that is hosted on the MBAM administration and monitoring server. You will have to use the Service Trace Viewer Tool (SvcTraceViewer.exe) http://msdn.microsoft.com/en-us/library/ms732023.aspx to view the log file. + +You should primarily investigate the service trace logs of RecoveryandHardwareService and ComplianceStatusService. By default, web service logs are located in the C:\inetpub\Microsoft BitLocker Management Solution\Logs folder. There, each service writes its .svclog file under its own folder. + +Review the activity in the service trace log for any errors or warnings. By default, error messages are highlighted in red. 
Click the error description on the right pane of the trace viewer to view detailed information about the error message. A sample error that was copied from the trace log follows: + + + + 15183 + 3 + 0 + 2 + + + + + + XXXXXXXXXXX + + AddUpdateVolume: While executing sql transaction for add volume to store exception occured Key Recovery Data Store processing error: Violation of UNIQUE KEY constraint 'UniqueRecoveryKeyId'. Cannot insert duplicate key in object 'RecoveryAndHardwareCore.Keys'. The duplicate key value is (8637036e-b379-4798-bd9e-5a0b36296de3). + + + +## Re-installation or reconfiguration of MBAM infrastructure + +To re-install or re-configure MBAM infrastructure, you must know the following things: + +* Application Pool account + +* MBAM Groups (Helpdesk, Advanced, Report Users Group) + +* MBAM Reports URL + +* SQL Server name and database names + +* MBAM ReadWrite and ReadOnly Accounts + +### Application Pool account + +To find the Application Pool account, log on to the MBAM Web Server, open **Internet Information Services (IIS) Manager**, and then select **Application Pools**: + +![application pools](images/troubleshooting-MBAM-installation-1.png) + +The Service Principal Name (SPN) must be set in this account. This setting is very important to the functionality of MBAM. + +### MBAM Groups (Helpdesk, Advanced, Report Users Group and Reports URL) + +![MBAM Groups](images/troubleshooting-MBAM-installation-2.png) + +This provides information such as Helpdesk Group, Advanced Helpdesk Group, Report Users group, and MBAM Reports URL. The MBAM Reports URL, which must be provided in the MBAM setup, should be: http(s)://servername/ReportServer. 
+ +### SQL Server name and database (DB) names + +To find the SQL Server names and instances that are hosting the MBAM DBs, log on to the MBAM Web (IIS) server and browse to this Registry subkey: + +**HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web** + +![Regedit](images/troubleshooting-MBAM-installation-3.png) + +The highlighted portions are connection strings, which should have the SQL Server name, database names, and instances (if named). + +### MBAM ReadWrite and ReadOnly accounts + +This information will be in the SQL Server, which we already found the name of from the web server. + +#### ReadWrite account + +1. Log in to the SQL Management Studio. + +2. Right-click **MBAM Recovery and Hardware**, click **Properties**, and then click **Permissions**. + +For example, The name of account in the lab is **MBAMWrite**. The Application Pool and ReadWrite account are set to be the same. + +![SQL DB](images/troubleshooting-MBAM-installation-4.png) + +![DB properties](images/troubleshooting-MBAM-installation-5.png) + +Browse to Security and then Logins in the SQL Management Studio. Browse to the account that is noted in previous screenshot. + +![SQL Security](images/troubleshooting-MBAM-installation-6.png) + +Right-click the accounts, go to Properties User Mapping, and locate the MBAM Recovery and Hardware database: + +![User Mapping](images/troubleshooting-MBAM-installation-7.png) + +#### ReadOnly account + +Open SQL Server Reporting Services Configuration Manager on the SSRS Server. 
Click **Report Manager URL**, and then browse the **URLs**: + +![Report Manager](images/troubleshooting-MBAM-installation-8.png) + +Click **Microsoft Bitlocker Administration and Monitoring**: + +![Bitlocker Administration and Monitoring](images/troubleshooting-MBAM-installation-9.png) + +Click **MaltaDatasource**: + +![DBs](images/troubleshooting-MBAM-installation-10.png) + +![MaltaDatasource](images/troubleshooting-MBAM-installation-11.png) + +MaltaDataSource should have the ReadOnly Account name and should be used in MBAM setup. + +##Reference + +For more information, see the following articles. + +[Deploying MBAM 2.5 in a stand-alone configuration](https://support.microsoft.com/help/3046555) + +[Microsoft BitLocker Administration and Monitoring 2.5](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/)
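Review bot: the remediation under "Cause 4" (the paragraph starting "You will notice permissions-related errors") does not match the cause the same hunk describes. The preceding paragraphs say the database permissions are granted to the two local groups the installer creates on the database server (MBAM Compliance Auditing DB Access and MBAM Recovery and Hardware DB Access), and the three failure conditions listed are those groups being removed, the NT Authority\Network Service account and the administration server's computer account no longer being members, or the groups losing their permissions on the database. The fix should therefore be to re-add the two accounts to those groups (or restore the groups' database permissions) and confirm the mapping under Security, Logins, User Mapping as the later "ReadWrite account" section shows; granting "a server-wide public role" is not what the earlier text says carries the database permissions, so either drop that sentence or state explicitly that it is only the minimum login and that group membership is still required. Two smaller points in the same hunk: the note "Refer to points 1, 2, 3, and 4 in the previous section" points at the "Basic checks" list, which is an unnumbered bullet list, so either number that list or name the checks (ping/telnet/portqry, IIS service and listening port, IIS binding in inetmgr, firewall/proxy); and "connection string setting.Review the Application logs" is missing a space after the period, while "##Reference" needs a space after the hashes to render as a heading like the other "## " headings in the file.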