ce500fde9b
* Updated deployment-vdi-windows-defender-antivirus.md * Updated deployment-vdi-windows-defender-antivirus.md * Updated deployment-vdi-windows-defender-antivirus.md * updates for new vdi stuff * Adding important note to solve #3493 * Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> * Typo "<"→"<", ">"→">" https://docs.microsoft.com/en-us/windows/application-management/manage-windows-mixed-reality * Issue #2297 * Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> * Clarification * Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> * Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> * update troubleshoot-np.md * update configure-endpoints-gp.md * Removing a part which is not supported * Name change * update troubleshoot-np.md * removed on-premises added -hello * Added link into Domain controller guide * Line corections * corrected formatting of xml code samples When viewing the page in Win 10/Edge, the xml code samples stretched across the page, running into the side menu. The lack of line breaks also made it hard to read. This update adds line breaks and syntax highlighting, replaces curly double quotes with standard double quotes, and adds a closing tag for <appv:appconnectiongroup>for each code sample * Update windows/security/identity-protection/hello-for-business/hello-identity-verification.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> * Update windows/deployment/update/waas-delivery-optimization-reference.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> * Update windows/deployment/update/waas-delivery-optimization-reference.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> * corrected formating of XML examples The XML samples here present the same formatting problems as in about-the-connection-group-file51.md (see https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3847/) Perhaps we should open an issue to see if we have more versions of this code sample in the docs * corrected formatting of XML example section In the XML example on this page, the whitespace had been stripped out, so there were no spaces between adjacent attribute values or keys. This made it hard to read, though the original formatting allowed for a scroll bar, so the text was not running into the side of the page (compare to https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3847 and https://github.com/MicrosoftDocs/windows-itpro-docs/pull/3850, where the uncorrected formatting forced the text to run into the side menu). * update configure-endpoints-gp.md * Fixed error in registry path and improved description * Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> * Removing extra line in 25 Suggested by * update windows-analytics-azure-portal.md * re: broken links, credential-guard-considerations Context: * #3513, MVA is being retired and producing broken links * #3860 Microsoft Virtual Academy video links This page contains two links to deprecated video content on Microsoft Virtual Academy (MVA). MVA is being retired. In addition, the Deep Dive course the two links point to is already retired, and no replacement course exists. I removed the first link, as I could not find a similar video available describing which credentials are covered by credential guard. I replaced the second link with a video containing similar material, though it is not a "deep dive". Suggestions on handling this problem, as many pages contain similar links, would be appreciated,. * removed link to retired video re: #3867 Context: * #3513, MVA is being retired and producing broken links * #3867, Microsoft Virtual Academy video links This page contains a broken link to deprecated video content on Microsoft Virtual Academy (MVA). MVA is being retired. In addition, the Deep Dive course is already retired, and no replacement course exists. I removed the whole _See Also_ section, as I could not find a video narrowly or deeply addressing how to protect privelaged users with Credential Guard. The most likely candidate is too short and general: https://www.linkedin.com/learning/cism-cert-prep-1-information-security-governance/privileged-account-management * addressing broken mva links, #3817 Context: * #3513, MVA is being retired and producing broken links * #3817, Another broken link This page contains two links to deprecated video content on Microsoft Virtual Academy (MVA). MVA is being retired. In addition, the Deep Dive course the two links point to is already retired, and no replacement course exists. I removed the first link, as we no longer have a video with similar content for a similar audience. The most likely candidate is https://www.linkedin.com/learning/programming-foundations-web-security-2/types-of-credential-attacks, which is more general and for a less technical audience. I removed the second link and the _See Also_ section, as I could not find a similar video narrowly focused on which credentials are covered by Credential Guard. Most of the related material available now describes how to perform a task. * Update deployment-vdi-windows-defender-antivirus.md * typo fix re: #3876; DMSA -> DSMA * Addressing dead MVA links, #3818 This page, like its fellows in the mva-links label, contains links to a retired video course on a website that is retiring soon. The links listed by the user in issue #3818 were also on several other pages, related to Credentials Guard. These links were addressed in the pull requests #3875, #3872, and #3871 Credentials threat & lateral threat link: removed (see PR #3875 for reasoning) Virtualization link: replaced (see #3871 for reasoning) Credentials protected link: removed (see #3872 for reasoning) * Adding notes for known issue in script Solves #3869 * Updated the download link admx files Windows 10 Added link for April 2018 and Oct 2018 ADMX files. * added event logs path Referenced : https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard * Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md Suggestions applied. Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> * Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> * Update deployment-vdi-windows-defender-antivirus.md * screenshot update * Add files via upload * update 4 scrrenshots * Update deployment-vdi-windows-defender-antivirus.md * Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> * Update browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> * Re: #3909 Top link is broken, #3909 > The link here does not work: > Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) The link to the pdf describing MDATP was broken. Thankfully, PR #2897 updated the same link in another page some time ago, so I didn't have to go hunting for an equivalent * CI Update * Updated as per task 3405344 * Updated author * Update windows-analytics-azure-portal.md * added the example query * Updated author fields * Update office-csp.md * update video for testing * update video * Update surface-hub-site-readiness-guide.md line 134 Fixed video link MD formatting * fixing video url * updates from Albert * Bulk replaced author to manikadhiman * Bulk replaced ms.author to v-madhi * Latest content is published (#371) * Added 1903 policy DDF link and fixed a typo * Reverted the DDF version * Latest update (#375) * Update deployment-vdi-windows-defender-antivirus.md * Update deployment-vdi-windows-defender-antivirus.md
16 KiB
title, description, author, ms.assetid, ms.reviewer, manager, ms.author, ms.pagetype, ms.mktglfcycl, ms.sitesec, ms.prod, ms.date
| title | description | author | ms.assetid | ms.reviewer | manager | ms.author | ms.pagetype | ms.mktglfcycl | ms.sitesec | ms.prod | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Configuring MBAM 2.5 Server Features by Using Windows PowerShell | Configuring MBAM 2.5 Server Features by Using Windows PowerShell | dansimp | 826429fd-29bb-44be-b47e-5f5c7d20dd1d | dansimp | dansimp | mdop, security | manage | library | w10 | 08/30/2016 |
Configuring MBAM 2.5 Server Features by Using Windows PowerShell
After you install the MBAM 2.5 Server software, you can use configure MBAM 2.5 Server features by using Windows PowerShell cmdlets or the MBAM Server Configuration wizard. This topic describes how to configure MBAM 2.5 by using the Windows PowerShell cmdlets. To use the wizard instead, see Configuring the MBAM 2.5 Server Features.
In this topic
This topic includes the following information about using Windows PowerShell to configure MBAM:
-
Prerequisites and requirements for using Windows PowerShell to configure MBAM Server features
-
Using Windows PowerShell to configure MBAM on a remote computer
-
Required accounts and corresponding Windows PowerShell cmdlet parameters
For information about the Get-MbamBitLockerRecoveryKey and Get-MbamTPMOwnerPassword Windows PowerShell cmdlets, which are used to administer MBAM, see Using Windows PowerShell to Administer MBAM 2.5.
How to load Windows PowerShell Help for MBAM 2.5
For a list of the Windows PowerShell cmdlets on TechNet, see Microsoft Desktop Optimization Pack Automation with Windows PowerShell.
To load the MBAM 2.5 Help for Windows PowerShell cmdlets after installing the MBAM Server software
-
Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE).
-
Type Update-Help –Module Microsoft.MBAM.
How to get Help about an MBAM Windows PowerShell cmdlet
Windows PowerShell Help for MBAM is available in the following formats:
| Windows PowerShell Help format | More information |
|---|---|
At a Windows PowerShell command prompt, type Get-Help <cmdlet> |
To upload the latest Windows PowerShell cmdlets, follow the instructions in the previous section on how to load Windows PowerShell Help for MBAM. |
On TechNet as webpages |
|
On the Download Center as a Word .docx file |
|
On the Download Center as a .pdf file |
Configurations that you can do only with Windows PowerShell but not with the MBAM Server Configuration wizard
| Configurations that you can do only by using Windows PowerShell | Details |
|---|---|
Install the web services on a separate computer from the web applications. |
Using the wizard, you must install the web services and web applications on the same computer. |
Enable reports on a separate reporting services point without installing all of the Configuration Manager objects. |
|
Delete all of the objects from Configuration Manager. |
Deleting the objects in turn deletes all of the compliance data from Configuration Manager. |
Enter a custom connection string for the databases. |
Example: To configure the web applications to work with mirroring, you must use the Enable-MbamWebApplication cmdlet to specify the appropriate failover partner syntax in the connection string. |
Skip validation and configure a feature even though the prerequisite check failed. |
Note You cannot disable the MBAM databases with a Windows PowerShell cmdlet or the MBAM Server Configuration wizard. To prevent the accidental removal of your compliance and audit data, database administrators must remove databases manually.
Prerequisites and requirements for using Windows PowerShell to configure MBAM Server features
Before starting the configuration, complete the following prerequisites.
Account-related prerequisites
| Prerequisite | Details or additional information |
|---|---|
Create the required accounts. |
See section Required accounts and corresponding Windows PowerShell cmdlet parameters later in this topic. |
User accounts and groups that you pass as parameters to the Windows PowerShell cmdlets must be valid accounts in the domain. |
You cannot use local accounts. |
Specify accounts in the down-level format. |
Examples: domainNetBiosName\userdomainNetBiosName\group |
Permission-related prerequisites
| Prerequisite | Details or additional information | ||||||||
|---|---|---|---|---|---|---|---|---|---|
You must be an administrator on the local computer where you are configuring the MBAM feature. |
|||||||||
Use an elevated Windows PowerShell command prompt to run all Windows PowerShell cmdlets. |
|||||||||
For the Enable-MbamDatabase cmdlet only: You must have "create any database" permissions on the instance of the target Microsoft SQL Server database. This user account must be a part of the local administrators group or the Backup Operators group to register the MBAM Volume Shadow Copy Service (VSS) Writer. |
By default, the database administrator or system administrator has the required "create any database" permissions. For more information about VSS Writer, see Volume Shadow Copy Service. |
||||||||
For the System Center Configuration Manager Integration feature only: The user who enables this feature must have these rights in Configuration Manager: |
|
Using Windows PowerShell to configure MBAM on a remote computer
When to use this capability |
When you want to configure the MBAM 2.5 Server features on a remote computer. The Windows PowerShell cmdlets are running on one computer, and you are configuring the features on a different, remote computer. |
What you have to do |
To use Windows PowerShell to configure MBAM 2.5 Server features on a remote computer, you must:
|
Why you have to do it |
This protocol enables the Windows PowerShell cmdlets to connect to Active Directory Domain Services by using the user’s administrative credentials. You might get a validation error if you start the Windows PowerShell session without this protocol. |
How to start a Windows PowerShell session with the CredSSP protocol |
Type the following code at the Windows PowerShell prompt:
The following code shows an example.
|
Required accounts and corresponding Windows PowerShell cmdlet parameters
The following table describes the accounts that are required to configure MBAM 2.5 Server features. It also lists the corresponding Windows PowerShell cmdlet and parameter for which you have to specify the account during configuration.
Cmdlet Parameter Type (User or Group) Description Enable-MBAMDatabase
AccessAccount
User or Group
Specify a domain user or group that has read/write permission to this database to give the web applications access to data and reports in this database. If the value is a domain user, then the WebServiceApplicationPoolCredential parameter that is used when running the Enable-MbamWebApplication cmdlet must use the same user account. If the value is a domain Users group, then the domain account that is used by the WebServiceApplicationPoolCredential parameter must be a member of this group.
ReportAccount
User or Group
Specify a domain user or Users group that has read-only permission to this database to provide the MBAM reports access to the compliance and audit data. If the value is a domain user, then the ComplianceAndAuditDBCredential parameter of the Enable-MbamReport cmdlet must use the same user account. If the value is a domain Users group, then the domain account that is used by the ComplianceAndAuditDBCredential parameter must be a member of this group.
Enable-MbamReport
ComplianceAndAuditDBCredential
User
Specifies the administrative credential that the local SSRS instance uses to connect to the MBAM Compliance and Audit Database. The domain user in the administrative credential must be the same as the user account that is used for the ReportAccount parameter, which is used while running the Enable-MbamDatabase cmdlet. If a domain Users group was used with the ReportAccount parameter, this account should be a member of that group.
Important The account specified in the administrative credentials should have limited user rights for improved security. Also, the password of the account should be set to not expire.
ReportsReadOnlyAccessGroup
Group
Specifies the domain user group that has read permissions to the reports. The specified group must be the same group that is used for the ReportsReadOnlyAccessGroup parameter in the Enable-MbamWebApplication cmdlet.
Enable-MBAMWebApplication
AdvancedHelpdeskAccessGroup
Group
Specifies the domain Users group that has access to all areas of the Administration and Monitoring Website except the Reports area.
HelpdeskAccessGroup
Group
Specifies the domain Users group that has access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website.
ReportsReadOnlyAccessGroup
Group
Specifies the domain Users group that has read permission to the Reports area of the Administration and Monitoring Website. The specified group must be the same group that is used for the ReportsReadOnlyAccessGroup parameter in the Enable-MbamReport cmdlet.
WebServiceApplicationPoolCredential
User
Specifies the domain user to be used by the application pool for the MBAM web applications. It must be the same domain user account that is specified in the AccessAccount parameter of the Enable-MbamDatabase cmdlet. If a domain Users group was used by the AccessAccount parameter when running the Enable-MbamDatabase cmdlet, the domain user that is specified here must be a member of that group. If you do not specify the administrative credentials, the administrative credentials that were specified by any previously enabled web application are used. All of the web applications use the same application pool identity. If it is specified multiple times, the most recently specified value is used.
Important For improved security, set the account that is specified in the administrative credentials to limited user rights. Also, set the password of the account to never expire. Ensure that either the built-in IIS_IUSRS account or the account that is used for the WebServiceApplicationPoolCredential parameter has been added to the Impersonate a client after authentication local security setting.
To view the local security setting, open the Local Security Policy editor, expand the Local Policies node, select the User Rights Assignment node, and then double-click the Impersonate a client after authentication and Log on as a batch job Group Policy settings in the details pane.
Related topics
Configuring the MBAM 2.5 Server Features
Validating the MBAM 2.5 Server Feature Configuration
Using Windows PowerShell to Administer MBAM 2.5
Got a suggestion for MBAM?
- Add or vote on suggestions here.
- For MBAM issues, use the MBAM TechNet Forum.