Long ago, I did a step-by-step guide series on how to install MBAM 2.5 SP1 and integrate it with SCCM Configmgr 2012/Current Branch. In that guide, I used an MBAM server that had SQL Server and the MBAM components installed locally, and integrated MBAM with the Configmgr 2012 server.
A few days ago, I was trying to install MBAM 2.5 SP1 and integrate it with SCCM Configmgr Current Branch 1606 in my lab. In this setup, my requirement was different: I did not want to install SQL Server on the MBAM server (local), but instead use an existing SQL instance (remote) to install the MBAM databases and reports.
Since I already have SQL Server installed locally on my Configmgr server, I decided to use this SQL instance for my MBAM setup.
Before I started the setup in my lab, I followed the steps in my blog post, but I encountered some issues during the installation of the web components and reports.
In this blog post, I will share the steps (no screenshots), tips and PowerShell scripts that I used to set up MBAM in my lab.
If you are looking for the step-by-step guide series on how to install MBAM 2.5 SP1, please go through http://eskonr.com/2015/09/how-to-install-mbam-2-5-sp1-and-integrate-with-sccm-configmgr-2012-r2-sp1/
In my lab, I already have SCCM CB 1606 installed with SQL (local), and I will use this SQL instance to install my MBAM databases and reports (remote).
Below is my lab setup:
1 Domain Controller (DC01, apac.eskonr.com)
1 SCCM server running on Current Branch (CMCB01) with SQL local
1 MBAM Server (MBM01, plain server joined to the domain)
Here are the steps I followed, in short.
1. Create the required MBAM accounts.
2. Register the SPN for the MBAM server.
3. Log in to the MBAM server (MBM01) and install the prerequisites: the IIS components (no SQL Server is needed, since we will be using remote SQL) and ASP.NET MVC 4.
4. Log in to the SCCM server (CMCB01), make the changes to the MOF and hardware inventory, and run the MBAM server setup to perform the System Center Configuration Manager integration. You must run this setup only on your SCCM server.
5. Log in to the MBAM server (MBM01), insert or copy the media for a supported version of SQL Server, and install SSRS Reporting Services (native). SSRS must be installed and running during the MBAM server installation.
Configure SSRS in "native" mode, not in unconfigured or "SharePoint" mode. You cannot use a remotely installed SSRS for the MBAM server.
6. On the MBAM server, open Reporting Services Configuration Manager, click Connect, go to Web Service URL and create the virtual directory. Then move on to the Database tab and create the report server database, placing it on the remote server of your choice (in this case my SCCM server). To create the report server database (I named it MBAMReportServer) on the SCCM SQL instance, make sure you have full permissions on the SCCM SQL database. Follow the steps that Reporting Services Configuration Manager takes you through.
7. Make sure the Reporting Services service on your MBAM server (MBM01) runs under a domain account (it cannot be a system account or NT account) so that it can connect to the remotely configured report server database. Open services.msc, open the properties of the SQL Server Reporting Services service, and choose an account that has permissions to connect to the report server database (MBAMReportServer) on the SCCM server.
8. Restart the SQL Server Reporting Services service.
9. Now it is time to start the installation of the MBAM components on the MBAM server (MBM01).
10. Launch the MBAM server setup, go with the default installation, then open MBAM Server Configuration, click Add New Features, and select the databases (Compliance and Audit, Recovery Database) and Reports.
11. When the databases are created, launch the MBAM server setup again and this time select the leftover component, Web Applications (Administration and Monitoring, and Self-Service Portal).
At this step, I had some issues with the application pool account, which failed to connect to the MBAM Recovery and Hardware database installed on my Configmgr SQL server. I had to look at the logs to troubleshoot the issue, and fixed it by giving the MBAM_HD_AppPool account enough permissions on the MBAM Recovery and Hardware database on my SCCM server.
Error:
Cannot connect to the database using specified connection string 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True'
Error: System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'APAC\MBAM_HD_AppPool'.
12. If you see any errors during the installation of any of the MBAM components, check the Event Viewer, which will give you more information about the issue. Where to look in Event Viewer?
Open Event Viewer > Applications and Services Logs > Microsoft > Windows > MBAM-Setup. Under it there are two logs: 1) Admin 2) Operational.
All of these steps can be performed through PowerShell scripts, right from the creation of the MBAM user accounts and groups to the installation of the MBAM components.
Tanner Slayton, Sr Consultant Cyber Security at Microsoft, has posted MBAM scripts on GitHub; they can be downloaded from https://github.com/tslayton.
13. Configure the GPO settings as per your requirements. For more information on this, you can read part 5 of my step-by-step guide series.
14. If you want to add support for the BitLocker XTS-AES encryption type, install the September 2016 servicing release hotfix from https://support.microsoft.com/en-us/kb/3168628
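For the "Login failed for user 'APAC\MBAM_HD_AppPool'" error in step 11, the following added example (not one of the scripts used in this lab) checks, before the web applications are enabled, whether the application pool account has a login, a database user and role memberships on the remote SQL instance. Test-MbamDbAccess is a hypothetical helper name; the server, database and account values are the lab values from this post, and the script is assumed to run as an account that can read security metadata on the SQL instance.

```powershell
# Added example, not one of the author's scripts. Test-MbamDbAccess is a hypothetical name.
# Server, database and account are the lab values from this post; change them as needed.
$SqlServer = 'CMCB01.apac.eskonr.com'
$Database  = 'MBAM Recovery and Hardware'
$Account   = 'APAC\MBAM_HD_AppPool'

function Test-MbamDbAccess {
    param(
        [Parameter(Mandatory)] [string] $SqlServer,
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $Account
    )
    # Same connection string shape that MBAM setup reports in the error in step 11.
    $connString = 'Data Source={0};Initial Catalog="{1}";Integrated Security=True' -f $SqlServer, $Database
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        [void]$cmd.Parameters.AddWithValue('@account', $Account)
        # Direct server login. An account that only gets in through a Windows group shows False.
        $cmd.CommandText = 'SELECT COUNT(*) FROM sys.server_principals WHERE name = @account'
        $hasLogin = ([int]$cmd.ExecuteScalar()) -gt 0
        # User mapped inside the MBAM database.
        $cmd.CommandText = 'SELECT COUNT(*) FROM sys.database_principals WHERE name = @account'
        $hasUser = ([int]$cmd.ExecuteScalar()) -gt 0
        # Database roles the user is a direct member of.
        $cmd.CommandText = @'
SELECT r.name
FROM sys.database_principals AS u
JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
WHERE u.name = @account
'@
        $roles = @()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
        $reader.Close()
        [pscustomobject]@{
            Account = $Account; HasServerLogin = $hasLogin
            HasDatabaseUser = $hasUser; DatabaseRoles = $roles
        }
    }
    finally { $conn.Dispose() }
}

Test-MbamDbAccess -SqlServer $SqlServer -Database $Database -Account $Account
```

A result with no server login and no database user, where no Windows group grants the access either, matches the login failure shown in step 11.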
Below are the scripts and command lines that I used while installing the MBAM components in my lab.
Adding IIS Features:
Write-Host 'Adding IIS and the components required for MBAM Installation of the Helpdesk and SelfService Portals'
$Features = 'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc', 'Web-Static-Content', 'Web-Security', 'Web-Filtering', 'Web-Windows-Auth', 'Web-App-Dev', 'Web-Net-Ext45',
'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Tools', 'Web-Mgmt-Console', 'NET-WCF-Services45', 'NET-WCF-HTTP-Activation45', 'NET-WCF-TCP-Activation45',
'WAS', 'WAS-Process-Model', 'WAS-NET-Environment', 'WAS-Config-APIs'
Add-WindowsFeature -Name $Features
Install MBAM components:
Import-Module 'C:\Program Files\Microsoft BitLocker Administration and Monitoring\WindowsPowerShell\Modules\Microsoft.MBAM\Microsoft.MBAM.psd1'
# Enable compliance and audit database
Enable-MbamDatabase -AccessAccount 'APAC\MBAM_DB_RW' -ComplianceAndAudit -ConnectionString 'Data Source=CMCB01.apac.eskonr.com;Integrated Security=True' -DatabaseName 'MBAM Compliance Status' -ReportAccount 'APAC\MBAM_DB_RO'
# Enable recovery database
Enable-MbamDatabase -AccessAccount 'APAC\MBAM_DB_RO' -ConnectionString 'Data Source=CMCB01.apac.eskonr.com;Integrated Security=True' -DatabaseName 'MBAM Recovery and Hardware' -Recovery
# Enable self service web portal feature
Enable-MbamWebApplication -CompanyName 'Eskonr' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskUrlText 'Contact Helpdesk or IT department.' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -SelfServicePortal -VirtualDirectory 'SelfService' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)
# Enable report feature
Enable-MbamReport -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -ComplianceAndAuditDBCredential (Get-Credential -UserName "APAC\MBAM_DB_RO" -Message ComplianceAndAuditDBCredential) -ReportsReadOnlyAccessGroup 'APAC\MBAM_HD_Reports'
# Enable agent service feature
Enable-MbamWebApplication -AgentService -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -DataMigrationAccessGroup 'APAC\MBAM_HD_DataMig' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)
# Enable administration web portal feature
Enable-MbamWebApplication -AdministrationPortal -AdvancedHelpdeskAccessGroup 'APAC\MBAM_HD_Adv_Users' -ComplianceAndAuditDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Compliance Status";Integrated Security=True' -HelpdeskAccessGroup 'APAC\MBAM_HD_Users' -HostName 'MBM01.apac.eskonr.com' -InstallationPath 'C:\inetpub' -Port 80 -RecoveryDBConnectionString 'Data Source=CMCB01.apac.eskonr.com;Initial Catalog="MBAM Recovery and Hardware";Integrated Security=True' -ReportsReadOnlyAccessGroup 'APAC\MBAM_HD_Reports' -ReportUrl 'http://mbm01.apac.eskonr.com/ReportServer' -VirtualDirectory 'HelpDesk' -WebServiceApplicationPoolCredential (Get-Credential -UserName "APAC\MBAM_HD_AppPool" -Message WebServiceApplicationPoolCredential)
Hope it helps!