Wednesday, 18 May 2016

Microsoft BitLocker Administration & Monitoring (MBAM) - Prerequisites, Deployment Process & Testing - Part 1

Hello Everyone,

In this blog post, I will explain MBAM (Microsoft BitLocker Administration & Monitoring).

MBAM is used to encrypt drives with a PIN, adding a layer of protection for OS drives, fixed drives and external drives.

The tool configures BitLocker Drive Encryption on client machines to protect official data from unauthorised access. Microsoft provides MBAM Group Policy templates which can be configured as required and then deployed to the client machines. After that you can monitor the client machines' compliance status using reports.

With MBAM it is also easy to recover a key or a lost PIN through the self-service portal.

Let's start with prerequisites, deployment process & testing for MBAM.


Prerequisites:

  • Hardware Requirement for MBAM Server:
  • OS Requirements for MBAM Server & it's Database Server:
  • SQL Server requirements for MBAM Database:
  • Hardware Requirements for MBAM Database Server:
  • Supported Client Machine Operating System Requirements:

  • Required Software:

           NOTE: MDOP Setup can be downloaded from Microsoft License Portal.
  • Required Accounts:
  • MBAM Server Informations:
MBAM requires two servers: one for the MBAM database and one for the MBAM server itself. MBAM includes multiple roles which need to be configured on the two servers as required; the details for each component are explained below:


These are the basic prerequisites which need to be ready before starting the deployment. I will explain the other prerequisites step by step during the deployment.

MBAM Database Server - SQL Server 2012 SP1 Installation & Configuration:

Prerequisites:


  • Install the IIS role & .NET Framework features from Server Manager using Add Roles & Features:






SQL Server 2012 SP1 Installation:

Run the setup as administrator:


Follow the further instructions by clicking Next, accept the license agreement and select the features listed below for the database installation:
  • Database Engine Services
  • Reporting Service - Native
  • Client Tools Connectivity
  • Management Tools - Basic & Complete
Change the installation drive path if you want to install to a drive other than the default:



Choose Default Instance:


Provide the SQL service account credentials:



Check Collation:



Set the SA account password and add all accounts:



Select Install & Configure for the Reporting Services configuration:



Click Next & Install:



After installation, connect to the SQL Server:



Open the account properties:



Give the accounts the permissions below:

  • DBReader
  • Processadmin

Now register an SPN for the application pool account used by the Administration & Monitoring website and the Self-Service Portal.

To register the SPN, go to a domain-joined machine, open a command prompt as administrator and run the command below (the account is written as Domain\Account, not with a forward slash):

setspn -S http/"FQDN of MBAM Server" Domain_Name\ApplicationPoolAccount_Name
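The same registration, as an added PowerShell example that is not part of the original post. It queries the forest for an existing registration before adding, because a duplicate SPN (the same http/name on two accounts) silently breaks Kerberos for the MBAM sites. The server FQDN, domain and account names are placeholders; the script must run on a domain-joined machine with rights to write the account's servicePrincipalName attribute.

```powershell
# Added example (not from the original post): register and verify the SPNs
# the MBAM websites need for Kerberos. All three values are placeholders.
$MbamServerFqdn = "mbam01.corp.example.com"   # placeholder MBAM server FQDN
$Domain         = "CORP"                      # placeholder NetBIOS domain name
$AppPoolAccount = "svc_mbamapppool"           # placeholder app pool account

# Register both the FQDN and the short host name, since clients may use either.
$spns = @("http/$MbamServerFqdn", "http/$($MbamServerFqdn.Split('.')[0])")

foreach ($spn in $spns) {
    # setspn -Q searches the forest for any account already holding this SPN.
    $existing = setspn -Q $spn 2>&1
    if ($existing -match 'Existing SPN found') {
        Write-Host "Already registered, not adding again:`n$existing"
        continue
    }
    # -S checks for duplicates again before writing, so the add is safe.
    setspn -S $spn "$Domain\$AppPoolAccount"
}

# Show everything now registered on the account for a final review.
setspn -L "$Domain\$AppPoolAccount"
```

If the query reports the SPN on a different account than the MBAM application pool account, remove it there first (setspn -D) rather than adding a second copy.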


MBAM Roles configurations on MBAM Database Server:

Run the MBAM 2.5 SP1 Setup:



Click Next:



Accept License Agreement:



Click Next:



Click Next:



Click Install:


Click Finish:





Post-Configurations:

Open the MBAM console and add the roles below:

  • Compliance & Audit Database
  • Recovery Database
  • Reports
Click on Add New Features:


Select the features listed above and click Next:


Click Next:


Provide the details shown below to configure the databases:


and,


Provide the details below to configure the reports:


and,


Click Next, Next & Close:


Check that the databases have been created:



Check that the required MBAM folder has been created in Reports:


Expand the folder and check that the required reports have been created:


MBAM Server - Prerequisites & MBAM 2.5 SP1 Installation:

Prerequisites for MBAM Server Role:

Install the complete IIS role & .NET Framework features from Add Roles & Features:



and,



Install AspNetMVC4Setup on the MBAM server for the Self-Service Portal configuration:



Click Install:


Click Close:




MBAM 2.5 SP1 Installation:

Run the MBAM 2.5 SP1 setup on the MBAM server:



Click Next:



Accept License Agreement:



Click Next:




Click Next:




Click Install:




Click Finish:





Post Configurations:

Open the MBAM console and click Add Features to add the features below:

  • Administration & Monitoring Websites
  • Self Service Portal
Click on Add New Features:


Select the features listed above:


Click Next:




Provide the required details as shown in the screenshots below:




and,



and,




and,



Click Add & Close:


Open IIS Manager and check that all websites are configured correctly:



Open http://MBAM_Server_FQDN/HelpDesk/ using the MBAMAppPool user account:


Open http://MBAM_Server_FQDN/SelfService/ using the MBAMAppPool user account:


Accept and click Continue:


Open http://MBAM_Server_FQDN/MBAMAdministrationService/:



Click on AdministrationService.svc:


Open http://MBAM_Server_FQDN/MBAMComplianceStatusService/:


Click on StatusReportingService.svc:


Open http://MBAM_Server_FQDN/MBAMRecoveryAndHardwareService/:


Click on CoreServices.svc:


All configurations are complete now.

The next task is to configure the MBAM GPO templates.
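The browser checks above can be scripted so that they are repeatable after every change to the IIS sites. This is an added PowerShell example, not code from the original post: it requests each website and service endpoint named above with the logged-on Windows credentials and prints the HTTP status instead of failing on the first error. The server FQDN is a placeholder, and the URLs are plain http as in the post; the same check works unchanged with https once a certificate is bound to the MBAM sites.

```powershell
# Added example (not from the original post): probe each MBAM website and
# service endpoint and report the HTTP status code for each.
$MbamServerFqdn = "mbam01.corp.example.com"   # placeholder MBAM server FQDN
$paths = @(
    "/HelpDesk/",
    "/SelfService/",
    "/MBAMAdministrationService/AdministrationService.svc",
    "/MBAMComplianceStatusService/StatusReportingService.svc",
    "/MBAMRecoveryAndHardwareService/CoreServices.svc"
)

foreach ($path in $paths) {
    $url = "http://$MbamServerFqdn$path"
    try {
        # -UseDefaultCredentials sends the current Windows logon (Kerberos/NTLM),
        # which is what the MBAM sites expect; anonymous requests get 401.
        $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
        "{0,-75} {1}" -f $url, $r.StatusCode
    } catch {
        # A 401/403 here is a configuration signal rather than a transport error:
        # either the account running this lacks the MBAM role for that site, or
        # Windows authentication is not enabled on the IIS site.
        $code = $_.Exception.Response.StatusCode.value__
        $text = if ($code) { $code } else { $_.Exception.Message }
        "{0,-75} {1}" -f $url, $text
    }
}
```

Run it as the MBAMAppPool account, as the post does for the HelpDesk and SelfService sites, and then again as an ordinary domain user; the second run shows which sites are reachable to users who hold no MBAM role.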

MBAM Group Policy Template configuration & deployment:

You need to download and configure the Group Policy template for MBAM as required. The steps and reference links to follow are given below:


NOTE: You must configure a separate policy for each OS version, i.e. Windows 7, Windows 8 and Windows 10 each get their own policy.

  • After that, create separate OUs based on the client machines' OS version and move each machine into the OU for its OS.
  • Deploy the configured policies to the respective OUs according to OS version.

MBAM Client Deployment:


There are several ways to deploy the MBAM client to the test machines, such as SCCM, Group Policy or manually from the command line.

Copy the MBAM client setup to the client machine and run the command below in an elevated command prompt:

MBAMClientSetup.exe /acceptEula=Yes

This setup is available only in the MBAM setup folder.

Note: When configuring the MBAM services via Group Policy, two policy timers are configured: Client Checking Status Frequency (default: 90 minutes) and Status Reporting Frequency (default: 720 minutes).
These timers have corresponding registry settings that can be changed manually so that the checks run immediately when the MBAM client is restarted. This is commonly done during testing to trigger the user prompt for starting encryption quickly and to force the status report to update. The key and the values to set are listed below:

HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement

Set ClientWakeUpFrequency = 1 and StatusReportingFrequency = 1

After changing the registry, restart the MBAM client agent on the client machine.

From the Start screen, type cmd, right-click the cmd tile and click Run as administrator. At the command prompt, run the following commands to restart the MBAM client agent:

net stop mbamagent
net start mbamagent


If the timers are not changed, you will have to wait for the interval configured in the policy before the encryption prompt appears automatically.
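The client deployment and timer steps above, as an added PowerShell example that is not part of the original post. It installs the client unattended with the /acceptEula=Yes switch from the post, sets both timers under the registry key given above to 1, restarts the mbamagent service, and includes a function to put the 90 and 720 minute defaults back once testing is done. The installer path is a placeholder; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): install the MBAM client,
# shorten the two policy timers for testing, restart the agent, and
# restore the defaults afterwards.
$Installer = "C:\Temp\MBAMClientSetup.exe"   # placeholder path to the client setup
$RegPath   = "HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement"
$Defaults  = @{ ClientWakeUpFrequency = 90; StatusReportingFrequency = 720 }  # defaults from the post

# 1. Unattended install, same switch as the manual command in the post.
Start-Process -FilePath $Installer -ArgumentList "/acceptEula=Yes" -Wait

# 2. Set both timers to 1 minute. The key lives under Policies\, so the next
#    Group Policy refresh overwrites these values with the policy defaults;
#    that is fine, since the 1 minute interval is only wanted while testing.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
foreach ($name in $Defaults.Keys) {
    Set-ItemProperty -Path $RegPath -Name $name -Value 1 -Type DWord
}

# 3. Restart the agent so it reads the new timers (equivalent to net stop/net start).
Restart-Service -Name mbamagent

# 4. Confirm the agent is running and show the values now in effect.
Get-Service -Name mbamagent | Select-Object Name, Status
Get-ItemProperty -Path $RegPath | Select-Object ClientWakeUpFrequency, StatusReportingFrequency

# 5. Call this when testing is finished so the client stops polling the
#    server every minute (running gpupdate /force has the same effect).
function Restore-MbamTimers {
    foreach ($name in $Defaults.Keys) {
        Set-ItemProperty -Path $RegPath -Name $name -Value $Defaults[$name] -Type DWord
    }
    Restart-Service -Name mbamagent
}
```

Leaving the timers at 1 on a large fleet turns every client into a minute-by-minute poller of the Administration & Monitoring site, so step 5 belongs in the test plan rather than being left for later.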

MBAM 2.5 SP1 Testing on Client Machine:

Either wait for 90 minutes for the MBAM client's encryption window to appear automatically, or open the MBAM client UI from C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe.

Click Start once the setup console opens:


Enter the password for encryption:


Monitor the process:

Note: This process may take several hours depending on the amount of used disk space; there is no fixed time for a given disk size.

Also, if you shut down the machine during encryption, encryption resumes from the point where it stopped the next time the machine starts.



Once encryption is complete, click Exit and restart the machine:


After the restart, the machine asks for the encryption password, so provide the PIN:



If you forget the PIN, you can recover it through the self-service portal.

After the credentials are verified, it prompts for the user login:


The same process is followed to encrypt fixed drives. After a fixed drive is encrypted and the machine is restarted, a lock symbol appears on the fixed drive as shown below:


To unlock the fixed drive, double-click it and a console opens asking for the password:


Click Unlock:


Once the password is verified, the drive is unlocked and you can access the data:


You can check the status report as well:


In the reports you can also see the reason for a non-compliant status.


This is all about the MBAM 2.5 SP1 standalone deployment process.

Reference Link:

https://technet.microsoft.com/en-gb/itpro/mdop/mbam-v25/index

Happy Reading!!!

If you like my posts then follow my updates:

http://www.mdtechskillssolutions.com

Join my Facebook group for updates on trending technologies/technical references/issues etc:

https://www.facebook.com/groups/technicalskillsenhancementworld/

8 comments:

  1. I get "access is denied" when opening the MBAMAdministrationService. Why is this? Also, the technet MBAM documentation says that you should not have access to this site so that the access denied is normal. Did you make any modification?

  2. Hi,

    Apologies for delay in response!

    Make sure the account used for installation has administrative rights... else this will create this issue. I used an account with administrative rights and full permission on all accounts and didn't face such a message.

    Thanks,
    Mayank Dhama

  3. Thank you for a nice post. May you please send me a step-by-step guide on how to deploy the same on SCCM 2012? My email: lelojohnmmasi@outlook.com
    Thanks

  4. How would you configure this to connect to a remote SQL server?

  5. Hi, after using the above steps I am getting the error "error message 401.2 Unauthorized: Logon failed due to server configuration"

  6. Hi, thanks for the above article. In my self-service portal I can only see the Contoso IT page and my user name; the rest is all blank
