Microsoft BitLocker Administration and Monitoring 2.5 installation and Configuration Manager 2012 R2 integration

First, a bit of the official documentation:

MBAM 2.5 has the following features:

  • Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
  • Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
  • Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.
  • Reduces the workload on the Help Desk to assist end users with BitLocker PIN and recovery key requests.
  • Enables end users to recover encrypted devices independently by using the Self-Service Portal.
  • Enables security officers to easily audit access to recovery key information.
  • Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.

MBAM enforces the BitLocker encryption policy options that you set for your enterprise, monitors the compliance of client computers with those policies, and reports on the encryption status of the enterprise’s and individual’s computers. In addition, MBAM lets you access the recovery key information when users forget their PIN or password, or when their BIOS or boot records change.

The following groups might be interested in using MBAM to manage BitLocker:

  • Administrators, IT security professionals, and compliance officers who are responsible for ensuring that confidential data is not disclosed without authorization
  • Administrators who are responsible for computer security in remote or branch offices
  • Administrators who are responsible for client computers that are running Windows

Architecture of the MBAM service (diagram not reproduced here).

In this article I will describe the installation of MBAM 2.5 and integration with Configuration Manager 2012 R2.

This installation will involve three virtual servers: the domain controller, the ConfigMgr site server and SQL server, which will store the MBAM databases.

My SQL server already has default MSSQLSERVER instance with:

  • Database engine
  • Reporting services (native)
  • Management tools complete

and several instances for the System Center product family. I need to add Analysis Services:


In addition, MBAM Administration and Monitoring Server will be installed on the same server (SQL), so we need to install IIS and some components of Windows Server:

.NET Framework 3.5.1 features:

  • .NET Framework 3.5.1
  • WCF Activation
    • HTTP Activation
    • Non-HTTP Activation

.NET Framework 4.5 features:

  • WCF Services
    • TCP Activation

Windows Process Activation Service:

  • Process Model
  • .NET Environment
  • Configuration APIs

IIS:

Common HTTP Features:

  • Static Content
  • Default Document

Application Development:

  • ASP.NET
  • .NET Extensibility
  • ISAPI Extensions
  • ISAPI Filters

Security:

  • Windows Authentication
  • Request Filtering


In addition, you need to install ASP.NET MVC 4:


After that, create the user accounts and groups for MBAM:


For the user that will run the application pool of our web application, register an SPN:

Setspn -S HTTP/sql.firma.com FIRMA\MBAM_HD_AppPool

Then check whether the SPN has been registered:

Setspn -L FIRMA\MBAM_HD_AppPool

After registering an SPN for this account, an additional Delegation tab appears. Activate the option Trust this user for delegation to any service (Kerberos only):

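Before moving on, it is worth confirming from Active Directory that the SPN is unique, that it sits on the intended account, and which delegation mode the account ended up with. The script below is an added example and not part of the original article; it assumes the article's names (FIRMA\MBAM_HD_AppPool, sql.firma.com) and a machine with the ActiveDirectory RSAT module installed.

```powershell
# Added example (not from the original article): checks the SPN registration
# and the delegation mode of the MBAM application pool account after the
# setspn steps above. Account and host names are the article's; run from a
# machine that has the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$account = 'MBAM_HD_AppPool'
$spn     = 'HTTP/sql.firma.com'

# 1. An SPN must be unique in the forest. A duplicate makes Kerberos fail or
#    fall back to NTLM, which shows up later as authentication errors on the web app.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { Write-Warning "$spn is not registered on any account" }
    1       { "$spn is registered on $($owners[0].DistinguishedName)" }
    default { Write-Warning "$spn is duplicated on: $($owners.Name -join ', ')" }
}

# 2. Confirm the SPN sits on the intended account (the same view 'setspn -L' gives).
$user = Get-ADUser -Identity $account -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($user.servicePrincipalName -notcontains $spn) {
    Write-Warning "$account does not carry $spn"
}

# 3. Report the delegation mode. 'Trust this user for delegation to any service
#    (Kerberos only)' sets TrustedForDelegation (unconstrained delegation); the
#    constrained form lists the permitted target services instead.
if ($user.TrustedForDelegation) {
    "$account : unconstrained delegation (any service)"
} elseif ($user.'msDS-AllowedToDelegateTo') {
    "$account : constrained delegation to $($user.'msDS-AllowedToDelegateTo' -join ', ')"
} else {
    "$account : delegation not configured"
}
```

The third check is the one to read carefully: "any service" is unconstrained delegation, which lets the host holding this account reuse the tickets of every user who authenticates to it against any service in the domain. If the web application only needs to reach SQL Server on the users' behalf, choosing Trust this user for delegation to specified services only and adding the MSSQLSvc SPN of the database server on the same Delegation tab gives the same functionality with far less exposure; the script will then report the constrained target list instead.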

On the Configuration Manager Server, browse to the location <CMInstallLocation>\Inboxes\clifiles.src\hinv\ and add the MBAM classes to Configuration.mof:


Create a .mof file:


Open the default client settings, go to Hardware Inventory – Set Classes, import the classes from the .mof file and enable the new classes:


On the Configuration Manager server, mount the Microsoft Desktop Optimization Pack 2014 R2 image and run the MBAM server installation:


Run the Configuration Wizard and select the integration with Configuration Manager:


Specify the database server for the reports and complete the installation:


After the integration completes, Configuration Items and a Configuration Baseline appear in Configuration Manager; they are deployed to the MBAM Supported Computers collection, which was created automatically:


What these are for will become clear at the end of the article.

MBAM Supported Computers is a dynamic collection based on a query that we need to edit: in my lab I use only VMs, so for them to be selected by the query we have to remove the restriction that excludes virtual machines:


Before installing the databases and web applications we need to prepare the SQL server. The MBAM_HD_AppPool user is added to the local Administrators group and given the appropriate permissions on SQL Server:


Mount the same Microsoft Desktop Optimization Pack 2014 R2 image, run the MBAM server installation under the MBAM_HD_AppPool account and then launch the Configuration Wizard:


The SQL server will host the MBAM databases, the web application for managing keys together with the BitLocker Recovery Audit Report (the only report served by the web application; the remaining reports are available from the SCCM console after integration), and the Self-Service Portal for users:


Set the FQDN of the database server and the accounts we created earlier:


Specify the accounts to work with reports:


Specify the accounts and the path for the web application files:


The result:


Move on to the domain controller. Download the Microsoft Desktop Optimization Pack Group Policy Administrative Templates and unpack them. We need two .admx files and two .adml files:


Copy the .admx files to %systemroot%\PolicyDefinitions and the .adml files to the subfolder for the appropriate language:


Create an OU with a test computer. I used Windows 8.1 and Windows 10, which, I remind you, is still in the testing phase and is not officially supported by Configuration Manager:


Create a group policy for this OU (attention: do not change the other group policies that apply to BitLocker Drive Encryption, otherwise MBAM will not work properly):


Add http(s)://<servername>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc as the MBAM Recovery service and disable the MBAM Status reporting service, because we have enabled the MBAM and SCCM integration:


Turn on the encryption policy for the system drive and allow BitLocker without a Trusted Platform Module:


Configure the password for the system drive:


Set the number of days during which the user can postpone applying the MBAM system drive policy:


Set the BitLocker settings for removable drives:


Proceed to install the MBAM client. You can create an application from the .msi file instead of installing the client manually:


Deploy the application:


Then wait for the MBAM client to start automatically, or run MBAMClientUI.exe from C:\Program Files\Microsoft\MDOP MBAM:


We get the error message because the virtual machine has no TPM. To encrypt the system disk, use the BitLocker applet in the Control Panel:


Save the recovery key:


Are we ready to encrypt a system drive?


To obtain the recovery key you need to know the first eight digits of the recovery key ID:

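The key ID shown on the recovery screen can also be read from inside Windows, which is handy when checking a machine before it ever needs recovery or when the Help Desk wants to confirm that the ID the user reads out matches the volume. The script below is an added example and not part of the original article; it uses the BitLocker PowerShell module that ships with Windows 8 / Server 2012 and later and must be run elevated on the client.

```powershell
# Added example (not from the original article): lists the recovery password
# protectors of a BitLocker volume and the first eight characters of each key
# protector ID, which is what the MBAM Help Desk web application asks for.
# The recovery password itself is deliberately not printed.
Import-Module BitLocker

function Get-RecoveryKeyIdPrefix {
    param(
        # Volume to inspect; defaults to the system drive (usually C:).
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recoveryProtectors = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($recoveryProtectors.Count -eq 0) {
        # Without a recovery password protector MBAM has nothing to escrow and
        # the web application cannot help this machine at all.
        Write-Warning "$MountPoint has no RecoveryPassword protector (status: $($vol.VolumeStatus))"
        return
    }

    foreach ($p in $recoveryProtectors) {
        # KeyProtectorId looks like {1A2B3C4D-....}; the recovery screen and the
        # web application identify it by the first eight hex characters.
        $id = $p.KeyProtectorId.Trim('{}')
        [pscustomobject]@{
            MountPoint       = $MountPoint
            VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus = $vol.ProtectionStatus   # On / Off
            KeyProtectorId   = $p.KeyProtectorId
            IdPrefix         = $id.Substring(0, 8)
        }
    }
}

# Usage: system drive by default, or pass another mount point such as 'D:'.
Get-RecoveryKeyIdPrefix | Format-Table -AutoSize
```

Note that this tells you the volume has a recovery password protector, not that MBAM has received it: escrow is only proven by looking the same ID up in the web application (or, for an administrator, in the Recovery Audit Report), so a quick lookup of the IdPrefix after encryption finishes is the real end-to-end test of the deployment.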

Open the web application and make a request for key recovery:


Enter the key, press Enter and get access to the operating system:


Manage TPM:


There is only one report, the Recovery Audit Report, in Microsoft BitLocker Administration and Monitoring:


The remaining reports are in Configuration Manager; they are populated with data once compliance with the settings specified in the BitLocker Protection configuration baseline has been evaluated:


11 thoughts on “Microsoft BitLocker Administration and Monitoring 2.5 installation and Configuration Manager 2012 R2 integration”

  1. Why not use BitLocker Encryption Options? For a machine without a TPM module I make a Group Policy and encrypt with a password.

    1. Microsoft doesn’t recommend changing these settings:

      Do not change the Group Policy settings in the BitLocker Drive Encryption node, or MBAM will not work correctly. MBAM automatically configures the settings in this node for you when you configure the settings in the MDOP MBAM (BitLocker Management) node.

  2. I enable this option in Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive – “Allow BitLocker without a compatible TPM (requires a password)”.

  3. Hi,
    while generating reports, we are getting the below error:
    ” the mbam view policy doesnot exist ”

    Could you help me with how to resolve this?

  4. Hi,
    Excellent instructions, it is complete.

    I am having some problem when running the initial wizard to add new features for the first time for MBAM.

    When choosing the option System Center Configuration Manager Integration, the prerequisite check is OK, but the next step fails with an error when connecting to the database server.
    Error: This feature requires that you configure system center configuration manager with sql server reporting services.

    Must the database server have Configuration Manager installed on it?

    Thank you.

  5. Hello Guys,

    I am getting this weird error when I am trying to add hardware inventory classes. Any idea how to fix it?

    C:\Users\scwi\Desktop>mofcomp sms_def.mof
    Microsoft (R) MOF Compiler Version 6.3.9600.16384
    Copyright (c) Microsoft Corp. 1997-2006. All rights reserved.
    Parsing MOF file: sms_def.mof
    MOF file has been successfully parsed
    Storing data in the repository…
    An error occurred while creating object 2 defined on lines 10 – 42:
    0X80041002 Class, instance, or property ‘SMS_Class_Template’ was not found.
    Compiler returned error 0x80041002

  6. Have the same error…
    I used Default client settings…
    There is a problem with the mbam section in the sms_def.mof file. The other three sections are OK and can be imported properly if you put them into separate mof files…

    C:\Users\scwi\Desktop>mofcomp sms_def.mof
    Microsoft (R) MOF Compiler Version 6.3.9600.16384
    Copyright (c) Microsoft Corp. 1997-2006. All rights reserved.
    Parsing MOF file: sms_def.mof
    MOF file has been successfully parsed
    Storing data in the repository…
    An error occurred while creating object 2 defined on lines 10 – 42:
    0X80041002 Class, instance, or property ‘SMS_Class_Template’ was not found.
    Compiler returned error 0x80041002

  7. I can’t find the policy named “Disallow standard users from changing the PIN or password”.
    I’ve finished importing MBAM 2.5 SP1.
    Please help.
