How to deploy MBAM 2.5 in a Stand-Alone Configuration:
This video is divided into three part:
- How to install MBAM server with stand-alone configuration.
- How to add MBAM ADMX file into Group Policy Management.
- How to install the MBAM client and turn on BitLocker.
You can turn on BitLocker without TPM, but if you have a system designed with TPM chip, please turn on it, I am not going to explain to you what TPM is, I trust you and on your google skills that you can find out by yourself, but generally, TPM is a physical chip which embedded on your board and stores RSA encryption keys, not only this chip includes multiple physical security mechanisms, by the way, Microsoft recommends deploying BitLocker only for devices which are fitted with a Trusted Platform Module (TPM).
- By the way, today there is the ability to turn on TPM by SCCM remotely.
- it is one of credential guard requirements which demands “TPM 2.0 either discrete or firmware (preferred – provides binding to hardware)”
You can get more information about your TPM by opening “TPM.msc”, you can deploy some GPO’s which are available for you.
For further information about Trusted Platform Module:
Before deploying MBAM you have to perform some prerequisites:
I would suggest going to the following URL which describes you perfectly the MBAM prerequisites, installation, and best practices settings you might set up:
There are many important points you have to ensure during the prerequisites:
Server Roles & Features:
- Web Server (IIS) Management Tools (Click IIS Management Scripts and Tools.)
Web Server Role Services
Common HTTP features
Web Service IIS Management Tools
- .NET Framework 4.5 features
- The Microsoft .NET Framework 4.5
For Windows Server 2012 or Windows Server 2012 R2, the .NET Framework 4.5 is already installed on these versions of Windows Server. However, you must enable it.
For Windows Server 2008 R2, the .NET Framework 4.5 is not included with Windows Server 2008 R2. So, you must download the .NET Framework 4.5 and install it separately.
- WCF Activation
- TCP Activation
- Windows Process Activation Service:
.NET Framework Environment
- The Microsoft .NET Framework 4.5
Creating users and group in Active Directory Domain Services:
MBAMAppPool – Domain user who has read/write permission to the Compliance and Audit Database
MBAMROUser – Domain user who will have read-only access to the Compliance and Audit Database
MBAMAdvHelpDsk – MBAM Advanced Helpdesk Users access group: Domain user group whose members have access to all areas of the Administration and Monitoring Website
MBAMHelpDsk – MBAM Helpdesk Users access group: Domain user group whose members have access to the Manage TPM and Drive Recovery areas of the MBAM Administration and Monitoring Website
MBAMRUGrp – Domain user group whose members have read-only access to the reports in the Reports area of the Administration and Monitoring Website.
Go back to SQL server and grant to “MBAMAppPool” user the following roles:
Register SPNS for the application pool account and configure constrained delegation:
Open PowerShell and the following command:
SetSpn -s http/MBAMFQDN.DOMAIN.co.il PELEGIT\MBAMAppPool
- Go to Active Directory, and find the app pool credentials that you configured for MBAM websites in the earlier steps.
- Right-click, and go to properties.
- Click the delegation
- Click the option for Kerberos authentication.
Installing, Configure, deploying, MBAM 2.5 sp1 Step by step: