Tips & Tricks with MBAM 2.5 - Part 1: Domain Controller and Group Policy Management

We have periodically received requests on some of the Tips and Tricks regarding Microsoft BitLocker Administration and Monitoring (MBAM).  So we will be posting a series of blogs and have them listed below.

Part 1: Domain Controller and Group Policy Management

This blog will be focused on Domain Controller and Group Policy Management.

Tip 1:

Before installing or adding MBAM web components, decide if you are going to use a custom name or a default hostname of your web server.

If you are going to use custom name, create an A Record in DNS and register the SPN for the custom name you have decided on.

setspn -s http/ contoso\AppPoolName

setspn -s http/custom contoso\AppPoolName

Tip 2:

If you plan on using SSL, issue the certificate to the hostname you are planning to use.

For example, I like to use the custom host name such as and my web server name as

Issue the certificate to

Tip 3:

Setting SPN and Delegation

To set the SPN, use the below command:

setspn -s http/ contoso\AppPoolName

If you have any preexisting SPN or duplicates, try deleting them and adding new ones.

setspn -d http/ contoso\AppPoolName

It is necessary to have set the SPN before proceeding with delegation. On the domain controller in the AD Users and Computers console, right mouse click on AppPoolName and on the Delegation Tab, select the below:

Click on Add and select Users or computers. For example, my app pool account name is IISAdmin

Once the user is selected, it should list the available services

Select it and say OK, then OK again on the properties window.

Tip 4:

If you are using the MBAM CM integration topology, do not specify 'MBAM Status reporting service endpoint' and set the 'configure MBAM Status reporting service' to Disabled

Tip 5:

For Groups & Accounts , the complete list is documented here. To simplify things, here is all we need.


MBAM-RW (MBAM Read Write group)

MBAM-RO (MBAM ReadOnly group, can be used as Report users group as well)

MBAMAdvHelpdesk (MBAM Advanced helpdesk group)

MBAMHelpdesk (MBAM Helpdesk Group)


AppPoolName (Application pool account -member of MBAM-RW)

CompUser (Compliance and Audit Database domain user account -member of MBAM-RO)

Good Luck!

Naziya Shaik
Support Escalation Engineer
Microsoft Enterprise Platforms Support