Tips & Tricks with MBAM 2.5 - Part 1: Domain Controller and Group Policy Management
We periodically receive requests for tips and tricks regarding Microsoft BitLocker Administration and Monitoring (MBAM), so we will be posting a series of blogs, listed below.
Part 1: Domain Controller and Group Policy Management
This blog will be focused on Domain Controller and Group Policy Management.
Before installing or adding the MBAM web components, decide whether you will use a custom name or the default hostname of your web server.
If you are going to use a custom name, create an A record in DNS and register the SPN for the custom name you have chosen:
setspn -s http/custom.contoso.com contoso\AppPoolName
setspn -s http/custom contoso\AppPoolName
If you plan on using SSL, issue the certificate to the hostname you are planning to use.
For example, I like to use a custom host name such as MBAMRecovery.contoso.com while the web server itself is named server1.contoso.com.
In that case, issue the certificate to MBAMRecovery.contoso.com.
Setting SPN and Delegation
To set the SPN, use the command below:
setspn -s http/server1.contoso.com contoso\AppPoolName
If you have any pre-existing or duplicate SPNs, delete them and add new ones:
setspn -d http/server.contoso.com contoso\AppPoolName
The SPN must be registered before you proceed with delegation, because the Delegation tab in Active Directory Users and Computers only appears for accounts that have an SPN. On the domain controller, open Active Directory Users and Computers, right-click AppPoolName, open its properties, and on the Delegation tab select the option shown below:
Click Add, then Users or Computers, and enter the app pool account; for example, my app pool account name is IISAdmin.
Once the user is selected, the available services are listed.
Select the service and click OK, then OK again on the properties window.
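As an added check that is not part of the original post, the following PowerShell verifies the state described above before you move on: that each HTTP SPN is on the app pool account and on no other object, and that the account is configured for constrained rather than unconstrained delegation. It assumes the RSAT ActiveDirectory module is installed and uses the sample names from this post (contoso\AppPoolName and MBAMRecovery.contoso.com); substitute your own.

```powershell
# Added verification script (not from the original post). Assumes the RSAT
# ActiveDirectory module and the sample names used in this post.
Import-Module ActiveDirectory

$Account = 'AppPoolName'
$Hosts   = @('MBAMRecovery.contoso.com', 'MBAMRecovery')   # FQDN and short name, as registered with setspn -s

$acct = Get-ADUser -Identity $Account -Properties 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedForDelegation'

# 1. Every expected HTTP SPN must be on the app pool account and nowhere else.
foreach ($h in $Hosts) {
    $spn = "http/$h"
    if ($acct.servicePrincipalName -notcontains $spn) {
        Write-Warning "$spn is not registered on $Account (run: setspn -s $spn contoso\$Account)"
    }
    # A duplicate SPN makes the KDC issue tickets for the wrong account, so Kerberos
    # authentication to the site fails and clients fall back to NTLM or get prompted.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    if ($owners.Count -gt 1) {
        Write-Warning "$spn is duplicated on: $($owners.DistinguishedName -join '; ')"
    }
}

# 2. Delegation should be constrained to the listed services, never unconstrained.
if ($acct.TrustedForDelegation) {
    Write-Warning "$Account is trusted for unconstrained delegation; change it to 'specified services only'."
}
if (-not $acct.'msDS-AllowedToDelegateTo') {
    Write-Warning "$Account has no constrained delegation targets; complete the Delegation tab steps above."
} else {
    "Constrained delegation targets for ${Account}:"
    $acct.'msDS-AllowedToDelegateTo'
}
```

Run it from a domain-joined administrative workstation; any warning printed is something to fix before continuing with the MBAM web component installation.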
If you are using the MBAM Configuration Manager (CM) integration topology, do not specify 'MBAM Status reporting service endpoint' and set 'Configure MBAM Status reporting service' to Disabled.
For groups and accounts, the complete list is documented here. To simplify things, here is all we need:
MBAM-RW (MBAM Read/Write group)
MBAM-RO (MBAM Read-Only group; can also be used as the Report Users group)
MBAMAdvHelpdesk (MBAM Advanced Helpdesk group)
MBAMHelpdesk (MBAM Helpdesk group)
AppPoolName (application pool account, member of MBAM-RW)
CompUser (Compliance and Audit Database domain user account, member of MBAM-RO)
Support Escalation Engineer
Microsoft Enterprise Platforms Support