How to Configure the MBAM 2.5 Web Applications

This topic explains how to configure the Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 web applications for the recommended High-Level Architecture for MBAM 2.5 by using one of the following methods:

  • A Windows PowerShell cmdlet

  • The MBAM Server Configuration wizard

The web applications comprise the following websites and their corresponding web services:

  Administration and Monitoring Website
    Website where specified users can view reports and help end users recover their computers when they forget their PIN or password.

  Self-Service Portal
    Website that end users can access to independently regain access to their computers if they forget their PIN or password.

Before you start the configuration, complete the following steps. The topic named after each step has the instructions.

  1. Review the recommended architecture for MBAM. See High-Level Architecture for MBAM 2.5.

  2. Review the supported configurations for MBAM. See MBAM 2.5 Supported Configurations.

  3. Complete the required prerequisites on each server.

    Note

    Ensure that you configure SQL Server Reporting Services (SSRS) to use Secure Sockets Layer (SSL) before you configure the Administration and Monitoring Website. Otherwise, the Reports feature will use HTTP instead of HTTPS, and report traffic between the website and the SSRS server will cross the network in cleartext.

  4. Register service principal names (SPNs) for the application pool account for the websites. You need to do this step only if the account you use to run the configuration does not have administrative domain rights in Active Directory Domain Services (AD DS). If it does have these rights, MBAM creates the SPNs for you. See Planning How to Secure the MBAM Websites.

  5. Install the MBAM Server software on each server where you will configure an MBAM Server feature. See Installing the MBAM 2.5 Server Software.

    Note

    If you plan to install the websites on one server and the web services on another, you can configure them only by using the Enable-MbamWebApplication Windows PowerShell cmdlet. The MBAM Server Configuration wizard does not support configuring these items on separate servers.

  6. If you plan to use cmdlets to configure MBAM Server features, review the prerequisites for using Windows PowerShell. See Configuring MBAM 2.5 Server Features by Using Windows PowerShell.
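The following pre-flight script is an added example for the prerequisite steps above; it is not part of the original topic or of the MBAM product. It checks the three items that most often go wrong before the wizard or the cmdlet is run: that a usable HTTPS certificate for the website host name is in the computer's personal store, that HTTP SPNs exist on the application pool account (only required when MBAM will not be able to create them for you), and that the SSRS report server already answers over HTTPS. The host name, application pool account and report URL are assumed values for Contoso; replace them with your own. Run it in an elevated Windows PowerShell session on the server that will host the websites.

```powershell
# Added example (not from the original topic): pre-flight checks for the MBAM
# 2.5 web application prerequisites. All names below are assumptions.
$HostName        = 'mbam.contoso.com'                                  # assumed website host name
$AppPoolSam      = 'svc-mbam-web'                                      # assumed sAMAccountName of the app pool account
$ReportServerUrl = 'https://MyReportServer.Contoso.com/ReportServer'   # SSRS URL, as in the wizard field

# 1. Certificate: it must be in LocalMachine\My, have a private key, still be
#    valid, and name the host that clients will type in the browser.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { ($_.DnsNameList.Unicode -contains $HostName) -or ($_.Subject -like "*CN=$HostName*") } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    "Certificate OK: thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
} else {
    Write-Warning "No usable certificate for $HostName in Cert:\LocalMachine\My; do not configure the sites without one"
}

# 2. SPNs: MBAM registers HTTP/<host> on the app pool account itself when the
#    configuring user has the AD rights; otherwise they must already exist.
#    Both the FQDN and the short name are checked because clients may use either.
$registered = & setspn.exe -L $AppPoolSam 2>&1
foreach ($spn in @("HTTP/$HostName", "HTTP/$($HostName.Split('.')[0])")) {
    if ($registered -match [regex]::Escape($spn)) {
        "SPN present: $spn"
    } else {
        Write-Warning "SPN missing: $spn  (register with: setspn -S $spn $AppPoolSam)"
    }
}

# 3. SSRS: the Reports area silently falls back to HTTP if SSRS is not on SSL,
#    so refuse anything that is not an https:// URL and confirm it responds.
if (([uri]$ReportServerUrl).Scheme -ne 'https') {
    Write-Warning "Report URL is not HTTPS: $ReportServerUrl"
} else {
    try {
        $r = Invoke-WebRequest -Uri $ReportServerUrl -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        "SSRS reachable over HTTPS (HTTP $($r.StatusCode))"
    } catch {
        Write-Warning "SSRS check failed: $($_.Exception.Message)"
    }
}
```

The SPN check reads the account's current registrations with setspn -L and only suggests the setspn -S command; it does not register anything, so it is safe to run from an account without AD rights. A certificate that passes the first check but is issued by a CA the MBAM clients do not trust will still produce browser warnings and client-side TLS failures, so verify the issuing chain as well.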

To configure the web applications by using Windows PowerShell

  1. Before you start the configuration, see Configuring MBAM 2.5 Server Features by Using Windows PowerShell to review the prerequisites for using Windows PowerShell.

  2. Use the Enable-MbamWebApplication cmdlet to configure the web applications using Windows PowerShell. To get information about this cmdlet, type Get-Help Enable-MbamWebApplication.
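The script below is an added example of the cmdlet method, not a script from the original topic or exported by the MBAM wizard. It configures both websites on one server with the values that the wizard fields later in this topic describe. The parameter names are those documented for Enable-MbamWebApplication in MBAM 2.5; every value (host name, port, group names, SQL Server and database names, URLs, notice file path) is an assumption for Contoso. Confirm the parameter list with Get-Help Enable-MbamWebApplication -Detailed before running it, and note that the firewall rule uses the NetSecurity module available on Windows Server 2012 and later.

```powershell
# Added example (not from the original topic): configure the Administration and
# Monitoring Website and the Self-Service Portal with Enable-MbamWebApplication.
# Parameter names follow the cmdlet documentation; all values are assumptions.
$HostName = 'mbam.contoso.com'   # assumed
$Port     = 443                  # assumed; HTTPS

# Pick the newest valid certificate for the host. Refuse to continue without one:
# without a certificate the sites are served over HTTP and recovery passwords cross the wire in cleartext.
$Thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -like "*CN=$HostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $Thumbprint) { throw "No certificate for $HostName in Cert:\LocalMachine\My" }

# Application pool identity: prompt for it rather than embedding the password in a script.
$AppPoolCred = Get-Credential -UserName 'CONTOSO\svc-mbam-web' -Message 'MBAM web service application pool account'

# Connection strings to the databases configured earlier. Integrated Security keeps
# SQL passwords out of web.config; the app pool account must have read/write access.
$ComplianceDb = 'Data Source=SQL01.contoso.com\MBAM;Initial Catalog=MBAM Compliance Status;Integrated Security=SSPI;'       # assumed
$RecoveryDb   = 'Data Source=SQL01.contoso.com\MBAM;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;'   # assumed

# The wizard does not create the firewall exception for the chosen port; do it here.
New-NetFirewallRule -DisplayName "MBAM web applications (TCP $Port)" -Direction Inbound `
    -Protocol TCP -LocalPort $Port -Action Allow | Out-Null

# Administration and Monitoring Website (Helpdesk roles, SSRS URL, optional data migration group).
Enable-MbamWebApplication -AdministrationPortal `
    -HostName $HostName -Port $Port -CertificateThumbprint $Thumbprint `
    -WebServiceApplicationPoolCredential $AppPoolCred `
    -ComplianceAndAuditDBConnectionString $ComplianceDb `
    -RecoveryDBConnectionString $RecoveryDb `
    -AdvancedHelpdeskAccessGroup 'CONTOSO\MBAM Advanced Helpdesk' `
    -HelpdeskAccessGroup 'CONTOSO\MBAM Helpdesk' `
    -ReportsReadOnlyAccessGroup 'CONTOSO\MBAM Report Users' `
    -ReportUrl 'https://MyReportServer.Contoso.com/ReportServer' `
    -VirtualDirectory 'HelpDesk'

# Self-Service Portal; the same app pool credential must be used for every web application.
Enable-MbamWebApplication -SelfServicePortal `
    -HostName $HostName -Port $Port -CertificateThumbprint $Thumbprint `
    -WebServiceApplicationPoolCredential $AppPoolCred `
    -ComplianceAndAuditDBConnectionString $ComplianceDb `
    -RecoveryDBConnectionString $RecoveryDb `
    -VirtualDirectory 'SelfService' `
    -CompanyName 'Contoso IT' `
    -HelpdeskUrlText 'Contact Helpdesk or IT department' `
    -HelpdeskUrl 'https://helpdesk.contoso.com/' `
    -NoticeTextPath 'C:\MBAM\notice.txt'
```

Scoping the Data Migration role group is deliberately omitted here because it grants write access to recovery information; add -DataMigrationAccessGroup only for the duration of a migration. When the websites and the web services live on different servers, run the cmdlet on each server with the switch for the feature that server hosts, which is the case the wizard cannot handle.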

To configure the settings for all web applications using the wizard

  1. On the server where you want to configure the web applications, start the MBAM Server Configuration wizard. You can select MBAM Server Configuration from the Start menu to open the wizard.

  2. Click Add New Features, select Administration and Monitoring Website and Self-Service Portal, and then click Next. The wizard checks that all prerequisites for the web applications have been met.

  3. If the prerequisite check is successful, click Next to continue. Otherwise, resolve any missing prerequisites, and then click Check prerequisites again.

  4. Use the following descriptions to enter the field values in the wizard.

    Security certificate
      Select a previously created certificate to bind HTTPS on the website, so that traffic between clients (browsers, and the MBAM client talking to the web services) and the server on which you are configuring the websites is encrypted. If you choose Do not use a certificate, the websites and web services are served over plain HTTP, and everything they carry, including recovery passwords returned to Helpdesk and Self-Service users, crosses the network in cleartext where it can be read or altered in transit.

    Host name
      Name of the host computer where you are configuring the websites.

    Installation path
      Path where you are installing the websites.

    Port
      Port number to use for website and service communication.

      Note

      You must set a firewall exception to enable communication through the specified port.

    Web service application pool domain account and password
      Domain user account and password for the web service application pool.

      If you enter a user name in the Read/write access domain user or group field on the Configure Databases page, you must enter that same value in this field.

      If you enter a group name in the Read/write access domain user or group field on the Configure Databases page, the value you enter in this field must be a member of that group.

      If you do not specify credentials, the credentials that were specified for any previously enabled web application are used. All web applications must use the same application pool credentials. If you specify different credentials for different web applications, the most recently specified value is used.

      Important

      For improved security, set the account that is specified in the credentials to have limited user rights. Also, set the password of the account to never expire. Because that password will never rotate automatically, use a dedicated service account with a long, randomly generated password, and do not reuse the account for anything else.

  5. Verify that the built-in IIS_IUSRS account or the application pool account has been added to the Impersonate a client after authentication and the Log on as a batch job local security settings.

    To check, open the Local Security Policy editor (secpol.msc), expand the Local Policies node, click the User Rights Assignment node, and double-click the Impersonate a client after authentication and Log on as a batch job policies in the right pane. A domain Group Policy that defines these rights replaces the local list rather than merging with it, so if an account you added locally disappears, check the applied GPOs.
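For servers where you would rather script step 5 than open the editor, the following is an added example (not from the original topic) that exports the local user rights assignment with secedit and checks that either BUILTIN\IIS_IUSRS or the application pool account holds SeImpersonatePrivilege (Impersonate a client after authentication) and SeBatchLogonRight (Log on as a batch job). The application pool account name is an assumption. secedit reports principals as SIDs, so the script resolves the account to its SID first; run it elevated.

```powershell
# Added example (not from the original topic): verify the two user rights MBAM
# needs for the web service application pool. Account name is an assumption.
$AppPoolAccount = 'CONTOSO\svc-mbam-web'   # assumed
$IisIusrsSid    = 'S-1-5-32-568'           # well-known SID of BUILTIN\IIS_IUSRS
$AccountSid     = (New-Object System.Security.Principal.NTAccount($AppPoolAccount)).
                      Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the USER_RIGHTS area of the effective local policy to a temp file.
$inf = Join-Path $env:TEMP 'mbam-user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Lines look like:  SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-32-568
# Each holder is a SID prefixed with '*' (or occasionally a plain name); strip the prefix.
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = ($matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($right in 'SeImpersonatePrivilege', 'SeBatchLogonRight') {
    $holders = @($rights[$right])
    if (($holders -contains $IisIusrsSid) -or ($holders -contains $AccountSid)) {
        "OK       $right is granted to IIS_IUSRS or $AppPoolAccount"
    } else {
        Write-Warning "MISSING  $right : neither IIS_IUSRS nor $AppPoolAccount holds it directly (current holders: $($holders -join ', '))"
    }
}
```

The export lists direct grants only; a right the account receives through membership in some other listed group is not expanded, so a MISSING result for the account while IIS_IUSRS is present is normal and acceptable, which is why the script passes when either principal is listed.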

To configure connection information for the databases by using the wizard

  1. Use the following field descriptions to configure the connection information in the wizard for the Compliance and Audit Database.

    SQL Server name
      Name of the server where the Compliance and Audit Database is configured.

    SQL Server database instance
      SQL Server instance name where the Compliance and Audit Database is configured.

    Database name
      Name of the Compliance and Audit Database.

  2. Use the following field descriptions to configure the connection information in the wizard for the Recovery Database.

    SQL Server name
      Name of the server where the Recovery Database is configured.

    SQL Server database instance
      SQL Server instance name where the Recovery Database is configured.

    Database name
      Name of the Recovery Database.

To configure the web applications by using the wizard

  1. Use the following descriptions to enter the field values in the wizard to configure the Administration and Monitoring Website.

    Advanced Helpdesk role domain group
      Domain user group whose members have access to all areas of the Administration and Monitoring Website except the Reports area.

    Helpdesk role domain group
      Domain user group whose members have access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website.

    Use System Center Configuration Manager Integration
      Select this check box if you are configuring MBAM with the Configuration Manager Integration topology. Selecting this check box makes all reports, except the Recovery Audit report, appear in Configuration Manager instead of in the Administration and Monitoring Website.

    Reporting role domain group
      Domain user group whose members have read-only access to the Reports area of the Administration and Monitoring Website.

    SQL Server Reporting Services URL
      URL for the SSRS server where the MBAM Reports are configured. Use an https:// URL; the SSRS instance must already be configured for SSL, as the note earlier in this topic explains. Examples of report URLs:

        Fully qualified domain name: https://MyReportServer.Contoso.com/ReportServer
        Custom host name: https://MyReportServer/ReportServer

    Virtual directory
      Virtual directory of the Administration and Monitoring Website. This name corresponds to the website's physical directory on the server and is appended to the website's host name, for example:

        http(s)://<hostname>:<port>/HelpDesk/

      If you do not specify a virtual directory, the value HelpDesk is used.

    Data Migration role domain group (optional)
      Domain user group whose members are allowed to use the Write-Mbam*Information cmdlets to write recovery information through this website's web service. Because this role can write to the recovery store, leave the field empty unless you are migrating recovery data.

  2. Use the following description to enter the field values in the wizard to configure the Self-Service Portal.

    Virtual directory
      Virtual directory of the web application. This name corresponds to the website's physical directory on the server, and is appended to the website's host name, for example:

        http(s)://<hostname>:<port>/SelfService/

      If you do not specify a virtual directory, the value SelfService is used.

    Company name
      Specify a company name for the Self-Service Portal, for example: Contoso IT. This company name is viewed by all Self-Service Portal users.

    Helpdesk URL text
      Specify a text statement that directs users to your organization's Helpdesk website, for example: Contact Helpdesk or IT department

    Helpdesk URL
      Specify the URL for your organization's Helpdesk website, for example: http(s)://<companyHelpdeskURL>/

    Notice text file
      Select a file that contains the notice you want displayed to users on the Self-Service Portal landing page.

    Do not display notice text to users
      Select this check box to specify that the notice text is not displayed to users.

  3. When you finish your entries, click Next.

    The wizard checks that all prerequisites for the web applications have been met.

  4. Click Next to continue.

  5. On the Summary page, review the features that will be added.

    Note
    To create a Windows PowerShell script for the entries you made, click Export PowerShell Script and save the script.

  6. Click Add to add the web applications to the server, and then click Close.

    To customize the Self-Service Portal by adding custom notice text, your company name, pointers to more information, and so on, see Customizing the Self-Service Portal for Your Organization.

To configure the Self-Service Portal if client computers cannot access the CDN

  1. Determine whether you are running Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1. If so, do nothing. Your Self-Service Portal configuration is complete.

    Note
    Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 installs the JavaScript files in setup, and so does not need to be connected to the Microsoft Ajax Content Delivery Network in order to configure the Self-Service Portal. The following steps are necessary only if you are using a version of Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 previous to SP1.

  2. Determine if your client computers have access to the Microsoft Ajax Content Delivery Network (CDN).

    The CDN gives the Self-Service Portal the access it requires to certain JavaScript files. If you don’t configure the Self-Service Portal when client computers cannot access the CDN, only the company name and the account under which the end user signed in will be displayed. No error message will be shown.

  3. Do one of the following:


Related topics

Server Event Logs

Configuring the MBAM 2.5 Server Features

How to Configure the Self-Service Portal When Client Computers Cannot Access the Microsoft Content Delivery Network

Customizing the Self-Service Portal for Your Organization

Validating the MBAM 2.5 Server Feature Configuration