How to Configure the MBAM 2.5 Web Applications

This topic explains how to configure the Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 web applications for the recommended High-Level Architecture for MBAM 2.5 by using one of the following methods:

• A Windows PowerShell cmdlet

• The MBAM Server Configuration wizard

The web applications comprise the following websites and their corresponding web services:

Website	Description
Administration and Monitoring Website	Website where specified users can view reports and help end users recover their computers when they forget their PIN or password
Self-Service Portal	Website that end users can access to independently regain access to their computers if they forget their PIN or password

Before you start the configuration:

Step	Where to get instructions
Review the recommended architecture for MBAM.	High-Level Architecture for MBAM 2.5
Review the supported configurations for MBAM.	MBAM 2.5 Supported Configurations
Complete the required prerequisites on each server. Note Ensure that you configure SQL ServerReporting Services (SSRS) to use the Secure Sockets Layer (SSL) before you configure the Administration and Monitoring Website. Otherwise, the Reports feature will use HTTP instead of HTTPS.	MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology (if applicable)
Register service principal names (SPNs) for the application pool account for the websites. You need to do this step only if you do not have administrative domain rights in Active Directory Domain Services (AD DS). If you do have these rights in AD DS, MBAM will create the SPNs for you.	Planning How to Secure the MBAM Websites
Install the MBAM Server software on each server where you will configure an MBAM Server feature. Note If you plan to install the websites on one server and the web services on another, you will be able to configure them only by using the Enable-MbamWebApplication Windows PowerShell cmdlet. The MBAM Server Configuration wizard does not support configuring these items on separate servers.	Installing the MBAM 2.5 Server Software
Review the prerequisites for using Windows PowerShell if you plan to use cmdlets to configure MBAM Server features.	Configuring MBAM 2.5 Server Features by Using Windows PowerShell

To configure the web applications by using Windows PowerShell

1. Before you start the configuration, see Configuring MBAM 2.5 Server Features by Using Windows PowerShell to review the prerequisites for using Windows PowerShell.

2. Use the Enable-MbamWebApplication cmdlet to configure the web applications using Windows PowerShell. To get information about this cmdlet, type Get-Help Enable-MbamWebApplication.

To configure the settings for all web applications using the wizard

1. On the server where you want to configure the web applications, start the MBAM Server Configuration wizard. You can select MBAM Server Configuration from the Start menu to open the wizard.

2. Click Add New Features, select Administration and Monitoring Website and Self-Service Portal, and then click Next. The wizard checks that all prerequisites for the web applications have been met.

3. If the prerequisite check is successful, click Next to continue. Otherwise, resolve any missing prerequisites, and then click Check prerequisites again.

4. Use the following descriptions to enter the field values in the wizard.

   Field	Description
   Security certificate	Select a previously created certificate to optionally encrypt the communication between the web services and the server on which you are configuring the websites. If you choose Do not use a certificate, your web communication may not be secure.
   Host name	Name of the host computer where you are configuring the websites.
   Installation path	Path where you are installing the websites.
   Port	Port number to use for website and service communication. Note You must set a firewall exception to enable communication through the specified port.
   Web service application pool domain account and password	Domain user account and password for the web service application pool. If you enter a user name in the Read/write access domain user or group field on the Configure Databases page, you must enter that same value in this field. If you enter a group name in the Read/write access domain user or group field on the Configure Databases page, the value you enter in this field must be a member of that group. If you do not specify credentials, the credentials that were specified for any previously enabled web application will be used. All web applications must use the same application pool credentials. If you specify different credentials for different web applications, the most recently specified value will be used. Important For improved security, set the account that is specified in the credentials to have limited user rights. Also, set the password of the account to never expire.

5. Verify that the built-in IIS_IUSRS account or the application pool account has been added to the Impersonate a client after authentication and the Log on as a batch job local security settings.

   To check whether it has been added to the local security settings, open the Local Security Policy editor, expand the Local Policies node, click the User Rights Assignment node, and double-click Impersonate a client after authentication and Log on as a batch job policies in the right pane.

To configure connection information for the databases by using the wizard

1. Use the following field descriptions to configure the connection information in the wizard for the Compliance and Audit Database.

   Field	Description
   SQL Server name	Name of the server where the Compliance and Audit Database is configured.
   SQL Server database instance	SQL Server instance name where the Compliance and Audit Database is configured.
   Database name	Name of the Compliance and Audit Database.

2. Use the following field descriptions to configure the connection information in the wizard for the Recovery Database.

   Field	Description
   SQL Server name	Name of the server where the Recovery Database is configured.
   SQL Server database instance	SQL Server instance name where the Recovery Database is configured.
   Database name	Name of the Recovery Database.

To configure the web applications by using the wizard

1. Use the following descriptions to enter the field values in the wizard to configure the Administration and Monitoring Website.

   Field	Description
   Advanced Helpdesk role domain group	Domain user group whose members have access to all areas of the Administration and Monitoring Website except the Reports area.
   Helpdesk role domain group	Domain user group whose members have access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website.
   Use System Center Configuration Manager Integration	Select this check box if you are configuring MBAM with the Configuration Manager Integration topology. Selecting this check box makes all reports, except the Recovery Audit report, appear in Configuration Manager instead of in the Administration and Monitoring Website.
   Reporting role domain group	Domain user group whose members have read-only access to the Reports area of the Administration and Monitoring Website.
   SQL Server Reporting Services URL	URL for the SSRS server where the MBAM Reports are configured. Examples of report URLs: Type of host name Example Example with a fully qualified domain name https://MyReportServer.Contoso.com/ReportServer Example with a custom host name https://MyReportServer/ReportServer
   Virtual directory	Virtual directory of the Administration and Monitoring Website. This name corresponds to the website’s physical directory on the server and is appended to the website’s host name, for example: http(s)://<hostname>:<port>/HelpDesk/ If you do not specify a virtual directory, the value HelpDesk will be used.
   Data Migration role domain group (optional)	Domain user group whose members have access to use the Write-Mbam*Information Cmdlets to write recovery information via this endpoint.

2. Use the following description to enter the field values in the wizard to configure the Self-Service Portal.

   Field	Description
   Virtual directory	Virtual directory of the web application. This name corresponds to the website’s physical directory on the server, and is appended to the website’s host name, for example: http(s)://<hostname>:<port>/SelfService/ If you do not specify a virtual directory, the value SelfService will be used.
   Company name	Specify a company name for the Self-Service Portal, for example: Contoso IT This company name is viewed by all Self-Service Portal users.
   Helpdesk URL text	Specify a text statement that directs users to your organization's Helpdesk website, for example: Contact Helpdesk or IT department
   Helpdesk URL	Specify the URL for your organization's Helpdesk website, for example: http(s)://<companyHelpdeskURL>/
   Notice text file	Select a file that contains the notice you want displayed to users on the Self-Service Portal landing page.
   Do not display notice text to users	Select this check box to specify that the notice text is not displayed to users.

3. When you finish your entries, click Next.

   The wizard checks that all prerequisites for the web applications have been met.

4. Click Next to continue.

5. On the Summary page, review the features that will be added.

   Note
   To create a Windows PowerShell script for the entries you made, click Export PowerShell Script and save the script.

6. Click Add to add the web applications to the server, and then click Close.

   To customize the Self-Service Portal by adding custom notice text, your company name, pointers to more information, and so on, see Customizing the Self-Service Portal for Your Organization.

To configure the Self-Service Portal if client computers cannot access the CDN

1. Determine whether you are running Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1. If so, do nothing. Your Self-Service Portal configuration is complete.

   Note
   Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 installs the JavaScript files in setup, and so does not need to be connected to the Microsoft Ajax Content Delivery Network in order to configure the Self-Service Portal. The following steps are necessary only if you are using a version of Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 previous to SP1.

2. Determine if your client computers have access to the Microsoft Ajax Content Delivery Network (CDN).

   The CDN gives the Self-Service Portal the access it requires to certain JavaScript files. If you don’t configure the Self-Service Portal when client computers cannot access the CDN, only the company name and the account under which the end user signed in will be displayed. No error message will be shown.

3. Do one of the following:

   • If your client computers have access to the CDN, do nothing. Your Self-Service Portal configuration is complete.

   • If your client computers do not have access to the CDN, complete the steps in How to Configure the Self-Service Portal When Client Computers Cannot Access the Microsoft Content Delivery Network.

Related topics

Server Event Logs

Configuring the MBAM 2.5 Server Features

How to Configure the Self-Service Portal When Client Computers Cannot Access the Microsoft Content Delivery Network

Customizing the Self-Service Portal for Your Organization

Validating the MBAM 2.5 Server Feature Configuration

Got a suggestion for MBAM?

For MBAM issues, use the MBAM TechNet Forum.