Use PowerShell scripts to install/upgrade MBAM

This post is a follow up to my “Managing BitLocker using MBAM” session at the Midwest Management Summit 2017 (MMS).

In this post I will explain the installation process in a bit more detail, and why I use PowerShell for the installation.

Installing Microsoft BitLocker Administration and Monitoring (MBAM)

When installing MBAM, the first step is to run MbamServerSetup.exe, which contains the MBAM 2.5 SP1 server components. This installer deploys the PowerShell modules used by the MBAM Configuration wizard, which in turn installs the actual MBAM features: databases, web services and reports.

One thing that I have seen go wrong for many IT admins installing MBAM for the first time is that the server setup offers to launch the roles wizard as soon as installation completes.


Do NOT run the wizard yet: if you do, the features are installed using the RTM binaries rather than the latest servicing release.

Applying MBAM servicing releases

Before installing the MBAM features, the latest servicing release needs to be applied, as this will update the MBAM Configuration wizard and the underlying PowerShell modules and binaries.

The latest servicing release (at the time of writing) is the March 2017 release, which can be downloaded from here: https://support.microsoft.com/en-us/help/4014009/march-2017-servicing-release-for-microsoft-desktop-optimization-pack

After applying MBAM2.5_Server_x64_KB4014009.msp, the MBAM Configuration wizard can be launched from the Start menu.


Adding MBAM features

Depending on infrastructure requirements and the MBAM topology selected for the implementation, the MBAM features need to be installed and configured on different servers. MbamServerSetup.exe must be installed and patched on each of those servers before any features are added.

Once the MBAM Configuration wizard is installed and patched, it is time to add the needed roles:

For this I recommend using the PowerShell modules directly rather than the wizard. The reason is that every time a new servicing release ships, all MBAM features must be removed (the databases are left untouched) and then installed and configured again after the servicing release has been applied, because only the wizard and its underlying binaries are touched by the update.

By using PowerShell, this process becomes much simpler and less time consuming, as the scripts can simply be rerun to install and configure components again.

In my lab I have MBAM installed in a hybrid topology, where compliance is reported to both the MBAM database (stand-alone topology) and Configuration Manager HW Inventory (CM integrated topology).

I have created a DNS A-record (mbam.corp.viamonstra.com) that points to the IP of the IIS server that hosts the MBAM web services. This allows easier conversion to a high-availability scenario later, without having to reconfigure endpoints for all clients.

The SSL certificate is issued for that A-record name and installed in the IIS server's local machine (Personal) certificate store.

Installing database components

In my lab I have placed the databases on the ConfigMgr server, but in a real-world environment I always try to put them on a highly available (SQL Server AlwaysOn) cluster.

The following script can be used for installing the MBAM databases:

<#
Name      : Add-MBAM-Databases.ps1
Version   : 1.0
Author    : Henrik Rading, CT Global A/S
Date      : 2017-01-17
Command   : powershell.exe -executionpolicy bypass -file Add-MBAM-Databases.ps1
Arguments : <n/a>
Purpose   : Creates MBAM databases on SQL server. Can be run from any server with the
            MBAMServerSetup and SQL Server ScriptDom installed.
#>

# *** UPDATE THESE VARIABLES TO MATCH ENVIRONMENT ***

# Enter the FQDN and port of the SQL server (port is only needed if it differs from 1433).
$databaseServer = 'sql1.viamonstra.com,1433'
# Name of the Recovery and Hardware database that is created.
$RecoveryDBName = 'MBAM Recovery and Hardware'
# Name of the Compliance database that is created.
$ComplianceDBName = 'MBAM Compliance Status'
# Name of the Active Directory group created for the "MBAM DataBase Read Write" group, in <domain>\<groupname> format.
$GroupDataBaseRW = 'VIAMONSTRA\MBAM-DB Access Read_write'
# Name of the Active Directory group created for the "MBAM DataBase Read Only" group, in <domain>\<groupname> format.
$GroupDataBaseRO = 'VIAMONSTRA\MBAM-DB Access Read_only'

# *** END OF USER VARIABLES, DO NOT MODIFY SCRIPT AFTER THIS LINE! ***

# Enable Recovery database
Enable-MbamDatabase -AccessAccount $GroupDataBaseRW -Recovery `
    -ConnectionString "Data Source=$($databaseServer);Integrated Security=True" -DatabaseName $RecoveryDBName

# Enable compliance and audit database
Enable-MbamDatabase -AccessAccount $GroupDataBaseRW -ComplianceAndAudit `
    -ConnectionString "Data Source=$($databaseServer);Integrated Security=True" -DatabaseName $ComplianceDBName `
    -ReportAccount $GroupDataBaseRO

Installing CM Integration

The Configuration Manager integration consists of collections, configuration items, a baseline and reports.

To install these use the following script:

<#
Name      : Add-MBAM-Reports-and-CMintegration.ps1
Version   : 1.0
Author    : Henrik Rading, CT Global A/S
Date      : 2017-01-17
Command   : powershell.exe -executionpolicy bypass -file Add-MBAM-Reports-and-CMintegration.ps1
Arguments : <n/a>
Purpose   : Creates MBAM reports on SQL Server Reporting Server and creates Configuration Manager items.
            The script must be run from the ConfigMgr Primary Site server with the MBAMServerSetup installed.
#>

# *** UPDATE THESE VARIABLES TO MATCH ENVIRONMENT ***

# Name of the MBAM Compliance and Audit Database service account created in AD. Use <domain>\<username> format.
$username = "VIAMONSTRA\MBAM-SVC-CA"
# Password of the service account in clear text. Remove this from the script after execution,
# or change the script to prompt for credentials.
$password = 'MySecretPassword'
# Name of the Active Directory group created for the "MBAM Audit Report". Use <domain>\<groupname> format.
$ReadOnlyAccessGroup = 'VIAMONSTRA\MBAM-Role Audit Report Users'
# Enter the FQDN and port of the SQL server (port is only needed if it differs from 1433).
$databaseServer = 'sql1.viamonstra.com,1433'
# Name of the Recovery and Hardware database that is created.
$RecoveryDBName = 'MBAM Recovery and Hardware'
# Name of the Compliance database that is created.
$ComplianceDBName = 'MBAM Compliance Status'

# *** END OF USER VARIABLES, DO NOT MODIFY SCRIPT AFTER THIS LINE! ***

$password = $password | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($username, $password)

# Enable report feature
Enable-MbamReport -ComplianceAndAuditDBConnectionString "Data Source=$($databaseServer);Initial Catalog='$($ComplianceDBName)';Integrated Security=True" `
    -ComplianceAndAuditDBCredential $credential -ReportsReadOnlyAccessGroup $ReadOnlyAccessGroup

# Enable System Center Configuration Manager integration feature
Enable-MbamCMIntegration

Install Web Services

In my lab all web services run on a single server; in an HA scenario they can be split across servers or duplicated.

To install the web services use the following script:

<#
Name      : Add-MBAM-Websites.ps1
Version   : 1.0
Author    : Henrik Rading, CT Global A/S
Date      : 2017-01-17
Command   : powershell.exe -executionpolicy bypass -file Add-MBAM-Websites.ps1
Arguments : <n/a>
Purpose   : Installs MBAM websites to IIS and configures SSL certificate and application pools.
            The script must be run from the MBAM IIS server with the MBAMServerSetup installed.
#>

# *** UPDATE THESE VARIABLES TO MATCH ENVIRONMENT ***

# Web service credentials
# Name of the MBAM Web Application Pool service account created in AD. Use <domain>\<username> format.
$wsusername = "VIAMONSTRA\MBAM-SVC-AppPool"
# Password of the service account in clear text. Remove this from the script after execution,
# or change the script to prompt for credentials.
$wspassword = 'MySecretPassword'
# Name of the Active Directory group created for the "MBAM HelpDesk Users". Use <domain>\<groupname> format.
$GroupHelpdesk = 'VIAMONSTRA\MBAM-Role HelpDesk Users'
# Name of the Active Directory group created for the "MBAM Advanced HelpDesk Users". Use <domain>\<groupname> format.
$GroupAdvancedHelpdesk = 'VIAMONSTRA\MBAM-Role Advanced HelpDesk Users'
# Name of the Active Directory group created for the "MBAM Compliance Report Users". Use <domain>\<groupname> format.
$GroupComplianceReport = 'VIAMONSTRA\MBAM-Role Compliance Report Users'
# Name of the Active Directory group allowed to use the data migration (recovery data import) feature of the agent service.
# This variable was referenced but not defined in the original script; the value below is a placeholder, set it to your own group.
$GroupDataMigration = 'VIAMONSTRA\MBAM-Role Data Migration Users'
# Name of the organization as it should appear on the Self Service Portal.
$CompanyName = 'ViaMonstra Inc.'
# Name of the DNS alias created and used for the web server certificate.
$hostname = 'mbam.viamonstra.com'
# Enter the FQDN and port of the SQL server (port is only needed if it differs from 1433).
$databaseServer = 'sql1.viamonstra.com,1433'
# Name of the Recovery and Hardware database that is created.
$RecoveryDBName = 'MBAM Recovery and Hardware'
# Name of the Compliance database that is created.
$ComplianceDBName = 'MBAM Compliance Status'
# URL to the SQL Server Report Server on the ConfigMgr server, in the format http(s)://<server fqdn>/reportserver
$ReportUrl = 'http://cm1.viamonstra.com/reportserver'

# *** END OF USER VARIABLES, DO NOT MODIFY SCRIPT AFTER THIS LINE! ***

$wspassword = $wspassword | ConvertTo-SecureString -AsPlainText -Force
$wscredential = New-Object System.Management.Automation.PSCredential($wsusername, $wspassword)
# Pick the web server certificate from the local machine Personal store by the DNS alias in its subject
$Cert = Get-ChildItem cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$($hostname)*" }

# Enable agent service feature
Enable-MbamWebApplication -AgentService -Certificate $Cert `
    -ComplianceAndAuditDBConnectionString "Data Source=$($databaseServer);Initial Catalog='$($ComplianceDBName)';Integrated Security=True" `
    -DataMigrationAccessGroup $GroupDataMigration -HostName $hostname -InstallationPath 'C:\inetpub' -Port 443 `
    -RecoveryDBConnectionString "Data Source=$($databaseServer);Initial Catalog='$($RecoveryDBName)';Integrated Security=True" `
    -WebServiceApplicationPoolCredential $wscredential

# Enable administration web portal feature
Enable-MbamWebApplication -AdministrationPortal -AdvancedHelpdeskAccessGroup $GroupAdvancedHelpdesk -Certificate $Cert `
    -ComplianceAndAuditDBConnectionString "Data Source=$($databaseServer);Initial Catalog='$($ComplianceDBName)';Integrated Security=True" `
    -HelpdeskAccessGroup $GroupHelpdesk -HostName $hostname -InstallationPath 'C:\inetpub' -Port 443 `
    -RecoveryDBConnectionString "Data Source=$($databaseServer);Initial Catalog='$($RecoveryDBName)';Integrated Security=True" `
    -ReportsReadOnlyAccessGroup $GroupComplianceReport -ReportUrl $ReportUrl -VirtualDirectory 'HelpDesk' `
    -WebServiceApplicationPoolCredential $wscredential

# Enable self service web portal feature
Enable-MbamWebApplication -Certificate $Cert -CompanyName $CompanyName `
    -ComplianceAndAuditDBConnectionString "Data Source=$($databaseServer);Initial Catalog='$($ComplianceDBName)';Integrated Security=True" `
    -DisableNoticePage -HelpdeskUrlText 'Contact Helpdesk or IT department.' -HostName $hostname `
    -InstallationPath 'C:\inetpub' -Port 443 `
    -RecoveryDBConnectionString "Data Source=$($databaseServer);Initial Catalog='$($RecoveryDBName)';Integrated Security=True" `
    -SelfServicePortal -VirtualDirectory 'SelfService' -WebServiceApplicationPoolCredential $wscredential
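Both the reporting script and the web services script above keep the service-account password in clear text, which the comments tell you to remove afterwards. The following is an added example, not part of the original scripts, that replaces that pattern with a one-time prompt and a DPAPI-protected file, so the scripts can still be rerun unattended after a servicing release by the same account on the same server; the storage path is an assumption.

```powershell
# Added example: obtain an MBAM service-account credential without a clear-text password in the script.
# The first run prompts and saves the credential with Export-Clixml, which protects the password with
# DPAPI (readable only by the same Windows account on the same machine). Later runs read it back silently.
# $CredentialPath is an assumed location, not from the original post.
function Get-MbamServiceCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,   # e.g. 'VIAMONSTRA\MBAM-SVC-AppPool'
        [string] $CredentialPath = "$env:ProgramData\MBAM-Install\$($UserName -replace '[\\/:]', '_').xml"
    )

    if (Test-Path -LiteralPath $CredentialPath) {
        $cred = Import-Clixml -LiteralPath $CredentialPath
        if ($cred.UserName -eq $UserName) { return $cred }
        Write-Warning "Stored credential is for '$($cred.UserName)', not '$UserName'; prompting again."
    }

    $cred = Get-Credential -UserName $UserName -Message "Password for MBAM service account $UserName"
    if (-not $cred) { throw "No credential supplied for $UserName." }

    $dir = Split-Path -Parent $CredentialPath
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $cred | Export-Clixml -LiteralPath $CredentialPath
    return $cred
}

# In Add-MBAM-Websites.ps1 this single line replaces the $wspassword / ConvertTo-SecureString lines;
# the same call with 'VIAMONSTRA\MBAM-SVC-CA' replaces them in the reporting script.
$wscredential = Get-MbamServiceCredential -UserName 'VIAMONSTRA\MBAM-SVC-AppPool'
```

The saved file is only usable by the account that created it on that machine, so a copy taken from the server does not yield the password.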

Testing scripts before installing

The MBAM cmdlets allow you to test prerequisites and settings before running the actual Enable- cmdlets. To do this, simply replace Enable- with Test- and run the scripts.
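Rather than editing the script twice (once with Test- and once with Enable-), the parameters can be kept in one hashtable and splatted to both cmdlets, so the check and the install are guaranteed to run with identical arguments. This is an added example (not the post's own script) for the agent service web application; it uses the lab values from the scripts above, and it assumes that Test-MbamWebApplication takes the same parameters as Enable-MbamWebApplication and returns a Boolean, plus a placeholder data migration group name.

```powershell
# Added example: Test- then Enable- with one shared parameter set (splatting).
$ErrorActionPreference = 'Stop'
$databaseServer   = 'sql1.viamonstra.com,1433'
$RecoveryDBName   = 'MBAM Recovery and Hardware'
$ComplianceDBName = 'MBAM Compliance Status'
$hostname         = 'mbam.viamonstra.com'
$GroupDataMigration = 'VIAMONSTRA\MBAM-Role Data Migration Users'   # placeholder, set to your own group
$wscredential = Get-Credential -UserName 'VIAMONSTRA\MBAM-SVC-AppPool' -Message 'App pool service account'

# Newest certificate in the machine Personal store whose subject carries the DNS alias
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$hostname*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate for $hostname found in LocalMachine\My." }

$agentParams = @{
    AgentService                         = $true
    Certificate                          = $Cert
    HostName                             = $hostname
    Port                                 = 443
    InstallationPath                     = 'C:\inetpub'
    DataMigrationAccessGroup             = $GroupDataMigration
    WebServiceApplicationPoolCredential  = $wscredential
    ComplianceAndAuditDBConnectionString = "Data Source=$databaseServer;Initial Catalog='$ComplianceDBName';Integrated Security=True"
    RecoveryDBConnectionString           = "Data Source=$databaseServer;Initial Catalog='$RecoveryDBName';Integrated Security=True"
}

# Prerequisite check first; assumed to return $true when everything passes.
$ok = Test-MbamWebApplication @agentParams
if (-not $ok) {
    throw 'Test-MbamWebApplication reported failed prerequisites; check the MBAM-Setup event log before enabling.'
}

# Same hashtable, so the install cannot drift from what was tested.
Enable-MbamWebApplication @agentParams
```

The other two web applications and the database, report and CM integration features follow the same pattern with their own hashtables.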

Remove features before applying service release

Before applying a servicing release, remove any installed features by running the appropriate PowerShell cmdlets.

These are the cmdlets I use for removing features in my lab.

# Disable administration web portal feature
Disable-MbamWebApplication -AdministrationPortal -Force

# Disable agent service feature
Disable-MbamWebApplication -AgentService -Force

# Disable self service web portal feature
Disable-MbamWebApplication -SelfServicePortal -Force

# Disable CM Integration
Disable-MbamCMIntegration -Force

# Disable report feature
Disable-MbamReport

Note: there are no cmdlets for removing the databases, as these must be kept during an upgrade. If for some reason the databases must be deleted, this has to be done with SQL Server tools.

Examining setup logs

All MBAM features use the Windows event logs to record information, warnings and errors. To view the logs, open Event Viewer and browse to the following node:

Applications and Services Logs -> Microsoft -> Windows -> MBAM-Setup


To show the debug logs, click View -> Show Analytic and Debug Logs.
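The servicing-release sequence described above (remove features, apply the .msp, rerun the install scripts) and the log check can be chained into one script so an upgrade is a single rerun. This is an added example, not from the original post, shown for the web server role; the patch path, the script folder and the exact event log channel name (derived from the Event Viewer path above) are assumptions.

```powershell
# Added example: apply a servicing release on the MBAM web server and surface setup errors afterwards.
# 1) disable the features on this server, 2) apply the .msp silently, 3) rerun the unchanged install
# script, 4) list anything at Warning or above that MBAM setup wrote to its event log meanwhile.
param(
    [string] $PatchPath  = 'C:\Install\MBAM2.5_Server_x64_KB4014009.msp',   # assumed location
    [string] $ScriptRoot = 'C:\Install\MBAM'                                # assumed location
)
$ErrorActionPreference = 'Stop'
$started = Get-Date

# 1) Remove features (the databases stay; there is no cmdlet to remove them).
Disable-MbamWebApplication -AdministrationPortal -Force
Disable-MbamWebApplication -AgentService -Force
Disable-MbamWebApplication -SelfServicePortal -Force

# 2) Apply the servicing release: /p applies an .msp, /qn is silent, /l*v writes a verbose log.
$log = Join-Path $env:TEMP ('mbam-patch-{0:yyyyMMdd-HHmmss}.log' -f $started)
$p = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList "/p `"$PatchPath`" /qn /norestart /l*v `"$log`""
if ($p.ExitCode -notin 0, 3010) { throw "msiexec returned $($p.ExitCode); see $log" }
if ($p.ExitCode -eq 3010) { Write-Warning 'The patch requests a reboot; reboot before re-enabling features.' }

# 3) Rerun the same install script used for the initial installation.
& (Join-Path $ScriptRoot 'Add-MBAM-Websites.ps1')

# 4) Warnings (3), errors (2) and critical events (1) logged by MBAM setup since this script started.
# Channel name assumed from the Event Viewer path Microsoft -> Windows -> MBAM-Setup.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-MBAM-Setup/Admin'; Level = 1, 2, 3; StartTime = $started
} -ErrorAction SilentlyContinue
if ($events) { $events | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap }
else { Write-Host 'No warnings or errors logged by MBAM setup.' }
```

Run `Get-WinEvent -ListLog 'Microsoft-Windows-MBAM-Setup*'` once on the server to confirm the channel names before relying on the filter.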


I hope this blog helps clarify some of the questions on the MBAM setup process.