MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies
Platí pro: Microsoft BitLocker Administration and Monitoring 2.5
Before starting the Ochrana koncového bodu Microsoft BitLocker (MBAM) installation, you must complete the prerequisites listed in this topic. These prerequisites apply to the MBAM Stand-alone topology and System Center Configuration Manager Integration topology.
If you are deploying MBAM with System Center Configuration Manager, you must complete additional prerequisites, which are listed in MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology.
For a list of the supported hardware and operating systems for MBAM, see MBAM 2.5 Supported Configurations.
Required MBAM roles and accounts
Prerequisite | Details |
---|---|
Groups created in Active Directory Domain Services (AD DS) |
See Planning for MBAM 2.5 Groups and Accounts for a description of these groups and accounts. |
Prerequisites for the Recovery Database
Prerequisite | Details | ||||||
---|---|---|---|---|---|---|---|
Supported version of SQL Server |
Install Microsoft SQL Server with SQL_Latin1_General_CP1_CI_AS collation. See MBAM 2.5 Supported Configurations for supported versions. |
||||||
Required SQL Server permissions |
Required permissions:
|
||||||
Optional - Install the Transparent Data Encryption (TDE) feature available in SQL Server |
The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries. Poznámka TDE performs real-time decryption of database information. This means that, if you are viewing recovery key information in the SQL Server database and you are logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see MBAM 2.5 Security Considerations. |
||||||
SQL Server Database Engine Services |
SQL Server Database Engine Services must be installed and running during MBAM Server installation. |
||||||
Windows PowerShell 3.0 or later |
Windows PowerShell does not have to be installed on the Recovery Database server if you are using Windows PowerShell to configure the database from a remote computer. |
Prerequisites for the Compliance and Audit Database
Prerequisite | Details | ||||||
---|---|---|---|---|---|---|---|
Supported version of SQL Server |
Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation. See MBAM 2.5 Supported Configurations for supported versions. |
||||||
Required SQL Server permissions |
Required permissions:
|
||||||
Optional - Install the Transparent Data Encryption (TDE) feature in SQL Server |
The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries. TDE performs real-time decryption of database information. This means that, if you are viewing recovery key information in the SQL Server database and you are logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see MBAM 2.5 Security Considerations. |
||||||
SQL Server Database Engine Services |
SQL Server Database Engine Services must be installed and running during MBAM Server installation. However, SQL Server can be running remotely; it doesn’t have to be on the same server on which you are installing the MBAM Server software. |
||||||
Windows PowerShell 3.0 or later |
Windows PowerShell does not have to be installed on the Compliance and Audit Database server if you are using Windows PowerShell to configure the database from a remote computer. |
Prerequisites for the Reports
Prerequisite | Details | ||||||
---|---|---|---|---|---|---|---|
Supported version of SQL Server |
Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation. See MBAM 2.5 Supported Configurations for supported versions. |
||||||
SQL Server Reporting Services (SSRS) |
SSRS must be installed and running during the MBAM Server installation. Configure SSRS in "native" mode and not in unconfigured or "SharePoint" mode. |
||||||
SSRS instance rights – required for configuring Reports only if you are installing databases on a separate server from the server where Reports are configured. |
Required instance rights:
|
||||||
Windows PowerShell 3.0 or later |
Windows PowerShell does not have to be installed on this Database server if you are using Windows PowerShell to configure the database from a remote computer. |
Prerequisites for the Administration and Monitoring Server
The following table lists the installation prerequisites for the MBAM Administration and Monitoring Server.
Prerequisite | Details |
---|---|
Windows Server Web Server Role |
This role must be added to a server operating system that is supported for the Administration and Monitoring Server feature. |
Web Server (IIS) Management Tools |
Click IIS Management Scripts and Tools. |
SSL Certificate |
Optional. To secure communication between the client computers and the web services, you must obtain and install a certificate that a trusted security authority signed. |
Web Server Role Services |
Common HTTP Features:
Application Development:
Security:
|
Windows Server Features |
.NET Framework 4.5 features:
Windows Process Activation Service:
|
Service Principal Name (SPN) |
The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools. If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See Setspn for information about the rights required to create SPNs. If you do not have administrative rights to create SPNs, you must ask the Active Directory team to create the SPN for you by using the following command.
In the code example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pools is contoso\mbamapppooluser. Poznámka If you are configuring the web applications on separate servers and are using different host names for each web application, you must create a separate SPN for each web application. If you are setting up Load Balancing, use a virtual host name, which must the same for both web applications. For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see Planning How to Secure the MBAM Websites. |
Prerequisites for the Self-Service Portal
Prerequisite | Details |
---|---|
Supported version of Windows Server |
See MBAM 2.5 Supported Configurations for supported versions. |
ASP.NET MVC 4.0 |
|
Web Service IIS Management Tools |
|
Service Principal Name (SPN) |
The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools. If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See Setspn for information about the rights required to create SPNs. If you do not have administrative rights to create SPNs, you must ask the Active Directory team to create the SPN for you by using the following command.
In the code example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pools is contoso\mbamapppooluser. Poznámka If you are configuring the web applications on separate servers and are using different host names for each web application, you must create a separate SPN for each web application. If you are setting up Load Balancing, use a virtual host name, which must the same for both web applications. For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see Planning How to Secure the MBAM Websites. |
Prerequisites for the Management Workstation
Prerequisite | Details | ||||||
---|---|---|---|---|---|---|---|
Before installing the MBAM Client, download the MBAM Group Policy Templates from How to Get MDOP Group Policy (.admx) Templates and configure them with the settings that you want to implement in your enterprise for BitLocker Drive Encryption. |
Before installing the MBAM Client, do the following:
|
Got a suggestion for MBAM?
Add or vote on suggestions here. For MBAM issues, use the MBAM TechNet Forum.
Viz také
Koncepty
MBAM 2.5 Supported Configurations
Další materiály
Preparing your Environment for MBAM 2.5
Planning to Deploy MBAM 2.5