Sdílet prostřednictvím


MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies

Platí pro: Microsoft BitLocker Administration and Monitoring 2.5

Before starting the Ochrana koncového bodu Microsoft BitLocker (MBAM) installation, you must complete the prerequisites listed in this topic. These prerequisites apply to the MBAM Stand-alone topology and System Center Configuration Manager Integration topology.

If you are deploying MBAM with System Center Configuration Manager, you must complete additional prerequisites, which are listed in MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology.

For a list of the supported hardware and operating systems for MBAM, see MBAM 2.5 Supported Configurations.

Required MBAM roles and accounts

Prerequisite Details

Groups created in Active Directory Domain Services (AD DS)

See Planning for MBAM 2.5 Groups and Accounts for a description of these groups and accounts.

Prerequisites for the Recovery Database

Prerequisite Details

Supported version of SQL Server

Install Microsoft SQL Server with SQL_Latin1_General_CP1_CI_AS collation.

See MBAM 2.5 Supported Configurations for supported versions.

Required SQL Server permissions

Required permissions:

  • SQL Server instance login server roles:

    • dbcreator

    • processadmin

  • SQL Server Reporting Services instance rights:

    • Create Folders

    • Publish Reports

Optional - Install the Transparent Data Encryption (TDE) feature available in SQL Server

The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries.

Poznámka

TDE performs real-time decryption of database information. This means that, if you are viewing recovery key information in the SQL Server database and you are logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see MBAM 2.5 Security Considerations.

SQL Server Database Engine Services

SQL Server Database Engine Services must be installed and running during MBAM Server installation.

Windows PowerShell 3.0 or later

 

Operating system Windows PowerShell already installed on the operating system?

Windows 8
Windows Server 2012

Yes

Windows 7 SP1
Windows Server 2008 R2

No. See Installing Windows PowerShell for the download link and installation instructions.

Windows PowerShell does not have to be installed on the Recovery Database server if you are using Windows PowerShell to configure the database from a remote computer.

Prerequisites for the Compliance and Audit Database

Prerequisite Details

Supported version of SQL Server

Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation.

See MBAM 2.5 Supported Configurations for supported versions.

Required SQL Server permissions

Required permissions:

  • SQL Server instance login server roles:

    • dbcreator

    • processadmin

  • SQL Server Reporting Services instance rights:

    • Create Folders

    • Publish Reports

Optional - Install the Transparent Data Encryption (TDE) feature in SQL Server

The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries.

TDE performs real-time decryption of database information. This means that, if you are viewing recovery key information in the SQL Server database and you are logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see MBAM 2.5 Security Considerations.

SQL Server Database Engine Services

SQL Server Database Engine Services must be installed and running during MBAM Server installation. However, SQL Server can be running remotely; it doesn’t have to be on the same server on which you are installing the MBAM Server software.

Windows PowerShell 3.0 or later

 

Operating system Windows PowerShell already installed on the operating system?

Windows 8
Windows Server 2012

Yes

Windows 7 SP1
Windows Server 2008 R2

No. See Installing Windows PowerShell for the download link and installation instructions.

Windows PowerShell does not have to be installed on the Compliance and Audit Database server if you are using Windows PowerShell to configure the database from a remote computer.

Prerequisites for the Reports

Prerequisite Details

Supported version of SQL Server

Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation.

See MBAM 2.5 Supported Configurations for supported versions.

SQL Server Reporting Services (SSRS)

SSRS must be installed and running during the MBAM Server installation.

Configure SSRS in "native" mode and not in unconfigured or "SharePoint" mode.

SSRS instance rights – required for configuring Reports only if you are installing databases on a separate server from the server where Reports are configured.

Required instance rights:

  • Create Folders

  • Publish Reports

Windows PowerShell 3.0 or later

 

Operating system Windows PowerShell 3.0 already installed on the operating system?

Windows 8
Windows Server 2012

Yes

Windows 7 SP1
Windows Server 2008 R2

No. See Installing Windows PowerShell for the download link and installation instructions.

Windows PowerShell does not have to be installed on this Database server if you are using Windows PowerShell to configure the database from a remote computer.

Prerequisites for the Administration and Monitoring Server

The following table lists the installation prerequisites for the MBAM Administration and Monitoring Server.

Prerequisite Details

Windows Server Web Server Role

This role must be added to a server operating system that is supported for the Administration and Monitoring Server feature.

Web Server (IIS) Management Tools

Click IIS Management Scripts and Tools.

SSL Certificate

Optional. To secure communication between the client computers and the web services, you must obtain and install a certificate that a trusted security authority signed.

Web Server Role Services

Common HTTP Features:

  • Static Content

  • Default Document

Application Development:

  • ASP.NET

  • .NET Extensibility

  • ISAPI Extensions

  • ISAPI Filters

Security:

  • Windows Authentication

  • Request Filtering

Windows Server Features

.NET Framework 4.5 features:

  • .NET Framework 4.5

    • Windows Server 2012 or Windows Server 2012 R2 - .NET Framework 4.5 is already installed for these versions of Windows Server, but you must enable it.

    • Windows Server 2008 R2 - .NET Framework 4.5 is not included with Windows Server 2008 R2, so you must download Microsoft .NET Framework 4.5 and install it separately.

      Poznámka

      If you are upgrading from MBAM 2.0 or MBAM 2.0 SP1 and need to install .NET Framework 4.5, see Release Notes for MBAM 2.5 for an additional required step to make the websites work.

  • WCF Activation

    • HTTP Activation

    • Non-HTTP Activation



  • TCP Activation

Windows Process Activation Service:

  • Process Model

  • .NET Framework Environment

  • Configuration APIs

Service Principal Name (SPN)

The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See Setspn for information about the rights required to create SPNs.

If you do not have administrative rights to create SPNs, you must ask the Active Directory team to create the SPN for you by using the following command.

Setspn -s http/mbamvirtual contoso\mbamapppooluser

Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

In the code example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pools is contoso\mbamapppooluser.

Poznámka

If you are configuring the web applications on separate servers and are using different host names for each web application, you must create a separate SPN for each web application. If you are setting up Load Balancing, use a virtual host name, which must the same for both web applications.

For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see Planning How to Secure the MBAM Websites.

Prerequisites for the Self-Service Portal

Prerequisite Details

Supported version of Windows Server

See MBAM 2.5 Supported Configurations for supported versions.

ASP.NET MVC 4.0

ASP.NET MVC 4 download

Web Service IIS Management Tools

Service Principal Name (SPN)

The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See Setspn for information about the rights required to create SPNs.

If you do not have administrative rights to create SPNs, you must ask the Active Directory team to create the SPN for you by using the following command.

Setspn -s http/mbamvirtual contoso\mbamapppooluser
Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

In the code example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pools is contoso\mbamapppooluser.

Poznámka

If you are configuring the web applications on separate servers and are using different host names for each web application, you must create a separate SPN for each web application. If you are setting up Load Balancing, use a virtual host name, which must the same for both web applications.

For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see Planning How to Secure the MBAM Websites.

Prerequisites for the Management Workstation

Prerequisite Details

Before installing the MBAM Client, download the MBAM Group Policy Templates from How to Get MDOP Group Policy (.admx) Templates and configure them with the settings that you want to implement in your enterprise for BitLocker Drive Encryption.

Before installing the MBAM Client, do the following:

 

What to do Where to get instructions

Copy the MBAM Group Policy Templates

Copying the MBAM 2.5 Group Policy Templates

Edit the Group Policy settings

Editing the MBAM 2.5 Group Policy Settings

Got a suggestion for MBAM?

Add or vote on suggestions here. For MBAM issues, use the MBAM TechNet Forum.

Viz také

Koncepty

MBAM 2.5 Supported Configurations

Další materiály

Preparing your Environment for MBAM 2.5
Planning to Deploy MBAM 2.5