High-Level Architecture of MBAM 2.5 with Configuration Manager Integration Topology
Applies to: Microsoft BitLocker Administration and Monitoring 2.5
This topic describes the recommended architecture for deploying Microsoft BitLocker Administration and Monitoring (MBAM) with the Configuration Manager Integration topology. This topology integrates MBAM with System Center Configuration Manager. To deploy MBAM with the Stand-alone topology, see High-Level Architecture of MBAM 2.5 with Stand-alone Topology.
For a list of the supported versions of the software mentioned in this topic, see MBAM 2.5 Supported Configurations.
Important
Windows To Go is not supported for the Configuration Manager Integration topology installation when you are using Configuration Manager 2007.
Recommended number of servers and supported number of clients
The recommended number of servers and supported number of clients in a production environment is as follows:
Recommended architecture | Details |
---|---|
Number of servers and other computers | Three servers, one workstation |
Number of client computers supported | 500,000 |
Differences between Configuration Manager Integration and Stand-alone topologies
The main differences between the topologies are:
The compliance and reporting features are removed from MBAM and are accessed from Configuration Manager.
Reports are viewed from the Configuration Manager Management Console, with the exception of the Recovery Audit Report, which you continue to view from the MBAM Administration and Monitoring Website.
Recommended MBAM high-level architecture with the Configuration Manager Integration topology
The following diagram and table describe the recommended high-level architecture for MBAM with the Configuration Manager Integration topology. MBAM multi-forest deployments require a one-way or two-way trust. One-way trusts require that the server domain trusts the client domain.
Server | Features to configure on this server | Description |
---|---|---|
Database Server | Recovery Database | This feature is configured on a computer running Windows Server and a supported SQL Server instance. The Recovery Database stores recovery data that is collected from MBAM Client computers. |
Database Server | Audit Database | This feature is configured on a computer running Windows Server and a supported SQL Server instance. The Audit Database stores audit activity data that is collected from client computers that have accessed recovery data. |
Database Server | Reports | This feature is configured on a computer running Windows Server and a supported SQL Server instance. The Reports provide recovery audit data for the client computers in your enterprise. You can view reports from the Configuration Manager console or directly from SQL Server Reporting Services. |
Configuration Manager Primary Site Server | System Center Configuration Manager Integration feature | |
Administration and Monitoring Server | Administration and Monitoring Website | This feature is configured on a computer running Windows Server. The Administration and Monitoring Website is used to: |
Administration and Monitoring Server | Self-Service Portal | This feature is configured on a computer running Windows Server. The Self-Service Portal is a website that enables end users on client computers to independently log on to a website to get a recovery key if they lose or forget their BitLocker password. |
Administration and Monitoring Server | Monitoring web services for this website | This feature is installed on a computer running Windows Server. The monitoring web services are used by the MBAM Client and the websites to communicate to the database. |
Management Workstation | MBAM Group Policy Templates | |
MBAM Client and Configuration Manager Client computer | MBAM Client software | The MBAM Client: |
MBAM Client and Configuration Manager Client computer | Configuration Manager Client | The Configuration Manager Client enables Configuration Manager to collect hardware compatibility data about the client computers and report compliance information. |
Differences in MBAM deployment for supported Configuration Manager versions
When you deploy MBAM with the Configuration Manager Integration topology, you can install MBAM on a primary site server. However, the MBAM installation works differently for System Center 2012 Configuration Manager and Configuration Manager 2007.
Configuration Manager version | Description |
---|---|
System Center 2012 R2 Configuration Manager, System Center 2012 Configuration Manager | If you install MBAM on a primary site server or on a central administration server, MBAM performs all of the installation actions on that site server. |
Configuration Manager 2007 R2, Configuration Manager 2007 | If you install MBAM on a primary site server that is part of a larger Configuration Manager hierarchy with a central site parent server, MBAM identifies the central site parent server and performs all of the installation actions on that parent server. The installation includes checking prerequisites and installing the Configuration Manager objects and reports. For example, if you install MBAM on a primary site server that is a child of a central site parent server, MBAM installs all of the Configuration Manager objects and reports on the parent server. If you install MBAM on the parent server, MBAM performs all of the installation actions on that parent server. |
How MBAM works with Configuration Manager
The integration of MBAM with Configuration Manager is based on a configuration pack that installs the items described in the following table.
Items installed into Configuration Manager | Description |
---|---|
Configuration data | The configuration data installs a configuration baseline, called “BitLocker Protection,” which contains two configuration items: The configuration baseline is deployed to the MBAM Supported Computers collection, which is also created when MBAM is installed. The two configuration items provide the basis for evaluating the compliance status of the client computers. This information is captured, stored, and evaluated in Configuration Manager. The configuration items are based on the compliance requirements for operating system drives and fixed data drives. The required details for the deployed computers are collected so that the compliance for those drive types can be evaluated. By default, the configuration baseline evaluates the compliance status every 12 hours and sends the compliance data to Configuration Manager. |
MBAM Supported Computers collection | MBAM creates a collection that is called MBAM Supported Computers. The configuration baseline is targeted to client computers that are in this collection. This is a dynamic collection. By default, it runs every 12 hours and evaluates membership, based on three criteria: The collection is evaluated against all computers and a subset of compatible computers is created, which provides the basis for compliance evaluation and reporting for the MBAM integration. |
Reports | When you configure MBAM with the Configuration Manager Integration topology, you view all reports in Configuration Manager, except the Recovery Audit Report, which you continue to view in the MBAM Administration and Monitoring Website. The reports available in Configuration Manager are: |
See also:
High-Level Architecture of MBAM 2.5 with Stand-alone Topology
Illustrated Features of an MBAM 2.5 Deployment