How to install MBAM 2.0 with ConfigMgr Integration

One of the new features of MBAM 2.0 is the ability to integrate with ConfigMgr. This allows the ConfigMgr client to report compliance data into ConfigMgr for a better reporting experience than was available in MBAM 1.0. The downside is that compliance data is only retained for the same period of time as hardware inventory data so some are opting for hybrid installations which I’ll cover in a later blog.

This blog assumes you are on ConfigMgr 2012 without a CAS and you have already configured a SQL server for the MBAM databases and another for the MBAM web based roles. In MBAM 1.0 a requirement was that you use SQL Server Enterprise Edition and enable TDE for real-time encryption of the SQL database however SQL Standard is now supported because TDE is not required. I always recommend placing SQL locally on the ConfigMgr primary site server. I’d suggest you not use the ConfigMgr server for the MBAM databases, mainly for performance reasons, however it is supported to do so. For the most secure installation you should install the MBAM web components on a dedicated server.

To get started we first need to edit the configuration.mof file then add some custom classes to hardware inventory.

1. You can grab the mof edits from TechNet and save them as configuration.mof and sms_def.mof on the ConfigMgr primary site server.

2. On the ConfigMgr primary site server browse to <CMInstallLocation>\Inboxes\clifiles.src\hinv\ and open the configuration.mof file using notepad.

3. Copy the contents of configuration.txt from the files attached to this blog and append that info to the end of your configuration.mof file and save it.

4. To add the MBAM classes to hardware inventory open the ConfigMgr console go to Administration>Client Settings, Properties of the default client agent settings then Hardware Inventory.

5. Click set classes and then import, browse to the sms_def.mof file you saved earlier. Ensure the MBAM classes are displayed to be imported, click Import then click ok.

clip_image001

Enable reporting for the Win32_TPM Spec Version before exiting the default client agent settings.

clip_image002

If you haven’t already done so you’ll need to download MDOP 2013 from MVLS before proceeding. Extract the MBAM\Installers\2.0 directory to your ConfigMgr primary site server, your MBAM SQL Server and your MBAM Web server or place them on a network share.

1. Review the permissions required to install MBAM on Technet and ensure appropriate permissions have been granted before getting started.

2. Run MBAM\Installers\2.0\x64\mbamsetup.exe on your ConfigMgr primary site server.

3. On the Welcome screen click Start, accept the license agreement and click Next.

4. On the Topology Selection screen select “System Center Configuration Manager Integration” and click Next.

5. On the Features to install screen select only Configuration Manager Integration, Audit Reports and Policy Template then click Next. (I am assuming the GPMC is installed on the ConfigMgr server.)

6. Review and remediate and failed prerequisites (I had to install ASP.net MVC 2.0 and rerun the prereq checker) then click Next.

7. On the Configure network communication security page you have the option to use a certificate to encrypt network traffic. Make the selection that fits best in your environment and click Next.

8. On the Configure the location of the Compliance Status Database screen enter the name of the SQL server that will host the database, leave the default database name then click Next.

9. On the Configure the Compliance and Audit Reports screen enter the name of the server that hosts your ConfigMgr SSRS reporting instance, provide a username and password that can be used to access that instance then click Next.

10. Choose whether or not you’d like to opt into Microsoft updates then click Next.

11. Click Install.

clip_image004

1. Run MBAM\Installers\2.0\x64\mbamsetup.exe on your MBAM SQL server.

2. On the Welcome screen click Start, accept the license agreement and click Next.

3. On the Topology Selection screen select “System Center Configuration Manager Integration” and click Next.

4. On the Features to install screen select only the Recovery Database and the Audit Database then click Next.

5. Provide the name of your ConfigMgr server on the Provide account used to access the MBAM databases then click Next.

6. On the Provide the user account to access the Compliance Status database enter a user account that has permissions to SQL.

7. On the Configure the Recovery database screen you can change the location of the SQL data and log files if you’d like then click Next.

8. On the Configure the Compliance and Audit database screen you can change the location of the SQL data and log files if you’d like then click Next.

9. Choose whether or not you’d like to opt into Microsoft updates then click Next.

10. Click Install.

clip_image006

1. Run MBAM\Installers\2.0\x64\mbamsetup.exe on your MBAM Self Service Web server.

2. On the Welcome screen click Start, accept the license agreement and click Next.

3. On the Topology Selection screen select “System Center Configuration Manager Integration” and click Next.

4. On the Features to install screen select only the Self Service Server and the Administration and Monitoring Server then click Next.

5. If you see the Configure network communication security screen just click Next.

6. On the Configure the location of the Compliance Status Database enter the name of your MBAM SQL server, leave the default Database name then click Next.

7. On the Configure the location of the Recovery Database enter the name of your MBAM SQL server, leave the default Database name then click Next.

8. On the Configure the Compliance and Audit Reports screen enter the URL to your ConfigMgr SSRS instance, click Test. Once you have successfully tested the URL click Next.

9. On the Configure the Self-Service Portal screen accept the defaults and click Next.

10. On the Configure the Administration and Monitoring screen accept the defaults and click Next.

11. Choose whether or not you’d like to opt into Microsoft updates then click Next.

12. Click Install.

clip_image008

You have now successfully completed the installation of the MBAM server components. Keep an eye out for a follow-up blog post detailing the next steps required to ensure your clients are properly configured for MBAM.

email

Written by , Posted .
  • jamescavery

    John, have you finished detailing the next steps? Very interested in what you have so far. BTW, Great Article!

  • Shawn Dunham

    John – thanks for posting this article! I am experiencing an issue where my canned MBAM reports and baselines are now on my primary site server. But when I attempt to run a report, I get zero data to populate? Have you had experience with this issue? Thanks again!