MBAM Database configuration – minimum permissions
Hello
It’s Rafal Sosnowski from Microsoft Dubai Security PFE Team. For some of my customers it is unclear what are required minimum permissions to install MBAM Database components. Some time ago I have done some analysis of this and want to share with you my findings.
Microsoft BitLocker Administration and Monitoring (MBAM) provides enterprise management capabilities for BitLocker and BitLocker To Go. MBAM simplifies deployment and key recovery, provides centralized compliance monitoring and reporting. For big enterprises that have or plan to have machines encrypted with Bitlocker – we recommend using MBAM.
MBAM works in client – server mode where MBAM agent installed on the end user laptops communicates with MBAM frontend (IIS) to send compliance data and Bitlocker recovery keys. Then this data is sent to MBAM backend (SQL) and stored there.
Since version 2.5 installation and configuration of MBAM components have been separated. To install MBAM binaries you just need to be local admin on the box. To configure these binaries, you need to have different permissions depending on the MBAM component you want to configure.
To configure MBAM 2.5 SP1 Database Components on your backend you have to have SQL Server 2008 R2 SP1 or higher and have following permissions on the SQL:
| Task executed by MBAM setup | Min. permissions required | Database affected |
| Create security logins and groups | securityadmin | master |
| Create databases | dbcreator | - |
| Check SQL Agent service * | processadmin | - |
| Create MBAM certificate from Master Key ** | sysadmin | master |
| Create job “CreateCache” (only MBAM 1.0 and 2.0) *** | sysadmin | msdb |
* only for MBAM 1.0 and 2.0. Setup was checking if the SQL Agent was started and start-up type was set to “Automatic”. This was required by the Job “CreateCache” described below.
** it was required during installation of MBAM 1.0. Since MBAM 2.0 it is optional task done manually in order to enable TDE (Transparent Data Encryption).
*** this job was used by SQL to refresh data for Enterprise Compliance Report every 6 hours. This job is no longer required since MBAM 2.5 because data is always up to date in all reports.
If you don’t have any of these permissions, you will see very generic error:
Now if you go to the Event Log and look at MBAM-Setup\Admin Log you will find more comprehensive error 401:
Exception:
Microsoft.Mbam.Setup.Common.SetupException: An error occurred deploying the Data Tier Application ---> System.Data.SqlClient.SqlException: User does not have permission to perform this action. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
If you don’t have enough permissions your installation will fail. Let’s see some examples of failing steps in SQL Profiler during MBAM installation (below trace is from MBAM 2.0):
Create logins (example 1):
Create logins (example 2):
Create logins (example 3):
Create job:
Of course if you don’t want to bother with all of these permissions you can simply assign sysadmin role to user which is configuring MBAM Database components – but in general it is not good practice to give sysadmin role to anyone.
So to summarize, in order to install and configure MBAM 2.5 SP1 you need following permissions:
Securityadmin and dbcreator.
Minimum required permissions to install MBAM 1.0 and 2.0 are : sysadmin
I hope it has been informative for you and see you soon.
Comments
- Anonymous
February 02, 2017
Rafał,Maybe you know when I trying to get recovery code as Helpdesk User, when I type domain/user login it saying me thats recovery key not found. When I use Advanced Helpdesk User (without typing domain/user) it works!What can be problem? - Anonymous
February 17, 2017
Probably different user is owner of the machine. Check existing user profiles on the machine to verify that