Share via


Planning for MBAM 2.0 Server Deployment

The Microsoft BitLocker Administration and Monitoring (MBAM) server infrastructure depends on a set of server features that can be installed on one or more server computers, based on the requirements of the enterprise. If you are installing Microsoft BitLocker Administration and Monitoring with the Configuration Manager topology, see Planning to Deploy MBAM with Configuration Manager.

Note   Installations of Microsoft BitLocker Administration and Monitoring on a single server are recommended only for test environments.

Planning for MBAM Server Deployment

The infrastructure for an MBAM Server deployment includes the following features:

  • Recovery Database

  • Compliance and Audit Database

  • Compliance and Audit Reports

  • Self-Service Portal

  • Administration and Monitoring Server

  • MBAM Group Policy Template

MBAM Server databases and features can be installed in different configurations, depending on your scalability requirements. All MBAM Server features can be installed on a single server or distributed across multiple servers. We recommend that you use a two-server configuration for production environments, although configurations of two to four servers can also be used, depending on your computing requirements.

Each MBAM feature has specific prerequisites. For a full list of server feature prerequisites and hardware and software requirements, see MBAM 2.0 Deployment Prerequisites and MBAM 2.0 Supported Configurations.

In addition to the server-related MBAM features, the Server Setup application includes an MBAM Group Policy template. The template contains Group Policy Object (GPO) settings that you configure to manage BitLocker Drive Encryption in the enterprise. You can install this template on any computer that can run the Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM).

As you plan the MBAM Server deployment, consider that BitLocker recovery keys in MBAM are intended for single use only, after which recovery keys expire. In order for the keys to expire after use, they must be retrieved through the Help Desk Portal or the Self-Service Portal.

Order of Deployment of MBAM Server Features

To deploy MBAM features on multiple servers, you have to install the features in the following order:

  1. Recovery Database

  2. Compliance and Audit Database

  3. Compliance Audit and Reports

  4. Self-Service Portal

  5. Administration and Monitoring Server

  6. MBAM Group Policy Template

Note   Keep track of the names of the computers on which you install each feature. You have to use this information throughout the installation process. You can print and use a deployment checklist to assist in this effort. For more information about the MBAM Deployment Checklist, see MBAM 2.0 Deployment Checklist.

Planning to Deploy MBAM 2.0

Deploying the MBAM 2.0 Server Infrastructure