Converting a Stand-alone Architecture to Config Manager Integrated

    Question

  • We are currently planning an MBAM 2.5 proof of concept in our organization.  We have split roles (myself in security; infrastructure; and platform), which is the reasoning behind my question. Our platform team, which owns Config Manager, doesn't have a lot of spare time.  I would like to get started on this POC as soon as possible, so I am wondering:

    Is it possible to take a stand-alone architecture (2-server design: SQL DB server and Administration and Monitoring server) and later down the road integrate Config Manager into the mix?  If so, how much extra work would it be to go this route, or is it basically setting up Config Manager and fairly straightforward?

    My reasoning behind this is that if this isn't too much rework, we can stand up MBAM and test in a stand-alone environment, then once time permits, we can integrate Config Manager, swap over reporting to there, and continue testing with a full-blown collection build.

    Thanks in advance, any help is greatly appreciated.

    Wednesday, July 09, 2014 6:53 PM

Answers

  • Hi,

    Here are the main steps to achieve this:

    1. Install MBAM 2.5 in your SCCM primary site with the prerequisites
    2. Rerun MBAM 2.5 setup on the Administration and Monitoring Server with CCM integration
    3. Change your GPO to point the Reporting service endpoint to CCM

    Keep in mind that you will lose the reporting; indeed, it is not possible to migrate the data to the CCM DB. You will need to wait for the next reporting cycle through the CCM agent.

    Regards,


    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/

    Thursday, July 10, 2014 7:35 AM
  • If you go to CM integrated later, you will lose all of your compliance data that you have accrued.  It will repopulate in CM instead of standalone as machines check in.  When you make the switch, back up your compliance data from SSRS in standalone so that you can use it if you need to while you wait for machines to check into CM.

    @GlennHoppy,

    You can install MBAM on machines that are already encrypted.  The first time MBAM wakes up, it will reset and re-escrow the key to get it into a known good state.  There is no negative impact.  The only time a user would see a popup is if they were out of compliance with your policies.  Make sure that you remove any BitLocker policies you have and only configure the BitLocker policies via the MBAM GPO node, or you will have problems.

    Monday, July 14, 2014 2:39 PM
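The advice above to back up the stand-alone compliance data before switching can be scripted with SSRS URL access, which renders a report straight to CSV without touching the MBAM databases. The PowerShell below is an added example, not code from this thread. It assumes a hypothetical report server URL (http://reports.contoso.local/ReportServer), the default MBAM report folder name "Malta Compliance Reports", and the report names as they are shown in Report Manager; verify all three in your own Report Manager before running it. A report that requires a parameter without a default will return an error from SSRS; in that case append `&ParameterName=value` to the URL, following the standard URL-access syntax.

```powershell
<#
 Added example, not from the thread. Exports the stand-alone MBAM compliance reports to CSV
 via SSRS URL access before the switch to the ConfigMgr-integrated topology.
 Assumptions (verify in Report Manager): report server URL (hypothetical below), the folder
 name 'Malta Compliance Reports', and the report names listed. The account running this needs
 Browse rights on that folder; -UseDefaultCredentials passes the current Windows identity.
#>
param(
    [string]$ReportServerUrl = 'http://reports.contoso.local/ReportServer',   # hypothetical
    [string]$OutDir          = 'C:\MBAM-Backup'
)

$folder  = '/Malta Compliance Reports'          # default MBAM SSRS folder; check yours
$reports = @(
    'Enterprise Compliance Report',
    'Computer Compliance Report',
    'Recovery Audit Report'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

foreach ($name in $reports) {
    # URL access syntax: <ReportServer>?/<folder>/<report>&rs:Command=Render&rs:Format=CSV
    # Spaces in the item path are percent-encoded; the slashes stay as they are.
    $itemPath = ("$folder/$name") -replace ' ', '%20'
    $url      = "$ReportServerUrl?$itemPath&rs:Command=Render&rs:Format=CSV"
    $file     = Join-Path $OutDir (($name -replace '\s', '') + "-$stamp.csv")

    try {
        Invoke-WebRequest -Uri $url -UseDefaultCredentials -OutFile $file -ErrorAction Stop
        "Saved   $file"
    } catch {
        # Typical causes: wrong folder/report name (404), missing Browse rights (401),
        # or a report parameter with no default value (rsParameterTypeMismatch / 400).
        "FAILED  $name : $($_.Exception.Message)"
    }
}
```

Run it once right before step 2 of the migration and keep the CSVs with the POC records; they are the only copy of the stand-alone compliance history, since the data is not migrated to the ConfigMgr database.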

All replies

  • Hi,

    There is no need to start directly with SCCM integrated; you can add this option later. The only thing that changes is how you do your reporting.

    BTW, the GPO setting for reporting should be disabled, according to the documentation, when you integrate with ConfigMgr, as the MBAM client does not do the reporting; the SCCM agent does.

    /Oliver


    • Edited by SoftD Thursday, July 10, 2014 1:46 PM
    Thursday, July 10, 2014 1:44 PM
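The migration steps in the accepted answer and Oliver's note about the reporting setting come down to one client-side question: which endpoints is the MBAM client actually being handed by policy, and is anything reporting at all? The PowerShell below is an added example, not code from this thread. Run elevated on a managed client, it reads the effective MBAM policy, checks it against the topology you expect, probes the endpoints, shows the latest MBAM client events and, for the ConfigMgr topology, triggers the hardware inventory cycle so you do not have to wait for the next scheduled one. The registry path and value names (HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement with KeyRecoveryServiceEndPoint and StatusReportingServiceEndPoint), the service names MBAMAgent and CcmExec, the event log name Microsoft-Windows-MBAM/Admin and the hardware inventory schedule ID are assumptions based on the MBAM 2.5 ADMX and the ConfigMgr client; confirm them against the templates and documentation you deploy.

```powershell
<#
 Added example, not from the thread. Run elevated on an MBAM 2.5 client.
 Assumptions (verify against your ADMX / documentation):
   - MBAM policy values live under HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
     as KeyRecoveryServiceEndPoint and StatusReportingServiceEndPoint.
   - MBAM client service = MBAMAgent, ConfigMgr client service = CcmExec.
   - MBAM client event log = Microsoft-Windows-MBAM/Admin.
   - {00000000-0000-0000-0000-000000000001} = ConfigMgr client Hardware Inventory Cycle.
#>
param(
    [ValidateSet('Standalone', 'ConfigMgr')]
    [string]$ExpectedTopology = 'Standalone',
    [switch]$TriggerInventory
)

$policyKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$policy           = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$recoveryEndpoint = $policy.KeyRecoveryServiceEndPoint
$statusEndpoint   = $policy.StatusReportingServiceEndPoint

function Test-EndpointTcp {
    # Cheap reachability check: TCP connect to the host and port named in the endpoint URL.
    param([string]$Url)
    if (-not $Url) { return $false }
    $uri    = [Uri]$Url
    $result = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    return [bool]$result.TcpTestSucceeded
}

$findings = New-Object System.Collections.Generic.List[string]

# Key escrow is needed in both topologies; without it BitLocker is unmanaged, not just unreported.
if (-not $recoveryEndpoint) {
    $findings.Add('FAIL: KeyRecoveryServiceEndPoint not set; recovery keys are not being escrowed.')
} elseif (-not (Test-EndpointTcp $recoveryEndpoint)) {
    $findings.Add("FAIL: cannot reach recovery endpoint $recoveryEndpoint")
}

switch ($ExpectedTopology) {
    'Standalone' {
        # Stand-alone: the MBAM agent itself posts compliance to the Status Reporting service.
        if (-not $statusEndpoint) {
            $findings.Add('FAIL: StatusReportingServiceEndPoint not set; no compliance data will reach the MBAM compliance database.')
        } elseif (-not (Test-EndpointTcp $statusEndpoint)) {
            $findings.Add("FAIL: cannot reach status reporting endpoint $statusEndpoint")
        }
    }
    'ConfigMgr' {
        # Integrated: the ConfigMgr client reports through hardware inventory, so the MBAM
        # reporting setting should be disabled in the GPO (Oliver's point above).
        if ($statusEndpoint) {
            $findings.Add("WARN: StatusReportingServiceEndPoint still set ($statusEndpoint); disable MBAM status reporting in the GPO for the ConfigMgr topology.")
        }
        if (-not (Get-Service -Name CcmExec -ErrorAction SilentlyContinue)) {
            $findings.Add('FAIL: ConfigMgr client (CcmExec) not installed; nothing will report compliance.')
        }
    }
}

$agent = Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue
if (-not $agent) {
    $findings.Add('FAIL: MBAM client service (MBAMAgent) not installed.')
} elseif ($agent.Status -ne 'Running') {
    $findings.Add("WARN: MBAMAgent is $($agent.Status).")
}

# Recent MBAM client events: escrow and policy errors show up here first.
$events = Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Admin' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

if ($TriggerInventory -and $ExpectedTopology -eq 'ConfigMgr') {
    # Hardware Inventory Cycle: the "reporting cycle through the CCM agent" the answer refers to.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList '{00000000-0000-0000-0000-000000000001}' | Out-Null
    $findings.Add('INFO: ConfigMgr hardware inventory cycle triggered.')
}

[pscustomobject]@{
    ExpectedTopology = $ExpectedTopology
    RecoveryEndpoint = $recoveryEndpoint
    StatusEndpoint   = $statusEndpoint
    Findings         = if ($findings.Count) { $findings -join "`n" } else { 'OK' }
}
$events | Format-Table -AutoSize
```

Run it with `-ExpectedTopology Standalone` during the POC and again with `-ExpectedTopology ConfigMgr -TriggerInventory` on a pilot machine right after the GPO change in step 3; a clean result in the second run, followed by the machine appearing in the ConfigMgr reports, is the sign that the switch worked on that client.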
  • Thanks guys, I appreciate the feedback.

    From the documentation I have researched so far, the overall configuration doesn't appear to be too much work at all, so a complete rework doesn't scare me too badly, seeing as how it's a throwaway POC anyway.  It is nice to hear, though, that integrating Config Manager later isn't a big deal.

    thanks again!!!!

    Thursday, July 10, 2014 2:07 PM
  • Hi everyone,

    I have a question regarding an already implemented BitLocker "home grown" method.  BitLocker was implemented using scripts and manage-bde.exe.  All the keys are stored in a secure location on a file share, and a scheduled task runs every Monday to report on status.  This does not work well with our Compliance dept., as the reporting is... well, archaic.  We are migrating from SCCM 2007 to 2012 this year.  I would like to implement MBAM 2.5 and then integrate into SCCM later.

    Are there any repercussions to implementing MBAM on machines that are already configured with BitLocker?  I guess I'm not familiar enough to know whether it will negatively impact BitLocker, as it has already checked in with the TPM and created the recovery keys.  Can MBAM recreate the keys and reconfigure the TPM via GPO without any negative impact?

    Any help or suggestions would be greatly appreciated.

    Thanks!

    Friday, July 11, 2014 5:48 PM
  • Is this a true statement?

    "If a machine is already BitLocker-encrypted before the MBAM client is installed, then when the MBAM client is installed, the recovery key is extracted from the machine’s local store and sent to the MBAM SQL Server database."

    If that's the case, then I guess it answered my own question.  Thanks!

    http://windowsitpro.com/security/q-if-i-deploy-microsoft-bitlocker-administration-and-monitoring-client-machine-already-encr

    Friday, July 11, 2014 7:59 PM
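Before rolling the MBAM client onto machines that were encrypted by hand with manage-bde, it is worth recording exactly what BitLocker state each machine is in, so that the re-escrow described in the answers can be compared against the keys already held on the file share. The PowerShell below is an added example, not code from this thread. It uses the BitLocker and TPM WMI providers rather than the BitLocker PowerShell module, so it also runs on Windows 7, and it lists any BitLocker policy values set outside the MBAM GPO node, which the answer says should be removed. The key protector type codes and status codes are taken from the Win32_EncryptableVolume documentation and are stated in the header as assumptions to check.

```powershell
<#
 Added example, not from the thread. Run elevated before deploying the MBAM 2.5 client to
 machines already encrypted with manage-bde. Uses the BitLocker and TPM WMI providers so it
 also works on Windows 7, which has no BitLocker PowerShell module.
 Assumptions: key protector type codes follow Win32_EncryptableVolume.GetKeyProtectorType
 (1 TPM, 2 external key, 3 numerical/recovery password, 4 TPM+PIN, 5 TPM+startup key,
 6 TPM+PIN+startup key, 7 public key, 8 passphrase); ProtectionStatus 1 = on;
 ConversionStatus 1 = fully encrypted.
#>
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'RecoveryPassword'; 4 = 'TPM+PIN'
    5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey'; 7 = 'PublicKey'; 8 = 'Passphrase'
}
$conversionNames = @{
    0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused'
}

# TPM state as the OS sees it: an OS drive protected by TPM needs it enabled, activated and owned.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
$tpmState = if ($tpm) {
    [pscustomobject]@{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
} else { 'No TPM visible to the OS' }

$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume

$volumeReport = foreach ($v in $volumes) {
    $ids   = @($v.GetKeyProtectors(0).VolumeKeyProtectorID)    # 0 = every protector type
    $types = foreach ($id in $ids) {
        if ($id) { $protectorNames[[int]$v.GetKeyProtectorType($id).KeyProtectorType] }
    }
    $conv = $v.GetConversionStatus()
    [pscustomobject]@{
        Drive               = $v.DriveLetter
        ProtectionOn        = ($v.GetProtectionStatus().ProtectionStatus -eq 1)
        Conversion          = $conversionNames[[int]$conv.ConversionStatus]
        PercentEncrypted    = $conv.EncryptionPercentage
        Protectors          = ($types -join ', ')
        HasRecoveryPassword = [bool]($types -contains 'RecoveryPassword')
    }
}

# BitLocker GPO values outside the MBAM node (the MBAM node is the MDOPBitLockerManagement
# subkey). Per the answer above, BitLocker should be configured only through the MBAM GPO node.
$fveKey       = Get-Item 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$legacyPolicy = if ($fveKey) { @($fveKey.GetValueNames()) } else { @() }

$tpmState
$volumeReport | Format-Table -AutoSize
if ($legacyPolicy.Count) {
    "WARN: BitLocker policy values present under HKLM\SOFTWARE\Policies\Microsoft\FVE: $($legacyPolicy -join ', ')"
}
$volumeReport | Where-Object { $_.ProtectionOn -and -not $_.HasRecoveryPassword } | ForEach-Object {
    "WARN: $($_.Drive) is protected but has no recovery password protector; note this before MBAM re-escrows so the before/after state can be compared."
}
```

Capturing this output from a sample of machines, together with the recovery passwords currently on the file share, gives a baseline: after the MBAM client has been in place for one wake-up cycle, the same script should show a recovery password protector on every protected volume, and the MBAM Administration and Monitoring site should return a key for it.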
  • Awesome!  We currently have no policies set so this should be a straightforward implementation of MBAM.

    Thanks for the reply and info!

    Monday, July 14, 2014 3:52 PM