Use PowerShell scripts to install/upgrade MBAM

This post is a follow up to my “Managing BitLocker using MBAM” session at the Midwest Management Summit 2017 (MMS).

In this post I will try to explain the installation process a bit more in detail, and why I use PowerShell for the installation.

Installing Microsoft BitLocker Administration and Monitoring (MBAM)

When installing MBAM the first thing to do is to run the MbamServerSetup.exe installer which contains the MBAM 2.5 SP1 installer components. This installer installs the PowerShell modules that are used by the MBAM Configuration wizard which is used to install the actual MBAM features such as databases, web services and reports.

One thing that I have seen go wrong for may IT admins attempting to install MBAM for the first time, is the fact that the server setup allows you to launch the roles wizard after installation.

2016-08-29 12_13_54-Greenshot

Do NOT run the wizard yet, if you do so you will install using the RTM version, and not the latest version.

Applying MBAM servicing releases

Before installing the MBAM features, the latest servicing release needs to be applied, as this will update the MBAM Configuration wizard and the underlying PowerShell modules and binaries.

The latest servicing release (while writing this post) is the March 2017, which can be downloaded from here:

After applying the MBAM2.5_Server_x64_KB4014009.msp the MBAM Configuration wizard can be launched from the start menu.

2017-05-29 11_01_24-MBAM01

Adding MBAM features

Depending on infrastructure requirements and the MBAM topology selected for the implementation, MBAM features needs to be installed and configured on different servers. This requires installing and patching the MbamServerSetup.exe on each server. before adding features.

Once the MBAM Configuration wizard is installed and patched, it is time to add the needed roles:

For this I recommend using the PowerShell modules directly, as opposed to using the wizard. The reason for this is the fact that every time a new service release is released, it is necessary to remove all MBAM features (database is left untouched) and install/configure again after applying the service release. Reason for this is the fact that only the wizard and underlying binaries are touched by the update.

By using PowerShell, this process becomes much simpler and less time consuming, as the scripts can simply be rerun to install and configure components again.

In my lab I have MBAM installed in a hybrid topology, where compliance is reported to both the MBAM database (stand-alone topology) and Configuration Manager HW Inventory (CM integrated topology).

I have created a DNS A-record ( that points to the IP of the IIS server that hosts the MBAM web services. This allows easier conversion to a high-availability scenario later, without having to reconfigure endpoints for all clients.

The SSL certificate is issued against the a-record, and installed in the IIS servers private certificate store.

Installing database components

In my lab I have placed the DBs on the ConfigMgr server, but in a real-world environment I always try to put the databases on a HA (SQL Always ON) Cluster.

The following script can be used for installing the MBAM databases:

The Configuration Manger integration consist of collections, Configuration Items, Baseline and reports.

To install these use the following script:

Install Web Services

In my Lab I have all web services on a single server, these can be split up or duplicated in a HA scenario.

To install the web services use the following script:

Testing scripts before installing

The MBAM CmdLets allow for testing of pre-requisites etc. before running the actual Enable CmdLets. To do this simply replace Enable- with Test- and run the scripts.

Remove features before applying service release

Before applying a service release, remove any installed features by running the appropriate PS CmdLets.

These are the cmdlets I use for removing features in my Lab.

Note: There are no CmdLets for removing the databases, as these must be kept during an upgrade. If for some reason the databases must be deleted, they must be deleted through SQL tools.

Examining setup logs

All MBAM features uses the Event Logs to log information, warnings and errors. to view the logs open the event viewer and browse to the following node:

Applications and Services Logs –> Microsoft –> Windows –> MBAM-Setup

2017-05-29 12_14_47-MBAM01

To show the Debug logs, click view –> Show Analytic and Debug Logs

2017-05-29 12_15_09-MBAM01

I hope this blog helps clarify some of the questions on the MBAM setup process.

By | 2017-08-30T11:35:07+00:00 May 29th, 2017|Security|4 Comments

About the Author:

Henrik Rading


  1. […] Install MBAM using a script – Advanced ConfigMgr Logging – […]

  2. Garrett August 25, 2017 at 22:53 - Reply

    It looks like this post would be incredibly helpful… if it was not posted with this code highlighter app.
    All I get is tons of junk of the colors its trying to make the text. The Webapp you have for posting code already has the powershell highlights.

  3. Henrik Rading
    Henrik Rading August 30, 2017 at 11:39 - Reply

    Thanks for the heads-up!
    We moved our blog site, and there was a screw-up with a code plugin. The post is now updated and code is again readable 🙂
    /Dr. Rading

  4. Garrett August 30, 2017 at 22:03 - Reply

    Thanks! 🙂

Leave A Comment