Step By Step installing MBAM 2.5 sp1 on Windows Server 2016

How to deploy MBAM 2.5 in a Stand-Alone Configuration:

This video is divided into three parts:

  • How to install MBAM server with stand-alone configuration.
  • How to add MBAM ADMX file into Group Policy Management.
  • How to install the MBAM client and turn on BitLocker.

You can turn on BitLocker without a TPM, but if your system has a TPM chip, please turn it on. I am not going to explain what TPM is; I trust you and your Google skills to find out by yourself. In general, though, a TPM is a physical chip embedded on your board that stores RSA encryption keys, and the chip also includes multiple physical security mechanisms. Microsoft recommends deploying BitLocker only on devices that are fitted with a Trusted Platform Module (TPM).

  • Today a TPM can also be turned on remotely through SCCM.
  • A TPM is one of the Credential Guard requirements, which call for “TPM 2.0 either discrete or firmware (preferred – provides binding to hardware)”.

You can get more information about your TPM by opening “TPM.msc”. There are also some TPM-related GPOs available that you can deploy.

For further information about Trusted Platform Module:

Before deploying MBAM you have to complete some prerequisites:

I would suggest going to the following URL, which describes in detail the MBAM prerequisites, the installation, and the best-practice settings you might set up:

There are several important points you have to check while completing the prerequisites:

SQL Deployment: (Credit Microsoft TechNet)

Server Roles & Features:

  • Web Server (IIS) Management Tools: click IIS Management Scripts and Tools.
  • Web Server Role Services:
    • Common HTTP Features: Static Content, Default Document
    • Application Development: .NET Extensibility, ISAPI Extensions, ISAPI Filters
    • Security: Windows Authentication, Request Filtering
    • Web Service IIS Management Tools
  • .NET Framework 4.5 features:
    • The Microsoft .NET Framework 4.5. On Windows Server 2012 and Windows Server 2012 R2 the .NET Framework 4.5 is already installed, but you must enable it. Windows Server 2008 R2 does not include the .NET Framework 4.5, so you must download and install it separately.
    • WCF Activation: HTTP Activation, Non-HTTP Activation
    • TCP Activation
    • Windows Process Activation Service: Process Model, .NET Framework Environment, Configuration APIs


Creating users and groups in Active Directory Domain Services:

Users and groups to create:

MBAMAppPool – Domain user who has read/write permission to the Compliance and Audit Database
MBAMROUser – Domain user who has read-only access to the Compliance and Audit Database
MBAMAdvHelpDsk – MBAM Advanced Helpdesk Users access group: domain user group whose members have access to all areas of the Administration and Monitoring Website
MBAMHelpDsk – MBAM Helpdesk Users access group: domain user group whose members have access to the Manage TPM and Drive Recovery areas of the MBAM Administration and Monitoring Website
MBAMRUGrp – Domain user group whose members have read-only access to the reports in the Reports area of the Administration and Monitoring Website

Go back to the SQL Server and grant the “MBAMAppPool” user the following roles:



For deeper information:

Register SPNs for the application pool account and configure constrained delegation:

Open PowerShell and run the following command:

SetSpn -s http/ PELEGIT\MBAMAppPool


  1. Go to Active Directory and find the app pool account that you configured for the MBAM websites in the earlier steps.
  2. Right-click it and open Properties.
  3. Click the Delegation tab.
  4. Click the option for Kerberos authentication.
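The account creation, SPN registration and delegation steps above, combined into one script as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module, the PELEGIT domain from the setspn command, a hypothetical OU and a hypothetical MBAM web server FQDN (mbam.pelegit.local), and, as a further assumption, that the delegation target is the MBAM web server's own HTTP service.

```powershell
# Added example, not the original post's code. Assumed values are marked below.
Import-Module ActiveDirectory

$domain   = 'PELEGIT'                       # domain name taken from the setspn step
$ou       = 'OU=MBAM,DC=pelegit,DC=local'   # assumed OU, adjust to your forest
$mbamFqdn = 'mbam.pelegit.local'            # hypothetical MBAM web server FQDN

# Service accounts from the list above; passwords are prompted, never hardcoded
$accounts = @{
    'MBAMAppPool' = 'MBAM app pool account, read/write to Compliance and Audit DB'
    'MBAMROUser'  = 'MBAM read-only account for the Compliance and Audit DB'
}
foreach ($name in $accounts.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -Path $ou `
            -Description $accounts[$name] -Enabled $true `
            -AccountPassword (Read-Host "Password for $name" -AsSecureString) `
            -PasswordNeverExpires $true -CannotChangePassword $true
    }
}

# Access groups from the list above (global security groups)
foreach ($g in 'MBAMAdvHelpDsk', 'MBAMHelpDsk', 'MBAMRUGrp') {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -Path $ou `
            -GroupScope Global -GroupCategory Security
    }
}

# Register the HTTP SPNs (FQDN and short name) for the app pool account;
# -S refuses to add an SPN that is already registered elsewhere in the forest
setspn -S "http/$mbamFqdn" "$domain\MBAMAppPool"
setspn -S "http/$($mbamFqdn.Split('.')[0])" "$domain\MBAMAppPool"

# Constrained delegation to the web server's HTTP service (assumed target),
# Kerberos only: protocol transition stays disabled
Set-ADUser -Identity 'MBAMAppPool' -Add @{ 'msDS-AllowedToDelegateTo' = "http/$mbamFqdn" }
Set-ADAccountControl -Identity 'MBAMAppPool' -TrustedToAuthForDelegation $false

# Verify what was registered and what the Delegation tab will show
setspn -L "$domain\MBAMAppPool"
Get-ADUser 'MBAMAppPool' -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation' |
    Select-Object SamAccountName, 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
```

Run it from an elevated PowerShell session on a domain-joined machine with the RSAT AD tools, using an account that is allowed to create objects in the target OU and to write servicePrincipalName and msDS-AllowedToDelegateTo on the app pool account.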



Installing, configuring and deploying MBAM 2.5 SP1 step by step: