High-level architecture of MBAM 2.5 with stand-alone topology

This article describes the recommended architecture for deploying Microsoft BitLocker Administration and Monitoring (MBAM) with the Configuration Manager stand-alone topology. In this topology, MBAM is deployed as a stand-alone product. You can alternatively deploy MBAM with the Configuration Manager Integration topology, which integrates MBAM with Configuration Manager. For more information, see High-level architecture of MBAM 2.5 with Configuration Manager integration topology.

For a list of the supported versions of the software mentioned in this article, see MBAM 2.5 supported configurations.

Recommended number of servers and supported number of clients

The following table lists the recommended number of servers and supported number of clients in a production environment:

Recommended MBAM high-level architecture with the stand-alone topology

The following diagram and sections describe the recommended high-level, two-server architecture for MBAM with the stand-alone topology. MBAM multi-forest deployments require a one-way or two-way trust. One-way trusts require that the server domain trusts the client domain.

Compliance and Audit Database

This feature is configured on a server running Windows Server and supported SQL Server instance. The Compliance and Audit Database stores compliance data, which is used primarily for reports that SQL Server Reporting Services hosts.

Recovery Database

This feature is configured on a server running Windows Server and supported SQL Server instance. The Recovery Database stores recovery data that is collected from MBAM client computers.

Reports

This feature is configured on a server running Windows Server and supported SQL Server instance. The Reports provide recovery audit and compliance status data about the client computers in your enterprise. You can access the reports from the Administration and Monitoring Website or directly from SQL Server Reporting Services.

Administration and Monitoring Server

Administration and Monitoring website

This feature is configured on a computer running Windows Server. The Administration and Monitoring Website is used to:

• Help users regain access to their computers when they're locked out. This area of the website is commonly called the Help Desk.

• View reports that show compliance status and recovery activity for client computers.

Self-Service Portal

This feature is configured on a computer running Windows Server. The Self-Service Portal is a website that enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.

Monitoring web services for this website

This feature is configured on a computer running Windows Server. The monitoring web services are used by the MBAM client and the websites to communicate to the database.

Management workstation

MBAM group policy templates

• The MBAM group policy templates are group policy settings that define implementation settings for MBAM, which enable you to manage BitLocker Drive Encryption.

• Before you run MBAM, you must download the group policy templates from How to download and deploy MDOP group policy (.admx) templates and copy them to a server or workstation that is running a supported Windows Server or Windows operating system.

• The workstation doesn't have to be a dedicated computer.

MBAM client and Configuration Manager client computer

MBAM client software

The MBAM client:

• Uses group policy Objects to enforce BitLocker Drive Encryption on client computers in the enterprise.

• Collects the BitLocker recovery key for three data drive types: operating system drives, fixed data drives, and removable (USB) data drives.

• Collects recovery information and computer information about the client computers.

Related articles

About MBAM 2.5 SP1

High-level architecture of MBAM 2.5 with Configuration Manager integration topology

Illustrated features of an MBAM 2.5 deployment