Cmdlet Reference for Microsoft BitLocker Administration ...download.microsoft.com/download/C/E/5/CE5197B2-8490-4964-A46… · Cmdlet Reference for Microsoft BitLocker Administration

Cmdlet Reference for Microsoft BitLocker Administration and Monitoring (MBAM)

Microsoft Corporation

Published: May 1, 2014

Applies To

Microsoft BitLocker Administration and Monitoring (MBAM) 2.5

Feedback Send suggestions and comments about this document to [email protected].

mailto:[email protected]?subject=Feedback%20on%20MBAM%20cmdlet%20content

mailto:[email protected]?subject=Feedback%20on%20MBAM%20cmdlet%20content

Copyright

This document is provided "as-is". Information and views expressed in this document, including URL

and other Internet website references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association

or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft

product. You may copy and use this document for your internal, reference purposes. You may modify

this document for your internal, reference purposes.

© 2014 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Bing, Excel, Hyper-V, Internet Explorer, Silverlight, SQL Server, Windows,

Windows Intune, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the

Microsoft group of companies. All other trademarks are property of their respective owners.

Revision History

Release Date Changes

May 1, 2014 Initial release of this document.

Contents

Disable-MbamCMIntegration ..................................................................................................................... 4

Disable-MbamReport ................................................................................................................................. 7

Disable-MbamWebApplication................................................................................................................... 9

Enable-MbamCMIntegration .................................................................................................................... 13

Enable-MbamDatabase ........................................................................................................................... 18

Enable-MbamReport ................................................................................................................................ 23

Enable-MbamWebApplication ................................................................................................................. 27

Get-MbamBitLockerRecoveryKey ........................................................................................................... 38

Get-MbamCMIntegration ......................................................................................................................... 42

Get-MbamReport ..................................................................................................................................... 44

Get-MbamTPMOwnerPassword .............................................................................................................. 46

Get-MbamWebApplication ....................................................................................................................... 49

Test-MbamCMIntegration ........................................................................................................................ 53

Test-MbamDatabase ............................................................................................................................... 58

Test-MbamReport .................................................................................................................................... 63

Test-MbamWebApplication ...................................................................................................................... 67

Disable-MbamCMIntegration


Disables the MBAM System Center Configuration Manager Integration feature.

Syntax

Parameter Set: Default

Disable-MbamCMIntegration [-Force] [-RemoveComplianceData] [-Confirm] [-WhatIf] [

<CommonParameters>]

Detailed Description

The Disable-MbamCMIntegration cmdlet disables the Microsoft BitLocker Administration and

Monitoring (MBAM) System Center Configuration Manager Integration feature.

Parameters

-Force

Indicates that the cmdlet performs the operation without prompting you for confirmation.

Aliases none

Required? false

Position? named

Default Value none

Accept Pipeline Input? false

Accept Wildcard Characters? false

-RemoveComplianceData

Indicates that this cmdlet removes compliance data, as well as reports, from Configuration Manager. If

you do not specify this parameter, this cmdlet only removes the Configuration Manager reports.

Aliases none

Required? false

Position? named

Default Value none



-Confirm

Prompts you for confirmation before executing the command.

Required? false

Position? named

Default Value none



-WhatIf

Describes what would happen if you executed the command without actually executing the command.

Required? false

Position? named

Default Value none



<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -

OutBuffer, and -OutVariable. For more information, see about_CommonParameters.

http://technet.microsoft.com/en-us/library/dd315352.aspx

Examples

Example 1: Disable the System Center Configuration Manager

Integration feature

This command disables the MBAM System Center Configuration Manager Integration feature after you

confirm the operation.

PS C:\> Disable-MbamCMIntegration

Are you sure you want to perform this action?

Performing operation "Disable MBAM CM Integration feature"

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

Related topics

Enable-MbamCMIntegration

Get-MbamCMIntegration

Test-MbamCMIntegration

Disable-MbamReport

Disable-MbamReport

Disables the Reports feature.

Syntax


Disable-MbamReport [-Force] [-Confirm] [-WhatIf] [ <CommonParameters>]


The Disable-MbamReport cmdlet disables the Microsoft BitLocker Administration and Monitoring

(MBAM) Reports feature.

Parameters

-Force


Aliases none

Required? false

Position? named

Default Value none



-Confirm


Required? false

Position? named

Default Value none



-WhatIf


Required? false

Position? named

Default Value none



<CommonParameters>



Examples

Example 1: Disable the Reports feature

This command disables the Reports feature. The command does not specify the Force parameter, and,

therefore, the command prompts you for confirmation.

PS C:\> Disable-MbamReport


Performing operation "Disable MBAM Reports feature"


Related topics

Enable-MbamReport

Get-MbamReport

Test-MbamReport


Disable-MbamWebApplication


Disables a web application.

Syntax

Parameter Set: ParameterSetAdministrationPortal

Disable-MbamWebApplication -AdministrationPortal [-Force] [-Confirm] [-WhatIf] [

<CommonParameters>]

Parameter Set: ParameterSetAgentService

Disable-MbamWebApplication -AgentService [-Force] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: ParameterSetSelfServicePortal

Disable-MbamWebApplication -SelfServicePortal [-Force] [-Confirm] [-WhatIf] [

<CommonParameters>]


The Disable-MbamWebApplication cmdlet disables a Microsoft BitLocker Administration and

Monitoring (MBAM) web application. This cmdlet removes any website files that the Enable-

MbamWebApplication cmdlet installed when you enabled the application.

Parameters

-AdministrationPortal

Indicates that this cmdlet acts on the Administration and Monitoring Website web application.

Aliases none

Required? true

Position? named

Default Value none



-AgentService

Indicates that this cmdlet acts on the Agent Services web application.

Aliases none

Required? true

Position? named

Default Value none



-Force


Aliases none

Required? false

Position? named

Default Value none



-SelfServicePortal

Indicates that this cmdlet acts on the Self-Service Portal web application.

Aliases none

Required? true

Position? named

Default Value none



-Confirm


Required? false

Position? named

Default Value none



-WhatIf


Required? false

Position? named

Default Value none



<CommonParameters>



Examples

Example 1: Disable Administration and Monitoring Website

This command disables the Administration and Monitoring Portal feature. The cmdlet prompts you to

confirm the operation.

PS C:\> Disable-MbamWebApplication -AdministrationPortal


Performing operation "Disable MBAM Web Application (AdministrationPortal) feature"



Example 2: Disable the Self-Service Portal

This command disables the Self-Service Portal feature. The command specifies the Force parameter,

and, therefore, the cmdlet does not prompt you to confirm the operation.

PS C:\> Disable-MbamWebApplication -SelfServicePortal -Force

Example 3: Disable Agent Services

This command disables the Agent Services feature. The cmdlet prompts you to confirm the operation.

PS C:\> Disable-MbamWebApplication -AgentService


Performing operation "Disable MBAM Web Application (AgentService) feature"


Related topics

Enable-MbamWebApplication

Get-MbamWebApplication

Test-MbamWebApplication



Enables the MBAM System Center Configuration Manager Integration feature.

Syntax

Parameter Set: ParameterSetCMReportsOnly

Enable-MbamCMIntegration -BitLockerProtectionBaselineLogicalName <String> -

FixedDataDriveConfigurationItemLogicalName <String> -

OperatingSystemDriveConfigurationItemLogicalName <String> -ReportsCollectionID <String> -

ReportsOnly [-SkipValidation] [-SsrsInstance <String> ] [-SsrsServer <String> ] [-Confirm]

[-WhatIf] [ <CommonParameters>]

Parameter Set: ParameterSetDefault

Enable-MbamCMIntegration [-SkipValidation] [-SsrsInstance <String> ] [-SsrsServer <String> ]

[-Confirm] [-WhatIf] [ <CommonParameters>]


The Enable-MbamCMIntegration cmdlet enables the Microsoft BitLocker Administration and

Monitoring (MBAM) System Center Configuration Manager Integration feature. This feature integrates

Configuration Manager with MBAM, and moves the compliance and reporting infrastructure into the

Configuration Manager environment.

Parameters

-BitLockerProtectionBaselineLogicalName<String>

Specifies the logical name of the BitLocker protection baseline.

Aliases BaselineLogicalName

Required? true

Position? named

Default Value none

Accept Pipeline Input? True (ByPropertyName)


-FixedDataDriveConfigurationItemLogicalName<String>

Specifies the logical name of the fixed data drive configuration item.

Aliases FDDLogicalName

Required? true

Position? named

Default Value none



-OperatingSystemDriveConfigurationItemLogicalName<String>

Specifies the logical name of the operating system drive configuration item.

Aliases OSDLogicalName

Required? true

Position? named

Default Value none



-ReportsCollectionID<String>

Specifies an existing collection ID. This ID is used by the reports to set the default collection for which

the reports display compliance data.

Aliases none

Required? true

Position? named

Default Value none



-ReportsOnly

Indicates that only the Configuration Manager reports are deployed.

Aliases none

Required? true

Position? named

Default Value none



-SkipValidation

Indicates that this cmdlet bypasses validation of parameter values. If you specify this parameter, the

feature may not function properly after you enable it.

Aliases none

Required? false

Position? named

Default Value none



-SsrsInstance<String>

Specifies the SQL Server Reporting Services instance. This instance hosts the Configuration Manager

reports. This parameter is ignored if the server has System Center 2012Configuration Manager

installed.

Aliases none

Required? false

Position? named

Default Value MSSQLSERVER



-SsrsServer<String>

Specifies the server with the SQL Server Reporting Services point role. This server hosts the

Configuration Manager reports. If you do not specify a server, the Configuration Manager reports are

deployed to the local server.

Aliases none

Required? false

Position? named

Default Value none



-Confirm


Required? false

Position? named

Default Value none



-WhatIf


Required? false

Position? named

Default Value none



<CommonParameters>



Examples

Example 1: Enable the Integration feature

This command enables the MBAM System Center Configuration Manager Integration feature on the

local Configuration Manager server. The MBAM reports are deployed on the default SQL Server

Reporting Services instance, MSSQLSERVER.

PS C:\> Enable-MbamCMIntegration

Related topics





Enable-MbamDatabase

Enable-MbamDatabase

Enables the Compliance and Audit and Recovery databases.

Syntax

Parameter Set: ParameterSetCompliance

Enable-MbamDatabase -AccessAccount <String> -ComplianceAndAudit -ConnectionString <String> -

ReportAccount <String> [-DatabaseName <String> ] [-SkipValidation] [-Confirm] [-WhatIf] [

<CommonParameters>]

Parameter Set: ParameterSetRecovery

Enable-MbamDatabase -AccessAccount <String> -ConnectionString <String> -Recovery [-

DatabaseName <String> ] [-SkipValidation] [-Confirm] [-WhatIf] [ <CommonParameters>]


The Enable-MbamDatabase cmdlet enables a Compliance and Audit or a Recovery Database.

Parameters

-AccessAccount<String>

Specifies a domain user or group. This domain user or group has read/write permission to this

database, which enables web applications to access the data and reports. If the value is a domain user,

the WebServiceApplicationPoolCredential parameter in the Enable-MbamWebApplication cmdlet

must use the same user account. If the value is a group, the domain account used by the

WebServiceApplicationPoolCredential parameter must be a member of this group.

Aliases none

Required? true

Position? named

Default Value none



-ComplianceAndAudit

Indicates that the Compliance and Audit Database is enabled.

Aliases none

Required? true

Position? named

Default Value none



-ConnectionString<String>

Specifies the connection string used to connect to the data store. The Integrated Security field must be

in the connection string.

Aliases none

Required? true

Position? named

Default Value none



-DatabaseName<String>

Specifies the name of the database. This parameter cannot contain leading or trailing spaces or non-

printable characters. If you do not specify a name, the Compliance and Audit Database is given the

name MBAM Compliance Status, and the Recovery database is given the name MBAM Recovery and

Hardware.

Aliases none

Required? false

Position? named

Default Value "MBAM Compliance Status" for Compliance DB;

"MBAM Recovery and Hardware" for Recovery

DB



-Recovery

Indicates that the Recovery Database is enabled.

Aliases none

Required? true

Position? named

Default Value none



-ReportAccount<String>

Specifies a domain user or group. This domain user or group has read-only permission to this

database, which enables reports to access the compliance and audit data. If the value is a domain user,

the ComplianceAndAuditDBCredential parameter in the Enable-MbamReport cmdlet must use the

same user account. If the value is a domain user group, the domain account used by the

ComplianceAndAuditDBCredential parameter must be a member of this group.

Aliases none

Required? true

Position? named

Default Value none



-SkipValidation



Aliases none

Required? false

Position? named

Default Value none



-Confirm


Required? false

Position? named

Default Value none



-WhatIf


Required? false

Position? named

Default Value none



<CommonParameters>



Examples

Example 1: Enable the Compliance and Audit Database

This command enables the Compliance and Audit Database on MyDatabaseServer. The name of the

database is MyComplianceDatabaseName. The domain account MyAccessAccount has read/write

permission to the database, and MyReportAccount has read-only permission to the database for

reporting purposes. The current Windows account credentials are used for authentication.

PS C:\> Enable-MbamDatabase -ComplianceAndAudit -ConnectionString "Integrated

Security=SSPI;Data Source=MyDatabaseServer" -AccessAccount "MyDomain\MyAccessAccount" -

ReportAccount "MyDomain\MyReportAccount" -DatabaseName "MyComplianceDatabaseName"

Example 2: Enable the Recovery Database

This command enables the Recovery database on MyRecoveryDatabaseServer. The name of the

database is MyRecoveryDatabaseName. The domain account MyAccessAccount has read/write

permission to the database. The command uses the current Windows account credentials for

authentication.

PS C:\> Enable-MbamDatabase -Recovery -ConnectionString "Integrated Security=SSPI;Data

Source=MyDatabaseServer" -AccessAccount "MyDomain\MyAccessAccount" -DatabaseName

"MyRecoveryDatabaseName"

Related topics

Enable-MbamReport


Test-MbamDatabase


Enable-MbamReport

Enable-MbamReport

Enables the Reports feature on the local server.

Syntax


Enable-MbamReport -ComplianceAndAuditDBCredential <PSCredential> -ReportsReadOnlyAccessGroup

<String> [-ComplianceAndAuditDBConnectionString <String> ] [-SkipValidation] [-SsrsInstance

<String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]


The Enable-MbamReport cmdlet enables the Microsoft BitLocker Administration and Monitoring

(MBAM) Reports feature on a local Microsoft SQL Server Reporting Services instance.

Parameters

-ComplianceAndAuditDBConnectionString<String>

Specifies a connection string. The local SQL Server Reporting Services uses the string that this

parameter specifies to connect to the Compliance and Audit Database feature. The connection string

must contain values for the Integrated Security and Initial Catalog fields.

Aliases ComplianceDB

Required? false

Position? named

Default Value none



-ComplianceAndAuditDBCredential<PSCredential>

Specifies the domain account credentials that the local SQL Server Reporting Services instance uses to

connect to the Compliance and Audit Database. The domain user in the credentials must be the same

as the user that you specify for the ReportAccount parameter in the Enable-MbamDatabase cmdlet. If

you specified a domain user group for the ReportAccount parameter, the credentials that you specify for

the current parameter must be a member of that group.

Important: For improved security, use an account that has limited privileges. Also, configure the account

so that the password never expires.

Aliases ComplianceDBCred

Required? true

Position? named

Default Value none

Accept Pipeline Input? True (ByValue, ByPropertyName)


-ReportsReadOnlyAccessGroup<String>

Specifies a domain user group. Specify a group that has read permission for the reports.

Aliases ReportsGroup

Required? true

Position? named

Default Value none



-SkipValidation



Aliases none

Required? false

Position? named

Default Value none




Specifies the SQL Server Reporting Services instance. After installation, this instance hosts the reports.

If you do not specify an instance, the cmdlet uses the default instance, MSSQLSERVER.

Aliases none

Required? false

Position? named




-Confirm


Required? false

Position? named

Default Value none



-WhatIf


Required? false

Position? named

Default Value none



<CommonParameters>



Examples

Example 1: Enable the Reports feature

This command enables the Reports feature on the local server. The feature uses the Compliance and

Audit Database on ContosoDatabaseServer. The command prompts you to enter credentials to access

the Compliance and Audit Database. The reports group is Contoso\ReportsGroup. The command

installs reports on the default SQL Server Reporting Services instance.

PS C:\> Enable-MbamReport -ComplianceAndAuditDBConnectionString "Integrated

Security=SSPI;Data Source=ContosoDatabaseServer;Initial Catalog=MBAM Compliance Status" -

ComplianceAndAuditDBCredential (Get-Credential) -ReportsReadOnlyAccessGroup

"Contoso\ReportsGroup"

Related topics

Disable-MbamReport

Get-MbamReport

Test-MbamReport

Enable-MbamDatabase




Enables a web application.

Syntax


Enable-MbamWebApplication -AdministrationPortal -AdvancedHelpdeskAccessGroup <String> -

HelpdeskAccessGroup <String> -ReportsReadOnlyAccessGroup <String> -ReportUrl <Uri> [-

Certificate <X509Certificate2> ] [-CMIntegrationMode] [-ComplianceAndAuditDBConnectionString

<String> ] [-HostName <String> ] [-InstallationPath <String> ] [-Port <Int32> ] [-

RecoveryDBConnectionString <String> ] [-SkipValidation] [-VirtualDirectory <String> ] [-

WebServiceApplicationPoolCredential <PSCredential> ] [-Confirm] [-WhatIf] [

<CommonParameters>]


Enable-MbamWebApplication -AgentService [-Certificate <X509Certificate2> ] [-

CMIntegrationMode] [-ComplianceAndAuditDBConnectionString <String> ] [-HostName <String> ]

[-InstallationPath <String> ] [-Port <Int32> ] [-RecoveryDBConnectionString <String> ] [-

SkipValidation] [-WebServiceApplicationPoolCredential <PSCredential> ] [-Confirm] [-WhatIf]

[ <CommonParameters>]


Enable-MbamWebApplication -SelfServicePortal [-Certificate <X509Certificate2> ] [-

ComplianceAndAuditDBConnectionString <String> ] [-HostName <String> ] [-InstallationPath

<String> ] [-Port <Int32> ] [-RecoveryDBConnectionString <String> ] [-SkipValidation] [-

VirtualDirectory <String> ] [-WebServiceApplicationPoolCredential <PSCredential> ] [-

Confirm] [-WhatIf] [ <CommonParameters>]


The Enable-MbamWebApplication cmdlet enables a Microsoft BitLocker Administration and

Monitoring (MBAM) web application on the local server. The cmdlet enables one of the following web

applications:

-- Administration and Monitoring Website

-- Agent Services

-- Self-Service Portal

Parameters



Aliases none

Required? true

Position? named

Default Value none



-AdvancedHelpdeskAccessGroup<String>

Specifies a domain user group. This group has permissions for all areas of the Administration and

Monitoring Website web application, except for reports.

Aliases AdvancedHelpdeskGroup

Required? true

Position? named

Default Value none



-AgentService


Aliases none

Required? true

Position? named

Default Value none



-Certificate<X509Certificate2>

Specifies the certificate to use for encrypted web communications. If you do not specify a certificate,

web communications are not encrypted.

Aliases none

Required? false

Position? named

Default Value none



-CMIntegrationMode

Indicates that all reports, except the Recovery Audit Report, are integrated into Microsoft System

Center Configuration Manager. If you enable the System Center Configuration Manager Integration

feature, specify this parameter.

Aliases CMMode

Required? false

Position? named

Default Value none




Specifies a connection string. The web application uses the string that this parameter specifies to

connect to the Compliance and Audit Database feature. The connection string must contain values for

the Integrated Security and Initial Catalog fields.

If you do not specify this parameter, the cmdlet uses the connection string that you previously specified

for any enabled web application. All of the web applications connect to the Compliance and Audit

Database by using the same connection string. If you specify connection strings more than once, web

applications use the most recent value.


Required? false

Position? named

Default Value none



-HelpdeskAccessGroup<String>

Specifies the domain user group that has permissions for the Manage TPM and Drive Recovery areas

of the Administration and Monitoring Website web application.

Aliases HelpdeskGroup

Required? true

Position? named

Default Value none



-HostName<String>

Specifies a host name. If you do not specify a host name, the cmdlet uses the fully qualified host name

of the local computer. Ensure that you specify the same host name for all of the web applications.

Aliases none

Required? false

Position? named

Default Value <fully qualified local machine name>



-InstallationPath<String>

Specifies the installation path of the web application. The installation process creates a folder named

Microsoft BitLocker Management Solution in location that this parameter specifies. If you do not specify

a path, the cmdlet uses <IIS inetpub path>. Specify the same installation path for all of the web

applications.

Aliases none

Required? false

Position? named

Default Value <IIS inetpub path>\Microsoft BitLocker Management

Solution



-Port<Int32>

Specifies the web service port. If you do not specify a port, unencrypted communications use port 80,

and encrypted communications use port 443. Specify the same value for all of the web applications.

You must configure your firewall to allow communication through the ports for the Self-Service Portal

and the Administration and Monitoring Website web applications.

Aliases none

Required? false

Position? named

Default Value 80 if certificate is not specified, 443 otherwise



-RecoveryDBConnectionString<String>


connect to the Recovery Database. The connection string must contain values for the Integrated

Security and Initial Catalog fields.

If you do not specify this parameter, the cmdlet uses the connection string that you previously specified

for any enabled web application. All of the web applications connect to the Recovery Database by using

the same connection string. If you specify connection strings more than once, web applications use the

most recent value.

Aliases RecoveryDB

Required? false

Position? named

Default Value none




Specifies a domain user group. Specify a group that has read permissions for the Reports area of the

Administration and Monitoring Website web application. The value for this parameter must be the same

as the group that you specify for the ReportsReadOnlyAccessGroup parameter in the Enable-

MbamReport cmdlet.


Required? true

Position? named

Default Value none



-ReportUrl<Uri>

Specifies the URL for the reports that the Microsoft SQL Server Reporting Services instance publishes.

Aliases none

Required? true

Position? named

Default Value none



-SelfServicePortal


Aliases none

Required? true

Position? named

Default Value none



-SkipValidation



Aliases none

Required? false

Position? named

Default Value none



-VirtualDirectory<String>

Specifies a virtual directory for the web application. If you do not specify a virtual directory, the cmdlet

uses the value HelpDesk for the Administration and Monitoring Website, or it uses the value SelfService

for the Self-Service Portal.

Aliases none

Required? false

Position? named

Default Value "HelpDesk" for AdministrationPortal feature; "SelfService" for

SelfServicePortal



-WebServiceApplicationPoolCredential<PSCredential>

Specifies the domain user that the application pool for the web applications uses. If you specified a

domain user group for the AccessAccount parameter when you ran the Enable-MbamDatabase

cmdlet, the domain user that you specify for this parameter must be a member of that group.

If you do not specify this parameter, the cmdlet uses the credentials that you previously specified for

any enabled web application. All of the web applications use the same application pool credentials. If

you specify credentials for web applications more than once, web applications use the most recent

value.

Important: For improved security, use an account that has limited user rights. Also, configure the

account so that the password never expires. Verify that the account that you specify for this parameter

is a built-in IIS_IUSRS account or has been added to the Impersonate a client after authentication

and Log on as a batch job local security settings. To view the local security setting, open the Local

Security Policy editor, expand the Local Policies node, click the User Rights Assignment node, and

then double-click the Impersonate a client after authentication and Log on as a batch job policies in

the right pane.

Aliases AppPoolCred

Required? false

Position? named

Default Value NetworkService



-Confirm


Required? false

Position? named

Default Value none



-WhatIf


Required? false

Position? named

Default Value none



<CommonParameters>



Examples

Example 1: Enable Administration and Monitoring Website

This command enables the Administration and Monitoring Website web application on the current

server. The portal uses the Compliance and Audit Database and the Recovery Database on

ContosoDatabaseServer, and it uses the reports on ContosoReportsServer.

PS C:\> Enable-MbamWebApplication -AdministrationPortal -

ComplianceAndAuditDBConnectionString "Integrated Security=SSPI;Data

Source=ContosoDatabaseServer;Initial Catalog=MBAM Compliance Status" -

RecoveryDBConnectionString "Integrated Security=SSPI;Data

Source=ContosoDatabaseServer;Initial Catalog=MBAM Recovery and Hardware" -

AdvancedHelpdeskAccessGroup "Contoso\AdvancedUserGroup" -HelpdeskAccessGroup

"Contoso\StandardUserGroup" -ReportsReadOnlyAccessGroup "Contoso\ReportUserGroup" -ReportUrl

"https://ContosoReportsServer/ReportServer" -Port 443 -WebServiceApplicationPoolCredential

(Get-Credential) -Certificate (dir

cert:\LocalComputer\My\E2A7EA5533890D6567E40DFC46F53B3D31D6B689)

Example 2: Enable Self-Service Portal

This command enables the Self-Service Portal web application on the current server. The Self-Service

Portal uses the Compliance and Audit Database and the Recovery Database on

ContosoDatabaseServer.

PS C:\> Enable-MbamWebApplication -SelfServicePortal -ComplianceAndAuditDBConnectionString

"Integrated Security=SSPI;Data Source=ContosoDatabaseServer;Initial Catalog=MBAM Compliance

Status" -RecoveryDBConnectionString "Integrated Security=SSPI;Data

Source=ContosoDatabaseServer;Initial Catalog=MBAM Recovery and Hardware" -Port 443 -


WebServiceApplicationPoolCredential (Get-Credential) -Certificate (dir


Example 3: Enable Agent Services

This command enables the Agent Services feature on the current server. The services use the

Compliance and Audit Database and the Recovery Database on ContosoDatabaseServer.

PS C:\> Enable-MbamWebApplication -AgentService -ComplianceAndAuditDBConnectionString






Example 4: Enable Administration and Monitoring Website for a

mirrored environment

This command enables the Administration and Monitoring Website web application, and it configures

web applications to use a mirrored Microsoft SQL Server environment. The connection strings specify a

failover partner.

PS C:\> Enable-MbamWebApplication -AdministrationPortal -

ComplianceAndAuditDBConnectionString "Integrated Security=SSPI;Data

Source=ContosoDatabaseServer;Failover Partner=ContosoMirror;Initial Catalog=MBAM Compliance


Source=ContosoDatabaseServer;Failover Partner=ContosoMirror;Initial Catalog=MBAM Recovery

and Hardware" -AdvancedHelpdeskAccessGroup "Contoso\AdvancedUserGroup" -HelpdeskAccessGroup


"https://ContosoReportsServer/ReportServer" -Port 443 -WebServiceApplicationPoolCredential



Example 5: Enable the Self-Service Portal for a mirrored

environment

This command enables the Self-Service Portal on the current server, and it configures web applications

to use a mirrored SQL Server environment. The connection strings specify a failover partner.

PS C:\> Enable-MbamWebApplication -SelfServicePortal -ComplianceAndAuditDBConnectionString

"Integrated Security=SSPI;Data Source=ContosoDatabaseServer;Failover

Partner=ContosoMirror;Initial Catalog=MBAM Compliance Status" -RecoveryDBConnectionString

"Integrated Security=SSPI;Data Source=ContosoDatabaseServer;Failover

Partner=ContosoMirror;Initial Catalog=MBAM Recovery and Hardware" -Port 443 -



Related topics




Enable-MbamReport

Enable-MbamDatabase

Get-MbamBitLockerRecoveryKey

Get-MbamBitLockerRecoveryKey

Requests an MBAM recovery key.

Syntax


Get-MbamBitLockerRecoveryKey -HelpDeskUrl <Uri> -KeyID <String> -Reason <String> [-

UserDomain <String> ] [-UserID <String> ] [ <CommonParameters>]


The Get-MbamBitLockerRecoveryKey cmdlet requests a Microsoft BitLocker Administration and

Monitoring (MBAM) recovery key. This recovery key enables a user to unlock a volume that is in

recovery mode. A volume can enter recovery mode due to a forgotten BitLocker PIN or password, a

Windows update, or a change to the BIOS settings of the computer.

Parameters

-HelpDeskUrl<Uri>

Specifies the URL for the MBAM help desk site.

Aliases url

Required? true

Position? named

Default Value none



-KeyID<String>

Specifies the recovery key ID. You can specify the first eight digits of the recovery key ID for this

parameter or you can specify the complete ID. For example, if the recovery key ID is 4734f3b9-58c7-

4a41-87a5-0701d4fdbb86, you can specify 4734f3b9 for this parameter.

Aliases key,k

Required? true

Position? named

Default Value none



-Reason<String>

Specifies the reason for the recovery key request. Reasons can include a forgotten BitLocker PIN or

password, a Windows update, or a change to BIOS settings of the computer.

Aliases r

Required? true

Position? named

Default Value none



-UserDomain<String>

Specifies the domain of the user.

Aliases ud

Required? false

Position? named

Default Value none



-UserID<String>

Specifies the ID of the user.

Aliases uid

Required? false

Position? named

Default Value none



<CommonParameters>



Outputs

The output type is the type of the objects that the cmdlet emits.

string

The BitLocker recovery key for the specified volume.

Examples

Example 1: Get a recovery key by specifying an eight-digit recovery

key ID

This command gets the recovery key from the specified help desk server for the user ContosoUser. The

command specifies only the first eight digits of the key ID.

PS C:\> Get-MbamBitLockerRecoveryKey -KeyID "4374f3b9" -Reason "Forgot PIN" -HelpDeskUrl

https://helpdeskserver/HelpDesk -UserDomain "ContosoDomain" -UserID "ContosoUser"


Example 2: Get a recovery key by specifying the complete recovery

key ID

This command gets the recovery key from the specified help desk server for the user ContosoUser. The

command specifies the complete key ID.

PS C:\> Get-MbamBitLockerRecoveryKey -KeyID "4374f3b9-58c7-4a41-87a5-0701d4fdbb86" -Reason

"Forgot PIN" -HelpDeskUrl https://helpdeskserver/HelpDesk -UserDomain "ContosoDomain" -

UserID "ContosoUser"



Gets the configuration of the MBAM System Center Configuration Manager Integration feature.

Syntax

Get-MbamCMIntegration [ <CommonParameters>]


The Get-MbamCMIntegration cmdlet gets the configuration of the Microsoft BitLocker Administration

and Monitoring (MBAM) System Center Configuration Manager Integration feature.

Parameters

<CommonParameters>



Outputs


Microsoft.MBAM.Server.Commands.CMIntegrationConfiguration

Examples

Example 1: Get the configuration of the System Center

Configuration Manager Integration feature

This command gets the configuration of the MBAM System Center Configuration Manager Integration

feature in the local server.

PS C:\> Get-MbamCMIntegration

Name : Configuration Manager Integration

Enabled : False


Description : This feature will integrate MBAM with a Microsoft System Center Configuration

Manager server.

Related topics




Get-MbamReport

Get-MbamReport

Gets the configuration of the Reports feature.

Syntax

Get-MbamReport [ <CommonParameters>]


The Get-MbamReport cmdlet gets the configuration of the Microsoft BitLocker Administration and

Monitoring (MBAM) Reports feature.

Parameters

<CommonParameters>



Outputs


Microsoft.MBAM.Server.Commands.ReportConfiguration

Examples

Example 1: Get configuration of the Reports feature

Gets the configuration of the Reports feature on the local server.

PS C:\> Get-MbamReport

Name : Reports

Enabled : True

Description : This feature includes reports for the Compliance and

Auditing data that has been gathered by the MBAM Client.


ComplianceAndAuditDBConnectionString : Integrated Security=SSPI;Data

Source=ContosoDatabaseServer;Initial Catalog="MBAM Compliance Status";

ComplianceAndAuditDBUser : ContosoDomain\ReportAccount

SsrsInstance : MSSQLSERVER

ReportsReadOnlyAccessGroup : ContosoDomain\ReportGroup

ReportUrl :

https://ContosoReportsServer:443/ReportServer/ReportService2005.asmx

Related topics

Disable-MbamReport

Enable-MbamReport

Test-MbamReport

Get-MbamTPMOwnerPassword

Get-MbamTPMOwnerPassword

Gets a TPM owner password.

Syntax


Get-MbamTPMOwnerPassword -ComputerDomain <String> -ComputerName <String> -HelpDeskUrl <Uri>

-Reason <String> [-UserDomain <String> ] [-UserID <String> ] [ <CommonParameters>]


The Get-MbamTPMOwnerPassword cmdlet gets an owner password for a Trusted Platform Module

(TPM). If a TPM does not accept the user PIN, it becomes locked. The user unlocks the TPM by using

the owner password.

Parameters

-ComputerDomain<String>

Specifies the domain of the locked computer.

Aliases cd

Required? true

Position? named

Default Value none



-ComputerName<String>

Specifies the name of the locked computer.

Aliases cn

Required? true

Position? named

Default Value none



-HelpDeskUrl<Uri>

Specifies the URL for the Microsoft BitLocker Administration and Monitoring (MBAM) help desk site.

Aliases url

Required? true

Position? named

Default Value none



-Reason<String>

Specifies the reason for the password request.

Aliases r

Required? true

Position? named

Default Value none



-UserDomain<String>

Specifies the domain of the user.

Aliases ud

Required? false

Position? named

Default Value none



-UserID<String>

Specifies the ID of the user.

Aliases uid

Required? false

Position? named

Default Value none



<CommonParameters>



Outputs


StringThe TPM owner password.

Examples

Example 1: Get the TPM owner password

This command gets the TPM owner password from the MBAM help desk server for the specified

computer and user. The command also specifies the reason the TPM is locked.

PS C:\> Get-MbamTPMOwnerPassword -ComputerDomain "ContosoDomain" -ComputerName

"ContosoComputer" -Reason "Forgot PIN" -HelpDeskUrl https://helpdeskserver/HelpDesk -

UserDomain "ContosoDomain" -UserID "ContosoUser"




Gets the configuration of a web application.

Syntax


Get-MbamWebApplication -AdministrationPortal [ <CommonParameters>]


Get-MbamWebApplication -AgentService [ <CommonParameters>]


Get-MbamWebApplication -SelfServicePortal [ <CommonParameters>]


The Get-MbamWebApplication cmdlet gets the configuration of a Microsoft BitLocker Administration

and Monitoring (MBAM) web application.

Parameters



Aliases none

Required? true

Position? named

Default Value none



-AgentService


Aliases none

Required? true

Position? named

Default Value none



-SelfServicePortal


Aliases none

Required? true

Position? named

Default Value none



<CommonParameters>



Outputs


Microsoft.MBAM.Server.Commands.AdministrationPortalConfiguration,

Microsoft.MBAM.Server.Commands.SelfServicePortalConfiguration,

Microsoft.MBAM.Server.Commands.AgentServiceConfiguration


Examples

Example 1: Get the configuration of Administration and Monitoring

Website

This command gets the configuration of the Administration and Monitoring Website feature on the local

server.

PS C:\> Get-MbamWebApplication -AdministrationPortal

Name : Administration Web Portal

Enabled : True

Description : This feature includes the Help Desk web application

for administration.

InstallationPath : C:\inetpub

HostName : MYSERVER.contoso.com

Port : 443

CertificateThumbprint : E2A7EA5533890D6567E40DFC46F53B3D31D6B689


Source=MyDatabaseServer;Initial Catalog="MBAM Compliance Status";

RecoveryDBConnectionString : Integrated Security=SSPI;Data

Source=MyDatabaseServer;Initial Catalog="MBAM Recovery and Hardware";

WebServiceApplicationPoolUser : MyDomain\MBAMWebServicesAccount

VirtualDirectory : /HelpDesk

CMIntegrationMode : False

ReportUrl : https://MyReportsServer/ReportServer

AdvancedHelpdeskAccessGroup : MyDomain\AdvancedHelpdeskUserGroup

HelpdeskAccessGroup : MyDomain\HelpdeskUserGroup

ReportsReadOnlyAccessGroup : MyDomain\ReportsUserGroup

Example 2: Get the configuration of the Self-Service Portal

This command gets the configuration of the Self-Service Portal feature on the local server.

PS C:\> Get-MbamWebApplication -SelfServicePortal

Name : Self Service Web Portal

Enabled : True

Description : This feature includes the Self Service web

application that allows users to recover their own BitLocker keys.



Port : 443

CertificateThumbprint : E2A7EA5533890D6567E40DFC46F53B3D31D6B689






VirtualDirectory : /SelfService

Example 3: Get the configuration of the Agent Services feature

This command gets the configuration of the Agent Services feature on the local server.

PS C:\> Get-MbamWebApplication -AgentService

Name : Agent Web Services

Enabled : True

Description : This feature includes the web services to support the

MBAM agent.



Port : 443






CMIntegrationMode : False

Related topics






Checks server prerequisites and validates parameters.

Syntax

Parameter Set: ParameterSetCMReportsOnly

Test-MbamCMIntegration -BitLockerProtectionBaselineLogicalName <String> -

FixedDataDriveConfigurationItemLogicalName <String> -

OperatingSystemDriveConfigurationItemLogicalName <String> -ReportsCollectionID <String> -

ReportsOnly [-Detailed] [-SsrsInstance <String> ] [-SsrsServer <String> ] [

<CommonParameters>]

Parameter Set: ParameterSetDefault

Test-MbamCMIntegration [-Detailed] [-SsrsInstance <String> ] [-SsrsServer <String> ] [

<CommonParameters>]


The Test-MbamCMIntegration cmdlet checks the server prerequisites and validates the parameters

for the Microsoft BitLocker Administration and Monitoring (MBAM) System Center Configuration

Manager Integration feature.

Parameters

-BitLockerProtectionBaselineLogicalName<String>

Specifies the logical name of the BitLocker protection baseline.

Aliases BaselineLogicalName

Required? true

Position? named

Default Value none



-Detailed

Indicates that the cmdlet displays detailed information about the prerequisite check and parameter

validation failures.

Aliases none

Required? false

Position? named

Default Value none



-FixedDataDriveConfigurationItemLogicalName<String>

Specifies the logical name of the fixed data drive configuration item.

Aliases FDDLogicalName

Required? true

Position? named

Default Value none



-OperatingSystemDriveConfigurationItemLogicalName<String>

Specifies the logical name of the operating system drive configuration item.

Aliases OSDLogicalName

Required? true

Position? named

Default Value none



-ReportsCollectionID<String>

Specifies an existing collection ID. This ID is used by the reports to set the default collection for which

the reports display compliance data.

Aliases none

Required? true

Position? named

Default Value none



-ReportsOnly

Indicates that only the Configuration Manager reports are deployed.

Aliases none

Required? true

Position? named

Default Value none




Specifies the SQL Server Reporting Services instance. This instance hosts the Configuration Manager

reports. This parameter is ignored if the server has System Center 2012 Configuration Manager

installed.

Aliases none

Required? false

Position? named




-SsrsServer<String>

Specifies the server with the SQL Server Reporting Services point role. This server hosts the

Configuration Manager reports. If you do not specify a server, the Configuration Manager reports are

deployed to the local server.

Aliases none

Required? false

Position? named

Default Value none



<CommonParameters>



Outputs


bool

Examples

Example 1: Check prerequisites to enable integration

This command tests the prerequisites for enabling the MBAM System Center Configuration Manager

Integration on the local Configuration Manager server. The MBAM reports are deployed on the default

SQL Server Reporting Services instance, MSSQLSERVER.

PS C:\> Test-MbamCMIntegration

Example 2: Check prerequisites to enable integration with detailed

output

This command checks the prerequisites to enable the MBAM System Center Configuration Manager

Integration feature on the local Configuration Manager server with detailed output.

PS C:\> Test-MbamCMIntegration -Detailed


ID Type Message

-- ---- -------

CmInstallation Error This feature can be installed only on a server that is running System

Center Configuration Manager.

Related topics




Test-MbamDatabase

Test-MbamDatabase

Checks server prerequisites and validates parameters for an MBAM database.

Syntax

Parameter Set: ParameterSetCompliance

Test-MbamDatabase -AccessAccount <String> -ComplianceAndAudit -ConnectionString <String> -

ReportAccount <String> [-DatabaseName <String> ] [-Detailed] [ <CommonParameters>]

Parameter Set: ParameterSetRecovery

Test-MbamDatabase -AccessAccount <String> -ConnectionString <String> -Recovery [-

DatabaseName <String> ] [-Detailed] [ <CommonParameters>]


The Test-MbamDatabase cmdlet checks the server prerequisites and validates the parameters for the

Microsoft BitLocker Administration and Monitoring (MBAM) database feature.

Parameters

-AccessAccount<String>

Specifies a domain user or group. This domain user or group must have read/write permission to this

database, which enables web applications to access the data and reports. If the value is a domain user,

the WebServiceApplicationPoolCredential parameter in the Enable-MbamWebApplication cmdlet

must use the same user account. If the value is a group, the domain account used by the

WebServiceApplicationPoolCredential parameter must be a member of this group.

Aliases none

Required? true

Position? named

Default Value none



-ComplianceAndAudit

Indicates that the cmdlet checks the server prerequisites and validates the parameter values for the

Compliance and Audit Database.

Aliases none

Required? true

Position? named

Default Value none



-ConnectionString<String>

Specifies the connection string used to connect to the data store. The Integrated Security field must be

in the connection string.

Aliases none

Required? true

Position? named

Default Value none



-DatabaseName<String>

Specifies the name of the database. This parameter cannot contain leading or trailing spaces or non-

printable characters. If you do not specify a name, the Compliance and Audit Database is given the

name MBAM Compliance Status, and the Recovery Database is given the name MBAM Recovery and

Hardware.

Aliases none

Required? false

Position? named

Default Value "MBAM Compliance Status" for Compliance DB;

"MBAM Recovery and Hardware" for Recovery

DB



-Detailed



Aliases none

Required? false

Position? named

Default Value none



-Recovery

Indicates that the cmdlet checks the server prerequisites and validates the parameter values for the

Recovery Database.

Aliases none

Required? true

Position? named

Default Value none



-ReportAccount<String>

Specifies a domain user or group. This domain user or group must have read-only permission to this

database, which enables reports to access the compliance and audit data. If the value is a domain user,

then the Compliance and Audit Database domain account of the report feature must be the same as the

user. If the value is a group, then the Compliance and Audit Database domain account of the report

feature must be a member of this group.

Aliases none

Required? true

Position? named

Default Value none



<CommonParameters>



Outputs


bool

Examples

Example 1: Check prerequisites and validate parameters for the

Compliance and Audit Database

This command checks the prerequisites and validates the parameters to enable the Compliance and

Audit Database on MyDatabaseServer. The name of the database is MyComplianceDatabaseName.

The domain account MyAccessAccount has read/write permission to the database, and

MyReportAccount has read-only permission to the database for reporting purposes. The command

uses the current Windows account credentials for authentication.

PS C:\> Test-MbamDatabase -ComplianceAndAudit -ConnectionString "Integrated


ReportAccount "MyDomain\MyReportAccount" -DatabaseName MyComplianceDatabaseName


Recovery Database

This command checks the prerequisites and validates the parameters to enable the Recovery

Database on MyRecoveryDatabaseServer. The name of the database is MyRecoveryDatabaseName.


The domain account MyAccessAccount has read/write permission to the database. The command uses

the current Windows account credentials for authentication.

PS C:\> Test-MbamDatabase -Recovery -ConnectionString "Integrated Security=SSPI;Data

Source=MyDatabaseServer" -AccessAccount "MyDomain\MyAccessAccount" -DatabaseName

"MyRecoveryDatabaseName"

Example 3: Check prerequisites and validate parameters with

detailed output

This command checks the prerequisites and validates the parameters to enable the Compliance and

Audit Database on MyDatabaseServer with detailed output.

PS C:\> Test-MbamDatabase -ComplianceAndAudit -ConnectionString "Integrated


ReportAccount "MyDomain\MyReportAccount" -DatabaseName "MyComplianceDatabaseName" -Detailed

ID Type Message

-- ---- -------

ComplianceConnectionString Error Cannot connect to the database with the provided

connection string.

ComplianceDatabaseAccessAccount Error The user or group 'MyDomain\MyAccessAccount' cannot be

found in Active Directory.

Related topics

Enable-MbamDatabase


Test-MbamReport

Test-MbamReport

Checks server prerequisites and validates parameter values for the Reports feature.

Syntax


Test-MbamReport -ComplianceAndAuditDBCredential <PSCredential> -ReportsReadOnlyAccessGroup

<String> [-ComplianceAndAuditDBConnectionString <String> ] [-Detailed] [-SsrsInstance

<String> ] [ <CommonParameters>]


The Test-MbamReport cmdlet checks server prerequisites and validates parameter values for the

Microsoft BitLocker Administration and Monitoring (MBAM) Reports feature.

Parameters


Specifies a connection string. The local Microsoft SQL Server Reporting Services uses the string that

this parameter specifies to connect to the Compliance and Audit Database feature. The connection

string must contain values for the Integrated Security and Initial Catalog fields.


Required? false

Position? named

Default Value none



-ComplianceAndAuditDBCredential<PSCredential>

Specifies the domain account credentials that the local SQL Server Reporting Services instance uses to

connect to the Compliance and Audit Database. The domain user in the credentials must be the same

as or a member of the report account of the Compliance and Audit Database.

Important: For improved security, use an account that has limited privileges. Also, configure the account

so that the password never expires.

Aliases ComplianceDBCred

Required? true

Position? named

Default Value none



-Detailed



Aliases none

Required? false

Position? named

Default Value none




Specifies a domain user group. Specify a group that has read permissions for the reports.


Required? true

Position? named

Default Value none




Specifies the SQL Server Reporting Services instance. After installation, this instance hosts the reports.

If you do not specify an instance, the cmdlet uses the default instance, MSSQLSERVER.

Aliases none

Required? false

Position? named




<CommonParameters>



Outputs


bool

Examples


Reports feature

This command checks the prerequisites and validates the parameters for the Reports feature on the

local server. The connection string specifies that ContosoDatabaseServer hosts the Compliance and

Audit Database. The cmdlet prompts you to enter credentials for the Compliance and Audit Database.

The reports group is ContosoDomain\ReportsGroup.

PS C:\> Test-MbamReport -ComplianceAndAuditDBConnectionString "Data

Source=MyDatabaseServer;Initial Catalog=MBAM Compliance Status;Integrated Security=True" -

ReportsReadOnlyAccessGroup "MyDomain\MyReportsGroup"

True


Example 2: View details about prerequisites and validation for the

Reports feature

This command displays detailed information about prerequisites and validation of parameters for the

Reports feature. This command specifies the Detailed parameter.

PS C:\> Test-MbamReport -ComplianceAndAuditDBConnectionString "Data

Source=MyDatabaseServer;Initial Catalog=MBAM Compliance Status;Integrated Security=True" -

ReportsReadOnlyAccessGroup "MyDomain\MyReportsGroup" -Detailed

ID Type Message

-- ---- -------

ReportsInstallation Error Unable to connect to the Reporting Services web service. Error

message: The request failed with HTTP status 504: Proxy Timeout (The connection timed out.).

False

Related topics

Disable-MbamReport

Enable-MbamReport

Get-MbamReport



Checks server prerequisites and validates parameter values for a web application feature.

Syntax


Test-MbamWebApplication -AdministrationPortal -AdvancedHelpdeskAccessGroup <String> -

HelpdeskAccessGroup <String> -ReportsReadOnlyAccessGroup <String> -ReportUrl <Uri> [-

Certificate <X509Certificate2> ] [-CMIntegrationMode] [-ComplianceAndAuditDBConnectionString

<String> ] [-Detailed] [-HostName <String> ] [-InstallationPath <String> ] [-Port <Int32> ]

[-RecoveryDBConnectionString <String> ] [-VirtualDirectory <String> ] [-

WebServiceApplicationPoolCredential <PSCredential> ] [ <CommonParameters>]


Test-MbamWebApplication -AgentService [-Certificate <X509Certificate2> ] [-

CMIntegrationMode] [-ComplianceAndAuditDBConnectionString <String> ] [-Detailed] [-HostName

<String> ] [-InstallationPath <String> ] [-Port <Int32> ] [-RecoveryDBConnectionString

<String> ] [-WebServiceApplicationPoolCredential <PSCredential> ] [ <CommonParameters>]


Test-MbamWebApplication -SelfServicePortal [-Certificate <X509Certificate2> ] [-

ComplianceAndAuditDBConnectionString <String> ] [-Detailed] [-HostName <String> ] [-

InstallationPath <String> ] [-Port <Int32> ] [-RecoveryDBConnectionString <String> ] [-

VirtualDirectory <String> ] [-WebServiceApplicationPoolCredential <PSCredential> ] [

<CommonParameters>]


The Test-MbamWebApplication cmdlet checks server prerequisites and validates parameter values

for a Microsoft BitLocker Administration and Monitoring (MBAM) web application feature. The cmdlet

validates the current computer for one of the following web applications:

-- Administration and Monitoring Website

-- Agent Services

-- Self-Service Portal

Parameters



Aliases none

Required? true

Position? named

Default Value none



-AdvancedHelpdeskAccessGroup<String>

Specifies a domain user group. This group has permissions for all areas of the Administration and

Monitoring Website web application, except for reports.

Aliases AdvancedHelpdeskGroup

Required? true

Position? named

Default Value none



-AgentService


Aliases none

Required? true

Position? named

Default Value none



-Certificate<X509Certificate2>

Specifies the certificate to use for encrypted web communications. If you do not specify a certificate,

web communications are not encrypted.

Aliases none

Required? false

Position? named

Default Value none



-CMIntegrationMode

Indicates that all reports, except the Recovery Audit Report, are integrated into Microsoft System

Center Configuration Manager. If you enable the System Center Configuration Manager Integration

feature, specify this parameter.

Aliases CMMode

Required? false

Position? named

Default Value none





connect to the Compliance and Audit Database feature. The connection string must contain values for

the Integrated Security and Initial Catalog fields.

All of the web applications connect to the Compliance and Audit Database by using the same

connection string.


Required? false

Position? named

Default Value none



-Detailed



Aliases none

Required? false

Position? named

Default Value none



-HelpdeskAccessGroup<String>

Specifies the domain user group that has permissions for the Manage TPM and Drive Recovery areas

of the Administration and Monitoring Website web application.

Aliases HelpdeskGroup

Required? true

Position? named

Default Value none



-HostName<String>

Specifies a host name. If you do not specify a host name, the cmdlet uses the fully qualified host name

of the local computer. Ensure that you specify the same host name for all of the web applications.

Aliases none

Required? false

Position? named

Default Value <fully qualified local machine name>



-InstallationPath<String>

Specifies the installation path of the web application. The installation process creates a folder named

Microsoft BitLocker Management Solution in the location that this parameter specifies. If you do not

specify a path, the cmdlet uses <IIS inetpub path>. Specify the same installation path for all of the web

applications.

Aliases none

Required? false

Position? named

Default Value <IIS inetpub path>\Microsoft BitLocker Management

Solution



-Port<Int32>

Specifies the web service port. If you do not specify a port, unencrypted communications use port 80,

and encrypted communications use port 443. Specify the same value for all of the web applications.

You must configure your firewall to allow communication through the ports for the Self-Service Portal

and the Administration and Monitoring Website web applications.

Aliases none

Required? false

Position? named

Default Value 80 if certificate is not specified, 443 otherwise



-RecoveryDBConnectionString<String>


connect to the Recovery Database. The connection string must contain values for the Integrated

Security and Initial Catalog fields. Ensure that all of the web applications connect to the Recovery

Database by using the same connection string.

Aliases RecoveryDB

Required? false

Position? named

Default Value none




Specifies a domain user group. Specify a group that has read permissions for the Reports area of the

Administration and Monitoring Website web application.


Required? true

Position? named

Default Value none



-ReportUrl<Uri>

Specifies the URL for the reports that the Microsoft SQL Server Reporting Services instance publishes.

Aliases none

Required? true

Position? named

Default Value none



-SelfServicePortal


Aliases none

Required? true

Position? named

Default Value none



-VirtualDirectory<String>

Specifies a virtual directory for the web application. If you do not specify a virtual directory, the cmdlet

uses the value HelpDesk for Administration and Monitoring Website, or it uses the value SelfService for

Self-Service Portal.

Aliases none

Required? false

Position? named

Default Value "HelpDesk" for AdministrationPortal feature; "SelfService" for

SelfServicePortal



-WebServiceApplicationPoolCredential<PSCredential>

Specifies the domain user that the application pool for the web applications uses.

If you do not specify this parameter, the cmdlet uses the credentials that you previously specified for

any enabled web application. All of the web applications use the same application pool credentials. If

you specify credentials for web applications more than once, web applications use the most recent

value.

Important: For improved security use an account that has limited user rights. Also, configure the

account so that the password never expires.

Aliases AppPoolCred

Required? false

Position? named

Default Value NetworkService



<CommonParameters>



Outputs


bool

Examples

Example 1: Check prerequisites and validate parameters for

Administration and Monitoring Website

This command checks the prerequisites and validates parameter values for enabling the Administration

and Monitoring Website web application on the current server. The command tests a configuration of

the website that uses the Compliance and Audit Database and the Recovery Database present in the

ContosoDatabaseServer and the reports present in the ContosoReportsServer.

PS C:\> Test-MbamWebApplication -AdministrationPortal -ComplianceAndAuditDBConnectionString







"https://ContosoReportServer/ReportServer" -Port 443 -WebServiceApplicationPoolCredential



True

Example 2: Check prerequisites and validate parameters for Self-

Service Portal

This command checks the prerequisites and validates parameter values for enabling the Self-Service

Portal web application on this server. The command checks the configuration of the Portal that uses the

Compliance and Audit Database and the Recovery Database present in the ContosoDatabaseServer.

PS C:\> Test-MbamWebApplication -SelfServicePortal -ComplianceAndAuditDBConnectionString






True

Example 3: Check prerequisites and validate parameters for Agent

Services

This command checks the prerequisites and validates parameter values for enabling the Agent

Services feature on the current server. The cmdlets verify a configuration of services that uses the

Compliance and Audit Database and the Recovery Database present in the ContosoDatabaseServer.

PS C:\> Test-MbamWebApplication -AgentService -ComplianceAndAuditDBConnectionString






True

Example 4: View detailed information

This command checks the prerequisites and validates parameter values for enabling the Administration

and Monitoring Website on this server. The command specifies the Detailed parameter, and, therefore,

displays detailed information.

PS C:\> Test-MbamWebApplication -AdministrationPortal -ComplianceAndAuditDBConnectionString






"https://ContosoReportServer/ReportServer" -Port 443 -WebServiceApplicationPoolCredential


cert:\LocalComputer\My\E2A7EA5533890D6567E40DFC46F53B3D31D6B689) -Detailed

Type Message

---- -------

Error Parameter "ComplianceAndAuditDBConnectionString" using value "Integrated

Security=SSPI;Data Source=ContosoDatabaseServer;Initial Catalog=MBAM Compliance Status" is

...

Warning The application pool credential has a password that is set to expire.

Warning The application pool credential has administrator rights.

Warning Server communications have been configured without a certificate, which is not a

secure configuration.

False

Related topics




Documents

Cmdlet Reference for Microsoft BitLocker Administration ...download.microsoft.com/download/C/E/5/CE5197B2-8490-4964-A46… · Cmdlet Reference for Microsoft BitLocker Administration