Configuring Permissions for the MBAM SQL Database

How does this present itself

This issue most often appears after a user has entered the MBAM database information in the Configure Recast RCT application or in the Recast Management Server settings: when the BitLocker Administration Dashboard is opened, the results in the center MBAM section are listed as "Unknown."

Why this is happening

The Right Click Tools BitLocker Administration Dashboard uses the MBAM database to retrieve the information it needs. However, if the user running the console (or the Service Account, if using a Recast Proxy) does not have permission to log in to SQL Server or to read from the MBAM databases, the data is reported as "Unknown."

How to Resolve the Issue

To resolve the issue, the user that is running the console (or the Service Account that is being used, if you are using a Recast Proxy) needs at least read-only permission to the MBAM databases.

Adding a user account via SQL Server Management Studio

  • If the user account does not exist in SQL Server, you will need to add the account manually. The account name has the format domain\user.
  • The user account needs to be added in two places: as a Login account and as a Database User account.

Adding the User Account as a Login Account

  • To create the account, open SSMS and expand the folder of the instance in which you want to create the new login.
  • Right-click the Security folder, point to New, and select Login.
  • In the Login - New dialog box, on the General page, enter the name as domain\username.
  • Select the User Mapping page and select the ConfigMgr Database in the top right box. In the bottom right box, select at least db_datareader.

Adding the User Account as a Database User

The user needs to be added to both the MBAM Compliance Status and the MBAM Recovery and Hardware status databases.

  • To create the account, open SSMS > locate one of the MBAM databases > Security > Users.
  • Right-click the Users folder > select New User > switch the user type to Windows user > enter domain\username as both the User name and the Login name.
  • Note: the User name and the Login name are the same.
  • After creating or locating the newly added user account, you will need to assign it at least db_datareader permissions for the MBAM databases.
  • To do so, switch to the Membership tab and check the db_datareader box.
  • Click OK and the user will be added with read access to the database.
  • Repeat these steps for the other MBAM database.
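The same result can be scripted in T-SQL instead of clicking through SSMS, which is useful when several servers need the same grant or when you want to verify what was actually granted. The following is an added example, not part of the Recast documentation or the Recast product: it creates the Windows login, maps it as a user in each MBAM database, adds it to db_datareader only (no write roles), and then lists the resulting role membership so the grant can be checked. `DOMAIN\svc_recast` is a placeholder for the console user or Recast Proxy service account; the database names are the defaults this article refers to and may differ in your environment. The `ALTER ROLE ... ADD MEMBER` syntax requires SQL Server 2012 or later.

```sql
-- Added example (not from the Recast documentation). Run in SSMS as a sysadmin
-- or a login with ALTER ANY LOGIN and db_owner/ALTER ROLE rights on both databases.
-- Placeholder: replace DOMAIN\svc_recast with the console user or Recast Proxy service account.

-- 1. Server-level login (the "Login Account" step above). Idempotent: skipped if it already exists.
USE [master];
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\svc_recast')
    CREATE LOGIN [DOMAIN\svc_recast] FROM WINDOWS;
GO

-- 2. Database user plus read-only role in the first MBAM database (the "Database User" step above).
USE [MBAM Compliance Status];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_recast')
    CREATE USER [DOMAIN\svc_recast] FOR LOGIN [DOMAIN\svc_recast];
-- db_datareader is the least-privilege role the dashboard needs; do not add db_datawriter or db_owner.
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\svc_recast];
GO

-- 3. Same mapping in the second MBAM database.
USE [MBAM Recovery and Hardware];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_recast')
    CREATE USER [DOMAIN\svc_recast] FOR LOGIN [DOMAIN\svc_recast];
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\svc_recast];
GO

-- 4. Verification: list every database role the account holds in the current database.
--    Expected: exactly one row per database, with role_name = db_datareader.
--    Run this once in each MBAM database (switch with USE [...] first).
SELECT dp.name AS principal_name,
       r.name  AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r  ON r.principal_id  = drm.role_principal_id
JOIN sys.database_principals   AS dp ON dp.principal_id = drm.member_principal_id
WHERE dp.name = N'DOMAIN\svc_recast';
GO
```

If the verification query returns no rows in one of the databases, that database is the one still reporting "Unknown" in the dashboard; if it returns roles beyond db_datareader, the account has more access than this procedure requires and the extra memberships can be removed with `ALTER ROLE <role> DROP MEMBER`.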