MBAM SQL Database Permissions

Indications

MBAM SQL Database Permission errors are most often identified when a user enters MBAM database information in the Configure Recast Console Extension application or in the Recast Management Server settings. This type of error may also appear in the BitLocker Administration Dashboard, where results in the center MBAM section are listed as 'Unknown'.

Probable Cause

The Right Click Tools BitLocker Administration Dashboard can use the MBAM database to retrieve the information it needs. However, if the user running the console (or the Service Account, if using a Recast Proxy) does not have permission to log in to SQL or read from the SQL database, the data will be considered 'Unknown'.

Resolution

To resolve the issue, ensure that the user running the console (or the Service Account, if you are using a Recast Proxy) has at least read-only permissions to the MBAM databases.

Add a user account via SQL Server Management Studio

If the user account does not exist in SQL, it must be added manually. The User Account will need to be added both as a Login Account and as a Database User account.

To add the User Account as a Login Account:

1. Open SSMS and expand the folder of the instance in which you want to create the new login.

2. Right-click on the Security folder, point to New, and select Login.

3. In the Login - New dialog box on the General page, enter the name of the account in the following format: domain\username.

4. Open the User Mapping page, and select the ConfigMgr database in the top right box. 

5. In the bottom right box, select at least db_datareader as a permission.

To add the User Account as a Database User:

1. Open SSMS and navigate to MBAM Databases > Security > Users.

2. Right-click on the Users folder and select New User.

3. Switch the user type to 'Windows' and add the user name and the login name in the following format: domain\username.

NOTE: User Name and Login are the same.

4. On the Membership tab, select the db_datareader box and assign the account db_datareader permissions for the MBAM databases by clicking OK.

NOTE: Users must be added to both the MBAM Compliance Status and MBAM Recovery and Hardware Status databases.
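
The same grant can be scripted in T-SQL instead of clicking through SSMS. The script below is an added example, not part of the original Recast documentation: the account name is a placeholder, and the two database names are assumed defaults that must be changed to match the names in your MBAM installation. It can be re-run safely, and it lists every role the account holds in each database so that anything broader than db_datareader is visible.

```sql
-- Added example, not Recast's own script. Placeholders are marked below.
SET NOCOUNT ON;
DECLARE @account sysname = N'CONTOSO\svc-recast';   -- placeholder: domain\username
DECLARE @dbs TABLE (name sysname);
INSERT INTO @dbs (name) VALUES
    (N'MBAM Compliance Status'),       -- assumed name; match your install
    (N'MBAM Recovery and Hardware');   -- assumed name; match your install
DECLARE @sql nvarchar(max), @db sysname;

-- Server-level Windows login (skipped when it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @account)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@account) + N' FROM WINDOWS;';
    EXEC sys.sp_executesql @sql;
END;

-- Database user plus db_datareader in each MBAM database.
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR SELECT name FROM @dbs;
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF DB_ID(@db) IS NULL
        RAISERROR(N'Database %s not found; check the name.', 16, 1, @db);
    ELSE
    BEGIN
        -- User name and login are the same, as in the SSMS steps.
        SET @sql = N'USE ' + QUOTENAME(@db) + N';
            IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @acct)
                CREATE USER ' + QUOTENAME(@account)
                    + N' FOR LOGIN ' + QUOTENAME(@account) + N';
            IF ISNULL(IS_ROLEMEMBER(N''db_datareader'', @acct), 0) = 0
                ALTER ROLE db_datareader ADD MEMBER ' + QUOTENAME(@account) + N';
            -- Report every role the account holds in this database.
            SELECT DB_NAME() AS database_name, r.name AS role_name
            FROM sys.database_role_members AS m
            JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
            JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
            WHERE u.name = @acct;';
        EXEC sys.sp_executesql @sql, N'@acct sysname', @acct = @account;
    END;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;
```

Run it as a login that can create logins on the instance and manage users in both databases. If the result set shows roles such as db_owner for a Recast Proxy service account, that is more than the read-only access this page calls for.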


Copyright © 2023 Recast Software, LLC. All rights reserved.