This article covers the steps to fix SCCM Bitlocker Management Portal installer error. If you have recently tried to create the web interface of the BitLocker module integrated into SCCM, it fails with the error cannot export the certificate of SQL Server Identification.
You see this error in the installation stage of the web interface while using the script MBAMWEBSITEINSTALLER.ps1 provided by SCCM.
You are not the only one to see this error because the problem does not come from SCCM but rather from the PowerShell script.
Bitlocker Management Portal
Let’s try to understand some basics of BitLocker Management Point before we go ahead and fix the above error.
About Bitlocker Web Service
BitLocker Web service contains two sites the Self-Service portal and bitlocker administration and monitoring website.
About BitLocker self-service portal
The portal self-service is a web interface that help users to independently get access to their computers when the device is locked. The self-service portal requires no assistance from help desk staff.
About Administration and monitoring website
The BitLocker administration and monitoring website is an administrative interface for BitLocker Drive Encryption. Also known as help desk portal. Use this website to review reports, recover users drives, and manage device TPMs.
Fix SCCM Bitlocker Management Portal Installer Error
So let’s focus on fixing the SCCM bitlocker management portal installer error. The error that you see is cannot export the certificate of SQL Server Identification.
This error occurs because the script is optimized to export a certificate from the SQL server different than SCCM.
However, if your SQL server is installed on the same server as your SCCM server, you surely get this error. The script will be aborted.
Unable to find ConfigMgr SQL Server Identification Certificate + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException + PSComputerName : azukssccm.ukg.local Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate: Exception calling "FromBase64String" with "1" argument(s): "Invalid length for a Base-64 char array or string." At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1171 char:16 + $success = + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer Install-MBAMWebSites : Failure acquring SQL identity certificate. At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1324 char:5 + Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSite
Step 1. Manually create Certificate for SQL
You must manually create certificate “Server Identification Certificate” and assign it to SQL server. In order to do that you can find the steps in this Post.
Step 2. Create BitLocker Certificate in SCCM
You need to create a BitLocker certificate in SQL server. You can also find more details in this link doc.
Before you use this script in a production environment, change the following values:
- Site database name (CM_ABC)
- Password to create the master key (MyMasterKeyPassword)
- Certificate expiry date (20391022)
Run this code in SQL Server:
USE CM_ABC IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##') BEGIN CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword' END IF NOT EXISTS (SELECT name from sys.certificates WHERE name = 'BitLockerManagement_CERT') BEGIN CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore WITH SUBJECT = 'BitLocker Management', EXPIRY_DATE = '20391022' GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite END
Notice that after you run the above code, we see the BitLocker certificate.
Next, we will backup the certificate with the below script. Don’t forget to change database CM_ABC with your database.
USE CM_ABC BACKUP CERTIFICATE BitLockerManagement_CERT TO FILE = 'C:\BitLockerManagement_CERT' WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY', ENCRYPTION BY PASSWORD = 'MyExportKeyPassword')
Step 3 – Edit MBAMWEBSITEINSTALLER.ps1 Script
Now we must edit the script before we use it. Open MBAMWEBSITEINSTALLER.ps1 with PowerShell ISE.
Search or look for the line: “function Get-CertificateFromSqlServer“
Disable function “get-certificatefromsqlserver” as shown in the below screenshot.
We will disable the function.
Save the changes made to the above script.
After making the above changes, we can run the script. The script works fine, just ignore the error message.
Open IIS console and ensure you see the below two sites.
You can now see the web interface works fine. Congratulations, we have successfully fixed SCCM Bitlocker Management portal installer error.