Fix SCCM Bitlocker Management Portal Installer Error

Posted by Prajwal Desai

This article covers the steps to fix the SCCM BitLocker Management Portal installer error. If you have recently tried to create the web interface of the BitLocker module integrated into SCCM, the installation fails with an error stating that it cannot export the SQL Server Identification certificate.

You see this error in the installation stage of the web interface while using the script MBAMWEBSITEINSTALLER.ps1 provided by SCCM.

You are not the only one to see this error because the problem does not come from SCCM but rather from the PowerShell script.


Bitlocker Management Portal

Let’s try to understand some basics of BitLocker Management Point before we go ahead and fix the above error.

About Bitlocker Web Service

The BitLocker web service contains two sites: the self-service portal and the BitLocker administration and monitoring website.

About BitLocker self-service portal

The self-service portal is a web interface that helps users independently regain access to their computers when the device is locked. The self-service portal requires no assistance from help desk staff.

About Administration and monitoring website

The BitLocker administration and monitoring website is an administrative interface for BitLocker Drive Encryption. It is also known as the help desk portal. Use this website to review reports, recover users' drives, and manage device TPMs.

Fix SCCM Bitlocker Management Portal Installer Error

So let’s focus on fixing the SCCM BitLocker Management Portal installer error. The error that you see states that the script cannot export the SQL Server Identification certificate.

This error occurs because the script is written to export the certificate from a SQL server that is separate from the SCCM server.

However, if your SQL server is installed on the same server as your SCCM server, you will get this error and the script will abort.

Unable to find ConfigMgr SQL Server Identification Certificate
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException
    + PSComputerName        : azukssccm.ukg.local
Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate: Exception calling
"FromBase64String" with "1" argument(s): "Invalid length for a Base-64 char array or string."
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1171 char:16
+     $success = 
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer
Install-MBAMWebSites : Failure acquring SQL identity certificate.
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1324 char:5
+     Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSite

Step 1. Manually create Certificate for SQL

You must manually create the “Server Identification Certificate” certificate and assign it to SQL Server. You can find the steps to do that in this post.

Step 2. Create BitLocker Certificate in SCCM

You need to create a BitLocker certificate in SQL Server. You can find more details in the linked documentation.

Before you use this script in a production environment, change the following values:

  • Site database name (CM_ABC)
  • Password to create the master key (MyMasterKeyPassword)
  • Certificate expiry date (20391022)

Run this code in SQL Server:

USE CM_ABC
-- Create the database master key if the site database does not have one yet
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

-- Create the BitLocker management certificate and grant access to it
IF NOT EXISTS (SELECT name from sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    WITH SUBJECT = 'BitLocker Management',
    EXPIRY_DATE = '20391022'

    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

After you run the above code, you can see the BitLocker certificate.

Next, we will back up the certificate with the script below. Don’t forget to replace the database name CM_ABC with the name of your own database.

USE CM_ABC
BACKUP CERTIFICATE BitLockerManagement_CERT TO FILE = 'C:\BitLockerManagement_CERT'
WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
    ENCRYPTION BY PASSWORD = '<ExportKeyPassword>')  -- placeholder: set your own password
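
To confirm what the two scripts above left in the site database, the following read-only queries can be run in SQL Server. This is an added example, not part of the original article or of Microsoft's script; it uses only the names shown above (CM_ABC, BitLockerManagement_CERT) and standard SQL Server catalog views.

```sql
-- Added example: read-only checks against the site database.
-- CM_ABC is the placeholder database name used in this article.
USE CM_ABC;

-- 1. The database master key that protects the certificate's private key.
SELECT name, create_date
FROM sys.symmetric_keys
WHERE name = '##MS_DatabaseMasterKey##';

-- 2. The certificate itself: owner, how the private key is protected,
--    when it expires, and when the private key was last exported.
SELECT c.name,
       c.subject,
       p.name AS owner_name,
       c.pvt_key_encryption_type_desc,
       c.expiry_date,
       c.pvt_key_last_backup_date
FROM sys.certificates AS c
JOIN sys.database_principals AS p
    ON p.principal_id = c.principal_id
WHERE c.name = 'BitLockerManagement_CERT';

-- 3. Permissions granted on the certificate, one row per grantee.
SELECT g.name AS grantee,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.certificates AS c
    ON c.certificate_id = dp.major_id
JOIN sys.database_principals AS g
    ON g.principal_id = dp.grantee_principal_id
WHERE dp.class_desc = 'CERTIFICATE'
  AND c.name = 'BitLockerManagement_CERT';
```

An empty result from the first or second query means the corresponding object was not created. The third query lists the grantees of the two GRANT CONTROL statements, and pvt_key_last_backup_date stays NULL until the BACKUP CERTIFICATE statement has run.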


Now we must edit the script before we use it. Open MBAMWEBSITEINSTALLER.ps1 with PowerShell ISE.

Search for the line: “function Get-CertificateFromSqlServer”.

Disable the function “Get-CertificateFromSqlServer”.

Save the changes made to the above script.

After making the above changes, we can run the script. The script works fine; just ignore the error message.

Open the IIS console and ensure you see the two sites.

You can now see the web interface works fine. Congratulations, we have successfully fixed SCCM Bitlocker Management portal installer error.

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.