SCCM Bitlocker Management Portal Installer Error

If you have recently tried to create the web interface of the BitLocker module integrated into SCCM, the installation fails with an error saying it cannot export the SQL Server Identification certificate.

You see this error in the installation stage of the web interface while using the script MBAMWEBSITEINSTALLER.ps1 provided by SCCM.

You are not the only one to see this error because the problem does not come from SCCM but rather from the PowerShell script.


Bitlocker Management Portal

Let’s try to understand some basics of BitLocker Management Point before we go ahead and fix the above error.

About Bitlocker Web Service

The BitLocker web service contains two sites: the self-service portal and the BitLocker administration and monitoring website.

About BitLocker self-service portal

The self-service portal is a web interface that helps users independently regain access to their computers when the device is locked. It requires no assistance from help desk staff.

About Administration and monitoring website

The BitLocker administration and monitoring website, also known as the help desk portal, is an administrative interface for BitLocker Drive Encryption. Use this website to review reports, recover users' drives, and manage device TPMs.

SCCM Bitlocker Management Portal Installer Error

So let’s focus on fixing the SCCM BitLocker management portal installer error. The error that you see says that the SQL Server Identification certificate cannot be exported.

This error occurs because the script is written to export the certificate from a SQL Server that is separate from the SCCM server.

However, if your SQL Server is installed on the same server as SCCM, you will get this error and the script will abort.

Unable to find ConfigMgr SQL Server Identification Certificate
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException
    + PSComputerName        : azukssccm.ukg.local
Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate: Exception calling
"FromBase64String" with "1" argument(s): "Invalid length for a Base-64 char array or string."
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1171 char:16
+     $success = 
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer
Install-MBAMWebSites : Failure acquring SQL identity certificate.
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1324 char:5
+     Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSite

Step 1 – Manually create Certificate for SQL

You must manually create the “Server Identification Certificate” and assign it to SQL Server. You can find the steps for doing that in this post.

Step 2 – Create BitLocker Certificate in SCCM

You need to create a BitLocker certificate in SQL Server. You can find more details in the linked documentation.

Before you use this script in a production environment, change the following values:

  • Site database name (CM_ABC)
  • Password to create the master key (MyMasterKeyPassword)
  • Certificate expiry date (20391022)

Run this code in SQL Server:

USE CM_ABC
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

IF NOT EXISTS (SELECT name from sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    WITH SUBJECT = 'BitLocker Management',
    EXPIRY_DATE = '20391022'

    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

After you run the above code, the BitLocker certificate is visible.

Next, back up the certificate with the script below. Don’t forget to replace the database name CM_ABC with the name of your own database.

USE CM_ABC
BACKUP CERTIFICATE BitLockerManagement_CERT TO FILE = 'C:\BitLockerManagement_CERT'
    WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
        ENCRYPTION BY PASSWORD = 'MyExportKeyPassword')
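
To confirm that Step 2 left the database in the expected state, the following queries are an added check that is not part of the original post or of Microsoft's script. They use the same placeholder database name (CM_ABC) and the certificate and role names from the script above.

```sql
-- Added verification example; CM_ABC is the placeholder site database name.
USE CM_ABC;

-- 1. The database master key must exist: it protects the certificate's
--    private key, because CREATE CERTIFICATE was run without a password.
SELECT name, create_date
FROM sys.symmetric_keys
WHERE name = '##MS_DatabaseMasterKey##';

-- 2. Certificate details: owner, expiry date, how the private key is
--    protected, and when the private key was last exported.
SELECT c.name,
       dp.name AS owner_name,
       c.subject,
       c.expiry_date,
       c.pvt_key_encryption_type_desc,
       c.pvt_key_last_backup_date
FROM sys.certificates AS c
JOIN sys.database_principals AS dp
  ON dp.principal_id = c.principal_id
WHERE c.name = N'BitLockerManagement_CERT';

-- 3. List any of the two roles that does NOT hold CONTROL on the certificate.
SELECT r.role_name AS missing_control_grant
FROM (VALUES (N'RecoveryAndHardwareRead'),
             (N'RecoveryAndHardwareWrite')) AS r(role_name)
WHERE NOT EXISTS (
    SELECT 1
    FROM sys.database_permissions AS p
    JOIN sys.certificates AS c
      ON c.certificate_id = p.major_id
    JOIN sys.database_principals AS gp
      ON gp.principal_id = p.grantee_principal_id
    WHERE p.class_desc = 'CERTIFICATE'
      AND p.permission_name = 'CONTROL'
      AND p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
      AND c.name = N'BitLockerManagement_CERT'
      AND gp.name = r.role_name
);
```

An empty result from the third query means both grants from the Step 2 script are in place. The pvt_key_last_backup_date column is populated once the BACKUP CERTIFICATE statement has exported the private key.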

Step 3 – Edit MBAMWEBSITEINSTALLER.ps1 Script

Now we must edit the script before we use it. Open MBAMWEBSITEINSTALLER.ps1 with PowerShell ISE.

Search for the line containing “function Get-CertificateFromSqlServer”.

Disable the function “Get-CertificateFromSqlServer” as shown in the screenshot below.

Save the changes made to the above script.

After making the above changes, we can run the script. The script works fine; just ignore the error message.

SCCM Bitlocker Error

Open the IIS console and ensure you see the two sites shown below.

You can now see that the web interface works fine. Congratulations, we have successfully fixed the SCCM BitLocker Management portal installer error.

BitLocker Administration and Monitoring Web Interface

1 Comment
Rajesh S

Great post. Saved my time at work.
