Fix SCCM Bitlocker Management Portal Installer Error

This article covers the steps to fix the SCCM BitLocker Management Portal installer error. If you have tried to set up the web portals of the BitLocker management feature integrated into SCCM, the installer can fail with the error "Unable to export ConfigMgr SQL Server Identification Certificate".

You see this error during the web portal installation stage, while running the MBAMWebSiteInstaller.ps1 script that ships with SCCM (in the bin\X64 folder of the site server installation directory).

You are not the only one to see this error. In the scenario described here the problem lies in the PowerShell script rather than in the SCCM site itself.


Bitlocker Management Portal

Let’s cover some basics of the BitLocker management web service before we go ahead and fix the above error.

About Bitlocker Web Service

The BitLocker web service consists of two IIS sites: the self-service portal and the BitLocker administration and monitoring website.

About BitLocker self-service portal

The self-service portal is a web interface that lets users regain access to their computers on their own when a device is locked and prompts for the BitLocker recovery key. The self-service portal requires no assistance from help desk staff.

About Administration and monitoring website

The BitLocker administration and monitoring website is an administrative interface for BitLocker Drive Encryption, also known as the help desk portal. Use this website to review reports, recover users’ drives, and manage device TPMs.

Fix SCCM Bitlocker Management Portal Installer Error

So let’s focus on fixing the SCCM BitLocker management portal installer error. The error that you see is "Unable to export ConfigMgr SQL Server Identification Certificate".

The script’s Get-CertificateFromSqlServer function is written to retrieve the ConfigMgr SQL Server Identification Certificate from a SQL Server that is separate from the SCCM site server.

If SQL Server is installed on the same server as your SCCM site server, the function fails to locate and export the certificate, and the script aborts with the following output:

Unable to find ConfigMgr SQL Server Identification Certificate
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException
    + PSComputerName        : azukssccm.ukg.local
Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate: Exception calling
"FromBase64String" with "1" argument(s): "Invalid length for a Base-64 char array or string."
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1171 char:16
+     $success = 
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer
Install-MBAMWebSites : Failure acquring SQL identity certificate.
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1324 char:5
+     Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSite

Step 1. Manually create Certificate for SQL

You must manually create the "ConfigMgr SQL Server Identification Certificate" and bind it to the SQL Server instance. The steps to do that are described in this post.

Step 2. Create BitLocker Certificate in SCCM

Next, create the BitLocker management certificate in the SCCM site database on SQL Server. The linked Microsoft documentation for the BitLocker management site database has more details.

Before you run this script in a production environment, change the following values:

  • Site database name (CM_ABC)
  • Password used to create the database master key (MyMasterKeyPassword); use a strong password and store it safely, because the master key protects the certificate’s private key
  • Certificate expiry date (20391022)

Run this code in SQL Server:

USE CM_ABC
-- Create a database master key only if the site database does not have one yet
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

-- Create the BitLocker management certificate, owned by the RecoveryAndHardwareCore role,
-- and give the read/write roles CONTROL over it
IF NOT EXISTS (SELECT name from sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    WITH SUBJECT = 'BitLocker Management',
    EXPIRY_DATE = '20391022'

    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

After you run the above code, the BitLockerManagement_CERT certificate appears under the site database’s Security > Certificates node in SQL Server Management Studio.

Next, back up the certificate and its private key with the script below. Replace CM_ABC with your site database name and MyExportKeyPassword with a strong password. BitLocker recovery data in the site database is encrypted with this certificate, so keep the backup; and because the exported private key file is protected only by that password, move both output files to a secured location and remove them from the SQL Server’s local disk.

USE CM_ABC
-- Export the public certificate and the private key (the key file is encrypted with the given password)
BACKUP CERTIFICATE BitLockerManagement_CERT TO FILE = 'C:\BitLockerManagement_CERT'
WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
ENCRYPTION BY PASSWORD = 'MyExportKeyPassword')

Step 3 – Edit MBAMWebSiteInstaller.ps1 Script

Now we must edit the script before we use it. Work on a copy of MBAMWebSiteInstaller.ps1 and open it in PowerShell ISE.

Search for the line "function Get-CertificateFromSqlServer".

Disable the Get-CertificateFromSqlServer function by commenting it out, as shown in the screenshots of the original post, so that the script no longer tries to export the certificate from SQL Server.

Save the changes made to the script.

After making the above change, run the script again. The installation completes; the error message about the certificate function can be ignored.


Open the IIS console and confirm that both sites, the self-service portal and the administration and monitoring website, are present.

The web interface now works. We have successfully fixed the SCCM BitLocker Management Portal installer error.
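Before editing the installer, it is worth confirming the conditions the script depends on. The following pre-flight check is an added example written for this article; it is not part of MBAMWebSiteInstaller.ps1 or of SCCM. It assumes that the installer looks up the SQL identity certificate by the friendly name "ConfigMgr SQL Server Identification Certificate" in the LocalMachine\My store of the SQL host, that WinRM is available when SQL Server is remote, and that the parameter names below (-SqlServerName, -SqlInstanceName, -SiteServerName) are this example’s own. It replays the step that fails in the log above (export the certificate, base64-encode it, decode it again) and also checks the two causes raised in the comments: sysadmin membership of the account running the script and resolution of the site server’s machine account.

```powershell
# Pre-flight check for the MBAM web site installer (example code, not part of SCCM).
# Assumptions (not confirmed by the installer's source): the certificate is found by the
# friendly name below; the caller needs SQL sysadmin; the site server machine account
# must resolve in the domain. Parameter names are this example's own.
param(
    [Parameter(Mandatory)] [string]$SqlServerName,      # e.g. 'sql01.contoso.local' (hypothetical)
    [string]$SqlInstanceName = '',                       # '' for the default instance
    [string]$SiteServerName  = $env:COMPUTERNAME,
    [string]$FriendlyName    = 'ConfigMgr SQL Server Identification Certificate'  # assumed lookup key
)

$ErrorActionPreference = 'Stop'
$problems = @()

# 1. Certificate: read the SQL host's machine store, locally or over WinRM, and export the
#    public part as base64 exactly the way a remote retrieval would have to ship it.
$lookup = {
    param($name)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $name } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
            @{ n = 'Base64'; e = { [Convert]::ToBase64String($_.Export('Cert')) } }
}
$isLocal = $SqlServerName -match "^($env:COMPUTERNAME|localhost|\.)(\..*)?$"
$cert = if ($isLocal) { & $lookup $FriendlyName }
        else { Invoke-Command -ComputerName $SqlServerName -ScriptBlock $lookup -ArgumentList $FriendlyName }

if (-not $cert) {
    $problems += "No certificate with friendly name '$FriendlyName' in LocalMachine\My on $SqlServerName."
} else {
    # Replay the failing step: FromBase64String must succeed and yield the same certificate.
    try {
        $bytes    = [Convert]::FromBase64String($cert.Base64)
        $reparsed = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        if ($reparsed.Thumbprint -ne $cert.Thumbprint) { $problems += 'Exported certificate does not round-trip.' }
        if ($cert.NotAfter -lt (Get-Date))              { $problems += "Certificate expired on $($cert.NotAfter)." }
    } catch {
        $problems += "Certificate export is not valid base64: $($_.Exception.Message)"
    }
}

# 2. SQL access: the caller must be a member of the sysadmin server role.
#    TrustServerCertificate is set because the ConfigMgr identity certificate is self-signed.
$dataSource = if ($SqlInstanceName) { "$SqlServerName\$SqlInstanceName" } else { $SqlServerName }
$conn = New-Object System.Data.SqlClient.SqlConnection `
    "Server=$dataSource;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin'), SUSER_SNAME()"
    $r = $cmd.ExecuteReader(); [void]$r.Read()
    if ($r.GetInt32(0) -ne 1) { $problems += "$($r.GetString(1)) is not a member of the sysadmin server role." }
    $r.Close()
} catch {
    $problems += "Cannot connect to SQL Server '$dataSource': $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}

# 3. Machine account: DOMAIN\SITESERVER$ must translate to a SID, or Set-MachineUserOnSql
#    cannot grant it anything. NetBIOS domain name, as the installer's -DomainName expects.
$domain  = (Get-CimInstance Win32_ComputerSystem).Domain
$netbios = $domain.Split('.')[0]
try {
    [void]([System.Security.Principal.NTAccount]"$netbios\$SiteServerName`$").Translate(
        [System.Security.Principal.SecurityIdentifier])
} catch {
    $problems += "Machine account $netbios\$SiteServerName`$ does not resolve; check the -DomainName value."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Pre-flight OK: certificate '$($cert.Subject)' found on $SqlServerName, caller is sysadmin, machine account resolves."
```

Run it from the site server with the same account and the same server and instance names you intend to pass to the installer. If every check passes and the installer still fails, the workaround above applies; if the certificate check fails, create or rebind the identity certificate (Step 1) rather than editing the script.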


7 Comments

  1. Frank Rojas says:

    This is not a known issue in the product. The PowerShell script normally works fine whether SQL is remote or local. We have had many customers use this script successfully without having to take all of the steps outlined in this article. In fact from our experiences this error usually occurs because the user running the script does not have proper access to SQL (e.g. not a sysadmin in SQL) or they have some typo in the command line of the script (e.g. misspelled SQL server names or added unneeded options such as instance name). I would not take the steps in this article. Instead find the root cause of why the issue is occurring and then fix the root cause. It should be completely unnecessary to make manual modifications in SQL and/or in the script.

  2. Hello Sir,

    Please help, I am getting the below error. I have SCCM on server1, the SQL database on server2 and the reporting point on server3.

    Even though the machine account is added to the local admin groups on all three servers, and also has sysadmin permissions on the SQL server.

    Set-MachineUserOnSql : Unable to set permissions for machine on SQL server: Exception calling “ExecuteNonQuery” with
    “0” argument(s): “Windows NT user or group ‘domainname\SCCMServername$’ not found. Check the name again.
    Windows NT user or group ‘DomainName\SCCMServername$’ not found. Check the name again.
    Cannot add the principal ‘domainname\SCCMServername$’, because it does not exist or you do not have permission.”
    At E:\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\X64\MBAMWebSiteInstaller.ps1:1223 char:16
    +   $success = Set-MachineUserOnSql
    +        ~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo     : NotSpecified: (:) [Write-Error], WriteErrorException
      + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-MachineUserOnSql

    Install-MBAMWebSites : Failure setting machine account privileges on SQL
    At E:\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\X64\MBAMWebSiteInstaller.ps1:1367 char:5
    +   Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa …
    +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo     : NotSpecified: (:) [Write-Error], WriteErrorException
      + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSites

    Uninstalling MBAM web site registry

    Thanks!!!

    1. Had the same problem. Solved by using domain name instead of FQDN after -DomainName in the install string

      1. Khan Miller says:

        Not sure what you mean by -DomainName ?

        1. -DomainName is a parameter used in the install script.
          If you open the MBAMWebSiteInstaller.ps1 with Notepad you’ll find a bunch of optional parameters you could use, “DomainName” being one of them.

          Also shoutout to @Marcin because I was running into the same problem and his comment fixed it.

      2. Had the exact same problem and this worked a treat. Thanks!

  3. Great post. Saved my time at work.
