
Managing BitLocker with Configuration Manager: Preparation Part 2

April 18, 2020

This guide is broken into five parts:

  1. Preparation Part 1 – Get your Certificate
  2. Preparation Part 2 – Configure IIS and SQL
  3. Deployment
  4. Administration
  5. Reporting

Preparation Continued:

To set up IIS to use the web server certificate

1. Open Internet Information Services (IIS) Manager.
2. Expand Sites, right-click Default Web Site, and then choose Edit Bindings.

3. Choose the https entry, and then choose Edit.

4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificates template, and then choose OK. Look for the friendly name you set in the certificate request.

5. Choose OK in the Edit Site Binding dialog box, and then choose Close.
6. Repeat steps 2-5 for the WSUS Administration site if applicable.

NOTE: If you have considered full HTTPS in your Configuration Manager environment, you are now well on your way there. Completing that is outside the scope of this post series, but if you got this far, you could easily finish by following the Example Guide.

Create SQL Encryption Certificate

These instructions use the steps from the Configuration Manager documentation for BitLocker Management Example Scripts.

1. Open SQL Server Management Studio (SSMS) and connect to the SQL Server instance that hosts your Configuration Manager site database.
2. Click New Query. In the new query window, paste the code below, then change the ConfigMgr database name, the master key password, and the desired expiration date to match your environment.

USE CM_ABC
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END

IF NOT EXISTS (SELECT name from sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    WITH SUBJECT = 'BitLocker Management',
    EXPIRY_DATE = '20391022'

    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END

3. Click Execute to run the query. You should see a completion message.

4. Click New Query again and in the new window paste the code below, changing the ConfigMgr database name, the paths for the exported files, and the password for the exported key.

NOTE: The path you set must exist; SSMS will not create the folder for you. The files are written by the SQL Server service, so the path refers to the SQL Server host, not to the machine you are running SSMS from.

USE CM_ABC
BACKUP CERTIFICATE BitLockerManagement_CERT TO FILE = 'C:\BitLockerManagement_CERT'
    WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
        ENCRYPTION BY PASSWORD = 'MyExportKeyPassword')

5. Click Execute and you will see a completion message.

6. Open the directory you set in the previous step and find your two files.

7. Take these two files and store them in a safe location. These two files, in combination with the password you set, could allow someone to gain access to all BitLocker recovery keys stored in your database. I would recommend an actual safe over just stashing them in an old copy of your “Administering Windows 7 Professional” book you hollow out and leave on the shelf.

8. Back in SSMS, click New Query one more time. Paste in the code below and modify the ConfigMgr database name.

USE CM_ABC
declare @count int
select @count = count(distinct u.name) from sys.database_principals u
join sys.database_permissions p on p.grantee_principal_id = u.principal_id or p.grantor_principal_id = u.principal_id
join sys.certificates c on c.certificate_id = p.major_id
where u.name in('RecoveryAndHardwareCore', 'RecoveryAndHardwareRead', 'RecoveryAndHardwareWrite') and
c.name = 'BitLockerManagement_CERT' and p.permission_name like 'CONTROL'
if(@count >= 3) select 1
else select 0

9. Click Execute. If the result is 1, the certificate is set up correctly.
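If the check above returns 0, it does not tell you which piece is missing. The T-SQL below is an added example (not from the original post or the Configuration Manager docs) that reports the master key state, the certificate's expiry and last private-key backup date, and the status of each of the three roles individually. It assumes the names used in this post: database CM_ABC, certificate BitLockerManagement_CERT, and the RecoveryAndHardware* roles.

```sql
USE CM_ABC;

-- Constructed diagnostic script (added example); names assumed from this post.

-- 1. Database master key: must exist, and by default is also protected by the
--    service master key so SQL Server can open it without a password.
SELECT name AS database_name,
       is_master_key_encrypted_by_server AS dmk_protected_by_smk
FROM sys.databases
WHERE name = DB_NAME();

-- 2. Certificate: private key should be ENCRYPTED_BY_MASTER_KEY, the expiry
--    should be well in the future, and pvt_key_last_backup_date confirms that
--    the BACKUP CERTIFICATE step from this post actually ran.
SELECT c.name,
       c.pvt_key_encryption_type_desc,
       c.expiry_date,
       DATEDIFF(day, SYSDATETIME(), c.expiry_date) AS days_until_expiry,
       c.pvt_key_last_backup_date
FROM sys.certificates AS c
WHERE c.name = 'BitLockerManagement_CERT';

-- 3. Per-role check. RecoveryAndHardwareCore owns the certificate (AUTHORIZATION),
--    while Read and Write hold an explicit CONTROL grant; the 1/0 script in the
--    post folds both cases into one count and cannot say which role is at fault.
SELECT r.role_name,
       CASE WHEN u.principal_id IS NULL          THEN 'ROLE MISSING'
            WHEN c.certificate_id IS NULL        THEN 'CERTIFICATE MISSING'
            WHEN c.principal_id = u.principal_id THEN 'OK (owner)'
            WHEN p.permission_name IS NOT NULL   THEN 'OK (CONTROL granted)'
            ELSE 'CONTROL MISSING' END AS status
FROM (VALUES ('RecoveryAndHardwareCore'),
             ('RecoveryAndHardwareRead'),
             ('RecoveryAndHardwareWrite')) AS r(role_name)
LEFT JOIN sys.database_principals AS u ON u.name = r.role_name
LEFT JOIN sys.certificates AS c ON c.name = 'BitLockerManagement_CERT'
LEFT JOIN sys.database_permissions AS p
       ON p.class_desc = 'CERTIFICATE'
      AND p.major_id = c.certificate_id
      AND p.grantee_principal_id = u.principal_id
      AND p.permission_name = 'CONTROL'
      AND p.state IN ('G', 'W');   -- GRANT or GRANT WITH GRANT OPTION
```

Run it in the same SSMS window as the earlier scripts; a NULL pvt_key_last_backup_date means the export in step 4 has not been done, and the third result set names any role that still needs CONTROL.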

Continue to Part 3: Deploying BitLocker Management