This guide is broken into five parts:
- Preparation Part 1 – Get your Certificate
- Preparation Part 2 – Configure IIS and SQL
To set up IIS to use the web server certificate
1. Open Internet Information Services (IIS) Manager.
2. Expand Sites, right-click Default Web Site, and then choose Edit Bindings.
3. Choose the https entry, and then choose Edit.
4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificates template, and then choose OK. Look for the friendly name you set in the certificate request.
5. Choose OK in the Edit Site Binding dialog box, and then choose Close.
6. Repeat steps 2-5 for the WSUS Administration site if applicable.
NOTE: If you have considered full HTTPS in your Configuration Manager environment, you are now well on your way there. Completing that is outside the scope of this post series, but if you got this far, you could easily finish by following the Example Guide.
Create SQL Encryption Certificate
These instructions use the steps from the Configuration Manager documentation for BitLocker Management Example Scripts.
1. Open SQL Server Management Studio (SSMS) and connect to the SQL Server instance that hosts your Configuration Manager database.
2. Click New Query. In the new query window, paste the code below and modify the ConfigMgr database name, the master key password ('MyMasterKeyPassword'), and the desired expiration date.
USE CM_ABC
-- Create the database master key only if the database does not already have one
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyMasterKeyPassword'
END
-- Create the BitLocker Management certificate, owned by RecoveryAndHardwareCore,
-- and give the Read and Write roles CONTROL over it
IF NOT EXISTS (SELECT name FROM sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    WITH SUBJECT = 'BitLocker Management',
    EXPIRY_DATE = '20391022'

    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END
3. Click Execute to run the query. SSMS should report that the commands completed successfully.
4. Click New Query again and in the new window paste the code below, changing the ConfigMgr database name, the paths for the exported files, and the password for the exported key.
NOTE: The path you set must already exist. SSMS will not create the folder for you, and because BACKUP CERTIFICATE is executed by the SQL Server service, the path is resolved on the SQL Server host (not on the machine running SSMS) and the service account must be able to write to it.
USE CM_ABC
-- Export the certificate and its private key; the key file is protected by the password below
BACKUP CERTIFICATE BitLockerManagement_CERT
    TO FILE = 'C:\BitLockerManagement_CERT'
    WITH PRIVATE KEY (
        FILE = 'C:\BitLockerManagement_CERT_KEY',
        ENCRYPTION BY PASSWORD = 'MyExportKeyPassword')
5. Click Execute. SSMS should again report that the commands completed successfully.
6. On the SQL Server host, open the directory you set in the previous step and find your two files.
7. Take these two files and store them in a safe location. These two files, in combination with the password you set, could allow someone to gain access to all BitLocker recovery keys stored in your database. I would recommend an actual safe over just stashing them in an old copy of your “Administering Windows 7 Professional” book you hollow out and leave on the shelf.
8. Back in SSMS, click New Query one more time. Paste in the code below and modify the ConfigMgr database name.
USE CM_ABC
-- Count the distinct roles (out of the three BitLocker roles) that are tied to
-- a CONTROL permission on the certificate, as grantee or as grantor
DECLARE @count int
SELECT @count = COUNT(DISTINCT u.name)
FROM sys.database_principals u
JOIN sys.database_permissions p
    ON p.grantee_principal_id = u.principal_id OR p.grantor_principal_id = u.principal_id
JOIN sys.certificates c
    ON c.certificate_id = p.major_id
WHERE u.name IN ('RecoveryAndHardwareCore', 'RecoveryAndHardwareRead', 'RecoveryAndHardwareWrite')
  AND c.name = 'BitLockerManagement_CERT'
  AND p.permission_name LIKE 'CONTROL'
IF (@count >= 3) SELECT 1 ELSE SELECT 0
9. Click Execute. A result of 1 means the certificate is set up correctly; a result of 0 means at least one of the three roles is not associated with CONTROL on the certificate, so go back and check step 2.
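As an added diagnostic (not from this post or the Configuration Manager documentation), the following T-SQL breaks the pass/fail check above into its parts so you can see what is missing when step 9 returns 0: the master key, the certificate details including when its private key was last backed up, and CONTROL per role. It assumes the same database and object names as the scripts above and SQL Server 2012 or later for sys.certificates.pvt_key_last_backup_date.

```sql
USE CM_ABC;  -- replace with your ConfigMgr database name

-- 1. Is the database master key present, and is it also protected by the
--    service master key (so SQL Server can open it without the password)?
SELECT d.name AS database_name,
       CASE WHEN EXISTS (SELECT 1 FROM sys.symmetric_keys
                         WHERE name = '##MS_DatabaseMasterKey##')
            THEN 1 ELSE 0 END AS has_master_key,
       d.is_master_key_encrypted_by_server
FROM sys.databases AS d
WHERE d.database_id = DB_ID();

-- 2. The certificate: owner, expiry, how the private key is protected, and
--    whether it has ever been backed up (NULL means the export step never ran).
SELECT c.name,
       USER_NAME(c.principal_id) AS owner_principal,  -- expect RecoveryAndHardwareCore
       c.subject,
       c.expiry_date,
       c.pvt_key_encryption_type_desc,                -- expect ENCRYPTED_BY_MASTER_KEY
       c.pvt_key_last_backup_date
FROM sys.certificates AS c
WHERE c.name = 'BitLockerManagement_CERT';

-- 3. Per-role view of CONTROL on the certificate. The owner has CONTROL
--    implicitly; the other two roles need an explicit GRANT. Anything else is MISSING.
SELECT r.role_name,
       CASE WHEN c.principal_id = u.principal_id THEN 'owner'
            WHEN p.permission_name IS NOT NULL   THEN 'CONTROL granted'
            ELSE 'MISSING' END AS control_status
FROM (VALUES ('RecoveryAndHardwareCore'),
             ('RecoveryAndHardwareRead'),
             ('RecoveryAndHardwareWrite')) AS r(role_name)
LEFT JOIN sys.database_principals AS u
       ON u.name = r.role_name
LEFT JOIN sys.certificates AS c
       ON c.name = 'BitLockerManagement_CERT'
LEFT JOIN sys.database_permissions AS p
       ON p.class_desc = 'CERTIFICATE'
      AND p.major_id = c.certificate_id
      AND p.grantee_principal_id = u.principal_id
      AND p.permission_name = 'CONTROL'
      AND p.state = 'G'
ORDER BY r.role_name;
```

A NULL pvt_key_last_backup_date with a 1 from step 9 is the combination to watch for: the certificate works, but you have no copy of it to restore after a SQL Server rebuild.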
Continue to Part 3: Deploying BitLocker Management