Manually modifying IIS bindings to use SSL for MBAM services
Microsoft BitLocker Administration and Monitoring (MBAM) needs web services no matter what topology you are using. These MBAM web services can be installed with or without SSL Certificates. To install MBAM web features using SSL, it is required to have a certificate ready to use and issued to the web server or whatever the hostname you are planning to use for MBAM. We can manually modify the binding of the MBAM web services to use SSL if one of the below applies:
- you have already installed the MBAM web features without SSL and would like to add it later
- you don’t see the certificate
- you did not have the certificate ready by the time you were installing MBAM web features
However, the suggested method is to remove MBAM web features and add the features back with SSL.
It can be a tedious process, so stay with me. To modify the IIS binding:
Step 1:
Import the certificate to your web server using these steps. My assumptions are that the certificate is valid and is verified.
Step 2:
Browse each of the MBAM subfolders on your web server with the default location being C:\inetpub\Microsoft BitLocker Management Solution\
1. Administration Service - web.config
Modify the Endpoint Binding and BindingConfiguration to the following:
<endpoint address="" binding=" wsHttpBinding " bindingConfiguration= "TransportSecurity "
2. Compliance Status service – web.config
Modify the Endpoint Binding and BindingConfiguration to the following:
<endpoint address="" binding=" wsHttpBinding " bindingConfiguration=" MaltaHttpsBinding"
3. Helpdesk website –web.config
Modify the endpoint address to use HTTPS and also Binding and Binding configuration to the following:
<endpoint address=" https ://<hostname>/MBAMAdministrationService/AdministrationService.svc"
behaviorConfiguration="AdministrationEndpointBehavior" binding=" wsHttpBinding "
bindingConfiguration="Microsoft.Mbam.ApplicationSupportService. AdministrationService1 "
4. Recovery and Hardware Service – web.config
Modify Binding and bindingConfiguration to the following:
<endpoint address="" binding=" wsHttpBinding " bindingConfiguration=" TransportSecurity "
5. SelfService –web.config
Modify Binding and bindingConfiguration to the following:
binding=" wsHttpBinding " bindingConfiguration="Microsoft.Mbam.Server.UserSupportService. UserSupportService1"
6. User Support Service -web.config
Modify binding and bindingConfiguration to the following:
<endpoint address="" binding=" wsHttpBinding " bindingConfiguration=" TransportSecurity "
Once you have modified all the above web.config files, restart the MBAM web server from IIS Manager and verify you are able to browse all the URLs using HTTPS.
Good Luck!
Naziya Shaik
Support Escalation Engineer
Microsoft Enterprise Platforms Support