FSiglmueller Posted February 20, 2020

Hi All,

I have the following problem. Today, we have the SCCM CB1910 Bitlocker Selfservice and the Helpdesk on the SCCM Primary Site Server. Now, we want to move those mainly used services out to another server (in our case a distribution server which is located in another data center).

First: Is this possible, or must those services be located on a Primary Site?

Second: How can I get rid of the actual IIS Sites (Self Service and Helpdesk) or move them to another server?

Third: What are the prereqs we have to do before we move it to the other server (install additional roles, or something like that)?

I would appreciate a quick answer.

Florian
anyweb Posted February 20, 2020

You can move them by running the PowerShell script to install the helpdesk and self service desk on another site server. It must have IIS installed along with the prerequisites below:

- In version 1910, to create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.
- To integrate the BitLocker recovery service in Configuration Manager requires a HTTPS-enabled management point. On the properties of the management point, the Client connections setting must be HTTPS.
  Note: In version 1910, it doesn't support Enhanced HTTP.
- To use the BitLocker management reports, install the reporting services point site system role. For more information, see Configure reporting.
  Note: In version 1910, for the Recovery Audit Report to work from the administration and monitoring website, only use a reporting services point at the primary site.
- To use the self-service portal or the administration and monitoring website, you need a Windows server running IIS. You can reuse a Configuration Manager site system, or use a standalone web server that has connectivity to the site database server. Use a supported OS version for site system servers.
  Note: In version 1910, only install the self-service portal and the administration and monitoring website with a primary site database. In a hierarchy, install these websites for each primary site.
- On the web server that will host the self-service portal, install Microsoft ASP.NET MVC 4.0.
- The user account that runs the portal installer script needs SQL sysadmin rights on the site database server. During the setup process, the script sets login, user, and SQL role rights for the web server machine account. You can remove this user account from the sysadmin role after you complete setup of the self-service portal and the administration and monitoring website.
FSiglmueller Posted February 20, 2020

Hi Niall,

thanks for your quick reply.

1. Can you please post the command lines I have to use for moving those roles to another server?

2. If I understand correctly, I don't have to prepare something, because:

- I am a full admin in Configuration Manager
- My MPs are all HTTPS enabled
- The reporting service point is on my primary site (here it can stay, or must it also be installed on the Distribution Point, where I want the Helpdesk and SelfService to be?)
- I only have to install ASP.NET MVC 4.0 on the Distribution Point, where I want to host the SelfService and the Helpdesk, correct?
- My user is a SQL sysadmin

I would appreciate a quick answer.

Florian
anyweb Posted February 20, 2020

It's covered in this video; simply point it to the server name where you intend those services to run. The command lines are here.
FSiglmueller Posted February 20, 2020

Hi Niall,

thanks for your reply. OK, I installed the Helpdesk and the SelfService on the Distribution Point.

How can I now remove the old installation (Helpdesk and SelfService) from the primary site?

Can you also tell me if it is a must to set the SSL settings for both IIS sites (Helpdesk and SelfService) to RequireSSL?

Thanks in advance.

Florian
anyweb Posted February 20, 2020

Hi Florian,

I'd suggest you look inside the PowerShell script itself, and use switches based on that. Here's a hint; post your results here.

And as regards the Bitlocker Management websites being in SSL or not, Microsoft recommends but doesn't require the use of HTTPS for the Bitlocker websites (HTTPS is still required in CM1910 for the MP recovery service endpoint though).

https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/setup-websites
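Added example, not part of the original thread or of Microsoft's installer script: one way to audit whether the two portal applications require SSL, and optionally enforce it, in line with the HTTPS recommendation in the reply above. The site name 'Default Web Site' and the application names 'HelpDesk' and 'SelfService' are assumptions; adjust them to match the actual install.

```powershell
# Added example (not from the thread). Assumed names: 'Default Web Site',
# 'HelpDesk', 'SelfService'. Run elevated on the web server hosting the portals.
Import-Module WebAdministration

function Test-BitLockerPortalSsl {
    param(
        [string]   $SiteName = 'Default Web Site',
        [string[]] $AppNames = @('HelpDesk', 'SelfService'),
        [switch]   $Enforce   # without this switch the function only reports
    )

    # Requiring SSL on a site with no HTTPS binding makes the portals unreachable.
    $hasHttps = [bool](Get-WebBinding -Name $SiteName -Protocol 'https')
    if (-not $hasHttps) {
        Write-Warning "No HTTPS binding on '$SiteName'. Bind a server certificate first."
    }

    foreach ($app in $AppNames) {
        $appPath = "IIS:\Sites\$SiteName\$app"
        if (-not (Test-Path $appPath)) {
            Write-Warning "Application '$app' not found under '$SiteName'."
            continue
        }

        # Effective <access sslFlags="..."> for this application.
        $access = Get-WebConfiguration -PSPath $appPath -Filter 'system.webServer/security/access'
        $flags  = "$($access.sslFlags)" -split ',' | ForEach-Object { $_.Trim() }
        $requiresSsl = $flags -contains 'Ssl'

        if ($Enforce -and $hasHttps -and -not $requiresSsl) {
            # The access section is locked by default, so write it to
            # applicationHost.config under a <location> tag. This replaces any
            # existing flags (for example client-certificate settings) with 'Ssl'.
            Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Location "$SiteName/$app" `
                -Filter 'system.webServer/security/access' `
                -Name 'sslFlags' -Value 'Ssl'
            $requiresSsl = $true
        }

        [pscustomobject]@{
            Application  = "$SiteName/$app"
            HttpsBinding = $hasHttps
            RequireSsl   = $requiresSsl
        }
    }
}

Test-BitLockerPortalSsl            # report only; add -Enforce to set Require SSL
```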
FSiglmueller Posted February 21, 2020

Hi Niall,

thanks for your reply. I did everything you mentioned, but now I got a really strange error message when I try to load a report (via the browser URL to the Reportserver):

A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

I tried that from the Reportserver itself, which is hosted on the SCCM Primary Site (the SQL Server is also on that server - Primary Site).

I don't know why, because if I click on the lock in the browser to see the certificate and its chain, everything looks OK.

Have you got an idea what I did wrong?

Thanks in advance.

Florian