Hi everyone,
first of all, thanks for your help and your suggestions. With some help from "Computacenter", we were finally able to solve the problem.
We needed to export the master key from the old database and import it into our new database. After the successful migration of the server, we only did this with the BitLocker certificate, but missed the master key. If someone has the same problem in the future, just use the same procedure:
- Delete the BitLocker certificate in the NEW database (if it had already been imported, as in our environment)
- Export the master key from the OLD database with this SQL query:
USE CM_T01;
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'Bitlocker masterkey password';
BACKUP MASTER KEY TO FILE = 'C:\Cert\CM_T01_master_key'
ENCRYPTION BY PASSWORD = 'Bitlocker masterkey password';
GO
- Import the master key into the NEW database with this SQL query:
USE CM_T01;
RESTORE MASTER KEY FROM FILE = 'C:\Cert\CM_T01_master_key'
DECRYPTION BY PASSWORD = 'Bitlocker masterkey password'
ENCRYPTION BY PASSWORD = 'Bitlocker masterkey password'
FORCE
- Import the BitLocker certificate into the NEW database with this SQL query (as described in https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/encrypt-recovery-data):
USE CM_T01
IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Bitlocker masterkey password'
END
IF NOT EXISTS (SELECT name FROM sys.certificates WHERE name = 'BitLockerManagement_CERT')
BEGIN
    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    FROM FILE = 'C:\Cert\BitLockerManagement_CERT'
    WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
        DECRYPTION BY PASSWORD = 'Bitlocker exportkey password')
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
END
Afterwards everything worked for us like a charm.
Perhaps this will help someone facing the same problem in the future.
Again thank you all for your time and thoughts!
Regards
st3ff
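
A post-migration check for the procedure above, as an added example that is not part of the original post or of Microsoft's documentation: it confirms on the NEW database that the master key, the certificate's private key and the role grants are all in place. The database, certificate and role names are the ones used in the post; the test string in step 4 is made up.

```sql
-- Added verification example: run on the NEW server after the restore/import steps.
USE CM_T01;
GO

-- 1. The database master key exists, and we can see whether it is also protected
--    by the service master key (1) or only by its password (0).
SELECT d.name                              AS database_name,
       d.is_master_key_encrypted_by_server AS dmk_protected_by_smk,
       k.create_date,
       k.modify_date
FROM sys.databases AS d
LEFT JOIN sys.symmetric_keys AS k
       ON k.name = '##MS_DatabaseMasterKey##'
WHERE d.name = DB_NAME();

-- If dmk_protected_by_smk = 0, the key has to be opened with its password in every
-- session. To let SQL Server open it automatically, run once:
--   OPEN MASTER KEY DECRYPTION BY PASSWORD = 'Bitlocker masterkey password';
--   ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
--   CLOSE MASTER KEY;

-- 2. The certificate exists and its private key is encrypted by the master key.
--    Run the same query on the OLD database: the thumbprints must be identical,
--    otherwise recovery data written by the old site cannot be decrypted.
SELECT name,
       pvt_key_encryption_type_desc,       -- expected: ENCRYPTED_BY_MASTER_KEY
       thumbprint,
       start_date,
       expiry_date
FROM sys.certificates
WHERE name = 'BitLockerManagement_CERT';

-- 3. Both recovery roles hold CONTROL on the certificate (expect two GRANT rows).
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.certificates AS c
     ON pe.class_desc = 'CERTIFICATE' AND pe.major_id = c.certificate_id
JOIN sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE c.name = 'BitLockerManagement_CERT';

-- 4. Functional check: a non-NULL signature means the private key could actually
--    be opened through the master key in this session.
SELECT SIGNBYCERT(CERT_ID('BitLockerManagement_CERT'), N'constructed test string')
       AS test_signature;
```

Once the checks pass, remove the exported key files from `C:\Cert` or move them to protected storage, since together with their passwords they can decrypt the stored recovery data.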