Windows Server: Installation and Setup Guide
Overview
The purpose of this guide is to describe the environmental requirements and steps required to configure the PK Endpoint Manager and associated PK Protect Application (Agent).
What you will need:
- A Windows Server to host the PK Endpoint Manager. This server should be joined to an Active Directory domain.
- A SQL Server or PostgreSQL 9.5 database where PK Endpoint Manager application data will live. Before installing you should obtain:
  - Database server instance name
  - Database name
  - Database username with access to the above database
  - Database user password
  - The port the database server listens on
- An SSL certificate that matches the hostname you wish to use for the PK Endpoint Manager
- (optional) A DNS record for "pkwareops.[domain.ext]" published into your internal/external DNS. The PK Protect application will look for this record by default.
- (optional) To test local search, install Java 11 (AdoptOpenJDK) and ElasticSearch
What this guide will cover:
- Scripted installation.
- SQL database requirements and setup.
- IIS website / application pool requirements and setup.
- TLS / SSL configuration and connectivity.
- Deployment of the PK Endpoint Manager.
Active Directory Authentication Note:
The Windows Server that will host the PK Endpoint Manager site/application needs to be able to authenticate against your Active Directory. This authentication occurs over the standard Active Directory Domain Services protocols. For more information about the ports the Windows Server needs open to reach the domain, see: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
Windows Server Core Installations:
Looking for instructions for installing on Windows Server Core? See the Windows Server Core Installation and Setup Guide.
Scripted Installation
Since v15.3, you have the option to perform a scripted installation of the PK Endpoint Manager. Contact your PKWARE account representative to obtain the appropriate package for your platform.
Steps performed
The script performs the following steps, in order:
- Checks numerous system dependencies.
- Installs and configures appropriate Internet Information Services (IIS) Roles and Features.
- Allows the Administrator to select a database type for PK Endpoint Manager. Choose from:
  - A local database instance of PostgreSQL. The script will install and configure the database while prompting the Administrator to set a DB Instance Master password and a DB access password.
  - An external MS-SQL database, for which the script will later ask for connection details (Hostname, Database Name, DB Username, DB Password).
  - An external PostgreSQL database, for which the script will later ask for connection details (Hostname, Database Name, DB Username, DB Password).
- Configures the PK Endpoint Manager website and an associated Application Pool in IIS.
- Generates and binds a Self-Signed Certificate to the website.
- Prompts the administrator to supply a default encryption master password.
- Prompts the administrator to supply a default system administration account for the Smartcrypt Manager.
Notes for the scripted deployment option:
- The self-signed certificate created during the scripted installation is intended for PK Protect use in lab or non-production environments, for proof-of-concept or evaluation purposes. To install a trusted, CA-rooted or other certificate instead, follow the steps below.
To import a certificate in Windows 2012
- Open the Certificates snap-in for the local machine's certificate store: Start | Run | certlm.msc
- In the console tree, click the Personal store
- On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
- Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
- This certificate should have a private key (PKCS #12 file)
- Type the password used to encrypt the private key.
- (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
- Select Place all certificates in the following store, click Browse, and choose the Personal store.
- When this process is completed, a hosts file entry (Windows\System32\drivers\etc\hosts) or a DNS entry pointing directly to one or more IP addresses (an A record) will be required for client machines to connect back to the Manager.
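The same import and site binding done from PowerShell instead of the certlm.msc wizard, added here as an example and not part of PKWARE's installer. The site name follows the script's default; the host name and PFX path are placeholders to replace, and the certificate is checked for a trusted chain and matching name before it is bound.

```powershell
# Added example (not PKWARE's script): import a CA-issued PKCS #12 certificate
# and bind it to the PK Endpoint Manager site, replacing the self-signed one.
#Requires -RunAsAdministrator
Import-Module PKI
Import-Module WebAdministration

$SiteName    = 'Smartcrypt'                     # site name created by the install script (default)
$HostName    = 'pkem.example.com'               # placeholder: must match the certificate CN/SAN
$PfxPath     = 'C:\Certs\pkem.example.com.pfx'  # placeholder: PKCS #12 file containing the private key
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import into the local machine Personal store. Keep -Exportable only if you
#    need to back up or move the key later (the "Mark key as exportable" step above).
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $PfxPassword -Exportable

# 2. Validate before binding: the chain must be trusted on this machine and the
#    certificate must carry the host name agents and browsers will connect to.
$valid = Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue
if (-not $valid) {
    throw "Certificate $($cert.Thumbprint) is not valid for SSL on $HostName (untrusted chain or name mismatch)."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); schedule a renewal."
}

# 3. Make sure an https binding for this host name exists (SslFlags 1 = SNI).
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
}

# 4. Attach the imported certificate to that binding (this replaces the self-signed one).
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 5. Show what IIS now serves for the site.
Get-WebBinding -Name $SiteName -Protocol https |
    Select-Object protocol, bindingInformation, certificateHash, certificateStoreName
```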
Running the installation script
- Log in to the Windows Server environment and copy the SEM installation package to the Windows Server. Extract the .ZIP package.
- Run Microsoft PowerShell as an Administrator.
- Change to the directory location where you extracted the SEM installer.
- Execute ./sc_install.ps1
- Press R when asked "Do you want to run install.ps1?"
The system (if network connected) will attempt to download/install all Windows features required to run the SEM, including all prerequisite Microsoft Internet Information Server (IIS) modules and .NET Core Server.
PS C:\Windows\system32> cd C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152
PS C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152> .\install.ps1
Checking Prerequisites...
Checked Prerequisites.
Enabling IIS-WebServerRole...
Enabled IIS-WebServerRole.
IIS-WebServer is enabled.
IIS-CommonHttpFeatures is enabled.
IIS-DefaultDocument is enabled.
IIS-HttpErrors is enabled.
IIS-StaticContent is enabled.
IIS-HealthAndDiagnostics is enabled.
IIS-HttpLogging is enabled.
IIS-Performance is enabled.
IIS-HttpCompressionStatic is enabled.
IIS-Security is enabled.
Enabling IIS-WindowsAuthentication...
Enabled IIS-WindowsAuthentication.
IIS-ApplicationDevelopment is enabled.
Enabling NetFx4Extended-ASPNET45...
Enabled NetFx4Extended-ASPNET45.
Enabling IIS-NetFxExtensibility45...
Enabled IIS-NetFxExtensibility45.
Enabling IIS-ASPNET45...
Enabled IIS-ASPNET45.
IIS-ISAPIExtensions is enabled.
IIS-ISAPIFilter is enabled.
IIS-WebServerManagementTools is enabled.
IIS-ManagementConsole is enabled.
Installing .NET Core 2.1.7 Server Hosting...
Installed .NET Core 2.1.7 Server Hosting.
Installing PostgreSQL
PK Endpoint Manager supports Microsoft SQL Server and PostgreSQL 9.5 database management systems. The SEM installation script will prompt you to "install postgres to use later." Press enter to skip installation, or Y to install and configure PostgreSQL locally.
If you choose not to install PostgreSQL, it is assumed a remote database server will be used.
Below is the sample output from a basic installation. The installation script will also prompt for a hostname. This is used to generate a self-signed certificate and to set up the hostname and SSL bindings for the site that is created.
Would you like to install postgres to use later?
[Y] Yes [N] No (default is N): n
Expanding Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-18.0.152.zip" -> "C:\PKWARE\SmartcryptEnterpriseManager")...
Expanded Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-18.0.152.zip" -> "C:\PKWARE\SmartcryptEnterpriseManager").
Expanding Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-tde-18.0.152.zip" -> "C:\PKWARE\SmartcryptEnterpriseManager")...
Expanded Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\pkmds-tde-18.0.152.zip" -> "C:\PKWARE\SmartcryptEnterpriseManager").
Configuring PK Endpoint Manager
The script continues to create the PK Endpoint Manager database.
You'll be asked to configure SEM.
- Existing or New site: Default is New, but if you have already set up SEM on IIS, type E.
- Name the Site: Default is PK Protect
- Physical Site Location: Default is c:\inetpub\wwwroot. Edit as required.
- Application Name: Default is mds.
Existing Sites:
Name             Physical Path
----             -------------
Default Web Site C:\inetpub\wwwroot
Configure Smartcrypt Enterprise Manager
Would you like to configure an existing or create a new Smartcrypt enterprise manager site?
[E] Existing [N] New [Escape] Cancel (default is "N"): N
Confirm Configure New Smartcrypt Enterprise Manager Site
Are you sure you want to configure a new Smartcrypt enterprise manager site?
[Y] Yes [N] No (default is "Y"): Y
Setting Up New Smartcrypt Site...
Confirm Site Name
Configure site name to be "Smartcrypt"?
[Y] Yes [N] No (default is "Y"):
Confirm Physical Site Location
Configure physical site location to be "C:\inetpub\wwwroot"?
[Y] Yes [N] No (default is "Y"):
Confirm Application Name
Configure application name to be "mds"?
[Y] Yes [N] No (default is "Y"):
The script will display the existing Application Pools on IIS.
- New Application Pool: Default is New. Highly recommended.
- Application Pool Name: Default is PK Protect.
- Hostname: Default is the current machine.
- HTTPS Certificate: Default is to create a new self-signed X.509 certificate for the host.
The script will create a new self-signed certificate, and ask you to confirm that you want to use it.
Existing AppPools:
Name               Runtime Version
----               ---------------
DefaultAppPool     v4.0
.NET v4.5 Classic  v4.0
.NET v4.5          v4.0
Configure Smartcrypt Enterprise Manager
Would you like to configure an existing or create a new application pool?
[E] Existing [N] New [Escape] Cancel (default is "N"):
Confirm Configure New Application Pool
Are you sure you want to configure a new application pool?
[Y] Yes [N] No (default is "Y"):
Confirm Application Pool Name
Configure application pool name to be "Smartcrypt"?
[Y] Yes [N] No (default is "Y"):
Hostname: mkesrv-jd01.qanet.dom
Confirm Hostname
Set hostname to be "mkesrv-jd01.qanet.dom"?
[Y] Yes [N] No (default is "Y"): y
Current Certificates:
Thumbprint Subject Friendly Name
---------- ------- -------------
Https Certificate
Would you like to create a new certificate, import a certificate, or use an existing installed certificate?
[N] New [E] Existing (default is "N"):
Confirm Certificate
Are you sure you want to create a new self signed certificated for host=mkesrv-jd01.qanet.dom
[Y] Yes [N] No (default is "Y"):
Creating New Self Signed Certificate...
Created New Self Signed Certificate.
Confirm Certificate
Do you want to use this certificate?
Thumbprint                               Subject                  Friendly Name
----------                               -------                  -------------
07C844B4E67F4F9D3929D3DD20510571B8F51F09 CN=mkesrv-jd01.qanet.dom Smartcrypt
[Y] Yes [N] No (default is "Y"):
Connecting to the Database
The script then checks for a connection to the database, and allows you to configure the connection.
- Confirm Database Platform: Default is SQL Server. To change to PostgreSQL, type N and enter postgresql.
- Database Server: Identify the location of the database server.
- Confirm Port: Enter the port for the database.
- Database: Name the database.
- User Id: Identify the owner of the SEM database.
- Password: Supply the database server password for the user you just identified.
- Add Extra Parameter: Default is No. If you want to set an additional required string to access the database, define that here.
The script displays the Connection Information you've entered, and tries to connect. If the database connection is valid, you are asked to confirm the configuration.
Database Connection Information:
Platform: SQLServer
Server:
Database:
User Id:
Database connection is invalid.
Confirm Database Platform
Set database platform to be "SQLServer"?
[Y] Yes [N] No (default is "Y"):
Database Server: qasrv-db01.qanet.dom
Confirm Database Server
Set database server to be "qasrv-db01.qanet.dom"?
[Y] Yes [N] No (default is "Y"): y
Confirm Port
Set port to be "1433"?
[Y] Yes [N] No (default is "Y"):
Database: 180
Confirm Database
Set database to be "180"?
[Y] Yes [N] No (default is "Y"):
User Id: qa
Confirm User Id
Set user id to be "qa"?
[Y] Yes [N] No (default is "Y"):
Password:
Add Extra Parameter
Would you like to add an extra connection string parameter?
[Y] Yes [N] No (default is "N"):
Database Connection Information:
Platform: SQLServer
Server: qasrv-db01.qanet.dom
Database: 180
User Id: qa
Port: 1433
Testing Connection... [ ] 100%
Database connection is valid.
Confirm Database Connection Configuration
Would you like to use this database connection configuration?
[Y] Yes [N] No (default is "Y"): y
Configuring PK Endpoint Manager in IIS
Enter the PK Endpoint Manager Account Password to access SEM.
You'll next be asked to configure the local Administrator user. Supply a username (default is Administrator) and password.
The script will set up an Application Pool, Site and Application in IIS on the server.
Smartcrypt Enterprise Manager Account Password:
Smartcrypt Enterprise Manager Account Password (confirmation):
Confirm Local Administrator User
Configure local administrator user to be "Administrator"?
[Y] Yes [N] No (default is "Y"): y
Local Administrator Password:
Local Administrator Password (confirmation):
Creating New AppPool "Smartcrypt"...
Created New AppPool "Smartcrypt".
Creating New Site "Smartcrypt"...
Created New Site "Smartcrypt".
Setting Application "/" AppPool...
Set Application "/" AppPool.
Creating New Application "mds"...
Created New Application "mds".
Setting Application "mds" AppPool...
Set Application "mds" AppPool.
Setting Application "mds" Windows Authentication...
Set Application "mds" Windows Authentication.
Upgrading database
INFO: Database is currently at version: 0.0
INFO: Current version is not equal to the target version
INFO: Upgrading to version: 1.0.60
INFO: Upgrading to version: 1.0.61
INFO: Upgrading to version: 1.0.62
INFO: Upgrading to version: 1.0.63
INFO: Upgrading to version: 1.64
INFO: Upgrading to version: 1.65
INFO: Upgrading to version: 1.66
INFO: Upgrading to version: 1.67
INFO: Upgrading to version: 1.68
INFO: Upgrading to version: 1.69
INFO: Upgrading to version: 1.70
INFO: Upgrading to version: 1.71
INFO: Upgrading to version: 1.72
INFO: Upgrading to version: 1.72.1
INFO: Upgrading to version: 1.72.2
INFO: Upgrading to version: 1.73
INFO: Upgrading to version: 1.74
INFO: Upgrading to version: 1.75
INFO: Upgrading to version: 1.76
INFO: Upgrading to version: 1.77
INFO: Upgrading to version: 1.78
INFO: Upgrading to version: 1.79
INFO: Upgrading to version: 1.80
INFO: Upgrading to version: 1.80.1
INFO: Upgrading to version: 1.81
INFO: Upgrading to version: 1.82
INFO: Upgrading to version: 1.83
INFO: Upgrading to version: 1.83.1
INFO: Upgrading to version: 1.84
INFO: Upgrading to version: 1.85
INFO: Upgrading to version: 1.86
INFO: Upgrading to version: 1.87
INFO: Upgrading to version: 1.88
INFO: Upgrading to version: 1.89
INFO: Upgrading to version: 1.90
INFO: Upgrading to version: 1.91
INFO: Upgrading to version: 1.92
INFO: Upgrading to version: 1.93
INFO: Upgrading to version: 1.94
INFO: Upgrading to version: 1.95
INFO: Upgrading to version: 1.96
INFO: Upgrading to version: 1.97
INFO: Upgrading to version: 1.98
INFO: Upgrading to version: 1.99
INFO: Upgrading to version: 2.0
INFO: Upgrading to version: 2.1
INFO: Upgrading to version: 2.1.1
INFO: Upgrading to version: 2.2
INFO: Upgrading to version: 2.3
INFO: Upgrading to version: 2.4
INFO: Upgrading to version: 2.5
INFO: Upgrading to version: 2.6
INFO: Upgrading to version: 2.7
INFO: Upgrading to version: 2.8
INFO: Upgrading to version: 2.9
INFO: Database is currently at version: 0.0
INFO: Current version is not equal to the target version
INFO: Upgrading to version: 1.0
INFO: Upgrading to version: 1.1
INFO: Upgrading to version: 1.2
INFO: Upgrading to version: 1.3
INFO: Upgrading to version: 1.4
INFO: Upgrading to version: 1.5
INFO: Upgrading to version: 1.6
INFO: Upgrading to version: 1.7
Saving IIS Changes
Starting AppPool
Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
You are now able to open SEM at https://<hostname>/mds. If you are not able to reach the site, confirm the hostname is routable via DNS or a hosts file entry.
Troubleshooting
Mobile and iOS devices cannot connect to the SMDS when it has been configured with this script, because these devices will not accept the self-signed certificate created by the setup script. Installing a trusted certificate will allow these types of devices to connect to SMDS.
SQL Server database requirements and setup:
The PK Endpoint Manager requires an empty database, appropriate authentication credentials and permissions. Please perform the following actions, consulting the documentation for your version of SQL Server, if necessary.
Log in to your SQL Server and create an empty database:
- Give the database a name and note it down for later (e.g. "PK Protect")
- Set the database collation to: Latin1_General_CI_AS
- Create a database user which the PK Endpoint Manager will use to authenticate to this instance (e.g. pk protect-user)
- Set a database user password and be sure to uncheck the option "Must change password at next logon"
- Give the database user the "db_owner" right on the PK Protect database you created above
For More Information about how to authenticate to Microsoft SQL Server, see:
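The database, login, user and db_owner grant described above as a script, added here as an example and not PKWARE's own tooling. It assumes the SqlServer module (Invoke-Sqlcmd) is installed and that you connect as a sysadmin with Windows authentication; the server, database and login names are placeholders, and the password policy choices are noted in the comments.

```powershell
# Added example (not PKWARE's): create the empty PK Endpoint Manager database and
# its dedicated SQL login with the settings the guide asks for.
Import-Module SqlServer

$ServerInstance = 'qasrv-db01.qanet.dom'   # placeholder (the guide's sample host); replace with yours
$DbName   = 'PKProtect'                    # placeholder database name
$DbUser   = 'pkprotect-user'               # placeholder login/user name
$Secure   = Read-Host -Prompt "Password for SQL login $DbUser" -AsSecureString
$Plain    = (New-Object System.Management.Automation.PSCredential('x', $Secure)).GetNetworkCredential().Password
$Plain    = $Plain.Replace("'", "''")      # keep a quote in the password from ending the N'...' literal

# Names are wrapped with QUOTENAME() so they are treated as identifiers, and the
# password is handed over as a sqlcmd variable rather than pasted into the script.
# CHECK_POLICY = ON keeps the server's complexity policy; MUST_CHANGE is deliberately
# not set and CHECK_EXPIRATION is OFF because a service account cannot rotate
# its password interactively (the "Must change password" checkbox above).
$Tsql = @'
IF DB_ID(N'$(DbName)') IS NULL
    EXEC (N'CREATE DATABASE ' + QUOTENAME(N'$(DbName)') + N' COLLATE Latin1_General_CI_AS');

IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(DbUser)')
    EXEC (N'CREATE LOGIN ' + QUOTENAME(N'$(DbUser)')
          + N' WITH PASSWORD = ' + QUOTENAME(N'$(DbPassword)', '''')
          + N', CHECK_POLICY = ON, CHECK_EXPIRATION = OFF, DEFAULT_DATABASE = '
          + QUOTENAME(N'$(DbName)'));

EXEC (N'USE ' + QUOTENAME(N'$(DbName)') + N';
       IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N''$(DbUser)'')
           CREATE USER ' + QUOTENAME(N'$(DbUser)') + N' FOR LOGIN ' + QUOTENAME(N'$(DbUser)') + N';
       ALTER ROLE db_owner ADD MEMBER ' + QUOTENAME(N'$(DbUser)') + N';');
'@

Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $Tsql `
    -Variable @("DbName=$DbName", "DbUser=$DbUser", "DbPassword=$Plain")

# Verify the two things the guide requires: the collation and the db_owner membership.
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master `
    -Query "SELECT name, collation_name FROM sys.databases WHERE name = N'$DbName';"
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $DbName -Query @"
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$DbUser';
"@
```

ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later; on older versions use sp_addrolemember instead.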
IIS website / application pool requirements and setup:
Perform the following steps on the Windows Server running IIS:
Install the Visual C++ 2012 Runtime
PK Protect is developed with Microsoft® Visual Studio® 2012, and some of its required features depend on the matching Microsoft Visual C++ redistributable, so the 2012 redistributable must be installed.
- Download and install the 64-bit version of the redistributable found here: https://www.microsoft.com/en-us/download/details.aspx?id=30679
Configure Internet Information Server for PK Protect
Prior to installing the PK Endpoint Manager website, you must have two features installed and configured on IIS. There are important, if slight, differences in the setups depending on which version of Windows Server you are running.
If you already have these features installed and configured, no changes are required. Skip to “Install Smartcrypt Enterprise Manager.”
| Setting up IIS in Windows Server 2012 R2 | Setting up IIS in Windows Server 2008 R2 |
|---|---|
| Launch the Server Manager and select IIS. | Launch the Server Manager and select Web Server (IIS). Enabling .NET Framework 4 Support in IIS (Windows Server 2008): after installing the ASP.NET features in the Server Manager, you must still enable the .NET Framework in Windows Server 2008. This is done from an Administrator command prompt. |
Install Web Deploy with Microsoft Web Platform Installer
Install Web Deploy through the Microsoft Web Platform Installer (WPI), a free Microsoft tool to install a variety of products into IIS. Download WPI from http://www.iis.net/downloads/microsoft/web-deploy
After you download wpilauncher.exe, run it to see the Web Platform Installer screen. Click the Search box in the upper right corner and type "Web Deploy." Several options may appear, depending on what applications are supported. For your initial installation, we recommend you select the most recent version of Web Deploy with bundled SQL support. At the time this was written, 3.5 was the latest version, so in that case you would click Add on "Web Deploy 3.5 with bundled SQL support." WPI will install everything you need.
Configure Windows Authentication
After adding Windows Authentication to the Windows Server configuration, you must further configure the IIS Manager to permit this. The steps to allow single sign on are the same for both Windows Server 2008 and 2012:
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager)
- In the Management section, select Feature Delegation
- Change the Authentication - Windows setting to Read/Write
- From the main window, click Authentication.
- Right click on Windows Authentication and select Enable (if not already enabled)
Adding an Application Pool
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager).
- Click View Application Pools to display existing pools.
- Click Add Application Pool.
- Give the Application Pool a name (something like "MDS"). It is appropriate to accept the remaining default options.
Adding a website
- Download the latest package ZIP file from PKWARE to your server. Note: Do not extract the contents of the ZIP archive.
- In IIS Manager, go to Sites.
- Click Add Website. Name it PK Endpoint Manager. The Add Website dialog will open.
- Choose a Site name. This can be the same as the Application Pool.
- Use the Select button to make sure you select the application pool you created in the previous section.
- Define the physical path to the content directory.
- (Optional) Select a host name for the site. If you give the website a host name, make sure your domain has proper routing for the host defined in DNS. If you are accessing PK Endpoint Manager from outside your internal network domain, you also need to create a public DNS entry. Make sure that the DNS entry points to one or more defined IP addresses (an A Record). PK Endpoint Manager needs a fully qualified domain name to authenticate agents.
- Click OK to complete this step and add the website.
Configuring the website for SSL
The PK Endpoint Manager requires an SSL connection to protect data being posted to the server. We need to add a binding to enable SSL for this website.
- Highlight the website you created in the earlier section. Select Bindings from the Edit Site options on the right.
- The Add Site Binding screen appears. Select https from the Type: dropdown menu.
- Click Select to choose the SSL Certificate to use for this site.
Verify SSL is working properly!
Verify the site is working properly by pointing your browser to https://<server>/ – you should see the IIS Welcome Page.
Verify the certificate is trusted on your other devices!
If you are using a self-signed certificate, this will require additional steps. Learn how to trust any certificate here.
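A client-side check for the DNS and certificate requirements above (the A record and fully qualified name agents need, the "Verify SSL is working" step, and the self-signed certificate problem noted under Troubleshooting), added here as an example and not taken from PKWARE. The host name, domain and application path are placeholders; the script assumes the DnsClient module (Resolve-DnsName) available on Windows Server 2012 and later.

```powershell
# Added example (not PKWARE's): see what a client will see before handing out the
# Manager URL: A records for the site and the optional pkwareops discovery name,
# then the certificate the server actually presents on port 443.
$HostName = 'pkem.example.com'   # placeholder: host name bound in IIS
$Domain   = 'example.com'        # placeholder: domain for the pkwareops.[domain.ext] record
$AppPath  = 'mds'                # Application Name chosen during installation
$Port     = 443

# 1. DNS: agents need a fully qualified name that resolves to an A record.
foreach ($name in @($HostName, "pkwareops.$Domain")) {
    $a = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.QueryType -eq 'A' }
    if ($a) { "{0,-40} A -> {1}" -f $name, ($a.IPAddress -join ', ') }
    else    { Write-Warning "$name has no A record (DNS or hosts file entry still required)" }
}

# 2. TLS: handshake as a browser would (SNI = host name), accept any certificate for
#    the handshake only, then validate chain and name ourselves so a self-signed
#    certificate is reported rather than hidden behind a connection error.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($HostName)
    $remote  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $trusted = Test-Certificate -Cert $remote -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Protocol   = $ssl.SslProtocol
        Subject    = $remote.Subject
        Issuer     = $remote.Issuer
        NotAfter   = $remote.NotAfter
        Thumbprint = $remote.Thumbprint
        SelfSigned = ($remote.Subject -eq $remote.Issuer)   # the script's default certificate looks like this
        TrustedForHost = [bool]$trusted                      # false = iOS/mobile clients will refuse it
    } | Format-List
} finally { $ssl.Dispose(); $tcp.Close() }

# 3. Application reachable? The Manager path, not just the IIS welcome page.
#    Windows Authentication is enabled on the application, so send default credentials.
try {
    $r = Invoke-WebRequest -Uri "https://$HostName/$AppPath/" -Method Head -UseDefaultCredentials -UseBasicParsing
    "https://$HostName/$AppPath/ -> HTTP $($r.StatusCode)"
} catch { Write-Warning "https://$HostName/$AppPath/ failed: $($_.Exception.Message)" }
```

Step 3 fails on an untrusted certificate as well, which is the same outcome a mobile client gets; fix the certificate first, then re-run.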
Installing PK Endpoint Manager
Now that the prerequisites are fulfilled, we are ready to install the PK Endpoint Manager.
Note: The next section assumes you have a .ZIP file containing the PK Endpoint Manager deployment package.
Importing the .ZIP file containing the PK Endpoint Manager web application with Web Deploy
- Highlight the website created above
- In the Action menu on the right side of the screen, select Import Application from the Deploy section
- Web Deploy will launch and ask you to select the PK Endpoint Manager .ZIP file. Browse to the directory where the PK Protect package is located, select the ZIP, and click Next
- Web Deploy will scan the ZIP package contents and display them. Review the contents of the package, and click Next to confirm
- Web Deploy will prompt for some application configuration options on the Enter Application Package Information page:
- Set the Application Path to "mds" without the quotes. This is the name of the web application. This name will appear in the URL you will use to access the Manager.
- Set the PK Endpoint Manager Server Password. This password is used to encrypt your encryption keys. It should be securely backed up and not shared with PKWARE.
- Define a root administrator account for the PK Endpoint Manager. This can be a domain account or a local account.
- Domain Account: set a username (AD SysAdmin) only and leave the next two fields blank.
- Local Account: set a username (Local SysAdmin) and a password (Local SysAdmin Password) and leave the AD SysAdmin field blank.
- Set the parameters of the connection string with the information from your database administrator. These values connect PK Endpoint Manager to the database you initially set up:
- datasource: The database server name or IP
- initial catalog: The name of the database to be used by the PK Endpoint Manager
- dbuser: The database server username
- dbpassword: The database user password
- Click Next to install PK Endpoint Manager via Web Deploy
Creating the PK Protect database schema
Now that the web application is set up and deployed with SSL configured, the last item we need to complete is populating the PK Protect database with the initial schema. PK Protect comes with a tool to complete this task for you called SmartcryptDB.exe. From the application server running IIS:
- Open a command window (cmd).
- Change directory to the location you installed the website to (above) and look for the bin directory.
- Now execute SmartcryptDB.exe.
- The tool should run and set up the required schema for the version of the PK Endpoint Manager you have.
Make sure your Application Pool is started and your website is started in IIS. Next, point your browser to https://<server>/<ApplicationPath>/SuperUser to login with the System Administrator credentials (Active Directory or Local) and start using PK Protect.