How to install a ConfigMgr Client on a WORKGROUP computer, when the ConfigMgr Site is in Native Mode.

NativeModeWorkgroup To install a ConfigMgr Client on a WORKGROUP computer is always a nice battle, when the ConfigMgr Site is in Native Mode. I think I am not the only one who didn’t work that much with certificates before ConfigMgr. So to make the basics of this process for everyone a bit easier I wrote down these seven steps for implementing the correct certificates and installing the ConfigMgr Client on a WORKGROUP client. These same steps can also be used for separate forests.

Step 1. Export the Root Certificate for use on the WORKGROUP computer

  1. Logon to the Certification Authority server and create a folder to contain your certificate files (eg C:\Certificates).
  2. Open a command prompt and go to the just created folder.
  3. Use the following command to export the Root Certificate: certutil -ca.cert RootCertificate.cer

 

Step 2. Create a Certificate Template for the WORKGROUP computer

  1. Open the Certification Authority Console, right-click Certificate Templates, and click Manage to load the Certificates Templates console.
  2. Select Windows Server 2003 Enterprise and click Ok.
  3. Right-click the Workstation Authentication template and click Duplicate Template.
  4. In the Properties of New Template dialog box, type the name for Template display name. As my normal Client Certificate Template is named ConfigMgr Client Certificate, I will name this one ConfigMgr Client Certificate for Export.
  5. Click the Request Handling tab and select Allow private key to be exported.
  6. Click the Subject Name tab, select Supply in the request.  This allows you to supply each FQDN of the client in the separate WORKGROUP at the time you request the certificate.
  7. Click OK to close the Properties of New Template and close the Certificates Template Console.
  8. In the Certification Authority Console, right-click Certificate Templates, click New, click Certificate Template to Issue, select the certificate template name you just created (eg ConfigMgr Client Certificate for Export), and then click OK.

 

Step 3. Request and Install the Client Certificate for the WORKGROUP computer

  1. Open a text editor and copy and paste the following text into the file (replace< FQDN> with the fully qualified domain name of the server that has to use this certificate):

    [NewRequest]
    Subject = "CN=<FQDN>"
    MachineKeySet = True
    Exportable = TRUE
    KeyLength = 2048
    [RequestAttributes]
    CertificateTemplate = ConfigMgrClientCertificateforExport

  2. Save the file as ConfigMgrClientCertificate.inf in the folder created in Step 1.
  3. Open a command prompt and go to the same folder as the saved file.
  4. Use the following command to create a certificate request: certreq –new ConfigMgrClientCertificate.inf ConfigMgrClientCertificate.req
  5. Use the following command to submit the certificate request: certreq –submit ConfigMgrClientCertificate.req ConfigMgrClientCertificate.cer
  6. In the Select Certification Authority dialog box, select the CA, and then click OK.
  7. Use the following command to accept the requested certificate: certreq –accept ConfigMgrClientCertificate.cer

 

Step 4. Export the Client Certificate for the WORKGROUP computer

  1. Open the Certificates Console for the local computer, right-click the certificate that is issued to <FQDN>, click All Tasks, and then click Export to launch the Certificate Export Wizard.
  2. On the Welcome page, click Next.
  3. On the Export Private Key page select Yes, export the private key and click Next.
  4. On the Export File Format page confirm that Personal Information Exchange – PKCS #12 (.PFX) is selected and click Next.
  5. On the Password page specify a password and click Next.
  6. On the File to Export page specify the path and name of the file and click Next.
  7. On the Summary page click Finish and click OK to close the confirmation popup.

 

Step 5. Import the Root Certificate in the WORKGROUP computer

  1. On the computer in the WORKGROUP, open the Certificates Console for the local computer and navigate to Trusted Root Certification Authorities\Certificates.
  2. Right-click Certificates select All Tasks and click Import to load the Certificate Import Wizard.
  3. On the Welcome page click Next.
  4. On the File to Import page click Browse and select the root certificate file that you created. After that click Open and then click Next.
  5. On the Certificate Store page click Next.
  6. Click Finish to close the wizard and click OK to close the confirmation popup.

 

Step 6. Import the Client Certificate in the WORKGROUP computer

  1. Open the Certificates Console for the local computer and this time navigate to Personal\Certificates.
  2. Right-click Certificates select All Tasks and click Import to load the Certificate Import Wizard.
  3. On the Welcome page click Next.
  4. On the File to Import page click Browse and select the exported certificate file that you created. Next click Open and then click Next.
  5. On the Password page type the password that you specified earlier and then click Next.
  6. On the Certificate Store page click Next.
  7. Click Finish to close the wizard and click OK to close the confirmation popup.

 

To confirm that the certificates got imported well, navigate to Personal\Certificates and select the certificate that is issued to <FQDN>. Double-click the certificate and click the Certificate Path tab, this checks that the certificate successfully chains to the issuing root CA certificate.  You should see the certificate and the root CA certificate, with the Certificate status displaying This certificate is OK.  Click OK to close the certificate properties.

Step 7. Install the ConfigMgr Client on the WORKGROUP computer

  1. Open a command prompt and go to the location of the ccmsetup.exe.
  2. Use the following, or similar, command to install the ConfigMgr Client: ccmsetup.exe  /Native:FALLBACK SMSSITECODE=<SiteCode> SMSSLP=<SLP>

 

Reminder: Don’t forget to add a Boundary to your ConfigMgr Site that includes the WORKGROUP computer.

Share

Prepare ConfigMgr Client for Capture doesn’t remove the AllowedRootCAHashCode value

In the most situations it doesn’t matter that the AllowedRootCAHashCode value doesn’t get removed during a Capture of the client, but there is one situation where it does matter. This one situation is when there has to be one image for multiple domains and every domain has its own issuing CA’s. This situation is a problem because the client stores a copy of the Root Certificate in the AllowedRootCAHashCode key. Because it contains the wrong value for the Root Certificate the client isn’t able to get a new Site Signing Certificate (which is also stored in the registry), so the client isn’t able to check the policies.

As workaround for this I created a Task Sequence step (in the install Task Sequence) to delete the HKLM\SOFTWARE\Microsoft\CCM\Security\AllowedRootCAHashCode.

Another workaround (which is probably a bit easier) can be found at the ConfigMgr Technet forum (http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/3ac574ca-c562-4a44-92da-5c640a71c3c6) where I posted this situation. The workaround posted here is to create a Task Sequence step (in the Build and Capture Task Sequence) to delete the whole HKLM\SOFTWARE\Microsoft\CCM\Security\ key.

More information about the Task Sequence Step Prepare ConfigMgr Client for Capture: http://technet.microsoft.com/en-us/library/bb633049.aspx
More information about Renewing or Changing the Site Signing Certificate: http://technet.microsoft.com/en-us/library/bb633098.aspx

Share

Certificates needed for Native Mode

The biggest problem, for me, with Native Mode were all the certificates that were needed. That’s why I created an table for myself with the basic certificates that are needed for Native Mode and where to add them. The “Where to add” column is based on Windows Server 2008.

ConfigMgr Component Use Where to add
Primary Site Server Document Signing ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode
Management Point, Proxy Management Point, Distribution Point, Software Update Point en (State Migration Point) Server Authentication (Web Server Template) IIS > -Right-click- Sites > Edit Bindings > HTTPS -Edit-
Client computers Client Authentication (Computer Template) GPO > Policies > Computer Configuration > Windows Settings > Security Settings > Public Key Policies > -Right-click- Certificate Services Client –Auto-enrollment
Operating System Deployment/PXE Client Authentication (Workstation Template) Don’t forget the option: Allow Private Key to be exported ConfigMgr > Site Management > Site Database > Primary Site > Site Settings > Site Systems > Properties ConfigMgr PXE Service Point > Tab Database
Root CA for OSD Root ConfigMgr > Site Management > Site Database > Properties Primary Site > Tab Site Mode > Specify Root CA Certificates…

 

For more detailed information: http://technet.microsoft.com/en-us/library/bb680733.aspx

Share