How to install a ConfigMgr Client on a WORKGROUP computer, when the ConfigMgr Site is in Native Mode.

NativeModeWorkgroup To install a ConfigMgr Client on a WORKGROUP computer is always a nice battle, when the ConfigMgr Site is in Native Mode. I think I am not the only one who didn’t work that much with certificates before ConfigMgr. So to make the basics of this process for everyone a bit easier I wrote down these seven steps for implementing the correct certificates and installing the ConfigMgr Client on a WORKGROUP client. These same steps can also be used for separate forests.

Step 1. Export the Root Certificate for use on the WORKGROUP computer

  1. Logon to the Certification Authority server and create a folder to contain your certificate files (eg C:\Certificates).
  2. Open a command prompt and go to the just created folder.
  3. Use the following command to export the Root Certificate: certutil -ca.cert RootCertificate.cer

 

Step 2. Create a Certificate Template for the WORKGROUP computer

  1. Open the Certification Authority Console, right-click Certificate Templates, and click Manage to load the Certificates Templates console.
  2. Select Windows Server 2003 Enterprise and click Ok.
  3. Right-click the Workstation Authentication template and click Duplicate Template.
  4. In the Properties of New Template dialog box, type the name for Template display name. As my normal Client Certificate Template is named ConfigMgr Client Certificate, I will name this one ConfigMgr Client Certificate for Export.
  5. Click the Request Handling tab and select Allow private key to be exported.
  6. Click the Subject Name tab, select Supply in the request.  This allows you to supply each FQDN of the client in the separate WORKGROUP at the time you request the certificate.
  7. Click OK to close the Properties of New Template and close the Certificates Template Console.
  8. In the Certification Authority Console, right-click Certificate Templates, click New, click Certificate Template to Issue, select the certificate template name you just created (eg ConfigMgr Client Certificate for Export), and then click OK.

 

Step 3. Request and Install the Client Certificate for the WORKGROUP computer

  1. Open a text editor and copy and paste the following text into the file (replace< FQDN> with the fully qualified domain name of the server that has to use this certificate):

    [NewRequest]
    Subject = "CN=<FQDN>"
    MachineKeySet = True
    Exportable = TRUE
    KeyLength = 2048
    [RequestAttributes]
    CertificateTemplate = ConfigMgrClientCertificateforExport

  2. Save the file as ConfigMgrClientCertificate.inf in the folder created in Step 1.
  3. Open a command prompt and go to the same folder as the saved file.
  4. Use the following command to create a certificate request: certreq –new ConfigMgrClientCertificate.inf ConfigMgrClientCertificate.req
  5. Use the following command to submit the certificate request: certreq –submit ConfigMgrClientCertificate.req ConfigMgrClientCertificate.cer
  6. In the Select Certification Authority dialog box, select the CA, and then click OK.
  7. Use the following command to accept the requested certificate: certreq –accept ConfigMgrClientCertificate.cer

 

Step 4. Export the Client Certificate for the WORKGROUP computer

  1. Open the Certificates Console for the local computer, right-click the certificate that is issued to <FQDN>, click All Tasks, and then click Export to launch the Certificate Export Wizard.
  2. On the Welcome page, click Next.
  3. On the Export Private Key page select Yes, export the private key and click Next.
  4. On the Export File Format page confirm that Personal Information Exchange – PKCS #12 (.PFX) is selected and click Next.
  5. On the Password page specify a password and click Next.
  6. On the File to Export page specify the path and name of the file and click Next.
  7. On the Summary page click Finish and click OK to close the confirmation popup.

 

Step 5. Import the Root Certificate in the WORKGROUP computer

  1. On the computer in the WORKGROUP, open the Certificates Console for the local computer and navigate to Trusted Root Certification Authorities\Certificates.
  2. Right-click Certificates select All Tasks and click Import to load the Certificate Import Wizard.
  3. On the Welcome page click Next.
  4. On the File to Import page click Browse and select the root certificate file that you created. After that click Open and then click Next.
  5. On the Certificate Store page click Next.
  6. Click Finish to close the wizard and click OK to close the confirmation popup.

 

Step 6. Import the Client Certificate in the WORKGROUP computer

  1. Open the Certificates Console for the local computer and this time navigate to Personal\Certificates.
  2. Right-click Certificates select All Tasks and click Import to load the Certificate Import Wizard.
  3. On the Welcome page click Next.
  4. On the File to Import page click Browse and select the exported certificate file that you created. Next click Open and then click Next.
  5. On the Password page type the password that you specified earlier and then click Next.
  6. On the Certificate Store page click Next.
  7. Click Finish to close the wizard and click OK to close the confirmation popup.

 

To confirm that the certificates got imported well, navigate to Personal\Certificates and select the certificate that is issued to <FQDN>. Double-click the certificate and click the Certificate Path tab, this checks that the certificate successfully chains to the issuing root CA certificate.  You should see the certificate and the root CA certificate, with the Certificate status displaying This certificate is OK.  Click OK to close the certificate properties.

Step 7. Install the ConfigMgr Client on the WORKGROUP computer

  1. Open a command prompt and go to the location of the ccmsetup.exe.
  2. Use the following, or similar, command to install the ConfigMgr Client: ccmsetup.exe  /Native:FALLBACK SMSSITECODE=<SiteCode> SMSSLP=<SLP>

 

Reminder: Don’t forget to add a Boundary to your ConfigMgr Site that includes the WORKGROUP computer.