SCCM PKI Client on Workgroup Computers: Part 1
Recently, I was asked to install the SCCM client on a workgroup computer, meaning that the computer was not a member of the domain. This is easy enough if you do not have PKI and HTTPS communication. If you run HTTP communication, you just it install it manually with the right parameters and links up with SCCM.
If you have PKI and HTTPS, and more importantly, if you want to manage the computer on the Internet, there are several extra steps that you must take. The client still requires a certificate from your CA, even though it is not on your domain. If the machine is on the domain, domain communication takes care of the certificates for you. If you not, then everything must be done by hand, from generating a certificate to install it on the machine, to actually installing the client.
This is part one of a two part series on getting workgroup computer into your SCCM HTTPS infrastructure. This part will focus on a few administrative tasks, as well as getting your CA configured to issue the proper certificate.
Things to Keep in Mind
One thing to keep in mind when doing this are boundary groups. The machine that you add must be in a SCCM boundary group. You will have to determine the best way to accomplish this for your organization.
Next, you must have at least one HTTPS management point and distribution point available to the client. BOTH of these must be HTTPS. I recommend for Internet facing clients that this be the same server. This box should also be different from your on premise management point and distribution point. It is not recommended that the same management point and distribution point server both internal and external clients.
One thing you will notice, as I did, is that if you do NOT have a HTTPS distribution point, it will take your client roughly four hours to install, and will see errors in the logs about not being able to find a distribution point. It takes four hours because ccmsetup.exe will try to find a DP for that long before reverting to getting it from your assigned management point. This is very good indicator as to whether or not your infrastructure is configured correctly. Learn from me – I thought I had my DP set as HTTPS, but didn’t realize it until AFTER I waited the four hours and then tried to install some software.
Create Workgroup Certificate Template
Steps:
- From a computer running the certificate authority console, right click Certificate Templates.
- Right-click “Workstation Authentication” for the Template Display Name column, and select “Duplicate Template”.
- In the template window, make sure that “Windows 2003 Server, Enterprise Edition” is selected. This will not work with any other template. Click OK.
- In the properties dialog box, give the template a name, such as “SCCM Workgroup Certificate”.
- Click the Subject Name tab, and select “Supply in the request”.
- Click the Request Handling tab to be sure that “Allow private key to be exported” is checked. Click OK.
- From the console, right-click “Certificate Templates” and select “New”.
- Click “Certificate Template to Issue”.
- From the “Enable Certificate Templates” box, select your new template and click OK.
You now have your certificate template. You can close the certificate authority.
Come back next week for requesting the certificate and installing the client.
