SCCM 2012 R2 – OS Deployment with PKI (HTTPS)

More and more organizations are implementing Configuration Manager with PKI (HTTPS) enabled. Recently, I worked with a customer who planned to do just that.

Initially we set up the site without any certificates installed because the PKI Implementation within the domain was not yet completed. Once it was complete, we changed the site and client communication to be HTTPS only. This presented us with issues in regard to Operating System Deployment.

Once the mode was changed, none of our boot disks or Task Sequences would work. After we finished scratching our head, reading blogs, and flipping through TechNet doc and articles we were able to get it working again.

Here are the steps that we went through to get OSD back up and running again…assuming that your site is already in HTTPS and you have a healthy/ functional PKI environment.

  1. Create a ConfigMgr Workgroup Client Certificate.
  2. Request the ConfigMgr Workgroup Client Certificate from the Certificate Authority.
  3. Export the ConfigMgr Workgroup Client Certificate.
  4. Modify the MDT Toolkit Package so that our new certificate is available when building the image and deploying it.
    • Alternatively you could create a new package that contains the exported certificate and the answer file created in step 5 below.
  5. Create a new answer file for our OS Installation Package used in our Build task sequence.
  6. Create a package for the new answer file.
  7. Modified our Build task sequence to include the answer file and tell the ConfigMgr Client Package to install for PKI.
  8. Recreate our Boot disk ISO to include the exported certificate.
  9. Build and Capture our new OS Image.

Create the ConfigMgr Workgroup Client Certificate

These are modified steps from TechNet for “Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority

  1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
  4. In the Properties of New Template dialog box, on the General tab, enter a template name that will be used, such as ConfigMgr Workgroup Client Certificate.
  5. Click the Request Handling tab, ensure that “Allow private key to be exported” is checked.
  6. Click the Subject Name tab, select “Supply in the request” at the top.
  7. Click OK and close Certificate Templates Console.
  8. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  9. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Workgroup Client Certificate, and then click OK.
  10. Close Certification Authority.

Request the ConfigMgr Workgroup Client Certificate from the Certificate Authority

These steps can be performed from any domain joined system including the Certificate Authority.

  1. Launch Microsoft Management Console (MMC) by opening a run dialog, type MMC then click OK.
  2. Click FILE -> ADD/REMOVE SNAP-IN to open the “Add or Remove Snap-ins” dialog.
  3. Choose “Certificates” from the list of available snap-ins, then click the button labeled “Add >”.
  4. When prompted, select “Computer Account” and click Next.
  5. Select “Local Computer: (the computer this console is running on)”, then click Finish.
  6. Click OK to close the “Add or Remove Snap-ins” dialog.
  7. Expand “Certificates (Local Computer)” -> Personal, and click on “Certificates”
  8. Right-click on “Certificates” and choose All Tasks -> Request New Certificate from the menu.
  9. In the Certificate Enrollment wizard that opens, click Next.
  10. Select Active Directory Enrollment Policy, then click Next.
  11. Check the box for ConfigMgr Workgroup Client Certificate that was created earlier, then click the link below it that says “More information is required…”
  12. Under Subject name, choose Common name as the type and enter Workgroup PKI as the value, then click the button labeled “Add >” and click OK.
  13. Click Enroll. If done correctly, you should see a “STATUS: Succeeded” in the results dialog.
  14. Click Finish

Export the ConfigMgr Workgroup Client Certificate

  1. The “Workgroup PKI” certificate should now show in the certificate console under Personal -> Certificates.
  2. Right-click on the “Workgroup PKI” certificate and choose “All Tasks” -> “Export…” from the menu.
  3. In the Certificate Export Wizard, click Next on the welcome screen.
  4. Select “Yes, export the private key”, then click Next.
  5. Select Personal Information Exchange – PCKS #12 (.PFX), and ensure that “Include all certificates in the certification path if possible” AND “Export all extended properties” are checked, then click Next.
  6. Type in a password and confirm it in the boxes provided on the Password screen, then click Next. (Save this password for later use)
  7. Browse for a location to export the certificate to. Make sure that it is somewhere accessible from SCCM, give it a name (ex. – WorkgroupPKI.pfx) and click Save.
  8. Click Next on the File to Export dialog.
  9. Click Finish on the completion dialog.

Modify the MDT Toolkit Package

  1. Open windows explorer and locate the certificate file that you just exported.
  2. Copy the file to the Scripts folder within your MDT Toolkit Package.
  3. Open the Configuration Manager Console and locate the MDT Toolkit Package.
  4. Update the Distribution Point(s) for the package.

Create Answer File

  1. Open the Windows System Image Manager on a computer that has the Windows Automated Installation Kit (WAIK) installed.
  2. Create a new answer file by clicking the icon in the upper left corner , clicking “FILE” -> “New Answer File…”, or by pressing CTRL+N on the keyboard.
  3. Under “Windows Image”, right-click on “Select a Windows Image or Catalog File” and choose Select Windows Image.
  4. Browse to your Operating System Installation Media, and choose the catalog file (.clg) for the desired OS you are trying to deploy, then click “Open”. The CLG file is usually located on the installation media in the Sources directory. (EX – for Windows 7 Enterprise the file name is “install_Windows 7 ENTERPRISE.clg”)
  5. Expand Components.
  6. Locate the appropriate Microsoft-Windows-Deployment-<version>-neutral component for the desired architecture. (for Windows 7 Enterprise 64bit, the component is – amd64_Microsoft-Windows-Deployment_6.1.7600.16385_neutral)
  7. Expand Microsoft-Windows-Deployment -> RunSynchronous.
  8. Right-click on RunSynchronousCommand and choose “Add Setting to Pass 4 specialize”
  9. In the Answer File section, click on “RunSynchronousCommand” to highlight it.
  10. For the properties of “RunSynchronousCommand”, enter the following:
    • Description: Import Workgroup Certificate
    • Order: 5
    • Path: cmd.exe /c certutil –f –p <password> -importpfx <drive>:\_SMSTaskSequence\Packages\<PackageID>\Scripts\<nameofcertificate>.pfx
      • <password> = The password set on the certificate when it was exported.
      • <drive> = The system drive where the Operating System will be installed. This is usually drive C.
      • <nameofcertificate> = The name of the certificate file that was exported earlier.
  11. Richt-click “Credentials” below “RunSynchronousCommand” and choose delete.
  12. Click File -> Save Answer File As, then browse to a location easily accessible by the Configuration Manager Server.
  13. Name the answer file “Unattend.xml” and then click Save.

Create Answer File Package

  1. Open the Configuration Manager Console and navigate to Software Library -> Application Management -> Packages.
  2. Create a new Package called “OSD – Windows 7 Enterprise 64bit Answer File”
  3. Check the box for “This package contains source files”.
  4. Browse to the location where the new answer file was saved. (Ensure that you use the UNC path and not a local volume path when creating packages in Configuration Manager)
  5. Click next
  6. For Program Type, select “Do not create a program”, then click next.
  7. Click next on the Summary screen, then click close on the Completion screen.
  8. Right-click on the package you’ve just created and distribute the content.

Modify the Task Sequence

  1. Open the Configuration Manager Console and navigate to Software Library -> Operating Systems -> Task Sequences.
  2. Select the task sequence used for Build and Capture of your operating system image.
  3. Right-click on the task sequence and choose Edit.
  4. Select the step called Partition Disk 0
  5. Add a Use Toolkit Package step by clicking Add -> MDT -> Use Toolkit Package
  6. Browse for and choose your MDT Toolkit package from the available packages.
  7. Select the step called Apply Operating System
  8. Ensure that the box is checked for “Use an unattended or Sysprep answer file for a custom installation”
  9. Browse for the answer file package we just created.
  10. For the File Name, enter the name given to the answer file created earlier. (unattend.xml)
  11. Click on the Apply Device Drivers step, then click Add -> MDT -> Use Toolkit Package
  12. Browse for and choose your MDT Toolkit package from the available packages.
  13. Click on the step called Setup Windows and Configuration Manager
  14. In the area provided for “Installation Properties”, enter the following:
    • /UsePKICert /NoCRLCheck /MP:<FQDN> DNSSUFFIX=<DOMAIN> CCMHTTPSSTATE=31
      • <FQDN> = Fully Qualified Domain Name of your Configuration Manager Management Point Server
      • <DOMAIN> = Name of the domain where the SCCM Management Point Server resides. (EX – ADVENTURESINSYSCTR.NET)
  15. Click Apply to save the changes to the Task Sequence.
  16. Click OK to close the Task Sequence.

Recreate Boot ISO

  1. Open the Configuration Manager Console and navigate to Software Library -> Operating Systems -> Task Sequences.
  2. Right-Click on Task Sequences and choose “Create Task Sequence Media” from the menu.
  3. Select “Bootable Media” as the media type and then click next.
  4. On the next screen, choose the option that works best within your environment. For this example, I chose Dynamic Media.
  5. The next screen is the media type screen. If you have access to the local USB ports where you are running the wizard from, you can choose USB Flash Drive. I personally like to use CD/DVD Set, this gives me the option of using the ISO that is created to make several USB boot drives if I need to.
    • For this blog post, I’ve chosen CD/DVD Set. Once selected, browse for a location to place the ISO (CD Image) file to be created, give it a name with the .iso extension and click next.
  6. On the Security Settings screen, set a password if you wish, or you can uncheck the box for “Protect media with a password”.
  7. Ensure that Import PKI Certificate is selected, then browse to the location where the “Workgroup PKI” certificate was exported.
  8. Select the certificate, then type in the password in the space provided and click next.
    • If you’ve already used the certificate on another boot disk, you will get a prompt telling you that the certificate is already in use. Click yes to use the certificate again, or you can go back and request a new one from the CA and export it again.
  9. On the next screen, choose your boot image to use, the distribution point and the desired management point. Then click next.
  10. Do not enter any customizations at this time. If you wish, you can create another boot disk and customize that one. Simply click next here.
  11. Click next on the summary screen to begin creation of the USB or ISO image.
  12. Once completed, you will have a boot disk to use for build and capture (and deployment) of your image. Click Close on the completion screen.

Build and Capture the Image

Using a Virtual Machine, mount the ISO image that we just created and boot from it. If you’ve deployed the Build and Capture task sequence to the “All Unknown Computers” collection, you should have the task sequence available.

Advertisements

Windows 7: Allow Domain logon using biometrics (Fingerprint reader)

More and more laptops are sold these days with fingerprint readers as “standard equipment”. With that, comes the end user request (sometimes requirement) of being able to logon using the swipe of their finger.

By default, only local logon is allowed in Windows 7. There are a few ways to enable domain logon using biometrics, I will cover two of them here.

  1. Biometrics settings within the control panel
  2. Domain Policy (GPO)

Control Panel

To enable biometric (fingerprint) logon through the Windows 7 control panel, do the following.

  1. Navigate to:
    START > CONTROL PANEL
  2. Once in the Control Panel, open the “Biometric Devices” applet.
  3. On the left side of the applet window, click  “Change biometric settings”
  4. Ensure that the “Biometrics on” radio button is selected, then check both boxes below it.

Domain Policy (GPO)

To enable biometric logon in Domain Policy (GPO) for Windows 7 (this will work for Windows XP as well):

  1. Open the Group Policy Editor on your admin workstation or server where you manage group policies from.
  2. Create a new policy.
  3. Navigate to COMPUTER CONFIGURATION > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > BIOMETRICS
  4. Set the following policies to “Enabled”
    1. Allow the use of biometrics
    2. Allow users to log on using biometrics
    3. Allow domain users to log on using biometrics
  5. Link the policy to the appropriate/ desired OU where computers with biometric devices exist.

Enjoy!