SCCM 2012 : Configure your Clients for internet and workgroup clients

  1. SCCM 2012 : Server Authentication Certificate Templates 
  2. SCCM 2012 : Client Authentication Certificate Templates
  3. SCCM 2012 : Deploying Server Authentication Certificate
  4. SCCM 2012 : Configure your Clients for internet and workgroup clients

Adding Client Certificate through AD Group Policy

Once you have completed Tasks 1-3, you are ready to configure your environment for internet/workgroup clients. Each computer needs to have a certificate issued and installed. If these are domain-joined computers, you can use auto-enrollment through AD Group Policy.

1. On a computer with the RSAT (Remote Server Administration Tools) installed, or on a Domain Controller, open the Group Policy Management Console.

2. Now you can either use an existing GPO or create a new one and link it to an OU that contains your internet clients. For our purposes we will create a GPO and link it to our Workstations OU. Right-click the Workstations OU and select "Create a GPO in this domain, and Link it here...".

3. Give it a name.

4. Now expand the Workstations OU (or whatever yours is named), right-click your newly created GPO and select Edit.

5. Under Computer Configuration, go to "Policies→Windows Settings→Security Settings→Public Key Policies", right-click "Certificate Services Client - Auto-Enrollment" and select Properties.

6. Under Properties set the Configuration Model to Enabled, check "Renew expired certificates, update pending certificates, and remove revoked certificates" and check "Update certificates that use certificate templates".

7. Close all GPO MMCs.

8. Install the client using the AD auto-enrolled certificate:

Now we need to install the client with that certificate. Copy the client install files from "\\<PrimarySiteServer>\SMS_ITH\Client" to the local computer. Create a text file named "internetsetup.bat" in that folder, paste the following script into it, and modify the values the Rem lines describe (highlighted in the original post) according to your environment:

Rem   Use your internet-facing SCCM server for all of the sccmServer.domain.com values below
Rem   Replace ABC in SMSSITECODE with your environment's 3-character site code
Rem   If the computer will be internet/workgroup only, set CCMALWAYSINF=1
Rem   If the computer is a domain computer that will sometimes be on the internal network and sometimes on the internet, set CCMALWAYSINF=0
"%~dp0Setup\ccmsetup.exe" /usePKICert /NoCRLCheck mp=https://sccmServer.domain.com FSP=sccmServer.domain.com DNSSUFFIX=domain.com SMSSITECODE=ABC CCMALWAYSINF=1 CCMFIRSTCERT=1 CCMHOSTNAME=sccmServer.domain.com

Make Certificate from a Script

I have written the following script to create a certificate from a batch file. You run it on a domain-joined computer while logged in as a domain admin, by right-clicking the batch file and choosing "Run as administrator".

1. In the "\\<PrimarySiteServer>\SMS_ITH\Client" folder, do steps 2-5.

2. Create a text file and name it "CreateCert.bat".

3. Edit the "CreateCert.bat" file with Notepad.

4. Copy the following text into it. Change the placeholder values (highlighted in the original post) to match your environment; the REM line above each one explains what to put there:

@echo off
setlocal enabledelayedexpansion
echo Type the NetBIOS name of the computer
set /p input1=:
rem Trim leading and trailing spaces from the name that was typed
for /f "tokens=* delims= " %%c in ("%input1%") do set input1=%%c
for /l %%a in (1,1,100) do if "!input1:~-1!"==" " set input1=!input1:~0,-1!
echo %input1%
Rem Change "domain.com" in the following line to your internal AD DNS domain name
set input=%input1%.domain.com
echo %input%
rem Create an INF request file with the specified subject name, next to this batch file
echo Generating *.inf file for certificate request for server %input%
REM Change ConfigurationManagerClientTemplate below to the name of the Certificate Template you created. Remember to use the template name, NOT the display name.
echo ;-----ConfigurationManagerClientTemplate.inf----- > "%~dp0%input%.inf"
echo [NewRequest] >> "%~dp0%input%.inf"
echo Subject="cn=%input%" >> "%~dp0%input%.inf"
echo Exportable=TRUE >> "%~dp0%input%.inf"
echo KeyLength=2048 >> "%~dp0%input%.inf"
echo KeySpec=1 ;key exchange >> "%~dp0%input%.inf"
echo KeyUsage=0xA0 >> "%~dp0%input%.inf"
echo MachineKeySet=TRUE >> "%~dp0%input%.inf"
echo [RequestAttributes] >> "%~dp0%input%.inf"
REM Change ConfigurationManagerClientTemplate below to the name of the Certificate Template you created. Remember to use the template name, NOT the display name.
echo CertificateTemplate="ConfigurationManagerClientTemplate" ; this is for Client Authentication >> "%~dp0%input%.inf"
echo SAN="DNS=%input%" >> "%~dp0%input%.inf"
rem Create a binary request file from the INF
echo Generating certificate request for server %input%
CertReq -new -f "%~dp0%input%.inf" "%~dp0%input%.req"
echo Retrieving certificate for server %input%...
REM In the next line change CAServerFQDN to the FQDN of the CA server (server.domain.com) and CAName to the name of the CA (the default is Domain-Servername-CA; you can get this in your CA Console)
rem The issued certificate is saved under the NetBIOS name (%input1%), which is what internetsetup.bat expects as %computername%.cer
CertReq -Submit -q -f -config "CAServerFQDN\CAName" "%~dp0%input%.req" "%~dp0%input1%.cer"
Echo Importing certificate into Local Computer Store...
certreq -accept "%~dp0%input1%.cer"
Echo Exporting certificate with private key...
certutil -f -p SCCMPassword -exportpfx %input% "%~dp0%input1%.pfx"
Echo Cleaning up....
certutil -delstore "MY" %input%
del "%~dp0%input%.req" /q
del "%~dp0%input%.inf" /q
echo Certificate generation for server %input% complete
endlocal

Now we need to install the client with this certificate. Copy the client install files from "\\<PrimarySiteServer>\SMS_ITH\Client" to the local computer. Create a text file named "internetsetup.bat" in that folder, paste the following script into it, and modify the values the Rem lines describe (highlighted in the original post) according to your environment:

certutil -f -addstore "ROOT" "%~dp0%computername%.cer"
certutil -p SCCMPassword -importPFX "%~dp0%computername%.pfx" NoExport
Rem   Use your internet-facing SCCM server for all of the sccmServer.domain.com values below
Rem   Replace ABC in SMSSITECODE with your environment's 3-character site code
Rem   If the computer will be internet/workgroup only, set CCMALWAYSINF=1
Rem   If the computer is a domain computer that will sometimes be on the internal network and sometimes on the internet, set CCMALWAYSINF=0
"%~dp0ccmsetup.exe" /usePKICert /NoCRLCheck SMSSIGNCERT="%~dp0%Computername%.cer" mp=https://sccmServer.domain.com FSP=sccmServer.domain.com DNSSUFFIX=domain.com SMSSITECODE=ABC CCMALWAYSINF=1 CCMFIRSTCERT=1 CCMHOSTNAME=sccmServer.domain.com
Rem   Remove the PFX (it contains the private key) once it has been imported
del "%~dp0%Computername%.pfx" /q

5. Run CreateCert.bat as administrator. It did not run properly on the client computer, so I ran it on the server and it worked properly.

6. Copy the client install files from "\\<PrimarySiteServer>\SMS_ITH\Client" to the local computer, then run the created internetsetup.bat as administrator. Once it has finished, your computer should work as an internet/workgroup client.
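To confirm that the computer now holds a certificate the ConfigMgr client will actually select (whether it came from the GPO auto-enrollment above or from CreateCert.bat), here is an added PowerShell check; it is not part of the original post or of Configuration Manager. $DnsSuffix is an assumption and should match the DNSSUFFIX value used in internetsetup.bat.

```powershell
# Added example, not from the original post. Verifies that this machine holds a
# certificate the ConfigMgr client can use for HTTPS: Local Computer Personal store,
# private key present, Client Authentication EKU, RSA key of at least 2048 bits,
# not expired, and a SAN DNS name or subject CN that matches the computer FQDN.
# $DnsSuffix is an assumption: set it to the DNSSUFFIX value from internetsetup.bat.
param(
    [string]$DnsSuffix = 'domain.com',
    [int]$MinKeyLength = 2048
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$fqdn          = "$env:COMPUTERNAME.$DnsSuffix".ToLower()

function Test-ClientAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the machine store' }

    # Enhanced Key Usage must include Client Authentication
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }))) {
        $problems += 'missing Client Authentication EKU'
    }

    # Key length as requested in the INF (KeyLength=2048); non-RSA keys are reported too
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if (-not $rsa -or $rsa.KeySize -lt $MinKeyLength) { $problems += "key is not RSA of at least $MinKeyLength bits" }

    if ($Cert.NotAfter -le (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }

    # DnsName returns the SAN DNS entry when present, otherwise the subject CN
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false).ToLower()
    if ($dnsName -ne $fqdn) { $problems += "name '$dnsName' does not match $fqdn" }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

$results = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ClientAuthCert -Cert $_ })
$results | Format-Table -AutoSize
if (-not ($results | Where-Object Usable)) {
    Write-Warning "No usable client authentication certificate for $fqdn; the ConfigMgr client cannot use PKI on this machine."
}
```

Run it from an elevated PowerShell on the client after gpupdate /force (GPO path) or after internetsetup.bat has imported the PFX. Since the PFX written by CreateCert.bat holds the private key protected only by the password embedded in the script, also confirm that the del of the .pfx at the end of internetsetup.bat succeeded.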

This website and its content is copyright of ITHierarchy Inc - © ITHierarchy Inc 2013-2015. All rights reserved.