OS Deployment with PKI (HTTPS) | Quisitive
Solutions
Integration & Consulting
Help you move, operate, innnovate and thrive within the Microsoft clouds.
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Explore the full list of technologies that our expert consultants can support.
Azure
Microsoft Teams
Microsoft 365
Power Platform
Dynamics 365
Power BI
Microsoft Copilot
Power Apps
Azure OpenAI
Sharepoint
Microsoft Fabric
Microsoft Sentinel
Azure Synapse
Windows
SQL Server
ERP Technologies
System Center
Microsoft Viva
Azure Virtual Desktop
Business Needs
Departmental solutions to ensure cloud and technology enablement across every area of your business.
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Help you translate software so you can capture new business worldwide.
Language Engineering & NLP
Translations & Localization
Licensing
Experts in Microsoft cloud licensing and optimizing costs for your business.
Products
EmPerform
Provide people managers with flexible employee performance management software.
Velocity Insights
Monitor, analyze, and prioritize .NET, JavaScript or Node JS errors – all on one dashboard.
AgeChecker.net
Ensure local and federal compliance with our age verification tool for retail.
PowerGov
Engage citizens with a community development app for city maintenance and management.
MazikCare
Embrace patient-centered, collaborative care with our suite of real-time health solutions.
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
AMS
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
ShopFloor
Empower production managers with cutting-edge manufacturing process management.
Spyglass
Take a proactive, continuous approach to optimizing your security environment and strategy.
Managed Services
Azure Management Services
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
App Dev Program
Ongoing enhancements, app security, DevOps and reporting for apps running in Azure.
Data & AI Program
Operational support for running, monitoring and managing services for the Azure Data Platform.
Dynamics Program
Ensure the health of your Dynamics environments, optimize usage and encourage user adoption.
Digital Workplace Program
Optimize Microsoft 365 security, usage and user adoption with our digital workplace experts.
Security Program
Take a proactive, continuous approach to optimizing your security environment and strategy.
Power Platform Program
Get an extension of your team that ensures the health of your Power Platform.
Industries
Manufacturing
Education
Public Sector
Financial Services
Healthcare
Energy
Retail
Software
Resources
Blogs
Case Studies
Library
Newsletters
Events
News
Learning Channels
About
Investors
Leadership
Microsoft
Our Approach
Our Partners
Our Story
Awards & Recognition
Careers
Support
Contact us
Solutions
Back
Solutions
Integration & Consulting
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Azure OpenAI
Microsoft Copilot
Microsoft Fabric
Azure
Azure Synapse
Azure Virtual Desktop
System Center
SQL Server
Microsoft Sentinel
Microsoft 365
Sharepoint
Microsoft Teams
Microsoft Viva
Windows
Power Platform
Power BI
Power Apps
Dynamics 365
ERP Technologies
Business Needs
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Language Engineering & NLP
Translations & Localization
Licensing
Products
Back
Products
EmPerform
AgeChecker.net
MazikCare
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
ShopFloor
Velocity Insights
PowerGov
AMS
Spyglass
Managed Services
Back
Managed Services
Azure Management Services
Data & AI Program
Digital Workplace Program
Power Platform Program
App Dev Program
Dynamics Program
Security Program
Industries
Back
Industries
Manufacturing
Healthcare
Education
Energy
Public Sector
Retail
Financial Services
Software
Resources
Back
Resources
Blogs
Events
Case Studies
News
Library
Learning Channels
Newsletters
Investors
Back
Investors
Financial Reports & Results
Investor News
Earning calls
Contact
Contact us
About
Back
About
Our Story
Investors
Microsoft
Leadership
Our Partners
Awards & Recognition
Our Approach
Careers
Support
Search
Back
Terms of use
Privacy policy
OS Deployment with PKI (HTTPS)
May 25, 2018
Quisitive
More and more organizations are implementing Configuration Manager with PKI (HTTPS) enabled. Recently, I worked with a customer who planned to do just that (OS Deployment with PKI).

More and more organizations are implementing Configuration Manager with PKI (HTTPS) enabled. Recently, I worked with a customer who planned to do just that (OS Deployment with PKI).

Initially we set up the site without any certificates installed because the PKI Implementation within the domain was not yet completed. Once it was complete, we changed the site and client communication to be HTTPS only. This presented us with issues in regard to (Operating System) OS Deployment with PKI.

Once the mode was changed, none of our boot disks or Task Sequences would work. After we finished scratching our head, reading blogs, and flipping through TechNet doc and articles we were able to get it working again.

Here are the steps that we went through to get OS Deployment with PKI back up and running again…assuming that your site is already in HTTPS and you have a healthy/ functional PKI environment.

  1. Create a ConfigMgr Workgroup Client Certificate.
  2. Request the ConfigMgr Workgroup Client Certificate from the Certificate Authority.
  3. Export the ConfigMgr Workgroup Client Certificate.
  4. Modify the MDT Toolkit Package so that our new certificate is available when building the image and deploying it.
    • Alternatively you could create a new package that contains the exported certificate and the answer file created in step 5 below.
  5. Create a new answer file for our OS Installation Package used in our Build task sequence.
  6. Create a package for the new answer file.
  7. Modified our Build task sequence to include the answer file and tell the ConfigMgr Client Package to install for PKI.
  8. Recreate our Boot disk ISO to include the exported certificate.
  9. Build and Capture our new OS Image.

Create the ConfigMgr Workgroup Client Certificate

These are modified steps from TechNet for “Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority

  1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
  4. In the Properties of New Template dialog box, on the General tab, enter a template name that will be used, such as ConfigMgr Workgroup Client Certificate.
  5. Click the Request Handling tab, ensure that “Allow private key to be exported” is checked.
  6. Click the Subject Name tab, select “Supply in the request” at the top.
  7. Click OK and close Certificate Templates Console.
  8. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  9. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Workgroup Client Certificate, and then click OK.
  10. Close Certification Authority.

Request the ConfigMgr Workgroup Client Certificate from the Certificate Authority

These steps can be performed from any domain joined system including the Certificate Authority.

  1. Launch Microsoft Management Console (MMC) by opening a run dialog, type MMC then click OK.
  2. Click FILE -> ADD/REMOVE SNAP-IN to open the “Add or Remove Snap-ins” dialog.
  3. Choose “Certificates” from the list of available snap-ins, then click the button labeled “Add >”.
  4. When prompted, select “Computer Account” and click Next.
  5. Select “Local Computer: (the computer this console is running on)”, then click Finish.
  6. Click OK to close the “Add or Remove Snap-ins” dialog.
  7. Expand “Certificates (Local Computer)” -> Personal, and click on “Certificates”
  8. Right-click on “Certificates” and choose All Tasks -> Request New Certificate from the menu.
  9. In the Certificate Enrollment wizard that opens, click Next.
  10. Select Active Directory Enrollment Policy, then click Next.
  11. Check the box for ConfigMgr Workgroup Client Certificate that was created earlier, then click the link below it that says “More information is required…”
  12. Under Subject name, choose Common name as the type and enter Workgroup PKI as the value, then click the button labeled “Add >” and click OK.
  13. Click Enroll. If done correctly, you should see a “STATUS: Succeeded” in the results dialog.
  14. Click Finish

Export the ConfigMgr Workgroup Client Certificate

  1. The “Workgroup PKI” certificate should now show in the certificate console under Personal -> Certificates.
  2. Right-click on the “Workgroup PKI” certificate and choose “All Tasks” -> “Export…” from the menu.
  3. In the Certificate Export Wizard, click Next on the welcome screen.
  4. Select “Yes, export the private key”, then click Next.
  5. Select Personal Information Exchange – PCKS #12 (.PFX), and ensure that “Include all certificates in the certification path if possible” AND “Export all extended properties” are checked, then click Next.
  6. Type in a password and confirm it in the boxes provided on the Password screen, then click Next. (Save this password for later use)
  7. Browse for a location to export the certificate to. Make sure that it is somewhere accessible from SCCM, give it a name (ex. – WorkgroupPKI.pfx) and click Save.
  8. Click Next on the File to Export dialog.
  9. Click Finish on the completion dialog.

Modify the MDT Toolkit Package

  1. Open windows explorer and locate the certificate file that you just exported.
  2. Copy the file to the Scripts folder within your MDT Toolkit Package.
  3. Open the Configuration Manager Console and locate the MDT Toolkit Package.
  4. Update the Distribution Point(s) for the package.

Create Answer File

  1. Open the Windows System Image Manager on a computer that has the Windows Automated Installation Kit (WAIK) installed.
  2. Create a new answer file by clicking the icon in the upper left corner, clicking “FILE” -> “New Answer File…”, or by pressing CTRL+N on the keyboard.
  3. Under “Windows Image”, right-click on “Select a Windows Image or Catalog File” and choose Select Windows Image.
  4. Browse to your Operating System Installation Media, and choose the catalog file (.clg) for the desired OS you are trying to deploy, then click “Open”. The CLG file is usually located on the installation media in the Sources directory. (EX – for Windows 7 Enterprise the file name is “install_Windows 7 ENTERPRISE.clg”)
  5. Expand Components.
  6. Locate the appropriate Microsoft-Windows-Deployment–neutral component for the desired architecture. (for Windows 7 Enterprise 64bit, the component is – amd64_Microsoft-Windows-Deployment_6.1.7600.16385_neutral)
  7. Expand Microsoft-Windows-Deployment -> RunSynchronous.
  8. Right-click on RunSynchronousCommand and choose “Add Setting to Pass 4 specialize”
  9. In the Answer File section, click on “RunSynchronousCommand” to highlight it.
  10. For the properties of “RunSynchronousCommand”, enter the following:
    • Description: Import Workgroup Certificate
    • Order: 5
    • Path: cmd.exe /c certutil –f –p (PASSWORD) -importpfx (DRIVE):_SMSTaskSequencePackages(PACKAGEID)Scripts(NAMEOFCERTIFICATE).pfx
      • (PASSWORD) = The password set on the certificate when it was exported.
      • (DRIVE) = The system drive where the Operating System will be installed. This is usually drive C.
      • (NAMEOFCERTIFICATE) = The name of the certificate file that was exported earlier.
  11. Richt-click “Credentials” below “RunSynchronousCommand” and choose delete.
  12. Click File -> Save Answer File As, then browse to a location easily accessible by the Configuration Manager Server.
  13. Name the answer file “Unattend.xml” and then click Save.

Create Answer File Package

  1. Open the Configuration Manager Console and navigate to Software Library -> Application Management -> Packages.
  2. Create a new Package called “OSD – Windows 7 Enterprise 64bit Answer File”
  3. Check the box for “This package contains source files”.
  4. Browse to the location where the new answer file was saved. (Ensure that you use the UNC path and not a local volume path when creating packages in Configuration Manager)
  5. Click next
  6. For Program Type, select “Do not create a program”, then click next.
  7. Click next on the Summary screen, then click close on the Completion screen.
  8. Right-click on the package you’ve just created and distribute the content.

Modify the Task Sequence

  1. Open the Configuration Manager Console and navigate to Software Library -> Operating Systems -> Task Sequences.
  2. Select the task sequence used for Build and Capture of your operating system image.
  3. Right-click on the task sequence and choose Edit.
  4. Select the step called Partition Disk 0
  5. Add a Use Toolkit Package step by clicking Add -> MDT -> Use Toolkit Package
  6. Browse for and choose your MDT Toolkit package from the available packages.
  7. Select the step called Apply Operating System
  8. Ensure that the box is checked for “Use an unattended or Sysprep answer file for a custom installation”
  9. Browse for the answer file package we just created.
  10. For the File Name, enter the name given to the answer file created earlier. (unattend.xml)
  11. Click on the Apply Device Drivers step, then click Add -> MDT -> Use Toolkit Package
  12. Browse for and choose your MDT Toolkit package from the available packages.
  13. Click on the step called Setup Windows and Configuration Manager
  14. In the area provided for “Installation Properties”, enter the following:
    • /UsePKICert /NoCRLCheck /MP:(FQDN) DNSSUFFIX=(DOMAIN) CCMHTTPSSTATE=31
      • (FQDN) = Fully Qualified Domain Name of your Configuration Manager Management Point Server
      • (DOMAIN) = Name of the domain where your SCCM Management Point Server resides. (EX – QUISITIVE.COM)
  15. Click Apply to save the changes to the Task Sequence.
  16. Click OK to close the Task Sequence.

Recreate Boot ISO

  1. Open the Configuration Manager Console and navigate to Software Library -> Operating Systems -> Task Sequences.
  2. Right-Click on Task Sequences and choose “Create Task Sequence Media” from the menu.
  3. Select “Bootable Media” as the media type and then click next.
  4. On the next screen, choose the option that works best within your environment. For this example, I chose Dynamic Media.
  5. The next screen is the media type screen. If you have access to the local USB ports where you are running the wizard from, you can choose USB Flash Drive. I personally like to use CD/DVD Set, this gives me the option of using the ISO that is created to make several USB boot drives if I need to.
    • For this blog post, I’ve chosen CD/DVD Set. Once selected, browse for a location to place the ISO (CD Image) file to be created, give it a name with the .iso extension and click next.
  6. On the Security Settings screen, set a password if you wish, or you can uncheck the box for “Protect media with a password”.
  7. Ensure that Import PKI Certificate is selected, then browse to the location where the “Workgroup PKI” certificate was exported.
  8. Select the certificate, then type in the password in the space provided and click next.
    • If you’ve already used the certificate on another boot disk, you will get a prompt telling you that the certificate is already in use. Click yes to use the certificate again, or you can go back and request a new one from the CA and export it again.
  9. On the next screen, choose your boot image to use, the distribution point and the desired management point. Then click next.
  10. Do not enter any customizations at this time. If you wish, you can create another boot disk and customize that one. Simply click next here.
  11. Click next on the summary screen to begin creation of the USB or ISO image.
  12. Once completed, you will have a boot disk to use for build and capture (and deployment) of your image. Click Close on the completion screen.

Build and Capture the Image

Using a Virtual Machine, mount the ISO image that we just created and boot from it. If you’ve deployed the Build and Capture task sequence to the “All Unknown Computers” collection, you should have the task sequence available.

Related posts
|
Read more
CFSA Case Study Feature Image - dc.gov logo
Infrastructure | 7 Dec
Quisitive helps CFSA Launch Kinship Navigator Platform
Read more
Infrastructure | 12 Aug
Greene Tweed Develops and Deploys Smart Factory with Quisitive
Read more
Infrastructure | 7 Mar
Discover 5 Reasons to Migrate SQL Servers to Azure
Read more