Very nice! I will have to try this out next time I'm working with a large number of workgroup clients.

Thanks,
Justin Chalfant
Premier Field Engineer - Configuration Manager
Public Sector Microsoft Services
Tel: (303) 846-2701
Email: [email protected]
If you have any feedback about my work, please let either myself or my manager Rusty Gray know at [email protected]

From: [email protected] On Behalf Of Mote, Todd
Sent: Wednesday, September 24, 2014 12:51 PM
To: [email protected]
Subject: [mssms] RE: SCCM 2012 R2 CU2 - PKI to workgroup computers

This isn't out of the box automated, but I wrote a PowerShell script to generate all of the files needed for enrolling a workgroup computer. We use it primarily to enroll Linux hosts for a cert for SCCM, but it works equally well for Windows hosts off domain. It uses certreq and certutil to do all the work; I do some other file manipulations to keep it clean, but this has worked quite well for us. You could conceivably change things around to automate this for another domain, and you can see you could use it with an input file. It accepts and imports the cert to the machine you run it on, then exports the cert to PFX, then removes it from the local host. In the end you're left with a .pfx that you can take to the workgroup machine and import. After that it's just the same as on domain: the client installs and picks the cert.

Todd

    param(
        [string] $hostname,
        [string] $fqdn                       # accepted by the original script but not used
    )

    # $InputFile = "D:\LinuxSCCM\serverstest.txt"
    $records = $hostname                     # or: Get-Content $InputFile for a list of hosts

    ForEach ($record in $records) {
        $inf = "D:\LinuxSCCM\inf\$record.inf"
        $req = "D:\LinuxSCCM\req\$record.req"
        $cer = "D:\LinuxSCCM\cer\$record.cer"
        $rsp = "D:\LinuxSCCM\cer\$record.rsp"
        $pfx = "D:\LinuxSCCM\pfx\$record.pfx"

        # Remove leftovers from a previous run so certreq/certutil do not prompt to overwrite
        ForEach ($stale in @($inf, $req, $cer, $rsp, $pfx)) {
            If (Test-Path $stale) { Remove-Item $stale }
        }

        # Request file: machine key, exportable, 2048-bit, issued from the export template
        New-Item $inf -Type File | Out-Null
        Add-Content $inf "[NewRequest]`r`nSubject = ""CN=$record""`r`nMachineKeySet = True`r`nExportable = TRUE`r`nKeyLength = 2048`r`n[RequestAttributes]`r`nCertificateTemplate = ConfigMgrClientCertificateforExport"
        Start-Sleep -s 2

        # Tools are called directly so $record is passed as an argument rather than
        # re-parsed by Invoke-Expression as part of a command string.
        certreq -new $inf $req
        Start-Sleep -s 2

        # Submit to the CA (replace the CA host, CA name and credentials with your own)
        certreq -submit -config "hostname.of.your.CA\FriendlyNameofYourCA" -UserName username -p password $req $cer
        Start-Sleep -s 2
        If (Test-Path $rsp) { Remove-Item $rsp }

        # Accept the issued cert into this machine's store, binding it to the private key
        certreq -accept $cer
        Start-Sleep -s 2

        # Export cert + private key to PFX; the script uses the hostname as the PFX password
        certutil -privatekey -p $record -exportpfx "$record" $pfx
        Start-Sleep -s 2

        # Remove the cert from this host's MY store by serial number.
        # -replace strips the "Serial Number:" prefix; TrimStart would strip characters,
        # not the prefix, and can eat leading hex digits such as "a", "b" or "e".
        $dump  = certutil $cer | Where-Object { $_ -like "Serial Number:*" }
        $index = ($dump -replace '^Serial Number:\s*', '').Trim()
        certutil -delstore MY $index
    }

From: [email protected] On Behalf Of Justin Chalfant
Sent: Wednesday, September 24, 2014 1:27 PM
To: [email protected]
Subject: [mssms] RE: SCCM 2012 R2 CU2 - PKI to workgroup computers

I'm not aware of an automated way to issue certs to workgroup clients. Check out this session I did on IBCM; it covers workgroup clients: http://memug.wordpress.com/2014/08/08/replay-july-2014-memug/

Thanks,
Justin Chalfant

From: [email protected] On Behalf Of James Avery
Sent: Wednesday, September 24, 2014 12:06 PM
To: [email protected]
Subject: [mssms] SCCM 2012 R2 CU2 - PKI to workgroup computers

Hello everyone,

I'm having issues with workgroup computers, not domain systems, when I request a certificate. I have the following configuration:

1. CA Enterprise
   a. I have created the SCCM Client Certificate
   b. I have created the SCCM Web Server Certificate
   c. I have created the SCCM Distribution Point Certificate
2. GPO is configured
3. SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
   a. Installed SCCM Client Certificate
   b. Installed SCCM Web Server Certificate
   c. Installed Distribution Point Certificate
4. Deployed to a domain computer - good on PKI

Workgroup Computers: I'm having issues with deploying certificates
1. Windows 7 - (ERROR) not successful
2. Windows Server 2008 R2 - (ERROR) not successful
3. Windows Server 2003 - successful
4. Windows XP - (ERROR) not successful ("CERTUTIL is not recognized as an internal or external command", meaning it can't find it)

How I'm getting the certs for the clients is by utilizing the following scripts from this URL: http://www.ithierarchy.com/ITH/node/48

I did find a couple of errors in the code, but if it's working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I'm getting is the following:

Command line requesting the cert:
CertReq -new -f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req

Error:
Template not found. SCCMClientCertificate (this is my template)
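As an added example (not Todd's script and not from the thread), a check to run on the enrollment host before the .pfx is carried to the workgroup client: it confirms the exported certificate is the one that client needs (subject CN, private key, Client Authentication EKU, validity, key size) and then removes the private-key copy the accept step left in that host's LocalMachine\My store, matching by thumbprint instead of parsing certutil text. The parameter names, the 2048-bit minimum and the Windows 8 / Server 2012-era PowerShell it targets are assumptions.

```powershell
# Added example, not part of the thread. Runs on the domain-joined host that
# produced the PFX; verifies the file, then cleans this host's MY store.
# $PfxPath, $ExpectedCN and $PfxPassword are assumed parameter names.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [string] $ExpectedCN,
    [Parameter(Mandatory)] [System.Security.SecureString] $PfxPassword
)
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, what the ConfigMgr client presents

# Load the PFX from disk without importing it into any certificate store
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $PfxPassword, $flags

$problems = @()

# The client is matched to its cert by subject CN, so it must be the workgroup host's name
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $ExpectedCN) { $problems += "Subject CN is '$cn', expected '$ExpectedCN'" }

# A PFX without the private key is useless to the client (Exportable = TRUE missing in the .inf)
if (-not $cert.HasPrivateKey) { $problems += "PFX carries no private key" }

# Client Authentication EKU must be present or the HTTPS management point rejects the client
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
if (-not $hasClientAuth) { $problems += "Client Authentication EKU ($clientAuthOid) missing" }

# Sanity checks on validity window and key size (2048 is the KeyLength in the .inf above)
if ($cert.NotAfter -le (Get-Date)) { $problems += "Certificate already expired ($($cert.NotAfter))" }
if ($cert.PublicKey.Key.KeySize -lt 2048) { $problems += "Key size $($cert.PublicKey.Key.KeySize) < 2048" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Clean-up: certreq -accept left cert + private key in LocalMachine\My on this host.
# Match by thumbprint rather than parsing certutil's "Serial Number:" output line.
$leftover = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($leftover) {
    # certutil accepts a SHA-1 thumbprint as the CertId for -delstore
    certutil -delstore MY $cert.Thumbprint | Out-Null
    Write-Output "Removed $($cert.Thumbprint) from LocalMachine\My"
}
Write-Output "OK: $PfxPath is ready for $ExpectedCN"
```

Run it with the same hostname used as the CN in the request file; a non-zero exit means the .pfx should not be handed to the workgroup machine.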

