How To: Build and Capture in Configuration Manager 2012 using HTTPS

One of the major changes in Configuration Manager 2012 is that the old Mixed and Native modes in CM07 are gone.  Instead, CM12 does the vast majority of its communications over HTTP and HTTPS, and the CM12 site is configured on installation to accept either a mix of both protocols or HTTPS only.

In the old Native mode in CM07, you had to cater for certain scenarios, such as Build and Capture task sequences, where the system normally doesn’t join the domain (to avoid picking up group policy, logon scripts and other domain-based configurations).  It takes a little more effort, but it works just fine.

Things are a bit different in CM12, and I’ve been picking away at a particularly annoying problem in my lab environment, which is configured to only use HTTPS.  This isn’t really a scenario most ConfigMgr administrators are likely to encounter, but I figured that this was the configuration most likely to break something…..guess I was right 🙂

The specific problem is this:

  • You create a Build and Capture task sequence which has one or more Install Applications or Install Software Updates steps;
  • The task sequence is either classic CM or MDT-integrated;
  • The task sequence does not join the system to the domain;
  • The CM hierarchy is configured for HTTPS communications only;
  • The task sequence is started from either PXE or boot media with an imported PKI client certificate;
  • The task sequence runs successfully until the Install Applications step, at which point the task sequence fails with a generic 0x80004005 error;
  • The log files are of little or no earthly use.

What’s happening is that the workgroup system is failing to be assigned to a site.  It finds the management point (which has been published via DNS), but because it doesn’t have a locally-installed PKI client certificate it can’t talk to an HTTPS-only management point.  CM07 had an option to allow HTTP for site assignment, but CM12 doesn’t have this fallback position.

There are a number of ways around this, but my challenge was to find a solution which didn’t involve changing the security settings in the CM12 hierarchy or joining the system to the domain during the Build and Capture.  The trick is getting a valid PKI client certificate into the operating system during the build process, before the CM12 agent gets installed, especially considering that the OS installation and the agent installation are both part of the same task sequence step.  Before that step you’re still in WinPE; after that step, it’s too late.

This is a bit lengthy, so read on for the full solution.

Step 1 – Generate a Client Certificate

This is the easy bit.  You just need a valid PKI client certificate which gets exported, along with its private key, for importing later on.  For this you just need a domain-joined system which can talk to the CA.  Bear in mind that the exported private key will end up in a package on every distribution point and on every reference machine you build, so treat this certificate as a shared, low-value credential: give it its own template and a distinctive subject, don’t let it autoenrol, and revoke it if the PFX ever leaves your control.

The certificate template I used was the same as the ConfigMgr Client Certificate template I created to support HTTPS communications in CM12.  So, in the Certification Authority console:

  1. Right-click “Certificate Templates” and select “Manage”;
  2. Right-click “ConfigMgr Client Certificate” and select “Duplicate Template”;
  3. Select “Windows Server 2003 Enterprise”;
  4. In the General tab, change the certificate Template Display Name to “ConfigMgr Workgroup Client Certificate”;
  5. In the Request Handling tab, tick “Allow private key to be exported”;
  6. In the Subject Name tab, select “Supply in the request”;
  7. In the Security tab, select “Domain Computers” and untick the “Autoenroll” permission;
  8. Select OK.

Back in the Certificate Authority console, right-click Certificate Templates and choose “New” –> “Certificate Template to Issue”.  Choose the newly-created template from the list and select OK.

Now, on a domain system (it can even be the CA), launch the Certificate MMC snap-in for the Local Computer:

  1. Go to Personal –> Certificates;
  2. Right-click Certificates and select “All Tasks”, “Request New Certificate”;
  3. Select “Active Directory Enrolment Policy” and click Next;
  4. Tick “ConfigMgr Workgroup Client Certificate” and click the link directly underneath which is prompting for more information;
  5. In the Subject tab, select “Common Name” from the Subject Name drop-down and type in “Workgroup PKI” in the Value field;
  6. Select Add, and OK;
  7. Select Enrol.

The new certificate should now appear in the MMC window.  Right-click the certificate and select All Tasks –> Export:

  1. In the Export Private Key window, select “Yes, export the private key”;
  2. In the Export File Format window, tick “Include all certificates in the certification path if possible” and “Export all extended properties”;
  3. Select and confirm a password, and then a location for the PFX file;
  4. Export completed.
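The same request and export can be scripted rather than clicked through in the MMC.  The following PowerShell script is an added example and is not part of the original post; it assumes the duplicated template’s internal name is ConfigMgrWorkgroupClientCertificate (the default when the display name has its spaces removed), that $CaConfig is your issuing CA in “host\CA name” form, and that it is run elevated on a domain-joined system.  Exportable = TRUE and MachineKeySet = TRUE in the INF correspond to the template and store choices made above.

```powershell
<#
  Added example (not from the original post): request the
  "ConfigMgr Workgroup Client Certificate" with a supplied subject and export
  it with its private key, using certreq.exe and certutil.exe.
  Assumptions: template internal name, CA config string and paths are
  placeholders to be replaced with your own values.
#>
param(
    [Parameter(Mandatory=$true)] [string] $CaConfig,     # e.g. 'ca01.corp.example\Corp Issuing CA' (assumed)
    [Parameter(Mandatory=$true)] [string] $PfxPassword,
    [string] $Subject  = 'CN=Workgroup PKI',
    [string] $Template = 'ConfigMgrWorkgroupClientCertificate',  # assumed internal template name
    [string] $PfxPath  = (Join-Path (Get-Location) 'exportedcert.pfx')
)

$work = Join-Path $env:TEMP 'wgcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

# Exportable=TRUE matches "Allow private key to be exported" on the template;
# MachineKeySet=TRUE puts the key in the Local Computer store, which is where
# the ConfigMgr client looks for its PKI certificate.
@"
[NewRequest]
Subject = "$Subject"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

& certreq.exe -new -q $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
& certreq.exe -submit -q -config $CaConfig $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE); the template may need manual approval" }
& certreq.exe -accept -q $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Pick the newest certificate with that subject and export it by thumbprint so
# an older certificate with the same name can't be exported by mistake.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate with subject '$Subject' was not found in LocalMachine\My" }

# Includes the chain by default; ExtendedProperties mirrors the MMC export option.
& certutil.exe -p $PfxPassword -exportPFX My $cert.Thumbprint $PfxPath ExtendedProperties
if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed ($LASTEXITCODE)" }
"Exported $($cert.Thumbprint) to $PfxPath"
```

After the export, the certificate and its private key are still in the requesting machine’s Local Computer store; delete them there if that machine isn’t meant to keep a copy.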

Step 2 – Bring the PKI Certificate into Configuration Manager

It’s easy enough to import an exported PFX file with a Run Command Line step, but that isn’t going to help us in this scenario.  You can’t import a certificate into the target OS from WinPE (mainly because the OS hasn’t been installed yet), and as already mentioned, after the “Setup Windows and ConfigMgr” step it’s too late.

However, MDT to the rescue! 🙂

So yes, you will need to have MDT 2012 integrated into your CM12 environment and be using an MDT-integrated task sequence.  Why?  Because whenever the “Use Toolkit Package” step is called, everything within the MDT package gets copied down to the _SMSTaskSequence folder on the local system.  That gives you a lot of flexibility to call on your own resources during a task sequence.

In my case, I just copied the exported PFX file to the SCRIPTS folder in the already-configured MDT Toolkit package.  If you haven’t already created an MDT package for use within Configuration Manager, just create a new MDT-integrated task sequence – it will prompt you to create the package.  Put the PFX file in the SCRIPTS folder (it doesn’t have to be there – that’s just the location I used, and the one the command line in Step 3 assumes) and ensure the package has been distributed to all distribution points.

Step 3 – Import the Certificate during the Windows Build

This was a trickier solution to find.

One of the steps in creating an MDT-integrated task sequence is that you’re prompted to create a new Settings package.  This creates an Unattend.xml and a CustomSettings.ini file for use during the task sequence.

On a system with the Windows Automated Installation Kit (WAIK) installed, launch System Image Manager and open the Unattend.xml.  Make sure that it’s associated with a Windows catalog for the correct architecture version of Windows (eg: x86 or x64).

In the Windows Image section:

  1. Expand Components;
  2. Expand amd64_Microsoft-Windows-Deployment_6.1.7600.16385_neutral (assuming your architecture is x64);
  3. Expand RunSynchronous;
  4. Right-click RunSynchronousCommand and select “Add setting to Pass 4 specialize”.

In the Answer File section:

  1. Navigate to the newly-added setting under pass 4 specialize;
  2. Change the Description to “Import PFX”;
  3. Change the Order to the last in the list (eg: Order = 3);
  4. Change the Path to “cmd /c certutil -f -p password -importpfx %deployroot%\scripts\exportedcert.pfx” (without the quotes), replacing password with the PFX password from Step 1 and noting the space before -importpfx – a missing space there causes a parse error in the specialize pass;
  5. Ensure the Will Reboot is set to “Never”;
  6. Expand RunSynchronousCommand, right-click “Credentials” and select Delete (the command runs as the local system account during the specialize pass, so no credentials are needed).

Save and exit System Image Manager.  Make sure that the Settings package is updated in the Configuration Manager console so that the latest version is copied to the distribution points.  Note that the PFX password now sits in clear text in the answer file, and Windows keeps a copy of the processed answer file under C:\Windows\Panther on the built system – one more reason not to reuse that password anywhere else.
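For anyone who would rather not hand-edit the answer file in System Image Manager, the following PowerShell script does the same thing to an existing Unattend.xml: it adds a RunSynchronousCommand to the specialize pass with the next free Order, the certutil command line, WillReboot = Never and no Credentials element.  This is an added example, not from the original post; the PFX path, password and the component’s publicKeyToken (the standard Windows value) are assumptions you should check against your own file, and the script expects the WSIM-generated xmlns:wcm declaration on the root element.

```powershell
<#
  Added example (not from the original post): inject the "Import PFX"
  RunSynchronousCommand into the specialize pass of an MDT Settings package
  Unattend.xml, equivalent to the System Image Manager steps above.
  Assumptions: $PfxPath/$PfxPassword are placeholders; the component
  attributes are the standard values for the Windows 7 catalog.
#>
param(
    [Parameter(Mandatory=$true)] [string] $UnattendPath,
    [string] $PfxPath     = '%deployroot%\scripts\exportedcert.pfx',   # assumed location in the Toolkit package
    [string] $PfxPassword = 'password',                                 # placeholder
    [ValidateSet('amd64','x86')] [string] $Arch = 'amd64'
)

$ns    = 'urn:schemas-microsoft-com:unattend'
$wcmNs = 'http://schemas.microsoft.com/WMIConfig/2002/State'

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($UnattendPath)
$nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$nsm.AddNamespace('u', $ns)

# Locate (or create) the specialize pass and its Microsoft-Windows-Deployment component.
$specialize = $xml.SelectSingleNode("/u:unattend/u:settings[@pass='specialize']", $nsm)
if (-not $specialize) {
    $specialize = $xml.CreateElement('settings', $ns)
    $specialize.SetAttribute('pass', 'specialize')
    [void]$xml.DocumentElement.AppendChild($specialize)
}
$component = $specialize.SelectSingleNode("u:component[@name='Microsoft-Windows-Deployment']", $nsm)
if (-not $component) {
    $component = $xml.CreateElement('component', $ns)
    $component.SetAttribute('name', 'Microsoft-Windows-Deployment')
    $component.SetAttribute('processorArchitecture', $Arch)
    $component.SetAttribute('publicKeyToken', '31bf3856ad364e35')   # standard Windows component token
    $component.SetAttribute('language', 'neutral')
    $component.SetAttribute('versionScope', 'nonSxS')
    [void]$specialize.AppendChild($component)
}
$runSync = $component.SelectSingleNode('u:RunSynchronous', $nsm)
if (-not $runSync) {
    $runSync = $xml.CreateElement('RunSynchronous', $ns)
    [void]$component.AppendChild($runSync)
}

# Order must be unique within RunSynchronous; make ours the last one.
$existing = @($runSync.SelectNodes('u:RunSynchronousCommand/u:Order', $nsm) | ForEach-Object { [int]$_.InnerText })
$order = if ($existing.Count -gt 0) { ($existing | Measure-Object -Maximum).Maximum + 1 } else { 1 }

$cmd = $xml.CreateElement('RunSynchronousCommand', $ns)
[void]$cmd.SetAttribute('action', $wcmNs, 'add')     # serialises as wcm:action="add"
$children = @(
    @{ Name = 'Order';       Value = "$order" },
    @{ Name = 'Description'; Value = 'Import PFX' },
    # Space before -importpfx is required; certutil otherwise treats it as part of the password.
    @{ Name = 'Path';        Value = "cmd /c certutil -f -p $PfxPassword -importpfx $PfxPath" },
    @{ Name = 'WillReboot';  Value = 'Never' }
)
foreach ($child in $children) {
    $el = $xml.CreateElement($child.Name, $ns)
    $el.InnerText = $child.Value
    [void]$cmd.AppendChild($el)
}
# Deliberately no <Credentials> element: the command runs as SYSTEM during specialize.
[void]$runSync.AppendChild($cmd)

$xml.Save($UnattendPath)
"Added RunSynchronousCommand (Order=$order) to $UnattendPath"
```

Open the result in System Image Manager afterwards and validate it against the catalog before updating the Settings package; a malformed specialize pass fails the whole Windows install, not just this step.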

Step 4 – Create a new Configuration Manager Client Package

The CM agent won’t pick up the PKI certificate on its own during the build, so we need to force the issue with a dedicated client package.

In the Configuration Manager console, go to the Software Library.  Right-click Packages and select “Create Package from Definition”.  Step through the process of creating a standard Configuration Manager client package.

Once complete:

  1. Right-click on the newly-created package and select Properties;
  2. Change the package name to “Configuration Manager Workstation Client” and select OK;
  3. In the Programs tab underneath, right-click the program “Configuration Manager agent silent upgrade” and select Properties;
  4. Change the command line to “CCMSETUP.EXE /UsePKICert /NoCRLCheck /MP:mp.fqdn SMSSITECODE=XXX” (without the quotes), substituting your management point FQDN and site code.  /NoCRLCheck skips certificate revocation checking, which stops a workgroup machine that can’t reach the CRL distribution point from stalling during the build; don’t carry it over into your production client installation properties;
  5. Click OK and distribute the package.

After the first test build, check ccmsetup.log on the reference machine and confirm that the “CCMsetup command line” entry which actually ran includes /UsePKICert.  The “Setup Windows and ConfigMgr” step launches ccmsetup directly from the package source with its own arguments plus the step’s installation properties, so if the switches are missing from the log they need to go into the installation properties in Step 5 as well.

Step 5 – Customising the Task Sequence

To bring all of this together in the task sequence, there are a couple of changes which need to be made.  Open up the task sequence in the Software Library:

  1. Go to the step called “Format and Partition Disk 6.1” (assuming you’re deploying Windows 7);
  2. Delete the small partition which MDT will create for BitLocker;
  3. Edit the remaining large partition and tick “Make this the boot partition”;
  4. Next, go to the step “Setup Windows and ConfigMgr”;
  5. Change the referenced Package to “Configuration Manager Workstation Client”;
  6. In the installation properties, enter “DNSSUFFIX=dnssuffix CCMHTTPSSTATE=31” (without the quotes), substituting the DNS suffix under which the management point is published;
  7. Select OK to close down the task sequence

What Happens Now?

When you run the updated task sequence, the PFX file will be copied down to the local machine as part of the “Use Toolkit Package” step.

After the operating system is laid down, the RunSynchronousCommand item configured earlier will run and import the PFX file.  The MDT variable %deployroot% will be resolved as C:\_SMSTaskSequence.  If we hadn’t removed the BitLocker partition it would have resolved as D:\_SMSTaskSequence, because WinPE assigns a drive letter to every partition whereas Windows 7 does not assign one to the BitLocker partition; the path would not exist by the time the RunSynchronousCommand step ran, so it would fail.

When the Configuration Manager client is installed, it will be forced to use the PKI certificate, told which management point to look for and told to work in HTTPS mode.  It will then be able to be assigned to the site correctly.

Subsequent Install Applications and Install Software Updates steps in the task sequence will run successfully.  Once the system is sysprepped, the imported PKI certificate will be stripped out – but verify this on a machine deployed from the captured image (check the Local Computer Personal store) rather than assuming it, and remove the certificate before the capture step if it survives.
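A quick way to confirm each of those three claims on the reference machine (from an F8 command prompt during the task sequence, or after logon) is the following PowerShell check.  It is an added example and not part of the original post; it assumes the certificate subject from Step 1, the default ccmsetup.log location and the client’s root\ccm SMS_Authority WMI class, and it reports rather than changes anything.

```powershell
<#
  Added example (not from the original post): post-build sanity check for
  the workgroup reference machine. Reports whether the PFX landed in the
  Local Computer store, which ccmsetup command line actually ran, and what
  site/MP the client believes it is assigned to.
  Assumptions: subject CN from Step 1, default ccmsetup.log path.
#>
$subjectCn = 'Workgroup PKI'
$result = @{}

# 1. The imported certificate: present, with a private key, Client Authentication EKU, in validity.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$subjectCn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$result.CertPresent   = [bool]$cert
$result.HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
$ekuExt = $null
if ($cert) {
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
}
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$result.ClientAuthEku = ($ekuOids -contains '1.3.6.1.5.5.7.3.2')
$now = Get-Date
$result.CertInValidity = [bool]($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)

# 2. The ccmsetup command line that really ran. If /UsePKICert is missing here,
#    the switches from the package program were not used.
$log = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
$result.CcmsetupCommandLine = $null
$result.UsedPkiCert = $false
if (Test-Path $log) {
    $entry = Select-String -Path $log -Pattern 'CCMsetup command line' | Select-Object -Last 1
    if ($entry) {
        $result.CcmsetupCommandLine = $entry.Line
        $result.UsedPkiCert = [bool]($entry.Line -match '/UsePKICert')
    }
}

# 3. Site assignment and management point as the client itself sees them.
$result.SiteCode = $null
$result.ManagementPoint = $null
try {
    $auth = Get-WmiObject -Namespace root\ccm -Class SMS_Authority -ErrorAction Stop
    if ($auth) {
        $result.SiteCode = ($auth.Name -replace '^SMS:', '')   # Name is "SMS:<sitecode>"
        $result.ManagementPoint = $auth.CurrentManagementPoint
    }
} catch {
    $result.Error = $_.Exception.Message    # client not installed or not yet assigned
}

New-Object PSObject -Property $result | Format-List
```

Run the same script on a machine deployed from the captured image: CertPresent should then be False, which is the real test of whether the workgroup certificate was stripped at capture time.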

This solution may seem convoluted, but it overcomes the issue without having to change any settings in the CM hierarchy and it keeps the Build/Capture process as clean as possible.

So far, this has been the biggest hurdle I’ve encountered in running CM12 in a pure HTTPS environment and it took quite a while to resolve.

Onwards and upwards with CM12 🙂 (damn I hate trying to write pithy conclusions……)

24 comments to How To: Build and Capture in Configuration Manager 2012 using HTTPS



  • Jason

    Thanks for this post. I have been trying to do this for a couple of days now. But, I am having a problem that maybe you can help with. I have got the certificate part working. That was no problem. But, for some reason when the Setup Windows and ConfigMgr task runs it does not use the program that was modified (it runs the default /useronly /source:C:\_SMSTaskSequence\OSD\XXX0000X /config:MobileClient.TCF /status:544) and it does not ever get assigned a Site code. If I press F8 and use the command to uninstall and reinstall using the options that you specified manually, then the machine gets assigned a site. However, in SMSCFGRC.cpl it still says Client Certificate: NONE. The applications do not install and fail with some other errors (I think due to the uninstall), but once the deployment is over, if I have manually uninstalled and reinstalled using your settings the applications download just fine. So I am not sure what I am missing or how I can force the proper setup options to run.

  • dexter

    Nice article. I followed all the steps you listed out and got the certificate installed during OSD but i’m still encountering that 0x80004005 error when I get to the application installation sequence. Just like you mention, the smsts log is pretty much useless. Any other thoughts as to what I can check?

    It’s a new sccm 2012 install standalone Primary site, 1 MP (https), 1 DP (http). Certificate I used is the same one I used for a standalone bootable media.

  • Janis

    Thanks for article.
    Have the same problem as Jason – CCMSETUP runs with default parameters and therefore the installation doesn’t pick up the certificate. My TS fails to deploy updates, but when I log in to this reference machine, after a few minutes the SCCM client automatically picks up the certificate and can then download updates.

    So has anybody figured this out?

    • James Bannan

      One thing I have seen is where the machine isn’t in the right management boundary, so is failing to pick up content during OSD. Some content can be specified to be available on remote DPs or fallback DPs, but depending on how the content is distributed, it may not work. I had issues where a machine outside the management boundaries was still able to pick up the OS, client and software updates, but then couldn’t pick up some extra AppModel applications. The errors pointed to a certificate problem, but in the end it was just a boundary issue. Make sure you’re using either IP ranges or IP subnets – they seem to be the most reliable.

      • Janis

        I have defined subnet boundary and assigned to this DP, so I suppose that is not the problem. I am sure that the problem is that ccmsetup is not executed with UsePKICert parameter, but I can’t figure out why.

        For me it looks like the Configuration Manager Workstation Client package doesn’t run the program specified in it, but runs ccmsetup with default parameters instead. From ccmsetup.log – CCMsetup command line “C:\_SMSTaskSequence\OSD\XXX0002C\ccmsetup.exe” /useronly /source:C:\_SMSTaskSequence\OSD\XXX0002C /config:MobileClient.TCF

        As I said, after the task sequence fails (install updates step), I log in to the computer (still in workgroup), and after a few minutes the SCCM agent picks up the Workgroup PKI cert and starts downloading all updates.

  • Gary

    Thanks for the Post, I’ve been working on this.
    During the process of “Installing Windows”, I get an error when it is parsing the Unattend.xml file: “Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for the component [Microsoft-Windows-Shell-Setup].”
    Any ideas?

    • Janis

      Gary, double-check your command in the unattend.xml file – cmd /c certutil -f -p YourPassword -importpfx %deployroot%\scripts\exportedcert.pfx

      If you copied, then make sure there is space before -importpfx

  • Another James

    Thanks for posting this. I too have been trying to get it to work with no success.

    I have found that there is no way of getting the client to find the management point using HTTPS. I created a package as you suggested but I also added the installation property CCMCERTSEL=”SubjectStr:Workgroup”. I can see in the logs that it is selecting the “Workgroup PKI” certificate and that the thumbprint matches the cert installed during by certutil however, after the B&C task sequence has completed the SCCM control panel applet shows “Client Certificate = None” and that it is operating in “Currently Internet” mode. From what I have read this would suggest it has not been able to find the management point. I have published the management point to DNS and also extended the AD schema. I also have my boundaries setup correctly.

    Interestingly though, if I set the management server/distribution point to HTTP comms, I can see from the logs that it selects and uses the correct certificate and talks to all the servers using HTTPS. It seems that the client cannot verify its management point via HTTPS (or something like that). But when HTTP is allowed, it verifies itself, then immediately switches over to HTTPS mode using the workgroup cert.



  • Thanks for your blog entry. Hope this will help us to start capturing machines with SCCM 2012.

    I have one question, or maybe a misunderstanding. Where does the Settings file come into play in your tutorial?

    Do i have to add a step in the Build & Capture Task Sequence?

    Thanks for your help!

  • Thank you for a great article!

    I had some spare time and tried to solve this without editing Unattend.xml since I’m not very keen on editing this file. I did however not find any good/better method of importing the certificate than using unattend.xml.

    I also found out that the “Setup ConfigMgr and Windows” step does not take into account the command-line options on the client package. This means you can do this with any client package. The key MSI parameters seem to be SMSMP and DNSSUFFIX.

    So the only change I’ve done to get this working is:
    * Configuring RunSynchronousCommand in unattend.xml
    * Configuring SMSMP in “Setup ConfigMgr and Windows” step

  • Todd Mote

    I can add to this that MDT is not required and you can use the built-in Build and Capture task sequence. You can accomplish the same effect by creating a new package that contains your cert and your unattend file, setting the package and the filename for the unattend file in the “Apply Operating System” step, and making your deployment “download content locally when needed by running task sequence”. The path to the cert in the unattend file changes to c:\_SMSTaskSequence\Packages\cert.pfx. Everything else is the same as above. I just successfully completed my first Build and Capture on CM 2012 SP1. Thanks for this post!

  • Christian M.

    Great article – I managed to get the Capture sequence running with and without MDT. I encounter a similar problem when deploying this image though: I use the MDT user-driven setup routine and can select my newly captured image(s) but how do you manage to apply different unattend.xml files depending on the images you select? Also those xml files would have to be modified by the TS if you’re using different language packs.

    It would still be a requirement in a HTTPS-only environment to install the client in a similar way as described above when using a Deployment TS or are there any workarounds there?

    Any help is greatly appreciated since this problem is bugging me now for quite a while.


  • bharat

    Hi Christian,

    This is a known issue and Microsoft is working on it; there is no fix yet, only a workaround.


  • Todd Mote

    I was able to get this approach to work for building and capturing Server 2008 R2; however, Server 2012 loads the cert fine, though the Config Manager 2012 client install refuses to use it. My TS bails out at the first sign of trying to install updates. When I get into Windows, the cert is there, the client is installed, however the logs all say something to the effect of “no certificate”. The same TS, the same cert even, works fine for 2008 R2. Has anyone tried this for Server 2012?

  • Vlad

    Thanks for a very useful page. This would have taken waaaay more time without it. I simply cannot believe that a) This has not been tested by the product team. b) is not in Microsoft’s documentation c) that the SCCM task sequence editor does not come with an “Install certificate” step if it is required to make things work.

    And finally, the only useful bit of info I can add is that I have tried it on Server 2012 and it does indeed work as expected.


  • Hi James,

    Can you email me if you are still getting this issue?

  • Daniel

    Thank you, You saved a lot of heart ache with the unattend.xml

  • Marc

    Not sure if my issue relates to this but everything else in the TS seems to be working fine except when it comes to Installing Applications in my Task Sequence, they all fail. From the logs it seems to be because it’s trying to connect via HTTP and if I have Anonymous Authentication disabled in IIS under Sites/Default Web Site/NOCERT_SMS_DP_SMSPKG$ on the SCCM server, they fail. I can enable it and it works but it will automatically disable it again at some random time.

    I’d like to a) have some way to enable that permanently (not desired) or b) be able to insert the correct cert into the task sequence without MDT.
