Operating System Deployment (OSD) with HTTPS/SSL in SCCM/MECM

Miguel Madrid July 3, 2021

install, MECM, microsoft, security, server, windows

Microsoft recommends using HTTPS for all Microsoft Endpoint Configuration Manager communication paths, although is not always possible to manage correctly due to the growing volume of certificates. In addition, MECM communication over HTTP will be soon discontinued.

Prerequisites

MECM Server installed and configured with a compatible ADK, server firewall rules, database,… In my case it will be a primary site managing intranet clients, following the Hardware Requirements for less than 25000 clients.
At least, one domain controller server with the following roles:
- Active Directory
  - At least this service users and groups:
    - MECM_NAA: Network Access Account. It must only read the shared resources.
    - MECM_DomainJoin: This user has special permissions over the domain such as create and delete computers, change computer password… Nothing else.
    - MECM_IIS_SiteServers_g: All the IIS servers are SCCM/MECM servers with Internet Information Services installed as a web server.
    - MECM_SiteServers_g: All SCCM/MECM Servers, including those that don’t have IIS installed.
    - MECM_DenyLogOnLocally_g: All the service users mustn’t log on on any system in our network, this group I’ll use in a Group Policy.
- DNS
- Active Directory Certification Authority

Steps for Operating System Deployment on MECM with HTTPS

It’s not necessary to follow a strict order, since while you are waiting for the completion of some tasks you can perform others.

Download ISO
- Extract/copy the WIM/ESD File

Customized WIM File
- DISM.exe
  - Extract OS index version from ESD or WIM file

DISM.exe /Get-ImageInfo /ImageFile:install.[esd|wim]

Convert from ESD to WIM file

DISM.exe /ExportImage /SourceImageFile:install.esd /SourceIndex: <Number> /DestinationImageFile:install.wim /Compress:max /CheckIntegrity

Windows SIM (System Image Manager) from Windows ADK (Assessment and Deployment Kit)
- Create an unattended.xml file from the WIM file:
  - enable/disable packages
  - OOBE
    - Create a MECM package or…

DISM /Image:InstallW10Custom.wim /Apply-Unattend:unattended.xml

Install a new Windows Server
- Config network with a static IP.
- Apply updates.
- Open inbound ports (Domain, Private):
  - Basic:
    - MECM – HTTP (TCP-In): 80, 8530
    - MECM – HTTPS (TCP-In): 443, 8531
    - MECM – RPC/WMI (TCP-In): 135
    - MECM – RPC/WMI (UDP-In): 135
    - MECM – SMB (TCP-In): 445
    - MECM – Client Notification (TCP-In): 10123
    - MECM – RPC Dynamic Ports (TCP-In): 49152-65536
    - MECM – ICMPv4
    - MECM – ICMPv6
  - If SQL service in the same server:
    - MECM – SQL Service (TCP-In): 1433
    - MECM – SQL Broker (TCP-In): 4022
- Add MECMPS to the local administrators group:
  - MECMPS must be able to install MECM on this server
- command prompt: sconfig.exe
  - Limit upgrading to manually > apply updates
  - Domain Join > Name: MECMOSD
    - Restart

Configuration from Domain Controller

Install Active Directory Certification Authority
- Open it: Create three certificates, one for every IIS, another for MECM distribution points and the last for the clients. +info
  - MMC.exe: Certification Authority
    - Manage: Certification Templates.
      - Duplicate: Web Server Template
        Windows server 2003, enterprise edition (selected)
        DN: MECM Web Server (IIS) Certificate
        Validity: 3 years
        o NOT allow private key to be exported
        Security:
        Remove Enterprise Admins permissions (enroll)
        Remove Domain Admins permissions (enroll)
        Add MECM_IIS_SiteServers_g (read, enroll)
      - Duplicate: Workstation Authentication Template
        Windows server 2003, enterprise edition (selected)
        DN: MECM Client Distribution Point (DP) Certificate
        Validity: 3 years
        v YES allow private key to be exported
        This certificate will be exported to our distribution points in MECM in order to configure HTTPS communication in management and software update point as well.
        Security:
        Add MECM_IIS_SiteServers_g (read, enroll)
        Remove (enroll) from Enterprise Admins group
      - Duplicate: Workstation Authentication Template
        Windows server 2003, enterprise edition (selected)
        DN: MECM Computer Certificate
        Validity: 3 years
        o NOT allow private key to be exported
        Security:
        Domain Computers (read, enroll, autoenroll)
      - Certificate Template (New)
        Certificate template to issue
        Select all the certificates created

Create or update a GPO called MECM Client Settings linked in Active Directory
- MMC: Group Policy Management
  - Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Deny log on locally
    - Add MECM_DenyLogOnLocally_g group
  - Computer / Windows Settings / Security Settings / Public Key Policies
    - Certificate Service Client – Auto-enrollment
      - Enable
        Renew Certificates…
        Update Certificates…
  - Add firewall rules to perform the MECM Client communication, predefined applications and ports used for client push installation and communication +info:
    - Windows Management Instrumentation (TCP, UDP-In): It includes port 135 and RPC access.
    - File and printing sharing (TCP-In): It’ll include ICMP, NetBIOS (optional) and SMB (p445) access.
    - MECM – RPC Dynamic Ports (TCP-In): 49152-65535 +info
    - Outbound connections are allowed by default, but I prefer setting up this rules in case something changes in the future:
      - File and printing sharing (TCP-Out): Same as inbound rule.
      - MECM – HTTP (TCP-Out): 80, 8530
      - MECM – HTTPS (TCP-Out): 443, 8531
      - MECM – Client Notification (TCP-Out): 10123

MECM Console from Primary Site Server

You must restart the servers first to ensure that they can access the certificate template created using the Read and Enroll permission
- command prompt: gpupdate /force
MMC: Certificates (Computer) > This procedure must be done in every IIS Server, every MECM Server that have IIS installed or required, in this lab I’ll reuse the same certificates for all the IIS. +info
- Personal
  - Certificates
    - All tasks > Request new certificate
      - MECM Distribution Point (DP) Certificate
      - MECM MECM Web Server (IIS) Certificate
        Properties
        Friendly Name
        MECM Web Server (IIS) Certificate
        Alternative name, Type DNS:
        MECMOSD
        MECMOSD.DOMAIN.LOCAL
        Enroll
    - Select: MECM Distribution Point (DP) Certificate
      - Export on MECM path
        Default: Personal Information Exchange – PKCS #12 (.PFX) option is selected
        v YES export the private key
        Security
        Select group MECM_IIS_SiteServers_g
        The members of this group will be able to import the certificate
        set a strong password
        save the certificate e.g. \\myserver\myshare$\cert\…

Internet Information Services (IIS) manager

As I said, on every IIS once we have requested the certificates, web server and distribution point (computer is autoenrolled), we’ll able to configure the IIS itself. MECMOSD doesn’t have software update point (no WSUS), so we’ll use the default branch of IIS, this will be the port 443 (HTTPS on MECMOSD), instead of port 8531 (HTTPS for WSUS on MECMPS)

Open IIS Manager +info
- Sites
  - Default
    - Edit Bindings (MECMOSD, MECMPS)
      - port 443, select “MECM Web Server (IIS) Certificate”
  - WSUS
    - Edit Bindings (MECMPS)
      - port 8531, select “MECM Web Server (IIS) Certificate”
    - SSL Settings (WSUS)
      - v Require SSL, client certificates (Ignore)
        ApiRemoting30
        ClientWebService
        DSSAuthWebService
        ServerSyncWebService
        SimpleAuthWebService

Command prompt: In each IIS Server with WSUS we need to configure SSL
- cd “%programfiles%\update services\tools”
  - wsusutil.exe configuressl mecmps.pagodait.local
    - URL: https://mecmps.domain.local:8531
  - The OSD Server will use the default configuration of IIS
    - wsusutil.exe configuressl mecmosd.pagodait.local
      - URL: https://mecmosd.domain.local:443

MECM Console from Primary Site Server

Administration
- Sites / Active Site: Properties
  - Communication Security
    - Use PKI if it is available
- Server and site system roles
  - Site System Roles
    - Distribution point: Properties
      - Communication:
        HTTPS
        Import Certificate
        MECM Client Distribution Point (DP) Certificate
    - Management point: Properties
      - Client connections: HTTPS
    - Software update point (MECMPS)
      - Require SSL communication to the WSUS Server
        Port 8531

Administration > Site Configuration
- Servers and site system roles
  - Create site system server (MECMOSD on same site): select roles.
    - Select install IIS
    - Distribution point (properties)
      - Enable PXE for clients
        Allow this DP to respond incoming PXE request
        Enable unknown computer support
        Enable PXE responder without WDS
        Security: Enter a password
        Win Boot will demand this password to continue with the deployment
    - Management point
    - (optional) State migration point
      - In order to capture settings and data before deploy the OS, ideal for production scenarios or if you want to upgrade OS.
  - Sites
    - Settings: Software Distribution
      - Add MECM_NAA user
    - Properties: Communication Security
      - Set the Root CA Certificate
        We need to connect the client computer to a management point that is set up to use HTTPS, when deploying a operating system this is means there are several certificates involved and need to be checked (not revoked).
Software Library > Operating Systems
- Operating System Images
  - Add OS (install.wim)
    - Schedule Updates
  - Distribute Content to MECMOSD
- Drivers
  - Create Structure in the logical volume as well (Manufacturer / Model)
    - download sources (.inf)
      - move to your structure
    - create a model package
      - move to your structure
- Boot Images
  - Add drivers packages if needed (e.g. network, storage)
  - Enable command support (testing only, LAB)
  - Distribute Content to MECMOSD
Assets and intelligence > Device collections
- Unknown computers
  - Add variable
    - OSDComputerName
      - This will permit us put a name before join the computer to the domain
Software Library > Operating Systems
- Task Sequence: New task
  - Only media and PXE
    - Although we can also add Configuration manager clients, as long as we have installed State Migration Point in our site, for saving data and settings before updating our production clients.
  - Deployment available (need to press F12 at boot on the client machine)
  - Apply unattended package
  - Config the MECM_DomainJoin user
    - move the computer on a specific Organizational Unit to apply domain policies
  - Add drivers packages
    - Query WMI: Apply drivers %model%
      - Deploy the task as available to Unknown Computers or other controlled collection

Select * From Win32_ComputerSystem WHERE Model LIKE "%Model%"

Done!!!

Additional OSD Server configuration

Increase the Speed of PXE Boot/TFTP when using MECM Distribution Point, the default value for RamDiskTFTPBlockSize is 4096 and for RamDiskTFTPWindowSize is 1, so we can increase this values progressively (2^n) until we find the ideal values for our network, I show you how to perform this task by powershell:

New-ItemProperty `
    -Path "HKLM:\SOFTWARE\Microsoft\SMS\DP" `
    -Name RamDiskTFTPBlockSize `
    -PropertyType DWord `
    -Value "8192" 
New-ItemProperty `
    -Path "HKLM:\SOFTWARE\Microsoft\SMS\DP" `
    -Name RamDiskTFTPWindowSize `
    -PropertyType DWord `
    -Value "4"

Logs to check

Server
- SMSPXE.log
- distmgr.log
- sitecomp.log
- wsyncmgr.log
Client
- SMSTS.log

Links:

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/recommended-hardware
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/plan-for-certificates
https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/troubleshoot-pxe-boot-issues

certificate, configmgr, HTTPS, MECM, OSD, PKI, PXE, SCCM, SSL

Operating System Deployment (OSD) with HTTPS/SSL in SCCM/MECM

About: Miguel Madrid

« Creating partitions on GNULinux

Install Certification Authority on Windows Server »