Operating System Deployment (OSD) with HTTPS/SSL in SCCM/MEM

Microsoft recommends using HTTPS for all Configuration Manager communication paths, although it is not always possible to manage correctly because of the growing number of certificates involved. In addition, SCCM communication over HTTP will soon be discontinued.

Prerequisites

  • SCCM Server installed and configured with a compatible ADK, server firewall rules, database,… In my case it will be a primary site managing intranet clients, following the Hardware Requirements for less than 25000 clients.
  • At least, one domain controller server with the following roles:
    • Active Directory
      • At least these service users and groups:
        • SCCM_NAA: Network Access Account. It must only read the shared resources.
        • SCCM_DomainJoin: This user has special permissions over the domain, such as creating and deleting computer objects and changing computer passwords… Nothing else.
        • SCCM_IIS_SiteServers_g: All the IIS servers are SCCM servers with Internet Information Services installed as a web server.
        • SCCM_SiteServers_g: All SCCM Servers, including those that don’t have IIS installed.
        • SCCM_DenyLogOnLocally_g: None of the service users must be able to log on locally to any system in our network; I'll use this group in a Group Policy.

Steps for Operating System Deployment on SCCM with HTTPS

It’s not necessary to follow a strict order, since while you are waiting for the completion of some tasks you can perform others.

  • Get the image indexes of the install file:
DISM.exe /Get-ImageInfo /ImageFile:install.[esd|wim]
  • Convert to WIM (the index comes from the previous command; the option is /Export-Image and /SourceIndex takes no space before the number):
DISM.exe /Export-Image /SourceImageFile:install.esd /SourceIndex:<Number> /DestinationImageFile:install.wim /Compress:max /CheckIntegrity
  • Windows SIM (ADK)
    • Create an unattended.xml file from the WIM file:
      • enable/disable packages
      • OOBE
        • Create a SCCM package or…
Dism /Image:<mount directory of InstallW10Custom.wim> /Apply-Unattend:unattended.xml
  (the /Image option takes the directory where the WIM has been mounted with /Mount-Image, not the .wim file itself)
  • Install a new Windows Server
    • Config network with a static IP
    • Apply updates
    • Open inbound ports (Domain):
      • Basic: 80,8530 (HTTP); 443,8531 (HTTPS); 135 (RPC); 445 (SMB/USMT)
      • If SQL service: 1433 (SQL Server); 4022 (SQL Broker)
    • Add SCCMPS to the local administrators group:
      • SCCMPS must be able to install SCCM on this server
    • command prompt: sconfig.exe
      • Limit upgrading to manually > apply updates
      • Domain Join > Name: SCCMOSD
        • Restart

Configuration from Domain Controller

  • Install Active Directory Certification Authority
    • Open it: Create three certificate templates, one for every IIS, another for the SCCM distribution points and the last one for the clients.
      • MMC.exe: Certification Authority
        • Manage: Certification Templates.
          • Duplicate: Web Server Template
            • Windows server 2003, enterprise edition (selected)
            • DN: SCCM Web Server (IIS) Certificate
            • Validity: 3 years
            • Do NOT allow the private key to be exported
            • Security: 
              • Remove Enterprise Admins permissions (enroll)
              • Remove Domain Admins permissions (enroll)
              • Add SCCM_IIS_SiteServers_g (read, enroll)
          • Duplicate: Workstation Authentication Template
            • Windows server 2003, enterprise edition (selected)
            • DN: SCCM Client Distribution Point (DP) Certificate
            • Validity: 3 years
            • Allow the private key to be exported
              • This certificate will be exported to our distribution points in SCCM in order to configure HTTPS communication in management and software update point as well.
            • Security: 
              • Add SCCM_IIS_SiteServers_g (read, enroll)
              • Remove (enroll) from Enterprise Admins group
          • Duplicate: Workstation Authentication Template
            • Windows server 2003, enterprise edition (selected)
            • DN: SCCM Computer Certificate
            • Validity: 3 years
            • Do NOT allow the private key to be exported
            • Security: 
              • Domain Computers (read, enroll, autoenroll)
          • Certificate Template (New)
            • Certificate template to issue
              • Select all the certificates created
  • Create or update a GPO called SCCM Configurations linked in Active Directory
    • MMC: Group Policy Management
      • Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Deny log on locally
        • Add SCCM_DenyLogOnLocally_g group
      • Computer / Windows Settings / Security Settings / Public Key Policies
        • Certificate Service Client – Auto-enrollment
          • Enable
            • Renew Certificates…
            • Update Certificates…
      • Add firewall rules to perform the SCCM Client communication, predefined applications:
        • Windows Management Instrumentation (WMI)
        • File and Printer Sharing

SCCM Console from Primary Site Server

  • You must restart the servers first to ensure that they can access the certificate template created using the Read and Enroll permission
    • command prompt: gpupdate /force
  • MMC: Certificates (Computer) > This procedure must be done on every IIS server, that is, every SCCM server that has IIS installed or required; in this lab I'll reuse the same certificates for all the IIS servers.
    • Personal
      • Certificates
        • All tasks > Request new certificate
          • SCCM Distribution Point (DP) Certificate
          • SCCM Web Server (IIS) Certificate
            • Properties
              • Friendly Name
                • SCCM Web Server (IIS) Certificate
              • Alternative name, Type DNS:
                • SCCMOSD
                • SCCMOSD.DOMAIN.LOCAL
                  • Enroll
        • Select: SCCM Distribution Point (DP) Certificate
          • Export on SCCM path
            • Default: Personal Information Exchange – PKCS #12 (.PFX) option is selected
            • Export the private key
            • Security
              • Select group SCCM_IIS_SiteServers_g
                • The members of this group will be able to import the certificate
              • set a strong password
                • save the certificate e.g. \\myserver\myshare$\cert\…

Internet Information Services (IIS) manager

As I said, once we have requested the certificates on every IIS server (web server and distribution point; the computer certificate is autoenrolled), we'll be able to configure IIS itself. SCCMOSD doesn't have a software update point (no WSUS), so we'll use the default site of IIS, which means port 443 (HTTPS on SCCMOSD), instead of port 8531 (HTTPS for WSUS on SCCMPS).

  • Open IIS Manager
    • Sites
      • Default
        • Edit Bindings (SCCMOSD, SCCMPS)
          • port 443, select "SCCM Web Server (IIS) Certificate"
      • WSUS
        • Edit Bindings (SCCMPS)
          • port 8531, select "SCCM Web Server (IIS) Certificate"
        • SSL Settings (WSUS)
          • Require SSL, client certificates: Ignore
            • ApiRemoting30
            • ClientWebService
            • DSSAuthWebService
            • ServerSyncWebService
            • SimpleAuthWebService
  • Command prompt: In each IIS Server with WSUS we need to configure SSL
    • cd "%programfiles%\update services\tools"
      • wsusutil.exe configuressl sccmps.pagodait.local
        • URL: https://sccmps.domain.local:8531
      • The OSD Server will use the default configuration of IIS
        • wsusutil.exe configuressl sccmosd.pagodait.local
          • URL: https://sccmosd.domain.local:443
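Before pointing the management point and distribution points at HTTPS, it is worth checking that the certificate bound to the IIS port is actually the one you expect: Server Authentication EKU, the server FQDN in the subject alternative name, a private key on the box, and a chain that builds to the enterprise root with an online revocation check (the same check the clients perform during OSD). This is an added verification script, not part of the original post; it assumes the IIS WebAdministration module is present and uses sccmosd.domain.local and port 443 as placeholders (use 8531 for the WSUS site on SCCMPS).

```powershell
# Added example: verify the certificate behind an IIS HTTPS binding on a site system.
# Assumptions: WebAdministration module available; $Fqdn/$Port are placeholders to adjust.
Import-Module WebAdministration
$Fqdn = 'sccmosd.domain.local'
$Port = 443

# Locate the HTTPS binding on the chosen port and the certificate hash it uses
$binding = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like "*:$Port:*" } | Select-Object -First 1
if (-not $binding) { throw "No HTTPS binding found on port $Port" }
$thumb = $binding.certificateHash
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what the Web Server template issues
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

# SAN must contain the FQDN that clients (and wsusutil configuressl) will use
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
$hasFqdn = $sanText -match [regex]::Escape($Fqdn)

# Build the chain with an online revocation check, as an OSD client would
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Thumbprint    = $thumb
    Subject       = $cert.Subject
    ExpiresOn     = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEKU = [bool]$hasServerAuth
    SanHasFqdn    = [bool]$hasFqdn
    ChainValid    = $chainOk
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}
```

Any property reporting False (or a non-empty ChainStatus such as RevocationStatusUnknown) points at the template, the SAN entered during enrollment, or CRL reachability from the site server, all of which will also break the client side of OSD.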

SCCM Console from Primary Site Server

  • Administration
    • Sites / Active Site: Properties
      • Communication Security
        • Use PKI if it is available
    • Server and site system roles
      • Site System Roles
        • Distribution point: Properties
          • Communication:
            • HTTPS
            • Import Certificate
              • SCCM Client Distribution Point (DP) Certificate
        • Management point: Properties
          • Client connections: HTTPS
        • Software update point (SCCMPS)
          • Require SSL communication to the WSUS Server
            • Port 8531
  • Administration > Site Configuration
    • Servers and site system roles
      • Create site system server (SCCMOSD on same site): select roles.
        • Select install IIS
        • Distribution point (properties)
          • Enable PXE for clients
            • Allow this distribution point to respond to incoming PXE requests
            • Enable unknown computer support
            • Enable PXE responder without WDS
            • Security: Enter a password
              • The boot image will prompt for this password before continuing with the deployment
        • Management point
        • (optional) State migration point
          • In order to capture settings and data before deploying the OS; ideal for production scenarios or if you want to upgrade the OS.
      • Sites
        • Settings: Software Distribution
          • Add SCCM_NAA user
        • Properties: Communication Security
          • Set the Root CA Certificate
            • The client computer must connect to a management point that is set up to use HTTPS. When deploying an operating system this means several certificates are involved, and each of them needs to be validated (chain to this root CA and not revoked).
  • Software Library > Operating Systems
    • Operating System Images
      • Add OS (install.wim)
        • Schedule Updates
      • Distribute Content to SCCMOSD
    • Drivers
      • Create Structure in the logical volume as well (Manufacturer / Model)
        • download sources (.inf)
          • move to your structure
        • create a model package
          • move to your structure
    • Boot Images
      • Add drivers packages if needed (e.g. network, storage)
      • Enable command support (testing only, LAB)
      • Distribute Content to SCCMOSD
  • Assets and intelligence > Device collections
    • Unknown computers
      • Add variable
        • OSDComputerName
          • This lets us set a computer name before joining the computer to the domain
  • Software Library > Operating Systems
    • Task Sequence: New task
      • Only media and PXE
        • Although we can also target Configuration Manager clients, as long as we have installed a State Migration Point in our site, to save data and settings before upgrading our production clients.
      • Deployment available (need to press F12 at boot on the client machine)
      • Apply unattended package
      • Config the SCCM_DomainJoin user
        • move the computer on a specific Organizational Unit to apply domain policies
      • Add drivers packages
        • Query WMI: Apply drivers %model% (condition on the step):
Select * From Win32_ComputerSystem WHERE Model LIKE "%Model%"
      • Deploy the task as available to Unknown Computers or another controlled collection

Done!!!

Additional OSD Server configuration

  • Increase the speed of PXE boot/TFTP when using an SCCM distribution point. The default value of RamDiskTFTPBlockSize is 4096 and that of RamDiskTFTPWindowSize is 1, so we can increase these values progressively (powers of 2) until we find the ideal values for our network. -Force lets the command overwrite the values on each iteration instead of failing because the property already exists:
New-ItemProperty `
    -Path "HKLM:\SOFTWARE\Microsoft\SMS\DP" `
    -Name RamDiskTFTPBlockSize `
    -PropertyType DWord `
    -Value 8192 `
    -Force
New-ItemProperty `
    -Path "HKLM:\SOFTWARE\Microsoft\SMS\DP" `
    -Name RamDiskTFTPWindowSize `
    -PropertyType DWord `
    -Value 4 `
    -Force

Logs to check

  • Server
    • SMSPXE.log
    • distmgr.log
    • sitecomp.log
    • wsyncmgr.log
  • Client
    • SMSTS.log

Links:

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/recommended-hardware
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/plan-for-certificates
https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/troubleshoot-pxe-boot-issues