Using data dedupliation with Configuration Manager

Microsoft recetly published an blogpost with how we can use data deduplication with Configuration Manager.

Now the reason why you would use Data deduplication is to save space, since this works on a file level it allows us to remove redudant chunks on files within a volume.

So instead of having file with a chuch of A B C D E F F F we would just have A B C D E F, im simple terms . I have written about how to use data deduplication within one of m y previous posts here, this shows how to trigger a schedule and setting it up using PowerShell

Now in terms of using it with Configuration Manager, there are some couple of things you might want to note.It is supported using data deduplication on a distribution point, but not on the source files. Meaning that we can use deduplication on volumes where the content library is located. This on the other hand, allows us to reduce a good amount of storage on our distribution point, but again it requires that the server is running Windows Server 2012 or 2012 R2.

#configuration-manager, #system-center-2012

XenMobile vs Configuration Manager & Intune

So this is a discussion I often meet, and will come across more the next weeks and months ahead I belive Smilefjes
Many of the customers I work with are often a full blowen Citrix customer or more forwards Microsoft.

Many are facing the discussion mobility how do we embrace it ? (or from another point of view, how do we manage it ?) and they are doing some research and find often that XenMobile or Intune shows up. So whats the difference between the two ?

Citrix has a long time been the master of delivering workspaces to a user and to any type of device, and with the release of CloudGateway Enterprise they were entering towards delivering mobile based features (for instance allowing them to deliver mobile based applications to a user device trough Citrix client) and with the purchase of ZenPrise last year they went full in. Zenprise was a fullblown MDM solution and now they have integratet CloudGateway (Cloudgateway was the old product which included Storefront, Gateway and AppController) with ZenPrise which is now known as XenMobile Enterprise.

This fits well for Citrix’s image (any device anywhere) and now they can manage any device as well (as long as it is mobile). Also they have developed sandboxed based applications under the category Worx and they can also deploy any applications from the vendors different stores. These Worx applications use Micro-VPN functionality to connect to the infrastructure and are completely seperated from other apps inside the mobile client.
To break it down in components XenMobile (Enterprise) consists of
* Netscaler (Gateway)
* Storefront
* AppController
* XenMobile MDM
* Sharefile

Then on the other side you have Microsoft, which is coming from a client management standpoint, and they have been there for quite some time. With the latest release of Configuration Manager, Microsoft released a connection with Intune which allowed buisneses to manage mobile devices via Intune directly from Configuration Manager.
So all mobile devices needed to be setup to talk to Intune in order to be managed.
Configuration Manager has also expanding it support to include Linux / Mac / Thin Clients as well as mobile devices with Intune, so microsoft has operated in the management part for a long time.
Instead of aiminig for a on-premise solution Microsoft har put everything in their cloud. So whenever Microsoft deployes a new feature to Intune every customer of Intune gets it without needing to do anything.
They also have an integration to exchange to allow the IT-guys to control mobile devices trough Active Sync (this also includes Office 365)
There is a new intune release coming with a new release of Configuration Manager the 18th of October.

But can these two products compete?
Well… they have some of the same features which is device management, Citrix has more advanced features with XenMobile and with Worx and Micro-VPN etc. Microsoft has full support for Windows phone and Windows RT (And coming with iOS and Android with an company portal app pretty soon) and Intune might have what you need but nothing fancy.

What we need to remember is that Configuration Manager is a fullblown client management suite, with patching, deploying operating systems, applications, baselining, antivirus, with Intune it gets mobile device management capability. XenMobile is not in this category, it gives you mobile management, mobile application management, sandboxing applications, give any device application delivery trough Citrix Receiver.

So if you are a System Center customer with Configuration Manager and your IT-guys use ConfigMgr for management, adding Intune might be an easy way to go ahead, and by using Intune you leave the feature set to Microsoft, they need to continue development and will add more features as new release become available (So you will get the new releases for free since its a cloud based solution which you get buy a monthly basis). For other customers which needs advanced features such as selective wipe and the ability to seperate buisness and private data and more advanced security features and deep suppor for all vendors (Except Windows) XenMobile is for you. Zenprise was one of the market leading vendors before Citrix bought them up.

If you compare the cost (for Intune the cost pr user is 6$ pr month so for one year you have 72 USD. You also need Configuration Manager for it to make any sense.) You can also get a discount if you are EAS or EA agreement already which makes Intune more viable.
XenMobile Enterprise on the other hand is not so much more expensive then a regular Intune subscribtion of course it requires alot more infrastructure then Intune does.

So hopefully you got a bit more understanding on what seperates Intune from XenMobile! Smilefjes

#citrix, #configuration-manager, #intune, #sysctr, #system-center-2012, #xenmobile

Cloud based distribution points

Well, along time since I’ve managed to blog! Smilefjes But ill give a quick update about the book im writing. Im writing a book about Configuration Manager which is going to cover high-availability and performance tuning, really exiting times! It takes up alot of my time therefore my lack of blogging lately.
Anways, this is something I’ve post poned some while now, which is cloud based distribution points!

Cloud-based distribution points is something that came with Service Pack 1 in System Center. Cloud-based DPs are really much like a regular DP except for the following:

* You cannot use a cloud-based distribution point to host software updates
* You cannot use a cloud-based distribution point for PXE or multi-cast deployments
* You cannot use a cloud-based distribution point during a task sequence that requires a task to Download content locally when needed by running task sequence.
* You cannot use a cloud-based distribution point to offer packages that are setup with run from Distribution Point
* You cannot use a cloud-based distribution point to host virtualized applications
* You cannot set a cloud-based distribtuion point as pull-based or as source distribution point.

Content that is sent from the Configuration Manager to Azure is copied encrypted. In order to setup a Cloud DP you need a couple of things.
First of you need a management certificate which you can use against Azure you can follow my recipe from my previous post.

You also need to generate a certificate which should be created using the same PKI structure as for the regular Configuration Manager solution. This certificate should be created using the web server template. This certificate should contain a FQDN which your clients should be able to resolve using DNS.
You can read more about the certificate here –>

After these two prerequsites are in place we can create the distribution point (if you have SP1 the option to create one are under Administration –> Hierachy –> Cloud –>

Here we have to enter the subscripbtion ID this we can get from Azure and the management certificate.


Next we choose what region and what site this DP should be assosicated with, as well as add a certificate generated by our internal PKI for the DP.
Next we configure alerts and thresholds. After this is done we have to change the client policy to allow access to cloud DP


And we can se in the monitoring pane that the cloud DP is functional.


Under the FQDN enter a name for the server (which resembles the certificate name) this record has to be added the the DNS-zone either internally (if only for internal clients) or on the external zone) the IP-adress of the Distribution Point in Azure is found under cloud services.


After this is done, we also have to modify the clients policy settings to allow clients access to the distribution point. If you go into the storage blob and under containers you can see the different packages that have been distributed to the cloud DP.


If you want to scale out with more cores to the cloud DP you can go into the cloud service and use the scale function

after I have distributed content I can see the package ID under the container in the storage pane.


And there we go, will try to write up a follow-up which covers multi cloud DP points.

#configmgr, #configuration-manager-2012, #sysctr, #system-center-2012

Azure Pack configuration for Windows Server 2012 R2

So Microsoft has released the new wave of products into preview, including the next version of Katal (Azure Services) for Microsoft, called Azure Pack. This pack transforms your datacenter into Azure allowing users to sign up using plans and be able to use your infrastructure into a IaaS platform.

You can download the trial for Azure Pack here –>

Now there are some prerequisites for using this pack.
You can read more about them here –>

But in order to integrate Azure pack with your on-premise solution it uses Service Provider Foundation (Which is included in the Orchestrator installation media)


Not that this requires the installation of SCVMM 2012 R2 Console on the same machine as SPF since it uses the VMM APIs to communicate with it.

It also requires some other prerequisites such as


WCF Data Services 5.0 can be found here –>

.NET features 4.5 WCF is a part of .Net 4.5 which can be installed from Server Manager

Management ODATA IIS is also a part of 2012 R2 installation media

ASP.NET MVC 4 can be downloaded from here –>

Next we configure a database for use for SPF


In this database the SPF stores information such as
Usage Records
Gallery Items
And Tenants Stamps

Next we choose where to deploy the SPF files and what certificate we want to use.
In my case for this demo I used a self-signed certificate.


Next we define credentials for the admin web service


NOTE: If you choose Network Service here you need to make sure that the machine account is a VMM administrator

In my case I choose a Service Account and entered a domain user.
After that you are done with SPF


Next we move on to the Azure Pack installation
You can download the pack from here –>

All it does is download a profile which uses webdeploy.


Now by default it will install all the web roles on the same servere


Click I accept (ill come back to what the different roles do)
And Note this installing part may take some time.

After that is done, press Continue and ill will start the Service Management Configuration site.


It will open a browser window on the localhost on port 30101, and again we will have to define a Database and server for the Azure Pack.

Here you have the option to use a Windows user or a regular SQL user.
Remember that you have to enable Mixed Mode on the SQL server in order to use regular SQL users.


Make sure that you write down the passphrase. If you forget or lose this passphrase, there is no way to recover it. This is used to encrypt and decrypt the Configuration Store..

Next we define a FQDN for the host


After this is done it will start configuring the different roles on the Server


After that is done we continue on with the configuration


NOTE: You may need to log out of your system and log back in before you can access the management portal for administrators. This is due to Windows authentication and the need to add the security group to your security token.

If you continue to see an access denied error, even after logging back in, close all Internet Explorer windows, and run Internet Explorer as an administrator.

Now the setup will open a browser on port 30091 which is the default port for the management portal for administrators



Now you can see the difference between “Katal” and Azure Pack

Katal (The old version)


(Azure Pack the New one)


New stuff is including
Reporting provider (This is also a feature that is on the Orchestrator installation media)
Service Bus Clouds (Read more about setting up service bus here –> )
Automation (This requires Service Management Automation web service)

So in my case I define the Service Provider Foundation endpoint for Azure Pack
And then Go to VM Clouds and connect to my VMM Management Server.

Add some bugs when connecting to my cloud but after a IISreset it worked just fine


This gets the cloud container from VMM, from here I can view resources in my cloud


Now for the end-user I can sign up using the tenant portal.
Which is on the same server you installed Azure Pack only on port 30081 remember thou that you need to create a plan and publish it in order for users to subscribe to that plan.

Here I signed up with a regular user account


Choose Add Plan and select a public plan which was created on the management portal.
Note thou that here we have external users created we can also use AD authentication

For the tenant portal you can configure this using ADFS here –>

Note when you sign up for a plan you need to go back to the administration portal and approve the subscription.

Now If I want to automate a task associated with VM create I can do this in the management portal


All for this time, all dive in a bit more when I got the time Smilefjes 
Stay tuned

#active-directory, #azure, #service-provider-foundation, #system-center-2012, #windows-server-2012, #windows-server-2012-r2

One system to manage them all

Microsoft has seen that all environments aren’t all black and white. Some have Linux/Unix based systems, some have Mac’s and some are just sitting on a terminal such as Wyse or Igel.
And then there are some that just use a tablet (iPad or Android based) Some are lucky enough to have a Windows 8 RT based tablet such as Microsoft Surface or Samsung ATIV.
What problems arise with all these devices and consumerization of IT ?


With all the different components in the mix, IT is having a hard time managing all this different devices. They usually have different systems to manage different devices.
Since they usually have one system that is good on Unix but doesn’t have features that work on Android or IPhones. With the surge of next generation workers people wish to bring their own device within the business.
(This Dilbert comic shows the frustration that IT-people have in many occasions) Smile

Now Microsoft has been good at managing what they do best, Windows. They have done so since the first release of ConfigMgr in 1994 (Good old SMS) The biggest chance in ConfigMgr 2012 is that the system is now more User-Centric.
Meaning that the system is “aware” of users within the environment, previously it was aimed at just the device.
And with the upcoming release of Service Pack 1 there are multiple news that make the IT-admin work easier.

* Support for Linux/Unix based Systems
* Support for Mac OSX
* Support for Windows Embedded
* Support for Android and IPhones (5 & 6) (Using Windows Intune Connector)
* Support for Windows 8 Phones and Windows RT (Using Windows Intune Connector)

Now if you are missing some devices here, ConfigMgr also has support for devices that support Exchange ActiveSync, so therefore ConfigMgr can be the center of your IT-management infrastructure. It still remains to see what functionality comes with Intune connector to mobile devices. (And if it can compare with other MDM systems on the market.) the main problem with MDM is that people are concerned about their private data on their devices since IT in some forms can manage their devices.
You can read more about it here –>

You can look at this video interview with Wally Mead which is head of development of ConfigMgr if you wish to know more about Intune and SP1

Since a lot are competition on this front, ConfigMgr might gain the edge because of it’s wast support for devices, low cost and integration with other system center products.

Integration possibilities:

* System Center
* XenApp XenDesktop
* App-V
* Secunia
* AppSense
* + Much moresyst

With all these possibilities ConfigMgr can become a central point for managing all of your devices. 

#configmgr-2012, #system-center-2012

Automating Configuration Manager 2012 SP1 with PowerShell

First part of this series, I showed how you could run and install all the necessary prerequisites silent and automated, this time I will write a bit more instead of just adding the commands.
In Service Pack 1, Configuration Manager will finally include cmdlets for PowerShell this allows for a scripted and automated setup process. Therefore I took the liberty of creating this post which will show you how-to.

Now with this you can actually create a script for a new customer (If you already have knowledge of the customers infrastructure) with contains all the necessary you need to setup a fully site. Then where you are at the customer, run the script and take the rest of the day of.

Now what do we need in order to setup a fully Configuration Manager site?

We need a boundary group (Which contains a boundary, refer my earlier post –> ) Which again contains a distribution group and is assigned a site.
And we need to activate discovery objects to fetch information such as Users, Group, Computer objects.
We also need to setup AD publish (In case we did a manual ConfigMgr site agent install we wouldn’t have to setup this but for the administration ease we are going to do so)
Next we are going to Create Computer Collection which is going to include our test servers. We are also going to Create User Collection b
After that we are going to Create an application which we are going to deploy to our computer collection

All using PowerShell.
Now in order to start PowerShell against Configuration Manager, just click the file button inside the Console and press the Connect using PowerShell.

You can use the get-command –module ConfigurationManager to show all the commands available for Configuration Manager
You can also use the get-help cmdlets if you are unsure of the parameters that you need to use.
Also you can use the get-help cmdlets –examples if you want to show some examples.

NOTE: Will trying to get this fully automated, I find its hard with the current release of the PowerShell cmdlets but still I’ve gotten far.  So this post will be updated periodically.

Create a new Boundary: New-Cmboundary -type ADsite -value «Default-First-Site-Name»

Create a new BoundaryGroup: New-CmboundaryGroup -name Test -DefaultSiteCode TST

Add boundary to group:
Add-CMBoundaryToGroup -Boudaryid 16777218 -GroupName «Test»

I got this BoundaryID using Get-CMboundary since the command didn’t parse the value ID properly.

You can use the Get-Cmboundary and Get-CmBoundaryGroup to view the values. And you need to add the site code to the command so it assigns
that as the default site for the boundary group.

Get info from Active Directory Forest: New-CMactiveDirectoryForest -ForestFqdn demo.local -EnableDiscovery $true

Install Configuraiton Manager Agent: Install-CMClient -DeviceName ConfigMgr -includeDomainController $false -AlwaysInstallclient $false -SiteCode TST

Create a new device collection: New-CMdevicecollection -name «My Servers» -LimitingCollectionName «All Systems» -RefreshType Manual

Still more to come

#configmgr-2012, #configuration-manager-2012, #powershell, #system-center-2012

Beta of System Center 2012 Service Pack 1 released!

This update includes the following:
The Beta of System Center 2012 Service Pack 1 (“SP1”) enables System Center customers to jointly evaluate System Center 2012 with Windows Server 2012 and Windows 8. The Beta is for evaluation purposes only and not to be used in production as described in the EULAs associated with the product. No license keys are required to do this evaluation. The Beta includes updates and enhancements to the following System Center 2012 components:

  • Virtual Machine Manager
    • Improved Support for Network Virtualization
    • Extend the VMM console with Add-ins
    • Support for Windows Standards-Based Storage Management Service, thin provisioning of logical units and discovery of SAS storage
    • Ability to convert VHD to VHDX, use VHDX as base Operating System image
  • Configuration Manager
    • Deployment and management of Windows 8 and Windows Server 2012
    • Distribution point for Windows Azure to help reduce infrastructure costs
    • Automation of administrative tasks through PowerShell support
    • Management of Mac OS X clients and Linux and UNIX servers
    • Real-time administrative actions for Endpoint Protection related tasks
  • Data Protection Manager
    • Improved backup performance of Hyper-V over CSV 2.0
    • Protection for Hyper-V over remote SMB share
    • Protection for Windows Server 2012 de-duplicated volumes
    • Uninterrupted protection for VM live migration
  • App Controller
    • Service Provider Foundation API to create and operate Virtual Machines
    • Support for Azure VM; migrate VHDs from VMM to Windows Azure, manage from on-premise System Center
  • Operations Manager
    • Support for IIS 8
    • Monitoring of WCF, MVC and .NET NT services
    • Azure SDK support
  • Orchestrator
    • Support for Integration Packs, including 3rd party
    • Manage VMM self-service User Roles
    • Manage multiple VMM ‘stamps’ (scale units), aggregate results from multiple stamps
    • Integration with App Controller to consume Hosted clouds
  • Service Manager
    • Apply price sheets to VMM clouds
    • Create chargeback reports
    • Pivot by cost center, VMM clouds, Pricesheets
  • Server App-V
    • Support for applications that create scheduled tasks during packaging
    • Create virtual application packages from applications installed remotely on native server

So much interesting stuff here! looking forward to trying it out this week! Smile

#beta-sp1, #sp1, #system-center-2012

System Center 2012 and Integration Possibilities

With System Center 2012, Microsoft gathered all of their previous System Center products and gathered it as one large product.
So now in 2012, System Center now contains (Service Manager, Configuration Manager, Operations Manager, Data Protection Manager, Orchestrator, Virtual Machine Manager and App Controller)
It is split in two editions, one for standard and one for datacenter (standard is limited to running 2 OSE)

But all the features are there, and the magic with System Center 2012 is the integration possibilities which I’m going to list down. These integration possibilities are listed on what I know so far, if you have any info about other integrations that are possible please link send me some info Smile

Configuration Manager 2012:
Citrix XenApp (Can connect to XenApp to automate application delivery to XenApp servers, and use XenApp as an deployment type out to the user
Microsofot App-V (Can use Application virtualization as an deployment type out to users)
Citrix XenDesktop (Since you can use Configuration Manager to patch windows systems you can also use SCCM to patch VDI images
Microsoft Exchange (You will use this to manage your mobile devices that are connected to Exchange in SCCM console)
Microoft SCUP (Software Catalog Update Publisher you can use this to update software patches from for instance Adobe, Dell and HP)
Secunia (Corporate Software Inspector you can use this with SCCM to patch all of your software within your enviroment )
Microsoft MDT 2012 (You can integrate this with SCCM 2012 to improve and ease deployment of OS)
Dell Client Integration (For ease of Dell client deployment)
System Center Service Manager (For importing software and hardware information to the CMDB)
System Center Orchestrator (You have an own integration pack for automating SCCM tasks)
RES Workspace Manager (You can integrate with RES Workspace Manager in order to allow for SCCM to deploy applications to RES controlled servers/computers)
AppSense Application Manager (For deployment of UV agents and UV configurations)
Windows Intune (You can connect to your windows Intune account for sentral management)
Windows Azure ( You can deploy distribution Points in Windows Azure)
Wyse Device Manager (It is for 2007, but it will be for 2012 as well)
MDT 2012
Quest Management Xtensions
NOMAD 2012

Operations Manager 2012 (Mostly Management Packs)
System Center Service Manager (For importing of alerts for further investigation in Service Manager)
System Center Virtual Machine Manager (For PRO Performance and resource optimization )
Network Devices with SNMP V3
HP MP (For HP monitoring)
Dell MP (For Dell monitoring)
System Center MP( For System Center monitoring)
Citrix MP via ComTrade (For monitoring of Citrix components)
BIG-IP F5 Monitoring
System Center Orchestrator (For automating of tasks)
NetApp On-command (For monitoring of NetApp solutions)
Cisco USC (For monitoring of UCS solutions )
Brocade (Monitoring of Brocade storage)
IBM Hardware (For monitoring of IBM hardware)
Windows Azure (GSM for application monitoring)
NetApp monitoring

Virtual Machine Manager
Citrix Netscaler (For auto deployment of LB rules and access)
F5 BIG-IP (For auto deployment of LB rules and access )
Brocade ACX (For auto deployment of LB rules and access)
Citrix Xendesktop and PVS (For rapid deployment of vdi machines)
Citrix Xenserver (Allows to use SCVMM to manage XenServers)
Vmware vSphere (Allows to use SCVMM to manage vSphere)
Hyper-V (Allows to use SCVMM to manage Hyper-V
NetApp (Automated rapid provisioning of space-efficient VMs with System Center Virtual Machine Manager (SCVMM) or Windows PowerShell™ rapid provisioning cmdlets)
SMI-S (Is a standard storage API which work for most storage solutions)

Orchestrator (Mostly Integration Packs)
System Center 2012 (All of the products)
vSphere (Integration pack for automating of tasks)
NetApp (Integration pack for automating of tasks)
HP (ilo, Service Manager, Operations Manager) (Integration pack for automating of tasks)
IBM Tivoli ((Integration pack for automating of tasks)
Microsoft Exchange (Integration pack for automating of tasks)
EMC (Integration pack for automating of tasks)
Cisco UCS (Integration pack for automating of tasks)
IBM Tivoli

(This is a post which is under work, so not all the products are listed yet)

#integration, #system-center, #system-center-2012

Integrating XenApp and Configuration Manager 2012

Finally the day has come, as I mentioned in the previous post the TechPreview of XenApp connector for Configuration Manager 2012 is now released on Citrix.
or as they call it “Project Thor” it allows for a flexible application delivery solution that combines the best of both worlds (Configuration Manager and XenApp)
I’ve managed to deploy the connector and give you a demonstration of how it works.

The package consist of the client components ( Reciver etc) PCM (Power and Capacity Management Components ) And the Connector itself.
The Client Component XenAppDTHandler (Has to be installed on all the clients before you can use XenApp published)


And we start by installing the connector on the SCCM server.

Start and accept the license terms,

Include all the roles and extensions, click next and Install!



After the install is finished the setup will run the Integration Configuration itself,
So you should create a separate Service Account for this purpose.
You see the requirements it needs.
Note that if you have created a service account and forgot to add it to “log on as a service” rights Citrix will handle this for you.

So just click Yes and move forward,


After that specify a Citrix server that the connector will use. In my case I choose my only Citrix server, (Which has the Data store and the XML service )
Then the setup verifies that I can connect to the server, it not you will get an error message during verification.
After that you need to enter the Configuration Manager site (the Setup will automatically read the local site it is connected to)
And verify the connection.


If you get this error message you need to run the following commands.
Enable-PSremoting –Force
Set-item WSman:\localhost\Client\TrustedHosts hostname.domain.local –Force
Restart-Service winrm –Force

Then press Yes and continue.
Now you get the summary screen, press Apply.
If everything goes as planned you will get this screen Smile
(NOTE: you can also see these applications appear after the installation )


Now you can open the Configuration Manager console and under Software –> Application Management you can now see XenApp.
As you can see here we only have 1 option, which is “Create Publication”
This will create an published application on the XenApp server which is avaliable for Configuration Manager

We can start by publishing an application –>
In this case Notepad (This will by default appear under Applications/ConfigMgr12 on the XenApp console)
Click next –>
Choose a XenApp installed application –>
Choose the Command line click next –>
This wizard is much like the wizard in XenApp same configuration settings and so on. Click finish.


And here you have all the advanced settings like encrytion etc.If you open XenApp AppCenter you can now see the application (This update goes every 10 min but you can force an update to the XenApp server by running the sync tool installed)

so now we can create an deployment type with XenApp.

With the possibility which comes with SP1 (Mac and Linux support we have loads of options!)
Here we can add the newly created Notepad ( I fixed the display name before running the wizard Smile

Click next –> And we can create requirements for this deployment.
ill write more about this feature as soon as I have the time, with integration of SP1 as well, stay tuned Smile

NOTE: If you have some issues with the connector you can review the log files found under C:\Program Files\Citrix\XenApp Connector for ConfigMgr 2012\Connector Service\logs
NOTE: There is also created an Collection which consists of the XenApp servers. Do not edit this, the connector will add all the XenApp servers automatically from the farm.


#citrix, #configuration-manager-2012, #system-center-2012, #xenapp

SCCM 2012 and PKI

This is going to be a huge post, but hopefully someone will find it useful for future references Smile
In my previous SCCM 2012 post, I showed how-to install SCCM, but not how to configure it for encrypted communication.

So out-of-the box SCCM traffic goes unencrypted via HTTP, which is clear text. So if you manage to get inside the LAN, fire up an arpspoof or macof (or any other MITM method) you can
read the traffic going back and fourth from the client to the site servers. So therefore I’m going to show you how to install your very own Microsoft PKI infrastructure and how you enroll the different types of Certificates that you need in order for SCCM to encrypt traffic.

Before I start, I want to show you how I designed my lab for this demo. This is in a fully virtual lab environment, much of the setup I do here is not “Best Practice” but in order to make this post readable, I wanted to keep it as short as I possibly could. I have excluded much of the setup regarding CRL, OSCP and config files (If you are unfamiliar with these terms go to this page )

In my lab I have

1 * SQL Server (Running the Configrmgr site SQL database)
1 * ADCS (Active Directory Certificate Services) Server running Enterprise Subordinate CA (Which we are going to install in this post ) Running Server 2008 R2 Enterprise
1 * ADCS Server running Stand-alone root CA (Is also going to be installed in this post ) Running Server 2008 R2 Enterprise
1 * ConfigrMgr server ( Which was installed in a previous post  )

What we are going to start with is the Stand-alone root CA, this is a server that is not connected to the network (For security reasons, and therefore not domain joined) Since we are going to create a trusted root CA, which the sub CA is going to use to issue certificates. The reason why I setup a two-tier PKI is because this is the most common used setup.

To but we do first, is install a virtual computer with server 2008 r2 ( or regular 2008 ) after the server is finished installing, you start by installing the server role ADCS


Click next and choose Certification Authority


Click next and choose Standalone CA (As you can see Enterprise is unavailable since this server is not a part of a domain )


Click next and choose Root CA,


Click next and choose “Create a new private Key”


Click next, and next again ( Let it stay at the default on Cryptography )  and here by default it uses the hostname of the server (Since this was a fresh install and had the jibber is name WIN-i3ou423io I changed the name to ROOTCA1 (Which is the name that will appear on the trusted root certificate )


Click Next, next and Install.
Now after it is finished installing, go to the folder C:\windows\system32\certsrv\certenroll
There you will now have 2 files.

1 . crt file (Which is the Trusted root certificate)
1 . crl file (Which is the Certification Revocation List, which is basically a list that contains all the certification that have been revoked )

Now we have to export these files and import them on the subordinate server, so we have to install that first before we can continue. But after it is installed open a powershell prompt as a domain admin. Run the following commands.

certutil –dspublish –f filename.crt RootCA

certutil –addstore –f root filename.crt
certutil –addstore –f root ROOTCA1.crl

The first command places the root CA public certificate into the Configuration container of Active Directory. Doing so allows domain client computers to automatically trust the root CA certificate and there is no additional need to distribute that certificate in Group Policy. The second and third commands place the root CA certificate and CRL into the local store of the SUBCA. This provides SUBCA immediate trust of root CA public certificate and knowledge of the root CA CRL. SUBCA could obtain the certificate from Group Policy and the CRL from the CDP location, but publishing these two items to the local store on SUBCA is helpful to speed the configuration of SUBCA as a subordinate CA.

If you open the Local Certificate store on the server you can see that the Root CA and the Root CA CRL is in the local store.



Now we can continue with the Sub-ordinate install ADCS.
The Setup is basically the same,


Instead we choose Enterprise CA, click next.


Choose Subordinate CA, click next.


Here we choose “Save a certificate request to file” and choose a location. We need to copy this file over to the Root CA and issue a certificate in order to make the CA operational.
Click Next, and install. After you finished installing copy the file to the Root CA. Open a command prompt (ON THE ROOT CA) (PowerShell) And type the command
certreq -submit F:\APP1.corp.contoso.com_corp-App1-CA.req (remember to change the file name to match the one you have)

After you have done that, open the Certification Authority  MMC, Expand  and then click Pending Requests.

Choose the certificate and click “Issue” now we have to copy the certificate back to a removable drive.
Open a powershell promt and run the command certreq –retrieve <RequestId> F:\filename.crt.

You can see the Request ID in the Issued Certificates tab.
Click enter and choose the ROOTCA1 from the List and click OK.

This command, will copy the certificate of the server + the root CA certificate and crl.
(If not go to the Windows\System32\certsrv and copy the other files as well)

After you have copied the files to a removable drive you can turn of the Root CA as it is no longer needed.

Now back to the Subordinate CA, open the Certification Authority mmc. Right click on the server click All Tasks, and then click Install CA Certificate.

In the Select file to complete CA installation, set the file type to X.509 Certificate (*.cer; *.crt) and then navigate to the removable media and select hostname.crt. Click Open, now that we’ve imported the certiciate we can start the service.


Now what did we actually do here ?
First we setup the Root CA, which is the center of trust in this case(Tier 1). We created a Enterprise Root Certificate, we exported the Enterprise Root CA to Active Directory and to the Subordinate CA. And we installed a subordinate CA, made a certificate request, imported that to the root CA and issued the request. What it  basically does is that the sub-ca says to the root “I have a request, I wish to issue certificates” and then the
root ca says to the subordinate. “I trust you, here is your certificate so now you can issue certificates on my behalf”
Since all the domain computers get the Root CA certificate in the trusted root certificate authorities, they will automatically trust all the certificates that the Subordinate CA issues to the domain.

Hopefully that made some sense Smile
Now we are done with the PKI setup, now we have to start with the SCCM part of the certificates.
What kind of certificates do SCCM need ?

In this demo we are going to create two templates that will automatically deployed via AD.

  • ConfigMgr Client Certificate

By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.
With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.

  • ConfigMgr Web Server Certificate

This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).

You can see the entire list here.

Lets start with the Client Certificate
On the subordinate root CA open the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console

right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.


In the Duplicate Template ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. (2008 Server is not supported by ConfigMgr 2012)

In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.

Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Auto enroll. Do not clear Enroll (This gives domain computers the permission to get this certificate)


Click Ok, and close the Console.

Now back to the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Certificate, and then click OK.


Next we need to create a group policy that allows the clients in the domain to do auto enrollment.

Open the group policy management console, and create a new group policy object.

In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies

Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.

From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK.


Then close the Group Policy Management Console.

If you have a client computer in the domain, reboot the computer. When the client is finished booting the client will check its policy.
1: See that it has auto enrollment enabled
2: See what certificates it has access to (Since we added Domain computers to the ConfigMgr client certificate, it fill automatically fetch a certificate from the subordinate CA)

You can double check this by opening the local certificate store on the client computer.


Now we need to repeat this for creating a certificate template for the Configmgr server roles.
Follow the same steps as before, but there are some other changes.
Instead of the Workstation template, choose the Webserver template and choose duplicate template.

Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.

Click the Subject Name tab, and make sure that Supply in the request is selected.

Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. Click Add, enter the name of the configmgr computer names in the text box, and then click OK. Select the Enroll permission for this group or computer account, and do not clear the Read permission. (This gives the ConfigMgr server right to enroll for this template) Then click OK.


In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue

In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Web Server Certificate, and then click OK.

Now head over to the ConfigMgr server.

Open the local Certificate Store on the server, select computer account. Click on the personal store, Right-click Certificates, click All Tasks, and then click Request New Certificate.


On the Before You Begin page, click Next

If you see the Select Certificate Enrollment Policy page, click Next.

On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.


In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.

In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.

On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.


Now the ConfigMgr server will have a certificate available which I can use.
Open IIS Manager, Expand Sites, right-click Default Web Site, and then select Edit Bindings.

Click the https entry, and then click Edit. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificates template, and then click OK. After that is done, close the console.

Since I’ve done this after the SCCM got installed, I have to do some configuration in the console as well. Go to Administration –> Sites –> Right click and choose properties, go to client computer communication –> Choose use HTTPS and import the Root CA crt in the bottom menu.

Now im going to install the SCCM client on a new computer and see that its communicating on port 443. As you can see during the install, the setup looks for a certificate under the Personal Store on the computer, and uses that in order to communicate with the site server.

Now if I open the agent on the client I can see that it says client certificate it says PKI,

Now If I choose a Action like fetch Machine Policy, It should communicate with the Site server using https:
I can also open the Application portal, and it should be using the new certificate.

And Voila there you have it, encrypted communication between client and ConfigMgr site server (Management Point) My next blog will include the Distribution point, which uses a diffenrent type of certificate.
If you choose https mode on DP after you completed this demo you will get some error messages from your client.

#adcs, #certificate, #pki, #sccm-2012, #sccm-and-pki, #system-center-2012