Automate client certificate request and installation

  • Question

  • I have ConfigMgr 2012 R2 configured to only listen on HTTPS for all client computer communications, and I also have an internal Windows 2008 CA server for issuing certificates. Now, in order to successfully install the ConfigMgr client on a computer, I have to manually request/install the Workstation Authentication certificate first.

    I’d like to automate the ConfigMgr client installation process but don’t know how to automate the certificate request/installation piece on all computers. How do I configure my clients to automatically request and install “Workstation Authentication” certificate if they don’t have one already installed?

    Gucci100

    Tuesday, February 25, 2014 10:58 PM

Answers

  • You are welcome. Always happy to help. Don't forget to mark the answer(s) that solved your problem to help those who stumble upon this thread :-)


    Dustin Estes - MCP | www.dustinestes.com

    • Marked as answer by Gucci100 Wednesday, February 26, 2014 7:50 PM
    Wednesday, February 26, 2014 7:46 PM

All replies

  • That's the purpose of using an Enterprise CA in Windows -- it integrates into AD and enables both auto-enrollment and auto-renewal. I suggest you look into this as enrollment is truly only a small portion of the battle; renewal is a much bigger challenge.

    If for whatever reason you decide that you cannot have an Enterprise CA, then you should be able to script things out using PowerShell or certutil. Hiring a competent consultant/contractor will help you get there.


    Jason | http://blog.configmgrftw.com

    • Proposed as answer by Dustin Estes Wednesday, February 26, 2014 7:59 PM
    Wednesday, February 26, 2014 12:04 AM
  • Jason is right. You have to set up the certificate for autoenrollment. It is much easier than it sounds. Here is a simplified order of operations:

    • Configure security on the Workstation Authentication certificate template so that "Autoenroll" is enabled for the desired security group (such as Authenticated Users).
    • Enable autoenrollment settings in Group Policy so your clients check into the cert server and pull back their corresponding cert. Detailed steps are here

    Dustin Estes - MCP | www.dustinestes.com

    • Proposed as answer by Dustin Estes Wednesday, February 26, 2014 7:57 PM
    Wednesday, February 26, 2014 3:08 AM
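
    An added check for the two steps above (this is example code, not from the thread or from Dustin): run elevated on a client to confirm the machine autoenrollment policy from the GPO has actually applied, see whether a client-authentication certificate from the issuing CA is already in the machine store, and if not, trigger an autoenrollment pass and re-check. The CA name is a placeholder you must replace.

```powershell
# Placeholder for your issuing CA's subject (assumption, not from the thread)
$ExpectedIssuerCN = 'CN=CORP-ISSUING-CA'
$ClientAuthEku    = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required by ConfigMgr HTTPS clients
$TemplateExtOid   = '1.3.6.1.4.1.311.21.7' # Certificate Template Information (v2 templates)

function Get-ClientAuthCert {
    # Valid, private-key-backed client-auth certs issued by our enterprise CA
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Issuer -like "*$ExpectedIssuerCN*" -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $ClientAuthEku)
    }
}

# 1. Has the "Certificate Services Client - Auto-Enrollment" computer policy applied?
#    AEPolicy = 7 is the value written when both "Renew expired certificates..." and
#    "Update certificates that use certificate templates" are ticked.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($aePolicy -ne 7) {
    Write-Warning "Machine autoenrollment policy not applied (AEPolicy='$aePolicy', expected 7). Run 'gpupdate /force' and re-check the GPO scope."
}

# 2. Is a usable certificate already present? If not, kick off autoenrollment now
#    instead of waiting for the next scheduled Group Policy refresh.
$cert = Get-ClientAuthCert
if (-not $cert) {
    Write-Host "No client-auth certificate from $ExpectedIssuerCN found; triggering autoenrollment..."
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 20
    $cert = Get-ClientAuthCert
}

if ($cert) {
    foreach ($c in $cert) {
        # Show which template issued it, so a cert from the wrong template is obvious
        $tpl = $c.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }
        [pscustomobject]@{
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
            Template   = if ($tpl) { $tpl.Format($false) } else { '(v1 template / no template extension)' }
        }
    }
} else {
    Write-Error "Still no certificate. Verify the template grants Enroll + Autoenroll to this computer's group and is published on the CA (certutil -template)."
}
```

    If the policy value is correct but enrollment still fails, the Application log source "CertificateServicesClient-AutoEnrollment" on the client records the CA's reason for refusing the request.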
  • My CA is already configured for autoenrollment. For autoenrollment to work, the client has to submit the request first, and that's where I'm having a problem. How do you get a client to submit the request automatically for a specific certificate template?

    Thanks

    Wednesday, February 26, 2014 5:57 PM
  • That's what I was telling you. You enable the security rights on the certificate template. Then you need to follow the instructions in the link to configure Group Policy to allow the clients to request the certificate automatically.

    Group policy tells the clients to check the CA server for any certificates they have rights to autoenroll into. They then enroll in that certificate.

    Dustin Estes - MCP | www.dustinestes.com


    • Edited by Dustin Estes Wednesday, February 26, 2014 6:00 PM clarity
    Wednesday, February 26, 2014 5:59 PM
  • Dustin is correct. With an Enterprise CA, the process is completely automatic given that you've set your permissions on the templates correctly.

    Incidentally, are you using a CA installed on Windows Enterprise or Windows standard?


    Jason | http://blog.configmgrftw.com

    Wednesday, February 26, 2014 6:23 PM
  • Incidentally, are you using a CA installed on Windows Enterprise or Windows standard?


    Jason | http://blog.configmgrftw.com

    You are absolutely right, Jason. I completely forgot that when I got certified on 2008 there was a specific question regarding the difference in Std and Ent. Only Ent could do auto-enrollment. It seems, though, that this has changed with 2008 R2. The table on this link states that both versions allow for autoenrollment, with an "*" at the bottom stating this feature is new for R2.

    Jason is on the right path here. I noticed you stated that you have an internal "2008 CA"; is this R2?


    Dustin Estes - MCP | www.dustinestes.com

    Wednesday, February 26, 2014 7:28 PM
  • My CA is enterprise.

    I set the GPO to allow clients to request certificates automatically as suggested by Dustin and it's now working. Thank you both Dustin and Jason, much appreciated!!!

    Wednesday, February 26, 2014 7:36 PM