locked
Tips for Deploying Internet-Based Clients RRS feed

  • Question

  • Hi,

    I need to deploy the SCCM 2012 Client along with the Root CA Cert and Client Cert to around 150 Remote Users - What are the recommendations on doing this?

    What I want to do is email a link to all my remote users that they click on, download a package and it installs automatically with elevated admin rights.

    I have the SCCM package and I can script it to install on users computers with elevated admin rights easily enough, but I have no idea how to install the certificates without remotely controlling computers and manually installing using certmgr.msc.

    Appreciate any assistance.

    Regards,

    Andrew

    Tuesday, January 15, 2013 2:16 AM

Answers

  • certutil can be used to install certs. I haven't explicitly looked, but I bet PowerShell can also. I would be very careful sending something out via e-mail that can essentially self-elevate because that is entirely too similar to malware -- make sure you at least sign it. Also, this means you are probably embedding a password which could also be dangerous -- just because it's an exe doesn't make it protected as any "fool" with a hex editor can open an exe and find all the text inside of it.

    Jason | http://blog.configmgrftw.com

    • Marked as answer by Andrew_Fury Wednesday, January 16, 2013 10:21 PM
    Tuesday, January 15, 2013 3:28 AM

All replies

  • certutil can be used to install certs. I haven't explicitly looked, but I bet PowerShell can also. I would be very careful sending something out via e-mail that can essentially self-elevate because that is entirely too similar to malware -- make sure you at least sign it. Also, this means you are probably embedding a password which could also be dangerous -- just because it's an exe doesn't make it protected as any "fool" with a hex editor can open an exe and find all the text inside of it.

    Jason | http://blog.configmgrftw.com

    • Marked as answer by Andrew_Fury Wednesday, January 16, 2013 10:21 PM
    Tuesday, January 15, 2013 3:28 AM
  • Thanks I will have a look into Certutil!

    I was thinking of using powershell but we don't have it installed on our remote computers so that ruled that out.

    Tuesday, January 15, 2013 4:21 AM
  • Certutil did the trick! Thank you for that!
    Wednesday, January 16, 2013 10:20 PM
  • Unfortunately Certutil only covered our Windows 7 clients, not the Windows XP ones.

    Is there a utility that does the same thing for Windows XP?

    Monday, February 11, 2013 4:45 AM
  • There is a certutil for XP, you need to get it from the Windows Server 2003 RK I believe.

    Jason | http://blog.configmgrftw.com

    Monday, February 11, 2013 2:33 PM
  • Monday, February 11, 2013 10:35 PM
  • Yer I just found the Certutil for Windows XP in the Windows 2003 Admin Pack, that worked a treat.

    I certainly use GPOs to install the certs for majority of our fleet however this is for remote notebooks that never connect to the internal network to receive group policy.

    Monday, February 11, 2013 10:52 PM
  • Glad Jason could be of assistance!
    Monday, February 11, 2013 10:54 PM