SCCM 2012 - Pull distribution point and target PKI or HTTPS DPs

  • Question

  • I have spent several days researching this and so far have found only a single page that even takes a stab at offering a solution.


    Trying to target an HTTPS DP when creating a pull distribution point in SCCM 2012 R2. The link that I'm referring to that does offer a workaround is here (guess I can't post a link, but it ends with the following: how-to-set-an-https-distribution-point-as-a-source-dp-for-pull-dps).

    I have several problems with the proposed solution.

    1. Is a script really the only way to proceed with something that has up till now been a built-in feature with the rest of the product?
    2. You have to provision the DP to use a self-signed cert initially for it to even work, then supposedly you can add the private key to the DP later.
    3. Does that mean I have to unbind the cert from both the pull and target/source push DP in IIS?
    4. PowerShell, which would be a logical way to go, doesn't seem to make any headway (Mr. Snover, I know you don't oversee configman, but please push for more documentation; you've taught me to live and die by get-help. A single example for a command as large as set-cmdistributionpoint or add-cmdistributionpoint is a shame. Perhaps my update help just didn't finish properly and I'm talking prematurely. If that is the case then I apologize!)

    Is there no other solution than to build the DP with a self-signed cert, then run this VB script and then switch the private key later? I have read through a lot of the pull DP documentation and it makes mention of leveraging the SDK, but I haven't seen anything definitive. I would like to at the very least convert this from VB to PowerShell (if that script is the only option), and I know how to convert the portions where it's interacting with the site's WMI namespace (smsprovider if I'm not mistaken). What I don't know how to do, or rather don't have the chops for, is what comes after. The site control file piece, I see it's also WMI, and I could spend the time stepping through the different pieces and just might, to learn more about SCCM in the lab anyhow. I've spent the last year getting to know PowerShell and have spent next to no time with VB. I know enough to recognize what a script is doing.

    The environment:

    The reason this is important for me is I'm about to start the production build (it's been all lab up till now) that is going to have just under 300 DPs in the field connected via T1 lines. They were all 07 secondary sites. I was thinking about migrating them using the migration tool, but considering the amount of work it's going to take, if that link is the ONLY path to target an HTTPS DP then I might as well just spend the time and manually uninstall and reinstall the field DPs. The client count in the field is an average of 50 machines per site where there are on-prem devices... Total client count is around 25k. The primary site in the datacenter will house the majority of the site roles unless I start running into resource issues, at which time I will begin offloading site roles to one of two more servers that I have slated for the project. No CAS, no secondaries. SQL is co-located on the primary.


    I'm sure there are more people out there using PKI and using pull DPs. How have you managed to target your HTTPS-enabled DPs? Security wants this to be an HTTPS-only environment, and up until now I have successfully done that. If someone could please point me in the direction of some more thorough documentation I would be very grateful. I understand that this is a somewhat new feature, but there has to be an easier way. Perhaps PowerShell can cleanly do it with set-cmdistributionpoint... but when I update help and do -ShowWindow for the command I only get one example, and so far haven't found any other stories like mine, with the exception of the link I posted in the beginning.

    While I'm rambling, Wally there are a lot of us in the community that are going to miss your presence at Microsoft and should you read this I wish you luck with your new position. But that is a whole different topic. Thanks in advance for any links or help you can provide. -K.R.

    • Edited by KeepReading Tuesday, October 21, 2014 12:47 AM Added some details
    Tuesday, October 21, 2014 12:29 AM
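    An added example for the "site control file piece" of the question (not code from this thread or from Microsoft's SDK): a read-only PowerShell snapshot of one DP's role entry, read through the SMS Provider, so a snapshot taken before and after running the SDK script shows exactly which properties it changes, and a plain-HTTP DP is flagged for an HTTPS-only environment. The server, site code and DP names are hypothetical, and the SslState/IsPullDP property names and the reading "SslState 0 means HTTP" are assumptions from community usage of SMS_SCI_SysResUse, to be verified in the lab.

```powershell
# Added example, not from the thread or the ConfigMgr SDK: read-only snapshot of one
# DP's role entry in the site control file, read through the SMS Provider namespace.
# Assumptions (hypothetical values): $SiteServer hosts the SMS Provider, $SiteCode is
# the site code, $DPFQDN is an existing DP. The 'SslState' and 'IsPullDP' property
# names and "SslState 0 = HTTP" are assumptions from community usage; verify in a lab.
function Get-DPSiteControlSnapshot {
    param(
        [Parameter(Mandatory)][string]$SiteServer,
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$DPFQDN,
        [string]$OutFile = ".\$DPFQDN.sitecontrol.txt"
    )
    $ns = "root\SMS\site_$SiteCode"
    # The DP role entry of the site control file; NetworkOSPath holds "\\<fqdn>".
    $dp = Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
            -Class SMS_SCI_SysResUse -Filter "RoleName='SMS Distribution Point'" |
          Where-Object { $_.NetworkOSPath -eq "\\$DPFQDN" }
    if (-not $dp) { throw "No 'SMS Distribution Point' entry for $DPFQDN in $ns" }

    # Flatten scalar properties (Props) and property lists (PropLists) into sorted
    # text lines so two snapshots can be compared with Compare-Object or any diff tool.
    $lines = @()
    foreach ($p in ($dp.Props | Sort-Object PropertyName)) {
        $lines += 'PROP {0} = {1} | {2} | {3}' -f $p.PropertyName, $p.Value, $p.Value1, $p.Value2
    }
    foreach ($pl in ($dp.PropLists | Sort-Object PropertyListName)) {
        $lines += 'LIST {0} = {1}' -f $pl.PropertyListName, ($pl.Values -join ' ; ')
    }
    $lines | Set-Content -Path $OutFile

    # Security check for an HTTPS-only estate: a DP still answering plain HTTP is a finding.
    $ssl  = ($dp.Props | Where-Object PropertyName -eq 'SslState').Value
    $pull = ($dp.Props | Where-Object PropertyName -eq 'IsPullDP').Value
    if ($ssl -eq 0) { Write-Warning "$DPFQDN is configured for HTTP (SslState 0, assumed meaning)" }
    [pscustomobject]@{ DP = $DPFQDN; IsPullDP = $pull; SslState = $ssl; Snapshot = $OutFile }
}

# Usage (hypothetical names): snapshot, run the SDK script, snapshot again, then diff.
# Get-DPSiteControlSnapshot -SiteServer PRI01 -SiteCode PRI -DPFQDN dp01.corp.example -OutFile .\dp01-before.txt
# Compare-Object (Get-Content .\dp01-before.txt) (Get-Content .\dp01-after.txt)
```

    Nothing in the function writes to the site; it only reads the role entry, so it can be run against all of the field DPs in a loop to confirm none of them is left on HTTP after the migration.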

All replies

  • Yes, this is the only way, from http://technet.microsoft.com/en-us/library/gg712321.aspx#BKMK_PlanPullDps: "However, you can use the Configuration Manager SDK to specify a source distribution point that is configured for HTTPS. To use a source distribution point that is configured for HTTPS, the pull-distribution point must be co-located on a computer that runs the Configuration Manager client."

    Does "why" really matter? Who cares? It just is. Whether it was an oversight, a coding bug, or an act of God doesn't change anything. Why does there "have to be" an easier way? And what's wrong with using the VBScripts others have written? A script is a script is a script, particularly if you've been given it already. Just because the hammer is pink doesn't mean it can't hammer the nail in.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, October 21, 2014 12:42 PM
  • Thanks Benoit for posting the link I was trying to reference. I don't have a problem with using the pink hammer if that is the only hammer to be found... What I was hoping for was a nail gun with an instruction manual :-) The reason is I have to run through this for almost 300 of these. I'm sure there would be a way to leverage Orchestrator to accomplish this task in some way, but is there no other choice, and further, how do I deal with the certs within IIS and their bindings? I'm going to give it a shot in my lab shortly, and I do have a 2012 client running on the server.

    If anyone could provide ANY other alternative or a more efficient way of going through this process, I would be very grateful. Thank you in advance. -K.R.

    • Edited by KeepReading Tuesday, October 21, 2014 6:41 PM Updated previous post.
    Tuesday, October 21, 2014 12:55 PM
  • Here is a PowerShell script I wrote for enabling an HTTPS DP as the source for a Pull DP.


    Friday, May 29, 2015 7:22 PM