Build and Capture in Configuration Manager 2012 SP1 using HTTPS

I’ve recently had a hell of a time getting build and capture to work to create a reference image for use with some workgroup machines that I’m going to need to build. My SCCM environment is entirely HTTPS, as I have to support internet based clients. This brings up some certificate issues, and I found this post from @jamesbannan. This post covers the whole process needed to workaround the issues with this particular scenario, but it attacks it from an MDT point of view. Reading through the comments, I came up with a slightly rejigged solution and so have written this blog post to pass on how I did it.

First, I copied the folder that I keep the unattend.xml files to my programs share. I keep x86 and x64 unattend.xml’s in the same folder, named appropriately. As I have specific requirements (keyboard settings, etc.), and I hope that this solution will make my workgroup deployments easier, I decided that I should duplicate these files and add in the xml for the certificates to each one. I then created the certificates as per James’ blog:

Step 1 – Generate a Client Certificate

This is the easy bit.  You just need a valid PKI client certificate which gets exported, along with its private key for importing later on.  For this you just need a domain-joined system which can talk to the CA.

The certificate template I used was the same as the ConfigMgr Client Certificate template I created to support HTTPS communications in CM12.  So, in the Certification Authority console:

  1. Right-click “Certificate Templates” and select “Manage”;
  2. Right-click “ConfigMgr Client Certificate” and select “Duplicate Template”;
  3. Select “Windows Server 2003 Enterprise”;
  4. In the General tab, change the certificate Template Display Name to “ConfigMgr Workgroup Client Certificate”;
  5. In the Request Handling tab, tick “Allow private key to be exported”;
  6. In the Subject Name tab, select “Supply in the request”;
  7. In the Security tab, select “Domain Computers” and untick the “Autoenroll” permission;
  8. Select OK.

Back in the Certificate Authority console, right-click Certificate Templates and choose “New” –> “Certificate Template to Issue”.  Choose the newly-created template from the list and select OK.

Now, on a domain system (it can even be the CA), launch the Certificate MMC snap-in for the Local Computer:

  1. Go to Personal –> Certificates;
  2. Right-click Certificates and select “All Tasks”, “Request New Certificate”;
  3. Select “Active Directory Enrolment Policy” and click Next;
  4. Tick “ConfigMgr Workgroup Client Certificate” and click the link directly underneath which is prompting for more information;
  5. In the Subject tab, select “Common Name” from the Subject Name drop-down and type in “Workgroup PKI” in the Value field;
  6. Select Add, and OK;
  7. Select Enrol.

The new certificate should now appear in the MMC window.  Right-click the certificate and select All Tasks –> Export:

  1. In the Export Private Key window, select “Yes, export the private key”;
  2. In the Export File Format windows, tick “Include all the certificates….” and “Export all extended permissions”;
  3. Select and confirm a password, and then a location for the PFX file;
  4. Export completed.

Once I had the exported certificate, I copied this into the folder with the unattend.xml files. I then made the edits to the unattend.xml files, according to the relevant architecture as per James’ blog, but with a slight change, as per the comments, which I have bolded:

On a system with the Windows Automated Installation Kit (WAIK) installed, launch System Image Manager and open the Unattend.xml.  Make sure that it’s associated with a Windows catalog for the correct architecture version of Windows (eg: x86 or x64)

In the Windows Image section:

  1. Expand Components;
  2. Expand amd64_Microsoft-Windows-Deployment_6.1.7600.16385_neutral (assuming your architecture is x64);
  3. Expand RunSynchronous;
  4. Right-click RunSynchronousCommand and select “Add setting to Pass 4 specialize”.

In the Answer File section:

  1. Navigate to the newly-added setting under pass 4 specialize;
  2. Change the Description to “Import PFX”;
  3. Change the Order to the last in the list (eg: Order = 3);
  4. Change the Path to “cmd /c certutil -f -p {password} -importpfx c:\_SMSTaskSequence\Packages\{PackageID}\nameofyourcert.pfx” (without the quotes);
  5. Ensure the Will Reboot is set to “Never”;
  6. Expand RunSynchronousCommand and right-click “Credentials” and select Delete.

Save and exit System Image Manager.  Make sure that the Settings package is updated in the Configuration Manager console so that the latest version is copied to the distribution point.

Once I had saved the unattend.xml files, I then created a package in SCCM from these files and called it “workgroup settings”.

I didn’t need to create a new Configuration Manager Workgroup Package as per James’s instructions (well, I created one, but due to an oversight, I didn’t actually use it!).

Once the package is complete and distributed, create a new “build and capture task sequence”. I used the install.wim file from each operating systems DVD’s sources folder for the task sequence, and the Configuration Manager Client Package. Once you’ve created the task sequence, follow the below steps:

1: Go to the step “Partition Disk 0 – BIOS” and delete the BCD partition, and then mark the Windows primary partition as the boot partition.
2. In the “Apply Operating System” step, tick the box “use an unattended or Sysprep answer file for a custom installation” box, and then select your “workgroup settings” and choose the unattend.xml relevant to your architecture.
3. In the “Setup Windows and Configuration Manager”, change the installation properties for the Configuration Manager Client Package to DNSSUFFIX={your dns suffix} CCMHTTPSSTATE=31.

I then proceeded to deploy the task sequence to the collection I was targeting, making sure that on the distribution tab, I ticked the “when no local distribution point is available” box.

Once I had done this, I was able to build and capture machines for Windows 7, 8 and 8.1 (and I’ve not even installed 2012 R2 yet!). Next step is to see if I can apply what I have learned here to building workgroup clients. I’ll let you know how it goes!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.