Jonathan-8497 asked

SCCM - Build and Capture - Application installation while on PKI for workgroup clients not working

Hello,

I'm trying to do a Build and Capture task sequence, but the TS always fails at the Install Application step. This step works when the client joins the domain, but not when it is in a workgroup.

I already checked many forums but I'm not able to find a solution.

I found errors in the LocationService.log; it seems that the problem is that the clients don't have a certificate. I don't know how to import the certificate for workgroup clients in a Build and Capture TS, or whether that is what I need to do.

[CCMHTTP] ERROR: URL=https://FQDN_TO_SERVER/SMS_MP/.sms_aut?SITESIGNCERT, Port=0, Options=31, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERT
[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=


I use the following parameters to install the SCCM client: SMSCACHESIZE=10240 SMSMP=FQDN /UsePKICert /NoCRLCheck CCMHTTPSSTATE=31 DNSSUFFIX=DOMAIN


Can you help me with this?

Do you need to see a specific log?


Jason-MSFT answered

Are you using boot media or PXE for this?

Directly using CCMHTTPSSTATE is unsupported.


Jonathan-8497 answered

Hello Jason,

I'm currently using PXE.

Is it not supported on boot media or PXE?


Jason-MSFT answered

As noted, no, manually specifying CCMHTTPSSTATE is unsupported.

On the PXE-enabled DP, is there a valid PKI-issued client authentication certificate configured as part of the DP's configuration?


Jonathan-8497 answered

Yes, I think that I configured the IIS, DP and client certificates correctly, following the Microsoft article:

https://docs.microsoft.com/en-gb/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates


DP Cert has been configured for Intranet clients only (Subject blank and added FQDN for DNS).

I also added the Root certificate on Site properties.


Jason-MSFT answered

The log above is showing an error of having no PKI cert though. During OSD when PXE booted, the client auth cert assigned to the DP is used throughout the process.

You need to review the entire smsts.log here to help in tracking down the issue.

Although, why perform a build and capture at all? That is generally considered an antiquated approach that requires additional time and overhead. The commonly used path with Windows 10 is to deploy the image from the media, serviced to include the latest CU, and then layer on all additional customizations, applications, settings, etc. during the deployment task sequence. This eliminates a ton of work and re-work in the long run and greatly simplifies the process.


Jonathan-8497 answered

Thanks for your feedback.

I understand that it is not the recommended approach, but it's time-consuming to wait for every piece of software to be installed. When you need to install 100, 300, 600 or 1000 computers in a limited time, having a reference image ready helps very much. Before the switch from HTTP to HTTPS, we used this method and it worked well.


Do you know any solution that I can apply in our case so we can do that?

I know that some people join the domain instead of a workgroup to install the software and then remove the computer from the domain before the capture step. I know that's not the best solution either, but what is possible to do?

How can I authenticate a workgroup client so it can talk with the DP in a PKI environment?

Jason-MSFT commented

Joining a reference system to a domain violates the entire intent of creating a clean image as unjoining it doesn't remove all of the changes made when it was joined.

As noted, based on the error message, the cert you've supplied is not correct, but without direct examination of the cert, the configuration, and the log files (since one out-of-context log line is typically not sufficient for troubleshooting), not much additional can be said here. Perhaps posting screenshots of your DP configuration and the properties of the certificate will help us help you.

yannara answered

Sorry for going off-topic, but I quit using B&C after Windows 7. With Win10 I use the native install.wim. Patches can be applied with offline servicing. Unless you need a thick image and the fastest install times, I would give up on B&C :)


Jonathan-8497 answered

Hi @yannara, thanks for your message.

I understand your point of view, but in our case it is not always possible :-/


Jonathan-8497 answered

Thanks @Jason-MSFT for your advice. I know, and I agree with you, that it is not clean to do that, and I always try to do things as cleanly as possible. I have been looking for a solution for many days and was trying to find a temporary solution for now. So I came here to try to understand why it is not working and to solve this in a clean manner.

Is it possible to share the logs with you privately?

Here is the configured DP certificate:

88266-dp1.png
88205-dp2.png
88215-dp3.png
88253-dp8.png
88254-dp10.png


Distribution Point properties :

88234-dp-properties.png


Site properties :

88222-site.png




Jason-MSFT answered

You need to check the enhanced key usage. For the cert template, assuming that is the one used to issue the cert, that'll be on the extensions tab/page. Alternatively, it's an attribute on the certificate itself.

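As an added example (not code from the thread or from Microsoft), the check Jason describes can be done from PowerShell: read the Enhanced Key Usage attribute off the certificate itself and confirm it lists Client Authentication, and at the same time report the other properties a ConfigMgr PKI client-auth cert needs (private key present, validity window, chain trust up to the root that was added in the site properties, and the DNS name in the Subject Alternative Name, since the DP cert above was issued with a blank subject). It can be run against the computer's personal store or against the exported PFX that was imported in the DP properties. The store path, the function names and the sample PFX path are assumptions.

```powershell
# Added example for this thread, not from the original posts.
# Assumptions: certificates live in Cert:\LocalMachine\My or in an exported PFX
# whose path you supply; function names and the sample path are made up.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # OID of the Client Authentication EKU
$EkuExtOid     = '2.5.29.37'           # Enhanced Key Usage extension
$SanExtOid     = '2.5.29.17'           # Subject Alternative Name extension

function Test-ClientAuthCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # .NET hands back a typed X509EnhancedKeyUsageExtension for 2.5.29.37
        $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SanExtOid }

        # A cert with no EKU extension is technically usable for any purpose,
        # but ConfigMgr expects Client Authentication to be listed explicitly.
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $san = '(none)'
        if ($sanExt) { $san = $sanExt.Format($false) }   # e.g. "DNS Name=dp01.example.local"

        # Trust check only: the thread installs the client with /NoCRLCheck,
        # so revocation is skipped here and any chain problem is reported as-is.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($Certificate)

        $now = Get-Date
        [pscustomobject]@{
            Subject          = $Certificate.Subject
            SubjectAltName   = $san
            Issuer           = $Certificate.Issuer
            Thumbprint       = $Certificate.Thumbprint
            HasClientAuthEku = ($ekuOids -contains $ClientAuthOid)
            HasPrivateKey    = $Certificate.HasPrivateKey
            TimeValid        = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)
            ChainTrusted     = $chainOk
            ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }
}

function Get-LocalClientAuthCertificate {
    # The computer's personal store is where the ConfigMgr client and the
    # DP's IIS binding look for their PKI certificates.
    Get-ChildItem -Path Cert:\LocalMachine\My | Test-ClientAuthCertificate
}

function Test-PfxClientAuthCertificate {
    # Inspect the exported PFX that was imported into the DP properties.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $Path, $Password
    Test-ClientAuthCertificate -Certificate $cert
}

# Usage (run elevated on the DP or on the reference machine):
Get-LocalClientAuthCertificate | Format-List

# For the file handed to the DP (path is a placeholder):
# Test-PfxClientAuthCertificate -Path 'C:\certs\dp-clientauth.pfx' `
#     -Password (Read-Host -AsSecureString 'PFX password')
```

For the DP certificate, HasClientAuthEku, HasPrivateKey, TimeValid and ChainTrusted should all be True and SubjectAltName should carry the DP's FQDN; a False in HasClientAuthEku is exactly the template/extension problem Jason points at, and a non-empty ChainStatus means the issuing chain is not trusted by the machine even though the root was added to the site. Since, per the thread, a PXE-booted workgroup client uses the DP's client-auth certificate during OSD, the DP is the place to run this first.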