Tuesday, 26 January 2016

Configuration Manager - Windows 10 Provisioning Packages

System Center Configuration Manager landing page

My previous blog post described how to deploy an On Premise MDM solution with Configuration Manager Current Branch (1511 for now). It's a pretty cool solution. You can find that blog post here

There is one drawback though. It's a bit of a pain having to install a client certificate and the Trusted Root certificate on each Windows device before then having to enrol the device manually through Work Access. We're in luck. Configuration Manager has a very slick way to automate this process through provisioning packages. You can read about this process in the official Microsoft TechNet documentation .

This process could not be simpler. What does it look like?

There are a couple of prerequisites.

1. You must have installed Windows Image and Configuration Designer (WICD) from the Windows 10 ADK before you can create an enrollment package. 

2. You must have already configured the solution for On-Premise MDM. During that process you would have created a Certificate Profile containing the Trusted Root Certificate.

Navigate to "Assets and Compliance" > "All Corporate-owned Devices > Windows > Enrolment Profile. Right click to create a new profile.

Enter a suitable name. See that you can choose On-Premises or Cloud as the Management Authority. We're interested in On-Premises for now.

Choose the Site Code.

Select "Intranet Only" and choose the Enrolment Point.

Choose the certificate profile.

You can optionally choose to configure a WiFi profile for network connectivity during enrolment.

Confirm the settings to configure the profile.

Profile has been created.

Right click the profile. You can view the properties or export.

See that you can still make changes in the properties. You can change the Management Authority.....

.....or add a WiFi profile, for example.

Now choose to export. Accept the validity period (the package will expire) and enter a location. You can choose to encrypt the package.

The enrollment package has been created. See there are two files.

Now let's go to our test client. It is not enrolled.

I removed the client certificate....

...and Trusted Root Certificate that I previously installed.

Copy the Enrollment Package to the Windows 10 client (the method is up to you). Launch the package.

Accept the UAC warning.

You are given information on what a provisioning package could do. You must accept this.

That's all you have to do. Almost instantly you will see that the device is enrolled (Settings > Accounts > Work Access). Note that it has been enrolled as a Corporate Owned device rather than by a specific user.

The first sync has started.

The device appears in the ConfigMgr console as is under On Premise Management. This is seriously cool.

Until next time....

Friday, 22 January 2016

Configuration Manager - On premise MDM

System Center Configuration Manager landing page

On premise Mobile Device Management is a new feature released in Configuration Manager 1511. It allows you to manage mobile devices without synchronising your user accounts to Azure. Also devices enrol directly with the on premise infrastructure unlike regular MDM which requires each device to enrol with Intune. Although devices do not contact Intune directly you must still have an Intune subscription and licenses to deploy this solution.

Currently the solution only supports Windows 10 devices.

This is quite a complex solution with many moving parts. I've added a second Configuration Manager server to my lab to enable it.

You'll find the official Microsoft documentation here. I've deployed by getting nuggets of information from various other sources. I'll share all that information here. Kent Agerlund and Panu Saukko provide the bulk of the information in a blog post that they published in late 2015 (see the references section at the bottom of this post).

Beware - this is a pretty long blog post.

The following are the high level steps required (remember this was my lab environment so I had to start from scratch):

PKI (on my Domain Controller)

  • Install PKI
  • Configure CRL and CRLDP
  • Create Certificates

ConfigMgr roles (my second CM server)
  • Add Management Point and configure for HTTPS
  • Add Distribution Point and configure for HTTPS
  • Add Enrollment Point and Enrollment Proxy Point
SSL fix
  • Registry fix (SendTrustedIssuerList)
Additional ConfigMgr configuration
  • User collection
  • Add Intune subscription (require Service Connector)
  • Enable Windows enrollment
  • Create Enrollment Profile (Client Settings)
Client (Windows 10 workgroup)
  • Certificates
  • Work access > Connect
So let's have a look at some details and tips for these steps.

Install PKI

Installing Certificate Services is outside the scope of this blog post. I installed a default Enterprise Root Certificate Authority in my lab by adding Active Directory Certificate Services to my DC.

You will need the following role services:
  • Certification Authority
  • Certification Authority Web Enrollment
  • Certification Authority Web Service
Note that the Certification Authority and the Certification Authority Web Service cannot be installed simultaneously. You must complete the CA setup first and then add the CA Web Service.

Use this TechNet library document for further information:

Configure CRL and CDP

When Windows 10 clients communicate over HTTPS they automatically check to see if the certificate they are using has been revoked. They find this information in the CRL (Certificate Revocation List). The CRL comes in the form of two files stored in a virtual directory which is accessible to the Windows 10 clients (full and delta CRL files).

The CRL location (CRL Distribution Point) must be configured in the CA so that it is included in all issued certificates. If you don't get this bit right you will not be able to successfully implement on premise MDM. You have to do this configuration BEFORE you issue your certificates.

(I haven't personally tested this but it looks like, if you are already configured to use https, you will have to replace the MP and DP certificates after you carry out this work).

Follow this Microsoft blog to configure your CRLDP.

Creating a Certificate Revocation List Distribution Point for Your Internal Certification Authority

The steps are as follows:

Create CRL DNS record

Add CDP extension on CA

Create file share and virtual directory

Publish CRL to CDP

Create Certificates

As I previously said there are numerous working parts to this solution. We will require an additional Management Point and Distribution Point (configured to communicate via HTTS). Therefore we need a few certificates. The process for this is the same as we use for implementing Internet Based Client Management. I used the following certificates for my lab:
  • Distribution Point Client Certificate
  • Management Point Web certificate
  • Client certificate
There are several places to get good information on how to create the certificate templates and generate the certificates required for Configuration Manager.

PKI Certificate Requirements for Configuration Manager

SCCM 2012 Internet based client management

How to install a ConfigMgr Client on a WORKGROUP computer, when the ConfigMgr Site is in Native Mode.

The main steps are as follows:
  • Create web certificate template
  • Create DP certificate template
  • Create client certificate template
  • Generate web certificate
  • Generate DP certificate
  • Generate client certificate
  • Assign the web certificate in IIS and bind to https (second Configuration Manager server)

Add Management and Distribution Points and configure for HTTPS

I added an additional Configuration Manager Management Point and Distribution Point to my second server. (don't forget to make the Configuration Manager Site Server computer account a local administrator on this server).

See MP Prerequisites

See DP Prerequisites

See my previous blog posts for installing additional Management and Distribution Points

Management Point

Distribution Point

This time we need to configure for https

Select "Specify an FQDN for this site system for use on the Internet. If we were configuring this for IBCM we would use an external FQDN here. However this is for on premise only so just enter the name of the server.

Select HTTPS (Allow intranet and internet connections). Select "Allow mobile devices to connect to the DP".
Import the DP certificate we created earlier.

Choose HTTPS (allow intranet and internet connections) for the MP.

After the roles have been added edit the site properties and set the Trusted Root CA.

Add Enrollment Point and Enrollment Proxy Point

Now select to add new site system roles on the second server.

Add the Enrollment Point and Enrollment Proxy Point roles in a default configuration.

(don't forget to install the prerequisites first - you can find them here)

Registry fix (SendTrustedIssuerList)

There is a known issue when using SSL certificate authentication with Windows Server 2012. You can read about this issue here.

Apply the registry fix shown if required.

User collection

You must select a user collection when you create the Intune subscription. For MDM using Intune I always create an "Intune users" collection. The users in this collection will be allowed to enrol devices with Intune. If you are just configuring on premise MDM only, you must choose a user collection, but it doesn't matter which one you pick. This has no effect. A count of licensing is tracked in Intune (rather than specific users).

Add Intune subscription (require Service Connector)

Although this is an on premise solution you will still need to add the Intune subscription.

Enable Windows enrolment

Create Enrollment Profile (Client Settings)

Export the trusted root certificate to a .cer file.

Now navigate to Assets and Compliance > Compliance \settings > Company Resource Access.

Right click and create a certificate profile.

Enter a suitable name and choose "Trusted CA certificate".

Browse to the .cer file. Ensure that the Destination store is Root.

Choose Windows 10.

Finish the wizard to create the certificate profile.

Now enable enrolment in your client settings. Click to "Set Profile".

Click to create an Enrolment profile.

Enter a suitable name, choose the site code and verify the certificate profile.

Click OK to finish and create the enrolment profile.


OK, now let's move to the client.

Import the certificates we created earlier (Trusted root cert and client cert)

Now navigate to Settings > Accounts > Work access  and select "Connect to work or school"

Enter your local account details.

The first attempt will fail. Now enter your enrollment server name.

This looks hopeful. Enter the password.

Choose whether or not you want this password remembered.

We're connecting........

.....and we've connected.

The device is now enrolled using our on premise infrastructure only.

Click on Info to see the sync status

Windows 10 computers now appear in the ConfigMgr console as mobile devices.

Devices can be managed. See hardware inventory. 

We can right click and retire the devices from the console.

The device becomes unmanaged almost immediately.

Issues encountered

1. You must ensure that you have published the CRL in the CRLDP before issuing the client certificates. Otherwise you will have to re-create the certificate.

This is a healthy certificate showing the CRL DP location (see the URL at the bottom).
If you don't do this you will be able to enrol but the device will never sync or appear in the Configuration Manager console.

You will receive an error 0x800728f in this case.

I did carry out the work in advance but I still had the issue. I tested by browsing to the CRL DP location but I couldn't download the CRL files. I could however browse to the virtual directory. I noticed that somehow there was a space at the beginning of the CRL filenames. Once I removed the space I was able to sync correctly.

2. Trusted Root certificate

You will receive this error if you have installed the client certificate but not the Trusted Root certificate on the Windows 10 device.

Now see how to create Windows 10 Provisioning Packages with Configuration Manager.


Install and Configure on-prem mobile device management (MDM) with ConfigMgr vNext TP3 (Kent Agerlund & Pan Saukko)

Creating a Certificate Revocation List Distribution Point for Your Internal Certification Authority

PKI Certificate Requirements for Configuration Manager

SCCM 2012 Internet based client management (System Centre Dudes)

How to install a ConfigMgr Client on a WORKGROUP computer, when the ConfigMgr Site is in Native Mode. (Peter van der Woude)