The posts we’ve provided around Configuration Manager 2012 Internet Based Client Management (IBCM) are proving to be very popular with lots of comments and questions coming in. A common request is a way of provisioning certificates for clients when domain auto-enrolment is not possible. This would be the case for workgroup machines, multi-forest deployment, and in scenarios where group policy processing doesn’t take place (remote machines accessing the infrastructure over VPN might be a candidate).

Our approach to this at the moment is to break the deployment process up a little, but still drive as much automation as possible. So, when we want to deploy a client in this scenario, the first thing we need to do is generate a certificate for it. We’re likely to want to do this in bulk, and as one-off jobs, so we use a standard batch script which accepts a parameter of the computername to generate a certificate request and export the resulting cert.

@echo off


rem Create an INF request file with the specified subjectname


echo Generating *.inf file for certificate request for server %subjectname%

echo ;—————CertificateRequestTemplate.inf————– >> %subjectname%.inf

echo [NewRequest]                                                 >> %subjectname%.inf

echo Subject=”cn=%subjectname%”                                   >> %subjectname%.inf

echo Exportable=TRUE                                              >> %subjectname%.inf

echo KeyLength=2048                                               >> %subjectname%.inf

echo KeySpec=1             ;key exchange                          >> %subjectname%.inf

echo KeyUsage=0xA0                                                >> %subjectname%.inf

echo MachineKeySet=TRUE                                           >> %subjectname%.inf

echo [RequestAttributes]                                          >> %subjectname%.inf

echo CertificateTemplate=”ConfigMgrClientCertificate” ; this is for Client Authentication    >> %subjectname%.inf

echo SAN=”DNS=%subjectname%”                             >> %subjectname%.inf

rem Create the a binary request file from the INF

echo Generating certificate request for server %subjectname%

CertReq -New -f %subjectname%.inf %subjectname%.req

echo Retrieving certificate for server %subjectname%…

CertReq -Submit -q -f -config CAServerName.FQDN.CO.UKCA-NAME-CA %subjectname%.req %subjectname%.cer

Echo Importing certificate into Local Computer Store…

certreq -accept %subjectname%.cer

Echo Exporting certificate with private key…

Certutil -f -p agoodpassword –exportpf x %subjectname% .clientcerts%1.pfx

Echo Cleaning up…

certutil -delstore “MY” %subjectname%

del %subjectname%.req

del %subjectname%.inf

del %subjectname%.cer

echo Certificate generation for server %subjectname% complete!

This script will create a ConfigMgr client cert with the name of the machine you are going to deploy.

To use this script against a list of machines you want to deploy you would:

For /f %I in (mylistofmachines.txt) do ApajoveCertGen.cmd %I

This will result in a certificate for each machine name being generated and stored in the clientcerts folder.

So, we now have a load of certificates. We will need the Trusted Root certificate exporting too, this can be obtained from the computer TR store and exported as a .cer file.

How to deploy the client?

We need a folder structure with a copy of the ConfigMgr client binaries.


Our clientcerts folder is in here too, as is the batch file for certificate and client install, which looks like this:

@echo off

@Echo Adding Trusted Root Certificate

certutil -addstore -f “ROOT” “%~dp0MyTrustedRoot.cer”

@echo Import Client Certificate

Certutil -p agoodpassword –importpf x “%~dp0clientcerts%computername%.pfx”

@echo Install ConfigMgr Client

“%~dp0clientccmsetup.exe” /source:%~dp0clientcertsclient / /usePKICert /NOCRLCheck SMSSITECODE=ZZZ CCMHTTPSTATE=31

When executed this imports the Trusted Root cert, imports the client cert we created above and then installs the ConfigMgr client. You’ll likely want to pass additional parameters to the client installation, but this is a good place to start.