Part 7: Software Update Point & SCUP (With HTTPS)

If you’re looking to manage patches with SCCM, and let’s face it, why wouldn’t you be, then you’ll need to install the Software Update Point role. In this post we’ll install and configure everything you need to get started, including System Center Updates Publisher (SCUP), which lets you deploy non-Microsoft updates via SCCM.

In Part 3: Prep & Pre-reqs we installed WSUS; let’s get on with configuring everything.

Part 2: Certificate Authority (Server 2016)

The next step is to stand up a CA. This is optional for SCCM, but there are some good reasons why you might want one:

  • HTTPS – You want SCCM site systems and clients to talk over HTTPS, which needs PKI certificates on both sides.
  • TDE – You need to encrypt your SQL databases with Transparent Data Encryption (MBAM, for example); TDE protects the database encryption key with a certificate.
  • MDM – You want mobile devices to authenticate with certificates instead of passwords when they reach company resources like mail and Wi-Fi.

In my lab I’m going to implement a two-tier Certificate Authority: an offline root CA and a subordinate (issuing) CA which will be co-hosted on my primary Domain Controller (DC01). Co-hosting the issuing CA on a DC is a lab shortcut only. A CA that can issue certificates for any domain principal is as sensitive as the domain itself, so in production it belongs on its own hardened member server with its own administrators. For more details on planning a production CA architecture see Securing PKI: Planning a CA Hierarchy.

Start by building the root CA virtual machine. Mine uses the following config:

  • Name: RootCA
  • Generation: 2
  • Startup Memory: 1024 MB
  • Use Dynamic Memory for this VM: Yes
  • Connection: vNet External

Install Windows Server 2016 Standard and set a static IP address (mine’s 192.168.0.250). This server MUST NOT be joined to your domain: the whole point of an offline root is that it has no dependency on, and is not reachable from, the forest it anchors. Once the subordinate CA certificate has been issued, shut it down and only power it on to renew that certificate or to publish a fresh CRL.
  1. Give your server a name, mine’s RootCA.
  2. In Server Manager click Manage > Add Roles and Features.
  3. Under Server Roles tick Active Directory Certificate Services and click Next.
  4. Click Next until you get to Role Services.
  5. Select Certification Authority and click Next.
  6. Click Install.
  7. Under Server Manager click the flag > Configure Active Directory Certificate Services.
  8. Make sure you’re running as a local administrator; there is no domain here, so a domain account won’t work.
  9. Select Certification Authority and click Next.
  10. Select Standalone CA and click Next.
  11. Select Root CA and click Next.
  12. Select Create a new private key and click Next.
  13. Leave the default cryptography (Microsoft Software Key Storage Provider, RSA 2048-bit, SHA256) and click Next. Anything is fine as long as the hash algorithm isn’t SHA-1. In a lab a software-protected key is acceptable; in production this key anchors every certificate in the organisation for decades and belongs in an HSM.
  14. Change the common name, I’m using RootCA, and click Next.
  15. Increase the validity period to 20 years and click Next.
  16. Leave the certificate database in the default location and click Next.
  17. Click Configure.
  18. Confirm the configuration was successful.
  19. The wizard only set the lifetime of the root certificate itself; certificates the root issues (that is, the SubCA certificate) still default to one year. Open Regedit and increase the REG_DWORD ‘ValidityPeriodUnits’ to ‘20’. It lives here, next to a ‘ValidityPeriod’ value that should already read ‘Years’:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\RootCA\ValidityPeriodUnits
  20. Open an elevated PowerShell prompt and run the following. The root isn’t domain joined, so it can’t discover the forest it is going to serve; these values tell it (substitute your own domain’s DN for DC=lab,DC=local). Restart the CA service afterwards so the change takes effect:
    certutil -setreg ca\DSConfigDN "CN=Configuration,DC=lab,DC=local"
    certutil -setreg ca\DSDomainDN "DC=lab,DC=local"
    Restart-Service CertSvc
  21. Launch Certification Authority from Server Manager.
  22. Right click RootCA > Properties.
  23. Browse to the Extensions tab.
  24. With CRL Distribution Point (CDP) selected, add a new location:
    http://DC01/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    and tick Include in the CDP extension of issued certificates. This URL ends up inside the SubCA certificate, so every client that validates the chain has to be able to resolve and reach it, including non-domain machines and MDM-enrolled devices. Pick a name you can keep for the life of the root; a DNS alias such as pki.lab.local that you can repoint later is better than the host name of DC01.
  25. Select the ‘C:\Windows…’ CRL Distribution Point and tick Publish CRLs to this location and nothing else; the root won’t issue delta CRLs.
  26. Under Select extension change to Authority Information Access (AIA).
  27. Add a new location:
    http://DC01/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
    and tick Include in the AIA extension of issued certificates. The same reachability rules as the CDP apply.
  28. In Certification Authority right click Revoked Certificates > Properties.
  29. Change the CRL publication interval to 20 years.
    Caveat: this is the lab shortcut. The interval becomes the CRL’s Next Update date and clients cache the CRL until then, so if you ever had to revoke the SubCA certificate, a client holding the old CRL would not notice for up to 20 years. For anything beyond a lab pick something like 6 to 12 months and put a reminder in place to power the root on and republish before it expires: an expired root CRL makes every certificate chained under it fail revocation checking wherever that is enforced.
  30. In Certification Authority right click Revoked Certificates > All Tasks > Publish.
  31. Leave New CRL selected and confirm.
  32. Copy the files in C:\Windows\System32\CertSrv\CertEnroll (the root certificate and the CRL you just published) to \\DC01\C$\Windows\System32\CertSrv\CertEnroll, creating the folder if it doesn’t exist yet. Remember this copy: every time the root publishes a new CRL it has to be repeated, otherwise the URL from step 24 serves a stale CRL.
  33. Now jump on DC01 and install the Certification Authority role.
  34. Under Role Services select Certification Authority and Certification Authority Web Enrollment.
  35. Install the roles and features.
  36. Under Server Manager click the flag > Configure Active Directory Certificate Services.
  37. Make sure you’re using an account with Enterprise Administrator rights and click Next; an enterprise CA writes its configuration into the Configuration partition of the forest.
  38. Select Certification Authority and Certification Authority Web Enrollment and click Next.
  39. Select Enterprise CA and click Next.
  40. Select Subordinate CA and click Next.
  41. Select Create a new private key and click Next.
  42. Leave the default cryptography and click Next.
  43. Give the subordinate CA a common name, mine’s SubCA.
  44. Save a certificate request to the local machine.
  45. Finish the installation with the remaining defaults. The CA service won’t start yet because it has no certificate.
  46. Copy the request file to RootCA.
  47. On RootCA open Certification Authority and right click RootCA > All Tasks > Submit new request.
  48. Browse to the .req file.
  49. Select Pending Requests, right click the pending request > All Tasks > Issue. A standalone CA never auto-issues, so this is the point at which you check that you are really signing your own SubCA request and nothing else.
  50. Select Issued Certificates and open the certificate you just issued.
  51. On the Details tab click Copy to File.
  52. Select Cryptographic Message Syntax Standard (PKCS #7) and tick Include all certificates in the certification path if possible, so the root certificate travels with it.
  53. Export the file to C:\SubCA.p7b.
  54. Copy the file back to DC01.
  55. On DC01 open Certification Authority, right click SubCA > All Tasks > Install CA Certificate and browse to SubCA.p7b.
  56. Click OK to the warning. It is complaining that it can’t build a trusted chain because the root isn’t in DC01’s trusted store yet; that is expected at this point.
  57. Start the CA service; you should get a green tick on the CA node.
  58. Export the root certificate and deploy it to Trusted Root Certification Authorities via Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies). Because RootCA is offline and not in the domain, nothing publishes it into AD automatically; until it is trusted, the SubCA certificate and everything it issues will fail to chain.
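The same post-wizard work as one PowerShell script, added here as an example and not code from the original post. Run it elevated: -Phase ConfigureRoot on RootCA (steps 19 to 31 above), -Phase SignSubCa on RootCA once the request from DC01 has been copied over (steps 46 to 53), then copy C:\PKI to DC01 and run -Phase FinishSubCa there as an Enterprise Admin (steps 32 and 54 to 58). The CDP/AIA host name pki.lab.local, the C:\PKI folder, C:\SubCA.req and the domain DN are assumptions for this lab; change them to suit. It differs from the clicks in two ways: it sets the CDP/AIA lists as a whole, which also drops the default LDAP and file:// entries, and it publishes the root into AD with certutil -dspublish instead of the Group Policy deployment in step 58 (either approach gets the root into every domain member’s trusted store).

```powershell
<#
  Added example, not code from the original post. Runs the post-wizard configuration of the
  offline root and the hand-off to DC01 as PowerShell. Host names, C:\PKI, C:\SubCA.req,
  pki.lab.local and the domain DN are assumptions for this lab; adjust them.
#>
param(
    [Parameter(Mandatory)][ValidateSet('ConfigureRoot','SignSubCa','FinishSubCa')]
    [string]$Phase,
    [string]$RootCaConfig = 'RootCA\RootCA',   # <host>\<CA common name> of the root (assumed)
    [string]$CdpHost      = 'pki.lab.local',   # assumed DNS alias for DC01; must resolve for every client
    [string]$DomainDN     = 'DC=lab,DC=local',
    [string]$ReqFile      = 'C:\SubCA.req',    # request saved by the DC01 wizard (step 44)
    [string]$OutDir       = 'C:\PKI'           # files carried between the two machines
)
$ErrorActionPreference = 'Stop'
$CertEnroll = "$env:windir\System32\CertSrv\CertEnroll"

# certutil is a native command; PowerShell ignores its exit code, so wrap it and fail loudly.
function cu { certutil @args; if ($LASTEXITCODE) { throw "certutil $args failed ($LASTEXITCODE)" } }

function Set-RootCaConfig {
    # Lifetime of what the root issues (the SubCA certificate); the wizard only set the root's own.
    cu -setreg CA\ValidityPeriodUnits 20
    cu -setreg CA\ValidityPeriod Years
    # CRL lifetime. 20 years is the post's lab value; clients cache a CRL until its Next Update, so a
    # revoked SubCA would go unnoticed for that long. In production use months and republish on a schedule.
    cu -setreg CA\CRLPeriodUnits 20
    cu -setreg CA\CRLPeriod Years
    cu -setreg CA\CRLDeltaPeriodUnits 0       # an offline root should not promise delta CRLs
    # The root is not domain joined, so tell it which forest it serves (also needed by -dspublish).
    cu -setreg CA\DSConfigDN "CN=Configuration,$DomainDN"
    cu -setreg CA\DSDomainDN $DomainDN
    # CDP and AIA lists. Flag 1 = publish to this location, 2 = include the URL in issued certificates.
    # %1 = server DNS name, %3 = CA name, %4 = certificate index, %8 = CRL suffix, %9 = delta allowed.
    # Writing the whole value replaces the default LDAP and file:// entries a non-domain root can't serve.
    cu -setreg CA\CRLPublicationURLs "1:$CertEnroll\%3%8%9.crl\n2:http://$CdpHost/CertEnroll/%3%8%9.crl"
    cu -setreg CA\CACertPublicationURLs "1:$CertEnroll\%1_%3%4.crt\n2:http://$CdpHost/CertEnroll/%1_%3%4.crt"
    # Audit every CA operation (127 = all categories) and turn on the matching Windows audit subcategory.
    cu -setreg CA\AuditFilter 127
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
    Restart-Service CertSvc
    cu -CRL                                   # publish a CRL carrying the new lifetime and locations
    New-Item -ItemType Directory -Force $OutDir | Out-Null
    Copy-Item "$CertEnroll\*.crt","$CertEnroll\*.crl" $OutDir -Force   # root cert + CRL for DC01 (step 32)
}

function Approve-SubCaRequest {
    # A standalone CA holds every request as pending: submit, inspect, then issue by RequestId.
    $submit = certreq -q -submit -config $RootCaConfig $ReqFile | Out-String
    if ($submit -match 'RequestId:\s*(\d+)') { $id = [int]$Matches[1] }
    else { throw "No RequestId in certreq output:`n$submit" }
    cu -view -restrict "RequestID=$id"        # eyeball the subject before signing; it must be your SubCA
    cu -resubmit $id                          # the Issue action from step 49
    # .cer = SubCA certificate only; .p7b = SubCA plus root, like the Copy to File wizard (steps 51 to 53)
    certreq -q -retrieve -config $RootCaConfig $id "$OutDir\SubCA.cer" "$OutDir\SubCA.p7b"
    if ($LASTEXITCODE) { throw "certreq -retrieve failed ($LASTEXITCODE)" }
}

function Complete-SubCa {
    # Publish the root certificate and CRL into the forest's Configuration partition. 'RootCA' here is a
    # certutil keyword naming the target container, not the host name. Domain members then pull the root
    # into Trusted Root Certification Authorities on their next policy refresh.
    Get-ChildItem "$OutDir\*.crt" | ForEach-Object { cu -dspublish -f $_.FullName RootCA }
    Get-ChildItem "$OutDir\*.crl" | ForEach-Object { cu -dspublish -f $_.FullName }
    # Serve the same files from the HTTP CDP/AIA URLs baked into the SubCA certificate (step 32).
    New-Item -ItemType Directory -Force $CertEnroll | Out-Null
    Copy-Item "$OutDir\*.crt","$OutDir\*.crl" $CertEnroll -Force
    # Install the issued chain and start the CA (steps 55 to 57).
    cu -installCert "$OutDir\SubCA.p7b"
    Start-Service CertSvc
    # The check to do before trusting the deployment: the chain builds, and every CDP/AIA URL in the
    # SubCA certificate is actually fetched over the network rather than failing silently.
    certutil -verify -urlfetch "$OutDir\SubCA.cer"
}

switch ($Phase) {
    'ConfigureRoot' { Set-RootCaConfig }
    'SignSubCa'     { Approve-SubCaRequest }
    'FinishSubCa'   { Complete-SubCa }
}
```

The last command is the one worth keeping around: certutil -verify -urlfetch walks every AIA and CDP URL in the certificate and reports each fetch, so it catches a CDP host that only resolves inside the domain, or a CRL that was republished on RootCA but never copied to DC01, before clients start failing revocation checks.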