anyweb

Deploy an OS over CMG using bootable media

Introduction

Microsoft released update 2010 on December 1st, and one of the many new features was the ability to deploy an OS over CMG using bootable media. I tested this ability when it first arrived in a Technical Preview release, Technical Preview version 2009; you can read about that here to see how it worked then. There have been some changes to the overall process since then.

This blog post assumes you've already setup a CMG as documented here. So let's try out the feature.

Update 2020/12/19: if you installed ConfigMgr update 2010 from the fast ring, please review the following hotfix. The quoted part below is what relates to OSD via CMG.

Quote:

If you use a PKI-based certificate for operating system boot media, configure it for SHA256 with the Microsoft Enhanced RSA and AES provider. For later releases, including globally available version 2010, this certificate configuration is recommended but not required. The certificate can be a v3 (CNG) certificate.

Step 1. Create a task sequence

In the following step I'll create a simple task sequence, nothing special other than the following settings:

On the Install Windows step, select Enable the account and specify the local administrator password, then enter a local administrator password.

enable the account and specify the local administrator password.png

Next, change the Configure Network settings step to Join a workgroup instead of joining a domain.

join a workgroup.png

Select applications...

Install Applications.png

Close the wizard when done.

After the task sequence is created, edit the Enable BitLocker step and either disable it or set it to Continue on error.

continue on error.png

This is because the step will fail: the computer has no line of sight to on-premises Active Directory during the deployment, so it cannot escrow the recovery key there.

Step 2. Distribute content to the CMG

Select the task sequence created in step 1, right click and choose Distribute Content.

distribute content.png

On the Content Destination screen, make sure to select your Cloud Management Gateway (CMG).

distribute to cmg.png

Step 3. Verify the following settings

In the Administration pane of ConfigMgr, select Client Settings, then select Default Client Settings (or create a new one) and right click and bring up the properties of the client settings, select the Cloud Services section. Verify that the following settings are configured to Yes.

  • Allow access to cloud distribution point
  • Enable clients to use a cloud management gateway

as shown here.

Cloud Services.png

Step 4. Create a device collection

In the next step, create a device collection and limit it to something appropriate like CMG Clients. You can populate this collection with the known computers you intend to target with this task sequence, for example by importing each MAC address and associating it with a computer name.

Note: This is my lab so I'm using All Systems, don't do that in production though !

osd via CMG boot media collection.png

Step 5. Deploy the task sequence

Right click the newly created task sequence and choose Deploy. Deploy it to the collection you just created. Make sure to configure the following settings when deploying the task sequence.

  • Deployment settings page: under Make available to the following, choose an option that includes media, for example Only media and PXE.

only media and pxe.png

  • User experience page: Allow task sequence to run for client on the internet

allow task sequence to run for client on the internet.png

  • Distribution points page, deployment options: Download content locally when needed by the running task sequence.

download content locally when needed by the running task sequence.png

I deployed the task sequence to both known (OSD via CMG boot media collection) and unknown computers.

deployed task sequence.png

Step 6. PKI certificate modifications

Note: As per the documentation, if you use a PKI-based certificate for the boot media, configure it for SHA256 like so...

sha 256.png

And with the Microsoft Enhanced RSA and AES provider.

In case that's not clear, you'll need to modify the certificate template used for boot images so that it uses the Microsoft Enhanced RSA and AES Cryptographic Provider instead of the default Microsoft RSA SChannel Cryptographic Provider.

I created a new template on my IssuingCA matching that requirement.

certificate template.png

Note: Under the Request Handling tab make sure that Allow private key to be exported is checked. The media wizard needs the .pfx with its private key, so treat the exported file and its password as secrets.

request handling.png

After creating the new certificate template on the Issuing CA, request a certificate from it on the ConfigMgr site server hosting your distribution point.

request endpoint manager certificate.png

Right click the newly imported certificate and choose All Tasks, then select Export. In the welcome to certificate export wizard click Next and choose to export the private key.

export cert.png

Save it on your desktop with a memorable name like CMG Cert.pfx.

CMG cert pfx.png

Step 7. Create bootable media

Now that you've done everything above, it's time to create your bootable media, that media can be a USB boot key or a standalone ISO.

In the ConfigMgr console, in Software Library, Operating Systems, Task Sequences, choose Create Task Sequence Media from the options available in the Create section of the ribbon.

create task sequence media.png

Choose Bootable media from the options.

bootable media.png

On the Media Management page of the wizard, select the option for Site-based media.

site based media.png

Choose USB or ISO

iso media.png

As the task sequence was also deployed to All Unknown Computers, make sure to enable unknown computer support on the Security page, and import your OSD certificate (.pfx) together with its password. Also, because this is bootable media that anyone who gets hold of it can boot, set a strong media password.

Make sure to point to the CMG Cert.pfx file created earlier if your site is in HTTPS Only (PKI) mode.

CMG cert for boot media.png

On the Boot Image page, select the Cloud management gateway for the management point settings.

boot image management point settings.png

Continue through the wizard until complete.

Step 8. Boot a computer using boot media

After completing all the steps above and verifying that your task sequence content is on the CMG, it's time to boot a target computer with an internet connection from the media (ISO or USB). This computer does not need a connection back to the Active Directory domain controller or the on-premises ConfigMgr infrastructure, but it does need full access to your CMG over HTTPS (TCP 443).

As I'm using a virtual machine, here are the configured settings I'm using to boot from the ISO file.

boot settings for vm.png

The computer should boot very quickly from the media and wait at the password screen; enter the media password you configured earlier.

list of task sequences.png

Select the task sequence and off it goes. In this step you can see it's downloading the content from the CMG.

apply operating system.png

When it's done, log in as Administrator,

login as administrator.png

and your computer is managed via Endpoint Manager: there's the client, and it's getting policy, so you can deploy apps and do all sorts of things to this newly deployed computer. You will of course note that it is not domain joined; that is because it had no contact with the on-premises infrastructure at any point in the process. You can use the ConfigMgr client to deliver apps, a domain join, or whatever else you want after the user has logged on.

configmgr client agent.png

After the task sequence runs, the client uses token-based authentication to communicate with the CMG.

What an incredible feature!

Troubleshooting

If and when problems occur, look at the smsts.log file on the client (in WinPE it is at X:\Windows\Temp\SMSTSLog\smsts.log) and the CMGService.log on the CMG; that log file and the related ones (for example CMGHttpHandler.log) are described here. I've observed problems such as "failed to retrieve reg token from media token 0x87d00215", which should be resolved with this hotfix. If you see "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED", review the Verify Client Certificate Revocation check box on the Settings tab of your CMG properties: with it enabled, the CRL for your client certificates must be published somewhere the CMG can reach on the internet, otherwise clear it.
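Step 4 above describes pre-staging known computers by importing a MAC address and a computer name into the target collection. The following is an added example, not code from the original post, that does that from a ConfigMgr console PowerShell session (ConfigurationManager module loaded, current location set to the site drive). The collection name and the machine list are made up for the illustration.

```powershell
# Added example (not from the original post): pre-stage the known computers from Step 4 by importing
# MAC address + name directly into the device collection the task sequence is deployed to.
# Run from a ConfigMgr console PowerShell session with the site drive selected (e.g. P01:).
$CollectionName = 'OSD via CMG boot media collection'   # assumption: the collection created in Step 4

# Constructed sample input: one row per machine you intend to target.
$KnownComputers = @(
    @{ Name = 'CMG-LAPTOP-001'; MacAddress = '00:15:5D:01:02:03' },
    @{ Name = 'CMG-LAPTOP-002'; MacAddress = '00-15-5D-01-02-04' },   # dashes are normalised below
    @{ Name = 'CMG-LAPTOP-003'; MacAddress = '00:15:5D:01:02'      }  # malformed, will be skipped
)

$macPattern = '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'
foreach ($pc in $KnownComputers) {
    # ConfigMgr wants colon-separated MAC addresses; normalise and validate before importing.
    $mac = ($pc.MacAddress -replace '-', ':').ToUpperInvariant()
    if ($mac -notmatch $macPattern) {
        Write-Warning "Skipping $($pc.Name): '$($pc.MacAddress)' is not a valid MAC address"
        continue
    }
    # Creates (or updates) the computer record and adds it to the collection in one call.
    Import-CMComputerInformation -ComputerName $pc.Name -MacAddress $mac -CollectionName $CollectionName
    Write-Host "Imported $($pc.Name) ($mac) into '$CollectionName'"
}
```

Anything that fails validation is skipped with a warning rather than creating a half-formed record that the media would never match.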
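Step 6 above lists what the boot-media certificate must look like (SHA256, the Microsoft Enhanced RSA and AES provider or a v3 CNG key, an exportable private key). The following is an added example, not code from the original post, that checks an exported .pfx against those requirements before you hand it to the Create Task Sequence Media wizard. The path in the usage line and the client-authentication EKU check are assumptions for this example.

```powershell
# Added example (not from the original post): verify an exported boot-media PFX meets the
# requirements quoted in Step 6 before feeding it to the Create Task Sequence Media wizard.
function Test-BootMediaPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$PfxPassword
    )
    $expectedCsp   = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # assumption: the template is a client authentication template

    $cert = (Get-PfxData -FilePath $PfxPath -Password $PfxPassword).EndEntityCertificates |
            Select-Object -First 1

    # Identify the key provider. CSP keys come back as RSACryptoServiceProvider,
    # CNG (v3 template) keys as RSACng; the documentation accepts either.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyType    = 'CSP'
        $provider   = $rsa.CspKeyContainerInfo.ProviderName
        $providerOk = ($provider -eq $expectedCsp)
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyType    = 'CNG'
        $provider   = $rsa.Key.Provider.Provider
        $providerOk = $true
    } else {
        $keyType = 'unknown'; $provider = '<none>'; $providerOk = $false
    }

    $eku = $cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }))
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        SignatureAlg  = $sigAlg
        KeyType       = $keyType
        KeyProvider   = $provider
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $hasClientAuth
        Ok            = ($sigAlg -eq 'sha256RSA') -and $providerOk -and $cert.HasPrivateKey -and
                        $hasClientAuth -and ($cert.NotAfter -gt (Get-Date))
    }
}

# Usage (the path is an assumption): prompt for the PFX password rather than hard-coding it.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Test-BootMediaPfx -PfxPath "$env:USERPROFILE\Desktop\CMG Cert.pfx" -PfxPassword $pw
```

If Ok comes back False, the KeyProvider and SignatureAlg fields tell you whether the template still uses the default SChannel provider or a SHA1 signature, which is the mismatch the hotfix note is about.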
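Step 8 requires that the target has full access to the CMG, and the troubleshooting notes above mention certificate-chain and revocation failures reported by WinHTTP. The following is an added example, not code from the original post, for a pre-flight check run from a machine on the same network the target will boot on: it completes a TLS handshake with the CMG and then rebuilds the server certificate chain with online revocation checking. The CMG FQDN is a placeholder.

```powershell
# Added example (not from the original post): pre-flight check of HTTPS reachability and the
# CMG server certificate chain from the network the target computer will boot on.
function Test-CmgTls {
    param(
        [Parameter(Mandatory)][string]$CmgFqdn,
        [int]$Port = 443
    )
    $r = [ordered]@{
        Fqdn = $CmgFqdn; TcpConnect = $false; TlsHandshake = $false
        Subject = $null; Issuer = $null; ChainValid = $false; ChainStatus = @(); Error = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($CmgFqdn, $Port)
        $r.TcpConnect = $true

        # Accept any certificate during the handshake; the chain is inspected explicitly below.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false, { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($CmgFqdn, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $r.TlsHandshake = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject
        $r.Issuer  = $cert.Issuer
        $ssl.Dispose()

        # Rebuild the full chain with online revocation checking, so an untrusted issuing CA or an
        # unreachable CRL shows up here instead of as a WinHTTP failure in smsts.log.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $r.ChainValid  = $chain.Build($cert)
        $r.ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $tcp.Dispose()
    }
    [pscustomobject]$r
}

# Usage (placeholder FQDN). A PartialChain or UntrustedRoot status means the CMG's issuing chain is
# not trusted on this machine; RevocationStatusUnknown or OfflineRevocation means the CRL could not be fetched.
Test-CmgTls -CmgFqdn 'contosocmg.cloudapp.net' | Format-List
```

Bear in mind the check uses this machine's trust store, whereas WinPE trusts only the root certificates the site and the boot media were configured with, so a pass here is necessary but not sufficient.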


Unfortunately I'm sure, and the evidence also gives me the distmgr.log:

Successfully updated the package server status for ["Display=\\XXXcmg.cloudapp.net\"]MSWNET:["SMS_SITE=XXX"]\\XXXcmg.cloudapp.net\ for package XXX00002, Status 0

I tried to remove the XXX00002 package from the TS, but it also behaves exactly the same with the others in the same TS. The strange thing is that I can authenticate, I see the list of available TS but, at the time of download, I get the error.
I'm really sad as I think I'm one step away from the goal ;)

Cheers, Hawk


Thanks for the write-up and video! After following everything exactly, I've run into an immediate failure when attempting to download policy from WinPE once booted. By all accounts it looks cert related, but I can't for the life of me figure out what's happening. CRL enforcement isn't enabled on my CMG, nor is TLS 1.2. I've also tried using the same cert we use for imaging on prem, but that resulted in the exact same error. Sample log below.

 

Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server. Request may fail.    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
Using port 443 for CMG request even customer configured customized port.    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
SMS CCM 5.0: Host=redacted.CLOUDAPP.NET, Path=/CCM_Proxy_ServerAuth/10119/CCM_STS?RequestTokenType=Bulk, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x1204, Options=0x40000000    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
Created connection on port 443    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
Target URL scheme is HTTPS: https://redacted.CLOUDAPP.NET/CCM_Proxy_ServerAuth/10119/CCM_STS?RequestTokenType=Bulk    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
Trying without proxy.    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
[CCMHTTP]                : dwStatusInformationLength is 4    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
[CCMHTTP]                : *lpvStatusInformation is 0x8    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
[CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
spNamespace.Open( c_szEventingNamespace, true, 0, (uFlags & CcmEvent_UseAdminLocator) != 0 ), HRESULT=8004100e (..\Event.cpp,280)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
Failed to create event "CCM_CcmHttp_Status" (8004100E)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
CreateCcmEventV(pszEventName, 0, &spEvent, va), HRESULT=8004100e (..\Event.cpp,353)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
HRESULT_FROM_WIN32( dwErrorCode ), HRESULT=80072f8f (..\requestresponse.cpp,799)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
[CCMHTTP] ERROR: URL=https://redacted.CLOUDAPP.NET/CCM_Proxy_ServerAuth/10119/CCM_STS?RequestTokenType=Bulk, Port=443, Options=1073741824, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
HttpRequestResponse( m_sUserAgent.c_str(), szUrl, szMethod, szHeaders, pPayload, dwPayloadLen, 0, uFlags, &httpOptions, ResponseHandler, (LPVOID)&responseData, false, m_eCertAuthResult, m_dwStatusCode, m_sStatusText ), HRESULT=80072f8f (..\ccmhttpget.cpp,815)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
RequestResponseImpl( szUrl, L"GET", szHeaders, 0, 0, 0, 0, uFlags, &pbResponse, &ulResponseLen), HRESULT=80072f8f (..\ccmhttpget.cpp,297)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
GetURLSyncInStreamEx2(szUrl, szHeaders, uFlags, &spStream), HRESULT=80072f8f (..\ccmhttpget.cpp,372)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
spHttpGet->GetURLSyncInStringEx2( sUrl, sAuthHeader, dwFlags, &csResponse), HRESULT=80072f8f (..\ccmtoken.cpp,478)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
RetrieveTokenFromStsServerImpl failed with error 0x80072f8f    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
Failed to create SMS client object. Error 0x80040154    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
spNS.Open(L"root\\ccm"), HRESULT=8004100e (..\CcmUtilLib.cpp,4350)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
!sCcmToken.empty() && (ulExpiresIn > 0), HRESULT=87d00215 (..\ccmtoken.cpp,404)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
CCcmTokenMgr::RetrieveTokenFromStsServer(szPotentialServerUrl, szQueryString, sAuthToken, sToken, ulExpiresIn), HRESULT=87d00215 (..\clientauthutil.cpp,2734)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
CCM::Authentication::CCMGetTokenForMedia(CCM_PREAUTH_TOKEN_REGISTRATION, sSMSTSMP.c_str(), sMediaToken.c_str(), sMediaGuid.c_str(), pClientCertContext, sMediaBulkToken), HRESULT=87d00215 (tsmediawizardcontrol.cpp,948)    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)
Failed to retrieve registration token from the media token, Error code: 0x87d00215    TSMBootstrap    12/22/2020 3:22:59 PM    1684 (0x0694)

Any help is greatly appreciated!


Yup! Confirmed using the trusted root cert. I've also got that applied to the CMG along with the intermediate. Not sure if it's worth noting, but part of the reason the CRL checks are disabled in my environment is that I had a heck of a time troubleshooting all the rejected attempts to have a client communicate with it until I realized our root cert isn't published externally and will not be due to company security and politics.
