MNSCUG March 2017 Notes

Notes from our March 2017 meeting are below.

Thanks to 1E for their gold sponsorship.




Matthew Teegarden – PKI 



This lab environment uses the following machines:
MNSCUG-DC - Domain Controller, SubCA (Issuing CA)
MNSCUG-PKI - Offline root



Setup CRL location

We will put our CRL location on the DC, because why not!! In your own environment you will probably have something like this:

Offline Root Server
Subordinate CA (Issuing CA) server
CRL Server that can be accessed over the internet (the HTTP CDP/AIA location must be reachable by every client that validates your certificates, including non-domain machines)

On MNSCUG-DC - Subordinate CA - run the following:

Install IIS

New-Item -Path c:\pki -ItemType Directory

Write-Output "Example CPS statement" | Out-File c:\pki\cps.txt

New-SmbShare -Name pki -Path c:\pki -FullAccess SYSTEM,"MNSCUG\Domain Admins" -ChangeAccess "MNSCUG\Cert Publishers"

Check NTFS and share permissions. Make sure Cert Publishers has Modify on both (the issuing CA writes its CRLs and certificate here through the file:// publication URL, and share permissions alone do not grant NTFS write access)

Create CertEnroll Virtual Directory in IIS

Click Start, Administrative Tools and then select Internet Information Services (IIS) Manager.
In the Connections pane, expand the server node (MNSCUG-DC) and then expand Sites.
Right-click on Default Web Site and select Add Virtual Directory.
On Add Virtual Directory page, in Alias, type PKI. In Physical path, type C:\PKI and then click OK.
In the Connections pane, under the Default Web Site, ensure the PKI virtual directory is selected.
In the PKI Home pane, double-click on Directory Browsing.
In Actions pane click Enable.

Enable "Allow double escaping" under Request Filtering. Delta CRL file names contain a plus sign (for example MNSCUGRootCA+.crl), which IIS request filtering rejects unless double escaping is allowed.
If you plan to use the SCCM Certificate Registration Point role, also raise the Request Filtering limits (Maximum URL length and Maximum query string) to 65534

Restart IIS
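The IIS/CDP setup above as one PowerShell script. This is an added example, not from the meeting notes or from Microsoft; it assumes the share name pki, the path C:\pki and the domain MNSCUG from the notes, and that a DNS record for pki.mnscug.org already points at MNSCUG-DC (the notes use that URL but do not show the DNS step). Run it elevated on MNSCUG-DC.

```powershell
# Added example (not from the notes): IIS web server for CDP/AIA plus the share the CAs publish into.
# Assumes share/vdir "pki", folder C:\pki, domain MNSCUG, DNS name pki.mnscug.org -> MNSCUG-DC.
Import-Module ServerManager
Install-WindowsFeature Web-Server -IncludeManagementTools | Out-Null
Import-Module WebAdministration

# Folder that IIS serves and that both CAs publish CRT/CRL files into
New-Item -Path C:\pki -ItemType Directory -Force | Out-Null
'Example CPS statement' | Out-File C:\pki\cps.txt

# Share: Cert Publishers (the CA computer accounts) must be able to write here
New-SmbShare -Name pki -Path C:\pki -FullAccess 'SYSTEM','MNSCUG\Domain Admins' `
    -ChangeAccess 'MNSCUG\Cert Publishers' | Out-Null
# NTFS: share permissions alone are not enough; grant Modify on the folder tree
icacls C:\pki /grant 'MNSCUG\Cert Publishers:(OI)(CI)M' | Out-Null

# Virtual directory /pki with directory browsing (handy when troubleshooting CDP/AIA)
New-WebVirtualDirectory -Site 'Default Web Site' -Name pki -PhysicalPath C:\pki | Out-Null
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\pki' `
    -Filter /system.webServer/directoryBrowse -Name enabled -Value $true

# Delta CRL file names contain "+", so request filtering must allow double escaping
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter /system.webServer/security/requestFiltering -Name allowDoubleEscaping -Value $true

# Only needed for the SCCM Certificate Registration Point (very long request URLs)
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter /system.webServer/security/requestFiltering/requestLimits -Name maxUrl -Value 65534
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter /system.webServer/security/requestFiltering/requestLimits -Name maxQueryString -Value 65534

iisreset | Out-Null

# Quick check: the HTTP location the CAs will advertise must answer over plain HTTP
# (CRL/AIA fetches are HTTP, not HTTPS, to avoid a revocation-check loop)
Invoke-WebRequest -UseBasicParsing -Uri 'http://pki.mnscug.org/pki/' | Select-Object StatusCode
```

Keep the CDP/AIA site on plain HTTP: if the CRL were only reachable over HTTPS, validating that server's TLS certificate would itself require fetching a CRL.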




Set up Offline Root

1. On MNSCUG-PKI (Offline Root) install ADCS

Certificate Authority
Standalone CA
Root CA
Configure new Private Key
Cryptographic provider: RSA#Microsoft Software Key Storage Provider
Key length 4096
Name of CA: MNSCUGRootCA
Validity period- 20 Years
Database location- default

2. On MNSCUG-PKI (Offline Root) Configure settings. 

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://PKI.MNSCUG.ORG/PKI/%3%8.crl"

certutil -setreg CA\CACertPublicationURLs "2:http://PKI.MNSCUG.ORG/PKI/%1_%3%4.crt"

Certutil -setreg CA\CRLPeriodUnits 6
Certutil -setreg CA\CRLPeriod "months"

Certutil -setreg CA\CRLDeltaPeriodUnits 0

Certutil -setreg CA\CRLOverlapPeriodUnits 12

Certutil -setreg CA\CRLOverlapPeriod "Hours"

Certutil -setreg CA\ValidityPeriodUnits 20

Certutil -setreg CA\ValidityPeriod "Years"

certutil -setreg CA\DSConfigDN "CN=Configuration,DC=MNSCUG,DC=ORG"

restart-service certsvc

certutil -crl

Note: with a 6-month CRLPeriod the offline root has to be powered on, certutil -crl re-run, and the new CRL copied to the HTTP location before the current root CRL expires. Once it expires, revocation checking on the issuing CA's own certificate fails, which breaks chain validation on clients and can keep certsvc on the issuing CA from starting.

3. On MNSCUG-PKI (Offline Root) Enable “Audit object access” Success and Failure

Certutil -setreg CA\AuditFilter 127

4. Copy the root CA certificate (.crt) and CRL (.crl) from c:\windows\system32\CertSrv\Certenroll on the Root CA to removable media
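The "Set up Offline Root" steps above as a script, run as a local administrator on MNSCUG-PKI. This is an added example, not from the meeting notes; the CA name, key length, validity and every certutil value come from the notes, while SHA256 as the hash algorithm, E: as the removable drive and the folder name From_MNSCUG-PKI (used later on the issuing CA) are assumptions.

```powershell
# Added example (not from the notes): offline root CA install and configuration.
# Assumed: SHA256 hash, removable drive E:, destination folder E:\From_MNSCUG-PKI.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# Standalone root, software KSP, 4096-bit key, 20-year validity (values from the notes)
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CACommonName 'MNSCUGRootCA' `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# CDP/AIA and CRL settings from the notes. The root is offline and not domain
# joined, so only the local file and the HTTP locations are used (no LDAP).
# Single quotes keep the literal "\n" that certutil uses as the list separator.
$settings = @{
    'CA\CRLPublicationURLs'    = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://PKI.MNSCUG.ORG/PKI/%3%8.crl'
    'CA\CACertPublicationURLs' = '2:http://PKI.MNSCUG.ORG/PKI/%1_%3%4.crt'
    'CA\CRLPeriodUnits'        = 6
    'CA\CRLPeriod'             = 'Months'
    'CA\CRLDeltaPeriodUnits'   = 0      # no delta CRLs on the root
    'CA\CRLOverlapPeriodUnits' = 12
    'CA\CRLOverlapPeriod'      = 'Hours'
    'CA\ValidityPeriodUnits'   = 20     # longest cert it will issue (the sub CA cert)
    'CA\ValidityPeriod'        = 'Years'
    'CA\DSConfigDN'            = 'CN=Configuration,DC=MNSCUG,DC=ORG'
    'CA\AuditFilter'           = 127    # all seven CA audit categories
}
foreach ($kv in $settings.GetEnumerator()) {
    certutil -setreg $kv.Key $kv.Value | Out-Null
}

# "Audit object access" success + failure, so AuditFilter events actually land in the log
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null

Restart-Service certsvc
certutil -crl | Out-Null    # publishes the first root CRL to the locations above

# Step 4: root certificate and CRL go to removable media for the issuing CA
New-Item E:\From_MNSCUG-PKI -ItemType Directory -Force | Out-Null
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.cr*' -Destination E:\From_MNSCUG-PKI\
```

Afterwards `certutil -getreg CA\CRLPublicationURLs` shows the list as certutil parsed it; if the `\n` separator was lost you will see one long entry instead of two.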




Set up the Subordinate CA on MNSCUG-DC - Subordinate CA (Issuing CA)

1. Insert the removable drive with the two files (root .crt and .crl) in the Sub CA

Create one directory, C:\From_MNSCUG-PKI, and copy the two files into it


certutil -dspublish -f C:\From_MNSCUG-PKI\MNSCUG-PKI_MNSCUGRootCA.crt RootCA

certutil -dspublish -f C:\From_MNSCUG-PKI\MNSCUGRootCA.crl MNSCUG-PKI

certutil -addstore -f root C:\From_MNSCUG-PKI\MNSCUG-PKI_MNSCUGRootCA.crt

certutil -addstore -f root C:\From_MNSCUG-PKI\MNSCUGRootCA.crl

2. Create a CAPolicy.inf file in C:\Windows (it must exist before the CA role is configured)

[Version]
Signature="$Windows NT$"

3. Install the Subordinate CA (Issuing CA)

install ADCS – This will be the Subordinate CA
Certification Authority only
Configure the Certification Authority
Enterprise CA
Subordinate CA
Create a new private key
Key length: 4096

4. Copy the REQ file to MNSCUG-PKI (Offline Root CA)
NOTE: the REQ file is written to the root of C:

Insert the removable media and create two folders:
From_MNSCUG-DC - files coming from the Subordinate CA (Issuing CA)
To_MNSCUG-DC - files going to the Subordinate CA (Issuing CA)

Submit the REQ file to the root CA and note the request ID it returns

Issue the cert in the Certification Authority tool (Pending Requests)

Note: The number 3 is the request ID that was displayed when you submitted the REQ. If you saw 2, then use 2.

Copy the items in C:\To_MNSCUG-DC\*.* to the removable drive

5. On the Subordinate CA, copy the issued certificate from the removable drive and install it on the CA (Certification Authority console > All Tasks > Install CA Certificate, or certutil -installcert), then:

restart-service certsvc

6. On the subordinate CA (Issuing CA)

certutil -setreg CA\CRLPublicationURLs "1:C:\windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.MNSCUG.ORG/pki/%3%8%9.crl\n1:file://\\MNSCUG-DC\pki\%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "2:http://pki.MNSCUG.ORG/pki/%1_%3%4.crt\n1:file://\\MNSCUG-DC\pki\%1_%3%4.crt"

Certutil -setreg CA\CRLPeriodUnits 1
Certutil -setreg CA\CRLPeriod "Weeks"
Certutil -setreg CA\DELTACRLPeriodUnits 1
Certutil -setreg CA\DELTACRLPeriod "Days"
Certutil -setreg CA\CRLOverlapPeriodUnits 3
Certutil -setreg CA\CRLOverlapPeriod "Days"
Certutil -setreg CA\ValidityPeriodUnits 5
Certutil -setreg CA\ValidityPeriod "Years"
Certutil -setreg CA\AuditFilter 127
restart-service certsvc
certutil -crl

7. Copy C:\windows\system32\certsrv\certenroll\*.cr* to \\MNSCUG-DC\PKI

8. Copy the CRL and CRT from the RootCA to \\MNSCUG-DC\PKI

9. Explore the Certification Authority console. Show Properties for the CA and for Revoked Certificates. Publish a delta CRL (right-click Revoked Certificates > All Tasks > Publish) and confirm the +.crl file is served from the PKI virtual directory.
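The issuing CA steps above as PowerShell, ending with the check a practitioner wants after step 8: does the issuing CA certificate chain to the root with every advertised AIA/CDP URL reachable. This is an added example, not from the meeting notes. The dspublish/addstore commands, CAPolicy.inf content, registry values and file names are the ones in the notes; the issuing CA name MNSCUGIssuingCA, the request file name C:\MNSCUG-DC.req, SHA256 and E: as the removable drive are assumptions.

```powershell
# Added example (not from the notes). Parts A and C run on MNSCUG-DC as an
# Enterprise Admin, part B on the offline root MNSCUG-PKI. Assumed names:
# MNSCUGIssuingCA, C:\MNSCUG-DC.req, SHA256, removable drive E:.

# ---- A. On MNSCUG-DC: trust the root, then install the CA role and produce the REQ ----
New-Item C:\From_MNSCUG-PKI -ItemType Directory -Force | Out-Null
Copy-Item E:\From_MNSCUG-PKI\* C:\From_MNSCUG-PKI\
$rootCrt = 'C:\From_MNSCUG-PKI\MNSCUG-PKI_MNSCUGRootCA.crt'
$rootCrl = 'C:\From_MNSCUG-PKI\MNSCUGRootCA.crl'
certutil -dspublish -f $rootCrt RootCA       # AD: Trusted Root CAs + AIA containers
certutil -dspublish -f $rootCrl MNSCUG-PKI   # AD: CDP container named after the root host
certutil -addstore -f root $rootCrt          # local machine store on this box as well
certutil -addstore -f root $rootCrl

# CAPolicy.inf has to exist before the role is configured
@('[Version]', 'Signature="$Windows NT$"') | Set-Content C:\Windows\CAPolicy.inf

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 -CACommonName 'MNSCUGIssuingCA' `
    -OutputCertRequestFile C:\MNSCUG-DC.req -Force
New-Item E:\From_MNSCUG-DC, E:\To_MNSCUG-DC -ItemType Directory -Force | Out-Null
Copy-Item C:\MNSCUG-DC.req E:\From_MNSCUG-DC\

# ---- B. On MNSCUG-PKI (offline root): submit, issue, retrieve ----
$out   = certreq -submit -config 'MNSCUG-PKI\MNSCUGRootCA' E:\From_MNSCUG-DC\MNSCUG-DC.req
$reqId = [int][regex]::Match(($out -join ' '), 'RequestId:\s*(\d+)').Groups[1].Value
certutil -resubmit $reqId                    # same as "Issue" on the pending request in the console
certreq -retrieve -config 'MNSCUG-PKI\MNSCUGRootCA' $reqId E:\To_MNSCUG-DC\MNSCUGIssuingCA.crt

# ---- C. On MNSCUG-DC: install the issued cert, configure CDP/AIA, publish, verify ----
certutil -installcert E:\To_MNSCUG-DC\MNSCUGIssuingCA.crt
Restart-Service certsvc
$settings = @{
    'CA\CRLPublicationURLs'    = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n' +
                                 '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n' +
                                 '2:http://pki.MNSCUG.ORG/pki/%3%8%9.crl\n' +
                                 '1:file://\\MNSCUG-DC\pki\%3%8%9.crl'
    'CA\CACertPublicationURLs' = '2:http://pki.MNSCUG.ORG/pki/%1_%3%4.crt\n1:file://\\MNSCUG-DC\pki\%1_%3%4.crt'
    'CA\CRLPeriodUnits'        = 1;   'CA\CRLPeriod'        = 'Weeks'
    'CA\CRLDeltaPeriodUnits'   = 1;   'CA\CRLDeltaPeriod'   = 'Days'
    'CA\CRLOverlapPeriodUnits' = 3;   'CA\CRLOverlapPeriod' = 'Days'
    'CA\ValidityPeriodUnits'   = 5;   'CA\ValidityPeriod'   = 'Years'
    'CA\AuditFilter'           = 127
}
foreach ($kv in $settings.GetEnumerator()) { certutil -setreg $kv.Key $kv.Value | Out-Null }
Restart-Service certsvc
certutil -crl | Out-Null

# Steps 7 and 8: the web/share location needs CRT and CRL files from BOTH CAs
Copy-Item C:\Windows\System32\CertSrv\CertEnroll\*.cr* \\MNSCUG-DC\pki\
Copy-Item C:\From_MNSCUG-PKI\*.cr* \\MNSCUG-DC\pki\

# Check: build the chain for the issuing CA cert and fetch every AIA/CDP URL it
# advertises. A "revocation server was offline" result here means the root CRL
# is not where the URLs say it is, and clients will fail revocation checking.
$caCert = Get-ChildItem C:\Windows\System32\CertSrv\CertEnroll\*.crt | Select-Object -First 1
certutil -verify -urlfetch $caCert.FullName
```

The `79:` prefix on the LDAP line is the sum of the publication flags (1 publish, 2 add to CDP extension, 4 add to delta CDP, 8 publish delta, 64 add to IDP extension); the `1:` file:// line publishes to the share without advertising that path in issued certificates.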


Cloud Management Gateway 

Great step by step - 

This one has pictures! 

This one is nice because the article discusses checking whether the URL is free or taken. The article is WRONG about the certificates. Nice pictures and step by steps though.

PKI - 


Hank – Cloud DP 

Both Azure portals are needed

1. (OLD portal)

Needed for new setup and certificate updates

2. (NEW portal)

Better at reporting and metric dashboards

Use the corporate Azure account for prod


Normal Usage

Disk Usage: 100 GB

Bandwidth: 50 GB

Cost: $50

Peak Usage

Disk Usage: 100 GB

Bandwidth: 15000 GB

Cost: $1000

There are also some other costs from the application's use of blob storage, but they are very small

Setup and Use

1. Create your Certificate for your Cloud DP from your PKI environment

2. Add this Certificate to the Azure Portal

3. In Configuration Manger Console -> Create Cloud Distribution Point

This takes about 5 to 10 minutes

You can log into Azure portal and see objects being created

Instances and Cloud storage

4. Once online you can use it like any other DP

5. Most things work

Lessons Learned


Must add the certificate to the Azure site before first setup

Updating an existing expired certificate is weird and not straightforward

To remove the old certificate from the portal you must enable Remote Desktop, move the association to the new certificate, then disable Remote Desktop

Weird database slowness over time

Noticed a long-running query that was starting to slow down the database after about 5 months of use:

update Azure_Service set LastWADLogDownloadTime = GetDate()

Troy Martin – 1E

Tachyon - Faster IT

Query information and execute actions against your environment in real time

Not policy-based; it returns information in its current state rather than as of the last time inventory was collected

Could be used as a security response tool to execute actions on systems immediately rather than waiting for scheduled client actions to run


What's new in boundary group 

Default Site Boundary Group replaces the fallback DPs that you may have had.

Current boundary group: the site systems that match the boundary group your client machine is in.

Neighbor Boundary Group: used after a 15 min timeout (default) if content can't be found in your current boundary group. The client will try another Neighbor Boundary Group after 30 minutes (default) if the first neighbor didn't have the content.


If you use the same network card or docking station for imaging several machines (think Surface Pros), go to Hierarchy Settings > Client Approval and Conflicting Records > Duplicate hardware identifiers and put the MAC address in. You can then PXE boot from the same network card to image multiple systems.

Windows Information Protection in SCCM =