Users at home — No Corp Network / No VPN / No Certificates, No Problem
As the Covid crisis deepened and large swathes of the workforce started working from home, it was interesting to read Twitter posts from people in tech and gauge where their companies stood in readiness for a large percentage of their staff no longer having access to the office and the resources their LAN connects to.
On the SCCM/MEMCM front it seemed many people had not yet put in Cloud Management Gateways (CMGs) and were now scrambling to do so. Others had begun their cloud journey and were in a good position, yet still had a few things to iron out with laptops that hadn’t been seen on the corporate network in a while.
A couple of scenarios that popped up regularly on Twitter feeds were:
“I have laptops that do not have any certs or VPN and have not been in the office for months. I want to put the SCCM client on these; how is it possible?”
“An exec left her laptop in the office; she is now attempting to use her home laptop and we have agreed to get it under management, if possible.”
The real answer to this is to set up Intune enrollment and distribute a minimum set of tools so users can fulfil their day-to-day role. However, if your company is not there yet with Intune, here’s how updating to MEMCM 2002 and using the CMG’s token-based authentication feature can go towards resolving the above.
Scenario:
Laptops that have never seen the corporate network: get them under management so that software can be distributed to them.
Solution:
Token-based authentication for cloud management gateway
If you can’t install and register clients on the internal network, create a bulk registration token. Use this token when the client installs on an internet-based device and registers through the CMG. The bulk registration token has a short validity period and isn’t stored on the client or the site. It allows the client to generate its own unique token which, paired with its self-signed certificate, lets it authenticate with the CMG.
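The bulk registration token is a compact JWT: the example token further down this post begins with eyJ0eXAiOiJKV1Qi, which is base64url for {"typ":"JWT", and its payload carries a Type claim of BulkRegistration, an aud of urn:sccm:service and the nbf/exp validity window. Because the token is short-lived and you will be sending it to a user out of band, it is worth checking how much of the window is left before you do. The script below is an added example written for this post, not code from the post, from Microsoft or from the BulkRegistrationTokenTool: it decodes the header and payload without verifying the signature (only the issuing site can do that) and reports the validity window and any claim that would make the token unusable. The sample token it builds is constructed for offline testing, with a placeholder signature, so it would never be accepted by a real CMG.

```python
import base64
import json
import time
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT (header.payload.signature) and decode the two JSON parts.

    The signature is deliberately NOT verified: only the site that issued the
    token holds the key to do that, so this is an inspection aid for the admin
    handing the token out, not an authentication decision.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def inspect_bulk_token(token: str, now: Optional[int] = None) -> Dict:
    """Report the validity window of a bulk registration token and flag
    anything that would make it unusable for CMG client registration."""
    now = int(time.time()) if now is None else now
    header, payload = decode_jwt_unverified(token)
    problems: List[str] = []

    # The Type claim distinguishes a bulk registration token from other
    # SCCM-issued tokens; aud names the service the token is meant for.
    if payload.get("Type") != "BulkRegistration":
        problems.append(f"unexpected Type claim: {payload.get('Type')!r}")
    if payload.get("aud") != "urn:sccm:service":
        problems.append(f"unexpected aud claim: {payload.get('aud')!r}")

    nbf, exp = payload.get("nbf"), payload.get("exp")
    if not (isinstance(nbf, int) and isinstance(exp, int)):
        problems.append("nbf/exp claims missing or not numeric")
        usable, remaining = False, None
    else:
        remaining = exp - now  # seconds left; negative once expired
        usable = nbf <= now < exp
        if now < nbf:
            problems.append("token not yet valid (nbf is in the future)")
        elif now >= exp:
            problems.append("token expired; generate a new one with /new")

    def _iso(ts: Optional[int]) -> Optional[str]:
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if isinstance(ts, int) else None

    return {
        "alg": header.get("alg"),
        "not_before": _iso(nbf),
        "expires": _iso(exp),
        "seconds_remaining": remaining,
        "usable_now": usable and not problems,
        "problems": problems,
    }


# Constructed sample values (not a real token): a window starting
# 2020-01-27 20:18:25 UTC with the default 3-day lifetime.
_SAMPLE_NBF = 1580156305
_SAMPLE_EXP = _SAMPLE_NBF + 3 * 24 * 3600


def make_sample_token(nbf: int = _SAMPLE_NBF, exp: int = _SAMPLE_EXP) -> str:
    """Build a constructed, unsigned sample token with the claim layout above."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": "constructed-thumbprint"}
    payload = {
        "Type": "BulkRegistration",
        "iss": "urn:sccm:oauth2:00000000-0000-0000-0000-000000000000",  # placeholder
        "aud": "urn:sccm:service",
        "nbf": nbf,
        "exp": exp,
    }
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature-not-verifiable"),
    ])


if __name__ == "__main__":
    # Paste the real token from BulkRegistrationTokenTool.exe /new in place of
    # make_sample_token() to check it before sending it to a user.
    print(json.dumps(inspect_bulk_token(make_sample_token(), now=_SAMPLE_NBF + 3600), indent=2))
```

Run it with the token you copied from the tool's output in place of the sample; if `usable_now` is false or `seconds_remaining` is too short for the user to act on, generate a fresh token rather than sending one that will have lapsed by the time the installer runs.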
Requirements:
SCCM (MEMCM) Version 2002
Cloud Management Gateway
An admin account on the laptop on which you are going to install the SCCM client
How to:
1. Sign in to your primary site server / CAS with local administrator privileges.
2. Open a command prompt as an administrator.
3. Change directory to the Bin\X64 folder of the SCCM install directory (\Program Files\Microsoft Configuration Manager\Bin\X64).
4. Run BulkRegistrationTokenTool.exe /new
5. You will receive output like the following (notice the expiry date is 3 days by default; you can extend this, see the notes at the bottom of the post).
6. Copy the key part of the output (the token) to a file; you will need it for your client.
7. Copy ccmsetup.exe from the SCCM client folder to your local computer (we will email / share this with the user after adding the installer cmd file below).
8. Put ccmsetup.exe in a folder and create a cmd file to go with it.
Insert the command below into the cmd file, replacing the key, CMG and MP details with your own.
(You can get the CMG address from an existing client via Control Panel > Configuration Manager > Network.)
Example installer.cmd (put this in the client folder you will send to the user):
ccmsetup.exe /nocrlcheck /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC SMSMP=https://mp1.contoso.com /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0NNIiwiTGljZW5zZSI6IlNDQ00iLCJUeXBlIjoiQnVsa1JlZ2lzdHJhdGlvbiIsIlRlbmFudElkIjoiQ0RDQzVFOTEtMEFERi00QTI0LTgyRDAtMTk2NjY3RjFDMDgxIiwiVW5pcXVlSWQiOiJkYjU5MWUzMy1wNmZkLTRjNWItODJmMy1iZjY3M2U1YmQwYTIiLCJpc3MiOiJ1cm46c2NjbTpvYXV0aDI6Y2RjYzVlOTEtMGFkZi00YTI0LTgyZDAtMTk2NjY3ZjFjMDgxIiwiYXVkIjoidXJuOnNjY206c2VydmljZSIsImV4cCI6MTU4MDQxNbUwNSwibmJmIjoxNTgwMTU2MzA1fQ.ZUJkxCX6lxHUZhMH_WhYXFm_tbXenEdpgnbIqI1h8hYIJw7xDk3wv625SCfNfsqxhAwRwJByfkXdVGgIpAcFshzArXUVPPvmiUGaxlbB83etUTQjrLIk-gvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZPJUu4-mQFIgrMmKCYbFk3AaEvvrJienfWSvFYLpIYA7lg-6EVYRcCAA
Notes
/mp: the name of your CMG
CCMHOSTNAME= the name of your CMG
SMSMP= your internal management point
/regtoken: the bulk registration token you copied in step 6 (note the space before the switch; it is a ccmsetup parameter, not part of the SMSMP value)
(By the way, I added /nocrlcheck to mine.)
This might just be an issue with my site, but mine didn’t work till I added the /nocrlcheck switch.
Send the folder off to the user, or remote on, and run the installer.
The laptop will now be added to SCCM.
My test was a blank ISO build of Windows 10 Pro, logged in as a local account in a workgroup, with NO VPN and no access to the corporate LAN.
Notes
Switches for the bulk tool
The BulkRegistrationTokenTool.exe tool is in the \bin\X64 folder of the Configuration Manager installation directory on the site server. Sign in to the site server and run it as an administrator. It supports the following command-line parameters:
/? Display this usage information.
/new Create a new bulk registration token (valid for 3 days by default).
/lifetime Set how long the token is valid; use this to extend the default 3-day window (see the Microsoft documentation for the accepted values).
Full Details from Microsoft