Hi really needing help with this one as it driving me mad!
I'm trying to deliver a VPN upgrade to our current domain machines, they are all on various versions of the AT&T Managed VPN client and we need to upgrade them to version 8.10.
Create VPN profiles In the Configuration Manager console, in the Assets and Compliance workspace. Click Create VPN Profile in the ribbon. On the General page, specify a Name, and then select the VPN profile type. If the Supported Platforms page is available, select the OS versions for..
- SCCM over VPN connections. To get to this within the Configuration Manager Console, expand Site Database, Site Management, SCCM Site Name, Site Settings and Boundaries. Also another important setting in this configuration especially for VPN clients which will be connecting in through varying bandwidth speeds is to set the network.
- AutoVPN profile does not have an AlwaysOn option in SCCM VPN profile Wizard There is no option in SCCM VPN profile wizard for AlwaysON autovpn solution. Both HP companies are around 300,000 users trying to implement autoVPN solution and need to have this option added.
The problem that we face is that the installation first removes the previous version and requires a reboot, because we have different sites globally we have different billing codes for each area and these settings must be retained to automate the process so we have a custom property we use in the command line to retain these settings during the uninstall/install procedure.
Open Vpn Profiles
The problem comes when the previous version is uninstalled and then reboots the machine, from what I can gather the .msi renames the config file that has the user details reboots the machine and installs the upgrade setting the renamed settings file back to the correct path/name.
When the machines reboots and the user logs on an error that 'SYSTEM' previously started an installation is displayed and the installation then halts with changes made reverted and a series of reboots are required.
I've tried the delivery using 'Install with administrative privileges' for the program which is usign the SYSTEM account and produces this error.
I've only managed to complete the full upgrade when settings are 'When no user is logged on' and then it isn't satisfactory as we retain all the user settings but authentication fails when running the VPN client as apparently the install must complete under a user context.
Has anyone any ideas at all how we might overcome this as I've tried first uninstalling the app then adding a entry to the CURRENT_USER/RunOnce key to call a .cmd file to launch the installation but user rights prevent the execution in this manner.
Any ideas gratefully received.
~ Karan Rustagi
Configuration Manager 2012 SP2 allows you to provision personal information exchange (.pfx) files to user’s devices. PFX files can be used to generate user-specific certificates to support encrypted data exchange. With Configuration Manager 2012 SP2, imported PFX certificates can be deployed to iOS, Android, and Windows 10 devices. These files can then be deployed to multiple devices to support user-based PKI communication.
This article discusses the process of deploying a PFX certificate profile to an IPAD running iOS 8.3.
22/11/2017 - Although, the steps mentioned below are still valid but a newer and better way now exists to deploy certs using PFX-Import method. Read about Import-CMClientCertificatePfx cmdlet here - https://docs.microsoft.com/en-us/powershell/module/configurationmanager/import-cmclientcertificatepfx?view=sccm-ps
Tip: Do not forget to include -ForSmimeEncryption switch if you want to use certificate for S/MIME
To know more about PFX deployment method in Intune standalone, please read the following blog post:
Want to push a Certificate to device but can’t use NDES? Read about PKCS #12 (PFX) deployment in Intune standalone
Step 1 – Export user certificate to a PFX file.
System Center Configuration Manager Setup
b. Export the private key.
c. Untick ‘Include all certificates in the certification path if possible’.
d. Type password. You will need this later in Step 5.
e. Specify the name of the file.
f. Click on finish to export the certificate.
Step 2 – Encode PFX file to Base64 blob using Certutil tool.
a. Open CMD and type following command:
Certutil –encode <InFile> <OutFile>
For Ex:
Certutil –encode C:PublicKaranrKaranr-pfx.pfx C:PublicKaranrbase64blob.txt
b. Open base64blob.txt and remove following lines leaving just the actual blob in it.
----- BEGIN CERTIFICATE -----
----- END CERTIFICATE -----
Save changes to file.
Step 3 – Create a Certificate Profile in Configuration manager console.
a. Open Configuration Console using following command line:
AdminConsolebinMicrosoft.ConfigurationManagement.exe sms:debugview
b. Navigate to Assets and Compliance – Overview - Compliance Settings – Company Resource Access – Certificate Profiles.
c. Right click on Certificate Profiles to create a new profile.
d. Specify a Name and choose ‘Personal Information Exchange – PKCS #12 (PFX) Settings - Import’.
e. Select appropriate Key Storage Provider and click on Next.
f. Select Platform.
g. Click on Summary and complete the wizard.
h. Deploy newly created certificate profile to a collection.
Step 4 – Note down the CI_UniqueID of newly created certificate profile.
a. Right click on profile and click on ‘Show Object Details’ option.
b. You will now be re-directed to Tools workspace.
c. Copy CI_UniqueID property using Ctrl + C on your keyboard.
d. Create a new .txt file called CI_UniqueID.txt and paste the content using Ctrl + P.
e. Remove CI_UniqueID and String.
Before:
After:
f. Save the changes to CI_UniqueID.txt
Step 5 – Run the PowerShell script mentioned here to link base64 blob to certificate profile.
Sample Script:
$EncryptedPfxBlob = '<blob>'
$Password = 'abc'
$ProfileName = 'PFX_Profile_Name'
$UserName = 'ComputerNameAdministrator'
#New pfx
$WMIConnection = ([WMIClass]'<Name of the machine where provider is installed>rootSMSSite_MDM:SMS_ClientPfxCertificate')
$NewEntry = $WMIConnection.psbase.GetMethodParameters('ImportForUser')
$NewEntry.EncryptedPfxBlob = $EncryptedPfxBlob
$NewEntry.Password = $Password
$NewEntry.ProfileName = $ProfileName
$NewEntry.UserName = $UserName
$Resource = $WMIConnection.psbase.InvokeMethod('ImportForUser',$NewEntry,$null)
Note:
$EncryptedPfxBlob – This will be base64 blob from base64blob.txt we created earlier in Step 2.
$Password – Password for PFX file - Step 1.d
$ProfileName – CI_UniqueID of the profile from CI_UniqueID.txt we created earlier in Step 4.
$UserName – Unique User Name for user. You can get unique user name for a user from properties of the user record in console.
For Ex:
b. To check if script ran successfully, run following command. It should list the thumbprint of certificate you exported in Step 1.
Get-WmiObject rootSMSSite_scs –Class sms_clientpfxcertificate | Select-Object Thumbprint
Note: Replace scs with your site code
c. Wait for DMP_Uploader to upload the policy to Intune.
Refresh policy on the device. Once done, go to Settings – General – Device Management – Management Profile – More Details. You should now see the certificate listed. iOS does not show the thumbprint so use Serial Number to verify the certificate.