Posts on this page:

I would like to demonstrate a rather neat script that simplifies certificate request generation for OpsMgr managed clients. Until now we have had to use various methods that are complex for administrators who are not familiar with digital certificates, such as:

Both methods require additional steps to generate the request. For example, if you use the CertReq.exe utility, you need to write a fairly complex certificate enrollment configuration (INF) file. If you use the Certificates snap-in, you need to specify all of the necessary data manually (subject, private key settings, certificate extensions, and so on). This PowerShell script does all of that for you: copy and paste the script into a PowerShell console and run it.
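As an added example (this is not the script from the post), the following PowerShell builds the CertReq.exe INF that the post calls complex and submits it with `certreq -new`. It assumes the request is for the local machine's FQDN and that the key is created in the machine key store; adjust the subject if your agent identifies itself by a different name.

```powershell
# Added example (not the script from the post): generate a CertReq.exe INF for an
# OpsMgr agent certificate and submit it with "certreq -new".
# Assumptions: the request is for the local machine's FQDN and the key is created
# in the machine key store; adjust the subject if your agent uses a different name.

function New-OpsMgrCertificateRequest {
    param(
        # OpsMgr matches the subject CN against the agent's FQDN
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$OutputDir = $env:TEMP,
        # Leave off unless the key really must be moved to another machine
        [switch]$Exportable
    )

    $infPath = Join-Path $OutputDir "$Fqdn.inf"
    $reqPath = Join-Path $OutputDir "$Fqdn.req"
    $exportFlag = if ($Exportable) { 'TRUE' } else { 'FALSE' }

    # What the OpsMgr agent needs from the certificate:
    #   KeySpec = 1            exchange key (AT_KEYEXCHANGE)
    #   KeyUsage = 0xA0        digitalSignature (0x80) + keyEncipherment (0x20)
    #   MachineKeySet = TRUE   key in the LocalMachine store, where the agent looks
    #   EKUs                   Server Authentication and Client Authentication
    # HashAlgorithm is honoured by certreq on Windows Vista/Server 2008 and later;
    # remove that line when generating the request on older systems.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
Exportable = $exportFlag
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@

    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    # certreq -new creates the key pair in the machine store and writes a
    # base64 PKCS#10 request that you then submit to your CA
    & certreq.exe -new $infPath $reqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }
    Get-Item $reqPath
}

# Usage: run in an elevated console, then submit the .req file to the CA.
New-OpsMgrCertificateRequest
```

Run it elevated, because the key is created in the machine key store. When the CA returns the issued certificate, `certreq -accept issued.cer` installs it into LocalMachine\My and binds it to the private key generated here; the agent is then pointed at it with MOMCertImport.exe from the OpsMgr support tools.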


Read more →

In this article I want to talk about AppLocker rule priority and rule sorting. As you know, AppLocker has only one security level, or default action: deny everything except what is explicitly allowed. This is a common point of misunderstanding for some administrators.

When you create a Path or Publisher rule, it does not uniquely identify a particular file. For example, a Path rule such as C:\BusinessPrograms\* allows anything within the C:\BusinessPrograms folder and all of its subfolders to run. Or you create a Publisher rule that allows any file signed with the 'Microsoft Corporation' digital certificate to run, regardless of where the file is located. However, it is a common scenario that you still want to block some files located in that folder or its subfolders (in the Path rule case) or some files signed with that particular certificate subject (in our case the 'Microsoft Corporation' certificate).
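As an added example (not code from the post), the following builds a small AppLocker policy with exactly that shape, an Allow Path rule for a BusinessPrograms folder plus a Deny Path rule for one of its subfolders, and evaluates two files against it with Test-AppLockerPolicy. Nothing is applied to the machine; the policy lives only in a temporary XML file, and the folder, file names and placeholder executables are constructed for the demonstration. The AppLocker module requires Windows 7/Server 2008 R2 or later.

```powershell
# Added example (not from the post): an Allow Path rule covering a folder plus a
# Deny Path rule for one subfolder, evaluated with Test-AppLockerPolicy.
# Nothing is applied to the machine; paths and files below are constructed.

Import-Module AppLocker

$root    = Join-Path $env:TEMP 'BusinessPrograms'
$allowed = Join-Path $root 'app.exe'
$denied  = Join-Path $root 'Legacy\oldtool.exe'

# Create empty placeholder executables so Test-AppLockerPolicy has files to evaluate
New-Item -ItemType Directory -Force -Path (Split-Path $denied) | Out-Null
New-Item -ItemType File -Force -Path $allowed, $denied | Out-Null

# S-1-1-0 is the Everyone SID. AppLocker evaluates an explicit Deny before any
# Allow, so the second rule wins for files under the Legacy subfolder even though
# the first rule's path wildcard also covers them.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow BusinessPrograms" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$root\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Block Legacy subfolder" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$root\Legacy\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'BusinessPrograms-policy.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Evaluate both files; the output shows which rule matched and the decision
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $allowed, $denied -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Expect app.exe to come back Allowed by the first rule and Legacy\oldtool.exe Denied by the second; swapping the order of the two FilePathRule elements in the XML does not change the outcome, because the decision is driven by the rule action, not by position in the file.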


Read more →

This post is based on an existing OpsMgr product group (PG) post: Troubleshooting Ops Mgr Certificate issues with Powershell. In my opinion the existing script returns too much information to the user and is not easy to understand. It also misses some points:

  • certificates might be issued by third-party Certification Authorities (CAs), and the serial number does not always have a fixed length. In some cases the script therefore converts the certificate serial number to the wrong value;
  • by default (on operating systems prior to Windows 7/Server 2008 R2) the X509Chain.Build() method attempts to build a chain up to any root certificate stored in the Trusted Root CAs container of the CurrentUser store. This means that while the original script returns an "Ok" status, the OpsMgr agent may still fail to work with this certificate, because the root certificate does not exist in the Trusted Root CAs container of the LocalMachine store;
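As an added example (it is neither the PG script nor the post's own), the following PowerShell addresses both points: it decodes the serial number the agent has configured without assuming a fixed length, finds the certificate in the LocalMachine Personal store, and after building the chain verifies separately that the root is present in the LocalMachine Trusted Root store, which is what the agent running as LocalSystem actually consults. It assumes the agent records the serial as the REG_BINARY value ChannelCertificateSerialNumber under the "Machine Settings" key, as MOMCertImport does for OpsMgr 2007/2012 agents.

```powershell
# Added example (not the PG script and not the post's own): locate the
# certificate the local OpsMgr agent is configured to use, decode the registry
# serial number without assuming a fixed length, and confirm the chain ends at
# a root that exists in the LocalMachine Trusted Root store.
# Assumption: the serial is stored by MOMCertImport as ChannelCertificateSerialNumber
# under the "Machine Settings" key (OpsMgr 2007/2012 agents).

function ConvertFrom-OpsMgrSerialNumber {
    param([Parameter(Mandatory = $true)][byte[]]$RegistryValue)
    # The REG_BINARY value holds the serial bytes in reversed order. Reverse them
    # back and render the same upper-case hex string that
    # X509Certificate2.SerialNumber returns, whatever length the issuing CA chose.
    $bytes = [byte[]]$RegistryValue.Clone()
    [array]::Reverse($bytes)
    ([BitConverter]::ToString($bytes)) -replace '-', ''
}

function Test-OpsMgrCertificate {
    $keyPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $regValue = (Get-ItemProperty -Path $keyPath -ErrorAction Stop).ChannelCertificateSerialNumber
    if (-not $regValue) { throw 'The OpsMgr agent has no certificate configured.' }
    $serial = ConvertFrom-OpsMgrSerialNumber -RegistryValue $regValue

    # The agent runs as LocalSystem, so the certificate and its private key must
    # be in the LocalMachine Personal store, not in a user's store.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $serial } | Select-Object -First 1
    if (-not $cert) { throw "Certificate with serial $serial was not found in LocalMachine\My." }

    # Both Server Authentication and Client Authentication EKUs are required
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $hasRequiredEku = ($ekus -contains '1.3.6.1.5.5.7.3.1') -and ($ekus -contains '1.3.6.1.5.5.7.3.2')

    # Build the chain, then check the root independently: on older systems
    # X509Chain.Build() may be satisfied by a root that only exists in the
    # CurrentUser store, which means nothing to the agent.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainBuilt = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInMachineStore = $false
    if ($top.Subject -eq $top.Issuer) {
        $rootInMachineStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $top.Thumbprint })
    }

    New-Object PSObject -Property @{
        Subject            = $cert.Subject
        SerialNumber       = $serial
        HasPrivateKey      = $cert.HasPrivateKey
        HasRequiredEku     = $hasRequiredEku
        ChainBuilt         = $chainBuilt
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        RootSubject        = $top.Subject
        RootInMachineStore = $rootInMachineStore
        # The agent can use the certificate only when every check passes
        Usable             = $cert.HasPrivateKey -and $hasRequiredEku -and $chainBuilt -and $rootInMachineStore
    }
}

Test-OpsMgrCertificate | Format-List
```

Run it elevated so the LocalMachine stores and the registry key are readable. A result with ChainBuilt true but RootInMachineStore false is exactly the case the second point describes: the chain was completed from the current user's roots, and the agent will still reject the certificate until the root is imported into Cert:\LocalMachine\Root.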

Another question is what we actually want to get from the script. I think we just want to know:


Read more →

This article describes the process of obtaining and installing a digital certificate for an OpsMgr agent that is not a member of your AD forest or of a trusted forest. This article assumes that your managed computer is running one of the following operating systems:

  • Windows 2000
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8/8.1
  • Windows 10
  • Windows 2000 Server
  • Windows Server 2003 (including R2)
  • Windows Server 2008 (including R2 and Server Core)
  • Windows Server 2012 (including R2 and Server Core)

The target audience is OpsMgr administrators who have limited or no understanding of what certificates are and how PKI works. What is described below is not the only way to achieve this or a similar goal, but it implements many PKI best practices.

In this article


Read more →