Certificates for internet-based site systems in SCCM

Internet-based site systems in SCCM need certificates with the server authentication purpose, e.g. a Web Server certificate. Important for these certificates is that the FQDN of the server (or the defined DNS alias) appears in either the certificate subject name field or the subject alternative name (SAN) field.

BUT!!! It gets difficult if you want to use one certificate for both intranet and internet usage. In this case both FQDNs must be included in the certificate, but only one certificate subject name can be configured. By default a Windows PKI also issues certificates with only one SAN name, but this can be changed!

Execute the following command to extend the CA with the SAN2 extension, so that certificates get issued with these fields. Note that this is a CA-wide setting: it allows any requester to supply SAN values as request attributes for any template on this CA, so keep enrollment permissions on that CA tight:

certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTNAME2

After this, stop and start the CA service:

net stop certsvc && net start certsvc

Now you can issue certificates with more than one SAN name.
To request a certificate with multiple SAN names, go to your computer certificates MMC, request a new certificate, choose your server authentication template and go to the properties page by clicking the details arrow.
Under Alternative name select the type 'DNS' and type in your FQDNs.


Assign Windows PE Boot Image to Client

Windows Deployment Services (WDS) delivers a command line tool named wdsutil.exe, which can be used to prestage computers in Active Directory. I was personally interested in getting a Windows PE boot image chosen automatically for a client in the Windows Boot Manager.
One use case is, for example, having different Windows PE images for different processor architectures (x86, x64).
The parameter /BootImagePath defines the boot image that the client starts after the countdown.

Example x86
WDSUTIL /Add-Device /Device:ComputerName /ID:MACAddress /ReferralServer:WDSServerName /BootProgram:boot\x86\pxeboot.com /BootImagePath:boot\x86\images\bootx86.wim

Example x64
WDSUTIL /Add-Device /Device:ComputerName /ID:MACAddress /ReferralServer:WDSServerName /BootProgram:boot\x64\pxeboot.com /BootImagePath:boot\x64\images\bootx64.wim

After executing the command, a computer account is created in Active Directory which stores the configured options. Once a client now boots from the network, it gets all the information it needs to choose the assigned boot image.
Note: Scripting the "WDSUTIL /Add-Device" command is a comfortable way to create multiple prestaged computer objects.

Furthermore, you can configure your WDS server to answer only known clients, which gives you more control over the deployment.
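Following up on the note about scripting "WDSUTIL /Add-Device", here is an added example (not from the original post) that prestages many computers from a CSV and assigns the x86 or x64 boot image per row. The CSV columns (Name, MAC, Arch), the server name WDS01 and the CSV path are assumptions; the boot program and image paths are the ones from the two examples above.

```powershell
# Added example, not part of the original post: prestage computers from a CSV
# and pick the boot image by architecture. Assumed CSV columns: Name,MAC,Arch
# (Arch is x86 or x64). $WdsServer and $CsvPath are placeholders for your values.
param(
    [string]$CsvPath   = '.\prestage.csv',
    [string]$WdsServer = 'WDS01',   # assumption: your WDS referral server
    [switch]$DryRun                 # print the commands instead of running them
)

# Boot program / boot image pairs exactly as in the x86 and x64 examples above.
$BootImages = @{
    'x86' = @{ Program = 'boot\x86\pxeboot.com'; Image = 'boot\x86\images\bootx86.wim' }
    'x64' = @{ Program = 'boot\x64\pxeboot.com'; Image = 'boot\x64\images\bootx64.wim' }
}

function Format-MacAddress {
    # Accept 00:11:22:33:44:55, 0011.2233.4455 or 001122334455 and
    # return the dashed form 00-11-22-33-44-55; reject anything else.
    param([string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Invalid MAC address '$Mac'" }
    return ($hex -replace '(..)(?!$)', '$1-')
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $arch = $row.Arch.Trim().ToLower()
    if (-not $BootImages.ContainsKey($arch)) {
        Write-Warning "$($row.Name): unknown architecture '$($row.Arch)', skipped"
        continue
    }
    try   { $mac = Format-MacAddress $row.MAC }
    catch { Write-Warning "$($row.Name): $_"; continue }

    $img = $BootImages[$arch]
    $wdsArgs = @(
        '/Add-Device', "/Device:$($row.Name)", "/ID:$mac",
        "/ReferralServer:$WdsServer",
        "/BootProgram:$($img.Program)", "/BootImagePath:$($img.Image)"
    )
    if ($DryRun) { Write-Host "WDSUTIL $($wdsArgs -join ' ')"; continue }
    & WDSUTIL.exe @wdsArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$($row.Name): WDSUTIL exited with code $LASTEXITCODE"
    }
}
```

Run it once with -DryRun to review the generated commands before any computer objects are created.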