SCCM - Build and Capture - Application installation while on PKI for workgroup clients not working

Jonathan 11 Reputation points
2021-04-13T07:27:39.68+00:00

Hello,

I'm trying to do a Build and Capture task sequence but the TS always fails at the Install Application step. This step works when the client joins the domain but not on workgroup.

I already checked many forums but I'm not able to find a solution.

I found errors in LocationService.log; it seems that the problem is that the clients don't have a certificate. I don't know how to import the certificate for workgroup clients in a Build and Capture TS, or whether that is what I need to do.

[CCMHTTP] ERROR: URL=https://FQDN_TO_SERVER/SMS_MP/.sms_aut?SITESIGNCERT, Port=0, Options=31, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERT
[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=

I use the following parameters to install the SCCM client: SMSCACHESIZE=10240 SMSMP=FQDN /UsePKICert /NoCRLCheck CCMHTTPSSTATE=31 DNSSUFFIX=DOMAIN

Can you help me with this?

Do you need to see a specific log?


16 answers

  1. Jonathan 11 Reputation points
    2021-04-14T06:12:48.067+00:00

    Thanks for your feedback.

    I understand that it is not the recommended approach but it's time consuming to wait for every piece of software to be installed. When you need to install 100, 300, 600 or 1000 computers in a limited time, having a reference image ready helps very much. Before the switch from HTTP to HTTPS, we used this method and it worked well.

    Do you know of any solution that I can apply in our case so we can do that?

    I know that some people join the domain instead of a workgroup to install the software and then remove the computer from the domain before the capture step. I know that's not the best solution either, but what is possible to do?

    How can I authenticate the client in a workgroup so it can talk with the DP in a PKI environment?


  2. Pavel yannara Mirochnitchenko 12,596 Reputation points MVP
    2021-04-14T06:39:05.48+00:00

    Sorry for the off-topic, but I quit using B&C after Windows 7. With Win10 I use the native install.wim. Patches can be done with offline servicing. Unless you need a thick image and the fastest install times, I would give up on B&C :)


  3. Jonathan 11 Reputation points
    2021-04-14T07:52:43.63+00:00

    Hi @Pavel yannara Mirochnitchenko, thanks for your message.

    I understand your point of view but in our case it is not always possible :-/


  4. Jonathan 11 Reputation points
    2021-04-15T13:55:44.48+00:00

    Thanks @Jason Sandys for your advice. I know and I agree with you that it is not clean to do that, and I always try to do things as cleanly as possible. I have been looking for the solution for many days and I was trying to find a temporary solution for now. So I came here to try to understand why it is not working and to solve this in a clean manner.

    Is it possible to share the logs with you privately?

    Here is the configured DP certificate:

    88266-dp1.png
    88205-dp2.png
    88215-dp3.png
    88253-dp8.png
    88254-dp10.png

    Distribution Point properties:

    88234-dp-properties.png

    Site properties:

    88222-site.png


  5. Jason Sandys 31,306 Reputation points Microsoft Employee
    2021-04-15T20:26:52.58+00:00

    You need to check the enhanced key usage. For the cert template, assuming that is the one used to issue the cert, that'll be on the extensions tab/page. Alternatively, it's an attribute on the certificate itself.

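The enhanced key usage check suggested in the answer above, as an added PowerShell example that is not part of the original thread: for each certificate in the local computer's personal store it reports whether the EKU extension lists Client Authentication (OID 1.3.6.1.5.5.7.3.2), along with validity and private-key presence. The function name `Get-CertEkuReport` is hypothetical, and the store path is an assumption about where the certificate in question is installed.

```powershell
# Added example, not from the thread.
# 1.3.6.1.5.5.7.3.2 is the standard OID for the Client Authentication EKU.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-CertEkuReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # The EKU is a certificate extension; it can be absent entirely.
        $ekuExt = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1

        $oids = @()
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        $now = Get-Date
        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            NotAfter      = $Certificate.NotAfter
            InValidity    = ($Certificate.NotBefore -le $now -and $now -le $Certificate.NotAfter)
            HasPrivateKey = $Certificate.HasPrivateKey
            EkuPresent    = [bool]$ekuExt        # False = no EKU extension on the cert
            EkuOids       = $oids -join ', '
            ClientAuth    = $oids -contains $ClientAuthOid
        }
    }
}

# Assumption: the certificate is in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    Get-CertEkuReport |
    Sort-Object ClientAuth -Descending |
    Format-Table Subject, NotAfter, InValidity, HasPrivateKey, EkuPresent, ClientAuth -AutoSize

# To inspect an exported public certificate instead (placeholder path):
# New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\cert.cer' |
#     Get-CertEkuReport | Format-List
```

A row with `ClientAuth` False and `EkuPresent` True is a certificate issued for other purposes only, which is what the extensions tab of the template would also show.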
