The first thing you will need to do is create a separate certificate template to create the SCCM client certificate to be used for your workgroup computers.
Create the certificate template
Open the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr WG Client Certificate.
Change the validity period to 5 years
Click the Request Handling tab, tick the box to allow the private key to be exported.
Click the Security tab, remove Domain Computers, add in your Domain User Account or any other account which will be used to generate the client certificate for the workgroup computer and select the additional permissions of Enroll.
You will use this account later when you need to generate the certificate for the workgroup computer. You will logon to http://certserver/certsrv with it.
Click OK and close Certificate Templates Console.
In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr WG Client Certificate, and then click OK.
Close the Certification Authority console.
Add the SCCM client certificate on the workgroup computer
- From the workgroup computer, logon to the certificate request page as the account you gave the Enroll permission to above – http://certserver/certsrv
- Click on Request a certificate
- Advanced certificate request
- Create and submit a request to this CA.
- Fill in all the details as shown
Leave the rest default, click next.
- Click Install this certificate
- Because the certificate will end up in the user certificate store of the workgroup computer, you will need to export it from there and import it into the local computer certificate store.
Open the Certificates MMC console for the user account > Expand the Personal store > Click on Certificates > Right click on the certificate and export.
- Click next
- Type a password
- Browse to a location for the file and give a name, the file will have a .PFX extension.
- Import Process – Open the Certificates MMC console for the computer account > Right click on the Personal store and choose Import > browse to the certificate you just exported.
Root CA Trust
As your workgroup computer is not on the domain, you will need to allow the workgroup computer to trust your CA environment. The easiest way to do this is to copy the Root CA’s AIA certificate to the workgroup computer, this certificate can be found in the Root CA’s AIA location which is generally %windir%\System32\certsrv\CertEnroll on the certificate server and it will end in .CRT. Once it’s copied to the workgroup computer, open the Certificates MMC console for the computer account > Right click on Trusted Root Certification Authorities and choose Import > browse to the Root CA’s certificate you just copied.
Installing the SCCM client
To install the client manually, run the following command on the workgroup computer:
ccmsetup.exe /native:FALLBACK /mp:SCCM_server.contoso.com SMSSLP=SCCM_server.contoso.com SMSSITECODE=LAN CCMFIRSTCERT=1
ccmsetup.exe can be found on your SCCM server – C:\Program Files (x86)\Microsoft Configuration Manager\Client which is shared as “\\SCCM_server\SMS_<sitecode>\Client”
An alternative way – http://mikeshellenberger.wordpress.com/2010/09/02/installing-system-center-configuration-manager-on-workgroup-computers/
do you know if there is a way to automate this with certutil or any other utils?