Westy182 Posted April 2, 2019

Hi all,

I hope someone can help me, even if it's just to say this isn't possible....

We currently have an SCCM 1806 environment with HTTPS/PKI enabled. All domain-joined machines receive their personal PKI cert to allow SCCM client communication via GPO and this works fine.

We have a need to build servers that are in a DMZ workgroup and at present these are built using a standard OSD task sequence which joins them to the domain. The server then has to be manually removed from the domain and added to the DMZ workgroup, then a certificate needs to be requested from the Certificate Authority and applied to the server.

I'm in the process of trying to streamline all server builds, and this is one area that has come up where the company would like to reduce manual tasks if possible.

When joining a workgroup during an OSD task sequence things obviously stop working once the SCCM client is installed, as the communication to an MP doesn't occur.

Is there a way to build a machine using a Task Sequence where it can be added to a workgroup and continue to communicate to the MP and finish the TS?

I have been playing around with some scripts to request a PKI cert so that it can be applied in the TS prior to the SCCM client being installed, but I'm really struggling now and don't even know whether what I'm trying to do is even possible at all! I've been unable to find a guide to doing this, so I'm wondering if it's impossible.

Has anyone got any pointers?

Thanks in advance.

Westy