PXE Boot issue after HTTPS only and PKI has been applied

Question
Main error: WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set. Screenshot attached.
- 1910 environment, transferred to HTTPS only mode with PKI usage
- Certs in use: Web Cert for PS, Workstation Cert with Private Key Export for DP, Workstation Cert for Clients
- Clients on-field are transformed to PKI mode and are capable of installing Applications and Packages
- Boot images are updated to DPs after PS and DP are transformed to use HTTPS only.
MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.
Thursday, December 5, 2019 8:58 AM
Answers
> WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA
The CA that issued your certs is not trusted.
> At Site properties, Root CA is not specified.
Without this, the PXE and media boot clients won't trust the CA that issued the certs which is your issue.
Jason | https://home.configmgrftw.com | @jasonsandys
- Marked as answer by Niall C. BradyMVP Sunday, December 8, 2019 3:47 PM
- Unmarked as answer by Pavel yannara Mirochnitchenko Monday, December 9, 2019 6:59 AM
- Marked as answer by Pavel yannara Mirochnitchenko Monday, December 9, 2019 7:00 AM
Saturday, December 7, 2019 11:38 PM
All replies
Did you also do the PKI client cert on the DP settings as well?
One of the lines does mention something about "In SSL, but with no client certs".
Website: www.walshamsolutions.com Technical Blog: https://www.walshamsolutions.com/technical-blog Personal Blog: https://www.walshamsolutions.com/personal-blog Twitter: Dwalshampro
Thursday, December 5, 2019 10:26 AM
Like I wrote above, I added a wks cert for the DP, which was exported with the private key. Did it like this: https://www.windows-noob.com/forums/topic/16301-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-2/
MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.
Thursday, December 5, 2019 10:47 AM
Is the root cert installed on the DP?
Is the export to pfx done from the DP?
Thursday, December 5, 2019 3:13 PM
Hi,
Thanks for posting in TechNet. Please try the following actions:
1. Please try to re-import your DP client cert on your PXE DP and check the CRL availability for the certificate you are using on the DP.
2. Please make sure the date and time on the PXE booted system are correct.
3. Please also go into the properties of your PXE-enabled DP, look at the General tab, and check whether the certificate has been imported and is valid.
Here is a similar thread for your reference: PXE boot fails when DP is on HTTPS mode
Thanks for your time.
Best regards,
Simon
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Friday, December 6, 2019 1:53 AM
Thanks for help, let me answer more…
- Only one server, PS, DP, MP, SUP are all on the same server.
- This server now has 3 certs enrolled: web cert, DP cert, client cert.
- The cert for the DP is imported, exported with the private key, and imported into the DP properties. This cert is visible fine in the DP properties. This procedure was also repeated, no help. The cert for the DP is created from the Workstation Authentication template.
- Date and time are correct on PXE client.
- At Site properties, Root CA is not specified. Clients to check CRL is enabled.
- Also, WDS died after transform to https only and I started to use native SCCM PXE. If needed, I can re-install WDS and turn it back again.
MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.
- Edited by Pavel yannara Mirochnitchenko Friday, December 6, 2019 10:03 AM
Friday, December 6, 2019 9:34 AM
What I stumbled upon was that our template was set to 4096-bit and only 2048-bit is supported, and also the private key has to be exportable....
More Info: https://docs.microsoft.com/en-us/configmgr/core/plan-design/network/pki-certificate-requirements
-> Site systems that have a distribution point installed
- Edited by KloinerFeigling83 Friday, December 6, 2019 10:36 AM
Friday, December 6, 2019 10:35 AM
> What I stumbled upon was that our template was set to 4096-bit and only 2048-bit is supported, and also the private key has to be exportable....
> More Info: https://docs.microsoft.com/en-us/configmgr/core/plan-design/network/pki-certificate-requirements
> -> Site systems that have a distribution point installed
MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.
Friday, December 6, 2019 11:32 AM
This is interesting. I was using native PXE instead of WDS after the HTTPS only transfer, because WDS died. Now I decided to re-install the MP and DP roles and get back to WDS. WDS does load the boot image (client), but I see: (this is something new to me).
MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.
Friday, December 6, 2019 1:10 PM
Warnings are safe to ignore, but the failure to pull policy on the client is worrying. I have the same issue (as you know) in one of my 1910 labs, and I will troubleshoot it some more; if nothing positive happens, I'll raise it to the PG.
cheers
niall
Irishman living in Sweden. I blog about Microsoft Endpoint Manager (Configuration Manager and Microsoft Intune). Please visit https://windows-noob.com and https://niallbrady.com.
- Edited by Niall C. BradyMVP Sunday, December 8, 2019 7:22 PM
Saturday, December 7, 2019 8:04 PM
Jason was 100% correct, I've added it back to my CM1910 https previously non working lab and all is good, on my other CM1910 https working lab it was already correctly specified !
thanks Jason :)
cheers
niall
Irishman living in Sweden. I blog about Microsoft Endpoint Manager (Configuration Manager and Microsoft Intune). Please visit https://windows-noob.com and https://niallbrady.com.
Sunday, December 8, 2019 4:05 PM
Thanks, indeed, adding the root CA solved the issue with PXE boot; the TS is listed and loadable. Now I have another problem: during the first OS phase, after the image and drivers are laid down, both HP and Lenovo boot to BIOS. They don't continue to the native OS.
MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.
Tuesday, December 10, 2019 7:18 PM
I'd suggest you open a new thread for that issue.
cheers
niall
Irishman living in Sweden. I blog about Microsoft Endpoint Manager (Configuration Manager and Microsoft Intune). Please visit https://windows-noob.com and https://niallbrady.com.
Tuesday, December 10, 2019 8:32 PM
> Now I have another problem: during the first OS phase, after the image and drivers are laid down, both HP and Lenovo boot to BIOS. They don't continue to the native OS.
Got it working. I disabled BitLocker pre-provisioning; that might help.
MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.
- Edited by Pavel yannara Mirochnitchenko Wednesday, December 11, 2019 5:42 PM
Wednesday, December 11, 2019 5:42 PM
Hi,
Thank you very much for your sharing and feedback. Here's a short summary for the problem.
Problem/Symptom:
===================
1. PXE boot failed with the error WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA after HTTPS only and PKI had been applied.
2. During the first OS phase, after the image and drivers are laid down, both HP and Lenovo boot to BIOS. They don't continue to the native OS.
Solution:
===================
1. Adding the root CA solved the issue with PXE boot.
2. Disable BitLocker pre-provisioning.
Thanks again for your time.
Thanks and regards,
Simon
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Thursday, December 12, 2019 3:17 AM
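The checks the replies above converge on (Jason's point that the boot client must chain to the root CA entered under Site properties, KloinerFeigling83's 2048-bit and exportable-key requirement, and Simon's CRL and validity checks) can be run against the DP certificate before a PXE boot is attempted. This PowerShell script is an added example, not code from the thread or from Configuration Manager; it assumes the DP certificate is in the local machine Personal store and that the root CA certificate has been exported to a .cer file, and $Thumbprint and $RootCaCerPath are placeholders you supply.

```powershell
# Added example: pre-flight checks for a Configuration Manager DP certificate.
# Assumptions (not from the thread): run as administrator on the DP; the DP cert is
# in Cert:\LocalMachine\My; the intended root CA is exported to a .cer file.
param(
    [Parameter(Mandatory)][string]$Thumbprint,    # placeholder: DP cert thumbprint
    [Parameter(Mandatory)][string]$RootCaCerPath  # placeholder: exported root CA .cer
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Chain trust: does the cert chain build, and does it end at the root CA you
#    expect to specify under Site properties? Online revocation checking also
#    surfaces an unreachable CRL as a chain status entry.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaCerPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk   = $chain.Build($cert)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain builds:            $chainOk"
foreach ($s in $chain.ChainStatus) { "  chain status: $($s.Status) - $($s.StatusInformation.Trim())" }
"Chain ends at given root: $($chainRoot.Thumbprint -eq $root.Thumbprint) ($($chainRoot.Subject))"

# 2. Key size: the docs linked above call for 2048-bit keys; 4096-bit caused trouble in the thread.
$keySize = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
"Key size is 2048:        $($keySize -eq 2048) ($keySize)"

# 3. Private key present and exportable, so it can be exported to .pfx for the DP properties.
#    Export() to PFX throws for a non-exportable key; the password is a throwaway probe value.
$hasKey = $cert.HasPrivateKey
$exportable = $false
if ($hasKey) {
    try {
        $null = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
        $exportable = $true
    } catch { $exportable = $false }
}
"Has private key:         $hasKey"
"Private key exportable:  $exportable"

# 4. Validity window: a wrong clock on the PXE client makes a valid cert look expired or not yet valid.
$now = Get-Date
"Valid now:               $(($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)) (NotAfter $($cert.NotAfter))"
```

Any line reporting False points at the corresponding fix in the thread: import the root CA into the site properties, re-issue from a 2048-bit template with an exportable key, or correct the clock and CRL reachability.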