PXE Boot issue after HTTPS only and PKI has been applied

All replies

• 

  

  0

  Sign in to vote

  Did you also do the PKI client cert on the DP settings aswell?
  One of the lines does mention somethng about "In SSL, but with no client certs"

  ---

  Website: www.walshamsolutions.com Technical Blog: https://www.walshamsolutions.com/technical-blog Personal Blog: https://www.walshamsolutions.com/personal-blog Twitter: Dwalshampro

  Thursday, December 5, 2019 10:26 AM
• 

  

  0

  Sign in to vote

  Like wrote above, I added wks cert for DP, which was exported with Private Key. Did it like this: https://www.windows-noob.com/forums/topic/16301-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-2/ 

  ---

  MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

  Thursday, December 5, 2019 10:47 AM
• 

  

  0

  Sign in to vote

  Is the root cert installed on the DP

  Is the export to pfx done from the DP

  Thursday, December 5, 2019 3:13 PM
• 

  

  0

  Sign in to vote

  Hi,
  
  Thanks for posting in TechNet. Please try the following actions:
  
  1.Please help try to re-import your DP Client Cert on your PXE DP and check your CRL availability for the certificate you are using on the DP.
  2. Please make sure the date and time on the PXE booted system are correct.
  3.Please also help go into the option of your PXE-enabled DP and look at the general tab and take a look to see if  the certificate has been imported and is the certificate valid. 
  
  Here is a similar thread for your reference: PXE boot fails when DP is on HTTPS mode
  
  Thanks for your time.
  
  Best regards,
  Simon
  

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Friday, December 6, 2019 1:53 AM
• 

  

  0

  Sign in to vote

  Thanks for help, let me answer more…

  • Only one server, PS, DP, MP, SUP are all on the same server.
  • This Server has now 3 cert enrolled; web cert, DP cert, client cert. 
  • Cert for DP is imported, exported Private key and imported into DP properties. This cert is visible fine in DP properties. This procedure is also repeated, no help. Cert to DP is created from Workstation Auth template.
  • Date and time are correct on PXE client.
  • At Site properties, Root CA is not specified. Clients to check CRL is enabled. 
  • Also, WDS died after transform to https only and I started to use native SCCM PXE. If needed, I can re-install WDS and turn it back again.
    

  ---

  MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

  • Edited by Pavel yannara Mirochnitchenko Friday, December 6, 2019 10:03 AM

  Friday, December 6, 2019 9:34 AM
• 

  

  0

  Sign in to vote

  What i stumbled upon was that our Template was set to 4096bit and ony 2048bit is supported, and also the privatekey has to be exportable....

  More Info: https://docs.microsoft.com/en-us/configmgr/core/plan-design/network/pki-certificate-requirements

  -> Site systems that have a distribution point installed

  
  

  • Edited by KloinerFeigling83 Friday, December 6, 2019 10:36 AM

  Friday, December 6, 2019 10:35 AM
• 

  

  0

  Sign in to vote

  What i stumbled upon was that our Template was set to 4096bit and ony 2048bit is supported, and also the privatekey has to be exportable....

  More Info: https://docs.microsoft.com/en-us/configmgr/core/plan-design/network/pki-certificate-requirements

  -> Site systems that have a distribution point installed

  
  

  Thanks for the tip, did check, all are 2048 :)
  

  ---

  MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

  Friday, December 6, 2019 11:32 AM
• 

  

  0

  Sign in to vote

  This is interesting. I was using Native PXE instrad of WDS after https only transfer, because WDS died. Now I decided to re-install MP and DP roles and get back to WDS. WDS does load the boot image (client), but I see: (this is something new to me).

  

  ---

  MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

  Friday, December 6, 2019 1:10 PM
• 

  

  0

  Sign in to vote

  warnings are safe to ignore, but the failure to pull policy on the client is worrying, i have the same issue (as you know) in one of my 1910 labs, and I will troubleshoot it some more and if nothing positive happens, i'll raise it to the PG,
  

  cheers

  niall

  ---

  Irishman living in Sweden. I blog about Microsoft Endpoint Manager (Configuration Manager and Microsoft Intune). Please visit https://windows-noob.com and https://niallbrady.com.

  
  
  
  

  • Edited by Niall C. BradyMVP Sunday, December 8, 2019 7:22 PM

  Saturday, December 7, 2019 8:04 PM
• 

  

  0

  Sign in to vote

  > WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA

  The CA that issued your certs is not trusted.

  > At Site properties, Root CA is not specified.

  Without this, the PXE and media boot clients won't trust the CA that issued the certs which is your issue.

  ---

  Jason | https://home.configmgrftw.com | @jasonsandys

  • Marked as answer by Niall C. BradyMVP Sunday, December 8, 2019 3:47 PM
  • Unmarked as answer by Pavel yannara Mirochnitchenko Monday, December 9, 2019 6:59 AM
  • Marked as answer by Pavel yannara Mirochnitchenko Monday, December 9, 2019 7:00 AM

  Saturday, December 7, 2019 11:38 PM
• 

  

  0

  Sign in to vote

  Jason was 100% correct, I've added it back to my CM1910 https previously non working lab and all is good, on my other CM1910 https working lab it was already correctly specified !

  thanks Jason :)

  cheers

  niall

  ---

  Irishman living in Sweden. I blog about Microsoft Endpoint Manager (Configuration Manager and Microsoft Intune). Please visit https://windows-noob.com and https://niallbrady.com.

  Sunday, December 8, 2019 4:05 PM
• 

  

  0

  Sign in to vote

  Thanks, indeed, adding root CA solved the issue with PXE boot, TS is listed and loadable. Now I have another problem - during first OS phase, after image and drivers are layed down, both HP and Lenovo boot to bios. They don't continue to native OS.

  ---

  MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

  Tuesday, December 10, 2019 7:18 PM
• 

  

  0

  Sign in to vote

  i'd suggest you open a new thread for that issue

  cheers

  niall

  ---

  Irishman living in Sweden. I blog about Microsoft Endpoint Manager (Configuration Manager and Microsoft Intune). Please visit https://windows-noob.com and https://niallbrady.com.

  Tuesday, December 10, 2019 8:32 PM
• 

  

  0

  Sign in to vote

  Now I have another problem - during first OS phase, after image and drivers are layed down, both HP and Lenovo boot to bios. They don't continue to native OS.

  ---

  MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

  Got it working. I disabled Bitlocker pre-provisioning, that might help.
  

  ---

  MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

  
  

  • Edited by Pavel yannara Mirochnitchenko Wednesday, December 11, 2019 5:42 PM

  Wednesday, December 11, 2019 5:42 PM
• 

  

  0

  Sign in to vote

  Hi,
  
  Thank you very much for your sharing and feedback. Here's a short summary for the problem.
  
  Problem/Symptom:
  ===================
  1.PXE Boot failed with the error WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA after HTTPS only and PKI has been applied
  2. during first OS phase, after image and drivers are layed down, both HP and Lenovo boot to bios. They don't continue to native OS.
  
  Solution:
  ===================
  1.Adding root CA solved the issue with PXE boot
  2. Disable Bitlocker pre-provisioning,
  
  Thanks again for your time.
  
  Thanks and regards,
  Simon
  

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Thursday, December 12, 2019 3:17 AM