OSD with SSL and non-SSL Management Points

I have an SCCM 2012 R2 environment where I have a number of non-SSL management points. We want to add one new SSL MP to support a handful of Mac clients. I only want to use certs on the Mac clients and not for the rest of the systems. I have added the new management point and configured it for https communication for internet clients only. The certs all look okay, but I don't want this cert on every single client. My problem is that whenever I try to do an OSD build through Windows PE, it will sometimes hit that MP and fail because there is no client cert.

I would have thought that it would attempt to use another MP if it couldn't communicate via https due to the cert, but it's just failing altogether.  What am I missing?  Is there something I need to do to tell the regular clients, and the PXE or PE clients to ignore this MP?

July 31st, 2015 3:32pm

Hi,

Client installation and management for Mac computers requires public key infrastructure (PKI) certificates.

For more information: How to Install Clients on Mac Computers in Configuration Manager

August 3rd, 2015 3:02am

Yes, I understand that but my question is about other non-Mac clients in the environment. 

Why are my regular Windows clients without certs trying to go to the one management point with https enabled? And since the management point is configured for http and https, why won't it accept http connections and just fail when the client doesn't have the cert?

August 3rd, 2015 10:42am

Researching a little bit more, it does look like this is a Win PE/OSD issue. Here is an article where someone got around it by changing the hosts file in Windows PE to make the SSL MP unavailable. I'm trying to determine if there is a more "standard" approach to this...

http://wmug.co.uk/wmug/b/r0b/archive/2014/03/04/controlling-management-point-access-during-osd

August 3rd, 2015 11:14am


I did read that article.  Is the Microsoft recommended method for handling this really to update a hosts file on the fly?  I can go down this road if there is no regular support for doing this, but it seems hard to believe there is no supported method for doing this.
August 14th, 2015 10:30am

It's definitely the easiest method. With the latest service pack you've also got the option to configure preferred management points; I just haven't tested it yet during the initial stages of a task sequence. For more information about that, please refer to: https://technet.microsoft.com/en-us/library/gg712679.aspx#BKMK_PreferredMP
August 14th, 2015 11:39am
