PXE problems after renewing root cert

I have a single server deployment of SCCM 2012 R2 on Windows 2012 R2. I have an enterprise PKI, and the certificates have been properly configured on the SCCM server and distributed to clients. All was well, until I had to renew the root certificate with a new key pair. The intermediate cross certification certs were created properly and were added to the domain trust GPO.

 

I began noticing that new clients could not register with the management point. I eventually realized that I had the old root certificate set as the trusted root CA. When I added the new root certificate here, I learned that it replaced the old one, did not add to it. This now caused the computers with certs issued by the old root certificate to be rejected. After reading some, I learned that if I have the trusted root certificate authority set to "Not Set", Config Manager would revert to the Windows trust store. I have been running this way for a couple of weeks and I thought all was well. I was able to manage clients with both new and old certs.

 

This week I find out that PXE OSD is not working. When the trusted CA is not set, the SMSPXE.log shows "_SMSTSRootCACerts Not Set. This might cause client failures in native mode." The PXE client fails to get a policy, and this snippet appears in the smsts.log:

WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered

WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set

 

I have updated the PXE certificate on the distribution point, but to no avail. I can remedy this temporarily by setting the new root certificate as the trusted one in ConfigMgr, but this breaks communication with the clients on the old key pair.

 

Is there a way to have PXE work, while still managing both old and new certificate clients?

August 22nd, 2015 9:33am

Do you have auto enrollment configured for computers in your domain? This guide is really helpful for HTTPS in a ConfigMgr environment: https://technet.microsoft.com/en-us/library/gg682023.aspx

Also, for PXE, after making changes to certificates, you likely need to update your boot images.

Jeff

August 22nd, 2015 5:06pm


I'm sorry it took me so long to reply.

I do have auto enrollment configured, and certificates in general are working fine. The issue being that there is a natural lag time from when the root certificate is updated and the time when a domain computer will renew its certificate on the new key pair. It is a problem that should solve itself within the year, but a problem nonetheless.

For the boot images, I actually completely ripped them out and rebuilt them. So while I did not specifically set a certificate when doing so (am I missing something?), would the act of re-importing them (and the WinPE10 versions of them) not update the certificate?

August 28th, 2015 12:04pm
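One way to measure the "lag time" described in the original post and in the reply above, as an added example that is not code from the thread: on each domain computer, list the client-authentication certificates in the machine's Personal store, build their chains against the Windows trust store (the store ConfigMgr falls back to when the trusted root CA is "Not Set"), and report which root each one terminates at. The two thumbprint variables are placeholders and must be replaced with the old and new root CA thumbprints from your own PKI.

```powershell
# Added example, not from the thread. Inventory machine client-auth certificates and
# report which root CA each chains to and whether the chain validates in the Windows trust store.
$OldRootThumbprint = 'OLD_ROOT_THUMBPRINT_PLACEHOLDER'   # assumption: replace with your old root CA thumbprint
$NewRootThumbprint = 'NEW_ROOT_THUMBPRINT_PLACEHOLDER'   # assumption: replace with your new root CA thumbprint
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'                 # Client Authentication EKU OID

function Get-ClientCertRootStatus {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku) } |
        ForEach-Object {
            $cert  = $_
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Revocation is skipped here so the check runs offline; the trust decision is what matters.
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $valid = $chain.Build($cert)
            # The last element of the built chain is the root the Windows trust store selected.
            $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $label = switch ($root.Thumbprint) {
                $OldRootThumbprint { 'OldRoot' }
                $NewRootThumbprint { 'NewRoot' }
                default            { 'Other' }
            }
            [pscustomobject]@{
                Subject        = $cert.Subject
                NotAfter       = $cert.NotAfter
                ChainValid     = $valid
                RootIssued     = $label
                RootThumbprint = $root.Thumbprint
                ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            }
            $chain.Reset()
        }
}

Get-ClientCertRootStatus | Format-Table -AutoSize
```

Because the cross-certification certificates mentioned in the original post let an old-root-issued certificate chain to the new root, RootIssued reflects the path the Windows chain engine chose rather than the CA that originally signed the leaf; a certificate that reports OldRoot or ChainValid = False is one that will be rejected once only the new root is configured as trusted in ConfigMgr.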
