TonyAbate-5875 asked AlexKlaman-8894 published

SCCM PXE (No WDS) Requires Approval Suddenly

Running SCCM 1910, we have successfully deployed an OS many times over the course of a month. Now, all of a sudden, when PXE booting we are seeing a "Waiting for approval" message. All other troubleshooting aside, my last-ditch effort was to remove deployment-related content from the Distribution Point, remove the PXE role, restart the DP, enable PXE, and distribute content. No change.

The log on the DP shows the DHCP request, the boot image request and send and basically just repeats this section over and over, incrementing the SMSTemp var file number:

<![LOG[Packet: Operation: 2 (reply), AdrType: 1, AdrLen: 6, HopCount: 0, TransactID: 0001e240, BootTime: 65535, Addr: 00:15:5d:0d:86:06:00:00:00:00:00:00:00:00:00:00, HostName: , BootFile: smsboot\AZ100005\x64\bootmgfw.efi, ClientIP: 10.1.21.25, HostIP: 0.0.0.0, ServerIP: 10.1.15.115, RelayIP: 0.0.0.0
Options:
53, 1, MsgType: 05, ack
54, 4, SvrID: 0a 01 0f 73
97, 17, UUID: 00 70 0f 2b f1 dc a7 f8 49 a4 f6 80 9d 4e d0 ac 3a
60, 9, ClassID: PXEClient
243, 38, '': 02 00 01 16 53 4d 53 54 65 6d 70 5c 30 30 30 30 30 30 30 30 31 35 2e 76 61 72 03 0a 41 5a 30 31 53 43 43 4d 44 50
252, 32, '': 53 4d 53 54 65 6d 70 5c 41 5a 31 30 30 30 30 35 2d 30 30 30 30 30 2d 30 30 30 30 30 2e 62 63 64]LOG]!><time="11:23:08.805+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="836" file="pxeserver.cpp:288">
<![LOG[PXE: Sending reply to 10.1.21.25, PXE.]LOG]!><time="11:23:08.805+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="836" file="pxeserver.cpp:48">
<![LOG[Packet: Operation: 1 (request), AdrType: 1, AdrLen: 6, HopCount: 0, TransactID: 0001e240, BootTime: 65535, Addr: 00:15:5d:0d:86:06:00:00:00:00:00:00:00:00:00:00, HostName: , BootFile: , ClientIP: 10.1.21.25, HostIP: 0.0.0.0, ServerIP: 10.1.15.115, RelayIP: 0.0.0.0
Options:
93, 2, Arch: 00 07
97, 17, UUID: 00 70 0f 2b f1 dc a7 f8 49 a4 f6 80 9d 4e d0 ac 3a
53, 1, MsgType: 03, request
60, 9, ClassID: PXEClient
55, 9, ParamRequestList: 3c 80 81 82 83 84 85 86 87
250, 21, Extension: 0c 01 01 0d 02 08 00 01 02 00 07 0e 01 01 05 04 00 00 00 00 ff]LOG]!><time="11:23:29.658+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="8004" file="pxeserver.cpp:288">
<![LOG[PXE: Packet from 10.1.21.25 (PXE, 00:15:5D:18:16:06, 10.1.15.115).]LOG]!><time="11:23:29.658+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="8004" file="pxeserver.cpp:479">
<![LOG[PXE: 00:15:5D:0D:86:06: Operation=1, MessageType=3, Architecture=7, Continuation=1]LOG]!><time="11:23:29.658+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[PXE: 00:15:5D:0D:86:06: Parsed a request (continuation) packet.]LOG]!><time="11:23:29.658+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[PXE: 00:15:5D:0D:86:06: F12B0F70-A7DC-49F8-A4F6-809D4ED0AC3A: Client is 64-bit, UEFI, WDS.]LOG]!><time="11:23:29.658+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[SSL, using authenticator in request.]LOG]!><time="11:23:29.673+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:10159">
<![LOG[In SSL, but with no client cert.]LOG]!><time="11:23:29.673+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:10180">
<![LOG[SSL, using authenticator in request.]LOG]!><time="11:23:29.720+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:10159">
<![LOG[In SSL, but with no client cert.]LOG]!><time="11:23:29.720+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:10180">
<![LOG[Client Boot Get ID Info reply: <ClientIDReply><Identification Unknown="0" DuplicateSMBIOS="0" DuplicateMACAddress="0" ItemKey="0" ServerName=""><Machine><ClientID/><NetbiosName/></Machine></Identification><ClientIDInfo ItemKey="0" ClientID="" DuplicateSMBIOS="0" DuplicateMACAddress="0" MatchType="0"/></ClientIDReply>
]LOG]!><time="11:23:29.751+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:7738">
<![LOG[PXE: 00:15:5D:0D:86:06: System records:]LOG]!><time="11:23:29.751+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[PXE: 00:15:5D:0D:86:06: 0, , SMBIOS ID is NOT a match, MAC Address is NOT a match.]LOG]!><time="11:23:29.751+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[PXE: 00:15:5D:0D:86:06: No valid system records.]LOG]!><time="11:23:29.751+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[PXE: 00:15:5D:0D:86:06: Client machine is UNKNOWN.]LOG]!><time="11:23:29.751+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[SSL, using authenticator in request.]LOG]!><time="11:23:29.783+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:10159">
<![LOG[In SSL, but with no client cert.]LOG]!><time="11:23:29.783+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:10180">
<![LOG[SSL, using authenticator in request.]LOG]!><time="11:23:29.814+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:10159">
<![LOG[In SSL, but with no client cert.]LOG]!><time="11:23:29.814+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:10180">
<![LOG[Client Boot TS reply: <ClientIDReply><Identification Unknown="0" DuplicateSMBIOS="0" DuplicateMACAddress="0" ItemKey="2046820353" ServerName=""><Machine><ClientID/><NetbiosName/></Machine></Identification><TSInfo DeploymentID="AZ120016" PkgID="AZ1000A3" BootImageID="AZ100005" Architecture="9" Required="0" AlreadyRun="0" ForPXE="1" Disabled="0" PackageAvailable="1" FutureAvailability="0" Expired="0" UEFIArchitectureMismatch="0" ArchitectureMismatch="0"/></ClientIDReply>
]LOG]!><time="11:23:29.845+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="libsmsmessaging.cpp:7884">
<![LOG[PXE: 00:15:5D:0D:86:06: Task Sequence deployment(s) to unknown machines:]LOG]!><time="11:23:29.845+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[PXE: 00:15:5D:0D:86:06: AZ120016, AZ100005, 64-bit, optional, is valid.]LOG]!><time="11:23:29.845+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[PXE: 00:15:5D:0D:86:06: Using Task Sequence deployment AZ120016.]LOG]!><time="11:23:29.845+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="mp.cpp:37">
<![LOG[Saving Media Variables to "SMSTemp\0000000016.var"]LOG]!><time="11:23:29.845+420" date="12-08-2020" component="SCCMPXE" context="" type="1" thread="1084" file="tsremovablemedia.cpp:186">

mem-cm-osd
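
An added example, not part of the original post or of Configuration Manager: a small Python parser for CMTrace-style entries like those quoted in the question. It groups entries per client MAC and flags a client for which a new SMSTemp .var file is written on every attempt, the repeating pattern the question describes. The sample entries are constructed, and attributing MAC-less lines to a client by worker thread ID is an assumption based on the thread numbers in the excerpt.

```python
import re
from collections import defaultdict

# One CMTrace entry; DOTALL because packet dumps span several lines.
ENTRY = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="[^"]*" date="[^"]*" '
                   r'component="[^"]*" context="[^"]*" type="\d" '
                   r'thread="(?P<thread>\d+)" file="[^"]*">', re.DOTALL)
MAC_MSG = re.compile(r'PXE: ((?:[0-9A-F]{2}:){5}[0-9A-F]{2}): (.*)', re.DOTALL)
VAR_MSG = re.compile(r'Saving Media Variables to "([^"]+)"')
DEPLOY_MSG = re.compile(r'Using Task Sequence deployment (\w+)\.')

def summarize(log_text):
    """Return {mac: summary} for every PXE client seen in the log text."""
    clients = defaultdict(lambda: {"unknown": False, "deployments": [],
                                   "var_files": [], "no_client_cert": 0})
    mac_by_thread = {}  # assumption: a worker thread handles one client at a time
    for entry in ENTRY.finditer(log_text):
        msg, thread = entry["msg"].strip(), entry["thread"]
        pxe = MAC_MSG.match(msg)
        if pxe:
            mac, detail = pxe.groups()
            mac_by_thread[thread] = mac
            client = clients[mac]
            client["unknown"] |= "Client machine is UNKNOWN" in detail
            dep = DEPLOY_MSG.match(detail)
            if dep and dep[1] not in client["deployments"]:
                client["deployments"].append(dep[1])
        elif thread in mac_by_thread:  # MAC-less line: attribute via thread
            client = clients[mac_by_thread[thread]]
            var = VAR_MSG.match(msg)
            if var:
                client["var_files"].append(var[1])
            elif msg == "In SSL, but with no client cert.":
                client["no_client_cert"] += 1
    for client in clients.values():
        client["looping"] = len(client["var_files"]) > 1  # new .var per attempt
    return dict(clients)

def _entry(msg, thread="1084"):
    return (f'<![LOG[{msg}]LOG]!><time="11:23:29.845+420" date="12-08-2020" '
            f'component="SCCMPXE" context="" type="1" thread="{thread}" file="mp.cpp:37">\n')

# Constructed sample (not the poster's log): two boot attempts by one client.
ATTEMPT = ["PXE: 00:15:5D:00:00:01: Client machine is UNKNOWN.",
           "In SSL, but with no client cert.",
           "PXE: 00:15:5D:00:00:01: Using Task Sequence deployment AZ120016."]
SAMPLE = _entry("PXE: Sending reply to 10.1.21.25, PXE.", thread="836") + "".join(
    _entry(m) for n in (15, 16)
    for m in ATTEMPT + [rf'Saving Media Variables to "SMSTemp\00000000{n}.var"'])
```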

Hi,

I am installing the 20H2 version.
Today I got the same message.

I was testing a Windows 10 Task Sequence deployment and, before going to PXE boot, I deleted the computer record from both AD and SCCM.
It seems there is some delay needed for SCCM if you delete a PC record and try to redeploy it with the same computer name. My colleague just recommended waiting a bit and trying again, and it worked.

FionaYan-MSFT answered TonyAbate-5875 commented

@TonyAbate-5875

Thank you for posting in Microsoft Q&A forum.

Could we know if we made any changes before getting this approval message? For example, did we enable SSL authentication?


Have a nice day!



There were no changes made to the config or any of the content. It just stopped working a few days after the last working deployment.


@TonyAbate-5875

Thanks for the reply.

Have we tried the following actions for a second time? Someone met a similar problem and tried these actions, and it was resolved.
1. Disabling PXE for a second time.
2. Enable the PXE Responder again.
3. Also, he tried to recreate the boot image.

Here is the case link for us to refer to:
https://docs.microsoft.com/en-us/answers/questions/181727/sccm-current-branch-remove-wds.html

Have a good day!


Yes, I have tried those steps and others multiple times. No change in behavior.

FionaYan-MSFT answered TonyAbate-5875 commented

@TonyAbate-5875

From the description: "In SSL, but with no client cert." Have we chosen to use the HTTPS option? If we choose it, the server must have a valid PKI web server certificate. Generally speaking, our DP has two certificates. When communicating with the client to be deployed, this client will obtain the certificate from our DP. Another certificate is used for the site server and MP.

Have a good day!



HTTPS is in use and there is a valid PKI certificate installed on the DP. Since the deployment is to a blank unknown computer there is no client certificate installed.


@TonyAbate-5875

Thank you for the reply.

The certificate that we installed on our DP is used to communicate with the MP. When we have an environment with HTTPS only, the client must have a valid certificate for the client to communicate with the site and for the deployment to continue. Our unknown clients should have the PKI certificate when we import the certificate in the DP property.


They are fresh machines with no OS on them, how would they have a certificate? Beyond that, this worked just fine for many deployments before suddenly requiring approval. I'm just not clear how the HTTPS configuration is causing this behavior.

FionaYan-MSFT answered TonyAbate-5875 commented

@TonyAbate-5875

I have reviewed this case again. The phenomenon is really strange, and I did a lot of research in my lab; unfortunately, it is normal in my lab. As we mentioned, it suddenly required approval. As the forum cannot perform the test due to limited resources, I will try my best to deliver this information to the product team to see if they have some additional comments, but this is not guaranteed. Once there is a reply, I will get back to you at the first opportunity. Thank you for your kind understanding.

To get better support, I suggest you call Professional Support Services so that a dedicated engineer will help us solve this issue in a more efficient way. Thank you for your understanding.
To obtain the phone numbers for a specific technology request, please take a look at the web site listed below.
https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

Thank you very much for your kind understanding.


Thank you for your help.

GrantFaulkner-0998 answered GrantFaulkner-0998 published

I am also running into this issue.

AlexKlaman-8894 answered AlexKlaman-8894 published

To resolve this, under the PXE settings for the Distribution Point:

Go to User Device Affinity. Then select the option:
"Allow user device affinity with automatic approval"
