ritmo2k asked, saldana-msft edited

Config manager 2107 HTTPS only configuration

I have set up HTTPS-only using the official documentation with an integrated AD certificate authority and automatic client enrollment. However, nowhere do I see any documentation about PXE boot images and certificates.

Coincidentally, my PXE deployments in both test and prod environments all failed until the images were reloaded. I am not clear on what occurred during the reload that made them all start working.

I also see only self-signed in the client certificate column for all clients in the device list.

Does anyone know of a comprehensive location that documents the client-side details, and the PXE image task sequence details in an HTTPS-only environment?

Thanks.

mem-cm-general mem-cm-osd

Jason-MSFT answered

Clients using PKI-issued auth certs showing as self-signed in 2107 is a known "issue". Because of some client certificate hardening work, the current method of reporting what type of cert the client uses to the site is not sufficient and can only report self-signed. There is an item in the backlog to correct this. This is called out in the docs as well: purple note at https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/certificates-overview#hardware-bound-key-storage-provider


ritmo2k answered

I actually read that page, but stopped just short of that section, which I thought would be unrelated. Sigh...

Thanks for the help everyone!


ritmo2k answered

Hi Allen,
Thank you for that info. I have the DP set up as indicated with the related certificate.

I am still unclear why the clients that are requesting a certificate from the associated config manager client template show up as self-signed?

I assume the client is possibly not configured to force selection of the right certificate?

Thanks


AllenLiu-MSFT answered

Hi, @ritmo2k
Thank you for posting in Microsoft Q&A forum.

You may need to deploy the client certificate for distribution points. When the "Enable PXE support for clients" distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to an HTTPS-enabled management point during the deployment of the operating system.

Here are the detailed steps we may refer to:
http://www.prajwaldesai.com/deploying-the-client-certificate-for-distribution-points/
(Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


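An added PowerShell example to go with the answers above (it is not code from the thread, from the linked third-party post, or from Microsoft's documentation). It does two things a practitioner in this situation would want to check: on a client, it lists the certificates in the machine Personal store that could be selected for HTTPS client authentication and records why each one would be passed over (no Client Authentication EKU, no private key, expired, self-signed, unexpected issuer), along with the key storage provider holding the private key, since a TPM-backed KSP is the case the hardware-bound-KSP note refers to; on a distribution point, it exports the validated client certificate with its private key as the PFX that the PXE-enabled DP properties import. The CA name "Contoso-CA" and the function names are assumptions.

```powershell
# Added example for this thread (not code from the posts or from Microsoft's docs).
# Two checks for an HTTPS-only Configuration Manager site:
#   1. Test-CMClientAuthCert lists the certificates in the machine Personal store
#      that the client could select for HTTPS client authentication and records
#      why each one would be skipped, plus the KSP holding the private key.
#   2. Export-CMPxeClientCert, run on a distribution point, validates that cert and
#      exports it with its private key as the PFX the DP properties import for PXE.
# Assumption (not stated on the page): the issuing CA's subject CN is "Contoso-CA".

$script:ClientAuthEku    = '1.3.6.1.5.5.7.3.2'                               # id-kp-clientAuth
$script:TemplateExtOids  = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')  # v2 / v1 template extension
$script:ExpectedIssuerCn = 'Contoso-CA'                                       # assumption

function Get-KspName {
    # Provider holding the private key. "Microsoft Platform Crypto Provider" means a
    # TPM-bound key, i.e. the hardware-bound KSP case in the certificates-overview doc.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return '' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $rsa.CspKeyContainerInfo.ProviderName }
    } catch { }
    return 'unknown'
}

function Get-TemplateInfo {
    # Text of the certificate template extension, which names the AD CS template the cert came from.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $script:TemplateExtOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) { return $ext.Format($false) }
    return ''
}

function Test-CMClientAuthCert {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in (Get-ChildItem -Path $StorePath)) {
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        $reasons = @()
        if ($ekus -notcontains $script:ClientAuthEku) { $reasons += 'no Client Authentication EKU' }
        if (-not $cert.HasPrivateKey)                 { $reasons += 'no private key' }
        if ($cert.NotAfter -lt (Get-Date))            { $reasons += 'expired' }
        if ($cert.Subject -eq $cert.Issuer)           { $reasons += 'self-signed' }
        elseif ($cert.Issuer -notlike "CN=$($script:ExpectedIssuerCn)*") { $reasons += 'unexpected issuer' }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Template   = Get-TemplateInfo -Cert $cert
            KSP        = Get-KspName -Cert $cert
            Usable     = ($reasons.Count -eq 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

function Export-CMPxeClientCert {
    # Run on the distribution point. The PFX must carry the private key, so the
    # template must mark the key exportable; the file is a credential: import it
    # in the DP properties and then delete it.
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][securestring]$PfxPassword
    )
    $candidate = Test-CMClientAuthCert | Where-Object { $_.Usable } | Select-Object -First 1
    if (-not $candidate) { throw 'No usable client authentication certificate found in LocalMachine\My.' }
    $x509 = Get-Item -Path "Cert:\LocalMachine\My\$($candidate.Thumbprint)"
    Export-PfxCertificate -Cert $x509 -FilePath $PfxPath -Password $PfxPassword | Out-Null
    return $candidate
}

# Usage:
#   Test-CMClientAuthCert | Format-Table Subject, Issuer, KSP, Usable, Reasons -AutoSize
#   Export-CMPxeClientCert -PfxPath 'C:\Temp\dp-pxe.pfx' -PfxPassword (Read-Host -AsSecureString 'PFX password')
```

The client's own self-signed certificate is not in the Personal store; it lives in the separate SMS store (Get-ChildItem Cert:\LocalMachine\SMS), so a client that has a usable PKI certificate in the table above but still reports "self-signed" in the console is hitting the reporting limitation Jason describes rather than a selection problem. If the table shows no usable certificate, the Reasons column is the thing to fix first (most often a template without the Client Authentication EKU or a non-exportable key on the DP).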