Is there a new PXE configuration for CB?

[jfdensmore 3]

What i mean is, i had PXE working just fine using DHCP Scope options. Just last week i converted my Site to "HTTPS Only" and everything went great and is working well except for PXE Booting. Currently I can get a computer to PXE and then get to the SCCM Splash screen, put in a password, then it sits there at retrieving policy for a few minutes, then reboots.    After trouble shooting this for a bit im wondering if i need to rethink how i configure PXE booting.  Is the DHCP WDS method outdated?  Or perhaps does it not work with HTTPS?

is there a definitive guide out there to set this up??  Working with HP Switches. 

Thank you for taking some time to check this out, Appreciate all your help out there!

[anyweb 451]

To get PXE working with HTTPS read my guide here (two parts, here's part 1.) You are more than likely missing the osd certs.

 

but to answer your question, is there a new PXE type, yes, ConfigMgr can manage PXE boot using it's own service instead of the Windows Server Service called Windows Deployment Services Service. Also, I'd recommend that you don't configure DHCP scope options, and use IP Helpers instead.

[jfdensmore 3]

Thank you! I will check this out asap!  

Before i go too far, which of these methods do you recommend?  Our environment consists of 3 physical locations that in the future will each contain their own distribution point,  one central server ("To rule them all"), and i would to PXE at these other locations at some point as well.   Any advice would be greatly appreciated!

@anyweb  Do you guys recommend any training courses for SCCM?  I have been using SCCM for about 6 years now and i love it for what we use it for. But i feel like i have never been able to get completely comfortable with all it can do. Currently i have learned all i know from awesome people like you and those on these sites. But say i wanted to become Certified in it which route should i take?

 

 

[anyweb 451]

the central server is just a Primary server, avoid a CAS if at all possible, it will only cause grief, you can have DP's at your 3 locations no problem, if you want to get certified then take training with Kent Agerlund or Johan Arwidmark, both offer training via their companies, i would also try and get trained up on Microsoft Intune as that is where a lot of focus (and companies) are moving towards,

on-premise management is via SCCM

cloud management=Intune

mix of both=SCCM co managed with Intune

cheers

niall

[jfdensmore 3]

Sorry bad terminology on my part, we run primary, not CAS.   Thanks for the info!  I have actually seen some of Johan's trainings, i will take you up on that and see what i can get my work to approve!

I actually do have intune installed doing co-management, but i don't do anything with it as i haven't had time to educate myself. SCCM and Intune is a big project for me in the near future. 

Back to initial problem, I have verified your instructions and i appear to have everything correct.    Still not getting past the Splash screen. 

  Ill try to locate your guide on using ConfigMgr to handle our PXE Service. That sounds like the proper way to do it. 

 

[anyweb 451]

if you are not getting the screen press f8 as soon as you can, grab the smsts.log and attach it here i'll take a look

[jfdensmore 3]

Perhaps this will tell you something:

When i look at my smspxe.log i get:

WARNING: _SMSTSRootCACerts Not Set. This might cause client failures in native mode.    SMSPXE    8/28/2019 7:41:03 AM    14064 (0x36F0)
WARNING: _SMSTSCertStoreName Not Set. This might cause client failures in native mode.    SMSPXE    8/28/2019 7:41:03 AM    14064 (0x36F0)
WARNING: _SMSTSCertSelection Not Set. This might cause client failures in native mode.    SMSPXE    8/28/2019 7:41:03 AM    14064 (0x36F0)
 

[jfdensmore 3]

4 hours ago, anyweb said:

if you are not getting the screen press f8 as soon as you can, grab the smsts.log and attach it here i'll take a look

I try this, but f8 does nothing for me, i have updated my boot images to 1903 , and verified the option is checked.  

Wow Noob moment there, I have to hit the FN key for F8 to function properly..... Sorry, checking log now. THanks. 

[jfdensmore 3]

Well i thought it might be a time issue, since it was set to PST, So i changed it to our local time and it still failed. I do still see this in the SMSTS.log:

SyncTimeWithMP() failed. 80072f8f.    TSPxe    8/28/2019 12:46:36 PM    1100 (0x044C)
 

Attached is complete SMSTS.log. 

smsts1.log

[anyweb 451]

hi, i've fired up one of my HTTPS configmgr labs and verified that all the certs are working, then i pxe booted and compared my smsts.log to yours, have a look here, it looks like you are missing certificates in the boot image as suspected. You log to the left, my working vm on the right. I'd double check you've done everything in my converting sccm from http to https guides again.

 

[jfdensmore 3]

Well damn.  I must have missed something, Thank you so much for going through the trouble. I'm looking at this again now.

[jfdensmore 3]

Well after reviewing i cant see where i am going wrong! i went through step by step. and have done everything. 

 

But you said missing certs in the "Boot Image" At what point are the certs imported to the Boot image, maybe that will help me understand what is going on?

[anyweb 451]

did you do step 4 here ?

and step 5 here

that is how the boot image gets the certificate, the other method for getting the cert into the boot image is documented here

[jfdensmore 3]

Absolutely, both Step by step!   Twice!  That is what is driving me batty! 

Don't know if it matters, but these are "Unknown" Computer's i am pxebooting in this case.

Gonna look at the other method now. 

[anyweb 451]

the other method is only for creating bootable media, did you update your boot images to your distribution points as a matter of interest after you enabled HTTPS ?

[jfdensmore 3]

Once i enabled HTTPS, i had everything working, a day later i had to do an OSD via PXE and that is when i noticed it failing at the splash screen after i put in our password.   In troubleshooting this, one of the first things i did was update the boot images*. Then i came here for help. 

[jfdensmore 3]

It was in trouble shooting, but we are distributing 1903 so I needed to at some point anyway.    Should i maybe revert to see if there is an issue there?

[anyweb 451]

can  you do a teamviewer session so i can take a look ?

[jfdensmore 3]

Sure let me get it installed.

[jfdensmore 3]

Sure let me get it installed.       

 

Sorry, Sent you a PM incase you were waiting on me. 

[Joe13 1]

Don't want to high jack, but I'm interested, why would you want to HTTPS PXE deployments? Are you doing it over WAN or internet?

[jfdensmore 3]

Not a problem.  I was simply moving my SCCM configuration over to "HTTPS only".  Was not doing it just to get PXE to use HTTPS directly?  This just started happening once I completed the change over.  And i cant figure out why. 

[jfdensmore 3]

So I have tried everything i can to get this working but i keep getting the same results. (See smsts.log attached) 

Earlier you had me double check all my Settings, and i did. Then you caught this little bit in my smsts.log:

So i went through it again today, and...

In reviewing your documentation i see in step 3 of your "How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1"

That you refer to Part 8, Step 3 of your: How can I configure PKI in a lab on Windows Server 2016 - Part 8

 

And in this step i see here that in your CDP Container, you have 3 Certs,   one being a "Root CA"

. 

Now when i compare this to mine, i don't see this "Root CA"  Could this be the "Root" of my problem (Pardon the pun)

 I am not knowledgeable at certificates, nor is the person here who set them up. So im wondering if something has been missed or if something needs to be created??  Just looking for direction at this point. 

Thanks again in advance. 

smsts.log