jfdensmore, posted August 27, 2019:
What I mean is, I had PXE working just fine using DHCP Scope options. Just last week I converted my Site to "HTTPS Only" and everything went great and is working well except for PXE Booting. Currently I can get a computer to PXE and then get to the SCCM Splash screen, put in a password, then it sits there at retrieving policy for a few minutes, then reboots. After troubleshooting this for a bit I'm wondering if I need to rethink how I configure PXE booting. Is the DHCP WDS method outdated? Or perhaps does it not work with HTTPS? Is there a definitive guide out there to set this up? Working with HP Switches. Thank you for taking some time to check this out. Appreciate all your help out there!

anyweb, posted August 27, 2019:
To get PXE working with HTTPS read my guide here (two parts, here's part 1.) You are more than likely missing the OSD certs. But to answer your question, is there a new PXE type, yes, ConfigMgr can manage PXE boot using its own service instead of the Windows Server Service called Windows Deployment Services Service. Also, I'd recommend that you don't configure DHCP scope options, and use IP Helpers instead.

jfdensmore, posted August 28, 2019:
Thank you! I will check this out ASAP! Before I go too far, which of these methods do you recommend? Our environment consists of 3 physical locations that in the future will each contain their own distribution point, one central server ("To rule them all"), and I would like to PXE at these other locations at some point as well. Any advice would be greatly appreciated!
@anyweb Do you guys recommend any training courses for SCCM? I have been using SCCM for about 6 years now and I love it for what we use it for. But I feel like I have never been able to get completely comfortable with all it can do. Currently I have learned all I know from awesome people like you and those on these sites. But say I wanted to become certified in it, which route should I take?

anyweb, posted August 28, 2019:
The central server is just a Primary server, avoid a CAS if at all possible, it will only cause grief. You can have DPs at your 3 locations no problem. If you want to get certified then take training with Kent Agerlund or Johan Arwidmark, both offer training via their companies. I would also try and get trained up on Microsoft Intune as that is where a lot of focus (and companies) are moving towards.
on-premise management is via SCCM
cloud management = Intune
mix of both = SCCM co-managed with Intune
cheers
niall

jfdensmore, posted August 28, 2019:
Sorry, bad terminology on my part, we run primary, not CAS. Thanks for the info! I have actually seen some of Johan's trainings, I will take you up on that and see what I can get my work to approve! I actually do have Intune installed doing co-management, but I don't do anything with it as I haven't had time to educate myself. SCCM and Intune is a big project for me in the near future.
Back to the initial problem, I have verified your instructions and I appear to have everything correct. Still not getting past the Splash screen. I'll try to locate your guide on using ConfigMgr to handle our PXE Service. That sounds like the proper way to do it.

anyweb, posted August 28, 2019:
If you are not getting the screen, press F8 as soon as you can, grab the smsts.log and attach it here, I'll take a look.

jfdensmore, posted August 28, 2019:
Perhaps this will tell you something. When I look at my smspxe.log I get:
WARNING: _SMSTSRootCACerts Not Set. This might cause client failures in native mode. SMSPXE 8/28/2019 7:41:03 AM 14064 (0x36F0)
WARNING: _SMSTSCertStoreName Not Set. This might cause client failures in native mode. SMSPXE 8/28/2019 7:41:03 AM 14064 (0x36F0)
WARNING: _SMSTSCertSelection Not Set. This might cause client failures in native mode. SMSPXE 8/28/2019 7:41:03 AM 14064 (0x36F0)

jfdensmore, posted August 28, 2019:
4 hours ago, anyweb said: "if you are not getting the screen press f8 as soon as you can, grab the smsts.log and attach it here i'll take a look"
I try this, but F8 does nothing for me. I have updated my boot images to 1903, and verified the option is checked.
Wow, noob moment there, I have to hit the FN key for F8 to function properly... Sorry, checking log now. Thanks.

jfdensmore, posted August 28, 2019:
Well, I thought it might be a time issue, since it was set to PST, so I changed it to our local time and it still failed. I do still see this in the SMSTS.log:
SyncTimeWithMP() failed. 80072f8f. TSPxe 8/28/2019 12:46:36 PM 1100 (0x044C)
Attached is complete SMSTS.log.
smsts1.log

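The smspxe.log and smsts.log entries quoted in the two posts above can be triaged mechanically. The following PowerShell is an added example, not code from the thread or from Microsoft: it parses entries in the flattened form pasted here, flags the unset PKI variables and decodes the HRESULT. The function names Get-CertFinding and ConvertFrom-HResult are hypothetical, and the sample is the thread's own log lines placed one per line.

```powershell
# Constructed sample: the log lines quoted in the thread, one entry per line.
$sample = @'
WARNING: _SMSTSRootCACerts Not Set. This might cause client failures in native mode. SMSPXE 8/28/2019 7:41:03 AM 14064 (0x36F0)
WARNING: _SMSTSCertStoreName Not Set. This might cause client failures in native mode. SMSPXE 8/28/2019 7:41:03 AM 14064 (0x36F0)
WARNING: _SMSTSCertSelection Not Set. This might cause client failures in native mode. SMSPXE 8/28/2019 7:41:03 AM 14064 (0x36F0)
SyncTimeWithMP() failed. 80072f8f. TSPxe 8/28/2019 12:46:36 PM 1100 (0x044C)
'@ -split "`r?`n"

# WinHTTP error codes (winhttp.h, base 12000) worth naming; extend as needed.
$winHttp = @{ 12175 = 'ERROR_WINHTTP_SECURE_FAILURE (server TLS certificate failed validation)' }

# Hypothetical helper: split an HRESULT into facility and code, name known codes.
function ConvertFrom-HResult([string]$Hex) {
    $v        = [Convert]::ToInt64($Hex, 16)
    $facility = [int](($v -shr 16) -band 0x7FF)   # bits 16-26
    $code     = [int]($v -band 0xFFFF)            # bits 0-15
    # Facility 7 is FACILITY_WIN32: the low word is a plain Win32/WinHTTP error.
    if ($facility -eq 7 -and $winHttp.ContainsKey($code)) {
        return "HRESULT 0x$Hex = Win32 error $code, $($winHttp[$code])"
    }
    "HRESULT 0x$Hex = facility $facility, code $code"
}

# "<message> <component> <M/D/YYYY h:mm:ss AM|PM> <thread id> (0x<thread hex>)"
$entryRx = '^(?<msg>.*?)\s+(?<comp>\S+)\s+(?<ts>\d{1,2}/\d{1,2}/\d{4} ' +
           '\d{1,2}:\d{2}:\d{2} [AP]M)\s+\d+ \(0x[0-9a-f]+\)$'

# Hypothetical helper: emit one object per certificate-related finding.
function Get-CertFinding([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -match $entryRx) {
            $msg, $comp, $ts = $Matches.msg, $Matches.comp, $Matches.ts
            $finding = $null
            if ($msg -match '(?<var>_SMSTS(RootCACerts|CertStoreName|CertSelection)) Not Set') {
                $finding = "PKI variable $($Matches.var) is not set"
            } elseif ($msg -match '\b(?<hr>8[0-9a-f]{7})\b') {
                # Any 8-hex-digit token with the failure bit set is treated as an HRESULT.
                $finding = ConvertFrom-HResult $Matches.hr
            }
            if ($finding) {
                [pscustomobject]@{ Time = $ts; Component = $comp; Finding = $finding }
            }
        }
    }
}

Get-CertFinding $sample | Format-Table -AutoSize -Wrap
```

On the sample, all four entries are reported: three unset PKI variables from SMSPXE, and 80072f8f from TSPxe decoded as Win32 error 12175.
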
anyweb, posted August 29, 2019:
Hi, I've fired up one of my HTTPS ConfigMgr labs and verified that all the certs are working, then I PXE booted and compared my smsts.log to yours. Have a look here, it looks like you are missing certificates in the boot image as suspected. Your log to the left, my working VM on the right.
I'd double check you've done everything in my converting SCCM from HTTP to HTTPS guides again.

jfdensmore, posted August 29, 2019:
Well damn. I must have missed something. Thank you so much for going through the trouble. I'm looking at this again now.

jfdensmore, posted August 29, 2019:
Well, after reviewing I can't see where I am going wrong! I went through step by step and have done everything. But you said missing certs in the "Boot Image". At what point are the certs imported to the Boot image? Maybe that will help me understand what is going on.

anyweb, posted August 29, 2019:
Did you do step 4 here? And step 5 here? That is how the boot image gets the certificate. The other method for getting the cert into the boot image is documented here.

jfdensmore, posted August 30, 2019:
Absolutely, both, step by step! Twice! That is what is driving me batty! Don't know if it matters, but these are "Unknown" computers I am PXE booting in this case. Gonna look at the other method now.

anyweb, posted August 30, 2019:
The other method is only for creating bootable media. Did you update your boot images to your distribution points, as a matter of interest, after you enabled HTTPS?

jfdensmore, posted August 30, 2019:
Once I enabled HTTPS, I had everything working. A day later I had to do an OSD via PXE and that is when I noticed it failing at the splash screen after I put in our password. In troubleshooting this, one of the first things I did was update the boot images*. Then I came here for help.

jfdensmore, posted August 30, 2019:
It was in troubleshooting, but we are distributing 1903 so I needed to at some point anyway. Should I maybe revert to see if there is an issue there?

anyweb, posted August 30, 2019:
Can you do a TeamViewer session so I can take a look?

jfdensmore, posted August 30, 2019:
Sure let me get it installed.

jfdensmore, posted August 30, 2019:
Sure let me get it installed.
Sorry, sent you a PM in case you were waiting on me.

Joe13, posted September 5, 2019:
Don't want to hijack, but I'm interested, why would you want to HTTPS PXE deployments? Are you doing it over WAN or internet?

jfdensmore, posted September 6, 2019:
Not a problem. I was simply moving my SCCM configuration over to "HTTPS only". Was not doing it just to get PXE to use HTTPS directly? This just started happening once I completed the changeover. And I can't figure out why.

jfdensmore, posted September 6, 2019:
So I have tried everything I can to get this working but I keep getting the same results. (See smsts.log attached.)
Earlier you had me double check all my settings, and I did. Then you caught this little bit in my smsts.log:
So I went through it again today, and... In reviewing your documentation I see in step 3 of your "How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1" that you refer to Part 8, Step 3 of your "How can I configure PKI in a lab on Windows Server 2016 - Part 8". And in this step I see here that in your CDP Container, you have 3 certs, one being a "Root CA". Now when I compare this to mine, I don't see this "Root CA".
Could this be the "Root" of my problem? (Pardon the pun.) I am not knowledgeable at certificates, nor is the person here who set them up. So I'm wondering if something has been missed or if something needs to be created? Just looking for direction at this point. Thanks again in advance.
smsts.log