I've got a couple of PXE OSD task sequences that we've been using for a while, and for some reason lately we seem to be having problem where one out of every
few machines gets a client certificate generated, but the control panel client tool never shows that there is a certificate.
The value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\PKICertReady is 0, and setting this to 1 doesn't change anything.
I have even deleted the client certificates and the smscfg.ini, ccmsetup /uninstall, remove the computer from the AD and from Devices in SCCM, and reinstalling didn't fix it.
I have noticed that on a working machine, after the certs are created, CertificateMaintenance.log tries to validate the certificates. On the non-working clients,
they never begin validation.
Here is a copy of CertificateMaintenance.log:
HTTPS is enforced for Client. The current state is 63.
CertificateMaintenance 3/31/16 1:43:48 PM
2280 (0x08E8)
Client is set to use HTTPS when available. The current state is 480.
CertificateMaintenance 3/31/16 1:44:20 PM
976 (0x03D0)
Client is set to use HTTPS when available. The current state is 480.
CertificateMaintenance 3/31/16 1:46:01 PM
1628 (0x065C)
Creating Signing Certificate... CertificateMaintenance
3/31/16 1:46:21 PM 2356 (0x0934)
Successfully created certifcate CertificateMaintenance
3/31/16 1:46:22 PM 2356 (0x0934)
Creating Encryption Certificate... CertificateMaintenance
3/31/16 1:46:22 PM 2356 (0x0934)
Successfully created certifcate CertificateMaintenance
3/31/16 1:46:22 PM 2356 (0x0934)
I've searched around quite a bit and found a lot of client-server suggestions, but in many cases the best answer was to disable https. I'm supposed to use the PKI infrastructure here, so that wasn't a viable solution for me. Does anybody have any idea what
I'm missing? It feels like a huge waste of time to reimage a machine 2-3 times before the client picks up the server and everything fits together properly.
Thanks,
-Andrew
