There have been many posts out there trying to address the issue behind Native Mode and PXE and/or Boot Media problems. This posting publishes information I found in the following article and additions which I have made to clarify some certificate configurations.
In the site properties, check that you have imported your Root CA certificates. If you have subordinate CA servers, import them as well, as I have seen issues arising when not importing them. The picture below will give you the idea:
Create your OSD PXE service point certificate and export it. Go to your certificate authority and duplicate the Computer certificate, name it Configmgr OSD certificate, and make sure that the private key can be exported!
MAKE SURE SUBJECT NAME TAB CONTAINS: SUPPLY IN REQUEST. When the request is made, give the certificate the following attributes:
- CommonName: <FQDN> (i.e. OSDpxeBootCert.<domain>.com)
- Alternate name: <FQDN> (i.e. OSDpxeBootCert.<domain>.com)
- Friendly name: Any descriptive name.
Note: Because certificates are required throughout the native mode deployment, FQDNs are also required for the certificate Subject Name and Alternate Subject Names.
When you have created the certificate, export it to a DER format by going to MMC - Certificates - Personal - Request new certificate. Select the Configmgr OSD certificate and install it on your machine. When done, right-click the certificate and select Export. Export the certificate with the private key and, once it is exported, delete the certificate you requested.
Import your certificate in the PXE role configuration pane.
Now go to the SCCM console, open Site systems - PXE Role, and import the certificate you just exported. The picture below explains it:
You will get the following warning if you exported the certificate on the site server itself. This is not a problem; select "Yes" to continue.
Check the PXE Certificate in the SCCM console. Verify that the Root CA is trusted.
Try opening the Certificates | PXE node in SCCM. Find the certificate that is not "blocked" and right-click to Open it. Check the status of the CA Certificate. I found that it was "Not Trusted" in my environment.
When I clicked the Install button and selected the Trusted Root CA Authorities, the certificate was then "valid" when I reopened the certificate. My SMSPXE.log no longer reflected that the certificate was not set.
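The certificate requirements above (FQDN in the subject and alternate name, exportable private key, CA chain trusted on the site server) can be checked on the exported file before it is imported into the PXE role. The PowerShell below is an added example, not part of the original article; it assumes the export is a password-protected .pfx file, and the function name, path and FQDN shown are placeholders.

```powershell
# Added example. Run on the site server so the chain is built against its trust stores.
function Test-OsdPxeCertificate {
    param(
        [Parameter(Mandatory=$true)] [string] $PfxPath,          # full path to the export
        [Parameter(Mandatory=$true)] [System.Security.SecureString] $Password,
        [Parameter(Mandatory=$true)] [string] $ExpectedFqdn
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $PfxPath, $Password

    # Subject CN must be the FQDN supplied in the request.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)

    # Subject Alternative Name extension (OID 2.5.29.17) rendered as text,
    # e.g. "DNS Name=host.example.com". The label is localized, so only the
    # value after "=" is matched.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $sanOk   = $sanText -match ('=' + [regex]::Escape($ExpectedFqdn) + '(,|\s|$)')

    # Build the chain to a trusted root. Revocation is not checked here;
    # this only answers "is the issuing CA chain trusted on this machine?".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk     = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $result = New-Object PSObject -Property @{
        Subject       = $cert.Subject
        CommonNameOk  = ($cn -eq $ExpectedFqdn)
        AltNameOk     = $sanOk
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $chainOk
        ChainStatus   = $chainStatus   # e.g. UntrustedRoot, PartialChain
    }
    $cert.Reset()   # release the private key loaded from the file
    $result
}

# Usage (placeholder path and FQDN; substitute your own):
# Test-OsdPxeCertificate -PfxPath 'C:\Temp\OSDpxeBootCert.pfx' `
#     -Password (Read-Host 'PFX password' -AsSecureString) `
#     -ExpectedFqdn 'OSDpxeBootCert.<domain>.com'
```

A ChainStatus of UntrustedRoot or PartialChain points back to the Root CA and subordinate CA import steps above.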
Check that the following things are set correctly:
Network Access Account Not Set
Go into the Client Policy in SCCM and set a Network Access Account. It sometimes "disappears" even after everything has been working fine, and then the OSD task sequence cannot access the content on the distribution point!