Great video. Thanks! Is there a reason you didn’t enable "https only" and instead selected “https or http”? From what I understand "https only" shouldn’t require any additional configuration besides what you've already done? In my experience removing https bindings on your DP, just makes the client being stuck on downloading 0% in Software Center.
tehpatriot yeah, that would have been fine since I only had one site system, and it had the needed certs. I had some other things I was planning on doing so I didn't enable it site wide.
So I have my DP and WSUS servers separate from the primary site system. Would I need to create a different IIS SSL for each of those servers with the local hosts DNS name?
Great video. This looks after machines on the corporate LAN - what about if I want to look after machines in a DMZ? as well as internet based clients (mobile devices) that are sometimes on our LAN but mostly not... Is this possible....?
Just FYI, I know this is two years later, but at 20:50 I had to specify Trusted Root Certification Authority. Without it, Imaging failed. It was just a case of exporting the root CA from the server and importing it there. Just if anyone else gets caught on this
Sir You are amazing..... Thank you so much! I have just one question: I created templates for Web Server and Windows Authentication PKI certificates. I don't want to create a DP certificate for now, but in CM I set DP communication to HTTP and on the primary site both https and http. I am creating all this because the Client wants CM to deploy Bitlocker to their machines, so the MP has to use PKI. Did everything like you explained, I have one PC that is in the PKI TEST collection. Created GPOs, PC received PKI, changed MP communication to HTTPS, everything looks fine. BUT - now in devices, the icon next to a PC turned to a grey X, and when I deploy apps or run scripts to that PC nothing happens. MP is green in Monitoring, in all Log files everything is the same as in your logs. I can access the PC using remote control but that's it... Can you PLEASE help me... this has to work in 9 hours :( :(
Great video, how would you go about installing the client certificate for a different domain, this works perfectly for domain XYZ but my other domain obviously is not getting the certificate form AD/GPO.
@@PatchMyPC Ouch, okay I have a 2 domain environment and I got this working perfectly for the primary domain where SCCM sits, SCCM was managing both domains fine before I forced HTTPS/PKI - was hoping I could push the cert to the other domain and be all set?
@@walterh1223 As long as the root CA issuing certs is trusted it should work fine. Clients need to trust the SCCM site system (IIS certs) and vice versa. It shouldn't really matter what domain/CA is issuing the certificate as long as the root is trusted.
Hi Justin, I just want to know: is there a command that'd pick the correct cert if the client installation is taking the wrong cert from a bunch of certificates? How do I go about it?
Hope you figured this one out. Sorry for the delay, this is a little bit too complex to try to resolve in comments. The Microsoft docs for ConfigMgr can often be a great resource.
Thanks Justin - when specifying the private key toward the start of the AD CS Config, is it possible to use a wildcard cert that we have purchased for our domain name through GoDaddy as an example ?
Great video, awesome resource! Question - I have multiple DP's (14), do I need to request the DP Cert from EACH DP? ...and IF YES, do I also need to import THAT SPECIFIC exported Certificate on the DP Tab for that same DP? Thank you in advance...
@@PatchMyPC Thank you very much for the reply, still a little confused. To clarify (for me!): 1. Do I need to request the DP Cert on each of my DP's? 2. Do I export from each DP and import the matching .pfx within the console for each DP, or just export one time and import that same .pfx for each DP? Thank you again!
When importing the OSDCert into IE, I still can't access the site because it's not accepting the imported cert? Why is that? Maybe because I have exported it with SHA256 encryption?
I'm getting stuck at about the 13:30 minute mark. Auto-enroll works but I don't see the templates I created being imported. The SCCM Client Certificate doesn't import. I only see Kerberos Authentication, Directory Email Replication, and Domain Controller Authentication. This is on an existing network with CA already setup. Did I miss a setting?
Another great video. One small question: if none of my clients or the CA are Windows 2003, can I make the compatibility mode 2008R2 or even 2012? I wasn't sure why the compatibility had to be such an old version.
Hi Justin, Just to clarify, I have multiple DPs for each city in my company. Do I need to interactively log in to each server individually, request the certs for OSD and then import it in the console? Or can I login to the Configuration Manager console and just import the OSD cert?
@@PatchMyPC so each DP will also need the web server certificate we generated at the beginning? I think I have the general idea. Log in to each DP, run through the IIS certificate process you outlined on the video and just import the OSD certificate from the console.
I have to say FANTASTIC VIDEO!! Very detailed. Just have one question. For some reason, when I enabled SSL communication and PXE boot and get to the SCCM password screen, it will not load my Task Sequence jobs and errors out then restarts.
@@PatchMyPC Sorry for such a late response. I had to put this to the side for a bit. I do have logs: WARNING: _SMSTSRootCACerts Not Set. This might cause client failures in native mode. WARNING: _SMSTSCertStoreName Not Set. This might cause client failures in native mode. WARNING: _SMSTSCertSelection Not Set. This might cause client failures in native mode.
Ok....Also steps taken I updated the boot image and unblocked the certificate in the Certificate Node, which resolved the warning, but I am still having the same issue. I would get to the Pxe boot screen to enter my password, but when I enter it, it would attempt to look for policy then fail.
@@PatchMyPC I resolved the issue by putting a trusted Root Certificate in the Site Property>Client Computer Communication. Just in case someone else is having the same issue. Thanks again for the video, I could not have gotten here without it. Next up for us is ICBM.
Hope you figured this one out. Sorry for the delay, this is a little bit too complex to try to resolve in comments. The Microsoft docs for ConfigMgr can often be a great resource.
I just tried to build a new Windows 7 machine and it's failing to apply the OS. "In SSL, but with no client cert." We use Windows 10 Enterprise machines which are acting as DPs for local sites.
@@PatchMyPC I exported the Cert from SCCM onto my desktop and then attached it to each DP; it keeps failing with the same error: "In SSL, but with no client cert." I did check SCCM\Administration\Security\Certificates and all of the Certs for each DP are showing as unblocked.
@@PatchMyPC Under each DP, I went into the Distribution point role, selected https, selected import cert and then pointed to the cert which is on my desktop, entered the password and clicked apply. I didn't get any errors.
@@PatchMyPC I just updated the image but it's showing the same error message. Also my SCCM server is showing the wrong cert when I type in sccm in the browser. It should show me that my cert expires in 2021 but it's showing the old cert.
Hi, Thank you for the videos. I have a question regarding WSUS and SCCM. My SCCM and WSUS servers are on different servers. Do I need to import the Cert (IIS) on both servers and assign the binding to the site, and when running wsusutil which server do I put for https: the SCCM server or WSUS? My WSUS server has the software update point role installed.
Hi Justin, Hope you are doing well! It was a great video. Thanks a lot. This is the first time I am making changes in a live environment, however I am currently facing a challenge. In our environment we have the SUP role installed on CAS and PRI. We have set up one web server certificate for CAS and another web server certificate for PRI in the WSUS administration (port 8531), we have even done the SSL settings as per your video and ran wsusutil with the different server FQDN on both CAS and PRI, however we are getting an error in the logs stating "The request failed with Http status 403". Please help me out!
Justin, As always your videos are very well done, educational and have helped me very much. Even experienced IT Pros learn from your videos. I wanted to know if you can answer something. I followed this process exactly and it worked. All my systems that were in SCCM automatically got upgraded to PKI and a system that I added to the domain manually also got a PKI certificate. The issue I am having since I configured PKI: when I PXE boot (using PXE responder) to build a new system via task sequence, the Task Sequence Wizard never comes up and the system reboots. I restored my system to non-PKI and the task sequence wizard comes up OK and allows me to select a task sequence and image. I need to get PKI to work because I'm working on BitLocker integration (CM version 1910) and PKI is required. I have been looking for an answer for a couple of weeks now with no luck. Any suggestions will be greatly appreciated. P.S. do you have a video on BitLocker Integration?
I was able to find a resolution. Basically what was needed was to create a Trusted Root Certificate and import it into your site and give full rights to Authenticated Users to SMS_MP in IIS under Default Web Site. Reboot your SCCM server, then re-deploy your Task Sequence. After that, it PXE boots successfully.
First, I must say; fantastic video! Very clear, detailed instructions with explanations of why you're doing these things. Seriously great stuff! I do have a question. In my lab, I have mostly domain-joined endpoints to manage, but also a few workgroup clients. I followed this guide, which resulted in my environment being configured to handle https or http. However, it seems that the workgroup clients I have stopped being able to communicate after making these changes. Is there a specific reason why? On the workgroup computers, I have added the FQDN of the SCCM server into the hosts file, which essentially gives me DNS resolution. I also have Windows firewalls turned off, no network ports blocked in between, etc. Furthermore, it seems that the obvious *best* way forward would be to install the certificate manually on the workgroup systems. I *shouldn't* necessarily need to do this, since it should accept http or https, but if I did want to manually install the certificate(s) on the workgroup clients, what would be the best way to achieve that? Thanks again for the quality content!
Patch My PC Correct. Here’s my two questions around that: 1. Shouldn’t I not necessarily need the client certificate installed since my SCCM environment is configured for either http or https? Shouldn’t it just prefer a cert, not require it? 2. What’s the process for exporting a client cert to a workgroup client from the CA, since it obviously can’t auto-enroll via the group policy? Thank you for your time!
Mike Murphy Have you seen my updated video here m.th-cam.com/video/amrg_mlFvuk/w-d-xo.html. I cover in more depth how to install SCCM current branch in this one.
I seem to be good the entire way until I enable https on my MP, then boom, all clients instantly go inactive. All the certs are there on both clients and the sccm box but I fail as soon as I add the MP to secure. So I stopped and rolled back.
@@PatchMyPC Immediately, within 5 minutes or less. It is clearly related: as soon as I undid the management point they went back active. But now I have to undo the WSUS changes. I have removed the require SSL, but is there an undo command for the wsusutil configuressl command?
@@PatchMyPC Offline with the X icon. All I really want to know is how to undo the wsusutil.exe configuressl command. Is that not possible? I have reversed all the other changes
This is a very helpful video, but there are some topics it doesn't cover. 1. You need to create a CRL distribution point on http and on a share, and configure the CA accordingly. Otherwise PXE will stop working; you also need to import the Root CA into Site Properties. Clients need the possibility to check the revocation list. 2. Currently (2211) there is a bug - the console shows Client Certificate as Self-Signed for Devices, while it is PKI on the client.
Hi Justin. I am following your complete video series about SCCM and it is the first learning source I recommend to any SCCM novice. After following this guide, when I test the MP as you showed I am getting the error: HTTP Error 403.2 - Forbidden. You have attempted to view a resource that does not have Read access. I followed the guide and verified each step and am still getting the above error. I would be grateful for any help or direction. Thanks in advance.
@@PatchMyPC Thanks for the prompt reply. I set Read permission on the Handler Mapping for SMS_MP as suggested in the error page. Now I am getting the error below: HTTP Error 500.19 - Internal Server Error. The requested page cannot be accessed because the related configuration data for the page is invalid. The same error is reflected in MPcontrol.log: Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error
Hi Justin, thanks for the upload! Getting two errors at the moment: Http test request failed, status code is 403, 'Forbidden'. Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden. Followed on from video one but made some changes: SCCM and SQL are both on separate servers, I have also installed an AD CS Two-Tier PKI Hierarchy docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831348(v%3Dws.11). Any help would be great.
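The revocation point the comment above raises can be checked from the client side before PXE is involved. The following PowerShell is an added example (not from the video or the commenter): it reads the CRL Distribution Points extension of a certificate, confirms each HTTP CDP is fetchable, and then builds the chain with online revocation checking, which is the step that fails when clients cannot reach the CRL. The thumbprint parameter is a placeholder; point it at the IIS web server certificate on the MP or DP.

```powershell
# Added example, not part of the video or the comments. Run on a domain client
# (or on the site server) to test CRL reachability for one certificate.
# $Thumbprint is a placeholder: supply the thumbprint of the IIS web server cert.
param([string]$Thumbprint = 'REPLACE_WITH_IIS_CERT_THUMBPRINT')

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

function Get-CrlDistributionPoint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders
    # it as multi-line text containing one "URL=..." entry per distribution point.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

$urls = @(Get-CrlDistributionPoint -Cert $cert)
if ($urls.Count -eq 0) {
    Write-Warning 'Certificate carries no CDP extension; clients cannot check revocation at all.'
}

foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # LDAP or file-share CDPs are not reachable from WinPE or from non-domain machines,
        # which is why the comment above asks for an HTTP distribution point.
        Write-Warning "Non-HTTP CDP $url will not be reachable from PXE/WinPE clients."
        continue
    }
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        Write-Host "OK   $url ($($r.RawContentLength) bytes)"
    } catch {
        Write-Warning "FAIL $url : $($_.Exception.Message)"
    }
}

# Build the full chain with online revocation, as the client does when it validates
# the MP/DP certificate; any unreachable CRL shows up as RevocationStatusUnknown/OfflineRevocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if ($chain.Build($cert)) {
    Write-Host 'Chain built and revocation checked successfully.'
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

Run it on a machine that has only the network access a WinPE client would have; a warning on the HTTP fetch or an `OfflineRevocation` status from the chain build is the condition that makes PXE policy retrieval fail.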
5 years later, this video is still saving Jobs
I refer your video to all my customers. You became like the number 1 to go for PKI
Thanks for recommending!
This is by far the best SCCM video series I have come across. Thanks so much for the high quality detailed videos :)
Thanks for watching!
There was an important step missed here that will become an issue when attempting to do OS deployments using PXE. At around 20:00 in this video the Trusted Root Certificate Authorities certificate was not set in Site Properties -> Client Computer Communication tab. This will cause the PXE client to fail to securely communicate with the Management Point and will be unable to retrieve the necessary policies for OS deployment.
Using the Certificates MMC snapin in the local computer context, export your enterprise RootCA certificate in the DER encoded binary X.509 (.CER) format. Add the exported certificate on the Client Computer Communication tab by clicking Set next to Trusted Root Certification Authorities, and then restart the Web Deployment Services Server service on the Distribution Point server.
Note that it is not necessary to set any IntermediateCA certificates. Only the RootCA is required.
Thanks for the post!
@@PatchMyPC My pleasure. These videos have been so useful to me that I thought I would add something back in case anyone runs into the same issue I had. Thanks again!
Thank you, that was useful. I'd like to add to that: After you restart WDS (or the whole server), in case you're using Bootable Media, you'll need to recreate them again to include the Cert.
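The root-CA export, the "Set" on the Client Computer Communication tab and the WDS restart described in the post above, plus the boot-media note that follows it, can be scripted on the distribution point. The PowerShell below is an added example (not from the video or the commenters): it picks the self-issued root certificate from the local machine's Trusted Root store (so an intermediate SubCA is never chosen, matching the note that only the root is required), exports it as DER-encoded X.509 (.CER), and restarts the Windows Deployment Services service. `Contoso Root CA` and the output path are placeholders, and the service name `WDSServer` is assumed to be the WDS server service on the DP.

```powershell
# Added example, not part of the video or the comments. Run elevated on the PXE-enabled DP.
# $RootSubject is a placeholder for your enterprise root CA's common name.
param(
    [string]$RootSubject = 'Contoso Root CA',
    [string]$OutFile     = "$env:TEMP\EnterpriseRootCA.cer"
)

# A root CA certificate is self-issued: Subject equals Issuer. Filtering on that avoids
# exporting an intermediate (SubCA) certificate, which the post above says is not needed.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "*$RootSubject*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $root) {
    throw "No self-issued root certificate matching '$RootSubject' found in Cert:\LocalMachine\Root"
}
if ($root.NotAfter -lt (Get-Date)) {
    Write-Warning "Root CA certificate expired on $($root.NotAfter); clients will not trust it."
}

# -Type CERT writes a single DER-encoded X.509 certificate, the .CER format the console accepts.
Export-Certificate -Cert $root -FilePath $OutFile -Type CERT -Force | Out-Null
Write-Host "Exported '$($root.Subject)' (thumbprint $($root.Thumbprint)) to $OutFile"
Write-Host 'Import it at Site Properties > Client Computer Communication > Trusted Root Certification Authorities > Set.'

# Restart WDS so the PXE boot environment picks up the new trust list. Bootable media made
# before this change does not contain the root and has to be recreated, as the comment above notes.
if (Get-Service -Name WDSServer -ErrorAction SilentlyContinue) {
    Restart-Service -Name WDSServer -Force
    Write-Host 'Restarted WDSServer; recreate any existing bootable media so it includes the root.'
} else {
    Write-Warning 'WDSServer service not found on this host; restart WDS on the PXE-enabled DP.'
}
```

The Subject-equals-Issuer filter is the check worth keeping even when you export by hand: the console field wants the self-signed root, and exporting the issuing SubCA instead leaves the PXE client unable to build a trusted chain to the management point.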
I'm about to start a new SCCM deployment for my organization after not having gone through the process for 5 years (and that time I had the assistance of a PFE to get up and running). This series of videos is incredibly helpful to utilize a reference for my upcoming build. Also a big fan of Patch My PC, great service that helps a ton with my third party patch deployment... not sure how I'd get by without it :-)
Thanks a ton!
Thanks for watching.
Nice Step by Step Video. The only issue that I ran into was for deployment task sequences. I needed to add the Trusted Root Certification Authority to my Site Properties Communication Security, so that the DP certificate was trusted.
Nice catch
Thank you!
This just helped me prepare my SCCM environment for the coming change where http communication will be deprecated.
I will sleep like a baby tonight.
Glad to hear!!
Just adding my two cents to maybe help others, since this guide got me over the hump... With the rapid changes going on in Azure/Intune, I wanted to point out that these steps still work as of 10/2020. Although there were two snags I had to work out:
(1). After requesting the IIS Web cert on my MECM server, I had to go back and find the request on my CA, in the "Pending Requests" node, right-click and choose "Issue" to actually issue the cert to MECM server. Then had to go to MECM server's Certs.MMC, right-click the top node (Certificates (Local Computer)), > All Tasks > Automatically Enroll and Retrieve Certificates... Finally, the IIS Web cert showed up on my MECM server.
(2) With all steps completed, my clients were still using Self-Signed certs (second line on General tab of CfgMgr client properties) and wouldn't switch to PKI cert. I had to go to MECM server registry and add the following key: HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel ClientAuthTrustMode (DWord) = 2. Reboot was required before my clients finally used the PKI cert.
I'm still getting an error in EventViewer but not sure of its impact. "A fatal error occurred while creating a TLS client credential. The internal error state is 10013."
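The registry change in snag (2) above can be applied and verified with PowerShell rather than regedit. This is an added example (not from the commenter or the video); it reads the current `ClientAuthTrustMode` value under the Schannel key, sets the DWORD to the value the comment used (2) only when it differs, and reads it back. It assumes it runs elevated on the MECM site server; the reboot the comment mentions is still required because Schannel reads this setting at startup.

```powershell
# Added example, not part of the video or the comments. Run elevated on the site server.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel'
$Name    = 'ClientAuthTrustMode'
$Desired = 2   # value used in the comment above

function Get-ClientAuthTrustMode {
    # Returns $null when the value has never been set (Schannel then uses its default).
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$before = Get-ClientAuthTrustMode
$shown  = if ($null -eq $before) { '<not set>' } else { $before }
Write-Host ("Current {0}: {1}" -f $Name, $shown)

if ($before -ne $Desired) {
    # New-ItemProperty -Force creates the DWORD or overwrites an existing value of another type.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Desired -Force | Out-Null
    $after = Get-ClientAuthTrustMode
    if ($after -ne $Desired) { throw "Failed to set $Name (read back '$after')" }
    Write-Host "$Name set to $after. Reboot the server, then check the client's General tab for the PKI certificate."
} else {
    Write-Host "$Name is already $Desired; no change made."
}
```

Keep the `$before` value from the first run: it is what you restore if the change has to be rolled back on a server that also terminates other TLS client-certificate connections.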
Thanks for the tip
Dear Justin, You really helped me. My heart is always with you.
Excellent step-by-step. Very much appreciated!
Thanks for watching
Great video series. What's holding me here is the video in minute details. I'm able to learn more things, which will certainly add value next time when I configure SCCM. Thanks.
Thanks for watching!
Thank you so much, I struggled for a long time making everything work. Now it works perfectly!!
Thanks for watching! Glad it helped.
@@PatchMyPC I have another problem: now when I try to distribute content to my distribution point, I have the error "The distribution handler could not connect to the distribution point, try to check your network or firewall". My distribution point is on the same server as the rest. I tried to disable my firewall but I still have the same problem. Do you have an idea? Thanks ;)
You saved me days of search and troubleshooting. Thank you!
You're welcome
@@PatchMyPC One question, if I wanted to change my Report Server to switch to HTTPS, how I would do that? Thanks!
Just wanted to add a note about the client auth certificate version. I don't think a 2003 version is a requirement any longer. Our client certs use a 2012 version and everything is working correctly. We're currently running CB 1810.
There's still some mention of it in the docs: docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements
Hi, great video.
2 Years is up and my IIS and OSD certs are expiring soon. What do I need to do to renew them? Really struggling :(
Wonderful presentation. I read the MS docs that run parallel to this and your work just put it all in focus. Appreciate it!
Glad it was helpful!
Thank you for this very helpful video. Very easy to follow guide.
Thanks for watching
Great walkthrough. I've used your videos to go from noob to intermediate level sccm support! I do have an issue that arose though and I can't seem to figure it out, even with all the main forums for SCCM engineers blasted with the issue. I'm getting "DP not installed or configured yet" error when I try to create a new DP from the site. It was working prior to December 2023 just fine, then just stopped replicating content. After initial troubleshooting, I couldn't narrow it down to the site server, so since it was a brand new DP (not even in production yet really), I just recreated a new DP on another machine, and got the same error. I have checked all of the prerequisites for DP on the new computer. I have removed/readded the DP and site system server more times than I can count. I have made sure the site server computer account was in the local administrators group on the DP. First error in distmgr.log is above, then it's followed by errors saying it couldn't copy the ContentAuthModule.lib to the dp. Then it says can't copy ISAPI extensions. When I first kick off the DP add, the SCCM Content Lib folder is created on the DP, but nothing ever goes inside of it. I know this sounds like an easy "remove/readd permissions to site server local admin group and/or specific site server computer account to local admin", but it's not working. 4 weeks I've been banging my head on this and my company is too small to have a Premier Support account with Microsoft, nor will they pay anyone to come fix it as "you're our guru" they say to me as they pay me intermediate level moneys :)
Any insight would be amazing from anyone really.
Awesome video, it helped me a lot! Could you please explain simply how I would go about resolving PXE on my secondary distribution site. I enrolled the IIS Certificate and DP certificate on this 2nd DP and then I exported the DP cert and imported it on the DP node in the console. Was this the right way to do it? Do I need to do anything with the IIS certificate on the 2nd DP?
Hi, I followed the procedure without encountering any difficulties but in the Configuration Manager console I see the devices with CLIENT CERTIFICATE as Self-Signed and not PKI, any suggestions on what I could check?
Thank you and your guides are very helpful and informative
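When the console keeps reporting "Self-Signed" (as in the question above, and as the earlier comment about `ClientAuthTrustMode` described), the first thing to verify on the client is whether any certificate in the local machine's Personal store meets the ConfigMgr client-certificate requirements at all. The PowerShell below is an added example (not from the video or the commenters): it evaluates each certificate in `Cert:\LocalMachine\My` for the Client Authentication EKU, a private key, a CA-issued (not self-signed) subject, validity dates, and a chain to a trusted root, and reports why each one is or is not usable. It assumes it runs elevated on the client.

```powershell
# Added example, not part of the video or the comments. Run elevated on the ConfigMgr client.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-CmClientCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()

    # Enhanced Key Usage (OID 2.5.29.37) must include Client Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })) {
        $reasons += 'no Client Authentication EKU'
    }
    if (-not $Cert.HasPrivateKey)        { $reasons += 'no private key' }
    if ($Cert.NotBefore -gt (Get-Date))  { $reasons += "not yet valid (from $($Cert.NotBefore))" }
    if ($Cert.NotAfter  -lt (Get-Date))  { $reasons += "expired $($Cert.NotAfter)" }
    if ($Cert.Subject -eq $Cert.Issuer)  { $reasons += 'self-signed, not issued by a CA' }

    # Chain to a root in LocalMachine\Root; revocation is left out here so that an
    # unreachable CRL does not mask a missing root certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $reasons += ('chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','))
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        Expires    = $Cert.NotAfter
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-CmClientCertificate -Cert $_ }
$results | Sort-Object Usable -Descending | Format-Table Subject, Issuer, Expires, Usable, Reasons -AutoSize

if (-not ($results | Where-Object Usable)) {
    Write-Warning 'No usable PKI client certificate: check autoenrollment GPO and template permissions.'
}
```

If a usable certificate is listed and the client still reports Self-Signed, the client side is fine and the remaining suspects are the ones the thread already names: the site server's Schannel trust mode and the console display issue mentioned in another comment.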
Excellent video, it helped to configure SCCM 2019 in my environment..
Thanks for watching!
You're so damn good Justin :) really awesome and amazing detailed videos.
Thanks for watching!
Thank you so much for all these videos. They are extremely valuable.
Thanks!
Very good walk through. You are a legend.
Thanks for watching
Amazing walkthrough. Thank you for taking the time and making this so easy to follow!
thanks for watching!
Hi Justin, thank you for the fantastic tutorial. Can I use this blog as a reference for creating my own blog in a different language?
Go for it!
Wonderful... very clear and efficient. nothing to say more.. thank you Justin !
Glad you liked it!
Excellent video! One question: how about the certificates for OSD boot media? Can I use the DP certificate or do I need another one?
I was having problems with the boot media but I figured it out. You actually have to export the root CA certificate and import it into the "Trusted Root Certification Authorities" (20:00 on the video). After that, you can regenerate the media and it will work. This may help someone out there ;-)
Yes you can
Great video. Question about remote DPs though, only a single cert for all DPs for OSD? I have 20 DPs, wouldn't the client want the cert to match the ones they're connected to? Also, after the import, can the .pfx be deleted (I didn't see it get stored anywhere else).
The cert added directly to the DP tab is used for clients during OSD. The web server DP certs would need to be unique but the DP/OSD ones don't.
@@PatchMyPC I get that, but when I request the DP Cert, it's tied to a particular DP so I guess I don't know how that works. (And can I delete the file after import?)
@@firealliancenx boundary groups will tell the client what DP to use. Yes, you should be able to remove it after.
@@PatchMyPC I don't think I'm asking the question correctly, thank you for the swift responses though!
This guide is great, but I can't get my client push working. Are there some additional installation properties required now that I'm using HTTPS?
Check out my post install guide it covers client push
Hi Justin, thanks for the fantastic video. One thing I want to clarify: you mentioned certs are required for CMG. If I don't want my internal machines to use PKI, how can I ignore that? Based on your 2 videos it looks like I am moving my infrastructure from self-signed to PKI. Please advise.
If you don't use internal PKI, machines would be able to use Azure AD auth or token-based auth: docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-token
Nice Job on these videos! The names on my templates are slightly different. For example, instead of mine being called "SCCM IIS Certificate", I have mine called "MECM IIS Certificate". Because of the newer name for SCCM.
Thanks!
Thanks, helped me a lot. I had some weird issues with changing over to PKI, but just running through this step by step solved it :)
Awesome!
Is it possible to skip the CA setup and to just use a public wildcard cert?
For which certificate, the management point?
As HTTP has been deprecated, is configuring PKI for SCCM a mandatory step, or is there another way to configure and enable HTTPS-only communication? Please suggest.
Great video, but I have a question. Why would you configure HTTPS but then select the option to use HTTPS or HTTP with PKI as preferred, instead of forcing HTTPS only?
Some MPs could run on HTTP and see in HTTPS
Excellent video, many thanks for your time.
How can I deal with PKI for machines in a DMZ? I have a management point in the same DMZ network for authentication, but the machines are on a completely different domain and do not have access to my sub CA, where my MECM server resides.
DMZ is hard. You can request the cert internally with private key exportable.
Fantastic video, great efforts to make it step by step. Love your work!
Thanks for watching.
Incredible content! Thanks so much for sharing your expertise.
Thanks for watching!
Great video. Thanks!
Is there a reason you didn't enable "HTTPS only" and instead selected "HTTPS or HTTP"? From what I understand "HTTPS only" shouldn't require any additional configuration besides what you've already done? In my experience, removing HTTPS bindings on your DP just leaves the client stuck at downloading 0% in Software Center.
tehpatriot yeah, that would have been fine since I only had one site system, and it had the needed certs. I had some other things I was planning on doing so I didn't enable it site wide.
So I have my DP and WSUS servers separate from the primary site system. Would I need to create a different IIS SSL certificate for each of those servers with the local host's DNS name?
Yeah you likely would unless you used a wildcard SSL certificate
I believe we do have a public wildcard with digicert or GoDaddy.
Great instructional videos. I like your concise training style.
Matthew Driscoll thanks for the feedback.
Great video. This looks after machines on the corporate LAN. What about if I want to look after machines in a DMZ, as well as internet-based clients (mobile devices) that are sometimes on our LAN but mostly not? Is this possible?
John Mills I will be covering IBCM soon and DMZ clients in the future.
Just FYI, I know this is two years later, but at 20:50 I had to specify the Trusted Root Certification Authority. Without it, imaging failed. It was just a case of exporting the root CA from the server and importing it there. Just in case anyone else gets caught on this.
Thanks for the tip
Sir You are amazing.....
Thank you so much!
I have just one question:
I created templates for Web Server and Windows Authentication PKI certificates. I don't want to create a DP certificate for now, but in CM I set DP communication to HTTP and on the primary site both HTTPS and HTTP.
I am creating all this because the client wants CM to deploy BitLocker to their machines, so the MP has to use PKI.
Did everything like you explained. I have one PC that is in the PKI TEST collection. Created GPOs, the PC received PKI, changed MP communication to HTTPS, everything looks fine.
BUT - now in Devices, the icon next to the PC turned to a grey X, and when I deploy apps or run scripts to that PC nothing happens.
MP is green in Monitoring, in all Log files everything is the same as is in your logs.
I can access the PC using remote control, but that's it...
Can you PLEASE help me... this has to work in 9 hours :( :(
Great video. How would you go about installing the client certificate for a different domain? This works perfectly for domain XYZ, but my other domain obviously is not getting the certificate from AD/GPO.
This can get very complex depending on how the trust is configured.
@@PatchMyPC Ouch, okay. I have a 2-domain environment and I got this working perfectly for the primary domain where SCCM sits. SCCM was managing both domains fine before I forced HTTPS/PKI; I was hoping I could push the cert to the other domain and be all set?
@@walterh1223 As long as the root CA issuing certs is trusted it should work fine. Clients need to trust the SCCM site systems (IIS certs) and vice versa. It shouldn't really matter what domain/CA is issuing the certificate as long as the root is trusted.
I'm enjoying your videos about SCCM. For this chapter, can we use a wildcard SSL cert on WSUS or SCCM?
I haven't tested that scenario with Internal PKI.
Hi Justin, I just want to know: is there a command that would pick the correct cert if the client installation is taking the wrong cert from a bunch of certificates? How do I go about it?
Hope you figured this one out. Sorry for the delay; this is a little bit too complex to try to resolve in comments. The Microsoft docs for ConfigMgr can often be a great resource.
Thanks Justin. When specifying the private key toward the start of the AD CS config, is it possible to use a wildcard cert that we have purchased for our domain name through GoDaddy, as an example?
I'm not sure about that one.
Great video, awesome resource! Question - I have multiple DP's (14), do I need to request the DP Cert from EACH DP?
...and IF YES, do I also need to import THAT SPECIFIC exported Certificate on the DP Tab for that same DP? Thank you in advance...
You can use the same client cert for the DP cert.
@@PatchMyPC Thank you very much for the reply, still a little confused. To clarify (for me!):
1. Do I need to request the DP Cert on each of my DP's?
2. Do I export from each DP and import the matching .pfx within the console for each DP, or just export one time and import that same .pfx for each DP?
Thank you again!
When importing the OSD cert into IE, I still can't access the site because it's not accepting the imported cert. Why is that? Maybe because I have exported it with SHA256 encryption?
It could be a lot of different reasons, and probably a little tough to try to solve via comments.
I'm getting stuck at about the 13:30 minute mark. Auto-enroll works but I don't see the templates I created being imported. The SCCM Client Certificate doesn't import. I only see Kerberos Authentication, Directory Email Replication, and Domain Controller Authentication. This is on an existing network with CA already setup. Did I miss a setting?
Got it, had to request it from the SCCM server, not CA.
@@dsyncd555 Cool!
Another great video. One small question: if none of my clients or the CA are Windows 2003, can I make the compatibility mode 2008 R2 or even 2012? I wasn't sure why the compatibility had to be such an old version.
You need the template to be Windows Server 2003. This is for compatibility for ConfigMgr.
Hi Justin,
Just to clarify, I have multiple DPs for each city in my company. Do I need to interactively log in to each server individually, request the certs for OSD and then import it in the console?
Or can I login to the Configuration Manager console and just import the OSD cert?
It depends on the cert. For the DP cert for OSD you can do it in the console. The IIS one will probably require you to log in or some other automation.
@@PatchMyPC So each DP will also need the web server certificate we generated at the beginning?
I think I have the general idea. Log in to each DP, run through the IIS certificate process you outlined in the video, and just import the OSD certificate from the console.
Very good tutorial! Thank you :)
Thanks for watching
Thanks, this was incredibly helpful and insightful.
Thanks for watching!
I love your video, it's very educational. Could you please give me a guide on how to get a PKI on a Windows server? I have been struggling with it.
Thanks for watching.
I have to say FANTASTIC VIDEO!! Very detailed. Just have one question. For some reason, when I enabled SSL communication and PXE boot to the SCCM password screen, it will not load my Task Sequence jobs and errors out, then restarts.
I believe once I enter PXE the client cannot communicate with the MP due to no certificate? Is that possible?
@@fresnocourt6874 anything in SMSPXE.log?
@@PatchMyPC Sorry for such a late response. I had to put this to the side for a bit. I do have logs: WARNING: _SMSTSRootCACerts Not Set. This might cause client failures in native mode. WARNING: _SMSTSCertStoreName Not Set. This might cause client failures in native mode. WARNING: _SMSTSCertSelection Not Set. This might cause client failures in native mode.
Ok... Also, steps taken: I updated the boot image and unblocked the certificate in the Certificates node, which resolved the warning, but I am still having the same issue. I would get to the PXE boot screen to enter my password, but when I enter it, it would attempt to look for policy, then fail.
@@PatchMyPC I resolved the issue by putting a trusted root certificate in Site Properties > Client Computer Communication. Just in case someone else is having the same issue.
Thanks again for the video, I could not have gotten here without it. Next up for us is IBCM.
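Several commenters above hit the same PXE failure and fixed it the same way: export the enterprise root CA as a DER-encoded .cer, add it under Site Properties > Client Computer Communication > Trusted Root Certification Authorities, then update the boot image or recreate boot media. The script below is an added example, not from the video or any of the commenters. It does the export from the DP's local Trusted Root store, then builds the certificate chain for the DP's own IIS certificate the way a client would (revocation check included) and confirms it terminates at that root, so that a chain problem shows up on the DP before a WinPE client trips over it. The console import itself stays a manual step. The root CA subject (`CN=Contoso Root CA`) is a placeholder, and `-RestartWds` is an optional switch added for this example.

```powershell
# Added example (not the video's or the commenters' code). Run elevated on a PXE-enabled DP.
param(
    [string]$RootCaSubject = 'CN=Contoso Root CA',   # ASSUMPTION: replace with your enterprise root CA subject
    [string]$DpFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$ExportPath    = "$env:TEMP\EnterpriseRootCA.cer",
    [switch]$RestartWds                              # only after the .cer has been added in the console
)

# 1. Locate the root CA in the machine's Trusted Root store. A root is self-issued
#    (Subject equals Issuer); intermediates do not belong in Site Properties.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootCaSubject -and $_.Subject -eq $_.Issuer } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) { throw "Root CA '$RootCaSubject' not found in Cert:\LocalMachine\Root" }

# 2. Export as DER-encoded binary X.509 (.CER). -Type CERT writes DER; no private key is touched.
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT -Force | Out-Null
Write-Host "Exported root CA $($root.Thumbprint) to $ExportPath"

# 3. Find the DP's server-authentication certificate (EKU 1.3.6.1.5.5.7.3.1, SAN contains the DP FQDN)
#    and build its chain with online revocation checking, which is what a client has to do.
$serverAuthEku = '1.3.6.1.5.5.7.3.1'
$dpCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku) -and
                   ($_.DnsNameList.Unicode -contains $DpFqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $dpCert) { throw "No server-authentication certificate for $DpFqdn in Cert:\LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($dpCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
    throw "DP certificate $($dpCert.Thumbprint) does not build a valid chain; fix this before testing PXE"
}
# The last chain element is the root the chain engine actually trusted; it must be the one exported.
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "DP certificate chains to '$($chainRoot.Subject)', not to the exported root"
}
Write-Host "DP certificate $($dpCert.Thumbprint) chains to the exported root; OK"

# 4. WDS caches the site's trusted-root setting; restart it once the .cer is in the console.
#    The Windows Deployment Services Server service name is WDSServer.
if ($RestartWds) {
    Restart-Service -Name WDSServer -ErrorAction Stop
    Write-Host "WDSServer restarted"
}
```

Run it once without `-RestartWds` to export and validate, add the exported .cer under Trusted Root Certification Authorities in the console, then run it again with `-RestartWds`. If you use bootable media, recreate it afterwards, as noted earlier in the thread.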
In the admin console it is still showing self-signed, but on the client PKI is showing. Please let me know if I need to make any changes.
Hope you figured this one out. Sorry for the delay; this is a little bit too complex to try to resolve in comments. The Microsoft docs for ConfigMgr can often be a great resource.
How did you solve it
I just tried to build a new Windows 7 machine and it's failing to apply the OS.
In SSL, but with no client cert.
We use Windows 10 Enterprise machines which are acting as DPs for local sites.
Did you import the PFX client cert on the DP in the console as shown in the video?
@@PatchMyPC I exported the cert from SCCM onto my desktop and then attached it to each DP. It keeps failing with the same error: In SSL, but with no client cert.
I did check SCCM\Administrator\Security\Cert and all of the certs for each DP are showing as unblocked.
@@PatchMyPC Under each DP, I went into the Distribution point role, selected HTTPS, selected import cert and then pointed to the cert which is on my desktop, entered the password and clicked on Apply. I didn't get any errors.
@@sarwanamajid can you try to update your boot images? If using boot media recreate that after updating the boot image.
@@PatchMyPC I just updated the image, but it's showing the same error message. Also, my SCCM server shows the wrong cert when I type in sccm in the browser. It should show me that my cert expires in 2021, but it's showing the old cert.
The client certificate in the SCCM console didn't change from "Self signed" to "PKI". Does anyone know why? 33:25
Excellent video
Thanks for watching
Hi, thank you for the videos. I have a question regarding WSUS and SCCM. My SCCM and WSUS are on different servers. Do I need to import the cert (IIS) on both servers and assign the binding to the site, and when running wsusutil, what server do I put for HTTPS, the SCCM server or WSUS? My WSUS server has the software DP site installed on it.
IIS certs are usually specific to each host.
Hi Justin,
Hope you are doing well!
It was a great video. Thanks a lot. This is the first time I am making changes in a live environment; however, I am currently facing a challenge.
In our environment we have the SUP role installed on the CAS and the PRI. We have set up one web server certificate for the CAS and another web server certificate for the PRI in WSUS administration (port 8531). We have even done the SSL settings as per your video and ran wsusutil with the different server FQDN on both the CAS and the PRI; however, we are getting an error in the logs stating "The request failed with Http status 403".
Please help me out!
403 could be a variety of issues
Justin, as always your videos are very well done and educational and have helped me very much. Even experienced IT pros learn from your videos.
I wanted to know if you can answer something. I followed this process exactly and it worked. All my systems that were in SCCM automatically got upgraded to PKI, and a system that I added to the domain manually also got a PKI certificate. The issue I am having since I configured PKI: when I PXE boot (using the PXE responder) to build a new system via task sequence, the Task Sequence Wizard never comes up and the system reboots. I restored my system to non-PKI and the Task Sequence Wizard comes up OK and allows me to select a task sequence and image. I need to get PKI to work because I'm working on BitLocker integration (CM version 1910) and PKI is required. I have been looking for an answer for a couple of weeks now with no luck. Any suggestions will be greatly appreciated.
P.S. Do you have a video on BitLocker integration?
I was able to find a resolution. Basically what was needed was to create a Trusted Root Certificate and import it into your site, and give full rights to Authenticated Users on SMS_MP in IIS under Default Web Site. Reboot your SCCM server, then re-deploy your task sequence. After that, it PXE boots successfully.
glad to hear!
Thanks for the update below!
Outstanding video!
Thanks for watching!
Excellent video, thanks for uploading.
Thanks for watching.
Nice video. Thanks.
Thanks for watching
Hi Justin,
Nice video.
But how did you manage to get the OSD cert?
That should be covered in the video.
First, I must say; fantastic video! Very clear, detailed instructions with explanations of why you're doing these things. Seriously great stuff!
I do have a question. In my lab, I have mostly domain-joined endpoints to manage, but also a few workgroup clients. I followed this guide, which resulted in my environment being configured to handle https or http. However, it seems that the workgroup clients I have stopped being able to communicate after making these changes. Is there a specific reason why? On the workgroup computers, I have added the FQDN of the SCCM server into the hosts file, which essentially gives me DNS resolution. I also have Windows firewalls turned off, no network ports blocked in between, etc.
Furthermore, it seems that the obvious *best* way forward would be to install the certificate manually on the workgroup systems. I *shouldn't* necessarily need to do this, since it should accept http or https, but if I did want to manually install the certificate(s) on the workgroup clients, what would be the best way to achieve that?
Thanks again for the quality content!
I'm assuming the workgroup clients don't have a client authentication certificate installed?
Patch My PC Correct. Here’s my two questions around that:
1. Shouldn’t I not necessarily need the client certificate installed since my SCCM environment is configured for either http or https? Shouldn’t it just prefer a cert, not require it?
2. What’s the process for exporting a client cert to a workgroup client from the CA, since it obviously can’t auto-enroll via the group policy?
Thank you for your time!
@@cpukid00 did you ever find a solution for this?
Can you put your SCCM 2012 RC - Step by Step video back up? That was a very helpful setup primer
Mike Murphy Have you seen my updated video here m.th-cam.com/video/amrg_mlFvuk/w-d-xo.html? I cover in more depth how to install SCCM current branch in this one.
I seem to be good the entire way until I enable HTTPS on my MP, then boom, all clients instantly go inactive. All the certs are there on both the clients and the SCCM box, but it fails as soon as I set the MP to secure. So I stopped and rolled back.
They go inactive after how long? What do you have set for your inactive period?
@@PatchMyPC Immediately, within 5 minutes or less. It is clearly related: as soon as I undid the management point change they went back to active. But now I have to undo the WSUS changes. I have removed the Require SSL setting, but is there an undo command for the wsusutil configuressl command?
I tried a simple patch on a server and it fails to download; that's why I am undoing the WSUS changes as well.
@@craigb2279 Are you saying they are "Inactive" or showing "Offline" (the icon) these are different.
@@PatchMyPC Offline, with the X icon. All I really want to know is how to undo the wsusutil.exe configuressl command. Is that not possible? I have reversed all the other changes.
Thank you for this!
My pleasure!
Hey, is this still valid for implementation?
Yes it is!
When you switch over to 443 should you resync Azure?
Not needed
Great video ... please make more SCCM Videos
Thanks!
Just posted a new one! - Justin
This is a very helpful video, but there are some topics it doesn't cover. 1. You need to create a CRL distribution point on HTTP and on a share, and configure the CA accordingly. Otherwise PXE will stop working. You also need to import the Root CA into Site Properties. Clients need the possibility to check the revocation list. 2. Currently (2211) there is a bug: the console shows the Client Certificate as Self-Signed for devices, while it is PKI on the client.
Yeah. CRL would be more advanced than I wanted to cover in this video.
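The CRL point raised above is worth checking concretely before the first PXE boot: a WinPE client is not domain-joined, so an LDAP-only CDP in the CA's certificates is unreachable from it, and an HTTP CDP that is published but stale (NextUpdate in the past) fails revocation checking just as hard as a missing one. The script below is an added example, not from the video or the commenter. It reads the CRL Distribution Points extension out of a site system certificate in the local machine store, downloads every HTTP CRL it lists, and prints the validity window `certutil -dump` reports for each. The thumbprint is a placeholder you replace with the DP's or MP's IIS certificate.

```powershell
# Added example (not the video's or the commenter's code). Run on the DP or MP holding the cert.
param(
    [string]$Thumbprint = 'PUT-DP-OR-MP-CERT-THUMBPRINT-HERE',   # ASSUMPTION: replace with a real thumbprint
    [string]$WorkDir    = "$env:TEMP\crlcheck"
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# The CRL Distribution Points extension is OID 2.5.29.31. Format($true) renders the ASN.1 as
# text with one "URL=<uri>" entry per distribution point, which is enough to pull the URIs out.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw "Certificate $Thumbprint carries no CRL Distribution Points extension" }
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

$httpUrls = @($urls | Where-Object { $_ -match '^https?://' })
$ldapUrls = @($urls | Where-Object { $_ -match '^ldap:///' })
Write-Host "CDP entries: $($urls.Count) (HTTP: $($httpUrls.Count), LDAP: $($ldapUrls.Count))"
if ($httpUrls.Count -eq 0) {
    # WinPE cannot bind to AD, so an LDAP-only CDP means PXE clients cannot check revocation.
    Write-Warning "No HTTP CDP found. Add an HTTP CRL distribution point on the CA and reissue the certificate."
}

$results = foreach ($url in $httpUrls) {
    $file = Join-Path $WorkDir ([IO.Path]::GetFileName(([uri]$url).AbsolutePath))
    try {
        # -UseBasicParsing avoids the IE engine dependency; the CRL is a binary blob either way.
        Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Url = $url; Reachable = $false; ThisUpdate = $null; NextUpdate = $null; Error = $_.Exception.Message }
        continue
    }
    # certutil -dump prints "ThisUpdate:" and "NextUpdate:" lines for a CRL; a non-CRL body yields neither.
    $dump = & certutil.exe -dump $file 2>&1
    $this = ($dump | Select-String '^\s*ThisUpdate:\s*(.+)$' | Select-Object -First 1).Matches.Groups[1].Value
    $next = ($dump | Select-String '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1).Matches.Groups[1].Value
    $expired = $false
    if ($next) { $expired = ([datetime]$next -lt (Get-Date)) }
    [pscustomobject]@{ Url = $url; Reachable = $true; ThisUpdate = $this; NextUpdate = $next; Error = $(if ($expired) { 'CRL EXPIRED' } else { $null }) }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Reachable -or $_.Error }) {
    Write-Warning "At least one HTTP CRL is unreachable or expired; PXE clients will fail revocation checking against this certificate."
}
```

If the CA publishes to a file share as well, that copy is what the HTTP virtual directory serves, so an expired NextUpdate here usually means the CA's publication job or the share copy is broken rather than the web server. Fix the CDP on the CA, reissue the site system certificates, and rerun the check before updating the boot image.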
Hi Justin. I am following your complete video series about SCCM and is the first learning source I recommend to any SCCM novice.
After following this guide, when I test the MP as you showed, I am getting this error:
HTTP Error 403.2 - Forbidden
You have attempted to view a resource that does not have Read access.
I followed the guide and verified each step, and I am still getting the above error. I would be grateful for any help or direction.
Thanks in advance.
Does MPControl.log look ok?
@@PatchMyPC Thanks for prompt reply. I set Read permission on Handler Mapping for SMS_MP as suggested in the error page. Now I am getting below error:
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Same error is reflected in MPcontrol.log:
Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error
@@mandargothoskar8578 I would probably start by trying to remove and reinstall the MP.
Can't thank you enough for this video!
Happy to help!
Good One!
Thanks for watching!
Same installation for a pro environment?
The same concepts will generally apply.
You have helped me a lot, Thank you so much!!!
Thanks for watching :)
Thank you so much, I did it.
Thanks for watching.
Hi Justin,
Thanks for the upload!
Getting two errors at the moment:
Http test request failed, status code is 403, 'Forbidden'.
Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden
Followed on from video one but made some changes:
SCCM and SQL are on separate servers,
I have also installed an AD CS two-tier PKI hierarchy:
docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831348(v%3Dws.11)
Any help would be great.
There can be a lot of possible causes for a 403. I would start with the IIS logs.
thanks bud
You bet