SCCM OSD/PXE Issues in Native Mode

October 30, 2008 at 9:54 am in ConfigMgr, ConfigMgr 2007, sccm, SCCM 2007 by Kenny Buntinx [MVP]

Some people are really experiencing hell with the PXE/OSD features when their site is in native mode. Below I have written a small guide on what to do and what to check to get things going in native mode for Operating system deployment .

Step 1

In the site properties , check that you have imported your Root CA certificates. If you have subordinate CA servers , import them as well as I have seen issues arriving when not importing them .The picture below will give you the idea :

SNAG-0169 SNAG-01701

Step 2

Create your OSD PXE service point Certificate & export it . Go to your certificate authority and duplicate the Computer certificate , name it Configmgr OSD certificate and make sure that you could export the private key !

SNAG-0172 SNAG-0173

When you have created the certificate , export it to a DER format by going to MMC – Certificates – personal – Request new certificate . Select the Configmgr OSD certificate and install it on your machine . When done , right click on the certificate and select export . Export the certificate with private key and when exported , delete the certificate you have requested .

Step 3

Import you in the PXE role configuration pane .

Now we go to the SCCM console and go to Site systems – PXE Role , import the certificate you just exported . The picture below explains it :


You will get the following warning when you exported the certificate on the Site server itself . This is no problem and you should select “yes” to continue


Check the PXE Certificate in the SCCM console.  Verify that the Root CA is trusted.

Try opening the Certificates | PXE node in SCCM.  Find the certificate that is not “blocked” and right-click to Open it.  Check the status of the CA Certificate.  I found that it was “Not Trusted” in my environment. 

When I clicked the Install button and selected the Trusted Root CA Authorities, the certificate was then “valid” when I reopened the certificate.  My SMSPXE.log no longer reflected that the certificate was not set.


 Step 4

Check that the following things below are set correctly

Network Access Account Not Set

Go into the Client Policy in SCCM and set a Network Access Account.  It sometimes “disappears” even after everything has been working fine. And then the OSD Task sequence cannot access the content on the Distribution point !


Hope it helps !


Kenny Buntinx

Tweet about this on TwitterShare on FacebookShare on Google+Share on LinkedInPin on Pinterest