There have been many posts out there trying to address the issue behind Native Mode and PXE and/or Boot Media problems. This posting publishes information I found in the following article and additions which I have made to clarify some certificate configurations.
Step 1
In the site properties, check that you have imported your Root CA certificates. If you have subordinate CA servers, import them as well, as I have seen issues arising when they are not imported. The picture below will give you the idea:
Step 2
Create your OSD PXE service point certificate and export it. Go to your certificate authority and duplicate the Computer certificate, name it Configmgr OSD certificate, and make sure that you can export the private key!
My Comments:
MAKE SURE SUBJECT NAME TAB CONTAINS: SUPPLY IN REQUEST. When the request is made, give the certificate the following attributes:
• CommonName: (i.e. OSDpxeBootCert..Com)
• Alternate name: OSDpxeBootCert..com
• Friendly name: Any descriptive name.
Note: Because certificates are required throughout the native mode deployment, FQDNs are also required for the certificate Subject Name and Alternate Subject Names.
When you have created the certificate, export it to a DER format by going to MMC – Certificates – Personal – Request new certificate. Select the Configmgr OSD certificate and install it on your machine. When done, right-click the certificate and select Export. Export the certificate with the private key and, once it is exported, delete the certificate you requested.
Step 3
Import your certificate in the PXE role configuration pane.
Now go to the SCCM console, open Site systems – PXE Role, and import the certificate you just exported. The picture below explains it:
You will get the following warning if you exported the certificate on the Site server itself. This is not a problem, and you should select “yes” to continue.
Check the PXE Certificate in the SCCM console. Verify that the Root CA is trusted.
Try opening the Certificates | PXE node in SCCM. Find the certificate that is not “blocked” and right-click to Open it. Check the status of the CA Certificate. I found that it was “Not Trusted” in my environment.
When I clicked the Install button and selected the Trusted Root CA Authorities, the certificate was then “valid” when I reopened the certificate. My SMSPXE.log no longer reflected that the certificate was not set.
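As an added example (not part of the original post or of Configuration Manager), the PowerShell function below runs the checks from Steps 2 and 3 against a certificate: FQDN subject, DNS alternative name, private key present, and a chain that ends in a trusted root. The function name Test-PxeCertificate, the FQDN osdpxebootcert.example.com and the in-memory self-signed sample are assumptions made for illustration; it needs PowerShell 7, or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later.

```powershell
# Added example, not from the original post. Names are hypothetical.
function Test-PxeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$CheckRevocation   # off by default so the check also runs offline
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    $cn  = $Certificate.GetNameInfo($nameType::SimpleName, $false)
    $san = $Certificate.GetNameInfo($nameType::DnsFromAlternativeName, $false)

    # Build the chain against the local machine's trust stores, as the
    # certificate dialog in Step 3 does when it reports "Not Trusted".
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $trusted = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject       = $cn
        SubjectIsFqdn = $cn -match '^[^.\s]+(\.[^.\s]+)+$'   # at least one dot
        DnsAltName    = $san
        HasPrivateKey = $Certificate.HasPrivateKey
        ChainTrusted  = $trusted
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        ChainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Constructed sample: an in-memory self-signed certificate with a hypothetical
# FQDN. No root CA issued it, so it stands in for a certificate whose root
# has not been imported on this machine.
$fqdn = 'osdpxebootcert.example.com'
$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
            "CN=$fqdn", $rsa,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sanBuilder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
$sanBuilder.AddDnsName($fqdn)
$req.CertificateExtensions.Add($sanBuilder.Build($false))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1),
                                [DateTimeOffset]::Now.AddDays(30))

Test-PxeCertificate -Certificate $sample | Format-List
```

To check the file exported in Step 2, load it with `[System.Security.Cryptography.X509Certificates.X509Certificate2]::new(<path to exported file>, <password as SecureString>)` and pass the result to `-Certificate`.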
Step 4
Check that the following things are set correctly:
Network Access Account Not Set
Go into the Client Policy in SCCM and set a Network Access Account. It sometimes “disappears” even after everything has been working fine, and then the OSD Task Sequence cannot access the content on the Distribution Point!