Its Matt

Established Members
  • Posts: 5
  • Gender: Male
  • Achievements: Newbie (1/14)
  • Reputation: 0

  1. Hi all, I have not actively been to these forums in several years now as my responsibilities have broadened, but I come to you hat in hand seeking help! I have a single server deployment of SCCM 2012 R2 on Windows 2012 R2. I have an enterprise PKI, and the certificates have been properly configured on the SCCM server and distributed to clients. All was well, until I had to renew the root certificate with a new key pair. The intermediate cross certification certs were created properly and were added to the domain trust GPO. I began noticing that new clients could not register with the management point. I eventually realized that I had the old root certificate set as the trusted root CA. When I added the new root certificate here, I learned that it replaced the old one, did not add to it. This now caused the computers with certs issued by the old root certificate to be rejected. After reading some, I learned that if I have the trusted root certificate authority set to "Not Set", Config Manager would revert to the Windows trust store. I have been running this way for a couple of weeks and I thought all was well. I was able to manage clients with both new and old certs. This week I find out that PXE OSD is not working. When the trusted CA is not set, the SMSPXE.log shows:

     _SMSTSRootCACerts Not Set. This might cause client failures in native mode.

     The PXE client fails to get a policy, and this snippet appears in the smsts.log:

     WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
     WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set

     I have updated the PXE certificate on the distribution point, but to no avail. I can remedy this temporarily by setting the new root certificate as the trusted one in ConfigMgr, but this breaks communication with the clients on the old key pair. Is there a way to have PXE work, while still managing both old and new certificate clients? This community had been a great resource to me in the past. I'm hopeful that one of the brilliant minds here can help me again. Thanks!
  2. Rocket Man, thanks for the reply. I did not perform those checks before, but just did and am able to connect to Admin$ and query WMI of the client machine from the SCCM Management Point server. Yes, these machines did predate this implementation of SCCM.
  3. Ok that makes sense. I've made the changes to my boundaries. All subnets recreated as IP ranges and added to the same boundary groups that previously existed. I tried the install again and got the same failure code.
  4. Is there a reason to switch to IP ranges vs subnets?
  5. I've got a new installation of SCCM 2012 that is going mostly well. This was a clean install, but I believe this environment may have tried SCCM 2007 at some point in the past, though unsuccessfully. I have a couple of clients that are failing installation. They are all Windows XP. Here is a snippet of the ccmsetup.log.

     Current AD site of machine is HQ
     Local Machine is joined to an AD domain
     Current AD forest name is domain.local, domain name is domain.local
     DHCP entry points already initialized.
     Begin checking Alternate Network Configuration
     Finished checking Alternate Network Configuration
     Adapter {5A85755B-F909-4D9C-A46E-0BE51D804DD6} is DHCP enabled. Checking quarantine status.
     Sending message body '<ContentLocationRequest SchemaVersion="1.00"> <AssignedSite SiteCode="AHI"/> <ClientPackage/> <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseInternetDP="0"> <ADSite Name="HQ"/> <Forest Name="domain.local"/> <Domain Name="domain.local"/> <IPAddresses> <IPAddress SubnetAddress="10.0.1.0" Address="10.0.1.77"/> </IPAddresses> </ClientLocationInfo> </ContentLocationRequest> '
     Sending message header '<Msg SchemaVersion="1.1"><ID>{81019CDF-2B74-4089-93D1-A4C32BCA8C5E}</ID><SourceHost>CLIENTXP</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:CLIENTXP:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>https://SCCMserver.domain.local</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2012-10-12T15:06:44Z</SentTime><Body Type="ByteRange" Offset="0" Length="1082"/><Hooks><Hook3 Name="zlib-compress"/></Hooks><Payload Type="inline"/></Msg>'
     CCM_POST 'https://SCCMserver.domain.local/ccm_system/request'
     Begin searching client certificates based on Certificate Issuers
     Completed searching client certificates based on Certificate Issuers
     Begin to select client certificate
     The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.
     1 certificate(s) found in the 'MY' certificate store.
     Only one certificate present in the certificate store.
     Begin validation of Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local'
     Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local' doesn't have private key or caller doesn't have access to private key.
     Completed validation of Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local'
     GetSSLCertificateContext failed with error 0x87d00283
     GetHttpRequestObjects failed for verb: 'CCM_POST', url: 'https://SCCMserver.domain.local/ccm_system/request'
     GetDPLocations failed with error 0x87d00283
     Failed to find DP locations with error 0x87d00283, status code 200. Check next MP.
     Only one MP https://SCCMserver.domain.local is specified. Use it.
     Have already tried all MPs. Couldn't find DP locations.
     GET 'https://SCCMserver.domain.local/CCM_Client/ccmsetup.cab'
     Begin searching client certificates based on Certificate Issuers
     Completed searching client certificates based on Certificate Issuers
     Begin to select client certificate
     The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.
     1 certificate(s) found in the 'MY' certificate store.
     Only one certificate present in the certificate store.
     Begin validation of Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local'
     Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local' doesn't have private key or caller doesn't have access to private key.
     Completed validation of Certificate [Thumbprint 177CC907017F1F85AE0630C211E747D8C2B4352F] issued to 'clientXP.domain.local'
     GetSSLCertificateContext failed with error 0x87d00283
     GetHttpRequestObjects failed for verb: 'GET', url: 'https://SCCMserver.domain.local/CCM_Client/ccmsetup.cab'
     DownloadFileByWinHTTP failed with error 0x87d00283
     CcmSetup failed with error code 0x87d00283

     This should not be a boundary issue. I have defined all of my subnets as boundaries and joined them to a boundary group. This client is on the same subnet as many other clients that are working fine. The certificate is issued and the root CA is trusted. I have removed and rejoined this client to the domain. I have run winmgmt /resetrepository on this client. I looked up the 0x87d00283 with net helpmsg and it returns:

     This doesn't make any sense to me. My forest and domain function level is Windows 2008. These particular clients are Windows XP Professional SP3. I have many other WinXP SP3 clients working fine. I've pretty well run out of ideas and would welcome any discussion on the subject that might help me in any way. Thanks for listening!
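Both of the problems described in these posts come down to what the ConfigMgr client sees in the computer's personal certificate store: in post 5 the only certificate there has a private key the caller cannot open, and in post 1 clients chain to one of two roots while the site trusts only one. The following PowerShell script is an added example written for this page; it is not code from the poster or from Microsoft. It enumerates `Cert:\LocalMachine\My`, tries to actually open each private key (which is what the "caller doesn't have access to private key" line is reporting), builds the chain as Windows would, and reports which root each certificate terminates in. The function name `Test-CcmClientCert` and the `$StorePath` default are assumptions made here.

```powershell
# Added example (not the poster's or Microsoft's code): audit the computer
# certificates a ConfigMgr client could select for HTTPS.
# Run it in the same security context the client uses (Local System), e.g.
#   psexec -s powershell.exe -File .\Test-CcmClientCert.ps1
# Private-key ACLs are evaluated per caller, so an administrator can often
# open a key that SYSTEM cannot, and that difference is invisible to
# certlm.msc.

function Test-CcmClientCert {
    [CmdletBinding()]
    param(
        # Assumed default; the ConfigMgr client searches the computer's MY store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # HasPrivateKey only says a key *reference* is attached to the cert.
        # Opening the key is the real test; access denied surfaces here.
        $keyAccessible = $false
        $keyError = $null
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) { $rsa = $cert.PrivateKey }   # fallback for older .NET
                $keyAccessible = ($null -ne $rsa)
                if (-not $keyAccessible) { $keyError = 'Key reference present but key could not be opened' }
            } catch {
                $keyError = $_.Exception.Message
            }
        }

        # Does the certificate carry the Client Authentication EKU the MP expects?
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasClientAuth = $false
        if ($ekuExt) {
            $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages
            $hasClientAuth = [bool]($ekus | Where-Object { $_.Value -eq $clientAuthOid })
        }

        # Build the chain against the local trust store and note the root reached.
        # NoCheck keeps the audit usable on an isolated machine; re-run with
        # 'Online' if revocation is part of what you are troubleshooting.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $rootThumb = $null; $rootSubject = $null
        if ($chain.ChainElements.Count -gt 0) {
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $rootThumb = $top.Thumbprint
            $rootSubject = $top.Subject
        }
        $statusText = (@($chain.ChainStatus) | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            KeyAccessible  = $keyAccessible
            KeyError       = $keyError
            ClientAuthEku  = $hasClientAuth
            ChainBuilds    = $chainOk
            ChainStatus    = $statusText
            RootThumbprint = $rootThumb
            RootSubject    = $rootSubject
        }
    }
}

# Usage: list every candidate certificate; anything with KeyAccessible = False
# reproduces the post-5 failure, and RootThumbprint shows which of two roots
# a client would present during a root rollover like the one in post 1.
Test-CcmClientCert | Format-List
```

Two things to read off the output. A row with `HasPrivateKey = True` but `KeyAccessible = False` matches the ccmsetup.log line above exactly: the key exists on disk but the account running ccmsetup is not in its ACL, typically after the key container was created under a different account (for example, by a manual enrolment or a rejoin that left an orphaned container), and the fix is to re-enrol the computer certificate or grant the key to SYSTEM from certlm.msc rather than to touch boundaries. During a root rollover, grouping clients by `RootThumbprint` tells you how many still chain to the old root before you pin the new one as the site's trusted root CA, which is the point at which the old-key clients in post 1 stopped being accepted.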