SCCM – OSD not working anymore after switching to HTTPS environment.

Kevin Burgisser 6 Reputation points
2023-05-16T06:08:25.3833333+00:00

I have recently switched our ConfigMgr environment to use HTTPS communication. Since then, OSD is not working anymore. It fails at step “apply operating system” with error 0x80070002. I receive errors of type “Http result: 403”, “SendResourceRequest() failed. 80190193”, “Download() failed. 80190193" in smts.log file.

Based on my comprehension, I understand that the system will use Network Access User account to retrieve boot image at this step; the system has no operating system installed so it cannot use certificate.

Debug logs (smts.log, ...) have been uploaded to https://www.swisstransfer.com/d/e2cc198a-2f99-4b76-b9ed-20a13365387c

Certificates are valid and not expired
All roles installed on the same server
Network access user configured
SQL Server : Microsoft SQL Server 2016 (SP3-CU1-GDR)
Configuration Manager 2211
IIS Version : 10.0.14393.0
Windows Authentication and anonymous authentication enabled on the default web site

Could anyone help please?

Microsoft Security | Intune | Configuration Manager | Other
{count} votes

3 answers

Sort by: Most helpful
  1. Youssef Saad 3,416 Reputation points
    2023-05-16T13:44:32.5+00:00

    Hello,

    Did you switch your DP to communicate using HTTPS?

    You can take a look of the following official documentation about PKI DP & OSD requirements:

    Regards,

    Youssef Saad | Blog: https://youssef-saad.blogspot.com/ | LinkedIn

    1 person found this answer helpful.

  2. Pavel yannara Mirochnitchenko 13,341 Reputation points MVP
    2023-05-16T14:52:51.6933333+00:00

    I believe you will need to re-create or re-deploy boot images, they will have that new DP cert which you didn't have before.


  3. Simon Ren-MSFT 40,346 Reputation points Microsoft External Staff
    2023-05-17T08:49:15.44+00:00

    Hi,

    Thank you for posting in Microsoft Q&A forum.

    Agree with above replies. You will need to make sure that both your DP and IIS certificates have been assigned to the DP, then re-create and re-deploy boot images. A PXE-enabled distribution point sends this DP certificate to clients. Then the clients can connect to an HTTPS-enabled management point during the OS deployment process.

    Helpful articles for your reference:

    SOLVED OSD BROKEN AFTER HTTPS SETUP

    Deploying the Client Certificate for Distribution Points

    Deploy PKI Certificates for SCCM Step by Step Guide

    PKI for Site systems that have a distribution point installed

    Thanks for your time. Have a nice day!

    Best regards,

    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.