This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 78%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKB%3C/text%3E%3C/svg%3E)
I have recently switched our ConfigMgr environment to use HTTPS communication. Since then, OSD is not working anymore. It fails at step “apply operating system” with error 0x80070002. I receive errors of type “Http result: 403”, “SendResourceRequest() failed. 80190193”, “Download() failed. 80190193" in smts.log file.
Based on my comprehension, I understand that the system will use Network Access User account to retrieve boot image at this step; the system has no operating system installed so it cannot use certificate.
Debug logs (smts.log, ...) have been uploaded to https://www.swisstransfer.com/d/e2cc198a-2f99-4b76-b9ed-20a13365387c
Certificates are valid and not expired
All roles installed on the same server
Network access user configured
SQL Server : Microsoft SQL Server 2016 (SP3-CU1-GDR)
Configuration Manager 2211
IIS Version : 10.0.14393.0
Windows Authentication and anonymous authentication enabled on the default web site
Could anyone help please?
debug logs (smts.log, ...) have been uploaded to https://www.swisstransfer.com/d/e2cc198a-2f99-4b76-b9ed-20a13365387c
Hello,
Did you switch your DP to communicate using HTTPS?
You can take a look of the following official documentation about PKI DP & OSD requirements:
Regards,
Youssef Saad | Blog: https://youssef-saad.blogspot.com/ | LinkedIn
Yes I did switch the DP to communicate using HTTPS and followed guides to do it. Any other idea from the logs I provided?
I believe you will need to re-create or re-deploy boot images, they will have that new DP cert which you didn't have before.
Hi Pavel,
Are you sure of that? Do you have any reference and can someone confirm this information?
What I find strange is that no one speaks about this in the forums and documentation.
@Pavel yannara Mirochnitchenko could you please share with me the documentation that mention what you suggest? Thanks
and
Boot images don't contain PKI certificates to communicate with the site. Instead, boot images use the PKI certificate added to the task sequence media to communicate with the site. (so I am probably wrong). I did this solution at the end of 2019 so Might be wrong, sorry :)
Hi,
Thank you for posting in Microsoft Q&A forum.
Agree with above replies. You will need to make sure that both your DP and IIS certificates have been assigned to the DP, then re-create and re-deploy boot images. A PXE-enabled distribution point sends this DP certificate to clients. Then the clients can connect to an HTTPS-enabled management point during the OS deployment process.
Helpful articles for your reference:
SOLVED OSD BROKEN AFTER HTTPS SETUP
Deploying the Client Certificate for Distribution Points
Deploy PKI Certificates for SCCM Step by Step Guide
PKI for Site systems that have a distribution point installed
Thanks for your time. Have a nice day!
Best regards,
Simon
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Simon Ren-MSFT thanks for your reply.
Could you clarify what you mean by "DP and IIS certificates have been assigned to the DP". I have deployed the Client Certificate for Distribution Points and edited the bindings on the IIS web server to use DP certificate, following the documentation (https://www.prajwaldesai.com/deploying-the-client-certificate-for-distribution-points/). I do not understand how the PXE deployment can use a certificate when the OS has not been created yet.
Could you please share with me the documentation that mention we have to recreate boot images after switching ConfigMgr environment to HTTPS ?
Thanks
Hi,
Thanks for your reply.
During PXE process, distribution point sends the DP certificate to clients, and then the clients use this certificate to represent itself to communicate with MP and get policies and task sequence advertisement.
Best regards,
Simon