Config manager 2107 HTTPS only configuration

ritmo2k 911 Reputation points
2021-09-16T17:02:52.137+00:00

I have set up HTTPS-only using the official documentation with an integrated AD certificate authority and automatic client enrollment. However, nowhere do I see any documentation about PXE boot images and certificates.

Coincidentally, my PXE deployments in both test and prod environments all failed until the images were reloaded. I am not clear what occurred during the reload which made them all start working?

I also see only self-signed in the client certificate column for all clients in the device list.

Does anyone know of a comprehensive location that documents the client-side details, and the PXE image task sequence details in an HTTPS-only environment?

Thanks.

Answer accepted by question author

Jason Sandys 31,421 Reputation points Microsoft Employee Moderator
2021-09-17T20:04:23.02+00:00

Clients using PKI-issued auth certs showing as self-signed in 2107 is a known "issue". Because of some client certificate hardening work, the current method of reporting what type of cert the client uses to the site is not sufficient and can only report self-signed. There is an item in the backlog to correct this. This is called out in the docs as well: purple note at https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/certificates-overview#hardware-bound-key-storage-provider

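Because the console column cannot be trusted here, the practical check is to look at the client itself. The following PowerShell is an added example for this thread (it is not from the original post, from Microsoft, or from the Configuration Manager product): it enumerates certificates in the machine's personal store that meet the basic requirements of a ConfigMgr client authentication certificate (Client Authentication EKU, private key present), builds the chain, and reports whether the private key sits in a CNG key storage provider such as the TPM-backed Microsoft Platform Crypto Provider or in a legacy CSP. The `CN=CONTOSO-ISSUING-CA` issuer filter is a placeholder to replace with your own issuing CA, and the script assumes it runs elevated on a domain-joined client.

```powershell
# Added example, not from the thread. Lists candidate ConfigMgr client
# authentication certificates in LocalMachine\My and where their keys live.
# Assumptions: run elevated; $IssuerFilter is a placeholder for your issuing CA.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth
$IssuerFilter  = 'CN=CONTOSO-ISSUING-CA'   # placeholder, replace with your CA's subject

function Get-PrivateKeyProvider {
    # Returns a string describing the key storage provider / CSP backing the key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'no RSA private key' }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: e.g. "Microsoft Software Key Storage Provider" or
            # "Microsoft Platform Crypto Provider" (TPM, i.e. hardware-bound)
            return "KSP: $($rsa.Key.Provider.Provider)"
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return "CSP: $($rsa.CspKeyContainerInfo.ProviderName)"
        }
        return $rsa.GetType().Name
    } catch {
        return "unreadable ($($_.Exception.Message))"
    }
}

function Get-ClientAuthCertReport {
    # One object per certificate that has a private key and the Client Authentication EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
    } | ForEach-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'   # checks CRL/OCSP like the MP would
        $chainOk = $chain.Build($_)
        [pscustomobject]@{
            Subject     = $_.Subject
            Issuer      = $_.Issuer
            NotBefore   = $_.NotBefore
            NotAfter    = $_.NotAfter
            Thumbprint  = $_.Thumbprint
            SelfSigned  = ($_.Subject -eq $_.Issuer)
            IssuedByCA  = ($_.Issuer -like "*$IssuerFilter*")
            ChainValid  = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            KeyProvider = Get-PrivateKeyProvider -Cert $_
        }
    }
}

Get-ClientAuthCertReport | Sort-Object NotAfter -Descending | Format-List
```

A healthy HTTPS-only client shows at least one entry with `SelfSigned` false, `IssuedByCA` true, `ChainValid` true and an empty `ChainStatus`; a `KeyProvider` of `Microsoft Platform Crypto Provider` is the hardware-bound case the linked documentation note refers to. If several certificates qualify, the client's own selection can be confirmed in `ClientIDManagerStartup.log` under `%WINDIR%\CCM\Logs`, which records the certificate the client picked at startup.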
3 additional answers

  1. AllenLiu-MSFT 49,441 Reputation points Microsoft External Staff
    2021-09-17T02:30:46.757+00:00

    Hi, @ritmo2k
    Thank you for posting in Microsoft Q&A forum.

    You may need to deploy the client certificate for distribution points. When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to an HTTPS-enabled management point during the deployment of the operating system.

    Here are the detailed steps we may refer to:
    http://www.prajwaldesai.com/deploying-the-client-certificate-for-distribution-points/
    (Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)

  2. ritmo2k 911 Reputation points
    2021-09-17T21:23:22.293+00:00

    I actually read that page, but stopped exactly short of that section for what I thought would be unrelated. Sigh...

    Thanks for the help everyone!

  3. ritmo2k 911 Reputation points
    2021-09-17T10:40:25.763+00:00

    Hi Allen,
    Thank you for that info. I have the DP set up as indicated with the related certificate.

    I am still unclear why the clients that are requesting a certificate from the associated config manager client template show up as self-signed.

    I assume the client is not configured to force the selection of the right certificate possibly?

    Thanks
