PXE boot doesn't work because a self-signed certificate isn't created
This article helps you fix an issue in which the Preboot Execution Environment (PXE) boot doesn't work in Configuration Manager if a self-signed certificate isn't created.
Original product version: Microsoft System Center 2012 Configuration Manager, Microsoft System Center 2012 R2 Configuration Manager, Configuration Manager (current branch)
Original KB number: 4469580
Symptoms
When you try to start a computer through the PXE boot by using Configuration Manager, the PXE boot process doesn't work.
When this problem occurs, the following error entry is logged in the SMSPXE log on the PXE-enabled distribution point (DP) when you start Windows Deployment Services (WDS):
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE PXE::MP_GetList failed; 0x80092002
SMSPXE PXE::MP_ReportStatus failed; 0x80092002
SMSPXE PXE::CPolicyProvider::InitializePerformanceCounters failed; 0x80070002
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE PXE::MP_GetList failed; 0x80092002
SMSPXE PXE::MP_LookupDevice failed; 0x80092002
SMSPXE PXE Provider failed to initialize MP connection.
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE PXE::MP_GetList failed; 0x80092002
SMSPXE PXE::MP_ReportStatus failed; 0x80092002
SMSPXE PXE::CPolicyProvider::InitializeMPConnection failed; 0x80092002
Additionally, the SMSPXE.log file includes the following error entries when you try to run a PXE boot:
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE PXE::MP_GetList failed; 0x80092002
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE PXE::MP_LookupDevice failed; 0x80092002
SMSPXE PXE::MP_GetList failed; 0x80092002
SMSPXE PXE::MP_LookupDevice failed; 0x80092002
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE PXE::MP_GetList failed; 0x80092002
SMSPXE PXE::MP_ReportStatus failed; 0x80092002
SMSPXE Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE PXE Provider failed to process message.
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE PXE::MP_GetList failed; 0x80092002
SMSPXE PXE::MP_ReportStatus failed; 0x80092002
SMSPXE PXE Provider failed to process message.
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
If you try to fix the problem by changing the date or time of the self-signed certificate in the properties of the DP so that the certificate is re-created, the certificate isn't re-created.
Note
You can view certificates for the DP in the Configuration Manager console under Administration > Security > Certificates.
When you re-create the self-signed certificate for a DP, the Start Date value should be approximately the time when the date and time values were changed for the certificate in the DP properties.
When this problem occurs, the CertMgr.log file includes the following error entries:
SMS_CERTIFICATE_MANAGER ~Found notification file C:\Program Files\Microsoft Configuration Manager\inboxes\certmgr.box\5_<DP_FQDN>.CMN
SMS_CERTIFICATE_MANAGER Successfully made a network connection to \\<DP_FQDN>\ADMIN$.~
SMS_CERTIFICATE_MANAGER Successfully made a network connection to \\<DP_FQDN>\ADMIN$.~
SMS_CERTIFICATE_MANAGER Cannot get copy of security registry key on server (<DP_FQDN>) (0x80070005)
SMS_CERTIFICATE_MANAGER Failed to get the copy of Security registry key on server <DP_FQDN> (0x80070005)
SMS_CERTIFICATE_MANAGER Cancelling network connection to \\<DP_FQDN>\ADMIN$.
SMS_CERTIFICATE_MANAGER Cancelling network connection to \\<DP_FQDN>\ADMIN$.
Cause
This issue occurs if the IssuingCertificateList registry key is missing from the following registry subkey on the DP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Security
Note
The registry key value could also be missing on the management point.
Resolution
To fix the issue, copy the IssuingCertificateList registry key value from the following registry subkey on the management point:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Security
Then, copy this value to the same registry key on the DP. To do this, you can run the following command at an elevated command prompt on the DP:
REG.exe ADD "HKLM\SOFTWARE\Microsoft\SMS\Security" /v IssuingCertificateList /t REG_MULTI_SZ /d <Value_From_MP> /f
Note
In this command, replace <Value_From_MP> with the value that you got from the management point (without the angle brackets).
If the registry key value is also missing on the management point, open SQL Server Management Studio on the primary site, and then run the following query against the primary site database:
SELECT SD.SiteCode, SC.ComponentName, SCP.Name, SCP.Value1, SCP.Value2, SCP.Value3 FROM SC_Component SC
JOIN SC_SiteDefinition SD ON SD.SiteNumber = SC.SiteNumber
JOIN SC_Component_Property SCP ON SCP.ComponentID = SC.ID
WHERE SCP.Name = 'IssuingCertificateList'
Important
The value in the Value1 column must be copied to the registry on both the DP and the management point.
Copy the value in the Value1 column, and then run the following command at an elevated command prompt on both the DP and management point:
REG.exe ADD "HKLM\SOFTWARE\Microsoft\SMS\Security" /v IssuingCertificateList /t REG_MULTI_SZ /d <Value_from_DB> /f
Note
In this command, replace <Value_from_DB> with the value that you copied from the primary site database (without the angle brackets).
You may want to check the CertMgr.log file to see whether additional DPs are affected. If they are, run the REG.exe command on the additional DPs.
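The following PowerShell sketch is an added example, not part of the original article or of Configuration Manager. It lists the servers for which CertMgr.log recorded the 0x80070005 failure shown above, and checks whether IssuingCertificateList is populated on the local machine before and after you run REG.exe. The function names, the sample host names, and the log path in the final comment are assumptions.

```powershell
# Added example; function names are hypothetical, not Configuration Manager cmdlets.

# Returns the distinct servers for which CertMgr.log logged the 0x80070005
# "Security registry key" failure quoted in the Symptoms section.
function Get-AffectedDistributionPoint {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        $pattern = 'Failed to get the copy of Security registry key on server (?<dp>\S+) \(0x80070005\)'
        $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    }
    process {
        foreach ($entry in $Line) {
            $m = [regex]::Match($entry, $pattern)
            # HashSet.Add returns $false for a server that was already reported.
            if ($m.Success -and $seen.Add($m.Groups['dp'].Value)) { $m.Groups['dp'].Value }
        }
    }
}

# Reports whether IssuingCertificateList exists and holds at least one non-empty
# string on the local machine (run on the DP or on the management point).
function Test-IssuingCertificateList {
    $key    = 'HKLM:\SOFTWARE\Microsoft\SMS\Security'
    $prop   = Get-ItemProperty -Path $key -Name IssuingCertificateList -ErrorAction SilentlyContinue
    $values = @($prop.IssuingCertificateList | Where-Object { $_ })
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Present  = $null -ne $prop
        Entries  = $values.Count
    }
}

# Constructed sample lines in the shape shown in this article (host names are placeholders).
$sample = @(
    'SMS_CERTIFICATE_MANAGER Successfully made a network connection to \\dp01.example.test\ADMIN$.~'
    'SMS_CERTIFICATE_MANAGER Failed to get the copy of Security registry key on server dp01.example.test (0x80070005)'
    'SMS_CERTIFICATE_MANAGER Failed to get the copy of Security registry key on server dp02.example.test (0x80070005)'
    'SMS_CERTIFICATE_MANAGER Failed to get the copy of Security registry key on server DP01.example.test (0x80070005)'
)
$sample | Get-AffectedDistributionPoint   # dp01 is listed once, then dp02
Test-IssuingCertificateList

# Against a real log (path is an assumption; adjust to your site server's log folder):
# Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\CertMgr.log' | Get-AffectedDistributionPoint
```

A result of Present = False, or Entries = 0, on a DP matches the cause described in this article; after the REG.exe command runs, Entries should be at least 1.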