I was busy putting together another BitLocker Management OSD related blog post in one of my PKI enabled ConfigMgr labs (#11) when I noticed that PXE boot no longer worked. The virtual machine would attempt to PXE boot for a while and then time out and boot straight into the operating system.
PXE boot worked just fine the day before and I was nearly done with my blog post, so what was the issue ?
A quick look at the smspxe.log file revealed some details within a sea of red.
[TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID is set
So I guessed I had an expired certificate but a quick glance as pkiview.msc on the IssuingCA server, didn’t reveal any issues.
Next, I checked certsrv.msc on the IssuingCA to list expired certificates, and I sorted by name so I could easily find my IIS certificate. According to this, it expired yesterday (today is 2020/8/16).
To confirm this, I launched Internet Information Services (IIS) Manager on the ConfigMgr primary server (CM01), and selected Default Web Site, then selected Bindings.
This certificate has expired or is not yet valid
It expired yesterday right in the middle of another blog post I was putting together, and that caused me to lose focus as I had to figure out this new issue, so one day led to another.. and inevitable delays.
Requesting a new certificate
Note: This environment is one of my labs, so your setup will differ. Use these steps as a guide to fixing your broken production environment 😛
On the ConfigMgr primary server hosting IIS where you verified that the certificate had expired, start certlm.msc. We will use this to request a new certificate to replace the old expired certificate.
Select the SCCM IIS Certificate from those listed.
For Alternative Name, choose the DNS option and then click on Add to add both the hostname and the fully qualified domain name of your SCCM server (CM01 and CM01.windowsnoob.lab.local).
Next Click on General, and give this cert a friendly name so we can distinguish it in IIS later when we bind it.
Import the new certificate into IIS
On the SCCM server (CM01), start Internet Information Services (IIS) Manager, expand Sites so that you can see the Default Web Site and the WSUS Administration websites listed. Select the Default Web Site, this web site is where the management point, distribution point and other SCCM roles such as Application Catalog can be found (if they are installed).
Right click on the Default Web Site and choose Edit Bindings from the options available. In the window that appears, select the https section (port 443) and choose Edit. In the screen that appears, change the dropdown for certificate from SCCM IIS Certificate (the expired one) to the newly released certificate called Endpoint Manager Certificate.
Note: If you are also hosting a Software Update Point (which uses WSUS) then you’ll need to do the same action for your WSUS https binding otherwise your software update point scans (on the client side) will fail with the following errors in WUAHANDLER.log
OnSearchComplete - Failed to end search job. Error = 0x80240438. Scan failed with error = 0x80240438.
Test the changes
Now that you’ve fixed the problem, PXE boot a computer again to verify the changes