ConfigMgr PXE does not work because a self-signed certificate is not created

Applies to: Microsoft System Center 2012 Configuration Manager Service Pack 2Microsoft System Center 2012 R2 Configuration Manager Service Pack 1System Center Configuration Manager (current branch - version 1706)

Symptoms


When you try to start a computer through the Preboot Execution Environment (PXE boot) by using Microsoft System Center Configuration Manager, the PXE boot process does not work.
 
When this problem occurs, the following error entry is logged in the SMSPXE log on the PXE-enabled Distribution Point (DP) when you start Windows Deployment Services (WDS):
 

SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    PXE::MP_GetList failed; 0x80092002
SMSPXE    PXE::MP_ReportStatus failed; 0x80092002
SMSPXE    PXE::CPolicyProvider::InitializePerformanceCounters failed; 0x80070002
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    PXE::MP_GetList failed; 0x80092002
SMSPXE    PXE::MP_LookupDevice failed; 0x80092002
SMSPXE    PXE Provider failed to initialize MP connection.
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    PXE::MP_GetList failed; 0x80092002
SMSPXE    PXE::MP_ReportStatus failed; 0x80092002
SMSPXE    PXE::CPolicyProvider::InitializeMPConnection failed; 0x80092002

 

Additionally, the SMSPXE.log file includes the following error entries when you try to run a PXE boot:

SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    PXE::MP_GetList failed; 0x80092002
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    PXE::MP_LookupDevice failed; 0x80092002
SMSPXE    PXE::MP_GetList failed; 0x80092002
SMSPXE    PXE::MP_LookupDevice failed; 0x80092002
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    PXE::MP_GetList failed; 0x80092002
SMSPXE    PXE::MP_ReportStatus failed; 0x80092002
SMSPXE    Failed to create certificate store from encoded certificate. Verify the provided Certificate was provisioned correctly. .
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    PXE Provider failed to process message.
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)
SMSPXE    PXE::MP_GetList failed; 0x80092002
SMSPXE    PXE::MP_ReportStatus failed; 0x80092002
SMSPXE    PXE Provider failed to process message.
An error occurred during encode or decode operation. (Error: 80092002; Source: Windows)

If you try to fix the problem by re-creating the self-signed certificate in the properties of the DP by changing the date or time of the self-signed certificate, the certificate is not re-created.
 
Note You can view certificates for the DP in the Configuration Manager console under Administration > Security > Certificates.
 
When you re-create the self-signed certificate for a DP, the Start Date value should be approximately the time when the date and time values were changed for the certificate in the DP properties.
 
When this problem occurs, the CertMgr.log file includes the following error entries:
 

SMS_CERTIFICATE_MANAGER    ~Found notification file C:\Program Files\Microsoft Configuration Manager\inboxes\certmgr.box\5_<DP_FQDN>.CMN

SMS_CERTIFICATE_MANAGER    Successfully made a network connection to \\<DP_FQDN>\ADMIN$.~

SMS_CERTIFICATE_MANAGER    Successfully made a network connection to \\<DP_FQDN>\ADMIN$.~
SMS_CERTIFICATE_MANAGER    Cannot get copy of security registry key on server (<DP_FQDN>) (0x80070005)
SMS_CERTIFICATE_MANAGER    Failed to get the copy of Security registry key on server <DP_FQDN> (0x80070005)
SMS_CERTIFICATE_MANAGER    Cancelling network connection to \\<DP_FQDN>\ADMIN$.

SMS_CERTIFICATE_MANAGER    Cancelling network connection to \\<DP_FQDN>\ADMIN$.

Cause


This issue occurs if the IssuingCertificateList registry key is missing from the following registry subkey on the DP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Security
 
Note The registry key value could also be missing on the management point.

Resolution


To fix the issue, copy the IssuingCertificateList registry key value from the following from the registry subkey on the management point:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Security
 
Then, copy this value to the same registry key on the DP. To do this, you can run the following command at an elevated command prompt on the DP:

REG.exe ADD "HKLM\SOFTWARE\Microsoft\SMS\Security" /v IssuingCertificateList /t REG_MULTI_SZ /d <Value_From_MP> /f
 
Note In this command, replace <Value_From_MP> with the value that you got from the management point (without the angle brackets).
 
If the registry key value is also missing on the management point, open SQL Management Studio on the Primary site, and then run the following query against the Primary site database:

SELECT SD.SiteCode, SC.ComponentName, SCP.Name, SCP.Value1, SCP.Value2, SCP.Value3 FROM SC_Component SC
JOIN SC_SiteDefinition SD ON SD.SiteNumber = SC.SiteNumber
JOIN SC_Component_Property SCP ON SCP.ComponentID = SC.ID
WHERE SCP.Name = 'IssuingCertificateList'
 
Important The value in the Value1 column must be copied to the registry on both the DP and the management point. 
 
Copy the value in the Value1 column, and then run the following command at an elevated command prompt on both the DP and management point:
 
REG.exe ADD "HKLM\SOFTWARE\Microsoft\SMS\Security" /v IssuingCertificateList /t REG_MULTI_SZ /d <Value_from_DB> /f
 
Note In this command, replace <Value_from_DB> with the value that you copied from the Primary site database (without the angle brackets).
 
You may want to check the CertMgr.log file to see whether additional DPs are affected. If they are, run the "REG.exe" command on the additional DPs.