Certificate is not updated on a PXE-enabled DP and you see multiple log error entries

Applies to: System Center Configuration Manager

Symptoms


After you update the certificate of a distribution point (DP) that’s used for PXE boot, the updated certificate doesn’t seem to be used. When you restart Windows Deployment Services (WDS) on the PXE-enabled DP, the following error entries are logged in the SMSPXE.log file:


Note The certificate thumbprint in the SMSPXE log belongs to the previous certificate that has expired. To check a certificate thumbprint, double-click the certificate, click the Details tab, and then check the value of the Thumbprint field.

Additionally, the following entry is not logged in the Distmgr.log file on the parent site server:


Note This log entry would indicate that the new certificate is updated in the registry of the DP.

Instead, the following error entry is logged in the Distmgr log:


In this scenario, you observe the following conditions: 

  • The certificate is updated on the General tab in the DP Properties dialog box.
  • The following entry is logged in the Hman.log file on the parent site server:

    Note This entry indicates that the spUpdateDPCert SQL stored procedure has run to update the certificate in the database.
  • The certificate is updated in the database.
  • In the Configuration Manager console, the new certificate is displayed under Administration > Overview > Security > Certificates.

Cause


In most cases, this issue occurs if a PXE password is specified in the properties of the DP, and the parent site is moved to another server or is recovered from a backup on a rebuilt server.

In this case, the machine keys have changed between the old instance of the site and the new instance of the site. The machine keys from the original site are required to correctly decrypt the PXE password. Because the machine keys from the original site are no longer available, the PXE password can’t be decrypted and set. If a PXE password is specified, the PXE password must be reset before the new certificate can be set in the registry of the DP.

For more information, see the "Post-recovery tasks" section of Recover a Configuration Manager site.

Resolution


To fix this issue, follow these steps:

  1. Temporarily disable the PXE password on the affected DP.

    In the DP Properties dialog box, select the PXE tab, and then clear the Require a password when computers use PXE check box.
  2. Verify that the certificate is updated. To do this, check whether the following entry is logged in the Distmgr log:
  3. Restart WDS on the DP, verify that the certificate thumbprint in the SMSPXE log belongs to the updated certificate, and that no error entry is logged in the SMSPXE log.
  4. Re-enable the PXE password on the DP.

    In the DP Properties dialog box, select the PXE tab, select the Require a password when computers use PXE check box, and then enter the password.
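To check step 3 without reading the log by eye, the following PowerShell script (an added example, not part of the KB article or of Configuration Manager itself) pulls every SHA-1-style thumbprint that appears in SMSPXE.log and looks each one up in the DP's certificate stores, flagging any that is missing or already expired. The log path and the two store locations (the ConfigMgr SMS store for the self-signed DP certificate, the My store for a PKI certificate) are assumptions; adjust them for your DP.

```powershell
# Added example: verify that the thumbprint logged by SMSPXE.log belongs to a
# certificate that is present and still valid on this PXE-enabled DP.
# Run on the DP after restarting WDS (step 3 of the resolution).
param(
    # Assumed default log location; change if your DP logs elsewhere.
    [string]$LogPath = 'C:\Program Files\SMS_DP$\sms\logs\SMSPXE.log',
    # Assumed stores: ConfigMgr's own SMS store and the machine personal store.
    [string[]]$StorePaths = @('Cert:\LocalMachine\SMS', 'Cert:\LocalMachine\My')
)

if (-not (Test-Path -Path $LogPath)) {
    throw "SMSPXE.log not found at $LogPath"
}

# A SHA-1 thumbprint is 40 hex digits; collect each distinct one in the log.
$logThumbprints = Get-Content -Path $LogPath |
    Select-String -Pattern '\b[0-9A-Fa-f]{40}\b' -AllMatches |
    ForEach-Object { $_.Matches | ForEach-Object { $_.Value.ToUpperInvariant() } } |
    Select-Object -Unique

if (-not $logThumbprints) {
    Write-Warning "No thumbprint-like values found in $LogPath"
    return
}

# Build one lookup table over all certificates in the stores we care about.
$certsByThumbprint = @{}
foreach ($storePath in $StorePaths) {
    Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue |
        ForEach-Object { $certsByThumbprint[$_.Thumbprint.ToUpperInvariant()] = $_ }
}

$now = Get-Date
foreach ($thumbprint in $logThumbprints) {
    $cert = $certsByThumbprint[$thumbprint]
    if ($null -eq $cert) {
        Write-Warning "$thumbprint is logged in SMSPXE.log but is not in $($StorePaths -join ', ')"
    }
    elseif ($cert.NotAfter -lt $now) {
        # This is the symptom in the article: WDS is still presenting the old certificate.
        Write-Warning "$thumbprint is EXPIRED (NotAfter $($cert.NotAfter)); the DP is still using the previous certificate"
    }
    else {
        Write-Output "$thumbprint is valid until $($cert.NotAfter) ($($cert.Subject))"
    }
}
```

If the only thumbprint reported is the expired one, the certificate was not written to the DP registry and the PXE password steps above still need to be completed.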

After you follow these steps, the new machine keys on the site server will be used to encrypt the PXE password, and you won’t see the following error entry in the Distmgr log: