A typical problem with SCCM is an incorrectly set up PKI or SCCM server in native mode. If you are running into error 0x80072F8F (Task Sequence fails to run), there are three common causes:

  • Wrong BIOS time.
  • PKI certificate network not set up correctly.
  • You did not import the correct certificates on the SCCM server.

The typical error status in smsts.log is:

  • WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA (The function is unfamiliar with the Certificate Authority that generated the server’s certificate.)
  • WINHTTP_CALLBACK_STATUS_SECURE_FAILURE
  • sending with winhttp failed; 80072f8f

The solution is not hard at all:

Wrong BIOS time: Check your BIOS for the current time. SCCM does not allow any OS to be installed without the current time, because a wrong clock makes the server certificate appear to be outside its validity period.

PKI certificate network not set up correctly: There is a good Step-by-Step example deployment for the PKI Certificate network: Windows Server 2008 Certification Authority or Windows Server 2003 Certification Authority

You did not import the correct certificates on the SCCM server: the problem here is that the client cannot resolve the complete certificate root in the PXE setup. The solution is:

Step 1

In the site properties, check whether you have specified the certificates for the Root CA. It is important that you export the certificates of the CA servers and all subordinate CA servers. After that, the PXE setup was working.


Step 2

You only need the steps from Step 2 onward if you did not finish the PKI setup. Create an OSD PXE service point certificate and export it: go to the certificate authority on the CA server, duplicate the Computer certificate template (2003), name it something like “configmgr OSD certificate” and make sure that the private key can be exported. After that, add it to the certificate templates.


After you have finished, enroll for this certificate (Configmgr OSD certificate) on the PXE SCCM server and export the certificate with its private key. You could delete this certificate after that, but it doesn’t matter if you leave it on the SCCM server.

Step 3

In the PXE configuration of the SCCM server, go to Database and import the certificate you just exported.


You will get a warning, but you can safely ignore it.


Now find your certificate in the Certificates | PXE node in SCCM. Check that it is not blocked. Open it and import it into the certificate store “Trusted Root Certification Authorities”. After that it is trusted.
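To tell the three causes apart, and to see exactly which CA certificates Step 1 needs, the certificate chain can be inspected with PowerShell. This is an added example, not part of the original post: `$CertPath` is an assumed path to a .cer export (public key only) of the SCCM server certificate, and the result reflects the clock and trust store of the machine the script runs on.

```powershell
# Added example: report why a certificate chain fails to validate on this machine.
# $CertPath is an assumed location; point it at a .cer export of the server certificate.
param([string]$CertPath = 'C:\Temp\sccm-server.cer')

$ns    = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$ns.X509Certificate2" -ArgumentList $CertPath
$chain = New-Object "$ns.X509Chain"
# Only trust and time validity matter here, so skip CRL lookups.
$chain.ChainPolicy.RevocationMode = 'NoCheck'

$trusted = $chain.Build($cert)

# Cause 1 (wrong BIOS time): compare the local clock with the validity window.
'Local clock : {0:u}' -f (Get-Date).ToUniversalTime()
'Valid from  : {0:u}' -f $cert.NotBefore.ToUniversalTime()
'Valid until : {0:u}' -f $cert.NotAfter.ToUniversalTime()

# Causes 2 and 3: list every certificate found in the chain. Each CA listed
# here (root and subordinates) must be known to the site and to the client.
$i = 0
foreach ($element in $chain.ChainElements) {
    $c    = $element.Certificate
    $role = if ($c.Subject -eq $c.Issuer) { 'root CA' }
            elseif ($i -eq 0)             { 'server' }
            else                          { 'subordinate CA' }
    '[{0}] {1,-14} {2} (thumbprint {3})' -f $i, $role, $c.Subject, $c.Thumbprint
    $i++
}

# Map the chain status flags to the causes described in this post.
foreach ($s in $chain.ChainStatus) {
    switch ($s.Status.ToString()) {
        'NotTimeValid'  { 'TIME : a certificate is outside its validity period for this clock.' }
        'UntrustedRoot' { 'TRUST: the root CA is not in Trusted Root Certification Authorities.' }
        'PartialChain'  { 'CHAIN: an issuing CA certificate is missing from the local stores.' }
        default         { 'OTHER: {0} - {1}' -f $s.Status, $s.StatusInformation.Trim() }
    }
}

if ($trusted) { 'Chain builds and is trusted on this machine.' }
```

If the chain is trusted on the server but the task sequence still fails, compare the listed CA certificates with those specified in the site properties and check the client's BIOS clock.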


Hope that helped someone!
