It breaks OSD because this is how the TS configures WinPE (and the deployed Windows instance) to trust your PKI and the certs it issues. Without it, neither your boot image nor your deployed OS would trust any of your certs.
J

________________________________
From: [email protected] <[email protected]> on behalf of Steve Whitcher <[email protected]>
Sent: Tuesday, June 23, 2015 8:29 AM
To: [email protected]
Subject: Re: [mssms] Update Root CA Cert in ConfigMgr

When you renewed the CA's certificate, did you renew it with the same key, or a new key?

From my experience, if you renew the CA certificate with a new key, and update the Trusted Root CA cert under Client Computer Communication in the CM site properties, you'll start seeing those errors. When you add the new certificate in Site Properties, the new cert will actually replace the old, not add a 2nd cert to the list. Any computers that have a certificate signed by the old CA will then be rejected by the management point because they were signed by a different CA cert than the one the MP expects.

It seemed backwards to me, but the Trusted Root Certificate Authorities setting is actually restrictive, not permissive. If you leave that setting blank, then it will accept computer certificates signed by either CA, but if you configure the setting with a trusted CA's cert then it will only trust certificates signed by that root CA cert. If you remove the certificate you have configured there and leave the setting blank, your communication settings should go away.

HOWEVER... Leaving this setting blank broke my OSD TS. I don't recall exactly what the issue was at the moment, but I do remember that for a short time I was going in and configuring the Trusted Root CA setting whenever we needed to image a batch of computers, then changing it back when done. Not finding any better way to resolve this issue, I eventually ended up writing a script to reach out to all of our workstations checking for and renewing any of the older certificates on each. (After that, I found what probably would have been an easier solution to forcing the certificates to renew. Isn't that always the way?)

I did find a bug report about this on Connect and voted for it; I'd encourage you to do the same if you find that this is indeed the cause of your issue.
https://connect.microsoft.com/ConfigurationManagervnext/feedback/details/1015617/root-ca-cert-with-identical-subject-overwrites-older-root-ca-cert-in-client-computer-settings-trusted-root-certification-authorities

Steve

On Mon, Jun 22, 2015 at 1:02 PM, Harjit Dhaliwal <[email protected]> wrote:

A few weeks ago, we renewed our root CA's certificate, as the old one was expiring. The root CA cert was updated in the ConfigMgr site settings, however several computers that were issued new certs or were re-imaged post cert update, are still being rejected by ConfigMgr. It appears that computers which have certs signed by the old CA certificate are getting registration rejections.

I'm seeing some warnings in the SMS_MP_Control_Manager component which reads:

MP has rejected registration request due to failure in client certificate (Subject Name: computer.domain.com) chain validation. If this is a valid client, Configuration Manager Administrator needs to place the Root Certification Authority and Intermediate Certificate Authorities in the MP's Certificate store or configure Trusted Root Certification Authorities in primary site settings. The operating system reported error 2148204809: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Any ideas or recommendations to fix the certificate issue?

Thanks.
-Harjit
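The error number Harjit quotes, 2148204809, is 0x800B0109 (CERT_E_UNTRUSTEDROOT): the chain built fine but ended at a root the management point was not configured to trust. The PowerShell below is an added example written for this thread, not a script from the list, from ConfigMgr or from Microsoft. It runs the same kind of chain build on each machine certificate in the local computer's personal store and reports which root the chain terminates in, so an administrator can count how many clients still chain to the old root before (or after) the Trusted Root CA in site properties is swapped. The two thumbprints are placeholders to be replaced with the real old and new root CA thumbprints; the function name and its parameters are this example's own.

```powershell
# Added example (not from the thread): inventory machine certificates by the
# root CA their chain terminates in, to predict which clients the MP will reject.
# Placeholder values: replace with the SHA-1 thumbprints of your old and new root CA certs.
$OldRootThumbprint = 'OLD-ROOT-CA-THUMBPRINT-PLACEHOLDER'
$NewRootThumbprint = 'NEW-ROOT-CA-THUMBPRINT-PLACEHOLDER'

function Get-ClientCertRootReport {
    param(
        [string]$OldRoot   = $OldRootThumbprint,
        [string]$NewRoot   = $NewRootThumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    # Only certificates with a private key can be presented as a client certificate.
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert  = $_
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation lookups: the question here is only which trust anchor the chain reaches.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

        $built = $chain.Build($cert)

        # The last chain element is the root the builder ended at; fall back to the leaf
        # itself if no chain could be assembled at all.
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        } else {
            $root = $cert
        }

        if ($root.Thumbprint -eq $OldRoot) {
            $anchor = 'OldRoot'
        } elseif ($root.Thumbprint -eq $NewRoot) {
            $anchor = 'NewRoot'
        } else {
            $anchor = 'Other'
        }

        # Collect any chain status flags (e.g. UntrustedRoot, NotTimeValid) as a readable string.
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            ChainBuilt     = $built
            RootSubject    = $root.Subject
            RootThumbprint = $root.Thumbprint
            TrustAnchor    = $anchor
            ChainStatus    = $status
        }

        $chain.Dispose()
    }
}

# Usage: list the certificates that still chain to the old root, i.e. the ones the MP
# will reject once the site's Trusted Root CA setting points only at the new root.
Get-ClientCertRootReport |
    Where-Object { $_.TrustAnchor -eq 'OldRoot' } |
    Format-Table Subject, NotAfter, RootSubject, ChainStatus -AutoSize
```

Run it locally, or through whatever remoting you already use for workstation inventory, before changing the site setting: every row tagged OldRoot is a client that needs a renewed certificate first, which is the population Steve's script went after. Rows tagged Other with UntrustedRoot in ChainStatus are the cases where the machine itself does not even have the root installed, and those fail regardless of what the site setting says.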
