1. Native Mode
OSD in a native mode ConfigMgr environment
requires one additional certificate. Systems use this certificate when
they are booted using PXE or physical media. It allows these systems to
authenticate and securely communicate with the ConfigMgr site systems.
You can share a single certificate for all OSD deployments; this
certificate is used only during the deployment process and not actually
installed on the target system.
The requirements for this certificate are as follows:
The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
The Subject Name or Subject Alternative Name field must be unique.
The
certificate must be stored in a Public Key Certificate Standard (PKCS
#12) format file, which must also contain the private key.
The maximum key length is 2,048 bits.
When you create a PXE service point or task
sequence media, ConfigMgr prompts you to create a self-signed
certificate or import a certificate. For a native mode site, you must
choose to import a certificate and supply the password protecting the
certificate file.
You can view imported certificates under the Site Management -> <Site Code> -> <Site Name>
-> Site Settings -> Certificates in the Boot Media and PXE nodes.
Only two options are available from the context menu of imported
certificates: Block and Unblock.
In addition to the new certificate, you must also
specify the Root Certificate Authority (CA) certificate to ConfigMgr.
You do this on the Site Mode tab of the Site Properties configuration
dialog by pressing the Specify Root CA Certificates button, as shown in Figure 1.
By
default, ConfigMgr enables Certificate Revocation List (CRL) checking.
Depending on your PKI implementation, you can publish the CRL to
multiple, various locations including Active Directory and a website.
OSD targets booted using PXE or media cannot access CRLs published to
Active Directory. Thus if your CRLs are published only to Active
Directory, OSD cannot access them and will fail.
In addition, if the first CRL distribution point
listed in your certificates is Active Directory, you might experience a
delay during the Windows PE startup process. This happens because
Windows PE tries to access each CRL distribution point in the order
listed in the certificate.
Although it is possible to change your CRL
distribution points, certificates already issued will not reflect this
change; you have to revoke the existing certificates and issue new ones.
Disabling CRL checking in ConfigMgr is another option but is
discouraged.
The recommended solution is to
carefully plan your PKI infrastructure and ensure that your CRLs are
accessible to all systems that need them.
2. Upgrading from SMS 2003
Although Microsoft supports both in-place
upgrades and side-by-by-side migrations from SMS 2003 to Config 2007,
you cannot directly transfer any work done in the OSD Feature Pack of
SMS 2003. In fact, you must uninstall the OSD Feature Pack from SMS 2003
before you perform an upgrade. Here are some of the limitations:
The upgrade process creates a new node
named OSD FP Packages under the Operating System Deployment node in the
ConfigMgr console, with all existing operating system feature pack
packages placed under this new node. The node appears until you delete
the existing operating system packages.
You
cannot create new advertisements in this node or distribute down-level
feature pack operating system images to distribution points.
Down-level
image packages are not available as a choice when choosing an Operating
System Image package in the Apply Operating System Image task, although
existing advertisements and package deployments for down-level images
are upgraded intact and still usable after the upgrade.
Images
created using the OSD Feature Pack are not compatible with OSD in
ConfigMgr, and you cannot directly import them.
For the long-term, you should definitely
consider revamping your imaging process and use a full-fledged Build
and Capture task sequence to create your image.
