SCCM PXE OSD Fails on "Apply OS Image" Step After Removing NAA

GARRISON CARLSON 0 Reputation points
2025-04-03T18:18:21.6366667+00:00

I am trying to remove the NAA account from my SCCM since we are fully HTTPS now, and theoretically the NAA account is not necessary anymore. However, the moment I remove the account, OSD fails on the "Apply Operating System Image" step.

Troubleshooting I have done so far:

  • Verify that the OS package is NOT set to "access content directly from the DP" in the task sequence step options.
  • OS image package is NOT set to "copy the content in this package to a package share on DPs" in data access tab.
  • Task sequence DP deployment option is set to "Download content locally when needed by the running task sequence".
  • Recreate client certificate for DP according to the PKI certificate requirements.
  • Redistribute boot image to the DP after recreating client certificate.
  • Verified that IIS cert is bound.
  • Verified root cert is installed in SCCM primary site.

In the smsts.log on the client I'm getting the errors in the attached pictures.

Screenshot 2025-04-03 111603

Microsoft Configuration Manager Deployment

1 answer

  1. Simon Ren-MSFT 40,411 Reputation points Microsoft External Staff
    2025-04-04T02:25:08.9166667+00:00

    Hi,

    Hope everything is going well.

    The error 80190191 means Unauthorized (401). As you would like to remove the NAA, please make sure there are no missing IIS components on the site server.

    1. To remove NAA, you will need to make sure that both your DP and IIS certificates have been assigned to the DP, then re-create and re-deploy boot images to your DPs. A PXE-enabled distribution point sends this DP certificate to clients. Then the clients can connect to an HTTPS-enabled management point during the OS deployment process.

    Helpful articles for your reference:

    SOLVED OSD BROKEN AFTER HTTPS SETUP

    Deploying the Client Certificate for Distribution Points

    Deploy PKI Certificates for SCCM Step by Step Guide

    PKI for Site systems that have a distribution point installed

    2. Sometimes, the issue could be due to Windows Authentication missing on the server. In such cases you must examine the IIS log files and double-check that IIS is configured as per the actual requirements. Installing the missing components on the distribution point server may fix the error.

    Site and site system prerequisites for Configuration Manager

    3. Also check that the needed services are running on IIS, for example the ASP.NET State Service.

    Feel free to contact me if you have any concerns/queries.

    Best regards,

    Simon
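
The following PowerShell is an added example, not part of the question or the answer above. It decodes the 80190191 value from smsts.log into its HTTP status and lists the 401 entries, with their IIS sub-status, from a W3C-format IIS log; the function names and the sample log lines (package IDs, client IP) are constructed for illustration.

```powershell
# Added example: function names and sample data are illustrative assumptions.
function ConvertFrom-HttpHResult {
    param([Parameter(Mandatory)][string]$Hex)
    $value    = [Convert]::ToUInt32($Hex, 16)
    $facility = ($value -shr 16) -band 0x1FFF      # facility field of the HRESULT
    [pscustomobject]@{
        HResult    = '0x{0:X8}' -f $value
        IsFailure  = (($value -shr 31) -eq 1)       # severity bit set means failure
        Facility   = $facility                      # 25 = FACILITY_HTTP
        HttpStatus = if ($facility -eq 25) { $value -band 0xFFFF } else { $null }
    }
}
function Get-IisDeniedRequest {
    param([Parameter(Mandatory)][string[]]$Line)
    $meaning = @{                                   # IIS sub-status meanings for HTTP 401
        '1' = 'Logon failed'
        '2' = 'Logon failed due to server configuration'
        '3' = 'Unauthorized due to ACL on resource'
        '4' = 'Authorization failed by filter'
        '5' = 'Authorization failed by ISAPI/CGI application'
    }
    $fields = @()
    foreach ($entry in $Line) {
        # The column order is declared in the log's own #Fields header.
        if ($entry -like '#Fields:*') { $fields = ($entry -replace '^#Fields:\s*', '').Trim() -split '\s+'; continue }
        if ($entry -like '#*' -or -not $entry.Trim()) { continue }
        $values = $entry.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }    # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '401') { continue }
        $sub = $row['sc-substatus']
        [pscustomobject]@{
            Time   = '{0} {1}' -f $row['date'], $row['time']
            Client = $row['c-ip']
            User   = $row['cs-username']            # '-' means no authenticated user was logged
            Uri    = $row['cs-uri-stem']
            Status = '401.{0}' -f $sub
            Reason = if ($meaning.ContainsKey($sub)) { $meaning[$sub] } else { 'Unspecified' }
        }
    }
}
# Constructed sample lines; on the DP, pass (Get-Content <path to the IIS log file>) instead.
$sample = @(
    '#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status'
    '2025-04-03 16:15:58 HEAD /SMS_DP_SMSPKG$/XYZ00001 - 10.0.0.50 401 2 5'
    '2025-04-03 16:16:02 GET /SMS_DP_SMSPKG$/XYZ00002/boot.wim - 10.0.0.50 200 0 0'
)
ConvertFrom-HttpHResult '80190191' | Format-List
Get-IisDeniedRequest -Line $sample | Format-Table -AutoSize
```

Matching the timestamp of the smsts.log failure against the 401 rows shows which content URL was refused and whether the request arrived without an authenticated user.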



