After upgrading SCCM to the latest version, the OSD stopped working completely. The smsts.log revealed the error: “Sending with Winhttp failed 80072f8f.” I’ll show you how to fix the WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA error that occurs during SCCM OSD in this post.
This is my 100th SCCM troubleshooting post, and I feel delighted to have published so many posts just on troubleshooting Configuration Manager. Additionally, it demonstrates how comprehensive Configuration Manager is for resolving problems.
This week I decided to upgrade my lab running ConfigMgr version 2207 to SCCM version 2211. After this upgrade, something broke the operating system deployment. According to the SCCM upgrade log files, the update installed without any problems.
My setup uses PKI, and both the management point and the distribution server are set up to operate over HTTPS. On the distribution point server, the PKI certificate was already imported and working correctly. In my previous posts on PKI, I mentioned the importance of the DP certificate. The certificate authenticates the DP with an HTTPS-enabled management point.
On PXE-booting my test VM, I could see the boot image had downloaded fine. However, the task sequence never loaded, and I did not see anything on the screen. Check out the below image to understand what I am talking about.
Fix SCCM OSD Error Sending with Winhttp failed 80072f8f
The “Sending with Winhttp failed 80072f8f” error occurs when the certificates were issued by a certificate authority that is not trusted and when no Root CA is assigned to the site server.
During OSD, when your smsts.log file contains the WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA error, it means that the certificate authority that issued the certificates is not trusted. That’s why the SCCM task sequence doesn’t load after you PXE boot the machine.
In the below screenshot, we can see the smsts.log shows two errors: Sending with Winhttp failed 80072f8f and WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA.
Using the F8 key will start the command prompt if you’ve enabled command support in the boot image properties. Reviewing the smsts.log file using the CMTrace tool revealed the actual errors.
Sending with winhttp failed; 80072f8f. retrying
Retrying and Ignoring date security failures.
AsyncCallback() WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
dwstatusinformationlength is 4
WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
sending with winhttp failed; 80072f8f
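As an added example (not part of the original post), the following PowerShell scans smsts.log lines for the two messages quoted above, decodes the HRESULT and names the certificate check that failed. It goes beyond the INVALID_CA case by also mapping the other WinHTTP certificate flags; the function name, the sample lines and the log path are assumptions made for illustration.

```powershell
# Added example, not from the original post. Flag names are the winhttp.h
# WINHTTP_CALLBACK_STATUS_FLAG_* constants; the cause text is this example's summary.
$FlagCauses = @{
    'INVALID_CA'        = 'Issuing CA is not trusted by the client'
    'CERT_DATE_INVALID' = 'Certificate expired or not yet valid, or client clock is wrong'
    'CERT_CN_INVALID'   = 'Host name does not match the certificate'
    'CERT_REV_FAILED'   = 'Revocation check could not be completed'
    'CERT_REVOKED'      = 'Certificate has been revoked'
    'CERT_WRONG_USAGE'  = 'Certificate is not valid for this usage'
    'INVALID_CERT'      = 'Certificate is invalid'
}

function Get-WinHttpTlsFailure {   # hypothetical helper name
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$LogLine)
    $n = 0
    foreach ($line in $LogLine) {
        $n++
        # "winhttp failed; <hresult>": the low 16 bits of the HRESULT are the Win32 error
        if ($line -match 'winhttp failed; ([0-9a-f]{8})') {
            $win32 = [Convert]::ToUInt32($Matches[1], 16) -band 0xFFFF
            $meaning = if ($win32 -eq 12175) { 'ERROR_WINHTTP_SECURE_FAILURE (12175)' }
                       else { "Win32 error $win32" }
            [pscustomobject]@{ Line = $n; Item = "HRESULT 0x$($Matches[1])"; Meaning = $meaning }
        }
        # "WINHTTP_CALLBACK_STATUS_FLAG_<name> is set": which certificate check failed
        if ($line -match 'WINHTTP_CALLBACK_STATUS_FLAG_([A-Z_]+) is set') {
            $flag = $Matches[1].ToUpperInvariant()
            $cause = if ($FlagCauses.ContainsKey($flag)) { $FlagCauses[$flag] }
                     else { 'Flag not in this table' }
            [pscustomobject]@{ Line = $n; Item = $flag; Meaning = $cause }
        }
    }
}

# Constructed sample lines, modelled on the messages quoted in the post
$sample = @(
    'Sending with winhttp failed; 80072f8f',
    'AsyncCallback() WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered',
    'WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set'
)
Get-WinHttpTlsFailure -LogLine $sample | Format-Table -AutoSize

# Against a log copied off the client (placeholder path):
# Get-WinHttpTlsFailure -LogLine (Get-Content 'C:\Temp\smsts.log')
```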
Assign the Root CA under Site Server Properties
If you get the error 80072f8f during SCCM OSD, you should first check the site server properties to see if there is a root CA listed. If there is no root certificate specified, the PXE and media boot clients won’t trust the CA that issued the certs. This was precisely why I saw sending with Winhttp fail with error 80072f8f.
Launch the Configuration Manager console. Go to Administration\Overview\Site Configuration\Sites. Right-click your site and select Properties. Switch to the Communication Security tab, click the Set button, then select and assign the Root Certificate.
After the root CA has been specified, you must restart the WDS service once. If WDS isn’t installed for PXE, restart the ConfigMgr PXE Responder service.
Restarting the VM and PXE booting it loaded the task sequence correctly this time. You’ll notice that the certificates are the real cause of this problem if you’ve read the entire post. I sincerely hope the solutions in this post help you to resolve the issue. In case something else worked for you, please let me know in the comments section below.