MicrosoftDocs / SCCMdocs

Configuration Manager documentation public repo
https://docs.microsoft.com/sccm/
Creative Commons Attribution 4.0 International

network access account in https/pki scenario #1345

Closed ghost closed 4 years ago

ghost commented 5 years ago

The documentation states "Starting in version 1806, a workgroup or Azure AD-joined client can securely access content from distribution points without the need for a network access account. This behavior includes OS deployment scenarios with a task sequence running from boot media, PXE, or Software Center. For more information, see Enhanced HTTP."

When I look at the "Enhanced HTTP" page, it tells us how to configure secure communication over HTTP (without S) by using SCCM-generated certificates. That's fine, but what about HTTPS scenarios with PKI certificates in place? Do we still need the NAA? Based on my test today, removing the NAA makes all workgroup OSDs fail, so I would conclude: yes, it's still needed. Can this be clarified better in the documentation?


aczechowski commented 5 years ago

Thanks @rrsit for the feedback. Underneath the hood, we've switched to a different form of authentication that relies on tokens. EHTTP enabled token-based auth, thus doesn't require the NAA. Token-based auth is also enabled by default when you're using PKI. So we don't require NAA in a PKI scenario. This behavior would be good to clarify on this page.

If you're having issues with this configuration, then you'll need to pursue a support option. I’m sorry that you’re having problems, and I want to make sure it gets to the right people that can help. There are a couple of options available to provide the best level of support for this:

aczechowski commented 4 years ago

I made a revision to the wording here, it should publish live on Monday. Thanks again for the feedback.