I ran into an issue where after deploying an image with SCCM 2012 R2 the client would not pickup the PKI certificate. If you are not receiving packages from your server this could be why. To resolve this you have to modify the “ProvisioningMode” registry key and clear the value in “SystemTaskExcludes” registry key. To simply this and make sure this is working on all clients I would recommend pushing this registry setting out through group policy.
ProvisioningMode = True
SystemTaskExcludes = [null]