Bulk registration token with CMG

David 1 Reputation point
2020-12-11T11:42:15.867+00:00

Hi all,

I've got an operational Cloud Management Gateway setup with Enhanced HTTP using a public wildcard certificate.

I have many remote machines (not Hybrid or Azure AD joined) that now operate on the Internet and were configured prior to installing Configuration Manager 2010 infrastructure; all these machines do not have the CM agent installed.

I created a new bulk-token to allow token based authentication; I also provided to my users all source files to be able to install the CM client through the following command line:

ccmsetup.exe /mp:https://<publicCMGname.mypublicdomain.com>/CCM_Proxy_MutualAuth/72057594037927938 CCMHOSTNAME=<publicCMGname.mypublicdomain.com>/CCM_Proxy_MutualAuth/72057594037927938 SMSSiteCode=<sitecode> SMSMP=http://<localMPFQDN> /regtoken:<bulktoken>

Below part of the ccmsetup.log:

[screenshot of the ccmsetup.log excerpt, not reproduced here]

Has anyone else encountered behavior like this? Am I missing something?

Microsoft Configuration Manager

4 answers

  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2020-12-11T21:54:35.783+00:00

    Is this happening on all of the systems where it has been attempted?

    What happens when you manually navigate to https://<publicCMGname.mypublicdomain.com>/ and https://<publicCMGname.mypublicdomain.com>/CCM_Proxy_MutualAuth/72057594037927938 in a browser from one of these systems?


  2. David 1 Reputation point
    2020-12-14T09:16:37.13+00:00

    Hi Jason,
    thanks for the reply.
    If I try to navigate https://<publicCMGname.mypublicdomain.com>/CCM_Proxy_MutualAuth/72057594037927938/ccm_client (as indicated in the ccmsetup.log) I get this message:

    {"Message":"Authorization has been denied for this request."}

    I think it is normal as the device should negotiate the token it should receive from the CM server; but analyzing the log, I do not see it receiving any token that is then cached.

    From CM server side, I didn't see errors in any log related to the process.
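One way to script the two manual checks Jason suggested, verify the certificate chain from the machine's own trust store, and then pull the token-related lines out of ccmsetup.log. This is an added example, not code from the thread; the CMG name, proxy id and log path are placeholders or assumptions to replace with your own values.

```powershell
# Added example (not from the thread): preflight the CMG endpoints, check TLS
# trust from the local store, then scan ccmsetup.log for token handling.
$CmgFqdn = 'publicCMGname.mypublicdomain.com'   # CMG public name (placeholder)
$ProxyId = '72057594037927938'                   # CCM_Proxy_MutualAuth id used in the thread
$Base    = "https://$CmgFqdn/CCM_Proxy_MutualAuth/$ProxyId"

function Test-CmgEndpoint {
    param([Parameter(Mandatory)][string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        [pscustomobject]@{ Uri = $Uri; Status = [int]$r.StatusCode; Detail = 'reachable' }
    } catch {
        $resp = $_.Exception.Response
        [pscustomobject]@{
            Uri    = $Uri
            # HTTP error: the status code is returned; TLS/DNS failure: no response object at all
            Status = if ($resp) { [int]$resp.StatusCode } else { -1 }
            Detail = $_.Exception.Message
        }
    }
}

# Before any token is presented, /ccm_client is expected to answer 401
# ("Authorization has been denied for this request."), as in David's reply.
# Status -1 means name resolution or the TLS handshake failed, which points at
# DNS or the wildcard certificate chain rather than at the registration token.
$checks = @("https://$CmgFqdn/", $Base, "$Base/ccm_client") | ForEach-Object { Test-CmgEndpoint $_ }
$checks | Format-Table -AutoSize

# A browser may trust the chain while the machine store does not; test the store the client uses.
$tcp = [System.Net.Sockets.TcpClient]::new($CmgFqdn, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
try   { $ssl.AuthenticateAsClient($CmgFqdn); "TLS OK: $($ssl.RemoteCertificate.Subject)" }
catch { "TLS FAILED: $($_.Exception.Message)" }
finally { $ssl.Dispose(); $tcp.Dispose() }

# Lines in ccmsetup.log that mention token handling. The symptom in the question
# is that no client token is ever shown being received and cached, so an empty
# result here is itself a finding. The bulk token value is redacted before display.
$log = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'token', 'CCM_Proxy_MutualAuth' -SimpleMatch |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line -replace '(regtoken[:=]\s*)\S+', '$1<redacted>' }
}
```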


  3. Jason Sandys 31,151 Reputation points Microsoft Employee
    2020-12-28T16:10:44.293+00:00

    Without knowing the root cause here, not much can be said. And it will take more than just a simple forum thread to determine root cause which is exactly what support is for.

    It's possible that this is a configuration or environmental issue as well. Without some digging, there is no way to know.


  4. Koen Walraevens 1 Reputation point
    2021-01-12T08:10:42.89+00:00

    I've got it working (manually, not in sccm task sequence, so all will be set during rollout though) but my devices are first being azure ad joined with a bulk token.

    INFO Bulk token azure AD join:
    https://www.nielskok.tech/microsoft365/unattended-azure-ad-join/
    BEWARE: change the expiration date, otherwise your token might expire too early!!!!

    Follow nielskok's procedure and save. Open C:\Users\<Your Login>\Documents\Windows Imaging and Configuration Designer (WICD)\<name earlier created package>\customizations.xml
    There you can find the Authority between the <Authority> and </Authority> tag (is usually https://login.microsoftonline.com/common) and the bulk token between <BPRT> and the </BPRT> tag. (very long string, I think it always starts with 0.).
    Start Windows configuration designer once again and choose 'advanced provisioning', navigate to Runtime Settings - Accounts - Azure and complete the Authority and BPRT fields with the info from the .xml file. Save the project and choose export - provisioning package. Navigate to C:\Users\<Your Login>\Documents\Windows Imaging and Configuration Designer (WICD)\<name created package>\, there you'll find a .ppkg file. You can use that file to join devices in bulk to azure AD.
    More info:

    INFO install sccm client with intune:
    You'll need a few parameters from SCCM, you can find these with an sql query from the sccm database:
    http://eskonr.com/2020/05/how-to-prepare-sccm-cmg-client-installation-switches-for-internet-based-client/

    Below is an example of the command line (where CLOUDSCCM.mydomain.eu = name of the cmg point, site code = NTW)
    "%~dp0ccmsetup.exe" /forceinstall /MP:HTTPS://CLOUDSCCM.mydomain.eu/CCM_Proxy_MutualAuth/72057594037927123 SMSSiteCode=NTW SMSCACHESIZE=40960 CCMHOSTNAME=CLOUDSCCM.mydomain.eu/CCM_Proxy_MutualAuth/72057594037927123 AADCLIENTAPPID=76457ae3-b7fd-40ce-b599-a094ddac107b AADTENANTID=B6E080EA-ADB9-4C79-9303-6DCF826FB854 SMSMP=https://CLOUDSCCM.mydomain.eu

    Technically, you should set the SMSMP parameter to your (primary) sccm management point on your internal network, according to microsoft info, but that's something I'll test later on.
    https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-installation-properties


    UPDATE 01/14/2021 --------------------------------
    INFO Install sccm client with sccm (compatible with CMG):
    Once you set up CMG, the SCCM client will get all the necessary parameters upon installation via the task sequence. No need to change any parameters for the 'Setup Windows and ConfigMgr' step.


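To make the steps above repeatable, the following added example (not Koen's script or anything from the thread) reads the Authority and BPRT values out of the WICD customizations.xml he describes, shows only a fingerprint of the token, and assembles the Azure AD based ccmsetup call as an argument array. The package path, internal MP name and the AADCLIENTAPPID/AADTENANTID values are placeholders you must supply.

```powershell
# Added example (not from the thread): extract Authority/BPRT from the WICD
# customizations.xml and build the ccmsetup argument list Koen's answer shows.
$XmlPath   = Join-Path $HOME 'Documents\Windows Imaging and Configuration Designer (WICD)\MyPackage\customizations.xml'  # placeholder
$CmgFqdn   = 'CLOUDSCCM.mydomain.eu'
$ProxyId   = '72057594037927123'
$SiteCode  = 'NTW'
$AadApp    = '<AADCLIENTAPPID from the SQL query>'   # placeholder
$AadTenant = '<AADTENANTID from the SQL query>'      # placeholder
$InternalMp = 'mp01.corp.example'                    # internal MP FQDN (placeholder)

function Get-WicdBulkToken {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    # local-name() ignores the WICD namespace prefixes, so the XPath works for any package
    $authority = $doc.SelectSingleNode('//*[local-name()="Authority"]').InnerText
    $bprt      = $doc.SelectSingleNode('//*[local-name()="BPRT"]').InnerText
    if (-not $bprt) { throw "No BPRT element found in $Path" }
    [pscustomobject]@{ Authority = $authority; BPRT = $bprt }
}

$tok = Get-WicdBulkToken -Path $XmlPath
# The .xml and .ppkg hold a join credential: print a fingerprint, never the full value.
"Authority: $($tok.Authority)  BPRT prefix: $($tok.BPRT.Substring(0, 6))...  length: $($tok.BPRT.Length)"

# Arguments as an array so the shell does not re-quote them. SMSMP points at the
# internal management point, which Koen notes Microsoft's documentation recommends.
$Base = "$CmgFqdn/CCM_Proxy_MutualAuth/$ProxyId"
$CcmArgs = @(
    '/forceinstall'
    "/MP:https://$Base"
    "CCMHOSTNAME=$Base"
    "SMSSiteCode=$SiteCode"
    "SMSMP=https://$InternalMp"
    "AADCLIENTAPPID=$AadApp"
    "AADTENANTID=$AadTenant"
    'SMSCACHESIZE=40960'
)
# Same directory logic as "%~dp0ccmsetup.exe": the script's folder, or the current one when run interactively.
$scriptDir = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$p = Start-Process -FilePath (Join-Path $scriptDir 'ccmsetup.exe') -ArgumentList $CcmArgs -Wait -PassThru
"ccmsetup exited with code $($p.ExitCode); see $env:windir\ccmsetup\Logs\ccmsetup.log"
```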