[Solved] ONE machine SCCM 2207 client fails - Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f

Sebastian Cerazy 321 Reputation points
2022-10-03T11:01:57.003+00:00

SCCM 2207, a SINGLE machine (used to have client, did not upgrade correctly, so removed all & trying to re-install), 100s of other machines behave fine, so please do not recommend any changes to the server itself!

[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------  
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered  
[CCMHTTP]                : dwStatusInformationLength is 4  
[CCMHTTP]                : *lpvStatusInformation is 0x80000000  
[CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR is set  
[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------  
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f  
  
Failed to get MDM_ConfigSetting instance, 0x80041013  
Failed to get client version for sending state messages. Error 0x8004100e  
  

CRLs are accessible, machine was rebooted, every DNS resolves correctly, boundary assigned correctly

Every other machine in the same IP range installs & reports correctly

None of these are of any help:

https://social.technet.microsoft.com/Forums/en-US/181e5971-d5d3-4812-9a4c-e4bee15aa19b/ccmsetup-asynccallback-winhttpcallbackstatussecurefailure-encountered-on-a-push?forum=configmgrgeneral
https://learn.microsoft.com/en-us/answers/questions/753010/sccm-client-installation-failing.html
https://learn.microsoft.com/en-us/answers/questions/252748/cannot-start-pushed-sccm-agents-and-they-do-not-re.html

Anybody has any useful idea?

I can "force" the install with

c:\temp\client\CCMSetup.exe /source:c:\temp\client SMSSITECODE=BG1  CCMDEBUGLOGGING=1 CCMLOGLEVEL=0 CCMLOGMAXSIZE=52488000 CCMLOGMAXHISTORY=5 CCMHTTPSSTATE=31 SMSCACHEFLAGS=PERCENTDISKSPACE;NTFSONLY SMSCACHESIZE=15  
  

But then it does not report, as it gives the same error:

Failed to get MDM_ConfigSetting instance, 0x80041013  

Seb


7 answers

  1. Sebastian Cerazy 321 Reputation points
    2022-10-10T09:42:43.573+00:00

    Got that part of the error sorted:

    Realized that I used IIS Crypto https://www.nartac.com/Products/IISCrypto/ with STRICT template (on that machine)
    This disables the OS's ability to connect to SSL sites. Reset it to Best Practice & this part of the error is no longer there

    Now I have a different one instead (after client installs fine):

    Could not retrieve value for MDM_ConfigSetting . Error 0x80041013  
      
    Failed to get MDM_ConfigSetting instance, 0x80041013  
      
    No Location Reply received from sccm_server.fdqn  
    
    1 person found this answer helpful.
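
The answer above traces the 0x2f8f secure-channel failure to IIS Crypto's STRICT template on that one client. As an added example (not part of the original post and not IIS Crypto's own code), this read-only PowerShell lists the Schannel registry overrides on a machine so the failing client can be compared with a working one. The registry paths are the standard Windows Schannel locations; the function names are hypothetical.

```powershell
# Added example: read-only audit of Schannel settings on the affected client.
# Nothing is modified; run it on the failing machine and on a healthy one.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$policy   = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$hklm     = [Microsoft.Win32.Registry]::LocalMachine

function Get-EnabledState($key) {
    # A missing key or a missing "Enabled" value means the OS default applies.
    if ($null -eq $key) { return 'OS default' }
    $v = $key.GetValue('Enabled')
    if ($null -eq $v) { return 'OS default' }
    if ($v -eq 0) { return 'DISABLED' }
    return 'enabled'
}

function Get-SchannelOverride {
    # Outbound (client role) protocol switches; ccmsetup connects as a client.
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        $key = $hklm.OpenSubKey("$schannel\Protocols\$proto\Client")
        [pscustomobject]@{ Kind = 'Protocol (client)'; Name = $proto; State = (Get-EnabledState $key) }
    }
    # Ciphers, hashes and key exchanges apply to both roles. The .NET API is
    # used because names such as "AES 128/128" contain a slash.
    foreach ($kind in 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms') {
        $parent = $hklm.OpenSubKey("$schannel\$kind")
        if ($null -eq $parent) { continue }
        foreach ($name in $parent.GetSubKeyNames()) {
            $state = Get-EnabledState ($parent.OpenSubKey($name))
            [pscustomobject]@{ Kind = $kind; Name = $name; State = $state }
        }
    }
}

function Get-CipherSuitePolicy {
    # A "Functions" value here replaces the OS default cipher suite order.
    $key = $hklm.OpenSubKey($policy)
    if ($null -eq $key) { return @() }
    $v = $key.GetValue('Functions')
    if ($null -eq $v) { return @() }
    # The value may be REG_MULTI_SZ or a single comma-separated REG_SZ.
    return @($v) | ForEach-Object { $_ -split ',' } | Where-Object { $_ }
}

Get-SchannelOverride | Where-Object State -ne 'OS default' | Format-Table -AutoSize
$suites = @(Get-CipherSuitePolicy)
if ($suites.Count) {
    "Cipher suite order set by policy ($($suites.Count) suites):"; $suites
} else { 'No cipher suite order policy; OS defaults apply.' }
```

Rows marked DISABLED, or a cipher suite list that shares nothing with what the management point offers, are the differences to look for against a working client.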

  2. Sebastian Cerazy 321 Reputation points
    2022-10-10T10:18:45.26+00:00

    And now got it all sorted

    Needed to re-enable on MP (Allow intranet and Internet connections) even though this is an internal ONLY server!

    The client instantly (after service restart) picked up MP & registered itself with MP

    That was rather excising exercise

    1 person found this answer helpful.

  3. Sherry Kissinger 5,531 Reputation points
    2022-10-03T13:31:41.377+00:00

    Knowing absolutely nothing whatsoever... I find that the text of this message --> WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR <-- to me, implies it's something to do with security. Do your clients need a certificate to communicate? is that certificate good / not expired ?

    There are multiple other ccmsetup switches, related to certificates that might be helpful. Or at least... potentially use the CCMDEBUGLOGGING on this one device when you do the manual installation, and see if you get more information in the setup logs. https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-installation-properties .

    Since it's "just one device", to me it's obvious it can't be anything wrong with your Management Point, it's something unique/special on this one box. Right now, with just that error message, it "feels like" it's the Client Certificate.

    Standard Disclaimer: "I could be wrong and likely am."


  4. Sebastian Cerazy 321 Reputation points
    2022-10-04T10:55:19.22+00:00

    It is likely, yet none of the various logs makes any sense (or makes it more clear)

    The certificate is (like 100s of other machines) from the local CA (it is the correct certificate), but for the purpose of this exercise I did delete it (and the private key) and policies re-created it (as expected)

    And being a local domain, all is trusted (by GPOs, Root CA, Enterprise CA)

    Absolutely nothing looks different/wrong with certificates on this one box


  5. Sherry Kissinger 5,531 Reputation points
    2022-10-04T17:11:43.467+00:00

    I don't see that you have specifically said whether or not you tried this... so ... try this, just for fun.

    • ccmsetup /uninstall
    • Wait for %windir%\ccmsetup\logs\ccmsetup.log to say the uninstall is done.
    • reinstall using this (copied from your line above, with ONE ADDITION)

    CCMSetup.exe /source:c:\temp\client SMSSITECODE=BG1 CCMDEBUGLOGGING=1 CCMLOGLEVEL=0 CCMLOGMAXSIZE=52488000 CCMLOGMAXHISTORY=5 CCMHTTPSSTATE=31 SMSCACHEFLAGS=PERCENTDISKSPACE;NTFSONLY SMSCACHESIZE=15 RESETKEYINFORMATION=TRUE

    • Wait for ccmsetup.log to say it's done... and see if things look normal-ish.

    Why? because sometimes if there is a certificate issue... by forcing that resetkeyinformation=true, it clears up "huh, that's interesting" client stuff related to the certificate.

    Worst case, you are still as stuck as you already are. Best case, it miraculously fixes something.

