David-7939 asked SandeepBondada-7191 commented

Bulk registration token with CMG

Hi all,

I've got an operational Cloud Management Gateway setup with Enhanced HTTP using a public wildcard certificate.

I have many remote machines (not Hybrid or Azure AD joined) that now operate on the Internet and were configured prior to installing Configuration Manager 2010 infrastructure; all these machines do not have the CM agent installed.

I created a new bulk-token to allow token based authentication; I also provided to my users all source files to be able to install the CM client through the following command line:

ccmsetup.exe /mp:https://<publicCMGname.mypublicdomain.com>/CCM_Proxy_MutualAuth/72057594037927938 CCMHOSTNAME=<publicCMGname.mypublicdomain.com>/CCM_Proxy_MutualAuth/72057594037927938 SMSSiteCode=<sitecode> SMSMP=http://<localMPFQDN> /regtoken:<bulktoken>

Below part of the ccmsetup.log:

[Image: 47387-image.png, ccmsetup.log excerpt]

Has anyone else encountered behavior like this? Am I missing something?


Hi David,

Were you able to resolve the CCM bulk registration token issue? I am seeing the same error now and would appreciate it if you could post the fix for the issue.

Thanks!

Jason-MSFT answered

Is this happening on all of the systems where it has been attempted?

What happens when you manually navigate to https://<publicCMGname.mypublicdomain.com>/ and https://<publicCMGname.mypublicdomain.com>/CCM_Proxy_MutualAuth/72057594037927938 in a browser from one of these systems?

David-7939 answered David-7939 commented

Hi Jason,
thanks for the reply.
If I try to navigate to https://<publicCMGname.mypublicdomain.com>/CCM_Proxy_MutualAuth/72057594037927938/ccm_client (as indicated in the ccmsetup.log) I get this message:

{"Message":"Authorization has been denied for this request."}

I think it is normal, as the device should negotiate the token it should receive from the CM server; but analyzing the log, I do not see any token being received and then cached.

On the CM server side, I didn't see errors in any log related to the process.


What about my first question above?

Also, for the log snippet above, is that truly where the log ends?


Hi Jason,
I tried on two systems and we received the same error!

About the log: the client retries many times, but with the same error.





Please open a case with Microsoft support. I think this may be a known bug but can't confirm here as that needs to be done with a support engineer.

Jason-MSFT answered

Without knowing the root cause here, not much can be said. And it will take more than just a simple forum thread to determine the root cause, which is exactly what support is for.

It's possible that this is a configuration or environmental issue as well. Without some digging, there is no way to know.

KoenWalraevens-8397 answered KoenWalraevens-8397 edited

I've got it working (manually, not in an SCCM task sequence, so all will be set during rollout though) but my devices are first being Azure AD joined with a bulk token.

INFO Bulk token azure AD join:
https://www.nielskok.tech/microsoft365/unattended-azure-ad-join/
BEWARE: change the expiration date, otherwise your token might expire too early!!!!
Follow Niels Kok's procedure and save. Open C:\Users\<Your Login>\Documents\Windows Imaging and Configuration Designer (WICD)\<name earlier created package>\customizations.xml
There you can find the Authority between the <Authority> and </Authority> tags (it is usually https://login.microsoftonline.com/common) and the bulk token between the <BPRT> and </BPRT> tags (a very long string; I think it always starts with 0.).
Start Windows Configuration Designer once again and choose 'advanced provisioning', navigate to Runtime Settings - Accounts - Azure and complete the Authority and BPRT fields with the info from the .xml file. Save the project and choose export - provisioning package. Navigate to C:\Users\<Your Login>\Documents\Windows Imaging and Configuration Designer (WICD)\<name created package>\, there you'll find a .ppkg file. You can use that file to join devices in bulk to Azure AD.
More info:
- https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package
- https://docs.microsoft.com/en-us/powershell/module/provisioning/install-provisioningpackage?view=win10-ps

INFO install sccm client with intune:
You'll need a few parameters from SCCM, you can find these with an sql query from the sccm database:
http://eskonr.com/2020/05/how-to-prepare-sccm-cmg-client-installation-switches-for-internet-based-client/

Below is an example of the command line (where CLOUDSCCM.mydomain.eu = name of the CMG point, site code = NTW):
"%~dp0ccmsetup.exe" /forceinstall /MP:HTTPS://CLOUDSCCM.mydomain.eu/CCM_Proxy_MutualAuth/72057594037927123 SMSSiteCode=NTW SMSCACHESIZE=40960 CCMHOSTNAME=CLOUDSCCM.mydomain.eu/CCM_Proxy_MutualAuth/72057594037927123 AADCLIENTAPPID=76457ae3-b7fd-40ce-b599-a094ddac107b AADTENANTID=B6E080EA-ADB9-4C79-9303-6DCF826FB854 SMSMP=https://CLOUDSCCM.mydomain.eu

Technically, you should set the SMSMP parameter to your (primary) SCCM management point on your internal network, according to Microsoft's info, but that's something I'll test later on.
https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-installation-properties

--------------------- UPDATE 01/14/2021 --------------------------------
INFO Install sccm client with sccm (compatible with CMG):
Once you set up CMG, the SCCM client will get all the necessary parameters upon installation via the task sequence. No need to change any parameters for the 'Setup Windows and ConfigMgr' step.
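
A pre-flight check for the two kinds of ccmsetup.exe command line posted in this thread, as an added example that is not from any poster or from Microsoft: it confirms /mp uses HTTPS, that CCMHOSTNAME is the same endpoint without the scheme (the pattern both posted commands follow), reports which authentication parameters are present, and redacts /regtoken so the line can go into a log or ticket. The function name and the sample host, ID and token are constructed.

```powershell
# Added example; function name and sample values are constructed, not from the thread.
function Test-CcmSetupCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Whitespace split is enough here: none of the values in the thread contain spaces.
    $tokens = $CommandLine.Trim() -split '\s+'
    $switches = @{}; $props = @{}   # PowerShell hashtables are case-insensitive (/MP == /mp)
    foreach ($t in $tokens) {
        if ($t -match '^/(\w+)(?::(.*))?$') { $switches[$Matches[1]] = $Matches[2] }  # /mp:..., /regtoken:...
        elseif ($t -match '^(\w+)=(.*)$')   { $props[$Matches[1]] = $Matches[2] }     # CCMHOSTNAME=...
    }

    $findings = @()
    $mp = $switches['mp']
    if (-not $mp) { $findings += '/mp is missing' }
    elseif ($mp -notmatch '^https://') { $findings += '/mp does not use https' }

    # Assumption taken from both commands in the thread: CCMHOSTNAME = /mp without the scheme.
    $cmg = $props['CCMHOSTNAME']
    if (-not $cmg) { $findings += 'CCMHOSTNAME is missing' }
    elseif ($mp -and (($mp -replace '^https?://', '') -ne $cmg)) {
        $findings += 'CCMHOSTNAME and /mp name different endpoints'
    }

    # Which client authentication parameters are present on the command line.
    $auth = if ($switches['regtoken']) { 'bulk registration token' }
    elseif ($props['AADCLIENTAPPID'] -and $props['AADTENANTID']) { 'Azure AD' }
    else { 'none on the command line' }

    # The registration token is a credential: never write it to logs or tickets.
    $redacted = ($tokens | ForEach-Object {
        if ($_ -match '^/regtoken:') { '/regtoken:<redacted>' } else { $_ }
    }) -join ' '

    [pscustomobject]@{ AuthMode = $auth; Findings = $findings; SafeToLog = $redacted }
}

# Constructed sample in the shape of the question's command (placeholder host, ID and token).
$sample = 'ccmsetup.exe /mp:https://cmg.example.com/CCM_Proxy_MutualAuth/1234567890 ' +
          'CCMHOSTNAME=cmg.example.com/CCM_Proxy_MutualAuth/1234567890 SMSSiteCode=ABC ' +
          'SMSMP=http://mp01.example.local /regtoken:EXAMPLE-TOKEN-NOT-REAL'
Test-CcmSetupCommandLine -CommandLine $sample | Format-List
```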



