This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 86%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
I have set up Configuration Manager by the book. I had to integrate it with an existing WSUS and SQL Server.
I have not been able to successfully push the agent to the two workstations that I tried. Oddly, one workstation installed a little better than the other one, but neither is fully installed and showing as green.
I have tweaked just about everything I can think of, and I have poured through endless articles and forums. I would greatly appreciate some help.
There are no errors in the MPcontrol.log. The workstation logs have these errors:
LocationServices.log:
[CCMTPP] AsyncCallback() WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
[CCMTPP] AsyncCallback() WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f
Successfully queued event on HTTP/HTTPS failure for server MACHINENAME
Failed to send management point list Location Request Message to MACHINENAME
ClientIDManagerStartup.log:
RegTask: Failed to send registration request message. Error 0x87d00231
CCMmessaging.log:
[CCMTPP] AsyncCallback() WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
[CCMTPP] AsyncCallback() WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f
Post to https://MACHINENAME/ccm_system/request failed with 0x87d00231
Failed to WMI namespace \.root\ccm (80041003)
CCMSetup.log:
[CCMTPP] AsyncCallback() WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
[CCMTPP] AsyncCallback() WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
Failed to submit event to the Status Agent. Attempting to create pending event.
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f
Failed (0x80072f8f) to send location request to ‘MACHINENAME’. StatusCode 200, StatusText”
Failed to send location message to 'https://MACHINENAME.' Status text ''
GetDPLocations failed with error '0x80072f8f
Failed to get DP locations as the expected version from MP ‘HTTPS://MACHINENAME’. Error 0x80072f8f
Also, I cannot get any WSUS updates to show up, but that might be an unrelated issue.
When navigating to these adresses, you should be able to access the IIS site. If you get 403, something is wrong:
http://<ServerName.FQDN>/sms_mp/.sms_aut?mplist
http://<ServerName.FQDN>/sms_mp/.sms_aut?mpcert
Did you set up the site server to https only on purpose? It then will require full PKI setup. If not, change the site settings and MP to http or https.
I read that because the computer account normally accesses those URLs that you will see an error. See https://ramzibot.wordpress.com/2012/10/04/mpcert-mplist-access-denied-error-after-securing-the-management-point-by-a-certificate
I just imported the MP certificate, and I could browse the URLs without error.
The environment has a full PKI setup, because that is required. For the record, it didn't work in the HTTP or HTTPS mode either.
Did you get the cert working, that clients in https mode can view the iis site without error?
Yes, once I imported the computer cert into IE I could view the MP site without issue
Thank you for the update.
Getting this error in CcmMessaging.log on client: Client doesn't have PKI issued cert and cannot get CCM access token. Error 0x8000ffff. Once I imported the computer cert into IE I could view the MP site without issue.
Based on my understanding, If we use the https environment, the server must have a valid PKI web server certificate. Generally speaking, our DP has two certificates. When communicating with the client to be deployed, this client will obtain the certificate from our DP. Another certificate is used for site server and MP.
Please kindly verify whether you have selected Use PKI client certificate (client authentication capability) when available in the site properties. This option could make the client to select the certificate that matches.
Have a nice day!
We could try to restart the SMS_EXECUTIVE service (like the image below) and then check the CcmMessaging.log and the ccmsetup.log to track the client installation. We may see " Begin to select client certificate and then Client selected the PKI Certificate" in the log so that we may know if the client use the PKI certificate.
Have a good day!
May we know the current status of the question? If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.
Based on the logs, the client is not able to communicate with Management Server MP, problaly is not able to discover, did add the inforamtion on the AD severs? if not you can try passing the command line to intall the agent with those paramentres.
ccmsetup.exe /mp:SCCMSERVER /logon SMSSITECODE="site leters"
You can check if the MP is responding whit those URLs:
· http://<ServerName.FQDN>/sms_mp/.sms_aut?mplist
· http://<ServerName.FQDN>/sms_mp/.sms_aut?mpcert
· http://<ServerName.FQDN>/sms_mp/.sms_aut?MPKEYINFORMATION
I did the MP URL check (· http://<ServerName.FQDN>/sms_mp/.sms_aut?mplist) already and got a 403 Access Denied error, but as I understand it, that is an expected result since the computer account is what would normally be accessing the MP.
I understand that I can pass the command line to manually install the agent, but I want to make sure the agent can be pushed because everything is working as it should.
What do you mean by "did you add the information on the AD servers? Are you referring to extending the AD schema and making the permissions change on the container?
WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID. Failed to get DP locations as the expected version from MP.
1.Have we used the environment with https? If so, please check if the SSL certificate common name (host name field) is correct and the hostname the client is connecting to is matched with the certificate's subject or subject alternate name. It is recommended that we could check the certificate and use the FQDN of the server in the Common Name section.
For more details, please take a look at this blog.
I have not been able to successfully push the agent to the two workstations that I tried.
2.Could we know if any other clients are pushed successfully in this environment?
Have a good day!
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I started in HTTP mode, and some of the workstations installed, but only partially (the way they are now). That's when I decided to go through the PKI setup step-by-step using a well known guide for this. We already a PKI setup, but it was only partially fulfilling the requirements. I am 99.9% sure the PKI setup is correct. After going through the complete PKI setup I switched everything over to HTTPS.
I generated the MP certificate Alternative Name using both the hostname and FQDN fields for DNS. I am sure those are correct.
I pushed to three of the workstations. I didn't push to all of them, but they are set to push automatically anyway.
Update: I reverted to HTTP on all roles, and clients started reporting. Then I turned HTTPS back on for the MP only, and all clients went offline. The only error in MPcontrol.log is "Call to HttpSendRequestSync failed for port 443 with status code 401, text: Unauthorized"
When you switch from https only to http or https and back, be aware that the site actually re-installs itself. So you need lot of time to complete it.
Getting this error in CcmMessaging.log on client:
Client doesn’t have PKI issued cert and cannot get CCM access token. Error 0x8000ffff
I have confirmed that the client indeed has a certificate issued from the CA
I had lab https only mode a 1 hear ago because of the mbam introduced first time in 1910. I remember, that this entire scenario requires 4 certs;
I might remember this wrong, but please doublecheck.
Everything is in the same domain handled by the CA, so I don't need to manually add the Root CA. I have all other certificates.