This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 62%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
I am working on upgrading the SCCM client on devices that either connect only to our IBCM server or are very rarely connected to our network via VPN.
I have noticed that when trying to do a manual install of the client on an internet connected device, the process fails. When I connect it to VPN, the install succeeds.
When connected via VPN, I see these lines in the ccmsetup.log:
Adding file '<primary site server>:80/SMS_DP_SMSPKG$/DOT00003/x64/WindowsFirewallConfigurationProvider.msi' to BITS job, saving as 'C:\windows\ccmsetup\WindowsFirewallConfigurationProvider.msi'.
Adding file '<primary site server>:80/SMS_DP_SMSPKG$/DOT00003/x64/client.msi' to BITS job, saving as 'C:\windows\ccmsetup\client.msi'.
Starting BITS download for client deployment files.
Download Update: 1120 out of 61009408 bytes transferred.
Successfully completed BITS download for client deployment files.
It looks like there are 2 files missing from the install package that I am manually running.
These files end up in the C:\windows\ccmsetup folder even though they already exist in the x64 folder.
The command line I use is:
ccmsetup.exe /UsePKICert /NoCRLCheck /mp:<site server> SMSMP="<site server>" CCMHOSTNAME="<IBCM server, external facing name>" SMSSITECODE="<site code>"
Do I have to specify something else?
Skip
It seems that specifying our site server with "/mp:<site server>" tells the install to look for that server to download further install files. And since it cannot reach it, it fails.
Is there any way to include the files it downloads in the package?
Skip
It looks like using /source and pointing it to a local folder does the job.
Skip
You have to check the configuration of your boundaries and boundary group in order to specify which DP will be used for which IP Address range/subnet.
Regards,
Youssef Saad | New blog: https://youssef-saad.blogspot.com
Please remember to ** “Accept answer” ** or upvote for useful answers, thank you!
What says the ccmsetup.log & client.msi.log files when you are trying the installation in the internet context?
Regards,
Youssef Saad | New blog: https://youssef-saad.blogspot.com
Please remember to ** “Accept answer” ** or upvote for useful answers, thank you!
They were just hanging. The 2 instances of msiexec never started. Using /source instead of /mp has now allowed the client to install. However, it never registers with the IBCM management point.
Thanks,
Skip
Are they your MP/DP are hosted in the same DMZ server? Make sure that the both accept internet requests.
Using /mp is required to install the client in the internet context. Let's try /mp and /source and check the logs.
Regards,
Youssef Saad | New blog: https://youssef-saad.blogspot.com
Please remember to ** “Accept answer” ** or upvote for useful answers, thank you!
Yes, the MP and DP roles are both on the DMZ server. I am able to deploy software to internet connected devices after installing the client while connected to the network.
I will try with both switches.
Thanks,
Skip
Using both /mp and /source failed. Same thing as before - instances of msiexec never start as it's failing to download components.
Skip
@Skip B
Thank you for posting in Microsoft Q&A forum.
When we use /mp, if the client connects to a management point using HTTPS, specify the FQDN not the computer name. The value must match the management point PKI certificate's Subject or Subject Alternative Name.
When we use /source, the Windows user account for client installation needs Read permissions to the location.
So when you use /source, it works now, right?
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
When I use /source, the client installs fine. But it never registers with the IBCM management point.
Skip
Looks to be a certificate issue. IIS on the IBCM server is giving errors. When I look at one of the logs, I see:
ModuleName="SCCMDeviceCertAuthModule", Notification="BEGIN_REQUEST", HttpStatus="403", HttpReason="Client certificate required", HttpSubStatus="7", ErrorCode="The operation completed successfully.
(0x0)", ConfigExceptionInfo=""
The GENERAL_REQUEST_START event has for details RequestURL="https://<ibcm server external FQDN>:443/bgb/handler.ashx?RequestType=Continue". When I got to that site in a browser, I am prompted for a certificate but the browser only shows me the cert in the Personal store for the user account and nothing from the local machine store.
Skip
HTTP Status Code 403: The server understood the request but refuses to authorize it.
Make sure that your PKI certificate is configured correctly in the client side.
Regards,
Youssef Saad | New blog: https://youssef-saad.blogspot.com
Please remember to ** “Accept answer” ** or upvote for useful answers, thank you!
Thanks for the reply.
The certificate works well enough that devices receive application deployments just fine from the IBCM server.
What would the server be missing?
Skip