Unable to install SCCM agent over internet using CMG and bulk enrollment token

Mike Gorski 41 Reputation points

I have set up a CMG recently and I am having trouble trying to install the SCCM agent over the internet using token based authentication. The errors I am seeing seem to indicate a certificate trust issue but there should be no need for certs for this to work. My test PC is in a workgroup and has never touched the domain. I have tested the CMG with a domain joined PC and I verified it works (I can deploy applications and software updates.)

I am running SCCM 2010 and to test this, I am following this MS doc https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-token. I ran the bulk enrollment utility to generate the token and here is my installation command line:

ccmsetup.exe /mp:https://myCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939 CCMHOSTNAME=myCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939 SMSSiteCode=GOR SMSMP=https://myMP.myDomain.com /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InpkZnpZMVNGM.....

The installation fails with these errors in ccmsetup.log:

[CCMHTTP] AsyncCallback(): -------------------------                   ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered                 	ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
[CCMHTTP]                : dwStatusInformationLength is 4              	ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
[CCMHTTP]                : *lpvStatusInformation is 0x9                      	ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
[CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set    	ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
[CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set                   	ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------	ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f	                      ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
RetrieveTokenFromStsServerImpl failed with error 0x80072f8f	                ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)    
Failed to create SMS client object. Error 0x80040154                             	ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
Failed to get CCM access token and client doesn't have PKI issued cert to use SSL. Error 0x80070002         	ccmsetup	3/2/2021 10:53:37 PM	10656 (0x29A0)  
CcmSetup failed with error code 0x87d00455  

I imported the RootCA from my domain and tried to reinstall. It errored again with the same messages except for "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set", which makes sense. However, the RootCA or any certs should not be needed if I am understanding how the bulk token is supposed to work. I added /nocrlcheck to the command line and this allowed the SCCM agent to complete. Unfortunately, after it finished installing, the agent is refusing to communicate with the CMG, as I get the same error messages in locationservices.log that I posted above.

I've read a lot of blogs and how-tos for this and I am doing exactly the same procedure. Does anyone have any thoughts about this? Thanks.

Microsoft Configuration Manager

Accepted answer
  1. Jason Sandys 31,186 Reputation points Microsoft Employee

    but there should be no need for certs for this to work.

    This is not correct. Clients must still trust the PKI that issued the certificate configured on the CMG. Given that you've tested it and it works with a domain joined PC, I'm assuming that you are using a certificate issued from an internal CA on the CMG. If so, then this is an issue as non-domain joined clients won't automatically trust the cert on the CMG. This is all standard, by design PKI behavior and not specific to CMG or ConfigMgr. This is why we recommend using a cert from public CA for the CMG as this kind of cert is trusted by Windows by default.

    1 person found this answer helpful.
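The accepted answer comes down to two checks the client performs before it will talk to the CMG: does it chain the CMG's TLS certificate to a root in its own trusted store, and can it fetch the CRL for that chain. The following PowerShell script is an added diagnostic, not code from the thread, from Microsoft or from the Configuration Manager docs; it runs on the workgroup client, pulls the certificate the CMG presents on port 443 and evaluates the chain with online revocation checking, then reports which of the two ccmsetup.log flags (INVALID_CA or CERT_REV_FAILED) the result corresponds to. The CMG hostname defaults to the placeholder from the question and is an assumption to replace with your own.

```powershell
<#
  Added diagnostic (not part of the original thread).
  Checks whether this client trusts the CMG's TLS certificate chain and can
  reach its CRL: the two conditions behind
  WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA and
  WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED in ccmsetup.log.
#>
param(
    # Placeholder CMG hostname taken from the question; replace with yours.
    [string]$CmgHost = 'myCMG.CLOUDAPP.NET',
    [int]$Port = 443
)

# Open a TLS connection and capture the certificate the CMG presents.
# The callback accepts any certificate here only so we can inspect it;
# trust is evaluated explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors) $true
}
$tcp = [System.Net.Sockets.TcpClient]::new($CmgHost, $Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($CmgHost)
$serverCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Subject : $($serverCert.Subject)"
"Issuer  : $($serverCert.Issuer)"
"Expires : $($serverCert.NotAfter)"

# Build the chain the way WinHTTP does: roots from the machine store,
# online revocation checking for the entire chain.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($serverCert)

if ($valid) {
    "Chain OK: this client trusts the CMG certificate and its CRL is reachable."
} else {
    $last = $chain.ChainElements.Count - 1
    $root = $chain.ChainElements[$last].Certificate.Subject
    foreach ($s in $chain.ChainStatus) {
        switch ($s.Status.ToString()) {
            'UntrustedRoot' {
                "INVALID_CA equivalent: root '$root' is not in Cert:\LocalMachine\Root on this client."
            }
            { $_ -in 'RevocationStatusUnknown', 'OfflineRevocation' } {
                "CERT_REV_FAILED equivalent: a CRL in the chain could not be retrieved ($($s.StatusInformation.Trim()))."
            }
            default { "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())" }
        }
    }
}

# Show where (if anywhere) each certificate in the presented chain is installed locally.
foreach ($el in $chain.ChainElements) {
    $thumb  = $el.Certificate.Thumbprint
    $inRoot = Test-Path "Cert:\LocalMachine\Root\$thumb"
    $inCa   = Test-Path "Cert:\LocalMachine\CA\$thumb"
    "{0,-60} Root:{1} CA:{2}" -f $el.Certificate.Subject, $inRoot, $inCa
}
```

Run it from the workgroup client while it is on the internet, before running ccmsetup. An `UntrustedRoot` result is the situation the accepted answer describes: the CMG certificate was issued by an internal CA that a non-domain-joined machine has no reason to trust, and the remedy is either a CMG certificate from a public CA or distributing that internal root to the client's machine Root store. A revocation failure alone matches the case where `/nocrlcheck` lets ccmsetup finish, but note that the flag only affects the installer; a client that cannot build a trusted chain will still fail in locationservices.log afterwards, which is what the question reports.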

3 additional answers

  1. Fiona Yan-MSFT 2,311 Reputation points

    @Mike Gorski

    Thank you for posting in Microsoft Q&A forum.

    As we mentioned above, there is no requirement to use certs during our installation. Could we know whether the option "Clients check the certificate revocation list (CRL) for site systems" is checked (like the image shown below)? If it is selected, please uncheck it and then try to use the /nocrlcheck command line to see if it works.

    Have a good day!

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Mike Gorski 41 Reputation points

    Hi @Fiona Yan-MSFT, thanks for replying. I disabled the CRL check but my test machine still throws the WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA error and refuses to communicate with the CMG. Thinking maybe the client needed a policy update, I connected to the internal LAN and ran a machine policy refresh. After it completed I put it on the internet and it is still throwing the WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA error. After this failed, I completely uninstalled the client from my test machine, rebooted, and tried to reinstall. It fails to install if I do not include /nocrlcheck, and if I do include it, it will install like before and then fail to communicate with the CMG.


  3. Amal Priyankara 1 Reputation point

    I have faced the same issue. Still looking for the answer.
