CM client push installation to server in untrusted forest

Bojan Zivkovic 606 Reputation points
2021-04-01T11:48:13.347+00:00

Hi, I want to perform a CM client push installation on a server in an untrusted forest (that forest TRUSTS the forest where the MP is located). In ccmsetup.log I see this line:

Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server. ccmsetup 4/1/2021 4:31:45 AM 3220 (0x0C94)

The server has a CM client cert issued by the issuing CA in its domain, but obviously with only a one-way forest trust, something more needs to be done. Any help would be appreciated.

  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2021-04-01T14:07:12.57+00:00

    Forest trusts are irrelevant for client communication in ConfigMgr.

    You have a PKI trust issue based on what you have above (PKI trust and forest trust are two different and completely unrelated things). You need to sync with your PKI folks.


  2. Rahul Jindal [MVP] 10,911 Reputation points MVP
    2021-04-01T12:47:05.153+00:00

    I would suggest using the GPO startup script to install the agent instead. It is just easier in such scenarios.


  3. Kalyan Sundar 566 Reputation points
    2021-04-01T13:05:08.003+00:00

    Kindly try the command line below and check again:

    CCMSetup.exe /UsePKICert SMSSITECODE=CON CCMHTTPPORT=80 CCMHTTPSPORT=443


  4. Bojan Zivkovic 606 Reputation points
    2021-04-01T15:31:58.69+00:00

    I guess the installation method is irrelevant here - on the MP, client communication is set to HTTPS, hence this certificate issue.


  5. SunnyNiu-MSFT 1,706 Reputation points
    2021-04-05T09:56:13.45+00:00

    @Bojan Zivkovic
    Based on the above description, it is difficult for us to determine the specific cause.
    Here are some articles for reference:

    https://www.petervanderwoude.nl/post/using-client-push-installation-on-untrusted-forest-systems-with-configmgr-2012/ (Third-party link, just for your reference.)
    http://eskonr.com/2017/02/sccm-configmgr-how-to-manage-clients-in-untrusted-forest/ (Third-party link, just for your reference.)

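As an added example, not part of the thread: a PowerShell check for the ccmsetup.log message in the question and the PKI trust point in the first answer. It lists the client-authentication certificates in the server's computer store together with the top of each chain, so the PKI team can compare that root with the CAs the HTTPS management point trusts. Which side rejects the certificate is not stated in the thread, so treating the root comparison as the relevant check is an assumption.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the server where ccmsetup logged the PKI certificate error.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Certificates with no EKU extension at all are not matched by this filter.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid }

if (-not $candidates) {
    Write-Warning 'No certificate with the Client Authentication EKU in LocalMachine\My.'
}

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)

    # With a complete chain the last element is the root CA. With a partial
    # chain it is only the highest certificate that could be located.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey
        ChainValid      = $chainOk
        ChainStatus     = ($chain.ChainStatus.Status -join ', ')
        TopOfChain      = $top.Subject
        TopThumbprint   = $top.Thumbprint
        TopIsSelfSigned = ($top.Subject -eq $top.Issuer)
    }
    $chain.Reset()
}
```

A certificate that reports `ChainValid = True` here is trusted only by this server's own store; the same root still has to be trusted on the other side of the HTTPS connection, which is independent of any forest trust.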