MECM Client not connected to CMG when ClientAlwaysOnInternet regkey = 1

Zahid 1 Reputation point
2021-08-13T17:50:35.15+00:00

Hi All,

We have a script that changes the ClientAlwaysOnInternet registry value based on the network connection (ZPA, VPN or office network) the user is currently on.
I'm facing an issue on a few clients whereby the client is able to connect to the CMG for policy and content download when ClientAlwaysOnInternet = 0, but is not able to when ClientAlwaysOnInternet = 1.

To test this out I disconnected the client from ZPA or GPC so that it is purely on the internet and changed the regkey, which is when I noticed this behaviour.

Error in CcmMessaging showing up "CCM_E_NO_CLIENT_PKI_CERT, HRESULT=87d00454, Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server."
Error in ClientIDManagerStartup showing up "RegTask: Failed to send registration request message. Error: 0x87d00231"

Reinstalling the agent seemed to solve the issue when we tried it on one of the clients, but I just thought I'd check what the possible cause could be. It will be hard on patch compliance if users lose their connection to the CMG due to this issue.

We are currently on MECM version 2010 and use a PKI cert for CMG communication.

Appreciate all the input!

Microsoft Configuration Manager
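The following PowerShell script is an added example and is not the poster's own script: it reads the ClientAlwaysOnInternet value and scans the two client logs named above for the error signatures quoted in the question, so that the registry state and the CMG failure can be correlated on an affected machine. The registry path (HKLM\SOFTWARE\Microsoft\CCM\Security) and log directory (C:\Windows\CCM\Logs) are the Configuration Manager client defaults and are assumed here; the sample log lines are constructed in CM log format so the script can be dry-run on a machine without the client.

```powershell
# Added example, not the poster's script. Correlate the ClientAlwaysOnInternet
# registry value with the CMG/PKI errors quoted in the question.
# Registry path and log directory are the ConfigMgr client defaults (assumed);
# adjust them if the client is installed elsewhere.

$RegPath = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
$LogDir  = 'C:\Windows\CCM\Logs'

# One regex per log file, built from the messages quoted in the question
$Signatures = @{
    'CcmMessaging.log'           = 'CCM_E_NO_CLIENT_PKI_CERT|HRESULT=87d00454'
    'ClientIDManagerStartup.log' = 'Failed to send registration request message|0x87d00231'
}

function Get-ClientAlwaysOnInternet {
    # Returns the DWORD value, or 'not set' when the key or value is absent
    $item = Get-ItemProperty -Path $RegPath -Name 'ClientAlwaysOnInternet' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    return [int]$item.ClientAlwaysOnInternet
}

function Find-CmgErrorLines {
    # Match each line against the signature for its log. Lines are passed in,
    # so the function works on a live log tail or on constructed sample lines.
    param([string]$Log, [string[]]$Lines)
    $pattern = $Signatures[$Log]
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # CM log lines look like <![LOG[message]LOG]!><time="..." date="..." ...>;
            # pull out the message body when present, otherwise keep the raw line
            $msg = if ($line -match '<!\[LOG\[(.*?)\]LOG\]!>') { $Matches[1] } else { $line }
            [pscustomobject]@{ Log = $Log; Message = $msg }
        }
    }
}

# Constructed sample lines (CM log format) for an offline dry run; the
# timestamps are made up, the messages are the ones quoted in the question.
$Sample = @{
    'CcmMessaging.log' = @(
        '<![LOG[Sending outbound message to CMG]LOG]!><time="10:01:00.000+00" date="08-13-2021" component="CcmMessaging" type="1">',
        '<![LOG[CCM_E_NO_CLIENT_PKI_CERT, HRESULT=87d00454, Client is not allowed to use or doesn''t have PKI cert while talking to HTTPS server.]LOG]!><time="10:01:01.000+00" date="08-13-2021" component="CcmMessaging" type="3">'
    )
    'ClientIDManagerStartup.log' = @(
        '<![LOG[RegTask: Failed to send registration request message. Error: 0x87d00231]LOG]!><time="10:01:02.000+00" date="08-13-2021" component="ClientIDManagerStartup" type="3">'
    )
}

"ClientAlwaysOnInternet = $(Get-ClientAlwaysOnInternet)"

# Use the real logs when present (tail only; CM logs are large and rotate),
# otherwise fall back to the constructed sample so the script still runs.
$hits = foreach ($log in $Signatures.Keys) {
    $path  = Join-Path $LogDir $log
    $lines = if (Test-Path $path) { Get-Content -Path $path -Tail 500 } else { $Sample[$log] }
    Find-CmgErrorLines -Log $log -Lines $lines
}
$hits = @($hits)

if ($hits.Count -eq 0) {
    'No CMG PKI/registration errors found.'
} else {
    "$($hits.Count) matching line(s):"
    $hits | Format-Table -AutoSize -Wrap
}
```

Run it in an elevated PowerShell session on a client that shows the symptom once with the value at 0 and once at 1; if the errors appear only in the second run, the registry flip itself is what breaks CMG communication, which is the unsupported behaviour described in the answer below.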

1 answer

  1. Jason Sandys 31,181 Reputation points Microsoft Employee
    2021-08-13T18:32:01.163+00:00

    Flipping that registry value (not key) dynamically back and forth is not supported and can/will result in unsupported and thus unexpected behavior.

    I'm hoping to address the core issue here in a near future production build (no commitments though).

    For now, the only truly supported and workable path is to use AD sites. See https://zscaler.nethelpdesk.net/article/16/supporting-microsoft-sccm-with-zpa and https://community.zscaler.com/t/zscaler-private-access-active-directory/8826.
