SCCM agent installation fails on Internet-based co-managed devices

Dilan Nanayakkara 1,111 Reputation points
2022-05-17T06:02:55.887+00:00

Hi All,

I am getting the below error message on an internet-based client when deploying the SCCM agent via Intune.

I am using an on-prem certificate server (self-signed) for the CMG server certificate, and I don't have any certificate installed on the client devices since Enhanced HTTP is enabled; but since I use an on-prem certificate, I have uploaded the Root CA as a trusted authority provider on the client machine. Further, the Root CA is uploaded to the SCCM server as well. I don't see any errors for CMG in the content analyzer either.

I have checked the SCCM agent distribution in CMG, and it has been successfully distributed to the cloud management gateway.

CRL check is disabled on site systems (Clients check the certificate revocation list (CRL) for site systems).

Please note that I didn't configure any boundary configurations. Do I need any boundary configuration settings?

Appreciate the help.


Please find attached ccmsetup.log here.

202612-ccmsetup-error.log

dsregcmd status

202721-dsregcmdstatus.txt

Thanks,
Dilan


2 answers

  1. Amandayou-MSFT 11,156 Reputation points
    2022-05-18T03:33:39.05+00:00

    Hi @Dilan Nanayakkara

    When we use CMG in configuration manager, the server requires a server authentication certificate to build the secure channel. We can acquire a certificate for this purpose from a public provider, or issue it from your public key infrastructure (PKI).

    But we cannot use an on-prem certificate server (self-signed) for the CMG server certificate; please change it.
    Here is the related article we could refer to:
    https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/server-auth-cert

    According to the record: Client does not allow to use PKI issued cert and is not AAD capable. Ignoring this MP.

    Please check the client's AAD status. If there is something wrong, please retire the client and re-join it to AAD.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
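
    The two checks this answer asks for (the "not AAD capable" MP rejection in ccmsetup.log and the device's AAD join state from dsregcmd) can be scripted for triage. This is an added example, not code from the thread or from Microsoft; it assumes the CMTrace log format, the default ccmsetup.log path and dsregcmd.exe on PATH, and the sample log entries are constructed.

```powershell
# Added triage script (not from this thread): list MP rejections in ccmsetup.log
# and show the join state dsregcmd reports, the two things to compare when a
# co-managed client refuses a CMG management point.
# Assumptions: CMTrace log format, default ccmsetup.log path, dsregcmd.exe on PATH.
param([string]$LogPath = "$env:windir\ccmsetup\Logs\ccmsetup.log")

# One CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
# type 1 = Info, 2 = Warning, 3 = Error
$EntryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"[^>]*\btype="(?<type>\d)"'

function Get-CcmSetupMpRejections {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch $EntryPattern) { continue }   # skip wrapped or non-entry lines
        $msg = $Matches['msg']
        # "not AAD capable" is the exact condition in the thread; "Ignoring this MP" catches other MP rejections
        if ($msg -match 'not AAD capable|Ignoring this MP') {
            [pscustomobject]@{
                Date     = $Matches['date']
                Time     = $Matches['time']
                Severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches['type']]
                Message  = $msg
            }
        }
    }
}

function Get-DeviceJoinState {
    # dsregcmd /status prints aligned "Key : Value" lines; keep only the join-related ones
    $state = [ordered]@{}
    if (-not (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue)) { return $state }
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

if (Test-Path $LogPath) {
    $lines = Get-Content -Path $LogPath
} else {
    # Constructed sample entries so the parser can be exercised without a client log
    $lines = @(
        '<![LOG[Checking MP list from the CMG (constructed sample)]LOG]!><time="11:29:31.100+000" date="05-17-2022" component="ccmsetup" context="" type="1" thread="1234" file="ccmsetup.cpp:1">',
        '<![LOG[Client does not allow to use PKI issued cert and is not AAD capable. Ignoring this MP.]LOG]!><time="11:29:33.200+000" date="05-17-2022" component="ccmsetup" context="" type="2" thread="1234" file="ccmsetup.cpp:2">'
    )
}

Get-CcmSetupMpRejections -Lines $lines | Format-Table -AutoSize
Write-Host 'Device join state (dsregcmd /status):'
Get-DeviceJoinState | Format-Table -AutoSize
```

    If the rejection appears while AzureAdJoined reads NO (or TenantName is empty), the client is not presenting an AAD identity to the CMG, which is the condition the answer above describes.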


  2. Ahsan Amin 0 Reputation points
    2023-08-09T16:30:08.3766667+00:00

    Hi Dilan

    Did you find a solution?

    I'm deploying a CMG in my lab and have the exact same error in ccmsetup.log.

    Device is AADJ (not hybrid), client deployed using the co-mgmt setting in Intune, Root-CA added to the client.

    CMG Connection Analyzer passes with Azure ID and client cert.

