ConfigMgr Client install failing on AAD-joined devices

Turner Tilman 21 Reputation points
2020-09-17T22:19:14.927+00:00

We have a customer that has a functional ConfigMgr (CB 2006) environment with a newly configured CMG and Co-Management enabled. All of the CMG related settings and EHTTP settings are enabled. Machines that are Hybrid-AD joined and already have the ConfigMgr client are able to communicate and download software from the CMG.

Now trying to deploy the client to off-prem internet-only devices (all Win10 2004). Devices are AAD-joined. They get this when running the install manually:
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
[CCMHTTP] ERROR: URL=https://<CMGname>.CLOUDAPP.NET/CCM_Proxy_ServerAuth/ServiceMetadata, Port=443, Options=192, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE
Failed to get CMG metadata 0x80072f8f
Looking for MPs from AD...
Unexpected row count (0) retrieved from AD.
GetADInstallParams failed with 0x80004005
Couldn't find an MP source through AD. Error 0x80004005
No valid source or MP locations
CcmSetup failed with error code 0x80004005

Cmd is as follows:
ccmsetup.exe CCMHOSTNAME=<CMGname>.CLOUDAPP.NET/CCM_Proxy_MutualAuth/<code> SMSSiteCode=<site code> SMSMP=<FQDN for Primary Site> AADTENANTID=<AADTENANTID> AADCLIENTAPPID=<AADCLIENTAPPID> AADRESOURCEURI=https://ConfigMgrService

They have also tried adding the following switches:
/nocrlcheck
/mp:https://<CMGname>.CLOUDAPP.NET/CCM_Proxy_MutualAuth/<code>

Adding the /mp still fails but changes the error:
DownloadFileByWinHTTP failed with a non-recoverable failure, 0x87d00455
CcmSetup failed with error code 0x87d00455

There is no client cert involved as it should be using the AAD token, correct? They've followed the instructions from the following link, so not sure what they missed: https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-azure#configure-client-settings

Any ideas or suggestions would be hugely appreciated!

Thanks!

Microsoft Configuration Manager

Accepted answer
  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2020-09-18T16:30:33.72+00:00

    ERROR_WINHTTP_SECURE_FAILURE

    This is indicative of a certificate issue.

    Was the certificate issued by a public CA or an internal CA? I'm assuming internal.

    Is there a reason that a CNAME is not being used here (which is the recommended path) instead of the cloudapp.net CMG service name?


1 additional answer

  1. Simon Ren-MSFT 30,031 Reputation points Microsoft Vendor
    2020-09-21T09:10:44.113+00:00

    Hi,

    Thank you very much for all your replies and sharing. We're glad that the question is solved now. It may help others who have a similar issue. Here's a short summary of the problem.

    Problem/Symptom:
    ConfigMgr Client install failed on AAD-joined devices with error codes 0x80072f8f and 0x87d00455.

    Solution/Reason:
    It was indeed a cert issue. Once the CA trusted root cert was deployed to the problematic clients, the installation worked.

    Thanks again for your time!

    Best regards,
    Simon

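As an added example (not part of this thread, and not Microsoft's code), the PowerShell function below performs on an affected client the same trust check that WinHTTP performs when ccmsetup contacts the CMG: it retrieves the CMG's TLS certificate, builds the chain against the local machine's stores, and reports whether the chain's root is present in LocalMachine\Root. The hostname 'CMGNAME.cloudapp.net' is a placeholder for the CMG service name or its CNAME; the function name and the -SkipRevocation switch are this example's own.

```powershell
# Added diagnostic (not from the thread): can this client build a trusted chain to the
# CMG's TLS certificate? 'CMGNAME.cloudapp.net' below is a placeholder.
function Test-CmgTlsChain {
    param(
        [Parameter(Mandatory)] [string] $CmgHost,
        [int] $Port = 443,
        # Mirrors the effect of /nocrlcheck: skip revocation so a CRL reachability
        # problem is not mistaken for a missing root certificate.
        [switch] $SkipRevocation
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($CmgHost, $Port)

    # Accept the server certificate unconditionally during the handshake; the chain is
    # evaluated afterwards so every failure reason is reported instead of one exception.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($CmgHost)   # sends SNI for the CMG host name
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    # Build the chain the way the OS would for WinHTTP: machine trust stores, online CRL/OCSP.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($SkipRevocation) {
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    } else {
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    }
    $trusted = $chain.Build($serverCert)

    # The last chain element is the root (or the highest certificate that could be found).
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInStore = Test-Path -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"

    [pscustomobject]@{
        Host               = $CmgHost
        Subject            = $serverCert.Subject
        Issuer             = $serverCert.Issuer
        NotAfter           = $serverCert.NotAfter
        ChainTrusted       = $trusted
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        RootSubject        = $root.Subject
        RootThumbprint     = $root.Thumbprint
        RootInMachineStore = $rootInStore
    }
}

# Run twice: a missing root fails both runs (UntrustedRoot), while a CRL reachability
# problem fails only the first (RevocationStatusUnknown / OfflineRevocation).
Test-CmgTlsChain -CmgHost 'CMGNAME.cloudapp.net'
Test-CmgTlsChain -CmgHost 'CMGNAME.cloudapp.net' -SkipRevocation
```

On a client that reproduces the thread's 0x80072f8f failure, ChainTrusted is False with UntrustedRoot in ChainStatus and RootInMachineStore is False, which is exactly the condition the accepted fix (deploying the internal CA's root certificate to the client) clears; re-running the function after the root is installed should show ChainTrusted True before ccmsetup is retried.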