Hello,
I have issues with some servers in Azure which are not getting the CM Client installed:
Server name
DNS Name=CZOHVCXSCP01.ad
Operating System: Microsoft Windows Server 2019 Datacenter
Configuration Manager 2010 KB4594177
==========[ ccmsetup started in process 15340 ]========== ccmsetup 4/1/2021 12:48:53 PM
Running on platform X64
Launch from folder C:\windows\ccmsetup\
CcmSetup version: 5.0.9040.1010
Folder 'Microsoft\Microsoft\Configuration Manager' not found. Task does not exist.
Folder 'Microsoft\Microsoft\Configuration Manager' not found. Task does not exist.
In ServiceMain
Folder 'Microsoft\Microsoft\Configuration Manager' not found. Task does not exist.
Folder 'Microsoft\Microsoft\Configuration Manager' not found. Task does not exist.
Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0
Failed to get MDM_ConfigSetting instance, 0x80041013
[CZOHVCXSCP01] Running on 'Microsoft Windows Server 2019 Datacenter' (10.0.17763). Service Pack (0.0). SuiteMask = 400. Product Type = 18
Ccmsetup command line: "C:\windows\ccmsetup\ccmsetup.exe" /runservice /ForceInstall /ignoreskipupgrade /config:MobileClient.tcf
Command line parameters for ccmsetup have been specified. No registry lookup for command line parameters is required.
SslState value: 224
CCMHTTPPORT: 80
CCMHTTPSPORT: 443
CCMHTTPSSTATE: 480
CCMHTTPSCERTNAME:
Lookup MP: VRPSCCMPR01.ad
FSP: VRPSCCMRS01.ad
CCMCERTSTORE: MY
CCMCERTISSUERS: CN=ad-VRCA-CA; DC=ad; DC=yyyyyy; DC=xxxx; DC=aaa | CN=XXXX Zzzzz Root Certificate Authority
CCMFIRSTCERT: 1
CCMPKICERTOPTIONS: 1
MANAGEDINSTALLER: 0
Begin searching client certificates based on Certificate Issuers
Certificate Issuer 1 [CN=ad-VRCA-CA; DC=ad; DC=yyyyyy; DC=xxxx; DC=aaa]
Certificate Issuer 2 [CN=XXXX zzzzz Root Certificate Authority]
Analyzing 1 Chain(s) found
Chain has Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to [] issued by [CN=XXXX zzzz AD Certificate Authority-CA1; DC=ad; DC=yyyyyy; DC=xxxx; DC=aaa]
Chain has Certificate [Thumbprint 3D4FDAC359EF8DA12CDE84FA6C31237A00021FF7] issued to [CN=XXXX Zzzzz AD Certificate Authority-CA1, DC=ad, DC=yyyyyy, DC=xxxx, DC=aaa] issued by [CN=XXXX Zzzzz Root Certificate Authority]
Chain has Certificate [Thumbprint B60BA9406B1B7ADBF4848CE3DA0E977105C2ED92] issued to [CN=XXXX Zzzzz Root Certificate Authority] issued by [CN=XXXX Zzzzz Root Certificate Authority]
Based on Certificate Issuer 'CN=XXXX Zzzzz Root Certificate Authority' found Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to 'CZOHVCXSCP01.ad'
Begin validation of Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to 'CZOHVCXSCP01.ad'
CRL check enabled.
Verification of Certificate chain returned 80092013
Completed validation of Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to CZOHVCXSCP01.ad'
Analyzing 1 Chain(s) found
Chain has Certificate [Thumbprint 9A0520DB27147AF3D1E1727ED3D0FE7ACE8C7344] issued to [DC=Windows Azure CRP Certificate Generator] issued by [DC=Windows Azure CRP Certificate Generator]
Failed to get certificate subject name using type 6 [80092004]
Failed to get certificate subject name using type 3 [80092004]
Cannot get subject name for cert '9A0520DB27147AF3D1E1727ED3D0FE7ACE8C7344'. Ignoring it.
Analyzing 1 Chain(s) found
Chain has Certificate [Thumbprint 18515AAEC279159B14CD6A8439E5BF139306D6DB] issued to [CN=cxohiasharefile.mednet.xxxx.aaa, OU= (MITS), O="", STREET=Avenue, L=Los Angeles, S=California, PostalCode=90095, C=US] issued by [CN=InCommon RSA Server CA; OU=InCommon; O=Internet2; L=Ann Arbor; S=MI; C=US]
Chain has Certificate [Thumbprint F5FB01DEA6E59CA6DD057054F4A3FF72DDE1D5C6] issued to [CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, S=MI, C=US] issued by [CN=USERTrust RSA Certification Authority; O=The USERTRUST Network; L=Jersey City; S=New Jersey; C=US]
Chain has Certificate [Thumbprint 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E] issued to [CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US] issued by [CN=USERTrust RSA Certification Authority; O=The USERTRUST Network; L=Jersey City; S=New Jersey; C=US] ccmsetup 4/1/2021 12:49:39 PM 2796 (0x0AEC)
Skipping Certificate [Thumbprint 18515AAEC279159B14CD6A8439E5BF139306D6DB] issued to 'cxohiasharefile.mednet.xxxx.aaa' as root is 'CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US' ccmsetup 4/1/2021 12:49:39 PM 2796 (0x0AEC)
Completed searching client certificates based on Certificate Issuers
Begin to select client certificate
The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.
1 certificate(s) found in the 'MY' certificate store.
Only one certificate present in the certificate store.
Begin validation of Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to 'CZOHVCXSCP01.ad'
Allowing usage of CNG key storage.
The Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to 'CZOHVCXSCP01.ad' has 'Client Authentication' capability.
Completed validation of Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to 'CZOHVCXSCP01.ad'
Failed to read assigned site code from registry. Error code = 0x80070002
Client selected the PKI Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to 'CZOHVCXSCP01.ad'
Performing AD query: '(&(ObjectCategory=mSSMSManagementPoint)(mSSMSDefaultMP=TRUE)(mSSMSSiteCode=UCP))'
OperationalXml '<ClientOperationalSettings><Version>5.00.9040.1016</Version><SecurityConfiguration><SecurityModeMask>0</SecurityModeMask><SecurityModeMaskEx>480</SecurityModeMaskEx><HTTPPort>80</HTTPPort><HTTPSPort>443</HTTPSPort><CertificateStoreName></CertificateStoreName><CertificateIssuers>CN=ad-VRCA-CA; DC=ad; DC=yyyyyy; DC=xxxx; DC=aaa | CN=XXXX Zzzzz Root Certificate Authority</CertificateIssuers><CertificateSelectionCriteria></CertificateSelectionCriteria><CertificateSelectFirstFlag>1</CertificateSelectFirstFlag><PKICertOptions>1</PKICertOptions><SiteSigningCert>308202FB308201E3A00302010202103D2CFCA6B6FD15A64B1C3CAA9ACFCD7B300D06092A864886F70D01010B05003016311430120603550403130B53697465205365727665723020170D3137303830373138353235385A180F32313137303731353138353235385A3016311430120603550403130B536974652053657276657230820122300D06092A864886F70D01010105000382010F003082010A0282010100C7904737D5B3DD55C86AA0B8B01078ABCF81947F2FB7142C1760E6CA55255C8DB8B125A963DE0AE2E9AB97FACAE264A166BDCF36F82AEBC48BB5ADB52074FD27754B9CE59B41CECF414ED3099FE0C5A8290AC4FDDE2DE946AE65F7EE4C789908E2E216E350DEF620074A9E070D3184EB850847683F527517A35828F9D80E71FF72962F449699B5704BC716636D4B8F8294DCAD6FF7B5125EACABE9DD3F9D284E538404A7613EF61DD62BF8AEBA7F426AC3EAF86FA33FB561DFF69292B023DD1145E1923828F2A20C55B8B0EA7AED8DEADC5E1B481052EB851056B7C12CEEF837CD0F7F0D7D1188184B4F8BFCB71C3FBBCDFE511E849E9126182FA243999717190203010001A343304130290603551D1104223020821E5652505343434D505230312E61642E6D65646374722E75636C612E65647530140603551D25040D300B06092B060104018237650B300D06092A864886F70D01010B05000382010100A1324457D7CE23ECD76D2C01C7CB8CE7A169CE51E80BA99FA99391720C773B52AEA7874ACB6A275105C1838D4E9B5593A6990A238E4E1F7F13C17DBB3FEBA98B9DA9ACD590077CCA6055BC758AE0A5819368D9E7BEB213D6C96A273D577B432F9F4650542E6BDF357F34C5B1DD3170D002DA0AD725B1266165C7054F61A3AD62089948299CBB7C725B3197773A3ACA0868AA6E568BA5686924F8A57BC3EE1735D6FBA9564871470F45B50EC27390688BA36AF33F8B314EC6E0BC63916DDC9EDD1C9B958787DAD8337
FB8CFC9DC1249B454440E80266E9F010B3D0BA39D7F778A6C16AAAE540A6155DEA6440D5B0416C142D60C035D4D7FEBBFBAAEA65BEDB1BC</SiteSigningCert></SecurityConfiguration><RootSiteCode>UCP</RootSiteCode><CCM> <CommandLine>SMSSITECODE=UCP DNSSUFFIX=ad SMSMP=VRPSCCMPR01.ad CCMHOSTNAME=SCCMinternet.ad FSP=VRPSCCMRS01.ad</CommandLine> </CCM><FSP> <FSPServer>VRPSCCMRS01.ad</FSPServer> </FSP><Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /><Property Name="SSLState" Value="63" /></Capabilities><Domain Value="ad" /><Forest Value="ad" /><AADConfig Version="1.0"><Tenants></Tenants></AADConfig></ClientOperationalSettings>' ccmsetup 4/1/2021 12:49:40 PM 2796 (0x0AEC)
The MP name retrieved is ' VRPSCCMPR01.ad' with version '9040' and capabilities '<Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1"/><Property Name="SSLState" Value="63"/></Capabilities>'
MP ' VRPSCCMPR01.ad' is compatible
The MP name retrieved is ' VRPSCCMMS03.ad' with version '9040' and capabilities '<Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1"/><Property Name="SSLState" Value="63"/></Capabilities>'
MP ' VRPSCCMMS03.ad' is compatible
Retrieved 2 MP records from AD for site 'UCP'
No AAD tenants information found.
Persisted AAD on-boarding info.
FromAD: FSP = VRPSCCMRS01.ad
FromAD: command line = SMSSITECODE=UCP DNSSUFFIX=ad SMSMP= VRPSCCMPR01.ad CCMHOSTNAME= SCCMinternet.ad FSP= VRPSCCMRS01.ad
Local Machine is joined to an AD domain
Current AD forest name is ad, domain name is ad
Domain joined client is in Intranet
CMPInfoFromADCache requests are throttled for 00:59:59
Found MP https://VRPSCCMPR01.ad from AD
Found MP https://VRPSCCMMS03.ad from AD
Successfully refresh bootstrap information from AD.
Begin searching client certificates based on Certificate Issuers
Certificate Issuer 1 [CN=ad-VRCA-CA; DC=ad; DC=yyyyyy; DC=xxxx; DC=aaa]
Certificate Issuer 2 [CN=XXXX Zzzzz Root Certificate Authority]
Analyzing 1 Chain(s) found
Chain has Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to [] issued by [CN=XXXX Zzzzz AD Certificate Authority-CA1; DC=ad; DC=yyyyyy; DC=xxxx; DC=aaa]
Chain has Certificate [Thumbprint 3D4FDAC359EF8DA12CDE84FA6C31237A00021FF7] issued to [CN=XXXX Zzzzz AD Certificate Authority-CA1, DC=ad, DC=yyyyyy, DC=xxxx, DC=aaa] issued by [CN=XXXX Zzzzz Root Certificate Authority]
Chain has Certificate [Thumbprint B60BA9406B1B7ADBF4848CE3DA0E977105C2ED92] issued to [CN=XXXX Zzzzz Root Certificate Authority] issued by [CN=XXXX Zzzzz Root Certificate Authority]
Based on Certificate Issuer 'CN=XXXX Zzzzz Root Certificate Authority' found Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to ' CZOHVCXSCP01.ad'
Begin validation of Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to ' CZOHVCXSCP01.ad'
CRL check enabled.
Verification of Certificate chain returned 80092013
Completed validation of Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to ' CZOHVCXSCP01.ad'
Analyzing 1 Chain(s) found
Chain has Certificate [Thumbprint 9A0520DB27147AF3D1E1727ED3D0FE7ACE8C7344] issued to [DC=Windows Azure CRP Certificate Generator] issued by [DC=Windows Azure CRP Certificate Generator]
Failed to get certificate subject name using type 6 [80092004]
Failed to get certificate subject name using type 3 [80092004]
Cannot get subject name for cert '9A0520DB27147AF3D1E1727ED3D0FE7ACE8C7344'. Ignoring it.
Analyzing 1 Chain(s) found
Chain has Certificate [Thumbprint 18515AAEC279159B14CD6A8439E5BF139306D6DB] issued to [CN=cxohiasharefile.mednet.xxxx.aaa, OU=Medical Information Technology Services (MITS), O="", STREET=, L=Los Angeles, S=California, PostalCode=90095, C=US] issued by [CN=InCommon RSA Server CA; OU=InCommon; O=Internet2; L=Ann Arbor; S=MI; C=US]
Chain has Certificate [Thumbprint F5FB01DEA6E59CA6DD057054F4A3FF72DDE1D5C6] issued to [CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, S=MI, C=US] issued by [CN=USERTrust RSA Certification Authority; O=The USERTRUST Network; L=Jersey City; S=New Jersey; C=US]
Chain has Certificate [Thumbprint 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E] issued to [CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US] issued by [CN=USERTrust RSA Certification Authority; O=The USERTRUST Network; L=Jersey City; S=New Jersey; C=US]
Skipping Certificate [Thumbprint 18515AAEC279159B14CD6A8439E5BF139306D6DB] issued to ' cxohiasharefile.mednet.ucla.edu' as root is 'CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US'
Completed searching client certificates based on Certificate Issuers ccmsetup 4/1/2021 12:49:40 PM 2796 (0x0AEC)
Begin to select client certificate
The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.
1 certificate(s) found in the 'MY' certificate store.
Only one certificate present in the certificate store.
Begin validation of Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to ' CZOHVCXSCP01.ad'
Allowing usage of CNG key storage.
The Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to ' CZOHVCXSCP01.ad' has 'Client Authentication' capability.
Completed validation of Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to ' CZOHVCXSCP01.ad'
Config file: C:\windows\ccmsetup\MobileClientUnicode.tcf
Client selected the PKI Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to 'CZOHVCXSCP01.ad'
Retry time: 10 minute(s) ""
Any idea what is going on?
Client Authentication Certificate: checked
Network Firewall: telnet commands passed successfully
Windows Firewall: OFF checked
Boundaries: correct
![83767-2021-04-01-12-06-47-boundaries.png][2]
Trying the url from IE locally on the Client and it works...
![83853-2021-04-01-16-23-21-ccm-client-url.png][1]
It seems the certificate is not getting picked!!
Thanks,
Dom
[1]: /answers/storage/attachments/83853-2021-04-01-16-23-21-ccm-client-url.png
[2]: /answers/storage/attachments/83767-2021-04-01-12-06-47-boundaries.png
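Added example, not part of the original post: a small triage script for a ccmsetup.log like the one above. It ties each chain-verification result to the certificate being validated and decodes the HRESULTs the log prints. The symbolic names are the standard ones from the Windows SDK headers; the function names and the `SAMPLE` excerpt (lines copied from the log in the post) are this example's own.

```python
import re

# Symbolic names from the Windows SDK headers (winerror.h, wbemcli.h).
HRESULT_NAMES = {
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",    # revocation server offline/unreachable
    0x80092004: "CRYPT_E_NOT_FOUND",             # object or property not found
    0x80070002: "ERROR_FILE_NOT_FOUND",          # Win32 error 2 as an HRESULT
    0x80041013: "WBEM_E_PROVIDER_LOAD_FAILURE",  # WMI provider failed to load
}

BEGIN = re.compile(r"Begin validation of Certificate \[Thumbprint ([0-9A-F]{40})\]")
CHAIN = re.compile(r"Verification of Certificate chain returned ([0-9A-Fa-f]{8})")
# Failure HRESULTs printed as 0xNNNNNNNN or [NNNNNNNN]; the severity bit makes the first digit 8-F.
OTHER = re.compile(r"(?:0x|\[)([89A-Fa-f][0-9A-Fa-f]{7})")

def triage(log_text):
    """Return (chain_failures, other_codes) found in ccmsetup.log text."""
    thumb, crl = None, False
    chain_failures, other_codes = [], {}
    for line in log_text.splitlines():
        begin = BEGIN.search(line)
        if begin:                      # a new certificate is being validated
            thumb, crl = begin.group(1), False
        elif "CRL check enabled" in line:
            crl = True
        chain = CHAIN.search(line)
        if chain:
            code = int(chain.group(1), 16)
            if code:                   # a zero result would mean the chain verified
                chain_failures.append({
                    "thumbprint": thumb, "crl_check": crl,
                    "hresult": f"0x{code:08X}",
                    "name": HRESULT_NAMES.get(code, "unknown")})
            continue
        for m in OTHER.finditer(line):
            code = int(m.group(1), 16)
            other_codes[f"0x{code:08X}"] = HRESULT_NAMES.get(code, "unknown")
    return chain_failures, other_codes

# Excerpt of the log posted above, used as sample input.
SAMPLE = """\
Failed to get MDM_ConfigSetting instance, 0x80041013
Begin validation of Certificate [Thumbprint A761955E74FD4FC9DFA050E25B2CD6CECE94D9FD] issued to 'CZOHVCXSCP01.ad'
CRL check enabled.
Verification of Certificate chain returned 80092013
Failed to get certificate subject name using type 6 [80092004]
Failed to read assigned site code from registry. Error code = 0x80070002
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the only chain failure is `CRYPT_E_REVOCATION_OFFLINE` for the machine certificate with the CRL check enabled, which means the revocation check could not be completed rather than that the certificate was found revoked.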




