Forum Discussion
DavidB2390
Nov 07, 2023 · Copper Contributor
AAD devices can't communicate with the CMG
Hybrid domain joined computers can e.g. download software from the CMG but AAD computers can't.
The AAD devices have the root and intermediate certs installed via PKI, and as a test I installed the actual CMG cert (from the Windows Certificate Authority service) on an AAD device and checked that the certificate chain is OK for the device. The root and intermediate certs were also specified when creating the CMG. The connection analyser shows green ticks everywhere.
The site is HTTPS only and we use certificates on all devices. The CMG has been recreated from scratch using a scale set and with new app registrations, and we use a CNAME DNS entry to map to the Azure CMG DNS name.
The devices appear to install ok via autopilot co-management using this script:
CCMSETUPCMD="CCMHOSTNAME=ourcmg.company.com/CCM_Proxy_MutualAuth/xxx57594037927xxx SMSSiteCode=555"
The main errors are these in the CcmMessaging log:
Failed to get CCM access token while token auth is required. Error 0x87d00231
[CCMHTTP] ERROR: URL=https://ourcmg.company.com/CCM_Proxy_MutualAuth/xxx57594037927xxx/ccm_system/request, Port=443, Options=448, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE
Post to https://ourcmg.company.com/CCM_Proxy_MutualAuth/xxx57594037927xxx/ccm_system_windowsauth/request failed with 0x87d00231.
Thanks for any ideas - the case has been with Microsoft support for weeks and no answer as yet.
1 Reply
rahuljindal-MVP · Bronze Contributor
DavidB2390, if you are using PKI certs then the same will be preferred over token-based auth. Your issue does appear to be related to certs missing on the endpoints, particularly client auth. I will start by checking there.
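The following PowerShell script is an added example, not code from either poster or from Microsoft. It performs the check the reply suggests on an affected AAD-joined device: it lists every certificate in the machine store that carries the Client Authentication EKU, reports whether each one has a private key and builds a chain, then tests a plain TLS handshake to the CMG CNAME quoted in the question (`ourcmg.company.com`, an assumed value to replace with your own) and tails the CcmMessaging.log lines that match the error codes from the post. Run it elevated; it reads local stores and logs and opens one outbound TLS connection, nothing else.

```powershell
# Added diagnostic script (not from the thread). Run elevated on the AAD-joined client.
# $CmgHost is the CMG CNAME quoted in the original post; adjust it for your site.
$CmgHost       = 'ourcmg.company.com'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID for Client Authentication

# 1. Certificates in LocalMachine\My that carry the Client Authentication EKU.
#    A PKI-authenticated client needs one of these with a usable private key.
$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}
if (-not $clientCerts) {
    Write-Warning 'No certificate with the Client Authentication EKU in LocalMachine\My.'
}
foreach ($cert in $clientCerts) {
    # Build the chain with the device's own trust store; revocation is skipped so an
    # unreachable CRL does not hide a missing root or intermediate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($cert)
    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ChainBuilds   = $builds
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# 2. TLS handshake with the CMG using the default (strict) certificate validation.
#    A failure here is the same class of problem the client logs as
#    ERROR_WINHTTP_SECURE_FAILURE. Only the server chain is checked; this does not
#    present a client certificate, so it cannot prove the CMG accepts yours.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($CmgHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($CmgHost)
    $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    $san = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    "TLS OK. Server cert subject: $($remote.Subject); issuer: $($remote.Issuer)"
    'SAN: ' + $(if ($san) { $san.Format($false) } else { '<none>' })
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    Write-Warning "TLS handshake to $CmgHost failed: $($_.Exception.GetBaseException().Message)"
}

# 3. Most recent CcmMessaging.log lines matching the errors quoted in the post.
$log = Join-Path $env:windir 'CCM\Logs\CcmMessaging.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern '0x87d00231|ERROR_WINHTTP_SECURE_FAILURE|Code=12175' |
        Select-Object -Last 10 -ExpandProperty Line
} else {
    Write-Warning "Log not found: $log"
}
```

The CNAME matters in step 2: the server certificate's SAN output must contain the name the client was given in CCMHOSTNAME, otherwise strict validation fails even though the chain itself is trusted. In step 1, a certificate that lists `HasPrivateKey = False` or a non-empty `ChainStatus` is the kind of endpoint-side gap the reply points at.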