Forum Discussion
Problems after upgrading SCCM from 1910 to 2002
we set up a testing environment for bitlocker purposes and because of new features for bitlocker we updated yesterday from 1910 to 2002. Update was done fine but now our 3 clients dont contact SCCM anymore.
we tried to install new ccm client manually but ccmsetup.log shows a lot of errors. After checking PKI we solved on problem and clients can request new certificates again (CRL error solved) but ccmsetup is still full of errors.
a quote:
The 'MY' of 'Local Computer' store has 2 certificate(s). Using custom selection criteria based on the machine name. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Machine name is 'PC14.corp.contoso.com'. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
There are no certificate(s) that meet the criteria. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Performing search that includes SAN2 extensions... ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Checking if certificate [Thumbprint A6DFB039061A840C88D29F2E24F8656812895EF4] issued to 'PC14.corp.contoso.com' is valid for ConfigMgr usage. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Begin validation of Certificate [Thumbprint A6DFB039061A840C88D29F2E24F8656812895EF4] issued to 'PC14.corp.contoso.com' ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Allowing usage of CNG key storage. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
The Certificate [Thumbprint A6DFB039061A840C88D29F2E24F8656812895EF4] issued to 'PC14.corp.contoso.com' has 'Client Authentication' capability. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Completed validation of Certificate [Thumbprint A6DFB039061A840C88D29F2E24F8656812895EF4] issued to 'PC14.corp.contoso.com' ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Checking if certificate [Thumbprint ABE4F896582BD9E9A5D97A738849ACDF9B838F5B] issued to 'PC14.corp.contoso.com' is valid for ConfigMgr usage. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Begin validation of Certificate [Thumbprint ABE4F896582BD9E9A5D97A738849ACDF9B838F5B] issued to 'PC14.corp.contoso.com' ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Allowing usage of CNG key storage. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
The Certificate [Thumbprint ABE4F896582BD9E9A5D97A738849ACDF9B838F5B] issued to 'PC14.corp.contoso.com' has 'Client Authentication' capability. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Completed validation of Certificate [Thumbprint ABE4F896582BD9E9A5D97A738849ACDF9B838F5B] issued to 'PC14.corp.contoso.com' ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
>>> Client selected the PKI Certificate [Thumbprint A6DFB039061A840C88D29F2E24F8656812895EF4] issued to 'PC14.corp.contoso.com' ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Raising pending event:
instance of CCM_ServiceHost_CertRetrieval_Status
{
ClientID = "GUID:156C4B85-650F-4B4D-BE8D-8FC184C54976";
DateTime = "20200415114602.806000+000";
HRESULT = "0x00000000";
ProcessID = 6620;
ThreadID = 6588;
};
ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Successfully submitted pending event to WMI. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
ccmsetup: Host=CM1.corp.contoso.com, Path=/ccm_system/request, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x4100, Options=0x1f ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Created connection on port 443 ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Trying without proxy. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Both AAD token auth and client PreAuth are not ready. Cannot get CCM token ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Client doesn't have PKI issued cert and cannot get CCM access token. Error 0x8000ffff ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
[CCMHTTP] ERROR: URL=https://CM1.corp.contoso.com/ccm_system/request, Port=443, Options=31, Code=0, Text=CCM_E_NO_TOKEN_AUTH ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:156C4B85-650F-4B4D-BE8D-8FC184C54976";
DateTime = "20200415114602.962000+000";
HostName = "CM1.corp.contoso.com";
HRESULT = "0x87d00455";
ProcessID = 6620;
StatusCode = 403;
ThreadID = 6588;
};
ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Status Agent hasn't been initialized yet. Attempting to create pending event. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Raising pending event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:156C4B85-650F-4B4D-BE8D-8FC184C54976";
DateTime = "20200415114602.962000+000";
HostName = "CM1.corp.contoso.com";
HRESULT = "0x87d00455";
ProcessID = 6620;
StatusCode = 403;
ThreadID = 6588;
};
ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Successfully submitted pending event to WMI. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Failed (0x87d00455) to send location request to 'CM1.corp.contoso.com'. StatusCode 403, StatusText 'Forbidden' ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Failed to send location message to 'https://CM1.corp.contoso.com'. Status text 'Forbidden' ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
GetDPLocations failed with error 0x87d00455 ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Failed to get DP locations as the expected version from MP 'https://CM1.corp.contoso.com'. Error 0x87d00455 ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Sending state '101'... ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0 ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
[5.00.8913.1012] Params to send '5.0.8968.1014 Deployment Error: 0x0, ' ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
A Fallback Status Point has not been specified and no client was installed. Message with STATEID='101' will not be sent. ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Failed to send status 101. Error (87D00215) ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
Next retry in 10 minute(s)... ccmsetup 15.04.2020 13:46:02 6588 (0x19BC)
CCMSETUP bootstrap from Internet: 0 ccmsetup 15.04.2020 13:56:02 6588 (0x19BC)
Current AD forest name is corp.contoso.com, domain name is corp.contoso.com LocationServices 15.04.2020 13:56:02 6588 (0x19BC)
Domain joined client is in Intranet LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
Current AD site of machine is Default-First-Site-Name LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
DHCP entry points already initialized. LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
Begin checking Alternate Network Configuration LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
Finished checking Alternate Network Configuration LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
Adapter {A326668B-B0AF-436B-A37A-702FACCBD56A} is DHCP enabled. Checking quarantine status. LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
Adapter {A6EFB301-F50C-4AD4-BAFE-35389BF1686E} is DHCP enabled. Checking quarantine status. LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
Adapter {BD9C5FEF-8AD9-43F2-8748-258BEA19DBA4} is DHCP enabled. Checking quarantine status. LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
Adapter {2D673774-A210-4C3C-ACA5-10C17F9D9175} is DHCP enabled. Checking quarantine status. LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
Adapter {AAC1183F-40B2-4D83-A2E1-36E2D8B85DCC} is DHCP enabled. Checking quarantine status. LocationServices 15.04.2020 13:56:03 6588 (0x19BC)
Sending message body '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1">
<AssignedSite SiteCode="CHQ"/>
<ClientPackage RequestForLatest="0" DeploymentFlags="4098"/>
<ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0">
<ADSite Name="Default-First-Site-Name"/>
<Forest Name="corp.contoso.com"/>
<Domain Name="corp.contoso.com"/>
<IPAddresses>
<IPAddress SubnetAddress="10.0.0.0" Address="10.0.0.108"/>
</IPAddresses>
</ClientLocationInfo>
</ContentLocationRequest>
' ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Sending location request to 'CM1.corp.contoso.com' with payload '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1">
<AssignedSite SiteCode="CHQ"/>
<ClientPackage RequestForLatest="0" DeploymentFlags="4098"/>
<ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0">
<ADSite Name="Default-First-Site-Name"/>
<Forest Name="corp.contoso.com"/>
<Domain Name="corp.contoso.com"/>
<IPAddresses>
<IPAddress SubnetAddress="10.0.0.0" Address="10.0.0.108"/>
</IPAddresses>
</ClientLocationInfo>
</ContentLocationRequest>
' ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
MapNLMCostDataToCCMCost() returning Cost 0x1 ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Failed to enumerate instances of the CCM_NetworkSettings class. Error = 0x80041013 ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Client is not on internet ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Client is set to use webproxy if available. ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Using the certificate [Thumbprint A6DFB039061A840C88D29F2E24F8656812895EF4] issued to 'PC14.corp.contoso.com'. ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
ccmsetup: Host=CM1.corp.contoso.com, Path=/ccm_system/request, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x4100, Options=0x1f ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Created connection on port 443 ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Trying without proxy. ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Both AAD token auth and client PreAuth are not ready. Cannot get CCM token ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Client doesn't have PKI issued cert and cannot get CCM access token. Error 0x8000ffff ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
[CCMHTTP] ERROR: URL=https://CM1.corp.contoso.com/ccm_system/request, Port=443, Options=31, Code=0, Text=CCM_E_NO_TOKEN_AUTH ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:156C4B85-650F-4B4D-BE8D-8FC184C54976";
DateTime = "20200415115603.357000+000";
HostName = "CM1.corp.contoso.com";
HRESULT = "0x87d00455";
ProcessID = 6620;
StatusCode = 403;
ThreadID = 6588;
};
ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Status Agent hasn't been initialized yet. Attempting to create pending event. ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Raising pending event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:156C4B85-650F-4B4D-BE8D-8FC184C54976";
DateTime = "20200415115603.357000+000";
HostName = "CM1.corp.contoso.com";
HRESULT = "0x87d00455";
ProcessID = 6620;
StatusCode = 403;
ThreadID = 6588;
};
ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Successfully submitted pending event to WMI. ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Failed (0x87d00455) to send location request to 'CM1.corp.contoso.com'. StatusCode 403, StatusText 'Forbidden' ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Failed to send location message to 'https://CM1.corp.contoso.com'. Status text 'Forbidden' ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
GetDPLocations failed with error 0x87d00455 ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Failed to get DP locations as the expected version from MP 'https://CM1.corp.contoso.com'. Error 0x87d00455 ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Failed to find DP locations from MP 'https://CM1.corp.contoso.com' with error 0x87d00455, status code 403. Check next MP. ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Only one MP https://CM1.corp.contoso.com is specified. Use it. ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Have already tried all MPs. Couldn't find DP locations. ccmsetup 15.04.2020 13:56:03 6588 (0x19BC)
Attached both ccmsetup.log from 1910 and 2002, because of log and txt restrictments as PDF. May anybody knows what to do?
michaelgibson I had same issue, it resolved after adding https to MP parmater, eg., SMSMP=httpS://<ServerName> SMSSITECODE=<sitecode> /mp:httpS://<sitecode>
16 Replies
I'm seeing the same thing on a few of our clients during the client upgrade (both Windows 10 and server). This has happened using our internal MP and removing the client fully and pointing them to our CMG which has a valid GoDaddy certificate on and both have exactly the same issue.
I've worked around this issue after trying lots of different things including client removal/clean/cert/registry deletion etc. with no luck. Because we have a CMG I mentioned I also tried the token install which failed with exactly the same error but the following got the client to install against our internal MP:
1. Uninstall client
2. Try installing client with the token command line (will fail)
3. Uninstall client again. This takes ages as if you watch the ccmsetup.log you can see it cycling through trying to connect multiple times before it finally tries to remove it
4. Run the old SCCM ccmclean utility
5. Delete SMS certs from the store
6. Install the client using local files
There will probably be other combinations that get this to work more efficiently (may not need the local files) but I just needed to get these couple of servers fixed.
Who knows what MS have done to break ccmsetup but I hope they fix it soon.
michaelgibson I had same issue, it resolved after adding https to MP parmater, eg., SMSMP=httpS://<ServerName> SMSSITECODE=<sitecode> /mp:httpS://<sitecode>
amensch1100 It looks like the client selects its authentication certificate just fine, but then fails to connect to the /ccm_system/request path on its Management point. The associated error ("Forbidden") indicates that either the client doesn't trust the MP's SSL certificate, or the MP doesn't trust the client's authentication certificate.
amensch1100 I have the same exact issue, did you ever resolve this?
hman_advancelocal No, unfortunately not.
