failed to get client certificate for transportation error 0x87d00215

Apr 11 2023 08:00 AM - Apr 12 2023 11:00 AM (PDT), Cloud Management Gateway for Azure AD Hybrid Joined Windows 10 Workstations, Microsoft Intune and Configuration Manager, https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/setup-cloud-management-gateway, Re: Cloud Management Gateway for Azure AD Hybrid Joined Windows 10 Workstations. 6/15/2017 12:24:47 AM 2680 (0x0A78) GetSSLCertificateContext failed with error 0x87d00280 ccmsetup If I use a Client certificate instead, the PFX I used to create the CMG, it has a failure on two steps. Retrieved 0 MP records from AD for site '101'ccmsetup01/03/2019 16:38:072612 (0x0A34) tnmff@microsoft.com. Sign in ', Begin validation of Certificate [Thumbprint 6A5230A9641239E4489CA42559685F7358C8A0BB] issued to 'PTW01CISWB001. My MP and SUP are on the same server. ', Begin validation of Certificate [Thumbprint E570B76528BE092F69297AEFB668FDC80DD28CBB] issued to 'PTW01CISWB001. Begin searching client certificates based on Certificate Issuersccmsetup01/03/2019 16:38:072612 (0x0A34) Installation and configuration of the Distribution Point role is indeed handled by the SMS_DISTRIBUTION_MANAGER component, which runs on the site server, but it doesn't need IIS installed on the site server itself for that. ', Based on Certificate Issuer 'domainname Enterprise Root 01i001' found Certificate [Thumbprint C5CC8BED3777E7CE200257275E3F63E537D84ECA] issued to 'PTW01CISWB001. OS is not Win10RS3+, ENDOK. and highlight your SCCM server then right click and choose "Client Installation Settings" > Client Push Installation and click on the tab called Installation Properties you can add the MP server and site code in there. 1. If you go to this location in the SCCM Console: Administration\Overview\Site Configuration\Sites. Distribution Manager also requires that IIS Web Services be installed on the Distribution Point Server that needs to support Background Intelligent Transfer Service (BITS)? Failed to get client version for sending state messages. ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Uninstall Symantec Management Agent, refresh client in Microsoft Endpoint Configuration Manager console and the client immediately goes offline. CcmSetup failed with error code 0x87d00454, Configuration Manager (Current Branch) Site and Client Deployment. Only one MP HTTPS://winsccm.testlab.com Opens a new window is specified. @alexandertuvstromThe Web Server role (IIS, with a couple of specific role services enabled) only needs to be installed on the Distribution Point server, not on the site server. dism.exe /online /norestart /enable-feature /ignorecheck /featurename:"IIS-WebServerRole" /featurename:"IIS-WebServer" /featurename:"IIS-CommonHttpFeatures" /featurename:"IIS-StaticContent" /featurename:"IIS-DefaultDocument" /featurename:"IIS-DirectoryBrowsing" /featurename:"IIS-HttpErrors" /featurename:"IIS-HttpRedirect" /featurename:"IIS-WebServerManagementTools" /featurename:"IIS-IIS6ManagementCompatibility" /featurename:"IIS-Metabase" /featurename:"IIS-WindowsAuthentication" /featurename:"IIS-WMICompatibility" /featurename:"IIS-ISAPIExtensions" /featurename:"IIS-ManagementScriptingTools" /featurename:"MSRDC-Infrastructure" /featurename:"IIS-ManagementService". MPs:ccmsetup01/03/2019 16:38:072612 (0x0A34) It is obvious that later versions/fixes of configuration manager have not solved this problem. Use it. CCMHTTPSCERTNAME: ccmsetup01/03/2019 16:38:072612 (0x0A34) I had also faced issue in upgrading SCCM Site server from 1806 to 1810 but not the same error which you received , however I checked above 2 log files and got the root cause. SuiteMask = 272. MapNLMCostDataToCCMCost() returning Cost 0x1 ) GetHttpRequestObjects failed for verb: 'CCM_POST', url: 'HTTPS://winsccm.testlab.com/ccm_system/request Opens a new window' ccmsetup 6/15/2017 12:24:47 AM 2680 (0x0A78) I decided to let MS install the 22H2 build. IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070002. Error 0x87d00454 Sending location request to 'SCCM-Server-Dan.cork.local' with payload ' Error 0x87d00281" from around when I powered on the workstation. /config:MobileClient.tcf ccmsetup 6/15/2017 9:50:35 PM 3220 Does my CMG connection point need to be Azure AD Hybrid Joined in order to use Azure AD for client authentication? The Select First Certificate registry entry was set to OFF so a certificate cannot be selected. Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. ccmsetup 6/15/2017 9:50:35 PM 2320 (0x0910) SOLVED Application installing but failing on any detection method added, uninstall works fine with no errors MSI properties: CCMCERTISSUERS="CN=SCCM-Server-Dan.cork.local" CCMCERTSTORE="MY" CCMFIRSTCERT="1" CCMHTTPPORT="80" CCMHTTPSPORT="443" CCMHTTPSSTATE="63" CCMPKICERTOPTIONS="1" 2680 (0x0A78) [DESKTOP-TM866AV] Running on 'Microsoft Windows 10 Pro' (10.0.10240). ', Completed validation of Certificate [Thumbprint BC0B3996CCDBED300F78A7A9A1EEFC32BCEA8EAE] issued to 'PTW01CISWB001. MPs: ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Deployment status for the update Group/collection was in unknown. Performing AD query: Already on GitHub? Unable to find any Certificate based on Certificate Issuers [] Params to send '5.0.8740.1024 Deployment Error: 0x0, 'ccmsetup01/03/2019 16:38:072612 (0x0A34) I have a new built SCCM(MP,DP,SUP)(forestA), I have a remote DP on the other forest(forestB). Error 0x87d00282. Error 0x8004100e. Current AD site of machine is Default-First-Site-NameLocationServices01/03/2019 16:38:072612 (0x0A34) Error 0x87d00215 It has been sent. Sharing best practices for building any app with .NET. No version of the client is currently detected. Best practices and the latest news on Microsoft FastTrack, The employee experience platform to help people thrive at work, Expand your Azure partner-to-partner network, Bringing IT Pros together through In-Person & Virtual events. Error 0x87d00282 "go to client computer communication and set the "Action to take if multiple certificates match criteria" to "Select the certificate with the longest validity period", has been set, a long time ago, I also tried turning it off for a few hours and back on, no difference. Error 0x87d00282. ccmsetup 6/15/2017 Error 0x8004100e ccmsetup 6/15/2017 9:50:24 PM 4140 (0x102C) 02:26 PM Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0ccmsetup01/03/2019 16:38:072612 (0x0A34) 16:38:072612 (0x0A34) Ccmsetup command line: "C:\Windows\ccmsetup\ccmsetup.exe" /runservice Next retry in 10 minute(s)ccmsetup01/03/2019 16:38:072612 (0x0A34), Some more guidance would be greatly appreciated. Failed to find DP locations from MP 'HTTPS://winsccm.testlab.com Opens a new window' with error 0x87d00280, status code 200. FromAD: command line = SMSSITECODE=101 CCMFIRSTCERT=1 CCMCERTSTORE=MYccmsetup01/03/2019 16:38:072612 (0x0A34) Folder 'Microsoft\Microsoft\Configuration Manager' not found. Software Center loads with a blank window. ccmsetup01/03/2019 16:38:072612 (0x0A34) Actually you're right, I get the same error when using the Go http client to make the request so Chrome knows the CA but not Go so it looks like the CA is not loaded properly as you said. 02:27 PM. lookup for command line parameters is required. This is what I am getting now. By clicking Sign up for GitHub, you agree to our terms of service and LocationServices 8/9/2019 11:00:29 AM 212 (0x00D4). Error (87D00215) ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) privacy statement. Failed to connect to policy namespace. As of 29th Jan 2019. Could you share the screenshot of the deployment status on your SUG and the WUAHandler.log file on the clients? Begin to select client certificate ccmsetup 6/15/2017 12:24:47 AM SiteVersion: ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Successfully deleted task 'Configuration Manager Client Retry Task'ccmsetup01/03/2019 16:38:072612 (0x0A34) I just completed a new SCCM Primary Site installation for a customer who has a requirement of HTTPS communication only. Searching for DP locations from MP(s)ccmsetup01/03/2019 16:38:072612 (0x0A34) @alexandertuvstromIIS is *NOT* required on the site server, unless that site server itself hosts one of the roles that require IIS (such as the MP, DP or SUP role). ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Folder 'Microsoft\Microsoft\Configuration Manager' not found. Similar thread for your reference, the issue is due to access privileges. Failed to get client version for sending state messages. ', Based on Certificate Issuer 'domainname Enterprise Root 01i001' found Certificate [Thumbprint 4E67BDA515464DE0C651562D0ABBAE688F7B7510] issued to 'PTW01CISWB001. ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Begin checking Alternate Network Configuration ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Finished checking Alternate Network Configuration ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Current AD forest name is testlab.com, domain name is testlab.com ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Domain joined client is in Intranet ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Current AD site of machine is Default-First-Site-Name ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Attempting to query AD for assigned site code ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Performing AD query: '(&(ObjectCategory=MSSMSRoamingBoundaryRange)(|(&(MSSMSRangedIPLow<=3232240486)(MSSMSRangedIPHigh>=3232240486))))' ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Performing AD query: '(&(ObjectCategory=mSSMSSite)(|(mSSMSRoamingBoundaries=192.168.19.0)(mSSMSRoamingBoundaries=Default-First-Site-Name)))' ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Failed to get assigned site from AD. Client OS Version 6.2 Service Pack 0.0 ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) ccmsetup 6/15/2017 9:50:35 PM 3220 ccmsetup 6/15/2017 9:50:35 PM 2320 (0x0910) CCMHTTPSCERTNAME: ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Error 0x87d00215ccmsetup01/03/2019 16:38:072612 (0x0A34) Error 0x87d00215. Task does Distribution Manager requires that IIS base components be installed on the local Configuration Manager Site Server in order to create the virtual directory? Command line: "C:\Windows\ccmsetup\ccmsetup.exe" /runservice ccmsetup01/03/2019 16:38:072612 (0x0A34) but if I scroll up enough in the log I do find an error "Failed to get client certificate for transportation. If you have any questions in future, we welcome you to post in Microsoft Q&A forum again. None ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) I had installed adminconsole.msi which was failed during installation. Failed to revoke client upgrade local policy. Get our latest recommendations, advice and offers direct to your inbox. I have my CMG setup and a handful of Azure AD Hybrid Joined Windows 10 Workstations (1809 and 1903) are getting a Client Setting to use the CMG. Retrieved 0 MP records from AD for site '001' ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Failed to send status 100. LocationServices 8/9/2019 11:00:28 AM 212 (0x00D4), 3 internet MP errors in the last 10 minutes, threshold is 5. Error 0x8004100e ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) MapNLMCostDataToCCMCost() returning Cost 0x1ccmsetup01/03/2019 16:38:072612 (0x0A34) Please try again later. The same settings worked for windows 10 machine but I am not sure why this is not working for windows 7 system. FSP: ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Command line: "C:\Windows\ccmsetup\ccmsetup.exe" /runservice /ignoreskipupgrade /config:MobileClient.tcfccmsetup01/03/2019 16:38:072612 (0x0A34) When I push client installation I received below logs: ccmsetup is shutting down ccmsetup 6/15/2017 9:50:20 PM 4140 (0x102C) RegTask: Failed to get certificate. @Kirk FrancisDid you ever get an answer to this? I'm excited to be here, and hope to be able to contribute. ', Begin validation of Certificate [Thumbprint B2400DEC508EBAACE84613AE21A33F4F59683BD0] issued to 'PTW01CISWB001. Jason | https://home.configmgrftw.com | @jasonsandys. ccmsetup01/03/2019 16:38:072612 (0x0A34) I'm not great with ConfigMgr logs but ADALOperationProvider.log on the endpoint comes up with "Getting AAD (device) token" with the client ID, ResourceURL, and AccountID every so often but I don't see any errors. ccmsetup01/03/2019 16:38:072612 (0x0A34) windows 11 deplyment is failed via sccm (sccm version:2111) and getting this error "Getupdate -failed to get targated update error= 0x87d00215 in updatedeployment.log. The SCCM client installation fails with below error shown in ccmsetup.log file. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you. Certificate Issuer 1 [CN=SCCM-Server-Dan.cork.local]ccmsetup01/03/2019 16:38:072612 (0x0A34) Completed searching client certificates based on Certificate Issuersccmsetup01/03/2019 16:38:072612 (0x0A34) Status code is '401' and status description is 'CMGConnector_Unauthorized'. ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) ccmsetup01/03/2019 16:38:072612 (0x0A34) UseAzure="1" DPTokenAuth="1" UseInternetDP="0"> \\WINSCCM.TESTLAB.COM\SMSClient ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) ccmsetup01/03/2019 16:38:072612 (0x0A34) Task does not exist. The management point returned the following error: 'Unauthorized'. Go to C:\Windows\System32\GroupPolicy\Machine and delete Registry.pol. Task does not exist. Local Machine is joined to an AD domainccmsetup01/03/2019 16:38:072612 (0x0A34) Do you have enough disk space on the remote DP? Source List:ccmsetup01/03/2019 16:38:072612 (0x0A34) CCMHTTPPORT: 80 ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) ', Based on Certificate Issuer 'domainname Enterprise Root 01i002' found Certificate [Thumbprint BC0B3996CCDBED300F78A7A9A1EEFC32BCEA8EAE] issued to 'PTW01CISWB001. ccmsetup 6/15/2017 12:24:47 AM 2680 (0x0A78) It may not display this or other websites correctly. Are you sure that your issue is exactly as mentioned in that thread? [CCMHTTP] ERROR: URL=https://SCCM-Server-Dan.cork.local/ccm_system/request, Port=0, Options=63, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERTccmsetup01/03/2019 16:38:072612 (0x0A34) Thank you very much for your feedback and sharing. Check if certificate chain for the client certificate is specified to upload to the CMG service and check revocation check setting.". Sign up for a free GitHub account to open an issue and contact its maintainers and the community. Retry time: 10 minute(s)ccmsetup01/03/2019 16:38:072612 (0x0A34) Failed to get DP locations as the expected version from MP 'HTTPS://winsccm.testlab.com' Opens a new window. SCCM Software Updates not installing to endpoints, that SCCM site server computer account are in the Local. Config file: C:\Windows\ccmsetup\MobileClientUnicode.tcf ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Can you share with us a screenshot of your: I think the issue might be resolved but I do have a question can you have overlaping boundaries and boundary groups with mutiple SCCM standalone servers. The same certificate loads perfectly fine with the Go http server as per the screenshot above so it looks like the certificate is correct. Get the ip of the client, go and check how the boundary is set up, if it's an ad site then make sure it has the clients subnet accounted for. From previous experience, I know that I should check client certificate selection settings to confirm that the client should select the certificate with the longest validity period. ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) ', Based on Certificate Issuer 'domainname Enterprise Root 01i002' found Certificate [Thumbprint B2400DEC508EBAACE84613AE21A33F4F59683BD0] issued to 'PTW01CISWB001. No AAD tenants information found. installed. Possible cause can be the distribution Manager requires that IIS base components be installed on the local Configuration Manager Site Server in order to create the virtual directory. Installation files will be reset and downloaded again. However a distribution point could not be located. Error: Conn.resetTransport failed to create client transport: connection error: desc = "transport: x509: certificate signed by unknown authority" I know the certificate is valid, verified by running a simple Go http server: Client is set to use webproxy if available. However, we had an error in some of the logs, that we couldn't really pinpoint Failed to get AAD token. 01:44 PM. LocationServices 8/9/2019 10:44:28 AM 9416 (0x24C8), 0 internet MP errors in the last 10 minutes, threshold is 5. It was our own darn fault. Begin searching client certificates based on Certificate Issuersccmsetup01/03/2019 16:38:072612 (0x0A34) Normally, ccmsetup service will stop automatically after the client installed successfully or completely failed, in your situation, the installation failed because of the client package is not distributed to DP, so it will keep retrying for 7 days unless we stop it manually. ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) I would try adding the client IP Subnet to your boundary list and then maybe the client will see the "source" to download all of the files it needs. ', Completed validation of Certificate [Thumbprint C5CC8BED3777E7CE200257275E3F63E537D84ECA] issued to 'PTW01CISWB001. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. Hopefully, you have as simple a fix. 6/15/2017 9:50:35 Finding certificate by issuer chain returned error 80092004ccmsetup01/03/2019 16:38:072612 (0x0A34) SuiteMask = 272. Please find the below Prajwal Desai link to upgrade SCCM 1810. https://www.prajwaldesai.com/sccm-1810-upgrade-guide - Maybe helpful. If it's an ip range, make sure it falls within the range. 0x8004100e The 'Certificate Selection Criteria' was not specified, counting number Failed to connect to machine policy namespace. MANAGEDINSTALLER: 0ccmsetup01/03/2019 16:38:072612 (0x0A34) You can post now and register later. Looking at registry settings from other clients that use HTTPS and are working I can see the following Dword. 'ccmsetup01/03/2019 16:38:072612 (0x0A34) If I use the Cloud management Gateway connection analyzer with an Azure AD user sign in, it fails on the "Testing the CMG channel for management point: 'thenameoftheMP'" step with the following error: Failed to get ConfigMgr token with Azure AD token. The tlsConfig is initialised exactly the same for grpc, the certificate is returned using the GetCertificate method of *tls.Config. So, first interaction here, so if more is needed, or if I am doing something wrong, I am open to suggestions or guidance with forum ettiquette. In ServiceMain ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) ccmsetup 6/15/2017 12:24:47 AM 2680 (0x0A78) ccmsetup 6/15/2017 [WINDOWS10X64] Running on 'Microsoft Windows 10 Enterprise 2016 LTSB' Version="1" />'ccmsetup01/03/2019 Next retry in 10 minute(s) ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94). IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070002. PM 3220 (0x0C94) And what are the pros and cons vs cloud based? Updated security on object C:\Windows\ccmsetup\cache\. Source \\winsccm.testlab.com\SMSClient is inaccessible (67) ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Product Type = 18ccmsetup01/03/2019 16:38:072612 (0x0A34) OS is not Win10RS3+, ENDOK. CcmSetup version: 5.0.8740.1024ccmsetup01/03/2019 16:38:071124 (0x0464) I used a third party certificate from a public and globally trusted certificate provider for the CMG server authentication certificate. Error 0x80004005 ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)No valid source or MP locations ccmsetup 6/16/2017 9:09:51 PM 432 (0x01B0)Failed to read assigned site code from registry. Defaulting to state of 63.ccmsetup01/03/2019 16:38:072612 (0x0A34) ', Based on Certificate Issuer 'domainname Enterprise Root 01i001' found Certificate [Thumbprint 259ECEA46C3DAC33F0B5838C5B82E36B1BD872E3] issued to 'ptw01ciswb001. @alexandertuvstrom The Web Server role (IIS, with a couple of specific role services enabled) only needs to be installed on the Distribution Point server, not on the site server.Installation and configuration of the Distribution Point role is indeed handled by the SMS_DISTRIBUTION_MANAGER component, which runs on the site server, but it doesn't need IIS installed on the site server itself for . I wrote that he would review pre-reqs on DP and site server? Detected 33121 MB free disk space on system drive. Site server properties are set ccmsetup01/03/2019 16:38:072612 (0x0A34) Source List: ccmsetup 6/15/2017 9:50:35 PM 3220 (0x0C94) Ccmsetup is being restarted due to an administrative action. There are at least 2 certificates valid for ConfigMgr usage that meet the selection criteria. to your account. MEM clients go offline after Altiris / Symantec Management Agent get uninstalled Save my name, email, and website in this browser for the next time I comment. Can you verifythat SCCM site server computer account are in the Local Administrators group on the server where DP role is to be installed? 9:50:35 PM 3220 (0x0C94) ccmsetup I am currently testing software update deployment on my setup and upon checking to my testing client computer, the computer won't update. force to run a cycle from the client workstation and it will say compliant. MSI log file: C:\Windows\ccmsetup\Logs\client.msi.logccmsetup01/03/2019 16:38:072612 (0x0A34) Folder 'Microsoft\Microsoft\Configuration Manager' not found. What are some of the best ones? You may correct me but theDistribution Manager requires that IIS base components be installed on the local Configuration Manager Site Server in order to create the virtual directory?

Tom Rennie Portland, Colorado Golf Club General Manager, Articles F