SCCM | Configuration Manager | Intune | Windows Forums


NEW CMG - Client install via Azure AD Authentication

tjwsysengineer

New Member
Has anyone utilized the Azure AD authentication option for installation of the Configuration Manager client? I don't have a public cert, so I don't think my internal CA PKI solution will work for off-premises devices that have never and maybe will never be on-prem to receive the cert through domain GPO and then trust it.

I've read that Azure AD authentication can be used as a solution to install the Config Mgr client for AAD joined devices, which the off-premises devices are.

"To install the Configuration Manager client on Windows devices using Azure Active Directory (Azure AD) authentication, integrate Configuration Manager with Azure AD. Clients can be on the intranet communicating directly with an HTTPS-enabled management point or any management point in a site enabled for Enhanced HTTP. They can also be internet-based communicating through the CMG or with an Internet-based management point. This process uses Azure AD to authenticate clients to the Configuration Manager site. Azure AD replaces the need to configure and use client authentication certificates."





<![LOG[Failed (0x80070057) to send location request to 'HOSTNAME.LOCATION.CLOUDAPP.AZURE.COM/CCM_Proxy_MutualAuth/72057594037927171'. StatusCode 200, StatusText '']LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17256" file="ccmhttplib.cpp:324">
<![LOG[Failed to send location message to 'HOSTNAME.LOCATION.CLOUDAPP.AZURE.COM/CCM_Proxy_MutualAuth/72057594037927171'. Status text '']LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17256" file="siteinfo.cpp:153">
<![LOG[GetDPLocations failed with error 0x80070057]LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17256" file="siteinfo.cpp:614">
<![LOG[Failed to get DP locations as the expected version from MP 'HOSTNAME.LOCATION.CLOUDAPP.AZURE.COM/CCM_Proxy_MutualAuth/72057594037927171'. Error 0x80070057]LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="2" thread="17256" file="ccmsetup.cpp:12274">
<![LOG[Cannot get client package location from CMG MP.]LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="1" thread="17256" file="ccmsetup.cpp:12037">
<![LOG[Client is not installed yet. Ignore all upgrade exclusion flags.]LOG]!><time="13:19:54.937+240" date="03-20-2023" component="ccmsetup" context="" type="1" thread="17256" file="setupenv.cpp:824">

I realized my testing omitted the S in HTTPS, which might have caused the error. Changing to HTTPS results in invalid CA errors. I thought this Azure AD Identity process worked around the need for certificates in the CMG configuration.

LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:57">
<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:58">
<![LOG[[CCMHTTP] : dwStatusInformationLength is 4
]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:59">
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x8
]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:60">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
]LOG]!><time="14:39:37.677+240" date="03-20-2023" component="ccmsetup" context="" type="3" thread="17112" file="ccmhttperror.cpp:76">
 
I managed to get things working by creating a policy in Intune, to push the internal CA root cert to client devices. I also needed the nocrlcheck to install the ccm client, since this is an internal certificate.

However, after successful client installation, it seems the test client is now failing because of a missing CRL. I thought the nocrl would bypass this, but perhaps that is solely for the client installation process. Certificate revocation verification is disabled on the CMG, according to the settings I find.

[Attached screenshots: SCCM_CMG_ERROR_01.png, SCCM_CMG_ERROR_02.png]
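As an added example (not from the thread and not Microsoft's tooling), a small Python parser for the CMTrace-format ccmsetup.log entries quoted above that also decodes the WinHTTP secure-failure bitmask: the 0x8 in the post is INVALID_CA, and a failed CRL check, which is what the client hits after install, would set 0x1 (CERT_REV_FAILED). The log excerpt and the CMG host name in it are constructed, not a real capture.

```python
import re
# ccmsetup.log (CMTrace format) entries look like
#   <![LOG[message]LOG]!><time="..." date="..." component="..." type="N" ...>
# where type 1 = info, 2 = warning, 3 = error; a message may contain newlines.
ENTRY_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
STATUS_RE = re.compile(r'\*lpvStatusInformation is (0x[0-9A-Fa-f]+)')
# WINHTTP_CALLBACK_STATUS_FLAG_* bits from winhttp.h. The post's 0x8 is INVALID_CA;
# a failed revocation (CRL) check surfaces as 0x1, CERT_REV_FAILED.
SECURE_FAILURE_FLAGS = {
    0x00000001: "CERT_REV_FAILED", 0x00000002: "INVALID_CERT",
    0x00000004: "CERT_REVOKED", 0x00000008: "INVALID_CA",
    0x00000010: "CERT_CN_INVALID", 0x00000020: "CERT_DATE_INVALID",
    0x00000040: "CERT_WRONG_USAGE", 0x80000000: "SECURITY_CHANNEL_ERROR",
}

def parse_cmlog(text):
    """Return one dict per entry: its attributes plus 'message', with type as int."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        attrs["type"] = int(attrs.get("type", "1"))
        attrs["message"] = m.group("msg").strip()
        entries.append(attrs)
    return entries

def decode_secure_failure(mask):
    """Expand a *lpvStatusInformation bitmask into WinHTTP flag names."""
    return [name for bit, name in sorted(SECURE_FAILURE_FLAGS.items()) if mask & bit]

def tls_failures(text):
    """(time, decoded flags) for every SECURE_FAILURE status value in a log excerpt."""
    found = []
    for e in parse_cmlog(text):
        m = STATUS_RE.search(e["message"])
        if m:
            found.append((e["time"], decode_secure_failure(int(m.group(1), 16))))
    return found

# Constructed excerpt in the page's format (placeholder CMG host, not a real capture).
SAMPLE = (
    "<![LOG[Failed (0x80070057) to send location request to 'CMG-PLACEHOLDER/CCM_Proxy_MutualAuth/1'."
    " StatusCode 200, StatusText '']LOG]!><time=\"13:19:54.937+240\" date=\"03-20-2023\""
    " component=\"ccmsetup\" context=\"\" type=\"3\" thread=\"17256\" file=\"ccmhttplib.cpp:324\">\n"
    "<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x9\n]LOG]!><time=\"14:39:37.677+240\""
    " date=\"03-20-2023\" component=\"ccmsetup\" context=\"\" type=\"3\" thread=\"17112\""
    " file=\"ccmhttperror.cpp:60\">\n"
)
```

Run `tls_failures` over the real ccmsetup.log to see at a glance whether a WINHTTP_CALLBACK_STATUS_SECURE_FAILURE is a trust-chain problem (INVALID_CA, fixed by pushing the root CA) or a revocation-check problem (CERT_REV_FAILED, the CRL reachability issue).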