CMG setup with Internal PKI for AAD join devices

Question

Hi Anoop,

I am trying to set up CMG in my lab with an internal CA (used only for CMG server authentication). The devices are AAD joined and I am testing co-management.
MP is on E-HTTP.

CMG is properly configured without any issue, and there are no errors in cloudmgr.log or the proxy log.

However, installing the SCCM client manually or as a Win32 app fails.
I followed “https://eskonr.com/2019/12/using-intune-to-install-configmgr-client-as-win32-app-with-local-source-files-without-downloading-from-cmg/”

I have deployed the root CA with Intune to the AAD devices.
While installing, the client tries to download the client from the CMG server, and it fails during the process. It is pretty slow. I am not sure why it is trying to download setup from CMG, as I am providing the complete media in the command line.

Another thing: do I need to create a CNAME record to route my public domain kascmg.kastest.tech to the CMG server? I think not, as I am using internal PKI and I have provided the CN and DNS name in the cert (CMG server FQDN).

Do I need to add the root CA in the CMG revocation check in the CMG configuration wizard as well?

I have set up an enterprise CA in my test lab.

Please guide

Thanks,
kashif

Answer ( 1 )

  1. I can’t comment on Eswar’s script because I have never used it. But I don’t think there is any relation between the PS script and the error.

    0x8004100e – Invalid namespace – Source: Windows Management (WMI)
    0x87d00281 – No certificate matching criteria specified. Source: System Center Configuration Manager

    Failed to get client certificate for transportation. Error 0x87d00281
    GetSSLCertificateContext failed with error 0x87d00281
    Params to send ‘5.0.9058.1047 Deployment Error: 0x87d00281
    Failed to get client certificate for transportation. Error 0x87d00281

    The error is because the chain of certificates is missing from the client.

    Are you deploying the root and intermediate certificates specified in the SCCM server properties? (More details: https://www.anoopcnair.com/sccm-client-cmg-communication-failure/ )

    How to configure root and intermediate certs in SCCM? Site Configuration – Sites – Properties – Client Computer Communication, explained at https://www.anoopcnair.com/co-mgmt-client-pki-certificates-part-7/
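
One way to check the certificate chain the answer refers to, run on the AAD joined client. This is an added example, not part of the original thread or of ConfigMgr itself; both file paths are placeholders and assume the CA certificates and the CMG server authentication certificate have been exported as .cer files.

```powershell
# Added example: run in an elevated PowerShell session on the AAD joined client.
# Both paths are placeholders (assumptions), not values from the thread.
param(
    [string]$CmgServerCertPath = 'C:\Temp\cmg-server-auth.cer',
    [string[]]$CaCertPaths     = @('C:\Temp\root-ca.cer')   # add intermediate CA files here
)

# 1. Is each CA certificate present in the machine store where it belongs?
$caReport = foreach ($path in $CaCertPaths) {
    $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
    # Subject equal to issuer means self-signed, so a root; otherwise an intermediate.
    $storeName = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
    $found = Get-ChildItem "Cert:\LocalMachine\$storeName" |
        Where-Object Thumbprint -eq $ca.Thumbprint
    [pscustomobject]@{
        Subject    = $ca.Subject
        Thumbprint = $ca.Thumbprint
        Store      = "LocalMachine\$storeName"
        Present    = [bool]$found
    }
}
$caReport | Format-Table -AutoSize

# 2. Does the CMG server certificate chain to a trusted root on this client,
#    first without and then with online revocation (CRL) checking?
$server = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CmgServerCertPath)
$chainReport = foreach ($mode in 'NoCheck', 'Online') {
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)  # machine context
    $chain.ChainPolicy.RevocationMode = $mode
    $builds = $chain.Build($server)
    [pscustomobject]@{
        RevocationMode = $mode
        ChainBuilds    = $builds
        Status         = ($chain.ChainStatus.Status -join ', ')
        Elements       = ($chain.ChainElements |
                            ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}
$chainReport | Format-List
```

`UntrustedRoot` or `PartialChain` under `NoCheck` means a CA certificate is missing from the client's stores; `RevocationStatusUnknown` or `OfflineRevocation` appearing only under `Online` means the client cannot reach the CRL distribution point.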
