We have a customer that has a functional ConfigMgr (CB 2006) environment with a newly configured CMG and Co-Management enabled. All of the CMG related settings and EHTTP settings are enabled. Machines that are Hybrid-AD joined and already have the ConfigMgr client are able to communicate and download software from the CMG.
Now trying to deploy the client to off-prem internet-only devices (all Win10 2004). Devices are AAD-joined. They get this when running the install manually:
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
[CCMHTTP] ERROR: URL=https://<CMGname>.CLOUDAPP.NET/CCM_Proxy_ServerAuth/ServiceMetadata, Port=443, Options=192, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE
Failed to get CMG metadata 0x80072f8f
Looking for MPs from AD...
Unexpected row count (0) retrieved from AD.
GetADInstallParams failed with 0x80004005
Couldn't find an MP source through AD. Error 0x80004005
No valid source or MP locations
CcmSetup failed with error code 0x80004005
Cmd is as follows:
ccmsetup.exe CCMHOSTNAME=<CMGname>.CLOUDAPP.NET/CCM_Proxy_MutualAuth/<code> SMSSiteCode=<site code> SMSMP=<FQDN for Primary Site> AADTENANTID=<AADTENANTID> AADCLIENTAPPID=<AADCLIENTAPPID> AADRESOURCEURI=https://ConfigMgrService
They have also tried adding the following switches:
/nocrlcheck
/mp:https://<CMGname>.CLOUDAPP.NET/CCM_Proxy_MutualAuth/<code>
Adding the /mp still fails but changes the error:
DownloadFileByWinHTTP failed with a non-recoverable failure, 0x87d00455
CcmSetup failed with error code 0x87d00455
There is no client cert involved as it should be using the AAD token, correct? They've followed the instructions from the following link, so not sure what they missed: https://video2.skills-academy.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-azure#configure-client-settings
Any ideas or suggestions would be hugely appreciated!
Thanks!
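A diagnostic worth running on one of the failing AAD-joined devices before changing anything else. The error in the log (Code=12175, ERROR_WINHTTP_SECURE_FAILURE, 0x80072f8f) is WinHTTP rejecting the server certificate presented by the CMG endpoint, and the things it evaluates are the same ones this script reports on: whether the chain builds to a root the machine trusts, whether the hostname matches the certificate's SAN, whether revocation information is reachable, and whether the certificate carries the Server Authentication EKU. This is an added example written for this post, not code from the original question or from Microsoft; it assumes Windows PowerShell 5.1 on the client, uses a placeholder for the CMG hostname, and parses the SAN extension's en-US display text (other locales fall back to GetNameInfo).

```powershell
# Added example (not from the original post or from Microsoft): probe the CMG's
# TLS endpoint from the failing client and report the checks behind WinHTTP's
# ERROR_WINHTTP_SECURE_FAILURE (12175): chain trust, hostname match, revocation,
# and the Server Authentication EKU.
# Assumption: 'CMGNAME-PLACEHOLDER.cloudapp.net' stands in for the real CMG name.

function Test-CmgServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [int] $TargetPort = 443
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($TargetHost, $TargetPort)

    # Accept whatever the server presents during the handshake; the chain is
    # evaluated explicitly below so every failure reason is visible.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        # SNI carries $TargetHost, the same name ccmsetup connects to.
        $ssl.AuthenticateAsClient($TargetHost)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $protocol = $ssl.SslProtocol
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    # Build the chain the way a default ccmsetup run validates it (revocation
    # checked online unless /nocrlcheck is passed).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $trusted = $chain.Build($leaf)
    $statusText = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    $chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInMachineRoot = Test-Path ("Cert:\LocalMachine\Root\" + $root.Thumbprint)

    # Hostname match against the SAN (DNS entries), with single-label wildcard support.
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        # Assumption: en-US display text, e.g. "DNS Name=a.example, DNS Name=b.example".
        $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    if ($dnsNames.Count -eq 0) {
        $dnsNames = @($leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    }
    $nameMatch = $false
    foreach ($n in $dnsNames) {
        if ($n -eq $TargetHost) { $nameMatch = $true; break }
        if ($n.StartsWith('*.') -and ($TargetHost -like $n) -and
            ($TargetHost.Split('.').Count -eq $n.Split('.').Count)) { $nameMatch = $true; break }
    }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present for TLS server use.
    $eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $false
    if ($eku) { $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }) }

    [pscustomobject]@{
        Host              = $TargetHost
        Protocol          = $protocol
        Subject           = $leaf.Subject
        Issuer            = $leaf.Issuer
        NotAfter          = $leaf.NotAfter
        SanDnsNames       = $dnsNames
        HostnameMatches   = $nameMatch
        ServerAuthEku     = $serverAuth
        ChainTrusted      = $trusted
        ChainStatus       = $statusText
        Chain             = $chainSubjects
        RootInMachineRoot = $rootInMachineRoot
    }
}

# Run from the failing device; replace the placeholder with the real CMG host.
$result = Test-CmgServerCertificate -TargetHost 'CMGNAME-PLACEHOLDER.cloudapp.net'
$result | Format-List
if (-not ($result.ChainTrusted -and $result.HostnameMatches -and $result.ServerAuthEku)) {
    Write-Warning 'Server certificate would fail WinHTTP validation; see ChainStatus above.'
}
```

Read the output with the log in mind: a ChainStatus of UntrustedRoot or PartialChain with RootInMachineRoot false means the root (or an intermediate) that issued the CMG server certificate is not in the device's machine store, which is the usual reason an AAD-joined, non-domain device fails where Hybrid-joined ones succeed, since the latter pick up internal roots through group policy. RevocationStatusUnknown or OfflineRevocation points at CRL reachability from the internet, which is what /nocrlcheck bypasses; re-running with `$chain.ChainPolicy.RevocationMode = 'NoCheck'` separates that from a trust problem. HostnameMatches false means the name in CCMHOSTNAME and the certificate's SAN disagree. None of these checks involve a client certificate, so the token-based authentication path is unaffected by them; the server certificate still has to validate before the AAD token is ever sent.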