locked
Cannot Install Client via GPO but Push Installation Works RRS feed

  • Question

  • Good Afternoon,

    I can't seem to find out why I cannot install the Client via GPO but have no problems installing it via PUSH

    My Schema was extended and i'm using HTTPS

    I shared out the folder containing the ccmsetup.msi to Domain Computers & Users

    Below is the log file:

    ']LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="0" thread="4060" file="util.cpp:2205">
    <![LOG[Sending message header '<Msg SchemaVersion="1.1"><ID>{B7F293F1-1213-437E-83E2-27295ACD72A5}</ID><SourceHost>MJZHNM5</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:MJZHNM5:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>https://wesc-sccm-01.wesc.internal</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2012-12-28T18:29:04Z</SentTime><Body Type="ByteRange" Offset="0" Length="1094"/><Hooks><Hook3 Name="zlib-compress"/></Hooks><Payload Type="inline"/></Msg>']LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="0" thread="4060" file="util.cpp:2286">
    <![LOG[Client is not allowed to use PKI issued certificate thus it can not talk to HTTPS server.]LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="3" thread="4060" file="httphelper.cpp:795">
    <![LOG[GetHttpRequestObjects failed for verb: 'CCM_POST', url: 'https://wesc-sccm-01.wesc.internal/ccm_system/request']LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="3" thread="4060" file="httphelper.cpp:942">
    <![LOG[GetDPLocations failed with error 0x80004005]LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="3" thread="4060" file="util.cpp:2487">
    <![LOG[Failed to find DP locations with error 0x80004005, status code 200. Check next MP.]LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="2" thread="4060" file="ccmsetup.cpp:9642">
    <![LOG[Only one MP https://wesc-sccm-01.wesc.internal is specified. Use it.]LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="1" thread="4060" file="ccmsetup.cpp:8763">
    <![LOG[Have already tried all MPs. Couldn't find DP locations.]LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="3" thread="4060" file="ccmsetup.cpp:9647">
    <![LOG[Client is not allowed to use PKI issued certificate thus it can not talk to HTTPS server.]LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="3" thread="4060" file="httphelper.cpp:795">
    <![LOG[GetHttpRequestObjects failed for verb: 'GET', url: 'https://wesc-sccm-01.wesc.internal/CCM_Client/ccmsetup.cab']LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="3" thread="4060" file="httphelper.cpp:942">
    <![LOG[DownloadFileByWinHTTP failed with error 0x80004005]LOG]!><time="11:29:04.188+420" date="12-28-2012" component="ccmsetup" context="" type="3" thread="4060" file="httphelper.cpp:1076">
    <![LOG[Sending Fallback Status Point message to 'wesc-sccm-01.wesc.internal', STATEID='308'.]LOG]!><time="11:29:04.189+420" date="12-28-2012" component="ccmsetup" context="" type="1" thread="4060" file="ccmsetup.cpp:8439">
    <![LOG[Params to send FSP message '5.0.7711.0000 Deployment Error 0x80004005. Url <a href="https://wesc-sccm-01.wesc.internal/CCM_Client/ccmsetup.cab']LOG]!><time="11:29:04.193+420">https://wesc-sccm-01.wesc.internal/CCM_Client/ccmsetup.cab']LOG]!><time="11:29:04.193+420" date="12-28-2012" component="ccmsetup" context="" type="0" thread="4060" file="ccmsetup.cpp:8570">
    <![LOG[State message with TopicType 800 and TopicId {C04556B9-99AB-4B88-9D5C-73918ECF3901} has been sent to the FSP]LOG]!><time="11:29:04.215+420" date="12-28-2012" component="FSPStateMessage" context="" type="1" thread="4060" file="fsputillib.cpp:752">
    <![LOG[CcmSetup failed with error code 0x80004005]LOG]!><time="11:29:04.215+420" date="12-28-2012" component="ccmsetup" context="" type="1" thread="4060" file="ccmsetup.cpp:9454">

    I did not try to reinstall any ROLES yet

    Friday, December 28, 2012 10:27 PM

All replies

  • I assume your certficate is ok and you correctly configured your auto-enrollment settings.

    In that case, this looks like a problem with CCMHTTPSSTATE. This typically is CCMHTTPSSTATE=”255” (HTTPS) or CCMHTTPSSTATE=”480” (HTTP or HTTPS) but sometimes needs to be forced to "63". You can force this by adding CCMHTTPSSTATE=”63” to your install string.

    Take a look at http://www.bibble-it.com/2012/10/14/sccm-2012-client-deployment-fails-in-https-mode



    • Edited by .Christian Friday, August 3, 2018 1:14 PM
    Monday, December 31, 2012 8:20 AM
  • Yeah,

    I tried that before and i re installed all my roles again.  Still no go.

    I checked and my Certificates are all good

    • Proposed as answer by Quo-Vadis Friday, June 14, 2013 10:29 PM
    • Unproposed as answer by Quo-Vadis Friday, June 14, 2013 10:30 PM
    Wednesday, January 2, 2013 3:33 PM
  • We had this issue today, nearly threw my computer out the window.

    Issues with GPO/WSUS SCCM 2012 (CM12) (HTTPS/PKI/Native) Client Installation/Upgrade from SCCM 2007 (CM07) (HTTP Mixed Mode) Client:

    Our issue, and this seems to be a bug in client deployment outside of Client Push, is that the old SCCM 2007 client was mixed mode NOT HTTPS, but HTTP.

    We setup our new CM12 to use PKI and HTTPS. The issue is that if you do a client install outside of client push it does a check as the log states for registry keys under HKLM\SOFTWARE\Microsoft\CCM or HKLM\SOFTWARE\Wow6432Node\Microsoft\CCM for the Httpsstate value, which with the HTTP SCCM 2007 client we have installed is set to 0.

    What does this mean?

    Well it seems that if you do a SUP or GPO install and you have the CM12 AD schema extended, it will do the following order to check for installation parameters: Registry\AD\GPO(installation properties).

    So it pulls your existing clients settings and tries to install the new client but it fails due to the httpsstate being 225 as noted before in posts above.

    There are three solutions to this issue it seems.

    1. Forget GPO/SUP and stick with client push, but its not a best practice per documentation.

    2. Uninstall the SCCM2007 client first, then GPO/SUP install will work just fine

    3. Set the Httpsstate value to 63 via GPO (we went this route)

    After this clients went and installed via GPO like nothing and all issues went away.

    Unfortunately according to the documentation you can not use the /forceinstall switch in the GPO nor can you use the CCMHTTPSSTATE= option because the AD Scheme for CM12 was extended. If you don't extend it then you can install/upgrade your clients using that switch, otherwise it ignores all GPO parameters. This appears to be a bug and might be a simple fix, either omit the registry check or allow GPO install options to override, there are other solutions but this is a pesky bug especially for those going from HTTP Mixed CM07 to HTTPS Native CM12.

    Also as a note, we have tried setting the PRIMARY site to HTTP or HTTPS but leaving the MP/DP to HTTPS only and the issue existed still. It was specifically due to the registry key being read during ccmsetup from the workstation and being passed to ccmsetup to install the CM12 client that was breaking it.

    If we did a Client Push we had the option to "Always Install" which is the equivalent of /forceinstall and it always worked..

    So there is a bug, and it just might need to get fixed, unless this is the intended behavior.

    We are suing CM12 SP1 on Server 2012 and SQL 2012 latest CU if I am not mistaken.

    • Proposed as answer by Quo-Vadis Friday, June 14, 2013 10:30 PM
    • Edited by Quo-Vadis Friday, June 14, 2013 10:41 PM
    Friday, June 14, 2013 10:29 PM