Remove From My Forums

Client installation issues - client setup can't access the SCCM server

Question
0

Sign in to vote
I am facing strange issues with SCCM client setup... the site was originally running the SCCM 1702 (hosted on Windows 2012 R2, all roles on one server) and successfully deployed some clients.

Now I upgraded it to 1806 and suddenly encounter very very strange problems.

- boundary group and boundary is set and worked before

- all is performed with the domain administrator account

- the client machines are Win7 and Win10

- and there are no firewalls active

The client push works, the ccmsetup servcie is started.

But the clients fail to get the packages from the server and I find repeating entries like that

<![LOG[Failed to get directory list from 'http://sccm3.BRINGIT.LOCAL/CCM_Client'. Error 0x87d0027e]LOG]!><time="15:00:27.226-60" date="11-06-2018" component="ccmsetup" context="" type="3" thread="2556" file="httphelper.cpp:988"> <![LOG[Failed to correctly receive a WEBDAV HTTP request.. (StatusCode at WinHttpQueryHeaders: 401) and StatusText: 'Unauthorized' ]LOG]!><time="15:00:27.226-60" date="11-06-2018" component="ccmsetup" context="" type="3" thread="2556" file="state.h:69"> <![LOG[Failed to check url http://sccm3.BRINGIT.LOCAL/CCM_Client/ccmsetup.cab. Error 0x80004005]LOG]!><time="15:00:27.226-60" date="11-06-2018" component="ccmsetup" context="" type="3" thread="2556" file="httphelper.cpp:1348"> <![LOG[Accessing the URL 'http://sccm3.BRINGIT.LOCAL/CCM_Client/ccmsetup.cab' failed with 80004005]LOG]!><time="15:00:27.226-60" date="11-06-2018" component="ccmsetup" context="" type="2" thread="2556" file="ccmsetup.cpp:10928"> <![LOG[Next retry in 10 minute(s)...]LOG]!><time="15:00:27.226-60" date="11-06-2018" component="ccmsetup" context="" type="0" thread="2556" file="ccmsetup.cpp:9812">

then I tried to access the URL

http://sccm3.BRINGIT.LOCAL/CCM_Client

and got this error:

The authentification method is set to anonymous.... the w3csvc.log of the IIS doesn't show any authentication errors, nor does the evnetviewer on the server or client.

Where would be the next place to look at?

IT architect - Terminal servers, virtualizations, SQL servers, file servers, WAN networks and closely related to software devleopment (8 years + experience in VB, C++ and script langugaes), MCP for SQL server and CCAA for Xenapp 6.5
- Edited by Al Hasoob Tuesday, November 6, 2018 2:28 PM
- Moved by Jason Sandys [MSFT]MVP Tuesday, November 6, 2018 3:13 PM
Tuesday, November 6, 2018 2:27 PM

Answers

1

Sign in to vote
for interested people a resume how the bug looks alike and how I fixed it:

- Installed a site about one year ago with SCCM 1702, configured it's boundaries and discovery methods and it's client push installation. And I had some success with that. I alredy had some VM in my assets with a functional client setup. Then I downloaded some upgrades with the SCCM integrated updater and finally ended up with 1806, or 1810. I guess that one of these updates intended to replace the client directory, thereby removing the old content and then failing to generate the new directory.

- the AD system discovery finds systems and shows them without site code

- deployed the client (on Win7) via the GUI of SCCM which is equal to the push client install

- waited 30 minutes and wounder why there was no "you have new updates" message and no "configuration management" in the control panel

- the ccm.log on the server indicates the push was successful and at client side the service was running

- the ccmsetup log file at client side shows

Failed to get directory list from 'http://sccm3.BRINGIT.LOCAL/CCM_Client'.

- tried to call this address in internet explorer -> access denied 401 message

- check the IIS of the SCCM server - the CCM_Client sub-site is configured to point to c:\program files\Microsoft Configuration Manager\CCM_client

- check the c: drive of my SCCM server, found there is no such a path

-> the missing path was the root cause why the client could not download it's own software package. The SCCM basically only push-installs a "polling service" and not the enitre client. And this service called "ccmsetup" doesn't find the client install packaage on the SCCM server.

- check the other sub-directories in IIS and found some more missing directories on c:

- Finally I decided to remove the SCCM software (there is an uninstall thing in the start menu)

- going to services.msc stop the ccmsetup service

- sc delete ccmsetup

- found the installer did not remove the contents of the c:\program files\Microsoft Configuration Manager\ and it had about 6 GB of files, so I deleted them

- run a clean install of SCCM 1702 again

- finally the IIS points to correct locations and the clients were able to install.

- after waiting for about 15 minutes the client got installed automatically on the failed machine... the ccmsetup service tries this again and again, for a week or even longer and every 15 or 20 minutes so there was nothing more to do, just wait. Also on Win10 the install succeeds...

But I have to mention that Win10 1803 has an issue for remotely accessing the ADMIN$ share that has to be overcome with a registry hack and Win10 1511 has incomplete ACL, so parts of that OS doesn't work directly after a domain join.... so I finally took a Windows 7 to avoid these problems, but even on Windows 7 I mentined that the client software never got installed...

-------------------------------------------------------------------------------------------------------------

IT architect - Terminal servers, virtualizations, SQL servers, file servers, WAN networks and closely related to software devleopment (8 years + experience in VB, C++ and script langugaes), MCP for SQL server and CCAA for Xenapp 6.5
- Edited by Al Hasoob Tuesday, November 6, 2018 8:43 PM
- Marked as answer by Al Hasoob Tuesday, November 6, 2018 8:43 PM
Tuesday, November 6, 2018 7:22 PM

All replies

1

Sign in to vote

Do you have HTTPS client communication enabled?

What exactly does the is log show for the corresponding traffic from this client?

Is this happening on all clients or just systems where you are attempting to install the client agent?

Have you validated that "something" at the network layer isn't interfering with the traffic?
Jason | https://home.configmgrftw.com | @jasonsandys

Tuesday, November 6, 2018 3:17 PM
0

Sign in to vote
The IIS log shows only some get requests... but no errors so far.

It happens on 2 freshly created clients , so to say all I currently have in this environment. To make sure that this isn't originating from some of the strange things happening in Windows 10 I installed a Win7 client too...

After digging deeper into the IIS configuration it turned out there are some virutal directories created but their target in "physical path" were missing. The message "access denied" was just like "something went wrong".

I guess this is one of the never-ending annoying bugs in SCCM, along with the "automatic client push" that fails randomly and without any discoverable rules (I could write a blog about this) and the incabability of earlier SCCM versions to cooperate with Windows 10. I have never encountered such a buggy MS product before and I really wounder why MS did not take care that newer OS intergrate better with a client management tool from the very same vendor.

If I could make some suggestoins: fix that firewall stuff (SCCM asks me to modify the AD schema, so why it won't modify the default domain GPO?), fix these annoying things with the Admin$ share on Windows 10 ( this is another GPO setting), and throw away the "default" boundary group and the default boundary because they behave different than everything you can create by yourself... and improve the setup so you just get what it pretends to do: create a fully functional site. Currently it doesn't.

p.s. last but not least let appear the SCCM client / server under "programs&features". Any installed software should show up there.... especially if it's from MS.

IT architect - Terminal servers, virtualizations, SQL servers, file servers, WAN networks and closely related to software devleopment (8 years + experience in VB, C++ and script langugaes), MCP for SQL server and CCAA for Xenapp 6.5
- Edited by Al Hasoob Tuesday, November 6, 2018 5:12 PM
Tuesday, November 6, 2018 5:05 PM
1

Sign in to vote

> I guess this is one of the never-ending annoying bugs in SCCM, along with the "automatic client push" that fails randomly and without any discoverable rules

I've never had an issue with this and have performed many, many installs in many, many production environments over many, many years. Not to be critical, but in most cases, when folks have issues with ConfigMgr, it's because they assume way too much about how it works and/or have unique configurations in their environment that break the pre-req assumptions that ConfigMgr makes.

> so why it won't modify the default domain GPO

Because it doesn't have permissions to and depending on your security policy, this can be done in a variety of ways. Also, modifying the default domain GPO is a terrible practice and never recommended.

> fix these annoying things with the Admin$ share on Windows 10

I have no idea what you talking about here.

> and throw away the "default" boundary group and the default boundary because they behave different than everything you can create by yourself.

As noted, you're simply making a bad assumption about what these do. They are quite useful but there's actually no explicit reason that you have to use them. Also, there is no such thing as a default boundary.

> improve the setup so you just get what it pretends to do: create a fully functional site. Currently it doesn't.

It absolutely does. Many, many organizations successfully install ConfigMgr all by themselves; however, once again, folks that have issues, usually skip reading the documentation and make a lot of bad assumptions. ConfigMgr is not a simple product because it does so many different things for so many different organizations.

> last but not least let appear the SCCM client / server under "programs&features". Any installed software should show up there.... especially if it's from MS

Why? I'm totally fine with it not showing up there. I honestly would be OK with it showing up there but I'm fine with it not also. But why do you think it should? If you feel strongly about it, file a uservoice item.
Jason | https://home.configmgrftw.com | @jasonsandys

Tuesday, November 6, 2018 5:23 PM
0

Sign in to vote
certainly I will do this... when there are two, three true facts, then there is the one whitepaper from the late nineties how to deal with the registry in multi-user environments. The "Terminal Server" was a separate NT4-based CD at these times and the whitepaper was written for it and had nearly eternally validity. Even nowaday many develpers don't follow it....

I remember another whitepaper from one MS chief architect about well application behavior... any software that installs on Windows should have an entry in "programs and features" and should be able to get uninstalled without it's installaition media being required at installation time. Even nowadays some people don't handle this well, so still need for the FixIT thing that removes such kind of software especially they don't have an msiexec /x uninstallstring entry in the registry. For "our" products I introduced testing rules in the system test to guarantee this... and a clean uninstall should delete the stuff the setup has installed. The SCCM uninstall neither removes the ccmsetup service nor it removes the program directory and it leaves some stuff in IIS.

IT architect - Terminal servers, virtualizations, SQL servers, file servers, WAN networks and closely related to software devleopment (8 years + experience in VB, C++ and script langugaes), MCP for SQL server and CCAA for Xenapp 6.5
- Edited by Al Hasoob Tuesday, November 6, 2018 5:55 PM
Tuesday, November 6, 2018 5:43 PM
1

Sign in to vote
for interested people a resume how the bug looks alike and how I fixed it:

- Installed a site about one year ago with SCCM 1702, configured it's boundaries and discovery methods and it's client push installation. And I had some success with that. I alredy had some VM in my assets with a functional client setup. Then I downloaded some upgrades with the SCCM integrated updater and finally ended up with 1806, or 1810. I guess that one of these updates intended to replace the client directory, thereby removing the old content and then failing to generate the new directory.

- the AD system discovery finds systems and shows them without site code

- deployed the client (on Win7) via the GUI of SCCM which is equal to the push client install

- waited 30 minutes and wounder why there was no "you have new updates" message and no "configuration management" in the control panel

- the ccm.log on the server indicates the push was successful and at client side the service was running

- the ccmsetup log file at client side shows

Failed to get directory list from 'http://sccm3.BRINGIT.LOCAL/CCM_Client'.

- tried to call this address in internet explorer -> access denied 401 message

- check the IIS of the SCCM server - the CCM_Client sub-site is configured to point to c:\program files\Microsoft Configuration Manager\CCM_client

- check the c: drive of my SCCM server, found there is no such a path

-> the missing path was the root cause why the client could not download it's own software package. The SCCM basically only push-installs a "polling service" and not the enitre client. And this service called "ccmsetup" doesn't find the client install packaage on the SCCM server.

- check the other sub-directories in IIS and found some more missing directories on c:

- Finally I decided to remove the SCCM software (there is an uninstall thing in the start menu)

- going to services.msc stop the ccmsetup service

- sc delete ccmsetup

- found the installer did not remove the contents of the c:\program files\Microsoft Configuration Manager\ and it had about 6 GB of files, so I deleted them

- run a clean install of SCCM 1702 again

- finally the IIS points to correct locations and the clients were able to install.

- after waiting for about 15 minutes the client got installed automatically on the failed machine... the ccmsetup service tries this again and again, for a week or even longer and every 15 or 20 minutes so there was nothing more to do, just wait. Also on Win10 the install succeeds...

But I have to mention that Win10 1803 has an issue for remotely accessing the ADMIN$ share that has to be overcome with a registry hack and Win10 1511 has incomplete ACL, so parts of that OS doesn't work directly after a domain join.... so I finally took a Windows 7 to avoid these problems, but even on Windows 7 I mentined that the client software never got installed...

-------------------------------------------------------------------------------------------------------------

IT architect - Terminal servers, virtualizations, SQL servers, file servers, WAN networks and closely related to software devleopment (8 years + experience in VB, C++ and script langugaes), MCP for SQL server and CCAA for Xenapp 6.5
- Edited by Al Hasoob Tuesday, November 6, 2018 8:43 PM
- Marked as answer by Al Hasoob Tuesday, November 6, 2018 8:43 PM
Tuesday, November 6, 2018 7:22 PM
2

Sign in to vote
I was facing the exact same issue and it appears to be a redirection issue.

In IIS CCM_Client seems to have a redirect setup to point to CMApplicationCatalog.

If you remove this HTTP redirect the client the ccmsetup service is able to find the files and the installation completes correctly.
- Proposed as answer by 0x00000c Friday, March 15, 2019 10:16 AM
Thursday, January 10, 2019 4:07 AM
1

Sign in to vote

Note that this redirection was not put in place by ConfigMgr so while it fixed your issue (which is a good thing) this is not a generic solution.
Jason | https://home.configmgrftw.com | @jasonsandys

Thursday, January 10, 2019 2:43 PM
0

Sign in to vote

I used the very same instructions to install and configure SCCM 1702 on a clean Windows 2016 AD and a freshly installed and updated Windows 2016 server (patch level Dec 29th 2018). My test clients did not have any issues after opening the firewall with the appropriate ports. The push client install works, GPO based client install works, manual installed client works, software deployment and retirement works.

I couldnt beleive that, did the very same setup on a freshly created and fully patched Windows 2012 R2 AD and that worked too. Of course my clients were up to date too, but the Windoes 7 SP1 patch procedure takes three days...

IMO I and others didn't find the clue how to integrate SCCM into an existing AD with lot of GPO's... and there are a great many things to regard doing the SCCM 1702 rollout on Windows 7 and it gets worse with the 18xx version of SCCM because the client install thing tries to install dot net 4.5 which won't install on unpatched Windows 7 SP1 or Windows 10 15xx or 16xx. It fails and there isn't even a clear error state...

The only method for a bulletproof client install would be to use the WSUS based install because the WSUS can be configured to install the required updates first until the patchlevel meets the client install requirements (no matter if push, manual, GPP or WSUS).

IT architect - Terminal servers, virtualizations, SQL servers, file servers, WAN networks and closely related to software devleopment (8 years + experience in VB, C++ and script langugaes), MCP for SQL server and CCAA for Xenapp 6.5

Friday, January 11, 2019 7:50 AM
0

Sign in to vote
Note that this redirection was not put in place by ConfigMgr so while it fixed your issue (which is a good thing) this is not a generic solution.

Jason | https://home.configmgrftw.com | @jasonsandys

You say this but I just resolved the exact same issue with Client Push failing, and I had the same HTTP redirect to Application Catalog as the previous user.
- Edited by Flannel_NZ Thursday, April 18, 2019 10:33 PM
Thursday, April 18, 2019 9:56 PM
0

Sign in to vote

Same answer though. If you put something in that breaks ConfigMgr, then the solution is to fix what you broke as this really has nothing to do with ConfigMgr. This is not in any way a default configuration in ConfigMgr.
Jason | https://home.configmgrftw.com | @jasonsandys

Friday, April 19, 2019 2:05 PM
0

Sign in to vote

I didn't do anything... just upgraded a working SCCM with ootb procedures offered by Microsoft. Found no hints in log files or event log so I think the upgrade from 1702 to 1806 obvioulsly doesn't check all prerequisites and then leaves some work undone.

Because I am not a certified SCCM software engineer I might have missed some steps, but also I was following the instructions in an MS Press book, and there were no additional hints so far. But "your" example also assumes an untouched lab AD ... so I made a new one on 2012 R2 and one on 2016 and both were healthy.

I was able to compare an OOTB AD with a prod style AD having many GPOs and unser right assignments... I assume the "log on as a service" GPO did break something, but I don't have unlimited time to find this out and I don't have unlimited budget for trainings, at least not for SCCM.

In case it gets itchy for me because I don't proceed in a project or PoC then I would call the MS support, as MSDN subscriber I am entitled to do so :-)

IT architect - Terminal servers, virtualizations, SQL servers, file servers, WAN networks and closely related to software devleopment (8 years + experience in VB, C++ and script langugaes), MCP for SQL server and CCAA for Xenapp 6.5

Tuesday, April 23, 2019 7:28 AM
0

Sign in to vote

Have had this exact same issue in two SCCM in different domain. The redirect is set on "automatically" after every update that is done to SCCM since 1806 version, currently having 1902 version. Every time I have installed the new updates I have to got to IIS on both sccm to take this setting of to be able to update the clinet to the computers.

Friday, May 24, 2019 5:54 AM
0

Sign in to vote

This is simply not anything that is part of the default configuration. I have no idea how or why these have been configured in your environments, but they are not part of ConfigMgr.
Jason | https://home.configmgrftw.com | @jasonsandys

Friday, May 24, 2019 2:10 PM
0

Sign in to vote

I had the same problem and this fix resolved my issue too.

Friday, June 14, 2019 1:26 AM
0

Sign in to vote

I have same issue and I resolved.

1- Remove the Management point.

2- restart the server.

3- add the management point again.

Note : use domain user account only to push the client.

Tuesday, November 12, 2019 8:02 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Client installation issues - client setup can't access the SCCM server

Question

Answers

All replies