SCCM 1806 Client installation from CMG/DP RRS feed

  • Question

  • Hi, I am trying to get SCCM/Intune co-management for Azure AD joined devices. CMG is up and works fine including content distribution. I created an SCCM bootstrap installer App and assigned it to all users and devices. 

    As soon as a new device is joined to AAD I see the app start, unpack ccmsetup.exe, which finds itself on the internet and tries to get an AAD token. At this point the setup fails with:

    Getting AAD (device) token with: ClientId = XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX, ResourceUrl = https://azurelab/ConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token ADALOperationProvider 11/9/2018 8:26:47 AM 3712 (0x0E80)
    WAM token request failed. Status 5, Details 'AAD WAM extension error' ADALOperationProvider 11/9/2018 8:26:47 AM 3712 (0x0E80)
    Failed to get AAD token.. 
    The specified resource type cannot be found in the image file. (Error: 80070715; Source: Windows) ADALOperationProvider 11/9/2018 8:26:47 AM 3712 (0x0E80)
    Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0x80070715 ADALOperationProvider 11/9/2018 8:26:47 AM 3712 (0x0E80)
    Failed to get CCM access token and client doesn't have PKI issued a cert to use SSL. Error 0x80004005 ccmsetup 11/9/2018 8:26:47 AM 3712 (0x0E80)

    I am wondering if anybody has bumped into the same issue or has any clue how to resolve it (other than installing a Certificate on the client). From the book, SCCM 1806 with enhanced HTTP should support certificate-less connection with AAD tokens...

    Regards,


    Alex Ignatenko | MCSE | MCITP | MCTS:SCCM, Lync, Virtualization


    • Edited by Alenat Friday, November 9, 2018 5:58 PM
    Friday, November 9, 2018 5:51 PM

Answers

  • If the user is cloud only, do you have Azure AD User discovery enabled? If it's a hybrid user, do you have both On-prem AD User discovery and Azure AD Discovery? Have you tested the CMG connection analyser using this Azure AD user?
    • Marked as answer by Alenat Tuesday, November 13, 2018 3:39 PM
    Saturday, November 10, 2018 1:27 AM
  • As Nick points out:

    Remember that using the CMG with the "Enhance HTTP site system", the authentication shifts from PKI certs into Azure, and a part of that authentication lies in the user being an Azure identity, hence such a user has to be logged on. If assigning the installation to the device, you also allow the installation to occur before the user is logged on, and the installation can fail.

    I would use the new Win32 app preview feature instead of the bootstrap method. Intune will then retry the installation if it fails.

    See this for inspiration: https://www.imab.dk/deploy-the-sccm-client-using-microsoft-intune-and-the-cloud-management-gateway-no-pki-certificates/


    Martin Bengtsson | Blog: www.imab.dk | Twitter: @mwbengtsson
    If a post helps to resolve your issue, please remember to click Mark as Answer.

    • Marked as answer by Alenat Tuesday, November 13, 2018 3:38 PM
    Saturday, November 10, 2018 4:48 PM

All replies

  • Thank you, Nick and Martin. The user is cloud-only, and Cloud User discovery is enabled. When I run the CMG Connection Analyzer it fails on the very last step (connection to CMG). But at the same time, Internet-based Clients use it just fine, getting policies and content from it, so I decided it is a false alarm... Thank you for the MSI suggestion, Martin; I will try that, though I have some doubt: the bootstrapper just unpacks ccmsetup and starts it with the provided parameters, so I do not see any difference from the situation when we copy/run ccmsetup directly using the W32 feature...

    What I do not do, though, is AD hybrid. My on-prem AD is not synced with AAD, but I did not see it as a requirement... Maybe I missed it?

    Regards,


    Alex Ignatenko | MCSE | MCITP | MCTS:SCCM, Lync, Virtualization

    Saturday, November 10, 2018 6:44 PM
  • Next time when you try to install the client again, can you check the CCM_STS.log on your management point for errors?
    Sunday, November 11, 2018 9:58 PM
  • Hi Nick, I checked CCM_STS.log. Exactly as you described in https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/, I see "Return code: 403, Description: Un-authorized request, AAD user is not discovered". On-prem user discovery is already enabled. In my situation, the AAD tenant has multiple domain names associated and one of them is in hybrid mode (not the one where SCCM is installed and not the one where the User is hosted). I guess I can try to stop hybrid completely and see if it will help.
    • Edited by Alenat Monday, November 12, 2018 2:04 PM
    Monday, November 12, 2018 1:59 PM
  • The Azure AD user also needs their associated tenant onboarded to Azure services and Azure AD discovery enabled. You can add multiple tenants to the Azure Services section in the ConfigMgr console. 

    See https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/cloud-management-gateway-faq

    "Do the user accounts have to be in the same Azure subscription as the subscription that hosts the CMG cloud service?"

    When you onboard each Azure AD tenant, a single CMG can provide Azure AD authentication for multiple tenants, regardless of the hosting location.

    Monday, November 12, 2018 9:37 PM
  • So, I guess it should be ok:

    The tenant is onboarded (this is a prerequisite for CMG).

    It has multiple subscriptions;

    CMG is installed in one of them and serves the IBCM clients as MP and DP.

    The CMG Connection analyzer passes all green (it failed before, but I realized it does not support MS Authenticator, so I took a regular non-MFA account and it passed).

    AAD is in pure cloud mode (without even AAD Connect). The Client machine is joined to AAD. I do not think that a logged-on user is important, since the SCCM client is published to the Device, not to a user...

    I am trying Martin's suggestion now - using a W32 app instead of MSI.


    Alex Ignatenko | MCSE | MCITP | MCTS:SCCM, Lync, Virtualization

    Monday, November 12, 2018 9:55 PM
  • Going back to that log where it says the user isn't discovered, can you confirm that the user that is logged into the Azure AD domain joined machine is discovered in the ConfigMgr console?

    Also for testing, you could just copy the client set up files over on a USB key or something and run the setup locally using the client setup command from the Co-Management wizard.

    Monday, November 12, 2018 10:14 PM
  • It looks like my MFA-enabled privileged account cannot be "completely discovered":

    AAD user with ID 5dxxxxxxxxxxxxxxxxx9-84xxxxxda90 and SID S-1-xxxxxxxxxxxxxxx6 is not completely discovered

    Return code: 403, Description: Un-authorized request, AAD user is not discovered

    non-MFA account discovery is better:

    User token is validated and SCCM token is created:

    Return token to client, token type: User, hierarchyId: 6XXXXXXXXXXXX4, userId: d0XXXXXXXXXXXXa, deviceId: 


    Alex Ignatenko | MCSE | MCITP | MCTS:SCCM, Lync, Virtualization

    Monday, November 12, 2018 10:33 PM
  • Is the logged on user when the ConfigMgr client installing, the user that is discovered by Azure AD? (ie the non-MFA account that is discovered)
    Monday, November 12, 2018 11:11 PM
  • Thank you, Martin; with the W32 App approach the Client is installed (strange, but ccmsetup is smart enough to take the required files from the local cache delivered by Intune instead of downloading them from the DP. It was not smooth: on the first client the Intune cache was deleted from the Staged folder before ccmsetup finished copying :). But on the second client, it was installed successfully. Cannot get a connection to CMG so far, but at least it is installed.

    In CCM_STS.log I see multiple successfully issued tokens now - all for device

    "TokenType is Device, use UDA for now"

    Still cannot get policies downloaded, but at least I am moving forward with your help, guys.


    Alex Ignatenko | MCSE | MCITP | MCTS:SCCM, Lync, Virtualization

    Monday, November 12, 2018 11:13 PM
  • Is the logged on user when the ConfigMgr client installing, the user that is discovered by Azure AD? (ie the non-MFA account that is discovered)
    The user is still MFA-enabled user (it is AAD admin and can log in by default). Interesting, but I can see the user in SCCM, so it is discovered after all somehow.

    Alex Ignatenko | MCSE | MCITP | MCTS:SCCM, Lync, Virtualization

    Monday, November 12, 2018 11:15 PM
  • Back to square one - the client logs in LocationServices.log:

    RetrieveTokenFromStsServerImpl failed with error 0x87d00215

    and nothing in CCM_STS.log after several successful token distributions to the machine. 

    The next test will be with non-MFA users, but that would be a serious degradation; I would expect tokens to work on the machine level regardless of user state.


    Alex Ignatenko | MCSE | MCITP | MCTS:SCCM, Lync, Virtualization

    Monday, November 12, 2018 11:34 PM
  • Logged on as a non-MFA user. It did not help. ADALProvider.log:

    Getting AAD token for logged on user. Authority: https://login.microsoftonline.com/common/oauth2/token ClientId: 20-xxxx94f ResourceId: https://ConfigMgrService UserSID: S-xxxxxxxxxxxxxx5

    WAM token request failed. Status 5, Details 'The server or proxy was not found.'

    Nick, in your configuration, do you have the custom domain as Primary? I am asking because I have onmicrosoft as primary, and because of this (I guess) all Azure users from my custom domains are discovered without names. There is a bunch of empty-named users in the SCCM Users console. I can right-click and see all details, but the Name field is empty. Users from the onmicrosoft domain are discovered successfully with names.


    Alex Ignatenko | MCSE | MCITP | MCTS:SCCM, Lync, Virtualization

    Tuesday, November 13, 2018 12:14 AM
  • Can you see anything in ADALOperationProvider.log on the client? Is the CMG working for other devices? (clients using PKI certs etc)

    Are you using an internal certificate for the CMG service name or a public PKI cert?

    Tuesday, November 13, 2018 12:18 AM
  • It is finally working with the Client installed by Martin's method. 

    Here is an outline:

    1. Create the SCCM Client Intune installation package as per Martin's article: https://www.imab.dk/deploy-the-sccm-client-using-microsoft-intune-and-the-cloud-management-gateway-no-pki-certificates/

    2. Bring a Client to the Internet and join the Client to AAD (or use Autopilot)

    3. Publish the SCCM Client App to the device (with a group membership)

    4. In my case, the co-management Client installation line contained the internal MP URL. During the troubleshooting, I saw the Client try to connect to it from the Internet and, surely, fail. So I created a CNAME pointing to the CMG for this FQDN. (UPD: it is not required apparently; it works without it on another client, you just need to wait)

    5. As soon as the Client is installed, approve it in the SCCM Console (if there is no auto approval for Workgroup machines)

    6. Wait. In my case, it took 15-20 min before the Client got policies.

    Logs to monitor: on the SCCM side, CCM_STS.log (to check the tokens); on the Client side, ADALOperationProvider.log and ClientLocation.log

    Thank you, Nick and Martin!


    Alex Ignatenko | MCSE | MCITP | MCTS:SCCM, Lync, Virtualization


    • Edited by Alenat Tuesday, November 13, 2018 4:13 PM
    Tuesday, November 13, 2018 3:04 PM
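As an added triage helper (not part of this thread and not a Microsoft tool), the following Python parses flattened CMTrace lines like the ccmsetup excerpt in the question and tags the CCM_STS.log / ADALOperationProvider.log / LocationServices.log messages the replies walk through; the tag meanings are my summary of the thread's conclusions, and the CCM_STS line's trailer is constructed.

```python
import re
# Flattened CMTrace entry, as pasted from CMTrace or a forum post:
# "<message> <component> <M/D/YYYY> <h:mm:ss AM|PM> <thread> (0xHEX)"
ENTRY_RE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<component>\S+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<thread>\d+) \(0x[0-9A-Fa-f]+\)\s*$")

# Signatures quoted in this thread; the third column is an assumption summarising the replies.
SIGNATURES = [
    (r"WAM token request failed\. Status \d+", "wam-failed",
     "client could not obtain an AAD token through WAM"),
    (r"Error 0x80070715", "device-token-failed",
     "AAD device token request failed"),
    (r"doesn't have PKI issued a cert", "no-token-no-pki",
     "no CCM token and no PKI cert, so ccmsetup cannot reach the CMG"),
    (r"403.*AAD user is not discovered", "user-not-discovered",
     "verify AAD user discovery and tenant onboarding"),
    (r"RetrieveTokenFromStsServerImpl failed", "sts-token-failed",
     "client could not retrieve a token from CCM_STS"),
    (r"Return token to client, token type: \w+|TokenType is Device",
     "token-issued", "CCM_STS issued a token (healthy)"),
]
def parse_entry(line):
    """Split a flattened CMTrace line; component is None if the trailer is missing."""
    m = ENTRY_RE.match(line.strip())
    if not m:  # e.g. a message that wrapped onto a second line in the paste
        return {"msg": line.strip(), "component": None, "date": None, "time": None, "thread": None}
    return m.groupdict()
def classify(msg):
    """Return (tag, meaning) for the first matching signature, else None."""
    for pattern, tag, meaning in SIGNATURES:
        if re.search(pattern, msg):
            return tag, meaning
    return None
def triage(lines):
    """Return the parsed entries that hit a known signature, in log order."""
    hits = []
    for entry in (parse_entry(l) for l in lines if l.strip()):
        found = classify(entry["msg"])
        if found:
            hits.append({**entry, "tag": found[0], "meaning": found[1]})
    return hits
# Constructed sample: three lines from the question's excerpt plus the CCM_STS 403 text with a made-up trailer.
SAMPLE = [
    "WAM token request failed. Status 5, Details 'AAD WAM extension error' ADALOperationProvider 11/9/2018 8:26:47 AM 3712 (0x0E80)",
    "Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0x80070715 ADALOperationProvider 11/9/2018 8:26:47 AM 3712 (0x0E80)",
    "Failed to get CCM access token and client doesn't have PKI issued a cert to use SSL. Error 0x80004005 ccmsetup 11/9/2018 8:26:47 AM 3712 (0x0E80)",
    "Return code: 403, Description: Un-authorized request, AAD user is not discovered CCM_STS 11/12/2018 1:59:00 PM 4321 (0x10E1)",
]
```

Running `triage(SAMPLE)` yields the four tagged entries in order, with the component column telling you which log (client-side ccmsetup/ADALOperationProvider versus server-side CCM_STS) to open next.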