locked
SCCM Client not installing RRS feed

  • Question

  • I had two machines with working SCCM clients.

    Which stopped working at some point, we found that these machines could no longer connect to the certificate server due to firewall rules.

    This has been solved.

    But i can not get the SCCM client working/installing again.

    I keep seeing this in the sccmsetup.log

    ']LOG]!><time="10:23:38.329-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="siteinfo.cpp:104">
    <![LOG[Sending message header '<Msg SchemaVersion="1.1"><ID>{EB7F1ABE-3FE3-43AD-8FCA-C785D8AA4418}</ID><SourceID></SourceID><SourceHost>SCCMCLIENT</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:SCCMCLIENT:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>HTTPS://SCCMSERVER.***</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2018-12-18T09:23:38Z</SentTime><Body Type="ByteRange" Offset="0" Length="1214"/><Hooks><Hook3 Name="zlib-compress"/></Hooks><Payload Type="inline"/></Msg>']LOG]!><time="10:23:38.329-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="siteinfo.cpp:193">
    <![LOG[CCM_POST 'HTTPS://SCCMSERVER.***/ccm_system/request']LOG]!><time="10:23:38.329-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="httphelper.cpp:984">
    <![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time="10:23:38.329-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:4722">
    <![LOG[Certificate Issuer 1 [CN=*** - Internal CA; DC=***; DC=drp; DC=***]]LOG]!><time="10:23:38.329-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:4738">
    <![LOG[Analyzing 1 Chain(s) found]LOG]!><time="10:23:38.345-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4777">
    <![LOG[Chain has Certificate [Thumbprint 9F853D4A2C25AB74408C9CE7FBEA6EF814CC314C] issued to [SCCMCLIENT.***] issued by [CN=*** - Internal IssuingCA; DC=***; DC=drp; DC=***]]LOG]!><time="10:23:38.345-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4799">
    <![LOG[Chain has Certificate [Thumbprint 43E5DBC1F03238CA4AEDA85D5D3228AC28F800BF] issued to [*** - Internal IssuingCA] issued by [CN=*** - Internal CA; DC=***; DC=drp; DC=***]]LOG]!><time="10:23:38.345-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4799">
    <![LOG[Chain has Certificate [Thumbprint EE570BA5328F6E66FE210D73D4F2DBF9F6BD6595] issued to [*** - Internal CA] issued by [CN=*** - Internal CA; DC=***; DC=drp; DC=***]]LOG]!><time="10:23:38.345-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4799">
    <![LOG[Based on Certificate Issuer '*** - Internal CA' found Certificate [Thumbprint 9F853D4A2C25AB74408C9CE7FBEA6EF814CC314C] issued to 'SCCMCLIENT.***']LOG]!><time="10:23:38.345-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:4820">
    <![LOG[Begin validation of Certificate [Thumbprint 9F853D4A2C25AB74408C9CE7FBEA6EF814CC314C] issued to 'SCCMCLIENT.***']LOG]!><time="10:23:38.345-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:1677">
    <![LOG[Certificate [Thumbprint 9F853D4A2C25AB74408C9CE7FBEA6EF814CC314C] issued to 'SCCMCLIENT.***' has expired.]LOG]!><time="10:23:38.345-60" date="12-18-2018" component="ccmsetup" context="" type="2" thread="5660" file="CcmCert.cpp:1690">
    <![LOG[Completed validation of Certificate [Thumbprint 9F853D4A2C25AB74408C9CE7FBEA6EF814CC314C] issued to 'SCCMCLIENT.***']LOG]!><time="10:23:38.345-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:1838">
    <![LOG[Analyzing 1 Chain(s) found]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4777">
    <![LOG[Chain has Certificate [Thumbprint 9195E5A7A189E12B3821BA395EBA5FF110B0D00A] issued to [SCCMCLIENT.***] issued by [CN=*** - Internal IssuingCA; DC=***; DC=drp; DC=***]]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4799">
    <![LOG[Chain has Certificate [Thumbprint 43E5DBC1F03238CA4AEDA85D5D3228AC28F800BF] issued to [*** - Internal IssuingCA] issued by [CN=*** - Internal CA; DC=***; DC=drp; DC=***]]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4799">
    <![LOG[Chain has Certificate [Thumbprint EE570BA5328F6E66FE210D73D4F2DBF9F6BD6595] issued to [*** - Internal CA] issued by [CN=*** - Internal CA; DC=***; DC=drp; DC=***]]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4799">
    <![LOG[Based on Certificate Issuer '*** - Internal CA' found Certificate [Thumbprint 9195E5A7A189E12B3821BA395EBA5FF110B0D00A] issued to 'SCCMCLIENT.***']LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:4820">
    <![LOG[Begin validation of Certificate [Thumbprint 9195E5A7A189E12B3821BA395EBA5FF110B0D00A] issued to 'SCCMCLIENT.***']LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:1677">
    <![LOG[CRL check enabled. ]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:1756">
    <![LOG[Verification of Certificate chain returned 00000000]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:1439">
    <![LOG[Completed validation of Certificate [Thumbprint 9195E5A7A189E12B3821BA395EBA5FF110B0D00A] issued to 'SCCMCLIENT.***']LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:1838">
    <![LOG[Analyzing 1 Chain(s) found]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4777">
    <![LOG[Chain has Certificate [Thumbprint 274F424724C2BF2F9FDE783E177056FE1658BFB6] issued to [WMSvc-SHA2-SCCMCLIENT] issued by [CN=WMSvc-SHA2-SCCMCLIENT]]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:4799">
    <![LOG[Skipping Certificate [Thumbprint 274F424724C2BF2F9FDE783E177056FE1658BFB6] issued to 'WMSvc-SHA2-SCCMCLIENT' as root is '']LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:4840">
    <![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:4881">
    <![LOG[Begin to select client certificate]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:5037">
    <![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:5073">
    <![LOG[1 certificate(s) found in the 'MY' certificate store.]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:5101">
    <![LOG[Only one certificate present in the certificate store.]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:5105">
    <![LOG[Begin validation of Certificate [Thumbprint 9195E5A7A189E12B3821BA395EBA5FF110B0D00A] issued to 'SCCMCLIENT.***']LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:1677">
    <![LOG[Allowing usage of CNG key storage.]LOG]!><time="10:23:38.361-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:1813">
    <![LOG[The Certificate [Thumbprint 9195E5A7A189E12B3821BA395EBA5FF110B0D00A] issued to 'SCCMCLIENT.***' doesn't have 'Client Authentication' capability.]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="CcmCert.cpp:657">
    <![LOG[Completed validation of Certificate [Thumbprint 9195E5A7A189E12B3821BA395EBA5FF110B0D00A] issued to 'SCCMCLIENT.***']LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="CcmCert.cpp:1838">
    <![LOG[GetSSLCertificateContext failed with error 0x800b0110]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="3" thread="5660" file="ccmsetup.cpp:6378">
    <![LOG[Failed to get client version for sending state messages. Error 0x8004100e]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="2" thread="5660" file="state.cpp:164">
    <![LOG[[] Params to send '5.0.8577.1115 Deployment Error: 0x800b0110, ']LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="state.cpp:209">
    <![LOG[Sending Fallback Status Point message to 'SCCMSERVER.***', STATEID='315'.]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="state.cpp:295">
    <![LOG[<ClientDeploymentMessage ErrorCode="-2146762480"><Client Baseline="1" BaselineCookie="" Platform="2" Langs=""/></ClientDeploymentMessage>]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="statedetails.cpp:127">
    <![LOG[Request failed: 404 Not Found
    ]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="FSPStateMessage" context="" type="3" thread="5660" file="fsputillib.cpp:1395">
    <![LOG[State message with TopicType 800 and TopicId {41984C22-0CFA-4235-A35E-E926195D83DF} has been sent to the FSP]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="FSPStateMessage" context="" type="1" thread="5660" file="fsputillib.cpp:783">
    <![LOG[GetHttpRequestObjects failed for verb: 'CCM_POST', url: 'HTTPS://SCCMSERVER.***/ccm_system/request']LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="3" thread="5660" file="httphelper.cpp:1163">
    <![LOG[GetDPLocations failed with error 0x800b0110]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="3" thread="5660" file="siteinfo.cpp:620">
    <![LOG[Failed to get DP locations as the expected version from MP 'HTTPS://SCCMSERVER.***'. Error 0x800b0110]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="2" thread="5660" file="ccmsetup.cpp:11481">
    <![LOG[Failed to get client version for sending state messages. Error 0x8004100e]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="2" thread="5660" file="state.cpp:164">
    <![LOG[[] Params to send '5.0.8577.1115 Deployment Error: 0x0, ']LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="state.cpp:209">
    <![LOG[Sending Fallback Status Point message to 'SCCMSERVER.***', STATEID='101'.]LOG]!><time="10:23:38.376-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="state.cpp:295">
    <![LOG[<ClientDeploymentMessage ErrorCode="0"><Client Baseline="1" BaselineCookie="" Platform="2" Langs=""/></ClientDeploymentMessage>]LOG]!><time="10:23:38.392-60" date="12-18-2018" component="ccmsetup" context="" type="1" thread="5660" file="statedetails.cpp:127">
    <![LOG[Request failed: 404 Not Found
    ]LOG]!><time="10:23:38.392-60" date="12-18-2018" component="FSPStateMessage" context="" type="3" thread="5660" file="fsputillib.cpp:1395">
    <![LOG[State message with TopicType 800 and TopicId {98FFB9E8-5C16-490D-B29D-5E914F96312A} has been sent to the FSP]LOG]!><time="10:23:38.392-60" date="12-18-2018" component="FSPStateMessage" context="" type="1" thread="5660" file="fsputillib.cpp:783">
    <![LOG[Next retry in 10 minute(s)...]LOG]!><time="10:23:38.392-60" date="12-18-2018" component="ccmsetup" context="" type="0" thread="5660" file="ccmsetup.cpp:9272">

    Tuesday, December 18, 2018 9:36 AM

All replies

  • You have a certificate problem.

    0x800b0110 = The certificate is not valid for the requested usage.

    I see two references to certificates.

    This one has expired

    Certificate [Thumbprint 9F853D4A2C25AB74408C9CE7FBEA6EF814CC314C] issued to 'SCCMCLIENT.***' has expired.]

    and this was is not configured for client authentication (which is what you need).

    The Certificate [Thumbprint 9195E5A7A189E12B3821BA395EBA5FF110B0D00A] issued to 'SCCMCLIENT.***' doesn't have 'Client Authentication' capability

    You should have a look at how you deploy your certificates. The easiest way to do it is by Autoenrollment GPO.



    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Tuesday, December 18, 2018 1:19 PM
  • Indeed,

    But we have al of this in place, which works fine for the rest of the infra.

    But these systems where cut off from the Certificate server for a while.

    How can we get this back going again?

    Tuesday, December 18, 2018 3:13 PM
  • That's why the certificate is expired then. It depends, how are you distributing the certificate in the first place? As I said, autoenrollment via GPO is the easiest way. You need to troubleshoot that and figure out why the computers aren't getting a certificate. The event logs on the certificate server and the clients is a good place to start. It's outside the scope of this forum though.


    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Tuesday, December 18, 2018 3:32 PM
  • While trying to find the GPO my predesessor made that does the autoenrollment i came up blank.

    Is there a posiblity to do this from SCCM?

     
    Tuesday, December 18, 2018 3:44 PM
  • No this is done external to SCCM. It's more to do with PKI than SCCM. This is the easiest way

    https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates



    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Tuesday, December 18, 2018 3:49 PM