ConfigMgr Client installation issues in HTTPS environment

Hi All

I just completed a new SCCM Primary Site installation for a customer who has a requirement of HTTPS communication only.

Symptoms

After installing 1806 and configuring certificates, I started having issues with installing clients. Here are some of the errors I was seeing in ccmsetup.log:

  • Failed to get client version for sending state messages. Error 0x8004100e.
  • Failed to get client certificate for transportation. Error 0x87d00282.
  • There are at least 2 certificates valid for ConfigMgr usage that meet the selection criteria. The ‘Select First Certificate’ registry entry was set to OFF so a certificate cannot be selected.

[Screenshot: Failed client install]

That last point is where I focused my troubleshooting efforts.

From previous experience, I know that I should check client certificate selection settings to confirm that the client should select the certificate with the longest validity period.

[Screenshot: Client Certificate Selection Settings]

This setting is correct and has been for quite some time so I know that the client is ignoring this, or not getting the correct information.

I also know that there are a few switches I can try during installation:

  • CCMFIRSTCERT (Tells SCCM to use the certificate with the longest validity period).
  • CCMCERTID (Tells SCCM to use a specific certificate based on thumbprint).

ccmsetup.exe /UsePKICert /NoCRLCheck CCMFIRSTCERT=1 SMSSITECODE=P01 CCMCERTID="MY;D29211C57353FB9FB8944AFF6C14770D9AD4D58C"

Looking at the logs I can see that the switches have been accepted and the client should be doing the right thing, but unfortunately, it still presents the same errors.

Solution

Looking at registry settings from other clients that use HTTPS and are working, I can see the following DWORD:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security\Select First Certificate = 1.

[Screenshot: Select First Certificate]

Manually creating this registry key works and the client is now able to communicate with the MP.
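The check and the fix described above can be scripted. The following PowerShell is an added example, not part of the original post: it lists the certificates that could be competing for selection and then sets the value. It assumes the candidates are currently valid certificates in the computer's Personal store with a private key and the Client Authentication EKU, which only approximates the client's real selection logic.

```powershell
# Added example, not from the original post. Run in an elevated 64-bit
# PowerShell session on the affected client.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

# Assumption: a certificate is a candidate when it sits in LocalMachine\My,
# has a private key, is inside its validity period and lists the Client
# Authentication EKU. The site's own selection criteria are not evaluated
# here. Certificates with no EKU extension at all are not listed.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
} | Sort-Object -Property NotAfter -Descending)

# Longest validity first, which is the one CCMFIRSTCERT is described as picking.
$candidates | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize

$key  = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
$name = 'Select First Certificate'

# Show the current state before changing anything.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = '<not set>' }
Write-Output "Candidate certificates: $($candidates.Count)"
Write-Output "Current '$name' value: $current"

if ($candidates.Count -ge 2 -and $current -ne 1) {
    # More than one candidate and the value is off or missing: this matches
    # the third ccmsetup.log error above. Create the DWORD as in the Solution.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force |
        Out-Null
    Write-Output "Set '$name' to 1."
}
else {
    Write-Output 'No change made.'
}
```

Review the table before relying on the setting: the certificate at the top should be the one issued for ConfigMgr client use by the expected CA, since that is the one the client will now present to the MP.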

Notes

This is the first site we have seen this issue on, but it is also the first 1806 environment in HTTPS only. It is unclear if the problem is 1806 related or just a one-off for this client.

Hope this helps!

Cheers

Liam
