I just completed a new SCCM Primary Site installation for a customer who has a requirement of HTTPS communication only.
After installing 1806 and configuring certificates, I started having issues with installing clients. Here are some of the errors I was seeing in ccmsetup.log:
- Failed to get client version for sending state messages. Error 0x8004100e.
- Failed to get client certificate for transportation. Error 0x87d00282.
- There are at least 2 certificates valid for ConfigMgr usage that meet the selection criteria. The ‘Select First Certificate’ registry entry was set to OFF so a certificate cannot be selected.
That last point is where I focused my troubleshooting efforts on.
From previous experience, I know that I should check client certificate selection settings to confirm that the client should select the certificate with the longest validity period.
This setting is correct and has been for quite some time so I know that the client is ignoring this, or not getting the correct information.
I also know that there are a few switches I can try during installation:
- CCMFIRSTCERT (Tells SCCM to use the certificate with the longest validity period).
- CCMCERTID (Tells SCCM to use a specific certificate based on thumbprint).
ccmsetup.exe /UsePKICert /NoCRLCheck CCMFIRSTCERT=1 SMSSITECODE=P01 CCMCERTID=”MY;D29211C57353FB9FB8944AFF6C14770D9AD4D58C”.
Looking at the logs I can see that the switches have been accepted and the client should be doing the right thing, but unfortunately, it still presents the same errors.
Looking at registry settings from other clients that use HTTPS and are working I can see the following Dword.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security\Select First Certificate = 1.
Manually creating this registry key works and the client is now able to communicate with the MP.
This is the first site we have seen this issue on, but it is also the first 1806 environment in HTTPS only. it is unclear if the problem is 1806 related or just a one-off for this client
Hope this helps!