SCEP Configuration Manager Client failing to install. Detailed troubleshooting below

sccm

We have a new SCEP 2002 installation on a new AD domain, and we're having no luck at all deploying clients. Whether we deploy them from the Configuration Console (right-click, Install Client) or manually (copy the files, then run ccmsetup.exe), the ccmsetup.log gives multiple errors.

Boundary Group Troubleshooting
The boundaries and boundary groups are set correctly. We have an AD site named "Site01". When we run 'nltest /dsgetsite' on a Windows 10 box, we get the response 'Site01'.

We added Site01 as a boundary in SCEP, and we added that boundary to a boundary group, also named Site01. In our Distribution Point, we added the Site01 boundary group in the Boundary Groups tab.

Connectivity checks
From the Windows 10 client, we can browse to http://scepserver (note: we're using http to rule out any SSL issues). We can also browse to http://scepserver/CCM_Client and its subfolders. http://scepserver/sms_mp gives us a 403.2 forbidden error, but I believe that's to be expected.
The ccm.log on the server indicates that our client push account can reach the client's admin$ share, and the folder c:\windows\ccmsetup populates when we push the client.

ccmsetup.log review
Rather than attaching the whole ccmsetup.log file, here are excerpts I think are important. I've bolded a few key items.

==========[ ccmsetup started in process 9364 ]========== ccmsetup 6/10/2021 8:11:15 PM 4032 (0x0FC0)
Running on platform X64 ccmsetup 6/10/2021 8:11:15 PM 4032 (0x0FC0)
Launch from folder C:\windows\ccmsetup\ ccmsetup 6/10/2021 8:11:15 PM 4032 (0x0FC0)
CcmSetup version: 5.0.8968.1014 ccmsetup 6/10/2021 8:11:15 PM 4032 (0x0FC0)
Folder 'Microsoft\Microsoft\Configuration Manager' not found. Task does not exist. ccmsetup 6/10/2021 8:11:15 PM 4032 (0x0FC0)

Ccmsetup command line: "C:\windows\ccmsetup\ccmsetup.exe" /runservice /ignoreskipupgrade /config:MobileClient.tcf ccmsetup 6/10/2021 8:11:15 PM 9352 (0x2488)

Performing AD query: '(&(ObjectCategory=mSSMSManagementPoint)(mSSMSDefaultMP=TRUE)(mSSMSSiteCode=site01))' ccmsetup 6/10/2021 8:11:15 PM 9352 (0x2488)
OperationalXml '5.00.8968.100002248044311removedsite01 SMSSITECODE=site01 ' ccmsetup 6/10/2021 8:11:15 PM 9352 (0x2488)
The MP name retrieved is 'scepserver.mydomain.com' with version '8968' and capabilities '' ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
MP 'scepserver.mydomain.com' is compatible ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
Retrieved 1 MP records from AD for site 'site01' ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)


FromAD: command line = SMSSITECODE=site01 ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

Found MP http://scepserver.mydomain.com from AD ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

Failed to connect to machine policy namespace. 0x8004100e ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

Sending state '100'… ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0 ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
Failed to get client version for sending state messages. Error 0x8004100e ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
[] Params to send '5.0.8968.1014 Deployment Error: 0x0, ' ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
A Fallback Status Point has not been specified and no client was installed. Message with STATEID='100' will not be sent. ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
Failed to send status 100. Error (87D00215) ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

Failed to get DP locations as the expected version from MP 'http://scepserver.mydomain.com'. Error 0x87d00215 ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

Sending location request to 'scepserver.mydomain.com' with payload '

AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0">

ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
MapNLMCostDataToCCMCost() returning Cost 0x1 ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
Failed to connect to machine policy namespace. 0x8004100e ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)

Failed to get DP locations as the expected version from MP 'http://scepserver.mydomain.com'. Error 0x87d00215 ccmsetup 6/10/2021 8:21:18 PM 9352 (0x2488)
MP 'http://scepserver.mydomain.com' didn't return DP locations for client package with the expected version. Retrying in 30 minutes. ccmsetup 6/10/2021 8:21:18 PM 9352 (0x2488)
Next retry in 30 minute(s)… ccmsetup 6/10/2021 8:21:18 PM 9352 (0x2488)

I don't know why it's using 'MobileClient.tcf' for its configuration. This is a regular Windows 10 system.

Other than that, most of the errors indicate that the SCCM client can't connect to some part of the SCEP server's web site. Or is that the SCEP server's WMI namespace? Does anything in the log files point you toward a specific issue? Any help you can offer would be greatly appreciated.

EDIT: We also added the client push account to the local administrators group on the SCEP server and the client. We ran wbemtest and get-wmiobject from the client to retrieve class_win32 from the SCEP server.

Best Answer

The MobileClient.tcf and "Failed to connect to machine policy namespace. 0x8004100e" error is standard. This is the line that I believe should be focused on.

Failed to get DP locations as the expected version from MP 'http://scepserver.mydomain.com'

It suggests your device either isn't falling into a boundary group or there's a misconfiguration in the boundary groups as it can't correctly find the DPs.

I would do the following:

  1. If you're assigning the boundary by IP range, check the IP address of the device and ensure it falls within that range
  2. Check the health of your distribution point
  3. Try checking the Use a fallback site option in your site's hierarchy settings. (Administration -> Site configuration -> Sites -> Your Site -> Hierarchy Settings)

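The answer's reading of the log, as an added example that is not part of the original question or answer: a Python sketch that parses lines in the layout shown in the excerpt, groups them by error code, and ranks the "Failed to get DP locations" entries ahead of the namespace error the answer calls standard. The sample lines are constructed from the excerpt, and the function and category names are assumptions of this example.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample, taken from the excerpt in the question. Layout:
# "<message> <component> <date> <time> <thread> (0x<thread hex>)"
SAMPLE = """\
Found MP http://scepserver.mydomain.com from AD ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
Failed to connect to machine policy namespace. 0x8004100e ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
Failed to send status 100. Error (87D00215) ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
Failed to get DP locations as the expected version from MP 'http://scepserver.mydomain.com'. Error 0x87d00215 ccmsetup 6/10/2021 8:11:16 PM 9352 (0x2488)
Failed to get DP locations as the expected version from MP 'http://scepserver.mydomain.com'. Error 0x87d00215 ccmsetup 6/10/2021 8:21:18 PM 9352 (0x2488)
"""

LINE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<comp>\S+)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+\d+ \(0x[0-9A-Fa-f]+\)$")
CODE = re.compile(r"\b(?:0x)?(8[0-9A-Fa-f]{7})\b")  # 0x8004100e or bare 87D00215

def classify(msg):
    """Hypothetical categories that follow the answer's reading of the log."""
    if "machine policy namespace" in msg:
        return "expected"    # the answer calls this error standard
    if msg.startswith("Failed to get DP locations"):
        return "actionable"  # the line the answer says to focus on
    return "review"

def triage(text):
    """Group coded error lines by (message, code); actionable groups first."""
    groups = OrderedDict()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        code = CODE.search(m["msg"]) if m else None
        if not code:
            continue  # not a log line, or no error code in the message
        when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        key = (m["msg"], "0x" + code.group(1).lower())
        g = groups.setdefault(key, {"category": classify(m["msg"]), "code": key[1],
                                    "message": m["msg"], "count": 0, "first": when})
        g["count"] += 1
        g["last"] = when
    rank = {"actionable": 0, "review": 1, "expected": 2}
    return sorted(groups.values(), key=lambda g: rank[g["category"]])

if __name__ == "__main__":
    for g in triage(SAMPLE):
        print(f'{g["category"]:<10} {g["code"]} x{g["count"]} '
              f'{g["first"]:%H:%M:%S}-{g["last"]:%H:%M:%S}  {g["message"]}')
```

Run against a full ccmsetup.log, the first and last timestamps of the actionable group show how long the client has been retrying the DP location request.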