Unable to install SCCM Client

B2theB 26 Reputation points
2025-02-07T15:11:00.05+00:00

We have just upgraded to version 2409 and are using HTTPS/PKI for client communication. The install went through without any issues, and all services are showing as online. However, since the upgrade we are not able to install the client on a new machine, either by manual installation or by pushing it out via the console. Existing machines show as PKI and are online.

The CCMsetup.log has the below errors:

Failed to connect to machine policy namespace. 0x8004100e

Failed to get client version for sending state messages. Error 0x8004100e

Failed (0x87d00455) to send location request to 'ServerName'. StatusCode 403, StatusText 'Forbidden

Failed to get DP locations as the expected version from MP 'ServerName'. Error 0x87d00455

We can access the CCM_CLient path via https using a browser.

We have checked all certs and they all are fine, having the whole chain. The new machines have a client certificate installed.

The setuplog shows cert validation:

Completed validation of Certificate [Thumbprint ] issued to 'Machine' ccmsetup 2025-02-07 9:46:27 AM 5356 (0x14EC)

Client selected the PKI Certificate

We have trawled through the internet and are unable to find a fix. Any help will be gratefully appreciated.


2 answers

  1. Simon Ren-MSFT 39,601 Reputation points Microsoft External Staff
    2025-02-10T02:14:10.8366667+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    1. Is the new machine in the same subnet/VLAN as your site server? Can we install the SCCM client on other new machines?

    2. Please make sure your firewall or anti-virus software doesn't block the communication between the client and site system servers.

    3. Use the following URLs to verify that the client can access the management point and the management point certificate information:

    http(s)://<ServerName>/sms_mp/.sms_aut?mplist

    http(s)://<ServerName>/sms_mp/.sms_aut?mpcert

    Where <ServerName> is the NetBIOS/FQDN for the management point computer.

    4. Please check your boundary and boundary group configurations, and associate your MPs and DPs with the boundary groups.

    For more detailed troubleshooting steps, please refer to the helpful article:

    Troubleshooting SCCM ..Part I (Client Push Installation )

    Thanks for your time. Have a nice day!

    Best regards,

    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Simon Ren-MSFT 39,601 Reputation points Microsoft External Staff
    2025-02-11T09:47:22.2966667+00:00

    Hi,

    Thanks for your reply.

    1. Please check the ClientIDManagerStartup.log and CcmMessaging.log on a client having issues to see if we can get more information about the communication between the client and management points.

    2. Please check your permissions and settings in IIS. Also, kindly check the IIS logs on the MP to get a more detailed error code, as 403 is entirely too generic but only the IIS log will have a more specific code. My guess is that the CRL is not accessible, as this is a common issue in PKIs. Another common problem is simple certificate trust, which is also commonly problematic for non-well planned PKIs.

    Also, we can use the manual installation command with /UsePKICert and /NoCRLCheck to have a try. For example:

    C:\windows\ccmsetup\ccmsetup.exe /forceinstall /mp:https://<Servername> SMSSITECODE=XXX /UsePKICert /NoCRLCheck

    3. Can we see any error in ccm.log on the site server for client push installation failure?

    Feel free to contact me if you have any concerns/queries.

    Best regards,

    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
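
The second answer points at the IIS logs on the management point because a bare 403 hides the substatus. As an added example (not part of the original thread and not Microsoft's tooling), this PowerShell function pulls 403 entries out of a W3C-format IIS log and labels the client-certificate substatus codes. The sample log lines, IP addresses and the function name Get-Iis403Detail are constructed for illustration.

```powershell
# Constructed sample of a W3C-format IIS log from a management point (not real data).
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-02-07 09:46:30 10.0.0.10 CCM_POST /ccm_system/request - 443 - 10.0.0.57 ccmhttp 403 16 2148204809 31
2025-02-07 09:46:31 10.0.0.10 GET /SMS_MP/.sms_aut mplist 443 - 10.0.0.57 ccmhttp 200 0 0 15
2025-02-07 09:47:02 10.0.0.10 CCM_POST /ccm_system/request - 443 - 10.0.0.58 ccmhttp 403 13 2148081683 27
'@

# Certificate-related 403 substatus codes recorded by IIS.
$substatus = @{
    '7'  = 'Client certificate required'
    '13' = 'Client certificate revoked (or revocation status could not be determined)'
    '16' = 'Client certificate is untrusted or invalid'
    '17' = 'Client certificate has expired or is not yet valid'
}

# Hypothetical helper: returns one object per 403 entry with its decoded substatus.
function Get-Iis403Detail {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header can reappear mid-file, so re-read the column order each time.
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '403') { continue }
        $sub = $row['sc-substatus']
        [pscustomobject]@{
            Time     = "$($row['date']) $($row['time'])"
            ClientIP = $row['c-ip']
            Uri      = $row['cs-uri-stem']
            Status   = "403.$sub"
            Meaning  = if ($substatus.ContainsKey($sub)) { $substatus[$sub] } else { 'See IIS status code documentation' }
            Win32    = '0x{0:X8}' -f [uint32]$row['sc-win32-status']
        }
    }
}

Get-Iis403Detail -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against a real log, pass the output of Get-Content for the management point's IIS site log. The column order is read from the #Fields header, so a customised logging layout still parses as long as sc-status and sc-substatus are enabled.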

