Deep Dive Token-Based Authentication for Cloud Management Gateway in Configuration Manager

  • Published: 11 Sep 2024

Comments • 41

  • @JessieS 4 years ago +2

    Dude, the way you explain this is awesome and to the point. Thanks

    • @PatchMyPC 4 years ago +1

      Thanks for the feedback!

  • @SuhrMartin 4 years ago +1

    Clear and to the point explanation of this new feature. Thanks a lot!

  • @balajidhatchanamoorthy3198 3 years ago +1

    As usual, a great post, and more informative as well in a small video!

  • @accesser 1 year ago

    Excellent way of presenting, nice and clear; you are a good presenter.
    7 days is a bit of a limiting factor; whilst this is cool, it's not ideal for my use case (installing the client during ESP AutoPilot with no VPN).

  • @ranvijaybharti 4 years ago +1

    Really great work as always. Appreciate your effort 😊.

  • @soumenbhattachryya5232 4 years ago +1

    Great video with explanation, sir. Looking forward to more videos on SCCM. If you can make a video on how to migrate the CM database to a remote SQL cluster, that would be very helpful.

    • @PatchMyPC 4 years ago

      I tend to stay far away from SQL :)

    • @robertmarshall9485 4 years ago

      The post is dated now, but the instructions shouldn't be that far off from what you'd need to do today: archive.wmug.co.uk/wmug/b/r0b/posts/sqlalwayson-and-sccm

  • @thusithafernando8325 2 years ago

    Awesome video ❤️

  • @nickdamman1253 4 years ago +1

    Great video, such a great feature. My question is, what if the machine already has the client?

    • @PatchMyPC 4 years ago

      I think the same process should apply. CCMsetup should just re-install the client using the token, so it can then access the site from the internet. I didn't test this scenario, but I think it should work the same.

    • @nickdamman1253 4 years ago +1

      @@PatchMyPC Great, thanks! I will test this out today.

    • @robertmarshall9485 4 years ago +1

      @PatchMyPC We get that temp AAD token at install time, so yeah, we'll need to reinstall to induce the code workflow ... nice work Justin, mine is delayed due to issues grrr

  • @cstuga8919 4 years ago

    Why am I only seeing this now!!! I have now subscribed!
    Quick question: in the video, the MS doc at Step 5 shows an entry for "SMSMP=mp1.contoso.com", and in your batch file you also have the entry, but in the current MS doc "docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-token" Step 5 is not showing "SMSMP=mp1.contoso.com" in the example.
    This is puzzling me! Is this required? If so, is this my internal SCCM server address?
    Thanks

    • @PatchMyPC 4 years ago

      It should still work

  • @MattSTwix 3 years ago +1

    Great video, and I followed every step. I'm in a test lab environment using an internal PKI; CMG is working fine, but when I use the procedure I receive errors that it cannot establish a connection. Does my CMG have to have a public cert for this to work?

    • @PatchMyPC 3 years ago

      I would need more specifics on the error message, what's the error in ccmmessaging.log?

    • @MattSTwix 3 years ago

      @PatchMyPC Hi, I don't have that log. I viewed ccmsetup.log on the workgroup machine and it says in red: Failed to connect to machine policy namespace 0x8004100e

    • @MattSTwix 3 years ago

      @PatchMyPC It seems your install .cmd assumes the client has a trusted cert (error 0x87d00454), hence why my on-prem devices worked: they pick up a cert via GPO, even if I switch the NIC to public. But if I take a workgroup remote device with no SCCM client and run your install, I get that error, which seems to point to the client needing to trust the CMG. I tried exporting the client cert, which is auto-enrolled via GPO, to the workgroup client, but it still failed. I even used the switches /usePKICert /NOCRLCheck /mp. The problem I have is we have remote devices, some with no previous client and no GPO enrollment; even if I manually import the client cert from SCCM, it fails...

  • @mikegorski783 3 years ago

    Hi Justin, I have been trying to install the sccm agent on a workgroup PC over the internet using token based authentication but I cannot get it to work. When I try the install, ccmsetup is throwing errors as if there is a cert trust issue between the client and CMG. Among the errors I am getting in ccmsetup, I think these are my main issue: WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED and WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA. If I import the RootCA to the PC, I can prevent the INVALID_CA error from appearing but I shouldn't have to do that. My command line is very similar to what you have in the video. I found if I include /nocrlcheck, the client will install but will still refuse to talk to the CMG and will throw the same cert errors. I have disabled the CRL check for the site but that did not help. Do you have any thoughts? I am running SCCM 2010 and trying to install the client on a Win10 1909 machine. Thanks.

    • @PatchMyPC 3 years ago

      Are you using a public SSL cert for CMG?

    • @mikegorski783 3 years ago +1

      No I'm using a PKI cert pointing directly to the xxx.cloudapp.net domain.

    • @mikegorski783 3 years ago

      Since you asked that question, I think I figured out my problem. My workgroup PC doesn't trust the cert that is attached to the CMG. It looks like I need to get a public cert instead.

    • @PatchMyPC 3 years ago

      @mikegorski783 Yeah, those may be self-signed; a public cert is the best option, I would think.
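
An added diagnostic for the certificate-trust failures discussed in this thread (my own example, not from the video, the commenters, or Microsoft's documentation): it pulls the certificate the CMG presents on port 443, builds the chain from the client's own trust stores with online revocation checking, and maps any chain failure to the two WinHTTP flags quoted above, so you can see before running ccmsetup whether the client is missing the issuing CA or simply cannot reach the CRL. The CMG hostname is a placeholder.

```powershell
# Added diagnostic example, not from the video or the comments above.
# Checks whether THIS machine trusts the TLS chain the CMG presents, and whether
# revocation checking can succeed, so ccmsetup failures can be explained up front.
# Assumption: the hostname below is a placeholder, not a real endpoint.
param(
    [string]$CmgHost = 'CMG-SERVICE-NAME.cloudapp.net',   # placeholder: replace with your CMG FQDN
    [int]$Port = 443
)

$tcp  = New-Object System.Net.Sockets.TcpClient
$ssl  = $null
$leaf = $null
try {
    $tcp.Connect($CmgHost, $Port)
    # Accept any certificate during the handshake; the chain is evaluated explicitly below.
    $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($CmgHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

"Subject : $($leaf.Subject)"
"Issuer  : $($leaf.Issuer)"
"Expires : $($leaf.NotAfter)"

# Build the chain the way WinHTTP would: local trust stores plus an online
# CRL/OCSP check for every certificate except the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$trusted = $chain.Build($leaf)

if ($trusted) {
    "Chain OK: this client trusts the CMG certificate and revocation checks succeeded."
}
else {
    foreach ($status in $chain.ChainStatus) {
        # Map .NET chain status flags to the WinHTTP callback flags seen in ccmsetup.log
        $hint = ''
        switch -Regex ($status.Status.ToString()) {
            'UntrustedRoot|PartialChain'                { $hint = '=> WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA (issuer/root not in this client''s trust store)' }
            'RevocationStatusUnknown|OfflineRevocation' { $hint = '=> WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED (CRL/OCSP not reachable from this client)' }
        }
        "Chain problem: $($status.Status) - $($status.StatusInformation.Trim()) $hint"
    }
}
$chain.Dispose()
```

Run it from the workgroup machine itself, since the result depends on that machine's trust store and its path to the CRL distribution point. An INVALID_CA line means the issuing chain is not trusted there (the situation an internal PKI certificate on the CMG produces on an unmanaged client); a CERT_REV_FAILED line alone means the trust is fine but the revocation endpoint is unreachable, which is the condition the /NOCRLCheck switch mentioned above masks at install time but does not fix for later CMG traffic.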

  • @psymonious 3 years ago

    Great video! I was wondering if I can use 'Token-based Authentication' temporarily to onboard a client and then let it switch to AzureAD-based authentication?

    • @PatchMyPC 3 years ago

      That should work just fine!

  • @siddharthvishwakarma8840 3 years ago

    Do we have to use a new token for every new device coming into the company after seven days?

    • @PatchMyPC 3 years ago

      Yes, the tokens expire after that.

  • @nagup980 4 years ago

    This was very informative, but I need info on the client auth check. Per the MS article, after 90 days the token expires; what happens after that? How will the systems connect back? How does the registration happen if the system is on the internet without LAN access?

    • @PatchMyPC 4 years ago

      It renews using the MP

    • @ptiissuf7995 4 years ago

      Hi Justin, same question here... how would the client renew the token? Via CMG again?

    • @justaguy93 3 years ago

      @PatchMyPC We seem to be having a number of internet clients losing connection to our SCCM environment, and a common factor seems to be that they are our users who do not frequently connect via VPN. Are there any requirements for this renewal over the internet, such as AzureAD hybrid membership? Or is this not a requirement at all in CM2002 and later?

  • @carminepanza6124 4 years ago +1

    Does it also work with Windows 7?