Some typical issues with internet-only mode (CMG) SCCM clients

1. Cannot install SCCM agent via CMG MP

Recently I found out that I could not install SCCM agents in our DMZ. When I checked ccmsetup.log, it showed that ccmsetup was trying to get the SCCM MP from AD instead of using our CMG address:

My SCCM install command line is:

ccmsetup.exe /nocrlcheck /UsePkiCert CCMHOSTNAME=xxx.CLOUDAPP.NET/CCM_Proxy_MutualAuth/xxx SMSSiteCode=xxx CCMFIRSTCERT=1 /mp:HTTPS://xxx.CLOUDAPP.NET/CCM_Proxy_MutualAuth/xxx CCMALWAYSINF=1 SMSMP=https://xxx.CLOUDAPP.NET/CCM_Proxy_MutualAuth/xxx

But why is ccmsetup taking the command line shown in the picture below, which completely overwrote my SCCM installation parameters?

It turned out that ccmsetup was taking its parameters directly from the Client Installation Settings in our SCCM console:

After I chose “Use Default”, the SCCM client could be installed correctly. You can see from this log that the MP is sourced from the client directly instead of from AD.
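To spot this kind of override quickly, the following added example (not part of the original post and not Microsoft tooling) compares the parameters you intended with the command line ccmsetup actually used, as copied by hand from ccmsetup.log. The function names and the "effective" sample value are constructed for illustration.

```powershell
# Split a ccmsetup command line into switches (/name or /name:value) and
# properties (NAME=value). Quoted values containing spaces are not handled.
function ConvertTo-CcmSetupParameter {
    param([Parameter(Mandatory)][string]$CommandLine)
    $result = @{}
    foreach ($token in ($CommandLine -split '\s+' | Where-Object { $_ })) {
        if ($token -match '^ccmsetup(\.exe)?$') { continue }   # skip the executable name
        if ($token -match '^/([^:]+):(.+)$') {                 # e.g. /mp:https://...
            $result['/' + $Matches[1].ToLower()] = $Matches[2]
        } elseif ($token -match '^/(.+)$') {                   # e.g. /UsePkiCert
            $result['/' + $Matches[1].ToLower()] = $true
        } elseif ($token -match '^([^=]+)=(.*)$') {            # e.g. SMSMP=https://...
            $result[$Matches[1].ToUpper()] = $Matches[2]
        }
    }
    $result
}

# Report every intended parameter that is missing or different in the
# command line ccmsetup really ran with.
function Compare-CcmSetupParameter {
    param([Parameter(Mandatory)][string]$Intended,
          [Parameter(Mandatory)][string]$Effective)
    $want = ConvertTo-CcmSetupParameter $Intended
    $got  = ConvertTo-CcmSetupParameter $Effective
    foreach ($name in ($want.Keys | Sort-Object)) {
        $actual = if ($got.ContainsKey($name)) { $got[$name] } else { '<missing>' }
        if ("$actual" -ne "$($want[$name])") {                 # case-insensitive compare
            [pscustomobject]@{
                Parameter = $name
                Intended  = $want[$name]
                Effective = $actual
            }
        }
    }
}

# Intended: the command line from this post (xxx placeholders kept as-is).
$intended = 'ccmsetup.exe /nocrlcheck /UsePkiCert CCMHOSTNAME=xxx.CLOUDAPP.NET/CCM_Proxy_MutualAuth/xxx SMSSiteCode=xxx CCMFIRSTCERT=1 /mp:HTTPS://xxx.CLOUDAPP.NET/CCM_Proxy_MutualAuth/xxx CCMALWAYSINF=1 SMSMP=https://xxx.CLOUDAPP.NET/CCM_Proxy_MutualAuth/xxx'

# Effective: CONSTRUCTED sample standing in for what the console's
# Client Installation Settings supplied; replace with the text from your log.
$effective = 'ccmsetup.exe SMSSITECODE=xxx SMSMP=mp01.internal.example'

Compare-CcmSetupParameter -Intended $intended -Effective $effective |
    Format-Table -AutoSize
```

Any row in the output means the client did not run with the CMG settings you passed; an empty result means the intended parameters were all honoured.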

2. ADALOperationProvider.log Errors

If you see tons of red error messages from ADAL Operation Provider and you are using PKI to authenticate your internet-only mode SCCM clients, that's normal. The component behind this log is trying to authenticate your machine with Azure AD credentials.
