

HeroicBandit

Established Members
  • Posts: 3

Everything posted by HeroicBandit

  1. This setting is also unchecked in the CMG properties. *Edit: Looking at the failure logs further, it seems like it's trying to use a token. Having some understanding of the bulk token option for CMG internet only clients, is there any sort of prerequisite for this and such tokens?
  2. Yup! Confirmed using the trusted root cert. I've also got that applied to the CMG along with the intermediate. Not sure if it's worth noting but part of the reason the CRL checks are disabled in my environment is I had a heck of a time troubleshooting all the rejected attempts to have a client communicate with it until I realized our root cert isn't published externally and will not be due to company security and politics.
  3. Thanks for the write up and video! After following everything exactly, I've run into an immediate failure when attempting to download policy from WinPE once booted. By all accounts it looks cert related but I can't for the life of me figure out what's happening. CRL enforcement isn't being enabled on my CMG nor is TLS 1.2. I've also tried using the same cert we use for imaging on prem but that resulted in the exact same error. Sample log below.

         Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server. Request may fail. TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         Using port 443 for CMG request even customer configured customized port. TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         SMS CCM 5.0: Host=redacted.CLOUDAPP.NET, Path=/CCM_Proxy_ServerAuth/10119/CCM_STS?RequestTokenType=Bulk, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x1204, Options=0x40000000 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         Created connection on port 443 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         Target URL scheme is HTTPS: https://redacted.CLOUDAPP.NET/CCM_Proxy_ServerAuth/10119/CCM_STS?RequestTokenType=Bulk TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         Trying without proxy. TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         [CCMHTTP] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         [CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         [CCMHTTP] : dwStatusInformationLength is 4 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         [CCMHTTP] : *lpvStatusInformation is 0x8 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         [CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         [CCMHTTP] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         spNamespace.Open( c_szEventingNamespace, true, 0, (uFlags & CcmEvent_UseAdminLocator) != 0 ), HRESULT=8004100e (..\Event.cpp,280) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         Failed to create event "CCM_CcmHttp_Status" (8004100E) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         CreateCcmEventV(pszEventName, 0, &spEvent, va), HRESULT=8004100e (..\Event.cpp,353) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         HRESULT_FROM_WIN32( dwErrorCode ), HRESULT=80072f8f (..\requestresponse.cpp,799) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         [CCMHTTP] ERROR: URL=https://redacted.CLOUDAPP.NET/CCM_Proxy_ServerAuth/10119/CCM_STS?RequestTokenType=Bulk, Port=443, Options=1073741824, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         [CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText= TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         HttpRequestResponse( m_sUserAgent.c_str(), szUrl, szMethod, szHeaders, pPayload, dwPayloadLen, 0, uFlags, &httpOptions, ResponseHandler, (LPVOID)&responseData, false, m_eCertAuthResult, m_dwStatusCode, m_sStatusText ), HRESULT=80072f8f (..\ccmhttpget.cpp,815) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         RequestResponseImpl( szUrl, L"GET", szHeaders, 0, 0, 0, 0, uFlags, &pbResponse, &ulResponseLen), HRESULT=80072f8f (..\ccmhttpget.cpp,297) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         GetURLSyncInStreamEx2(szUrl, szHeaders, uFlags, &spStream), HRESULT=80072f8f (..\ccmhttpget.cpp,372) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         spHttpGet->GetURLSyncInStringEx2( sUrl, sAuthHeader, dwFlags, &csResponse), HRESULT=80072f8f (..\ccmtoken.cpp,478) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         RetrieveTokenFromStsServerImpl failed with error 0x80072f8f TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         Failed to create SMS client object. Error 0x80040154 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         spNS.Open(L"root\\ccm"), HRESULT=8004100e (..\CcmUtilLib.cpp,4350) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         !sCcmToken.empty() && (ulExpiresIn > 0), HRESULT=87d00215 (..\ccmtoken.cpp,404) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         CCcmTokenMgr::RetrieveTokenFromStsServer(szPotentialServerUrl, szQueryString, sAuthToken, sToken, ulExpiresIn), HRESULT=87d00215 (..\clientauthutil.cpp,2734) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         CCM::Authentication::CCMGetTokenForMedia(CCM_PREAUTH_TOKEN_REGISTRATION, sSMSTSMP.c_str(), sMediaToken.c_str(), sMediaGuid.c_str(), pClientCertContext, sMediaBulkToken), HRESULT=87d00215 (tsmediawizardcontrol.cpp,948) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
         Failed to retrieve registration token from the media token, Error code: 0x87d00215 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)

     Any help is greatly appreciated!
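
Added example, not part of the original post and not Configuration Manager code: a Python triage helper that decodes the two values in the log above that identify the TLS failure, the WinHTTP secure-failure bitmask (`*lpvStatusInformation is 0x8`) and the Win32-facility HRESULT (`80072f8f`). The flag values are the `WINHTTP_CALLBACK_STATUS_FLAG_*` constants from `winhttp.h`; the function names and the three-line sample are constructed for this example.

```python
import re

# Bit values of the WINHTTP_CALLBACK_STATUS_FLAG_* constants (winhttp.h).
SECURE_FAILURE_FLAGS = {
    0x00000001: "CERT_REV_FAILED",         # revocation check could not complete
    0x00000002: "INVALID_CERT",
    0x00000004: "CERT_REVOKED",
    0x00000008: "INVALID_CA",              # issuing CA is not trusted by the client
    0x00000010: "CERT_CN_INVALID",
    0x00000020: "CERT_DATE_INVALID",
    0x00000040: "CERT_WRONG_USAGE",
    0x80000000: "SECURITY_CHANNEL_ERROR",
}
FACILITY_WIN32 = 7

# Constructed sample: three messages taken from the log in the post above.
SAMPLE_LOG = r"""
[CCMHTTP] : *lpvStatusInformation is 0x8
HRESULT_FROM_WIN32( dwErrorCode ), HRESULT=80072f8f (..\requestresponse.cpp,799)
spNS.Open(L"root\\ccm"), HRESULT=8004100e (..\CcmUtilLib.cpp,4350)
"""

def decode_secure_failure(mask):
    """Return the name of every certificate-failure bit set in mask."""
    return [name for bit, name in SECURE_FAILURE_FLAGS.items() if mask & bit]

def split_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def triage(log_text):
    """Collect decoded TLS failure flags and Win32 error codes from a log."""
    flags, win32_codes = [], []
    for line in log_text.splitlines():
        m = re.search(r"lpvStatusInformation is (0x[0-9a-fA-F]+)", line)
        if m:
            flags += decode_secure_failure(int(m.group(1), 16))
        for h in re.findall(r"HRESULT=([0-9a-fA-F]{8})", line):
            failed, facility, code = split_hresult(int(h, 16))
            # Only Win32-facility failures map back to a WinHTTP error number.
            if failed and facility == FACILITY_WIN32:
                win32_codes.append(code)
    return flags, win32_codes

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample this yields the `INVALID_CA` flag and Win32 code 12175, the same `ERROR_WINHTTP_SECURE_FAILURE` code the log reports, while the WMI-side `8004100e` is skipped because its facility is not Win32.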