Thanks for the write-up and video! After following everything exactly, I've run into an immediate failure when attempting to download policy from WinPE once booted. By all accounts it looks cert-related, but I can't for the life of me figure out what's happening. CRL enforcement isn't being enabled on my CMG, nor is TLS 1.2. I've also tried using the same cert we use for imaging on-prem, but that resulted in the exact same error. Sample log below.
Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server. Request may fail. TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
Using port 443 for CMG request even customer configured customized port. TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
SMS CCM 5.0: Host=redacted.CLOUDAPP.NET, Path=/CCM_Proxy_ServerAuth/10119/CCM_STS?RequestTokenType=Bulk, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x1204, Options=0x40000000 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
Created connection on port 443 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
Target URL scheme is HTTPS: https://redacted.CLOUDAPP.NET/CCM_Proxy_ServerAuth/10119/CCM_STS?RequestTokenType=Bulk TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
Trying without proxy. TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
[CCMHTTP] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
[CCMHTTP] : dwStatusInformationLength is 4 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
[CCMHTTP] : *lpvStatusInformation is 0x8 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
[CCMHTTP] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
spNamespace.Open( c_szEventingNamespace, true, 0, (uFlags & CcmEvent_UseAdminLocator) != 0 ), HRESULT=8004100e (..\Event.cpp,280) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
Failed to create event "CCM_CcmHttp_Status" (8004100E) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
CreateCcmEventV(pszEventName, 0, &spEvent, va), HRESULT=8004100e (..\Event.cpp,353) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
HRESULT_FROM_WIN32( dwErrorCode ), HRESULT=80072f8f (..\requestresponse.cpp,799) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
[CCMHTTP] ERROR: URL=https://redacted.CLOUDAPP.NET/CCM_Proxy_ServerAuth/10119/CCM_STS?RequestTokenType=Bulk, Port=443, Options=1073741824, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText= TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
HttpRequestResponse( m_sUserAgent.c_str(), szUrl, szMethod, szHeaders, pPayload, dwPayloadLen, 0, uFlags, &httpOptions, ResponseHandler, (LPVOID)&responseData, false, m_eCertAuthResult, m_dwStatusCode, m_sStatusText ), HRESULT=80072f8f (..\ccmhttpget.cpp,815) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
RequestResponseImpl( szUrl, L"GET", szHeaders, 0, 0, 0, 0, uFlags, &pbResponse, &ulResponseLen), HRESULT=80072f8f (..\ccmhttpget.cpp,297) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
GetURLSyncInStreamEx2(szUrl, szHeaders, uFlags, &spStream), HRESULT=80072f8f (..\ccmhttpget.cpp,372) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
spHttpGet->GetURLSyncInStringEx2( sUrl, sAuthHeader, dwFlags, &csResponse), HRESULT=80072f8f (..\ccmtoken.cpp,478) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
RetrieveTokenFromStsServerImpl failed with error 0x80072f8f TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
Failed to create SMS client object. Error 0x80040154 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
spNS.Open(L"root\\ccm"), HRESULT=8004100e (..\CcmUtilLib.cpp,4350) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
!sCcmToken.empty() && (ulExpiresIn > 0), HRESULT=87d00215 (..\ccmtoken.cpp,404) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
CCcmTokenMgr::RetrieveTokenFromStsServer(szPotentialServerUrl, szQueryString, sAuthToken, sToken, ulExpiresIn), HRESULT=87d00215 (..\clientauthutil.cpp,2734) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
CCM::Authentication::CCMGetTokenForMedia(CCM_PREAUTH_TOKEN_REGISTRATION, sSMSTSMP.c_str(), sMediaToken.c_str(), sMediaGuid.c_str(), pClientCertContext, sMediaBulkToken), HRESULT=87d00215 (tsmediawizardcontrol.cpp,948) TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
Failed to retrieve registration token from the media token, Error code: 0x87d00215 TSMBootstrap 12/22/2020 3:22:59 PM 1684 (0x0694)
Any help is greatly appreciated!