This follows up on a similar post about requiring Azure AD user discovery and Active Directory user discovery so that Windows 10 machines can communicate over the CMG when they are Hybrid Azure AD joined: https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/
You may run into an issue where a specific Windows 10 client cannot communicate with the CMG. In ccmmessaging.log you will see “Post to http://<CMG>.COM/CCM_Proxy_MutualAuth/<ID>/ccm_system/request failed with 0x87d00231.”
You can run the CMG Connection Analyzer to confirm that the CMG itself is working fine.
At that point you realise the problem is on the Windows 10 device end.
If you run “dsregcmd /status” and see that AzureAdJoined is set to No, then you know the device is not Hybrid Azure AD joined, and therefore it cannot communicate with the SCCM CMG.
This particular machine had been put in an OU that was not synced to Azure AD by Azure AD Connect. After moving it into the correct OU and running another Azure AD Connect sync (Start-ADSyncSyncCycle -PolicyType Delta), the device could communicate over the CMG fine.
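The check described above, as an added example that is not part of the original post: it parses dsregcmd /status for the join state and scans ccmmessaging.log for the 0x87d00231 failure on the CMG proxy endpoint. It assumes the default ConfigMgr client log path; Start-ADSyncSyncCycle is run on the Azure AD Connect server, not on the client.

```powershell
# Added example (not from the original post). Assumes the default client log path.
$LogPath = 'C:\Windows\CCM\Logs\ccmmessaging.log'

function Get-HybridJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the two that matter.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $status[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    [pscustomobject]@{
        DomainJoined  = [bool]$status['DomainJoined']
        AzureAdJoined = [bool]$status['AzureAdJoined']
        # Hybrid Azure AD join requires both AD domain join and Azure AD join.
        HybridJoined  = ([bool]$status['DomainJoined'] -and [bool]$status['AzureAdJoined'])
    }
}

function Find-CmgTokenFailure {
    param([string]$Path = $LogPath)
    if (-not (Test-Path $Path)) { return @() }
    # CMG traffic goes through CCM_Proxy_MutualAuth; 0x87d00231 is the error from the post.
    @(Select-String -Path $Path -Pattern 'CCM_Proxy_MutualAuth.*0x87d00231' |
        ForEach-Object { $_.Line })
}

$state    = Get-HybridJoinState
$failures = Find-CmgTokenFailure
$state | Format-List

if (-not $state.HybridJoined -and $failures.Count -gt 0) {
    Write-Warning "Not Hybrid Azure AD joined (AzureAdJoined=$($state.AzureAdJoined)); $($failures.Count) CMG post(s) failed with 0x87d00231."
    Write-Warning 'Confirm the computer object is in an OU that Azure AD Connect syncs, then run Start-ADSyncSyncCycle -PolicyType Delta on the sync server.'
} elseif ($state.HybridJoined) {
    Write-Output 'Device is Hybrid Azure AD joined; look elsewhere for the CMG failure.'
}
```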
Did you not use ADFS? Because with ADFS in place you don’t have to sync the OU containing the devices to AAD.
No, I wasn’t using ADFS. Just password sync.