OSD via Boot Media and CMG Fails with Error 0x80004005

Posted by Prajwal Desai

I recently published a post on OSD via boot media and CMG. While working on it, my task sequence failed with the generic error 0x80004005. Let me share my findings and the solution to this issue.

Deploying a task sequence over the internet via CMG is an awesome feature and you must try it. The remote machine need not be domain joined, yet you can still image it using a task sequence with a boot image and CMG.

I encountered this issue on my SCCM 2010 setup. I had also installed hotfix KB4594176, since I had opted for the early update ring of version 2010.


So after I created the boot media, I configured my client machine to boot from it and got an error: "Failed to Run Task Sequence. An error occurred while retrieving policy for this computer (0x80004005). For more information, contact your system administrator or helpdesk operator."

My cloud management gateway was working fine and I could RDP to the CMG without any issues.

First of all, 0x80004005 is a generic error code; you can't infer anything from it on its own. You must examine the smsts.log file to find the actual errors.


When I reviewed the smsts.log file, I saw the WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED error. In addition, there were other errors as well, such as "Sending with winhttp failed; 80072f8f".


Scrolling down further, I saw another error: "SyncTimeWithMP() failed. 80072ee7. Failed to get time information from MP." This made no sense at first, because there was nothing wrong with either the CMG or my client.


Here is the smsts.log file output.

[TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap
[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered TSMBootstrap
[TSMESSAGING] : dwStatusInformationLength is 4 TSMBootstrap
[TSMESSAGING] : *lpvStatusInformation is 0x1
[TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set
[TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap 
Error. Received 0x80072f8f from WinHttpSendRequest.
Sending with winhttp failed; 80072f8f. retrying.
Retrying and Ignoring date security failures.
Sending with winhttp failed; 80072f8f
Will retry in 44 second(s)
Sending with winhttp failed; 80072ee7
End of retries
Failed to get client identity (80072ee7)
failed to request for client
SyncTimeWithMP() failed. 80072ee7.
Failed to get time information from MP: https://PRAJWALCMG.PRAJWAL.ORG/CCM_Proxy_MutualAuth/72057594037927939.
Failed to select MP TSMBootstrap

First, take a look at the WINHTTP_STATUS_CALLBACK documentation. The error in my smsts.log file is WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED, which means certificate revocation checking has been enabled, but the revocation check failed to verify whether a certificate has been revoked; the server used to check for revocation might be unreachable.
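As an added example (not code from the original post), here is a small Python script that decodes the two things the smsts.log excerpt gives you: the lpvStatusInformation bitmask behind the WINHTTP_CALLBACK_STATUS_SECURE_FAILURE callback (the "0x1" in the log is exactly the CERT_REV_FAILED bit) and the WinHTTP HRESULTs such as 80072f8f. It generalizes to the full set of secure-failure flags from winhttp.h, so it also tells CERT_REV_FAILED (the CRL could not be checked) apart from CERT_REVOKED (the certificate really is revoked), which is worth knowing before you disable revocation checking. The sample log lines are constructed from the excerpt above.

```python
import re

# Constructed sample modelled on the smsts.log excerpt above (not a real capture).
SAMPLE_LOG = """\
[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered TSMBootstrap
[TSMESSAGING] : *lpvStatusInformation is 0x1
Error. Received 0x80072f8f from WinHttpSendRequest.
Sending with winhttp failed; 80072f8f. retrying.
Sending with winhttp failed; 80072ee7
Failed to get client identity (80072ee7)
SyncTimeWithMP() failed. 80072ee7.
"""

# Bit flags carried in lpvStatusInformation for WINHTTP_CALLBACK_STATUS_SECURE_FAILURE (winhttp.h).
SECURE_FAILURE_FLAGS = {
    0x00000001: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED",       # revocation server unreachable
    0x00000002: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT",
    0x00000004: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED",          # certificate really is revoked
    0x00000008: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA",
    0x00000010: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID",
    0x00000020: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID",
    0x80000000: "WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR",
}

# HRESULTs WinHTTP surfaces in smsts.log (0x8007xxxx wraps the Win32/WinINet error code).
WINHTTP_HRESULTS = {
    0x80072F8F: "ERROR_WINHTTP_SECURE_FAILURE (12175)",
    0x80072EE7: "ERROR_WINHTTP_NAME_NOT_RESOLVED (12007)",
    0x80004005: "E_FAIL (generic failure)",
}


def decode_secure_failure(mask):
    """Expand an lpvStatusInformation bitmask into its named WinHTTP flags."""
    return [name for bit, name in SECURE_FAILURE_FLAGS.items() if mask & bit]


def scan_smsts(text):
    """Return (flags, hresults): decoded secure-failure flags, and the distinct
    WinHTTP HRESULTs seen (value -> name) in order of first appearance."""
    flags, hresults = [], {}
    for line in text.splitlines():
        m = re.search(r"\*lpvStatusInformation is (0x[0-9a-fA-F]+)", line)
        if m:
            flags += [f for f in decode_secure_failure(int(m.group(1), 16)) if f not in flags]
        for code in re.findall(r"\b(?:0x)?(8007[0-9a-fA-F]{4}|80004005)\b", line):
            value = int(code, 16)
            hresults.setdefault(value, WINHTTP_HRESULTS.get(value, "unknown HRESULT"))
    return flags, hresults
```

Run scan_smsts() over the contents of your own smsts.log; if the flags list contains CERT_REVOKED rather than CERT_REV_FAILED, the fix below is not the right one.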

I should mention here that my colleague Tom Degreef encountered the same error. About a week later, he suggested a trick, and it worked.

What Tom did was turn off CRL checking on the CMG. That alone did not fix the issue, so he also turned off CRL checking at the site level. Rebuilding the boot media after turning off CRL checking at the site level did the trick.

Client Certificate Revocation

When deploying a CMG using PKI, we configure the service to Verify client certificate revocation on the Settings tab. This setting makes the service check client certificates against a published certificate revocation list (CRL).

According to Microsoft, this CMG option verifies the client authentication certificate.

  • If the client is using Azure AD authentication, the CRL doesn't matter.
  • If you use PKI and externally publish the CRL, enable this option (recommended).
  • If you use PKI and don't publish the CRL, disable this option.

In my case I was using PKI and I don't host my CRL on an internet-facing web server. Hence I decided to disable the CRL check on the CMG and at the site level.

To turn off the CRL check on the CMG, open the CMG properties and click the Settings tab. Uncheck Verify client certificate revocation and click OK.


At the site level you can also turn off the CRL check. In the site properties, click the Communication Security tab. Uncheck Client Check Certificate Revocation list for Site Systems and click OK.


After making the above changes and rebuilding the boot media, I could perform OSD via boot media and CMG without any errors. I hope this post helps.

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.