I recently published a post on OSD via Boot media and CMG. While working on it, my task sequence failed with a generic error 0x80004005. Let me share my findings and solution to this issue.
Deploying a task sequence over the internet via CMG is an awesome feature and you must try it. The remote machine will not be domain joined, but you can still image a remote client using a task sequence with a boot image and CMG.
OSD via Boot Media and CMG Fails with Error 0x80004005
So after I created the boot media, I configured my client machine to boot from it and I got an error: "Failed to Run Task Sequence. An error occurred while retrieving policy for this computer (0x80004005). For more information, contact your system administrator or helpdesk operator."
First of all, 0x80004005 is a generic error code. You can't guess anything from that error alone. You must examine the smsts.log file to find the actual errors.
When I reviewed the smsts.log file, I saw the WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED error. In addition, there were other errors as well, such as "Sending with winhttp failed; 80072f8f".
Scrolling down further, I saw another error: "SyncTimeWithMP() failed. 80072ee7. Failed to get time information from MP." This actually made no sense because there was nothing wrong with the CMG and my client.
Here is the smsts.log file output.
[TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap
[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered TSMBootstrap
[TSMESSAGING] : dwStatusInformationLength is 4 TSMBootstrap
[TSMESSAGING] : *lpvStatusInformation is 0x1
[TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set
[TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap
Error. Received 0x80072f8f from WinHttpSendRequest.
Sending with winhttp failed; 80072f8f. retrying.
Retrying and Ignoring date security failures.
Sending with winhttp failed; 80072f8f
Will retry in 44 second(s)
Sending with winhttp failed; 80072ee7
End of retries
Failed to get client identity (80072ee7)
failed to request for client
SyncTimeWithMP() failed. 80072ee7.
Failed to get time information from MP: https://PRAJWALCMG.PRAJWAL.ORG/CCM_Proxy_MutualAuth/72057594037927939.
Failed to select MP TSMBootstrap
First, take a look at the WINHTTP_STATUS_CALLBACK functions. The error I have in the smsts.log file is WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED. This flag means that certificate revocation checking was enabled, but the revocation check could not verify whether the certificate has been revoked. The server used to check for revocation might be unreachable.
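To make the smsts.log triage repeatable, here is an added example (my own code, not from the original post or from ConfigMgr) that pulls the 0x8xxxxxxx HRESULTs out of the log, decodes the WINHTTP_CALLBACK_STATUS_SECURE_FAILURE bit flags behind lpvStatusInformation, and records which management point URL the client was trying to reach. The log excerpt is constructed to mirror the lines quoted above; the HRESULT and flag mappings are the standard WinHTTP constants.

```python
import re

# Constructed excerpt modelled on the smsts.log lines quoted in the post (not a
# real capture): one entry per line, as the log viewer would show them.
SAMPLE_LOG = """\
[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
[TSMESSAGING] : dwStatusInformationLength is 4
[TSMESSAGING] : *lpvStatusInformation is 0x1
[TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set
Error. Received 0x80072f8f from WinHttpSendRequest.
Sending with winhttp failed; 80072f8f. retrying.
Retrying and Ignoring date security failures.
Sending with winhttp failed; 80072f8f
Will retry in 44 second(s)
Sending with winhttp failed; 80072ee7
End of retries
Failed to get client identity (80072ee7)
SyncTimeWithMP() failed. 80072ee7.
Failed to get time information from MP: https://PRAJWALCMG.PRAJWAL.ORG/CCM_Proxy_MutualAuth/72057594037927939.
Failed to select MP
"""

# Standard WinHTTP HRESULTs seen in this failure, with their Win32 error numbers.
WINHTTP_HRESULTS = {
    0x80072F8F: "ERROR_WINHTTP_SECURE_FAILURE (12175): a TLS/certificate check failed; see the secure-failure flags",
    0x80072EE7: "ERROR_WINHTTP_NAME_NOT_RESOLVED (12007): the server name could not be resolved",
    0x80004005: "E_FAIL: generic failure; look for a more specific code earlier in the log",
}

# Bit flags carried in lpvStatusInformation for WINHTTP_CALLBACK_STATUS_SECURE_FAILURE.
SECURE_FAILURE_FLAGS = {
    0x00000001: "CERT_REV_FAILED",
    0x00000002: "INVALID_CERT",
    0x00000004: "CERT_REVOKED",
    0x00000008: "INVALID_CA",
    0x00000010: "CERT_CN_INVALID",
    0x00000020: "CERT_DATE_INVALID",
    0x80000000: "SECURITY_CHANNEL_ERROR",
}

CODE_RE = re.compile(r"\b(?:0x)?(8[0-9a-fA-F]{7})\b")
STATUS_INFO_RE = re.compile(r"\*lpvStatusInformation is (0x[0-9a-fA-F]+)")
MP_URL_RE = re.compile(r"Failed to get time information from MP:\s*(\S+)")


def decode_secure_failure_flags(value):
    """Return the names of every flag bit set in a secure-failure status value."""
    return [name for bit, name in sorted(SECURE_FAILURE_FLAGS.items()) if value & bit]


def find_error_codes(log_text):
    """Return the 0x8xxxxxxx HRESULTs in the log, deduplicated, in first-seen order."""
    codes = [int(c, 16) for c in CODE_RE.findall(log_text)]
    return list(dict.fromkeys(codes))


def triage(log_text):
    """Summarise why the TS bootstrap failed: codes, TLS flags and the MP it tried."""
    flags = []
    for m in STATUS_INFO_RE.finditer(log_text):
        flags.extend(decode_secure_failure_flags(int(m.group(1), 16)))
    mp = MP_URL_RE.search(log_text)
    return {
        "codes": [(c, WINHTTP_HRESULTS.get(c, "unknown HRESULT")) for c in find_error_codes(log_text)],
        "secure_failure_flags": list(dict.fromkeys(flags)),
        "mp_url": mp.group(1).rstrip(".") if mp else None,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, meaning in result["codes"]:
        print(f"0x{code:08X}: {meaning}")
    print("secure failure flags:", ", ".join(result["secure_failure_flags"]) or "none")
    print("management point tried:", result["mp_url"])
```

Run against the sample, it reports CERT_REV_FAILED as the only secure-failure flag, followed by the name-resolution error on the retries. That combination is the useful signal: the WinPE client could not reach the host named in the certificate's CRL distribution point, so before turning revocation checking off it is worth confirming whether that CRL is actually published on an internet-facing address at all, which is exactly the condition Microsoft's guidance below ties the setting to.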
I have to mention here that my colleague Tom Degreef encountered the same error. After a week, he suggested a trick, and that worked.
What Tom did was turn off CRL checking on the CMG. But that alone did not fix the issue. He also turned off CRL checking at the site level. Rebuilding the boot disk after turning off CRL checking at the site level did the trick.
Client Certificate Revocation
When deploying a CMG using PKI, we configure the service to Verify client certificate revocation on the Settings tab. This setting makes the service check the client certificate against a published certificate revocation list (CRL).
According to Microsoft, this CMG option verifies the client authentication certificate.
- If the client is using Azure AD authentication, the CRL doesn’t matter.
- If you use PKI, and externally publish the CRL, then enable this option (recommended).
- If you use PKI and don't publish the CRL, disable this option.
In my case I was using PKI and I don't host my CRL on an internet-facing web server. Hence I decided to disable the CRL check on the CMG and on the site server.
To turn off the CRL check on the CMG, go to the CMG properties and click the Settings tab. Uncheck the option Verify Client Certificate Revocation. Click OK.
You can also turn off the CRL check at the site level. In the site properties, click the Communication Security tab. Uncheck Client Check Certificate Revocation list for Site Systems and click OK.
After making the above changes and rebuilding the boot disk, I could perform OSD via Boot Media and CMG without any errors. I hope this post helps.