A closer look at Internet Based Client Management in ConfigMgr 2012

~ Prabhat Joshi

Hello Everyone, Prabhat Joshi here with another Configuration Manager support tip for you, this time for Internet Based Client Management (IBCM) in System Center 2012 Configuration Manager (ConfigMgr 2012).

Internet Based Client Management allows you to manage Configuration Manager clients when they are not connected to your company network but still have a standard Internet connection. This arrangement has a number of advantages, including the reduced costs of not having to run virtual private networks (VPNs) and being able to deploy software updates in a timely manner.

Because of the higher security requirements of managing client computers on a public network, Internet Based Client Management requires that the site is using certificates. This ensures that connections to the management point, software update point and distribution points are authenticated by an independent authority, and that data to and from these site systems is encrypted using Secure Sockets Layer (SSL).

New supported scenarios

1. User policies are supported when the Internet based MP can authenticate the user by using Windows authentication.

2. Task Sequences are supported for simple scripts, however just like ConfigMgr 2007, deploying an OS over the Internet is still not supported.

3. Using Microsoft Update to download required software updates rather than from an Internet based DP in their assigned site is supported.

Unsupported scenarios

Not all client management functionality is appropriate for the Internet; therefore some features are not supported when clients are managed on the Internet. The features that are not supported for Internet management typically rely on Active Directory Domain Services or are not appropriate for a public network, such as network discovery and Wake-on-LAN (WOL).

The following features are not supported when clients are managed on the Internet:

- Client deployment over the Internet, such as client push and software update-based client deployment. Instead, use manual client installation.

- Automatic site assignment.

- Network Access Protection (NAP).

- Wake-on-LAN.

- Operating system deployment. However, you can deploy task sequences that do not deploy an operating system; for example, task sequences that run scripts and maintenance tasks on clients.

- Remote control.

- Out of band management.

- Software deployment to users, unless the Internet-based management point can authenticate the user in Active Directory Domain Services by using Windows authentication (Kerberos or NTLM). This is possible when the Internet-based management point trusts the forest where the user account resides.

Additionally, Internet-based client management does not support roaming. Roaming enables clients to always find the closest distribution points to download content. Clients that are managed on the Internet communicate with site systems from their assigned site when these site systems are configured to use an Internet FQDN and the site system roles allow client connections from the Internet. Clients non-deterministically select one of the Internet-based site systems, regardless of bandwidth or physical location.

Prerequisites for IBCM

- Clients and Site Systems supporting IBCM should have Internet Connectivity.

- Site systems that will support Internet-based client management must be in an Active Directory domain, but can be in a different Active Directory forest from the forest that contains the site server.

- You must have a supporting public key infrastructure (PKI) that can deploy and manage the certificates required by the clients that are managed on the Internet and by the Internet-based site system servers.

For more information see Planning for Communications in Configuration Manager at http://technet.microsoft.com/en-us/library/gg712701.aspx#BKMK_PrerequisitsForInternetClientMgmt.

The links below can help you in planning & configuring IBCM in your environment:

- Planning for IBCM: http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients

- Planning for Communications in Configuration Manager: http://technet.microsoft.com/en-us/library/gg712701.aspx

- Planning for Certificates: http://technet.microsoft.com/en-us/library/gg712284.aspx#BKMK_PlanningForCertificates

- PKI Certificate Requirements for Configuration Manager: http://technet.microsoft.com/en-us/library/gg699362.aspx

- Step by step deployment of certificates: http://technet.microsoft.com/en-us/library/gg682023.aspx

ConfigMgr client install scenarios for IBCM

Internet-only management : Such clients will always contact the FQDN of the Internet Management Point (MP). Below is an example command line used to install a client in this manner.

Ccmsetup.exe /usepkicert ccmhostname="FQDN of Internet MP" smssitecode="Site code" CCMALWAYSINF=1

Internet or Intranet management : Clients configured for this scenario will be able to contact the FQDN of either the Internet or the Intranet MP depending on the network they are on (e.g. LAN or Internet). Note that workgroup clients do not support this scenario. Here's a command line for this type of install:

Ccmsetup.exe /usepkicert smsmp="FQDN of Intranet MP" ccmhostname="FQDN of Internet MP" smssitecode="Site code"

See the article below to understand the purpose of switches used in both cases. You may add more of them depending upon your requirements.

How to Install Clients on Windows-Based Computers in Configuration Manager : http://technet.microsoft.com/en-us/library/gg712298.aspx

Basic things to check when troubleshooting IBCM client install & registration scenarios

- There should be a site system that will be used as an Internet Management Point. It should be published via public DNS. If there is only one site system that is a site server itself then you can still use it as an Internet MP.

- Under site properties, verify “Client computer communication -> client computer settings” and make sure that “Use PKI client certificate when available” is checked.

- For the site system that will act as an Internet MP, please make sure that correct URL has been specified under the Site System property “Specify an FQDN for this site system for use on the Internet”.

- In the Internet MP properties, make sure that HTTPS is enabled (checked), and depending upon your requirement, that either “Allow Internet-only connections” or “Allow Internet and Intranet connections” is checked.

- After the above is done, make sure that the web server certificate has the name of the Internet MP in the Subject Alternative Name. After you have done this, then bind this certificate in IIS and check MPcontrol.log to confirm the health of the MP.

Some common client registration issues

Symptoms: After installing a ConfigMgr 2012 agent on an IBCM client, the machine is unable to register with the Internet facing Management Point. The following errors can be seen:

Client machine log:

ClientIDManagerStartup.log - Server rejected request 3

Server Side log:

MP_Registration.log - Registration hint is expired.
CCMValidateAuthHeaders failed (0x87d0029b) to validate headers for client 'GUID:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
MP Reg: Certificate is not valid, HR = 0x80092012, In-band Cert SubjectName = xxxxxxx.COM (NAME OF THE CLIENT MACHINE)

Cause: Error 0x80092012 reads:

"The revocation function was unable to check revocation for the certificate."

In this case the CRL was neither published nor accessible from the client machine, and port 10123 was blocked on the hardware firewall between the outside network and the internal network.


First publish the CRL and verify that it can be accessed from the client. You can verify whether the CRL is accessible by running the following command:

certutil -verify -urlfetch <cert name>.cer

If this shows that the CRL is not accessible, check the ports. You may notice that port 10123 is blocked.

Port 10123 is used by the Management Point to notify client computers about an action that it must take when an administrative user selects a client action in the Configuration Manager console, such as download computer policy or initiate a malware scan. If this is blocked, add the following as an exception to the Windows Firewall:

Outbound: TCP Port 10123

If this communication does not succeed, Configuration Manager automatically falls back to using the existing client-to-Management Point communication port of HTTP or HTTPS:

Outbound: TCP Port 80 (for HTTP communication)
Outbound: TCP Port 443 (for HTTPS communication)
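The CRL and port checks above in one script, as an added example that is not part of the original post: it reads the CRL Distribution Point URLs out of an exported client certificate, fetches each one the way a client would, then tests TCP 443 and 10123 to the Internet MP. The certificate path and the MP FQDN are placeholders to replace.

```powershell
# Added example (not from the original post). Reads the CRL Distribution Point
# URLs from an exported certificate, fetches each CRL, then tests the TCP ports
# the post names. $CertPath and $InternetMP are placeholders (assumptions).
param(
    [string]$CertPath   = 'C:\temp\client.cer',            # placeholder
    [string]$InternetMP = 'internetmp.example.com'         # placeholder
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders "URL=..." lines.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { Write-Warning 'Certificate carries no CRL Distribution Point extension'; return }
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    # Internet clients can only use HTTP CDPs; LDAP CDPs need the domain and are skipped.
    if ($url -notmatch '^http') { Write-Host "Skipping non-HTTP CDP: $url"; continue }
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Host ("CRL reachable: {0} ({1} bytes)" -f $url, $resp.RawContentLength)
    } catch {
        Write-Warning "CRL NOT reachable: $url -> $($_.Exception.Message)"
    }
}

# Ports from the post: 443 (HTTPS to the MP) and 10123 (client notification).
foreach ($port in 443, 10123) {
    $ok = (Test-NetConnection -ComputerName $InternetMP -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("TCP {0} to {1}: {2}" -f $port, $InternetMP, $(if ($ok) { 'open' } else { 'BLOCKED' }))
}
```

Run it from the Internet-side client itself, since the point is what that client can reach, not what the site server can.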


Symptoms: After installing a ConfigMgr 2012 agent on an IBCM client, the machine is unable to register with the Internet facing Management Point. The following errors can be seen:


LSRefreshTrustedKeyInfo failed with error '0x87d00306'
Failed to refresh trusted key info with error '0x87d00306'
Failed to validate the certificate
'308205E8308204D0A00302010202….0D99AAFC70BB0999B548CD07' from management point 'abc.test.com'

Raising event:
instance of CCM_LocationServices_ManagementPointCertificate_CrossVerificationFailure

DateTime = "20130819094515.860000+000";
ManagementPoint = "abc.test.com";
ProcessID = 1608;
ThreadID = 2192;

Refreshed Certificate Information over HTTP
Failed to verify message. Could not retrieve certificate from MPCERT.
MPCERT requests are throttled for 00:04:59
Failed to send site information Location Request Message to abc.test.com
LSIsSiteCompatible : Client is Always on Internet. Unable to check compatibiliy of Site <SITE CODE>
LSRefreshSiteCode failed with error (0x8000ffff)

Cause: This can occur if the trusted root key on the client is incorrect or non-existent. Follow the steps below to verify whether the trusted root key exists:

1. On the Start menu, click Run, and then type Wbemtest.

2. In the Windows Management Instrumentation Tester dialog box, click Connect.

3. In the Connect dialog box, in the Namespace box, type root\ccm\locationservices and then click Connect.

4. In the Windows Management Instrumentation Tester dialog box, in the IWbemServices section click Enum Classes.

5. In the Superclass Info dialog box, select Recursive and then click OK.

6. In the Query Result window, scroll to the end of the list and then double-click TrustedRootKey ().

7. In the Object editor for TrustedRootKey dialog box, click Instances.

8. In the new Query Result window that displays the instances of TrustedRootKey, double-click TrustedRootKey=@

9. In the Object editor for TrustedRootKey=@ dialog box, in the Properties section, scroll down to TrustedRootKey CIM_STRING. The string in the right column is the trusted root key. Verify that it matches the SMSPublicRootKey value in the file <Configuration Manager directory>\bin\mobileclient.tcf.
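The nine wbemtest steps as a single PowerShell check, added here and not part of the original post: it reads TrustedRootKey from root\ccm\locationservices on the client and compares it with SMSPublicRootKey in mobileclient.tcf. The .tcf path is a placeholder for a copy of <Configuration Manager directory>\bin\mobileclient.tcf taken from the site server.

```powershell
# Added example (not from the original post). Automates steps 1-9 above:
# query TrustedRootKey over WMI and compare it with SMSPublicRootKey from
# mobileclient.tcf. $TcfPath is a placeholder (assumption).
param(
    [string]$TcfPath = 'C:\temp\mobileclient.tcf'   # placeholder: copy of <CM dir>\bin\mobileclient.tcf
)

# Same namespace and class wbemtest shows; the instance key is TrustedRootKey=@.
$inst = Get-WmiObject -Namespace 'root\ccm\locationservices' -Class TrustedRootKey -ErrorAction SilentlyContinue |
        Select-Object -First 1
$clientKey = if ($inst) { [string]$inst.TrustedRootKey } else { '' }

if ([string]::IsNullOrWhiteSpace($clientKey)) {
    Write-Warning 'No trusted root key on this client; follow the resolution steps below.'
    return
}

# mobileclient.tcf is an INI-style file; pull the SMSPublicRootKey= value.
$line = Get-Content $TcfPath | Where-Object { $_ -match '^\s*SMSPublicRootKey\s*=' } | Select-Object -First 1
if (-not $line) { Write-Warning "SMSPublicRootKey not found in $TcfPath"; return }
$siteKey = ($line -split '=', 2)[1].Trim()

# -eq is case-insensitive in PowerShell, which is fine for a hex string.
if ($clientKey -eq $siteKey) {
    Write-Host 'Trusted root key matches the site (SMSPublicRootKey).'
} else {
    Write-Warning 'Trusted root key MISMATCH: the client trusts a different site or hierarchy.'
    Write-Host "Client: $clientKey"
    Write-Host "Site:   $siteKey"
}
```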

If the key is not there, complete the resolution steps below.


Uninstall the client using ccmclean utility, then reinstall it by specifying the trusted root key using following command line:

ccmsetup.exe /usePKICert /NOCRLCheck CCMHOSTNAME=abc.test.com CCMALWAYSINF=1 SMSMP=https://abc.test.com SMSSITECODE=001


When multiple CA’s are being used to issue required certificates to Internet MP & Client authentication certificate

CA1: Issuer of web server certificate for Internet MP.

CA2: Issuer of client certificate on IBCM clients.

After installing the client with the above mentioned command line, you may see this error on a client machine:


Failed in GetCertificate(…): 0x87d00281

Error code 87d00281 means “No certificate matching criteria specified”

In order to resolve this, navigate to Client Computer Communication under Site Properties and go to Trusted Root Certification Authorities and click on Set. After doing that, specify the self-signed cert of CA2 without its private key and click on OK.

Then, restart ccmexec on the client machine and now it should be able to register.
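An added PowerShell check (not from the original post) for the 0x87d00281 case: it lists the certificates in the machine Personal store that carry the Client Authentication EKU and a private key, and shows the root CA each one chains to, which is how you identify the CA2 root that has to be added under Trusted Root Certification Authorities. The EKU OID 1.3.6.1.5.5.7.3.2 is the standard Client Authentication OID.

```powershell
# Added example (not from the original post). Lists the client-authentication
# certificates ccmsetup can pick from and the root CA each one chains to.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}

if (-not $candidates) {
    Write-Warning 'No client-authentication certificate with a private key: expect 0x87d00281.'
    return
}

foreach ($c in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is covered by the CRL section; here only the issuer chain matters.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($c)
    # Last element of the chain is the root; compare its thumbprint with the CA
    # configured in site properties (CA2 in the post).
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject        = $c.Subject
        Thumbprint     = $c.Thumbprint
        NotAfter       = $c.NotAfter
        ChainBuilt     = $built
        RootCA         = $root.Subject
        RootThumbprint = $root.Thumbprint
    }
}
```

A certificate whose RootCA is not among the roots set in Client Computer Communication will not be selected, which is the condition the section above describes.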

Prabhat Joshi | Technical Lead | Microsoft


Comments (18)
  1. sconfire,

    Please check below article, it should answer your query:


  2. Hello Kichu Muraly,

    Thanks for going through the post.
    I think this article would help:

    Also here is the inside that would help in a longer run:

    Clients know to use the Internet-based software update point when they are on the Internet because they connect to the Internet-based management point, and the Internet-based management point tells the clients to use the software update point that is configured to accept client connections from the Internet. At this point, the local GPO is overwritten with the Internet WSUS URL so that clients connect to the Internet-based software update point. When clients connect to the intranet again, they connect to the default management point, at which point the local GPO is overwritten with the intranet WSUS URL so that clients then connect to the intranet software update point.

  3. Hello Sharath C K,

    Please email them over at v_2pjosh@live.com

  4. Kiran Tamang,

    Is it SCCM 2007 that you are using at this point?

  5. Krishna says:

    That was really Awesome.. I am sure this will really help in troubleshooting IBCM issues..

  6. Anonymous says:

    226 Microsoft Team blogs searched, 52 blogs have new articles. 163 new articles found searching from

  7. Sharath C K says:

    Thanks for the information.

    Prabhat Joshi … Please do share me your mail ID. I have some queries on the IBCM client installation.

  8. Is there any provision under Windows Azure based Internet Based Client Management (IBCM) hosted/managed from CDNs or DCs across various geographies.

  9. cntd..for lower TCO and faster ROI. Thanks

  10. Sarbjeet Singh says:

    It is really going to help others to understand the setup of IBCM. Keep doing the good work sir. 🙂

  11. Kichu Muraly says:

    We have successfully set up an Internet facing MP and DP. Could you pls help us with some idea about Internet facing SUP.

    Thanks In advance

  12. jillian says:

    Pretty informing blog! I recently just came across Snapforce CRM software in which they did all the configuring for their customers, which I think is very convenient and saves time. Reading off of a blog is great and all, but sometimes handling a business and everything else, I personally would want someone to do that for me.
    check them out at http://www.snapforce.com

  13. Whatever Jillian says:

    Nice “plug” for your own business Jillian… Disgraceful.

  14. sconfire says:

    Hi Prabhat,

    Do you have architecture poster about IBCM?

    I’m confused with architecture, is it possible to manage internet based clients with only one management point and dp? or do i have to position another management point and distribution point with IBCM settings on DMZ?


  15. paul says:

    pretty cool blog… looks like you have given valuable tips of http://officeintranet.in/ intranet. keep posting.

  16. Andrew says:

    It is a nice and helpful blog. It contains detailed information on internet
    http://www.arokiait.com/internet-intranet-web-applications.htm intranet

  17. Kiran Tamang says:

    We have a situation in our IBCM infra. We have updated the IBCM server with new certificates issued by a new CA server. But those clients that don't come to the LAN have the old client certificate and old root CA certificate. On top of that they have the old DocSign certificate.
    Due to this the client health percentage decreased a lot. Could you please help or suggest on this.

    1. Kiran, if you have a new CA then for those clients which don’t really come on LAN, please re-install the client and place new certs in respective locations. It will take some effort but will solve your issue.
