Configuration Manager Service Connection Point doesn't download updates

System Center Configuration Manager (current branch), Microsoft Intune, System Center Configuration Manager (current branch - version 1511)

Symptoms


A Service Connection Point that's running on a System Center Configuration Manager current branch doesn't download updates, and entries that resemble the following are logged in DMPDownloader.log:

Download manifest.cab SMS_DMP_DOWNLOADER 8/2/2016 2:20:24 PM 7568 (0x1D90)
WARNING: Failed to download easy setup payload with exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. SMS_DMP_DOWNLOADER 8/2/2016 2:20:25 PM 10760 (0x2A08)
WARNING: Retry in the next polling cycle SMS_DMP_DOWNLOADER 8/2/2016 2:20:25 PM 10760 (0x2A08)

You may also notice client connectivity issues when you use Microsoft Intune.

Cause


This problem occurs when the Baltimore CyberTrust Root Certificate is missing, expired, or corrupted on the System Center Configuration Manager Site System that has the Service Connection Point role installed. The Service Connection Point uses the Microsoft Intune service when it connects to http://go.Microsoft.com or http://manage.Microsoft.com. Therefore, if this certificate is invalid, the Microsoft Intune connection attempt is rejected.

Resolution


This is a known issue for Microsoft Intune, as documented in Knowledge Base article 2831435. However, this update is no longer displayed on the Microsoft Update Catalog.

As a workaround, you can download the Baltimore CyberTrust Root Certificate from https://cacert.omniroot.com/bc2025.crt. You can also export the certificate from the certificate authority in your environment.

After you've obtained the certificate, you must import it. To do this, follow these steps: 
  1. Open a command prompt with administrative rights (Run as Administrator).
  2. Run the following command: mmc
  3. On the File menu, click Add/Remove Snap-in.
  4. Select Certificates, and then click Add.
  5. Select Computer Account, and then click Next.
  6. Click Local Computer, click Finish, and then click OK.
  7. In the console tree, expand Certificates -> Trusted Root Certification Authorities -> Certificates.
  8. Right-click Certificates, and then click Import.
  9. Import the Baltimore CyberTrust Root Certificate.
  10. Restart the computer.

You should now see an entry for Baltimore CyberTrust Root under Trusted Root Certification Authorities.
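The store check and the import can also be done from an elevated PowerShell session. The script below is an added example, not part of the original article or Microsoft's own tooling: it reports whether the root is missing or expired in the machine store, and it refuses to import a downloaded file unless the file matches a thumbprint that you obtained from an independent, trusted source. The file path, the `-Import` switch, and the thumbprint placeholder are assumptions.

```powershell
# Added example: inspect LocalMachine\Root and vet a downloaded root
# certificate before importing it. Run in an elevated PowerShell session.
param(
    [string]$CertPath = 'C:\Temp\bc2025.crt',    # assumed download location
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-A-TRUSTED-SOURCE>',  # placeholder
    [switch]$Import                              # hypothetical switch for this script
)

$subjectCN = 'CN=Baltimore CyberTrust Root'
$now = Get-Date

# 1. Current state of the machine root store. "Missing" and "expired" are
#    two of the causes the article names.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "$subjectCN*" }
if (-not $installed) {
    Write-Warning 'Baltimore CyberTrust Root is not in LocalMachine\Root.'
} else {
    $installed | Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ n = 'Expired'; e = { $_.NotAfter -lt $now } } | Format-List
}

# 2. Vet the candidate file. Anything placed in the root store becomes a
#    trust anchor for every TLS connection from this server, so fail closed.
if (Test-Path $CertPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $problems = @()
    if ($cert.Subject -notlike "$subjectCN*") { $problems += "unexpected subject: $($cert.Subject)" }
    # Name comparison only; it does not verify the signature.
    if ($cert.Subject -ne $cert.Issuer) { $problems += 'issuer differs from subject, so not a root' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $want) { $problems += "thumbprint $($cert.Thumbprint) does not match expected value" }

    if ($problems) {
        $problems | ForEach-Object { Write-Warning $_ }
        Write-Error "Refusing to import $CertPath."
    } elseif ($Import) {
        # Equivalent to steps 7-9 of the MMC procedure.
        Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root
    } else {
        "Certificate passed all checks. Re-run with -Import to add it to LocalMachine\Root."
    }
} else {
    Write-Warning "No file found at $CertPath; store check only."
}
```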



More Information


There is a known issue in which the Intune Connector experiences connectivity issues if the Baltimore CyberTrust Root Certificate is not installed, is expired, or is corrupted on the computer that's using Microsoft Intune.

For more information, see Connectivity issues may occur when the Baltimore CyberTrust Root certificate is not installed on client computers that use Microsoft Intune.