Configuration Manager service connection point doesn't download updates
This article helps you fix an issue where a service connection point doesn't download updates. This issue occurs when the Baltimore CyberTrust Root certificate is missing, expired, or corrupted.
Original product version: Configuration Manager (current branch), Microsoft Intune
Original KB number: 3187516
Symptoms
A service connection point that's running in a Configuration Manager current branch environment doesn't download updates, and entries that resemble the following are logged in DMPDownloader.log:
Download manifest.cab SMS_DMP_DOWNLOADER 8/2/2016 2:20:24 PM 7568 (0x1D90)
WARNING: Failed to download easy setup payload with exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. SMS_DMP_DOWNLOADER 8/2/2016 2:20:25 PM 10760 (0x2A08)
WARNING: Retry in the next polling cycle SMS_DMP_DOWNLOADER 8/2/2016 2:20:25 PM 10760 (0x2A08)
You may also notice client connectivity issues when you use Microsoft Intune.
Cause
The service connection point uses the Intune service when it connects to http://go.Microsoft.com or https://manage.Microsoft.com. If the Baltimore CyberTrust Root certificate is missing, expired, or corrupted, the Intune connection attempt is rejected.
Resolution
This is a known issue for Intune, as documented in Connectivity issues may occur when the Baltimore CyberTrust root certificate is not installed. However, this update is no longer displayed on the Microsoft Update Catalog.
As a workaround, you can export the certificate from the certificate authority in your environment.
After you've obtained the certificate, you must import it. To import the certificate, follow these steps:
- Open a command prompt with administrative rights (run as Administrator).
- Run the
mmccommand. - On the File menu, select Add/Remove Snap-in.
- Select Certificates, and then select Add.
- Select Computer Account, and then select Next.
- Select Local Computer, select Finish, and then select OK.
- In the console tree, expand Certificates > Trusted Root Certificate Authorities > Certificates.
- Right-click Certificates, and then select Import.
- Import the Baltimore CyberTrust Root certificate.
- Restart the computer.
You should now see an entry for Baltimore CyberTrust Root under Trusted Root Certificate Authority:
More information
The Intune Connector experiences connectivity issues if the Baltimore CyberTrust Root certificate is not installed, is expired, or is corrupted on the computer that's using Intune.
For more information about this issue, see Connectivity issues may occur when the Baltimore CyberTrust root certificate is not installed.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for