What's causing Software Center Device Compliance to report "An error occurred during the compliance check... GET_AAD_TOKEN_ERROR : FFFFFFFF80131500"?

2025-09-30T13:17:15.8866667+00:00

When checking Device Compliance in Software Center we are seeing the message:
"An error occurred during the compliance check. Please run the compliance check again.
GET_AAD_TOKEN_ERROR : FFFFFFFF80131500"

After removing and reinstalling the SCCM Client, the error still occurs.

The only way we have found to "temporarily" remove this is to stop the SMS Host Service, rename the C:\Windows\CCM\CCMStore.sdf, and restart the SMS Host Service, after which the compliance reports okay. Typically the error occurs again a day later, though. The CCMStore.sdf is between 2MB and 3MB when the error occurs.

Has anyone got any solutions for how to permanently fix this, or suggestions on what might be causing the CCMStore.sdf file to cause this problem?


3 answers

  1. HarryPhan-2691 8,170 Reputation points Independent Advisor
    2025-09-30T14:29:01.04+00:00

    Hi Beckwith,

    That GET_AAD_TOKEN_ERROR is essentially the client failing to get a proper authentication token from Azure. The CCMStore is where it caches this and other compliance data. When that file gets corrupted or hits a sync conflict, it just gets stuck in this loop.

    Since a reinstall didn't work, it means the problem isn't with the client files themselves, but with the data being written to that cache. A 2-3MB file size isn't crazy, but it could be bloated with stale token data.

    Instead of just renaming the file, try this more thorough cache reset on one device:

    1. Stop the "SMS Agent Host" service.
    2. Rename the entire C:\Windows\CCM folder to C:\Windows\CCM.old.
    3. Restart the service. This will force the client to rebuild everything from scratch, not just the store file.

    If that fixes it permanently, we know it's a broader cache issue. If the problem comes back, the root cause is likely on the service side. I'd then check the SCRegCIT.log and ClientIDManagerStartup.log files on the client right after the error returns—they often contain the real AAD communication failure that the generic error message hides.

    Hope this gives you a new path to try. If this does the trick, please mark it as the accepted answer 🙂


  2. Mirco G 0 Reputation points
    2025-10-06T11:28:36.21+00:00

    Hello. I'm pretty sure that this is not a cache issue. First I thought that this problem came up with the SCCM Hotfix KB33177653 (Azure for US Government Update), which we accidentally installed on July 3rd. Accidentally installed means that we do not use the US Government Cloud. We use the Public Cloud. But diving deeper into the logs, it seems that this error came up after installing the latest Microsoft June update KB5060842, which was installed on June 16th. So almost 3 weeks earlier than the SCCM hotfix. Even new clients which got installed with the SCCM client a few days ago still report this issue. Renaming the folder will not solve the problem.

    Since June 16th, so right after installing the Microsoft June Update, I can see lots of errors in the Event Viewer under AAD -> Operational. There were no errors before the KB5060842 June Update.

    But since I installed the update there are lots of Token Broker errors:

    Error: 0xCAA5001C Token broker operation failed.

    Operation name: GetTokenSilently, Error: -895352823 (0xcaa20009), Description: AADSTS50011: The redirect URI 'ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-283421221-3183566570-1718213290-751554359-3541592344-2312209569-3374928651' specified in the request does not match the redirect URIs configured for the application 'ecd6b820-32c2-49b6-98a6-444530e5a77a'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this. Trace ID: 38f08b5b-2763-43f5-899b-ba7ab6ea8b00 Correlation ID: 2518257c-30a6-468a-a259-fc32fa8dd7cb Timestamp: 2025-07-31 07:40:08Z

    Logged at WebAccountProcessor.cpp, line: 723, method: AAD::Core::WebAccountProcessor::ReportOperationError.

    And authentication errors:

    Error: 0xCAA20009 Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).

    Code: invalid_client

    Description: AADSTS50011: The redirect URI 'ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-283421221-3183566570-1718213290-751554359-3541592344-2312209569-3374928651' specified in the request does not match the redirect URIs configured for the application 'ecd6b820-32c2-49b6-98a6-444530e5a77a'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this. Trace ID: 38f08b5b-2763-43f5-899b-ba7ab6ea8b00 Correlation ID: 2518257c-30a6-468a-a259-fc32fa8dd7cb Timestamp: 2025-07-31 07:40:08Z

    TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token

    Logged at OAuthTokenRequestBase.cpp, line: 505, method: OAuthTokenRequestBase::ProcessOAuthResponse.

    Request: authority: https://login.microsoftonline.com/common, client: ecd6b820-32c2-49b6-98a6-444530e5a77a, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-283421221-3183566570-1718213290-751554359-3541592344-2312209569-3374928651, resource: https://edgesync.microsoft.com, correlation ID (request): 2518257c-30a6-468a-a259-fc32fa8dd7cb

    The clients work well. I am able to install software packages, the client baselines work well, I can uninstall / reinstall, everything without any problems. But the GET_AAD_TOKEN_ERROR still persists.

    Maybe this will help someone investigate the problem.

    Best Wishes

    Mirco
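
The correlation the answer above describes (when AADSTS errors first appear in the AAD Operational log versus when an update was installed), as an added PowerShell example that is not part of the thread. The function names, the 7-day window and the sample events are assumptions constructed for illustration; `Microsoft-Windows-AAD/Operational` is assumed to be the "AAD -> Operational" log the answer refers to.

```powershell
# Added example (not from the thread): summarise AADSTS failures from AAD Operational
# event text and list Windows updates installed shortly before each first occurrence.
function ConvertFrom-AadBrokerError {
    param([datetime]$TimeCreated, [string]$Message)
    if ($Message -notmatch 'AADSTS(?<code>\d+)') { return }   # skip non-AADSTS errors
    $code = "AADSTS$($Matches.code)"
    $app  = if ($Message -match "application '(?<id>[0-9a-fA-F-]{36})'") { $Matches.id }
    $res  = if ($Message -match 'resource:\s*(?<r>[^,\s]+)') { $Matches.r }
    [pscustomobject]@{ Time = $TimeCreated; Code = $code; AppId = $app; Resource = $res }
}

function Get-AadErrorSummary {
    # HotFixes: objects with HotFixID and InstalledOn, e.g. the output of Get-HotFix.
    param([object[]]$Events, [object[]]$HotFixes = @(), [int]$WindowDays = 7)
    $parsed = $Events | ForEach-Object {
        ConvertFrom-AadBrokerError -TimeCreated $_.TimeCreated -Message $_.Message
    }
    $parsed | Group-Object Code, AppId | ForEach-Object {
        $hits  = @($_.Group | Sort-Object Time)
        $first = $hits[0].Time
        # Updates installed in the window before the first failure are candidates to review.
        $near = @($HotFixes | Where-Object {
            $_.InstalledOn -and $_.InstalledOn -le $first -and
            $_.InstalledOn -ge $first.AddDays(-$WindowDays)
        } | ForEach-Object HotFixID)
        [pscustomobject]@{
            Code = $hits[0].Code; AppId = $hits[0].AppId; Count = $hits.Count
            FirstSeen = $first; LastSeen = $hits[-1].Time; UpdatesBefore = $near -join ','
        }
    }
}

# Constructed sample: timestamps are invented and the message is shortened; the
# application ID and KB number are the ones quoted in the thread.
# On a client, replace the sample with live data:
#   $events   = Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-AAD/Operational'; Level=2 }
#   $hotfixes = Get-HotFix
$msg = "Error: 0xCAA20009 Description: AADSTS50011: The redirect URI '...' does not match the " +
       "redirect URIs configured for the application 'ecd6b820-32c2-49b6-98a6-444530e5a77a'."
$events = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2025-06-16T14:05:00'; Message = $msg }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-06-17T08:30:00'; Message = $msg }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-06-17T08:31:00'; Message = 'Error: unrelated' }
)
$hotfixes = @([pscustomobject]@{ HotFixID = 'KB5060842'; InstalledOn = [datetime]'2025-06-16' })
Get-AadErrorSummary -Events $events -HotFixes $hotfixes | Format-List
```

Running the same summary on an affected client and on one that reports compliance correctly shows whether the failures are tied to one application ID and start date or are general token broker noise.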


  3. Mirco G 0 Reputation points
    2025-10-20T14:36:51.7233333+00:00

    Hello.

    The problem got solved with the new SCCM Hotfix-Rollup KB32851084.

    https://free.blessedness.top/de-de/intune/configmgr/hotfix/2503/32851084

    So this thread can be closed.

    Best wishes

    Mirco

