The CMG is a role introduced in ConfigMgr Current Branch 1610. The purpose of the Cloud Management Gateway is to simplify installation and strengthen security of managing clients over the Internet. This is achieved by hosting the necessary services in Azure. To date however many customers have been hesitant to deploy a CMG due to the perceived complexity of the certificate requirements that the solution has required. Using ConfigMgr 1804 tech preview and working along-side the Microsoft product team I have been able to reduce the certificates required down to 1 single certificate. My certificate is issued by a public certificate provider therefore I’ve also eliminated the need for any internal PKI what-so-ever. I am using a wildcard cert if you choose to use named certs you will need 2 certificates rather than 1. This is part 1 of a 2 part series. I will also be publishing a guide on deploying a Cloud Distribution Point.

1.  Pre-requisites


a.       You must have an
Azure subscription and users must by sync’d to Azure AD using AAD

b.       Computers must be
Azure AD joined or AAD registered.

c.       Find an available
service name in Azure DO NOT CREATE THE
just find an available name.

                                                               i.      Log on to the Azure
portal at

                                                             ii.      In the Azure Portal,
you will see a Cloud Services node on the left. Choose to create a new cloud

                                                           iii.      Note down the unique
DNS name(s) that will be used for the Cloud Management as you will add this
information to Configuration Manager.

                                                           iv.      While here take note
of your Azure subscription ID.

d.       Create a public
facing CNAME record that maps your service name (ex to your
service name at (ex

e.       Enable the CMG under
administration>Updates and servicing>features

                                                               i.      Processing of the
change is often immediate, but it can take up to 30 minutes to complete,
depending on the HMAN processing cycle. After the change is processed, you must
restart the console before you can view new UI related to that

f.        A new server to act
as a ConfigMgr HTTPS management point for internet

g.       If your internal
domain name doesn’t match your external domain name you must internally host a
DNS zone matching your external domain name.



2.  Create a Wildcard Cert


Beginning with 1802 ConfigMgr now supports wildcard
certificates. We will be using a single wildcard certificate for the deployment
of the CMG.

Beginning with 1802 ConfigMgr an HTTPS enabled MP is
required when installing a CMG

This guide is using publicly issued certificate and public
certificate authorities will only issue certificates whose have subject names
contain an FQDN which you can prove you own. For this reason, if your internal
domain name doesn’t match a public domain name which you own you must change the
FQDN of the server to a public FQDN which you own.
We will cover how to change a server FQDN later in this


a.       Use the DigiCert CSR
generator tool to generate a CSR for a wildcard SSL certificate.

b.       Download a cer from
Digicert, import it back into the DigiCert CSR generator and export it out with
the private key as a .pfx file.

c.       Import the pfx into
the local machine store on any domain-joined computer
making sure to mark the private key as exportable.

d.       Open the certificates
snap-in MMC and export the certificate out as a DER encoded binary x.509 (.CER)
[G3] .
Save this as ‘exported digicert.cer’
[G4] .[G5] 

e.       While in the
certificate snap-in export the certificate again but this time export the
private key as well save this as ‘exported


3. Prepare A New Windows
Server for HTTPS MP Installation


This is
ONLY required if your internal domain name differs from your external
It is quite common for an
organizations internal domain name to not match its external facing domain
name. If this is the case for your organization you will need to change the
FQDN of the newly created server on which you will install the HTTPS enabled
MP. You will also need to create an A record for the server on your internal
DNS. If you do not internally host a zone matching your external domain name
this solution will not work for you.


a.       Change the FQDN of
the server

                                                               i.      On the server which
will become the new HTTPS management point open System Properties in the control

                                                             ii.      Select Change
Settings under the computer name, domain and workgroup

                                                           iii.      On the computer name
tab click Change…

                                                           iv.      On the Computer
Name/Domain Changes click More…

                                                             v.      Change the Primary
DNS Suffix of this computer to your external domain name.

                                                           vi.      Uncheck the box
change the Primary DNS Suffix of this computer when the domain

                                                          vii.      Click OK and then
restart the server

b.       A Host (A) record
should have been automatically created in the zone hosting your external DNS
namespace. Confirm this by either i or ii below.

                                                               i.      Ping from any machine inside your network
to confirm that it resolves to an IP address.

                                                             ii.      Open DNS on a DNS
server and ensure the Host (A) record was created.

c.       Repeat step B for the
internal dns zone and create a Host (A) record for the server on the internal
DNS namespace is it’s not present already.

4.  Install
Management Point Role on Newly Created Server

Beginning with 1802 ConfigMgr an HTTPS enabled MP is
required when installing a CMG. Unless you already use HTTPS on your site roles
we will be installing a separate management point to act as the HTTPS MP for CMG
traffic. Obviously, you could achieve this in other ways, I just chose this
method because it’s the least impact on my existing environment.


a.       Ensure the flowing
prerequisites are installed:

                                                               i.      Windows Server roles and features: 

1.       .NET Framework 4.5.2
(or later)

2.       BITS Server
Extensions (and automatically selected options) or Background Intelligent
Transfer Services (BITS) (and automatically selected options)

                                                             ii.      IIS configuration: 

1.       Application

a.       ISAPI Extensions

2.       Security:

a.       Windows

3.       IIS 6 Management

a.       IIS 6 Metabase

b.       IIS 6 WMI

b.       In the Configuration
Manager console of the primary site server, navigate to System Center
Configuration Manager / Site Database / Site Management /< site code> –
<site name> / Site Settings / Site Systems / <site system

c.       Right-click< site
system name> and click New Roles to start the New Site Systems Role

d.       On the General tab,
you have the options to do the following:

                                                               i.      Specify the new (the
external domain) FQDN as the Name.

                                                             ii.      Specify the external
FQDN for Internet-based clients to communicate with this site system.

                                                           iii.      Click

e.       On the Proxy page
configure it if required and click Next

f.        On the System Role
Selection page, select Management point and click

g.       On the Management
Point page do the following:

                                                               i.      Select

                                                             ii.      Select Allow
Configuration Manager cloud management gateway

                                                           iii.      Select Allow
Internet-only connections

                                                           iv.      Click

h.       On the Management
Point Database page click Next.

i.         On the Summary page
click Next.

j.         The Progress page
displays the progress of saving the site system settings to the site

k.       The Completion page
displays whether or not the site system settings were successfully saved in the
site database. Click Close.


5.  Install Certificate


a.       Install the wildcard
certificate to the local machine certificate store.

                                                               i.      Copy the wildcard
certificate .pfx to the new MP.

                                                             ii.      Double click the
certificate to start the certificate import wizard.

                                                           iii.      Select local machine
and then click Next.

                                                           iv.      On the file to import
page click Next.

                                                             v.      On the private key
protection page:

1.       Enter the password of
the certificate.

2.       Do not check the box
to mark the key as exportable.

3.       Click

                                                           vi.      On the certificate
store page click Next

                                                          vii.      On the complete the
certificate import wizard page click Finish

b.       Bind the certificate
to the default web site

                                                               i.      On the new MP open
Internet Information Services (IIS) Manager.

                                                             ii.      Expand Sites,
right-click Default Web Site, and then choose Edit Bindings.

                                                           iii.      Choose the https
entry, and then choose Edit.

                                                           iv.      In the Edit Site
Binding dialog box, select the wildcard certificate that you imported in to the
certificates store and then choose OK.

                                                             v.      Choose OK in the Edit
Site Binding dialog box, and then choose Close.

                                                           vi.      Close Internet
Information Services (IIS) Manager.


6.  Configure Azure


a.       In the Configuration
Manager console, go to the Administration workspace, expand Cloud

b.       Right Click Azure
Services and select Configure Azure Services.

                                                               i.      Give the service a
name, I’m using OrgName Cloud Management Service

                                                             ii.      Select Cloud

                                                           iii.      Click

c.       On the App Page do
the following:

                                                               i.      Select Azure Public

                                                             ii.      On the Web App click

1.       Click

a.       Give the application
a name, it can be anything you’d like. I used OrgName

b.       The HomePage URL and
App IU URI can be anything however I recommend you leave them set to

c.       Change the secret key
validity to 2 years.

d.       Sign in with an Azure
global admin account

e.       Click

2.       On the Native Client
app click Browse

3.       Click

a.       Give the application
a name, it can be anything you’d like. I used OrgName Native

b.       The Reply URL is not
used for anything therefore put anything you’d like here.

c.       Sign in with an Azure
global admin account

d.       Click

4.       Highlight the client
app you’ve just created and Click OK

5.       Click

                                                           iii.      On the discover page
you can take the defaults, the settings on this page have no effect on the CMG
so do whatever you’d like.

                                                           iv.      On the Summary page
click Next and

                                                             v.      On the Completion
page click Close


7.  Install the


a.       Install the

                                                               i.      Go to
administration>cloud service>cloud management gateway, right click and
select create new cloud management gateway.

                                                             ii.      On the general pane
of the install CMG wizard:

1.       Select

2.       Select Azure Resource
Manager Deployment

3.       Click Sign in… and
sign in to Azure as a global Admin

4.       Verify
the correct subscription ID is selected

5.       Click

                                                           iii.      On
the Setting pane of the create cloud management

1.       select
your exported wildcard pfx as the server PKI certificate for the cloud server
and then enter a unique service FQDN

2.       select
the exported cer file as the certificate for authenticating client

3.       Enter
your unique service FQDN which you found in the pre-requisites step of this

4.       Uncheck
Verify client certificate

5.       Click

                                                           iv.      Accept the default
thresholds and click next

                                                             v.      On the summary page
click next

                                                           vi.      On the completion
page click close.

b.       Monitor the CMG in
the Cloud Management Gateway node of the console. You should see the status
“ready” within 15 minutes. If you do not check the CloudMgr.log in the SCCM Logs
folder of the site server for error (note: If your CM server time is incorrect
CMG install will fail on 1803)


8.  Add the CMG Connection


The CMG role can be installed on any site system. Since
we built a new server to host the HTTPS enabled MP that is likely as good a
place as any to install the role.


a.       In the Configuration
Manager console, click Administration.

b.       In the Administration
workspace, expand Site Configuration, and click Servers and Site System Roles.
Then select the server that you want to use for the CMG connection

c.       On the Home tab, in
the Server group, click Add Site System Roles.

d.       On the General page,
review the settings, and then click Next.

e.       On the Proxy page,
specify settings for a proxy server, if site system roles that run on this site
system server require a proxy server to connect to locations on the Internet.
Then click Next.

f.        On the System Role
Selection page, select the cloud management gateway connection point role then
click Next.

g.       On the specify the
cloud management gateway connection point settings page you should see the CMG
installed in the previous steps of this guide. Click

h.       On the summary page
click next

i.         On the completion
page click close.


9.  Create CMG


a.       In both internal and
external DNS you should create a CNAME entry for
your unique service FQND to For example I selected SCACMG as my service name
therefore my CNAME is and


10.  Configure Client Agent

For authentication to
your internal HTTPS management point, which you will create during this guide,
certificate authentication is not being used. For this reason, users must be
sync’d with Azure Active Directory and computers either registered or joined to
Azure Active Directory.

a.       Configure the
following client agent settings in the Cloud Service node of client agent

                                                               i.      Automatically
register new Windows 10 domain joined devices with Azure Active Directory:

                                                             ii.      Enable clients to use
a cloud management gateway: Yes

                                                           iii.      Allow access to a
cloud distribution point: Yes


11.  Prepare Internal
ConfigMgr Roles for CMG Traffic


Perform the following steps on the HTTPS management
point as well as your SUP


a.       In the Configuration
Manager console, go to the Administration workspace, expand Site Configuration,
right-click Servers and Site System Roles, and select Management point from the

b.       Select the new site
system server where you installed the HTTPS MP.

c.       Select the Management
point role in the details pane, and then click Properties in the

d.       In the Management
point properties sheet under Client Connections, check the box next to Allow
Configuration Manager cloud management gateway

e.       Click

f.        Repeat these steps
for any software update points.


12.  Test the


In order to simulate a client being outside of your
internal network set the following registry key:
ClientAlwaysOnInternet = 1


Be sure to
remove this key once testing has been


a.       Create
and deploy package

                                                               i.      In
the Configuration Manager console, click Software

                                                             ii.      In
the Software Library workspace, expand Application Management, and then click

                                                           iii.      In
the Home tab, in the Create group, click Create

                                                           iv.      On
the Package page of the Create Package and Program Wizard, specify the following

1.       Name:
Specify a name for the package for example Test

2.       This
package contains source files: Do not check this

3.       Source
folder: Leave this empty

                                                             v.      On the Program Type
page of the Create Package and Program Wizard, select Standard Package and then
click Next.

                                                           vi.      On the Standard
Program page of the Create Package and Program Wizard, specify the

1.       Name: CMG Test

2.       Command Line:

3.       Run:

4.       Program can run: Only
when a user is logged on

5.       Run mode: Run with
administrative rights

6.       Allow users to view
and interact with the program installation: Do not check this

7.       Dive mode: run with
UNC name

                                                          vii.      Click next through
all remaining screens to complete the wizard

b.       Deploy the test

                                                               i.      On a test PC set the
following registry value

1.       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security,
ClientAlwaysOnInternet = 1

                                                             ii.      Create a new
collection and add a test PC to the new

                                                           iii.      Deploy the test
package as required to the collection containing the test

1.       It is not necessary
to select a distribution point during the

2.       Be sure to make the
package required

3.       Set the assignment
schedule to As soon as possible

4.       On the User
Experience page be sure to select “Allow users to run the program independently
of advertisements.

c.       On the test client
open the configuration manager control panel applet, go to the actions tab and
run a machine policy retrieval & Evaluation Cycle.

d.       Monitor the
execmgr.log on the client to verify the test program

e.       Open software center
to ensure the test package is display