How To Setup Cloud Management Gateway (CMG) in Microsoft SCCM to Manage Internet Clients

Рет қаралды 90,087

Күн бұрын

In this video guide, we will be covering how you can set up the cloud management gateway in Configuration Manager to manage clients on the internet. This guide covers essential aspects of CMG such as certificates, site system roles, Azure prerequisites, and much more!
Blog Post 👉 setupconfigmgr.com/how-to-set...
Introduction - (0:00)
CMG Vs. IBCM - (0:42)
Certificates needed for Cloud Management Gateway - (3:06)
Create Web Server CMG Certificate Template - (4:49)
Review Client Communication Settings- (6:41)
Request Server/Web Server Certificate for CMG - (7:26)
Export Internal Root CA Certificate to use in CMG - (9:43)
Allow Client to Use Cloud DP and CMG - (10:22)
Configure Azure Subscription - (10:58)
Give App Registrations Permissions in Azure - (13:41)
Create Cloud Management Gateway - (14:44)
Install Cloud Management Gateway Connection Point Role - (26:40)
Set Management Point and Software Update Point to Allow CMG Traffic - (27:40)
Distribute Content to CMG - (29:15)
Enable RDP for the Azure CMG Server - (31:09)
Verify Client Receive CMG Server for IBCM Mangement Point - (35:54)
Verify Client Notifications Work on Internet Client - (39:32)
Verify App Deployment Works from Internet Client using CMG - (41:31)
Verify Software Updates Works from Internet Client using CMG - (42:03)
Verify Hardware Inventory from Client Notification Channel Works - (44:10)
Wrap-up - (46:35)
#SCCM #ConfigMgr #CMG

Пікірлер: 167

@Shloeb 6 жыл бұрын

Please keep up the great work. I was waiting for a high quality channel for SCCM and it seems like I have found it. Subbed

@PatchMyPC 6 жыл бұрын

Shloeb Thanks!

@Magdann 3 жыл бұрын

I've watched so many of your video and it helped me so much i just can't leave without subscribing. Done

@PatchMyPC 3 жыл бұрын

Thanks!

@varunstyle1986 5 жыл бұрын

Just Completed setting up CMG for internet clients. All working well software/inventory/updates deployments. Thanks for Nice Explanations !!!! :)

@PatchMyPC 5 жыл бұрын

Excellent!

@nirmalp1559 5 жыл бұрын

Hi Varun, if possible, could you please help on the issue related with Client communication with CMG?

@varunchitra3163 5 жыл бұрын

@@nirmalp1559 yes please, tell where ur stuck.

@nirmalp1559 5 жыл бұрын

@@varunchitra3163 Have deployed CMG and enabled CDP. In our environment,we dont have any internet based clients. So we created one workgroup machine in Azure and made that as always internet and installed agent with the parameters "ccmsetup.exe /UsePkiCert SMSSITECODE=XXX CCMHOSTNAME=CMGSCCM.XX.COM/CCM_Proxy_MutualAuth/72057XX5940XXXXXXXX" . Whether this is the right approach? or any specific parameter need to be checked? please suggest.. thank you

@varunchitra3163 5 жыл бұрын

@@nirmalp1559 1. Pc should have client authentication certificate for mutual authentication. 2. For first time device must be on intranet to fetch polices from gpo and SCCM and then switch to internet. 3. Locationservices.log should have success message with MP and SMS_CLOUD_PROXYCONNECTOR.log on site server will show success communication with cdp.

@bahnjee 3 жыл бұрын

Thank you tremendously for these so-very-helpful videos. You turn Microsoft's sorely-lacking text documentation and turn it into something that's actually useful and much more comprehensible. One request: These awesome videos would be even awesomer if we could see the bar at the top of your screen that indicates which computer we're looking at. You move very quickly and sometimes it's hard to tell whether we're looking at a client, a server, and/or which server. This vid was not so hard to follow in that aspect, but the one for setting up HTTPS/PKI got a bit tricky to keep up with. I realize that maybe your recording tool doesn't allow for that but I know it can be done because the videos that PolicyPak records (also awesome) does show that bar at the top.

@PatchMyPC 3 жыл бұрын

Good feedback, I will think about adding the bar in next video

@allbymyself85 3 жыл бұрын

Thanks Justin. Great video

@PatchMyPC 3 жыл бұрын

Thanks for watching!

@divefraggle 4 жыл бұрын

Amazing video, thanks!

@PatchMyPC 4 жыл бұрын

Thanks for watching

@albrough 4 жыл бұрын

Awesome video! If you have a new azure subscription in Australia, raise a case with support and request access to AustraliaEast or AustraliaSouthEast, AustraliaCentral (which is the default for new subs) does not work and is not an option when provisining your CMG! We had to create a new sub as our CSP was not able to provision us the Cloud Service (Classic) required for CMG

@PatchMyPC 4 жыл бұрын

Thanks for the tip!

@kichumuraly1524 5 жыл бұрын

This is one of the best videos on CMG I have ever come across. Thanks for the great job on making it. Just one Question may be a scenario what happens if a client with a valid client authentication certificate Hybrid joined to AAD goes out to internet and then the certificate expires?. It would start communicating over modern auth or stops communicating to CMG itself?

@PatchMyPC 5 жыл бұрын

I believe AAD devices auto-renew their certs.

@djmumbles81 4 жыл бұрын

great video!

@PatchMyPC 4 жыл бұрын

Glad you enjoyed it

@tomm5564 5 жыл бұрын

Great video! Will the Software Update deployments need to have the "...download from MS updates" and "Allow clients on a metered Interconnection..." boxes checked on the Download settings tab?

@PatchMyPC 5 жыл бұрын

No, when internet facing that checkbox shouldn't matter.

@VeniVV 6 жыл бұрын

Hey Justin, great video. I have the CMG setup as well as a CDP (I'm on 1802) and they seem to work great and the steps were the same as the ones you took in your video. We used a public cert, but other than that identical. I do have a question, and that is if you will be making a video about co-management with Microsoft Intune? I currently have it setup in my environment but I like watching your videos to validate what I have done.

@PatchMyPC 6 жыл бұрын

Tyler Fleming I do plan to do some co-management videos soon I might do a few Imaging ones before that though

@yuvimaggi 5 жыл бұрын

Thanks for the great video. I have a question on configuring CMG. Do we definitely need OWNER and CO-ADMINISTRATOR credentials on azure to configure CMG or just OWNER credentials is enough?

@PatchMyPC 5 жыл бұрын

I believe just owner is needed.

@santoshkhaple4660 4 жыл бұрын

Thank you Justin for the wonderful Video, Will CMG be Configured on Non PKI infrastructure as we have Azure AD Sync.

@PatchMyPC 4 жыл бұрын

Nice

@abhiram211 5 жыл бұрын

Hi Justin, thanks for a very informative video. I have a question if you could answer. I have two environments, one with sccm and other with intune. Both are seperate environments and now I want to setup Co management. With this i want the currently managed intune devices to be part of sccm(specifically for reporting purpose) and all on-premise devices should not be part of intune after setting up of co management. Do you know how can I achieve this?

@PatchMyPC 5 жыл бұрын

Hey! Yeah, I think co-management could do this for you docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview. TBH, I haven't dug that deep into co-management yet. I have it on the list of things to do and a future video. Hopefully, that documentation may be helpful for you until I deep a bit deeper and do a video.

@alexanderson6616 4 жыл бұрын

I just finished watching video # 3 , it was great , I do have a question. In this video the "Trusted Root Certificate Authorties" have been selected where in the prior video it was not set, any guidance on setting that up would be great ..thank you

@PatchMyPC 4 жыл бұрын

That was my root certificate authority from ny internal PKI

@mikegorski783 3 жыл бұрын

Hi Justin. Thanks for the videos. I can't count the number of times I've referred to them. I have a question regarding the wizard when creating the CMG. I noticed in SCCM 2010 the Azure Resource Manager option has been replaced with Virtual Machine Scale Set. I understand this option should be used if I have a CSP subscription for Azure. Do you know if this option should only be used for that case? Does it matter if I use it and don't have a CSP? Is it preferable to use one vs the other? I'm trying to stand up my first CMG and I've done a lot of research on this but haven't been able to find a solid answer. Thanks in advance.

@PatchMyPC 3 жыл бұрын

Unfortunately, I actually haven't played around with this newer option so I'm not sure

@Gauravalld 6 жыл бұрын

Hi Justin like always very informative video. I had a quick question currently I am working in sccm 1702 version which is quite different from 1802. Can you please suggest any documentation while doing configuration with 1702

@PatchMyPC 6 жыл бұрын

Gaurav Jain are you moving to 1802 anytime soon. It's certainly simpler to setup in 1802 and 1806.

@ShehzadKhan-yk3pb 5 жыл бұрын

Hi Justin, in the video at timeline 14:02, you mentioned to go into "Settings" and "Grant Permissions". However i can't see the Settings --> Required Permissions --> Grant Permission in the latest Azure console. Can you please help?

@PatchMyPC 4 жыл бұрын

Did you get this figured out?

@thereflecs 5 жыл бұрын

Hi Justin, great video. One thing I am missing is how to rollout the configmgr agent to Azure AD clients.

@PatchMyPC 5 жыл бұрын

Hoping to do some co-management and enrollment soon.

@thereflecs 5 жыл бұрын

@Patch My PC I'm trying to get it to work but my logs fill up with ssl and certificate errors. Eventualy the installation of the clients failes with errorcode 0x87d00455 Followed this guide: www.scconfigmgr.com/2017/11/30/deploy-configmgr-client-to-aad-device-from-intune/#comment-78523 Internal (AD Joined) device connect to the CMG with no issues. So it should be something to do with a missing certificate I believe.

@thereflecs 5 жыл бұрын

Just got my breakthrough! Somehow I forgot to add distribution point groups to the CMG DP role.

@PatchMyPC 5 жыл бұрын

Nice!

@davidpaulzimmer 3 жыл бұрын

You mention a video regarding PKI certificate for the client cert. I can't seem to find it anywhere. If we have a CA server configured in our environment, how do we generate the cert needed for the clients during the setup of the CMG?

@PatchMyPC 3 жыл бұрын

Hey David, This would cover the PKI setup if you go that route. kzbin.info/www/bejne/pHTLfH6DbqaDd7M

@habitmohammadi 5 жыл бұрын

Hi Justin, thank you for the very helpful video tutorial. I have configured my test environment as per instructions in the video. I can target application and have them installed on internet-facing client which is fantastic. However I have an issue where domain joined computers that are on the internet will not receive Windows software updates or PatchMyPC third-party updates. What I have noticed in the video, the clients would retrieve the content for Windows updates from MS CDN. However in my case, the LocationServices.log indicates the WSUS path is pointed to the FQDN of CMG proxy server in Azure. Obviously I don't have SUP role configured on CMG server in Azure therefore the updates won't be available to install. SUP is configured on the Primary server on-prem for intranet clients. Any idea how this can be fixed? Any help would be much appreciated. Thanks

@PatchMyPC 4 жыл бұрын

Third-party updates should work fine over CMG, are you still having issues?

@kshitijjgulati 5 жыл бұрын

Hey Justn, Thanks again! Informative video. I currently have IBCM in my environment. If I want to transition to CMG, should I just go ahead? I mean will the clients need to be reconfigured or will they now automatically connect to either the IBCM or the CMG when they are on internet. I am guessing that they would automatically choose one. And with the course of time after analyzing costs of CMG, I can shutdown my IBCM so that clients only connect to CMG moving further. Is my understanding correct?

@PatchMyPC 4 жыл бұрын

Sorry for the delay did you switch over ok?

@ParasKumarJain 5 жыл бұрын

Hi Justin, Can you please provide a video on BitLocker Management via SCCM current branch as well?

@PatchMyPC 5 жыл бұрын

I will keep that in mind for future videos

@ljbizserv 3 жыл бұрын

At 29:05 when you enable the Software Update Point, does that require SQL and WSUS to be installed on that server?

@PatchMyPC 3 жыл бұрын

The SUP was already installed. You would need to to enable CMG access

@kevnufc 4 жыл бұрын

Can a CMG be used to deploy/enforce BitLocker policies for internet based clients? We currently use a combination of Configuration Items/Baselines for deployment to domain connected devices.

@PatchMyPC 4 жыл бұрын

Wouldn't those CI's also work for internet clients? It may depends on how you store keys.

@garimaprakash4254 4 жыл бұрын

This video is so helpful and detailed, thanks. Can we host all the cmg roles along with MP/SUP on a different site server as my primary site's MP is http?

@PatchMyPC 4 жыл бұрын

The mp would need to at least use ehttp

@garimaprakash4254 4 жыл бұрын

So can I add another MP(new site server) as ehttp or https?

@PatchMyPC 4 жыл бұрын

@@garimaprakash4254 You could add a new site system with MP role yes.

@garimaprakash4254 4 жыл бұрын

Thanks !

@vickg 5 жыл бұрын

Hey, i have everything configured in SCCM and Azure however my connection point stays disconnected and the following error in SMS_Cloud_ProxyConnectory.log: Failed to build TCP connection and there is no firewall. Any idea?

@PatchMyPC 5 жыл бұрын

Hmm, not sure about that one.

@jimcox6923 5 жыл бұрын

Great video, got me most of the way there. My CMG is set up , connection point is connected, and i see my CMG MP clients in the Cloud Management section of the Monitoring section. But I have an issue... My issue is when i open software center on my CMG MP managed machine it eventually crashes and says that it cant be opened. Any pointers on where i should start to troubleshoot, like log wise? I looked in the location services log and i can see where its trying to contact my cloud app, it states that theres a certificate problem, but ive confirmed my root and intermediate certs are valid.

@PatchMyPC 5 жыл бұрын

What's ccmmessaging.log say on the client?

@jimcox6923 5 жыл бұрын

@@PatchMyPC , this is pretty much it repeating over and over... Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:XXXXXXXXXX"; DateTime = "20190211185607.596000+000"; HostName = "servicename.CLOUDAPP.NET"; HRESULT = "0x87d0027e"; ProcessID = 10368; StatusCode = 515; ThreadID = 9224; }; CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408) Successfully queued event on HTTP/HTTPS failure for server 'servicename.CLOUDAPP.NET'. CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408) Post to servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request failed with 0x87d00231. CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408) [CCMHTTP] ERROR: URL=servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request, Port=443, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300) [CCMHTTP] ERROR INFO: StatusCode=515 StatusText=Upstream Certificate is untrusted or expired CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300)

@jimcox6923 5 жыл бұрын

So i checked Azure and noticed that there was infact an expired intermediate cert in the certificates section of the application. I deleted it and resynched the CMG. Still, however getting the error.

@jimcox6923 5 жыл бұрын

@@PatchMyPC Ok, so it boiled down to a few things... 1. There is a bug in 1806 that does CRL checking even if you tell it not to. Apparently this is workaroundable in 1810 (you have to create a reg key) 2. Our published crl was expired. We had to fire up the root ca and renew it 3. our MP was hanging on to Internet config settings for proxy from a bygone era. once we fixed that issue, everything magically began working. The values in the following key is where they were. We deleted them, rebooted and it got the correct config:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections this article helped as well: community.spiceworks.com/topic/1567165-can-t-remove-proxy-settings-windows-7-server-2012-r2-domain-help

@Gauravalld 5 жыл бұрын

Hi Justin, Thanks for the great video really very informative. I am also in the process to set up a CMG in a dev environment. Currently I have installed the CMG site role to an on premise server and it shows as ready state however the connection point shows disconnected. Now as I understood from MS documents that port ( 443 and 10124) needs to enabled from site system CMG connection point and Azure CMG. Now my question is port ( 443 and 10124) should enabled should be b/w on premise site server with CMG and Azure CMG server ( i.e. IP of the xxx.cloudapp.net) . Please correct me if I am wrong. Also 443 ports b/w client and Azure CMG server ( i.e. IP of the xxx.cloudapp.net).

@PatchMyPC 5 жыл бұрын

Sounds correct to me, have you happened to see this one: docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway#ports-and-data-flow

@mukmusicdiary 5 жыл бұрын

Hey, thanks for the wonderful guide! I was wondering how did you set it up so the devices get auto approved? I know how to do this for domain joined devices, but can't seem to get it working for CMG devices since they are WORKGROUP devices.

@PatchMyPC 5 жыл бұрын

Workgroup? Did you join the devices using Azure AD?

@mukmusicdiary 5 жыл бұрын

@@PatchMyPC Yep these aren't domain joined devices. Just Azure AD devices via Intune.

@mikeg9662 4 жыл бұрын

@@mukmusicdiary Hi Mark, Did you ever find a solution for your workgroup PCs? I have a large number of laptops in the field that are in workgroups and cannot be domain joined for various company policy related reasons. I would like to see if I can manage them via CMG, primarily for patching purposes as it seems to be easier than forcing the users to connect to our VPN environment to allow the SCCM client to communicate with our SCCM infrastructure. I've been doing a lot of research and cannot find a definite yes or no if a CMG can manage these types of machines, and if yes, how to do it. Everything I read appears to assume the clients are all domain joined. Thanks

@PatchMyPC 4 жыл бұрын

Token-based auth will make workgroup machines very easy kzbin.info/www/bejne/m2a0hKlnjtOUbK8

@TheThesuresh 5 жыл бұрын

In the CMG setup is mandatory to use public issued certificate?

@PatchMyPC 5 жыл бұрын

No, but usually the easiest option since the CRL is already public.

@GaarEnSappig 3 жыл бұрын

Thanks for the video! I am going to try my luck and as the question here, We're using SCCM in a multi-tenant way. We have a CAS with 2 Primary sites, one for our own usage and one for our customers. The primary sites is configured in our own domain. We have a one-way trust with the domain of our customers. We've setup a MP and a DP in our customers domain and configured the boundries so that their devices connect to their own MP. This server conects to the Primary Site in our own domain. Since the whole pandemic hit we are currently looking into using CMG so that SCCM will still connect to machines outsides of our Intranet. Now to the question: Is it actually possible to make use of CMG's in the construction described above or should we think of making a primary site for each customer?

@PatchMyPC 2 жыл бұрын

I'm not actually sure about this one, sorry. The docs may have some info.

@GaarEnSappig 2 жыл бұрын

@@PatchMyPC Thanks for taking the time to try answering the question. As far as I understand so far from the docs it is only possible to have 1 tenant per Primary Site. So yeah, we need to change up the design a bit.

@JessieS 4 жыл бұрын

I know this is late in the game but, do you need to configure HTTPS on all your management points and Software update point and what Client PKI do I need to deploy to my users first before enabling this? Also I've notice that you configured this by right clicking on the Management role, I've seen other articles stating to go to "Configure site components" what is the difference? Thank you in advance.

@PatchMyPC 4 жыл бұрын

management points and Software update point No, just the one CMG talks to. Client PKI do I need to deploy to my users first before enabling this? It depends, clients can use PKI, Azure AD, or Bulk token for CMG.

@TheMunzie 2 жыл бұрын

Hi Justin. If I have eHTTP enabled and not PKI is it the same steps?

@PatchMyPC 2 жыл бұрын

It should be similar, the MS Docs do cover eHTTP pretty well.

@unitedguy28 3 жыл бұрын

Hello, Our Primary site server is not considered a DP or MP. Should I be deploying the CMG connection point service on the MP or MP's or does it not matter? We have multiple MP's for redundancy Thank you!

@PatchMyPC 3 жыл бұрын

Doesn't really matter, you can also have multiple connection points I think

@unitedguy28 3 жыл бұрын

@@PatchMyPC ok. Yes correct you can have multiple points. Thanks

@bITTERSWWWEET 3 жыл бұрын

@ about 14 minutes in the video you grant access to the the client and server app. Does this still need to be done. The Azure environment looks a bit different now.

@PatchMyPC 3 жыл бұрын

It may look slightly different now, but I think this process should still apply unless there's been improvements to do this automatically.

@growley 3 жыл бұрын

I just deployed on MECM 2006 and it was all done for me.

@shadyss96 4 жыл бұрын

Silly question- but do I need to have our on-prem set to HTTPS before being able to fully utilize this feature?

@Nawdiral 4 жыл бұрын

To securely forward client requests, the CMG connection point requires a client authentication certificate that corresponds to the server authentication certificate on the HTTPS management point. >>> If clients use Azure AD authentication, or you configure the management point for Enhanced HTTP, this certificate isn't required. For more information, see Enable management point for HTTPS.

@Nawdiral 4 жыл бұрын

Note that HTTP over internet to a MP is not possible, while HTTP over intrnet to a DP is possible.

@PatchMyPC 4 жыл бұрын

You can a few options for how certificates and be used with CMG docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway

@mohananaidu4627 Жыл бұрын

As per Microsoft all the internet-based clients will get the software update content from Windows Update. This update content download (from windows update) will use local internet which will choke the low bandwidth sites. If we are going to force all datacenter to use CMG - will branch cache or Peer cache or any other caching technologies work with CMG within datacenter to share the content? Or can we redirect the software update content download from local DP( if we setup local DP) instead of going to Windows update, so that local client will get the content from local DP? If yes, I assume we can use existing on-prem data center Primary Server to setup CMG for Servers in datacenter.

@PatchMyPC Жыл бұрын

Thanks for the input.

@SALalnashri 4 жыл бұрын

Hi Justin ,what if the machines already left the on-premises network? can the CMG manage the these machines ?how the SCCM clients gets update internet-base management point (FQDN) ?

@PatchMyPC 4 жыл бұрын

No, your would need to touch those devices because they can't get the CMG policy.

@SALalnashri 4 жыл бұрын

@@PatchMyPC so CMG policy should be updated on these devices before going outside network . Any workaround to update cmg policy for these devices ? Pls help me.

@jpine77 4 жыл бұрын

Hi Justin, I really appreciate all your setup videos. I am running CB1910 and currently have IBCM deployed and have just set up Cloud Management Gateway with DP. Our VPN is configured with split tunneling and on-prem DP's are blocked through the VPN tunnel, so users need to end their VPN connection to receive content. CMG was set up allow content to be received by remote clients whether or not a VPN connection is established. I am having an issue receiving content when VPN is connected. The Internet-based management point in the ConfigMgr client properties is the CMG. I have created a VPN Boundary Group with the CMG and the VPN IP range boundary. The CMG is shown as the assigned management point in the client properties. "Prefer cloud based sources over on-premise sources" is enabled. In the cas.log file after the ContentLocationRequest is, No reply received, Failed to create Location Request Message body and GetLocationSyncEx3 failed with error 0x80004005. Can IBCM and CMG coexist? Do you have any thoughts what may be causing the issue? BTW, the content has been distributed to the CMG DP. Thanks in advance for any insights you may provide, John

@PatchMyPC 4 жыл бұрын

I think probably one or the other would be the best approach.

@brent4770 5 жыл бұрын

Has anyone tried Azure free acct.? Do they automatically charge after 30 days if you forget to cancel?

@PatchMyPC 4 жыл бұрын

Did you get this figured out?

@sunilpal7933 4 жыл бұрын

Do we need to create any internal Cname entry for cloudapp.net in local DNS.

@PatchMyPC 4 жыл бұрын

Shouldn't need to

@gsmegaphone 5 жыл бұрын

Question - in my SCCM console (running version 1810), under Administration > Cloud Services, I don't have any "Cloud Management Gateway" option. Cloud Distribution Points is there, but no CMG??

@PatchMyPC 5 жыл бұрын

Do you have the service connection point enabled in the site and is "Cloud Management Gateway" enabled/on in the Updates and Servicing > Feature node?

@gsmegaphone 5 жыл бұрын

@@PatchMyPC ah, the U&S > Feature was turned off. That did it! THanks!

@gsmegaphone 5 жыл бұрын

@@PatchMyPC Ok, one other question as I have this thing 99.999% done. I've got the CMG all setup successfully and am able to distribute content/RDP/etc. The only thing I cant get is my clients are not picking up the CMG as a management point. I've done Machine Policy & Retrieval and restarted SMS service several times, but watching the log the only one it ever picks up is my primary on-prem management point. (PS: I know you don't really make any money answering questions from novices like myself on KZbin, so if you happen to have a paypal or place to accept donations as appreciation for great content like this, please let me know and I would be happy to send some $$ your way!)

@PatchMyPC 5 жыл бұрын

@@gsmegaphone Can you post clientlocation and locationservices from the client?

@gsmegaphone 5 жыл бұрын

@@PatchMyPC Just fyi, I got this working. I had to turn OFF "Allow configuration manager cloud management gateway traffic" on the MP, wait about 10 minutes, turn it back on, and viola, it started working. So Something must have just gone screwy when the MP reinstalled itself the first time. Thanks for your help as always.

@ehabgalal9181 5 жыл бұрын

Hi justin, Just quick question if I have two MP in our environment. Both must be run over https?

@PatchMyPC 4 жыл бұрын

Only the one with CMG connections need it.

@ehabgalal9181 4 жыл бұрын

@@PatchMyPC do you believe after enhanced http released still need to switch MP or SUP to https to enable CMG

@PatchMyPC 4 жыл бұрын

@@ehabgalal9181 You can use EHTTP for MP docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http

@theg00d1 4 жыл бұрын

u have forgoton in previous certification video how to add ROOT CA that I see u seems to have to provided Root CA , could u give some clarity on it ,

@PatchMyPC 4 жыл бұрын

This would be the root ca certificate for an Internal PKI

@soheluddin6382 4 жыл бұрын

Hi Justin,Gday !! could you please help me on this "Failed to create client App. Server app might not be present in the tenant specified" I am the global admin for my Azure account or can you share a link from where i can resolve this.

@PatchMyPC 3 жыл бұрын

You may want to try to build the app in Azure directly in this case.

@soheluddin6382 3 жыл бұрын

@@PatchMyPC thanks !!

@walterh1223 5 жыл бұрын

I think some of my issue is Azure has changed a fair amount, I got past my previous issue by manually creating the web / native apps. Now I have an issue when trying to create the management gateway, I am getting an error "a valid Azure AD app is required. please deploy the azure service for cloud management first" Trying to find a way around this but everything I find is out dated.

@PatchMyPC 4 жыл бұрын

Are you all good here?

@soheluddin6382 4 жыл бұрын

@@PatchMyPC Could you plzz help, i am still struck there. No idea why,

@omarjg7859 Жыл бұрын

Is it possible to migrate to Cloud Service (Extended Support)?

@PatchMyPC Жыл бұрын

I'm not sure about this one. There may be some info on the MS docs though.

@siddharthbhatia9114 3 жыл бұрын

My CMG connection is showing partially connected how to troubleshoot that?

@PatchMyPC 3 жыл бұрын

You can run the troubleshooting wizard.

@SHAKTI4601 5 жыл бұрын

Hi Justin, Need one help. I have configured the CMG using the wildcard certificate issued by the public CA. We don't have PKI in our environment so which certificate I can upload in client authentication ? My wildcard certificate is both server authentication and client authentication however if I am trying to upload it in client authentication certs, its giving me warning that cert is not having valid root. ☹️ Please suggest... Thank you in advance.

@PatchMyPC 5 жыл бұрын

You would need to upload the root CA 9.cer file) for your PKI in the CMG properties.

@SHAKTI4601 5 жыл бұрын

@@PatchMyPC Thanks a lot. I have one small doubt... Our public cer has one intermediate CA and one Root CA. If I understand correctly, I need to export that Root CA and upload it to CMG properties under client authentication certs. I have configured my MP to allow SSL traffic on SCCM self signed certificate (enhanced http feature) so my primary site server is having the self signed cert in IIS.. will that be any issue ?

@PatchMyPC 5 жыл бұрын

@@SHAKTI4601 You would include both certs then for the root and intermediate.

@SHAKTI4601 5 жыл бұрын

@@PatchMyPC Thanks a lot. Finally my CMG has started working. I had to import the certificate on client to make it work. I thought if its issued by public CA, we don't need to import it on client machines..

@walterh1223 5 жыл бұрын

Anyone had the error "Failed to create client App. Server app might not be present in the tenant specified" I am the global admin for my Azure account and have many other services/apps/vms running without any issues. This is the step where you create the server app. Thanks!

@PatchMyPC 4 жыл бұрын

Thanks for the tip

@csealok 5 жыл бұрын

@PatchMyPC 4 жыл бұрын

You're welcome!

@mohananaidu4627 4 жыл бұрын

We don't have Azure AD authentication in our infra. all are on-premises systems. we are planning to use third-party certificates.Do we need get the client authentication certificate from Third-Party certificate providers? We are going to use the EHTTP option. any suggestion on this

@PatchMyPC 4 жыл бұрын

What third-party are you using? So you aren't going to use AD Certificate Services?

@mohananaidu4627 4 жыл бұрын

We are using your product Patch My PC thank for your response

@mohananaidu4627 4 жыл бұрын

@@PatchMyPC we are using patch my PC. We configured with third party wild card certificate and everything works fine . published the 7zip update , it's shown up in the software ware center but when I click download content download failed. Content is present in the cloud dp. Cas log showing cloud dp path

@PatchMyPC 4 жыл бұрын

@@mohananaidu4627 let me now if this helps patchmypc.com/third-party-update-considerations-with-cloud-management-gateway-cmg-in-sccm

@mohananaidu4627 4 жыл бұрын

@@PatchMyPC thank you Sir. I willl go through the vedio

@coderedex 5 жыл бұрын

Thankyou for your helpful video. I'm getting stuck the the CMG setup creation. Do you have to wait 24 hours for the "CNAME" to replicate across ,I named mine "sccmclient.sccmXXXXX.net" which would redirect to sccmclient.appnet.net?. Do I need to configure anything on my local IIS Server? Many Thanks for your assistance.

@ShehzadKhan-yk3pb 5 жыл бұрын

Jazz: how were you able to Grant Permissions?

@ShehzadKhan-yk3pb 5 жыл бұрын

As far as your query is concerned: No, you don't need any configuration on your local IIS

@coderedex 5 жыл бұрын

@@ShehzadKhan-yk3pb I still cannot get this right. Failed at povisioning. Here is my log info from cloudmgr.log.

@coderedex 5 жыл бұрын

ERROR: Resource Manager - Failed to list keys for storage service clientsccm with status code NotFound. Check [Monitor/Activity log] on Azure Portal for more information~~

@PatchMyPC 4 жыл бұрын

Did you figure this one out?

@hanenchhibi6882 4 жыл бұрын

i have a tenant id Azure i don't have a subscription and tha't my problem

@PatchMyPC 3 жыл бұрын

You figure this one out?

@sagar4mane 4 жыл бұрын

We are having SCCM 1902 and configured CMG So Can we install sccm client in workgroup machines in CMG ?( machines which are not in Azure AD but connected to internet)

@sagar4mane 4 жыл бұрын

Actually these are laptops which connected internet via data card and it's not in domain, we are using PKI certificate for authentication but facing error while installing sccm client in this laptops Plz suggest

@PatchMyPC 4 жыл бұрын

You can but it's more complicated. ConfigMgr 2002 will make it easier kzbin.info/www/bejne/m2a0hKlnjtOUbK8

@mohammedzubair9694 3 жыл бұрын

Hi Justin, Thanks for sharing this video. I have one quick query and need your support. My Active Directory Domain is for example xyz.com for all domain joined machines, but my SSL certificate domain is xyz.co.in , so can I add Wildcard certificate of xyz.co.in in CMG? Please need your support.

@mohammedzubair9694 3 жыл бұрын

adding another point: The Wildcard certificate of xyz.co.in will be from Digicert

@PatchMyPC 2 жыл бұрын

It should be the public DNS name

@cli3335 Жыл бұрын

hello team @patchmypc, i have a question regarding the CMG web server certificate. In your video, you opted to use a cert from a public CA, which is what i'm planning to do as well because even though i have an internal PKI setup, i don't have an externally available CRL site. My question is will there any issue for me doing that (using a CMG web server cert from a public CA) considering i have already setup SSL communication between my SCCM servers and SCCM client using my internal PKI? which by the way, i have followed the instructions from your SSL video kzbin.info/www/bejne/pHTLfH6DbqaDd7M&ab_channel=PatchMyPC

@PatchMyPC Жыл бұрын

No that scenario should still work fine where you have a public certificate for your CMG and internal for your site systems and servers

@cli3335 Жыл бұрын

@@PatchMyPC Thank, I got my CMG setup successfully following your video.