Please keep up the great work. I was waiting for a high quality channel for SCCM and it seems like I have found it. Subbed
@PatchMyPC 6 years ago
Shloeb Thanks!
@Magdann 3 years ago
I've watched so many of your videos and they helped me so much I just can't leave without subscribing. Done
@PatchMyPC 3 years ago
Thanks!
@bahnjee 4 years ago
Thank you tremendously for these so-very-helpful videos. You take Microsoft's sorely-lacking text documentation and turn it into something that's actually useful and much more comprehensible. One request: These awesome videos would be even awesomer if we could see the bar at the top of your screen that indicates which computer we're looking at. You move very quickly and sometimes it's hard to tell whether we're looking at a client, a server, and/or which server. This vid was not so hard to follow in that aspect, but the one for setting up HTTPS/PKI got a bit tricky to keep up with. I realize that maybe your recording tool doesn't allow for that but I know it can be done because the videos that PolicyPak records (also awesome) do show that bar at the top.
@PatchMyPC 4 years ago
Good feedback, I will think about adding the bar in the next video.
@varunstyle1986 6 years ago
Just completed setting up CMG for internet clients. All working well: software/inventory/updates deployments. Thanks for the nice explanations! :)
@PatchMyPC 6 years ago
Excellent!
@nirmalp1559 6 years ago
Hi Varun, if possible, could you please help on the issue related with Client communication with CMG?
@varunchitra3163 6 years ago
@nirmalp1559 Yes please, tell me where you're stuck.
@nirmalp1559 6 years ago
@varunchitra3163 Have deployed CMG and enabled CDP. In our environment, we don't have any internet-based clients. So we created one workgroup machine in Azure, made it always internet, and installed the agent with the parameters "ccmsetup.exe /UsePkiCert SMSSITECODE=XXX CCMHOSTNAME=CMGSCCM.XX.COM/CCM_Proxy_MutualAuth/72057XX5940XXXXXXXX". Is this the right approach, or does any specific parameter need to be checked? Please suggest. Thank you
@varunchitra3163 6 years ago
@nirmalp1559 1. The PC should have a client authentication certificate for mutual authentication. 2. The first time, the device must be on the intranet to fetch policies from GPO and SCCM, and then switch to internet. 3. Locationservices.log should have a success message with the MP, and SMS_CLOUD_PROXYCONNECTOR.log on the site server will show successful communication with the CDP.
@allbymyself85 4 years ago
Thanks Justin. Great video
@PatchMyPC 4 years ago
Thanks for watching!
@albrough 4 years ago
Awesome video! If you have a new Azure subscription in Australia, raise a case with support and request access to AustraliaEast or AustraliaSouthEast. AustraliaCentral (which is the default for new subs) does not work and is not an option when provisioning your CMG! We had to create a new sub as our CSP was not able to provision us the Cloud Service (Classic) required for CMG.
@PatchMyPC 4 years ago
Thanks for the tip!
@inside3ds21 days ago
Thank you for this guide, quick question regarding hybrid environments and CMG. I'm trying to setup CMG to be able to pre-provision devices using Autopilot, using the hybrid join method. Do I need to setup HTTPS for this to work?
@tomm5564 5 years ago
Great video! Will the Software Update deployments need to have the "...download from MS updates" and "Allow clients on a metered Interconnection..." boxes checked on the Download settings tab?
@PatchMyPC 5 years ago
No, when internet facing that checkbox shouldn't matter.
@divefraggle 4 years ago
Amazing video, thanks!
@PatchMyPC 4 years ago
Thanks for watching
@ljbizserv 4 years ago
At 29:05 when you enable the Software Update Point, does that require SQL and WSUS to be installed on that server?
@PatchMyPC 4 years ago
The SUP was already installed. You would need to enable CMG access.
@mikegorski783 3 years ago
Hi Justin. Thanks for the videos. I can't count the number of times I've referred to them. I have a question regarding the wizard when creating the CMG. I noticed in SCCM 2010 the Azure Resource Manager option has been replaced with Virtual Machine Scale Set. I understand this option should be used if I have a CSP subscription for Azure. Do you know if this option should only be used for that case? Does it matter if I use it and don't have a CSP? Is it preferable to use one vs the other? I'm trying to stand up my first CMG and I've done a lot of research on this but haven't been able to find a solid answer. Thanks in advance.
@PatchMyPC 3 years ago
Unfortunately, I actually haven't played around with this newer option so I'm not sure
@ShehzadKhan-yk3pb 5 years ago
Hi Justin, in the video at timeline 14:02, you mentioned to go into "Settings" and "Grant Permissions". However, I can't see the Settings --> Required Permissions --> Grant Permission in the latest Azure console. Can you please help?
@PatchMyPC 4 years ago
Did you get this figured out?
@alexanderson6616 4 years ago
I just finished watching video #3. It was great. I do have a question. In this video the "Trusted Root Certificate Authorities" have been selected, whereas in the prior video it was not set. Any guidance on setting that up would be great. Thank you
@PatchMyPC 4 years ago
That was my root certificate authority from my internal PKI
@yuvimaggi 5 years ago
Thanks for the great video. I have a question on configuring CMG. Do we definitely need OWNER and CO-ADMINISTRATOR credentials on Azure to configure CMG, or are just OWNER credentials enough?
@PatchMyPC 5 years ago
I believe just owner is needed.
@santoshkhaple4660 4 years ago
Thank you Justin for the wonderful video. Will CMG be configured on non-PKI infrastructure, as we have Azure AD Sync?
@PatchMyPC 4 years ago
Nice
@garimaprakash4254 4 years ago
This video is so helpful and detailed, thanks. Can we host all the CMG roles along with MP/SUP on a different site server, as my primary site's MP is HTTP?
@PatchMyPC 4 years ago
The MP would need to at least use eHTTP.
@garimaprakash4254 4 years ago
So can I add another MP (new site server) as eHTTP or HTTPS?
@PatchMyPC 4 years ago
@garimaprakash4254 You could add a new site system with MP role, yes.
@garimaprakash4254 4 years ago
Thanks !
@mukmusicdiary 5 years ago
Hey, thanks for the wonderful guide! I was wondering how did you set it up so the devices get auto approved? I know how to do this for domain joined devices, but can't seem to get it working for CMG devices since they are WORKGROUP devices.
@PatchMyPC 5 years ago
Workgroup? Did you join the devices using Azure AD?
@mukmusicdiary 5 years ago
@PatchMyPC Yep, these aren't domain joined devices. Just Azure AD devices via Intune.
@mikeg9662 5 years ago
@mukmusicdiary Hi Mark, did you ever find a solution for your workgroup PCs? I have a large number of laptops in the field that are in workgroups and cannot be domain joined for various company policy related reasons. I would like to see if I can manage them via CMG, primarily for patching purposes, as it seems to be easier than forcing the users to connect to our VPN environment to allow the SCCM client to communicate with our SCCM infrastructure. I've been doing a lot of research and cannot find a definite yes or no on whether a CMG can manage these types of machines, and if yes, how to do it. Everything I read appears to assume the clients are all domain joined. Thanks
@PatchMyPC 4 years ago
Token-based auth will make workgroup machines very easy: kzbin.info/www/bejne/m2a0hKlnjtOUbK8
@abhiram211 6 years ago
Hi Justin, thanks for a very informative video. I have a question, if you could answer. I have two environments, one with SCCM and the other with Intune. Both are separate environments and now I want to set up co-management. With this I want the currently managed Intune devices to be part of SCCM (specifically for reporting purposes), and all on-premise devices should not be part of Intune after setting up co-management. Do you know how I can achieve this?
@PatchMyPC 6 years ago
Hey! Yeah, I think co-management could do this for you: docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview. TBH, I haven't dug that deep into co-management yet. I have it on the list of things to do and a future video. Hopefully, that documentation may be helpful for you until I dig a bit deeper and do a video.
@thereflecs 6 years ago
Hi Justin, great video. One thing I am missing is how to roll out the ConfigMgr agent to Azure AD clients.
@PatchMyPC 6 years ago
Hoping to do some co-management and enrollment soon.
@thereflecs 6 years ago
@Patch My PC I'm trying to get it to work but my logs fill up with SSL and certificate errors. Eventually the installation of the clients fails with error code 0x87d00455. Followed this guide: www.scconfigmgr.com/2017/11/30/deploy-configmgr-client-to-aad-device-from-intune/#comment-78523 Internal (AD joined) devices connect to the CMG with no issues. So it should be something to do with a missing certificate, I believe.
@thereflecs 6 years ago
Just got my breakthrough! Somehow I forgot to add distribution point groups to the CMG DP role.
@PatchMyPC 6 years ago
Nice!
@unitedguy28 4 years ago
Hello, our primary site server is not considered a DP or MP. Should I be deploying the CMG connection point service on the MP or MPs, or does it not matter? We have multiple MPs for redundancy. Thank you!
@PatchMyPC 4 years ago
Doesn't really matter, you can also have multiple connection points I think
@unitedguy28 4 years ago
@PatchMyPC OK. Yes, correct, you can have multiple points. Thanks
@ParasKumarJain 5 years ago
Hi Justin, Can you please provide a video on BitLocker Management via SCCM current branch as well?
@PatchMyPC 5 years ago
I will keep that in mind for future videos
@kevnufc 4 years ago
Can a CMG be used to deploy/enforce BitLocker policies for internet based clients? We currently use a combination of Configuration Items/Baselines for deployment to domain connected devices.
@PatchMyPC 4 years ago
Wouldn't those CIs also work for internet clients? It may depend on how you store keys.
@kichumuraly1524 5 years ago
This is one of the best videos on CMG I have ever come across. Thanks for the great job on making it. Just one question, maybe a scenario: what happens if a client with a valid client authentication certificate, hybrid joined to AAD, goes out to the internet and then the certificate expires? Would it start communicating over modern auth, or stop communicating with the CMG itself?
@PatchMyPC 5 years ago
I believe AAD devices auto-renew their certs.
@GaarEnSappig 3 years ago
Thanks for the video! I am going to try my luck and ask the question here. We're using SCCM in a multi-tenant way. We have a CAS with 2 primary sites, one for our own usage and one for our customers. The primary sites are configured in our own domain. We have a one-way trust with the domain of our customers. We've set up an MP and a DP in our customers' domain and configured the boundaries so that their devices connect to their own MP. This server connects to the primary site in our own domain. Since the whole pandemic hit we are currently looking into using CMG so that SCCM will still connect to machines outside of our intranet. Now to the question: Is it actually possible to make use of CMGs in the construction described above, or should we think of making a primary site for each customer?
@PatchMyPC 2 years ago
I'm not actually sure about this one, sorry. The docs may have some info.
@GaarEnSappig 2 years ago
@PatchMyPC Thanks for taking the time to try answering the question. As far as I understand so far from the docs, it is only possible to have 1 tenant per primary site. So yeah, we need to change up the design a bit.
@davidpaulzimmer 4 years ago
You mention a video regarding PKI certificate for the client cert. I can't seem to find it anywhere. If we have a CA server configured in our environment, how do we generate the cert needed for the clients during the setup of the CMG?
@PatchMyPC 4 years ago
Hey David, This would cover the PKI setup if you go that route. kzbin.info/www/bejne/pHTLfH6DbqaDd7M
@jimcox6923 5 years ago
Great video, got me most of the way there. My CMG is set up, the connection point is connected, and I see my CMG MP clients in the Cloud Management section of the Monitoring section. But I have an issue... My issue is that when I open Software Center on my CMG MP managed machine, it eventually crashes and says that it can't be opened. Any pointers on where I should start to troubleshoot, like log-wise? I looked in the location services log and I can see where it's trying to contact my cloud app. It states that there's a certificate problem, but I've confirmed my root and intermediate certs are valid.
@PatchMyPC 5 years ago
What's ccmmessaging.log say on the client?
@jimcox6923 5 years ago
@PatchMyPC, this is pretty much it repeating over and over...
Raising event: instance of CCM_CcmHttp_Status { ClientID = "GUID:XXXXXXXXXX"; DateTime = "20190211185607.596000+000"; HostName = "servicename.CLOUDAPP.NET"; HRESULT = "0x87d0027e"; ProcessID = 10368; StatusCode = 515; ThreadID = 9224; }; CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408)
Successfully queued event on HTTP/HTTPS failure for server 'servicename.CLOUDAPP.NET'. CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408)
Post to servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request failed with 0x87d00231. CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408)
[CCMHTTP] ERROR: URL=servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request, Port=443, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300)
[CCMHTTP] ERROR INFO: StatusCode=515 StatusText=Upstream Certificate is untrusted or expired CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300)
@jimcox6923 5 years ago
So I checked Azure and noticed that there was in fact an expired intermediate cert in the certificates section of the application. I deleted it and resynched the CMG. Still, however, getting the error.
@jimcox6923 5 years ago
@PatchMyPC OK, so it boiled down to a few things...
1. There is a bug in 1806 that does CRL checking even if you tell it not to. Apparently this is workaroundable in 1810 (you have to create a reg key).
2. Our published CRL was expired. We had to fire up the root CA and renew it.
3. Our MP was hanging on to Internet config settings for proxy from a bygone era. Once we fixed that issue, everything magically began working. The values in the following key are where they were. We deleted them, rebooted and it got the correct config: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
This article helped as well: community.spiceworks.com/topic/1567165-can-t-remove-proxy-settings-windows-7-server-2012-r2-domain-help
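Added example (not written by any commenter or by Patch My PC): the ccmmessaging.log excerpt in the thread above pairs a [CCMHTTP] ERROR line with an ERROR INFO line carrying the gateway's status text. This Python script parses such CMTrace-style text, pairs the two lines by thread ID, and flags certificate-related failures; the sample lines are constructed from the excerpt and all function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three of the ccmmessaging.log entries quoted in the
# thread, one entry per line as CMTrace displays them.
SAMPLE_LOG = """\
Post to servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request failed with 0x87d00231. CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408)
[CCMHTTP] ERROR: URL=servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request, Port=443, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300)
[CCMHTTP] ERROR INFO: StatusCode=515 StatusText=Upstream Certificate is untrusted or expired CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300)
"""

# Follow-up checks, taken from the causes the commenter reported in this thread.
THREAD_CHECKS = (
    "expired intermediate certificate in the Azure certificates section",
    "expired published CRL",
    "stale proxy settings on the management point",
)

# Trailer appended to each entry: component, date and time, thread id (dec and hex).
TRAILER = re.compile(
    r"\s+(?P<component>\S+)\s+"
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"\s+(?P<thread>\d+) \(0x[0-9A-Fa-f]+\)\s*$"
)
HTTP_ERROR = re.compile(
    r"^\[CCMHTTP\] ERROR: URL=(?P<url>[^,]+), Port=(?P<port>\d+),.*Text=(?P<text>\S+)$"
)
HTTP_INFO = re.compile(
    r"^\[CCMHTTP\] ERROR INFO: StatusCode=(?P<code>\d+) StatusText=(?P<status>.*)$"
)


def parse_entries(log_text):
    """Split CMTrace-style text into entries with message, component, time, thread."""
    entries = []
    for line in log_text.splitlines():
        m = TRAILER.search(line)
        if not m:
            continue  # not a complete log entry (blank line, wrapped text)
        entries.append({
            "message": line[:m.start()].strip(),
            "component": m["component"],
            "time": datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M:%S %p"),
            "thread": int(m["thread"]),
        })
    return entries


def http_failures(entries):
    """Pair each [CCMHTTP] ERROR with the ERROR INFO that follows on the same thread."""
    pending = {}  # thread id -> (entry, regex match) of the last unpaired ERROR
    failures = []
    for entry in entries:
        err = HTTP_ERROR.match(entry["message"])
        if err:
            pending[entry["thread"]] = (entry, err)
            continue
        info = HTTP_INFO.match(entry["message"])
        if info and entry["thread"] in pending:
            src, err = pending.pop(entry["thread"])
            failures.append({
                "time": src["time"],
                "host": err["url"].split("/", 1)[0].lower(),
                "url": err["url"],
                "port": int(err["port"]),
                "status_code": int(info["code"]),
                "status_text": info["status"],
                # Classified from the status text only, not from the numeric code.
                "certificate_related": "certificate" in info["status"].lower(),
            })
    return failures


def summarize(failures):
    """Collapse repeated failures into counts per (host, status code, status text)."""
    return Counter((f["host"], f["status_code"], f["status_text"]) for f in failures)


if __name__ == "__main__":
    found = http_failures(parse_entries(SAMPLE_LOG))
    for (host, code, text), count in summarize(found).items():
        print(f"{host}: HTTP status {code} ({text}) x{count}")
    if any(f["certificate_related"] for f in found):
        print("Certificate-related failure; checks reported in this thread:")
        for check in THREAD_CHECKS:
            print(f"  - {check}")
```
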
@SHAKTI4601 5 years ago
Hi Justin, need one help. I have configured the CMG using the wildcard certificate issued by the public CA. We don't have PKI in our environment, so which certificate can I upload in client authentication? My wildcard certificate is both server authentication and client authentication; however, if I try to upload it in client authentication certs, it gives me a warning that the cert does not have a valid root. ☹️ Please suggest... Thank you in advance.
@PatchMyPC 5 years ago
You would need to upload the root CA (.cer file) for your PKI in the CMG properties.
@SHAKTI4601 5 years ago
@PatchMyPC Thanks a lot. I have one small doubt... Our public cert has one intermediate CA and one root CA. If I understand correctly, I need to export that root CA and upload it to CMG properties under client authentication certs. I have configured my MP to allow SSL traffic on the SCCM self-signed certificate (enhanced HTTP feature), so my primary site server has the self-signed cert in IIS. Will that be any issue?
@PatchMyPC 5 years ago
@SHAKTI4601 You would include both certs then for the root and intermediate.
@SHAKTI4601 5 years ago
@PatchMyPC Thanks a lot. Finally my CMG has started working. I had to import the certificate on the client to make it work. I thought if it's issued by a public CA, we don't need to import it on client machines.
@Gauravalld 6 years ago
Hi Justin, like always, a very informative video. I had a quick question: currently I am working on SCCM version 1702, which is quite different from 1802. Can you please suggest any documentation for doing the configuration with 1702?
@PatchMyPC 6 years ago
Gaurav Jain, are you moving to 1802 anytime soon? It's certainly simpler to set up in 1802 and 1806.
@shadyss96 4 years ago
Silly question- but do I need to have our on-prem set to HTTPS before being able to fully utilize this feature?
@Nawdiral 4 years ago
To securely forward client requests, the CMG connection point requires a client authentication certificate that corresponds to the server authentication certificate on the HTTPS management point. >>> If clients use Azure AD authentication, or you configure the management point for Enhanced HTTP, this certificate isn't required. For more information, see Enable management point for HTTPS.
@Nawdiral 4 years ago
Note that HTTP over internet to an MP is not possible, while HTTP over internet to a DP is possible.
@PatchMyPC 4 years ago
You have a few options for how certificates can be used with CMG: docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway
@VeniVV 6 years ago
Hey Justin, great video. I have the CMG setup as well as a CDP (I'm on 1802) and they seem to work great and the steps were the same as the ones you took in your video. We used a public cert, but other than that identical. I do have a question, and that is if you will be making a video about co-management with Microsoft Intune? I currently have it setup in my environment but I like watching your videos to validate what I have done.
@PatchMyPC 6 years ago
Tyler Fleming, I do plan to do some co-management videos soon. I might do a few imaging ones before that, though.
@kshitijjgulati 5 years ago
Hey Justin, thanks again! Informative video. I currently have IBCM in my environment. If I want to transition to CMG, should I just go ahead? I mean, will the clients need to be reconfigured, or will they now automatically connect to either the IBCM or the CMG when they are on the internet? I am guessing that they would automatically choose one. And in the course of time, after analyzing the costs of CMG, I can shut down my IBCM so that clients only connect to CMG going forward. Is my understanding correct?
@PatchMyPC 4 years ago
Sorry for the delay. Did you switch over OK?
@Ello_o. 2 months ago
Hi, after deploying the CMG, at the enable rdp for azure CMG server, looks like Microsoft have removed the Cloud services (classic). Where can I find the remote desktop icon to setup proxyservice? Thank you
@Ello_o. 2 months ago
hmmm the server doesn't have SMS installed - is there a newer video I could follow?
@gsmegaphone 5 years ago
Question - in my SCCM console (running version 1810), under Administration > Cloud Services, I don't have any "Cloud Management Gateway" option. Cloud Distribution Points is there, but no CMG??
@PatchMyPC 5 years ago
Do you have the service connection point enabled in the site and is "Cloud Management Gateway" enabled/on in the Updates and Servicing > Feature node?
@gsmegaphone 5 years ago
@PatchMyPC Ah, the U&S > Feature was turned off. That did it! Thanks!
@gsmegaphone 5 years ago
@PatchMyPC OK, one other question, as I have this thing 99.999% done. I've got the CMG all set up successfully and am able to distribute content/RDP/etc. The only thing I can't get is that my clients are not picking up the CMG as a management point. I've done Machine Policy & Retrieval and restarted the SMS service several times, but watching the log, the only one it ever picks up is my primary on-prem management point. (PS: I know you don't really make any money answering questions from novices like myself on KZbin, so if you happen to have a PayPal or place to accept donations as appreciation for great content like this, please let me know and I would be happy to send some $$ your way!)
@PatchMyPC 5 years ago
@gsmegaphone Can you post clientlocation and locationservices from the client?
@gsmegaphone 5 years ago
@PatchMyPC Just FYI, I got this working. I had to turn OFF "Allow configuration manager cloud management gateway traffic" on the MP, wait about 10 minutes, turn it back on, and voilà, it started working. So something must have just gone screwy when the MP reinstalled itself the first time. Thanks for your help as always.
@ehabgalal9181 5 years ago
Hi Justin, just a quick question: if I have two MPs in our environment, must both be run over HTTPS?
@PatchMyPC 4 years ago
Only the one with CMG connections needs it.
@ehabgalal9181 4 years ago
@PatchMyPC Do you believe that, after enhanced HTTP was released, we still need to switch the MP or SUP to HTTPS to enable CMG?
@PatchMyPC 4 years ago
@ehabgalal9181 You can use EHTTP for MP: docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http
@TheThesuresh 5 years ago
In the CMG setup, is it mandatory to use a publicly issued certificate?
@PatchMyPC 5 years ago
No, but usually the easiest option since the CRL is already public.
@JessieS 4 years ago
I know this is late in the game, but do you need to configure HTTPS on all your management points and software update point, and what client PKI do I need to deploy to my users first before enabling this? Also, I've noticed that you configured this by right-clicking on the Management role. I've seen other articles stating to go to "Configure site components". What is the difference? Thank you in advance.
@PatchMyPC 4 years ago
"management points and Software update point": No, just the one CMG talks to. "Client PKI do I need to deploy to my users first before enabling this?": It depends, clients can use PKI, Azure AD, or Bulk token for CMG.
@sunilpal7933 4 years ago
Do we need to create any internal CNAME entry for cloudapp.net in local DNS?
@PatchMyPC 4 years ago
Shouldn't need to
@bITTERSWWWEET 3 years ago
At about 14 minutes into the video you grant access to the client and server app. Does this still need to be done? The Azure environment looks a bit different now.
@PatchMyPC 3 years ago
It may look slightly different now, but I think this process should still apply unless there's been improvements to do this automatically.
@growley 3 years ago
I just deployed on MECM 2006 and it was all done for me.
@TheMunzie 3 years ago
Hi Justin. If I have eHTTP enabled and not PKI is it the same steps?
@PatchMyPC 3 years ago
It should be similar, the MS Docs do cover eHTTP pretty well.
@SALalnashri 4 years ago
Hi Justin, what if the machines have already left the on-premises network? Can the CMG manage these machines? How do the SCCM clients get the updated internet-based management point (FQDN)?
@PatchMyPC 4 years ago
No, you would need to touch those devices because they can't get the CMG policy.
@SALalnashri 4 years ago
@PatchMyPC So the CMG policy should be updated on these devices before they go outside the network. Any workaround to update the CMG policy for these devices? Please help me.
@Gauravalld 6 years ago
Hi Justin, thanks for the great video, really very informative. I am also in the process of setting up a CMG in a dev environment. Currently I have installed the CMG site role on an on-premise server and it shows a ready state; however, the connection point shows disconnected. As I understood from the MS documents, ports (443 and 10124) need to be enabled from the site system CMG connection point to the Azure CMG. Now my question is whether ports (443 and 10124) should be enabled between the on-premise site server with the CMG connection point and the Azure CMG server (i.e. the IP of xxx.cloudapp.net). Please correct me if I am wrong. Also port 443 between the client and the Azure CMG server (i.e. the IP of xxx.cloudapp.net).
@PatchMyPC 6 years ago
Sounds correct to me, have you happened to see this one: docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway#ports-and-data-flow
@mohananaidu4627 2 years ago
As per Microsoft, all the internet-based clients will get the software update content from Windows Update. This update content download (from Windows Update) will use local internet, which will choke the low bandwidth sites. If we are going to force all datacenters to use CMG, will BranchCache or Peer Cache or any other caching technologies work with CMG within the datacenter to share the content? Or can we redirect the software update content download to a local DP (if we set up a local DP) instead of going to Windows Update, so that the local client will get the content from the local DP? If yes, I assume we can use the existing on-prem datacenter primary server to set up CMG for servers in the datacenter.
@PatchMyPC 1 year ago
Thanks for the input.
@soheluddin6382 4 years ago
Hi Justin, g'day! Could you please help me with this: "Failed to create client App. Server app might not be present in the tenant specified". I am the global admin for my Azure account. Or can you share a link from where I can resolve this?
@PatchMyPC 4 years ago
You may want to try to build the app in Azure directly in this case.
@soheluddin6382 4 years ago
@PatchMyPC Thanks!
@djmumbles81 4 years ago
great video!
@PatchMyPC 4 years ago
Glad you enjoyed it
@habitmohammadi 5 years ago
Hi Justin, thank you for the very helpful video tutorial. I have configured my test environment as per instructions in the video. I can target application and have them installed on internet-facing client which is fantastic. However I have an issue where domain joined computers that are on the internet will not receive Windows software updates or PatchMyPC third-party updates. What I have noticed in the video, the clients would retrieve the content for Windows updates from MS CDN. However in my case, the LocationServices.log indicates the WSUS path is pointed to the FQDN of CMG proxy server in Azure. Obviously I don't have SUP role configured on CMG server in Azure therefore the updates won't be available to install. SUP is configured on the Primary server on-prem for intranet clients. Any idea how this can be fixed? Any help would be much appreciated. Thanks
@PatchMyPC 4 years ago
Third-party updates should work fine over CMG, are you still having issues?
@jpine77 4 years ago
Hi Justin, I really appreciate all your setup videos. I am running CB1910 and currently have IBCM deployed and have just set up Cloud Management Gateway with DP. Our VPN is configured with split tunneling and on-prem DPs are blocked through the VPN tunnel, so users need to end their VPN connection to receive content. CMG was set up to allow content to be received by remote clients whether or not a VPN connection is established. I am having an issue receiving content when VPN is connected. The Internet-based management point in the ConfigMgr client properties is the CMG. I have created a VPN Boundary Group with the CMG and the VPN IP range boundary. The CMG is shown as the assigned management point in the client properties. "Prefer cloud based sources over on-premise sources" is enabled. In the cas.log file, after the ContentLocationRequest, is: No reply received, Failed to create Location Request Message body and GetLocationSyncEx3 failed with error 0x80004005. Can IBCM and CMG coexist? Do you have any thoughts on what may be causing the issue? BTW, the content has been distributed to the CMG DP. Thanks in advance for any insights you may provide, John
@PatchMyPC 4 years ago
I think probably one or the other would be the best approach.
@mohananaidu4627 4 years ago
We don't have Azure AD authentication in our infra. All are on-premises systems. We are planning to use third-party certificates. Do we need to get the client authentication certificate from third-party certificate providers? We are going to use the EHTTP option. Any suggestions on this?
@PatchMyPC 4 years ago
What third-party are you using? So you aren't going to use AD Certificate Services?
@mohananaidu4627 4 years ago
We are using your product, Patch My PC. Thanks for your response.
@mohananaidu4627 4 years ago
@PatchMyPC We are using Patch My PC. We configured it with a third-party wildcard certificate and everything works fine. Published the 7zip update; it showed up in the Software Center, but when I click download, the content download fails. Content is present in the cloud DP. The CAS log is showing the cloud DP path.
@PatchMyPC 4 years ago
@mohananaidu4627 Let me know if this helps: patchmypc.com/third-party-update-considerations-with-cloud-management-gateway-cmg-in-sccm
@mohananaidu4627 4 years ago
@PatchMyPC Thank you, Sir. I will go through the video.
@omarjg7859 2 years ago
Is it possible to migrate to Cloud Service (Extended Support)?
@PatchMyPC 2 years ago
I'm not sure about this one. There may be some info on the MS docs though.
@vickg 5 years ago
Hey, I have everything configured in SCCM and Azure; however, my connection point stays disconnected with the following error in SMS_Cloud_ProxyConnector.log: Failed to build TCP connection. And there is no firewall. Any idea?
@PatchMyPC 5 years ago
Hmm, not sure about that one.
@mohammedzubair9694 4 years ago
Hi Justin, thanks for sharing this video. I have one quick query and need your support. My Active Directory domain is, for example, xyz.com for all domain joined machines, but my SSL certificate domain is xyz.co.in, so can I add a wildcard certificate of xyz.co.in in CMG? Please, need your support.
@mohammedzubair9694 4 years ago
Adding another point: the wildcard certificate of xyz.co.in will be from DigiCert.
@PatchMyPC 2 years ago
It should be the public DNS name
@walterh1223 5 years ago
I think some of my issue is that Azure has changed a fair amount. I got past my previous issue by manually creating the web / native apps. Now I have an issue when trying to create the management gateway. I am getting an error: "a valid Azure AD app is required. please deploy the azure service for cloud management first". Trying to find a way around this, but everything I find is outdated.
@PatchMyPC 4 years ago
Are you all good here?
@soheluddin6382 4 years ago
@PatchMyPC Could you please help? I am still stuck there. No idea why.
@siddharthbhatia9114 4 years ago
My CMG connection is showing partially connected. How do I troubleshoot that?
@PatchMyPC 4 years ago
You can run the troubleshooting wizard.
@hanenchhibi6882 4 years ago
I have an Azure tenant ID. I don't have a subscription, and that's my problem.
@PatchMyPC 4 years ago
You figure this one out?
@coderedex 5 years ago
Thank you for your helpful video. I'm getting stuck at the CMG setup creation. Do you have to wait 24 hours for the "CNAME" to replicate across? I named mine "sccmclient.sccmXXXXX.net", which would redirect to sccmclient.appnet.net. Do I need to configure anything on my local IIS server? Many thanks for your assistance.
@ShehzadKhan-yk3pb 5 years ago
Jazz: how were you able to Grant Permissions?
@ShehzadKhan-yk3pb 5 years ago
As far as your query is concerned: No, you don't need any configuration on your local IIS
@coderedex 5 years ago
@ShehzadKhan-yk3pb I still cannot get this right. Failed at provisioning. Here is my log info from cloudmgr.log.
@coderedex 5 years ago
ERROR: Resource Manager - Failed to list keys for storage service clientsccm with status code NotFound. Check [Monitor/Activity log] on Azure Portal for more information~~
@PatchMyPC 4 years ago
Did you figure this one out?
@walterh1223 5 years ago
Anyone had the error "Failed to create client App. Server app might not be present in the tenant specified" I am the global admin for my Azure account and have many other services/apps/vms running without any issues. This is the step where you create the server app. Thanks!
@PatchMyPC 4 years ago
Thanks for the tip
@theg00d1 4 years ago
You have forgotten in the previous certification video how to add the root CA; I see you seem to have provided a root CA. Could you give some clarity on it?
@PatchMyPC 4 years ago
This would be the root CA certificate for an internal PKI
@brent4770 5 years ago
Has anyone tried Azure free acct.? Do they automatically charge after 30 days if you forget to cancel?
@PatchMyPC 4 years ago
Did you get this figured out?
@sagar4mane 5 years ago
We have SCCM 1902 and have configured CMG. So can we install the SCCM client on workgroup machines in CMG? (Machines which are not in Azure AD but are connected to the internet.)
@sagar4mane 5 years ago
Actually, these are laptops which are connected to the internet via data card and are not in the domain. We are using a PKI certificate for authentication but are facing an error while installing the SCCM client on these laptops. Please suggest.
@PatchMyPC 4 years ago
You can, but it's more complicated. ConfigMgr 2002 will make it easier: kzbin.info/www/bejne/m2a0hKlnjtOUbK8
@csealok 5 years ago
Tx
@PatchMyPC 4 years ago
You're welcome!
@cli3335 1 year ago
Hello team @patchmypc, I have a question regarding the CMG web server certificate. In your video, you opted to use a cert from a public CA, which is what I'm planning to do as well, because even though I have an internal PKI set up, I don't have an externally available CRL site. My question is: will there be any issue with me doing that (using a CMG web server cert from a public CA), considering I have already set up SSL communication between my SCCM servers and SCCM clients using my internal PKI? Which, by the way, I did by following the instructions from your SSL video: kzbin.info/www/bejne/pHTLfH6DbqaDd7M&ab_channel=PatchMyPC
@PatchMyPC 1 year ago
No that scenario should still work fine where you have a public certificate for your CMG and internal for your site systems and servers
@cli3335 1 year ago
@PatchMyPC Thanks, I got my CMG set up successfully following your video.