
Download and own the latest version of this SCCM Cloud Management Gateway Installation Guide in a single PDF file. The PDF file is a 50-page document that contains all the information needed to install a cloud management gateway with SCCM. Use our products page or use the button below to download it.

We can also set up a Cloud Management Gateway for your organization through our consulting services. See our Fixed Price Plan page to see our prices.



The ConfigMgr team is working hard to make SCCM admins' jobs easier for some of the key components of Modern Management. Starting with the SCCM 1806 release, they have simplified the setup of the SCCM Cloud Management Gateway.

If you are new to the concept of the Cloud Management Gateway, its main advantage is that it doesn’t expose your SCCM servers to the internet. The downside is that it requires an Azure subscription, which brings recurring monthly costs. If you’re still unsure which method to use, you can read the Microsoft documentation and see our blog post about internet client management. Make sure that you understand the limitations of using internet clients.

We strongly encourage using the Cloud Management Gateway if you’ll be managing clients on the internet, since this feature will evolve with time and support for the traditional method should go away.

May 2020 update: This post has been updated to reflect recent additions from the SCCM 2002 release. The main new feature is token-based authentication for clients.

We also added more tips and tricks to ease implementation.

If you are not yet running SCCM 1806 but still would like to use the Cloud Management Gateway, see our previous post.

Here are the features supported through the Cloud Management Gateway:

In this post, we will configure an SCCM Cloud Management Gateway by using the Azure Resource Manager.

Some sections from our previous post are brought back here to ease reading.

High-level steps

All steps are done directly in the SCCM console. We will describe each step:

Verify a unique Azure cloud service URL

Configure Azure Service – Cloud management

Configure Cloud Management Gateway server authentication Certificate

Configure Client Authentication Certificate

Configure Cloud Management gateway

Configure SCCM-generated certificates

Add the Cloud Management Gateway Connector Point

Configure system roles to communicate with the Cloud Management Gateway

Configure client settings

SCCM 1806 Cloud Management Gateway Prerequisites

SCCM Current Branch 1806 or higher

Have a valid Azure Subscription

Azure administrator rights – We used a Global Administrator role, but the official documentation is not clear about which level of administrator is needed. It is not required that the Azure admin account has access in SCCM.

On-prem server to host the Cloud management gateway connection point

The SCCM service connection point must be set to Online

Note Configuring the Cloud Management gateway with SCCM 1806 removes the requirement for an Azure Management certificate.

Verify a unique Azure cloud service URL

We don’t need to create the cloud service in Azure, the Cloud Management Gateway setup will create the service. We just need to verify that the Azure cloud service URL is valid and unique.

Log in to the Azure portal

In the Azure Portal, select Cloud Services on the left, then click Add

Enter the desired DNS name

Validate that there is a green check mark on the right. If your name is not valid, a red X will display; choose a different name in that case

Once your name is valid, take note of it as it will be needed later. We will use SCDCMG as the DNS name for our example

Close the window; do not create the service now

Verify Azure subscription’s Resource Provider

This is not documented in the official Cloud Management gateway docs from Microsoft, but two resource providers now default to Not Registered on newer Azure subscriptions.

To validate the status, follow these steps:

Log in to the Azure portal

In the Azure Portal, select Cost management and billing

Click on Cost Management and select Go to subscription. If you see multiple subscriptions, select the one that will host the Cloud Management Gateway

Under the section Settings, select Resource Provider

Make sure Microsoft.ClassicCompute and Microsoft.Storage are registered. If not, select one and click on Register
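The same check can be scripted with Azure PowerShell, which is handy when several subscriptions are in play. The following is an added example and not code from the original post or from Microsoft: it reports the registration state of the two providers named above and registers any that are missing only when the -Register switch is given. It assumes the Az module (Az.Accounts and Az.Resources) is installed, that you have already run Connect-AzAccount, and that the signed-in account may register providers on the subscription (Contributor is sufficient); the subscription id in the usage lines is a placeholder.

```powershell
# Added example, not part of the original post: report (and optionally register) the
# resource providers the CMG setup needs on a given subscription.
function Confirm-CmgResourceProvider {
    param(
        [Parameter(Mandatory)] [string]$SubscriptionId,
        [string[]]$ProviderNamespace = @('Microsoft.ClassicCompute', 'Microsoft.Storage'),
        [switch]$Register        # without this switch the function only reports, it changes nothing
    )

    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

    foreach ($ns in $ProviderNamespace) {
        # Get-AzResourceProvider returns one record per resource type in the namespace;
        # RegistrationState is identical across them, so the first record is enough
        $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState

        if ($state -ne 'Registered' -and $Register) {
            # Registration is asynchronous: the state shows 'Registering' and flips to
            # 'Registered' a minute or two later, so re-run the report afterwards
            Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
            $state = 'Registering (requested)'
        }

        [pscustomobject]@{ Provider = $ns; RegistrationState = $state }
    }
}

# Usage (placeholder subscription id; sign in first with Connect-AzAccount):
# Confirm-CmgResourceProvider -SubscriptionId '00000000-0000-0000-0000-000000000000'            # report only
# Confirm-CmgResourceProvider -SubscriptionId '00000000-0000-0000-0000-000000000000' -Register  # register missing ones
```

Running the report-only form first and keeping the -Register step separate mirrors the portal flow above and keeps a read-only account sufficient for the verification part.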

Configure the Azure Service – Cloud Management

Go to Administration/Cloud Services/Azure Services and select Configure Azure Services

Specify a name and select Cloud Management, click Next

In this step, the Azure Administrator will be required to create the web app and native client app. Click on Browse for the Web app

Click on Create

Click Sign in and provide Azure administrator credentials. The default names work fine. Click OK when the login is completed

Important Info The secret key will need to be renewed before the expiration period. To do so, go to Administration/Cloud Services/Azure Active Directory Tenants; at the bottom, you will find the option to Renew Secret Key

Select the App that was just created and click OK

Click Browse for the Native client app. Click Create

Click Sign in and provide Azure administrator credentials. The default names work fine. Click OK when the login is completed

Select the App that was just created and click OK

Click Next

Choose whether to enable Azure Active Directory User Discovery.

Note The Azure AD Discovery is not a requirement for Cloud Management gateway to work

Click Next

The Azure service configuration is complete. If enabled, the AAD user discovery settings can be modified here

The Azure AD Tenant is now configured

Cloud Management Gateway server authentication Certificate requirements

The certificate requirements are the most complex part of configuring the Cloud Management Gateway.

A certificate is needed between the SCCM server and the Cloud Management Gateway.

The following choices are available:

Use a certificate from a public trusted provider. This option requires a CNAME to be created in the DNS for CMGSCD.SystemCenterDudes.com pointing to the real hostname CMGSCD.CloudApp.Net

Use a certificate from an enterprise CA. This certificate must be trusted by all computers that will connect with the Cloud Management Gateway. Use the format <CMG name>.CloudApp.Net



Important Info In all cases this certificate will determine the name of the Cloud Management Gateway. Only letters and numbers are allowed in the name. A valid example is CMGSCD.cloudapp.net; an invalid example is CMG-SCD.cloudApp.Net

See our post for the complete How-to about the certificate from an Enterprise CA

Follow section Create and issue a custom SSL certificate for the Cloud Management Gateway up to Export the custom Web Certificate

More detail can also be found on Docs.Microsoft.com
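Because a wrong name or a missing private key only surfaces once the wizard fails, a pre-flight check of the certificate is worth running first. The following is an added example, not code from the original post: it validates the CMG name rule stated above, then inspects a certificate in the local machine store for the name, private key, Server Authentication EKU, validity and chain, and for the public-provider option also confirms the CNAME. The function name, the thumbprint placeholder and the parameters are my own; the DnsNameList property is the one the Cert: provider adds to certificate objects in Windows PowerShell.

```powershell
# Added example, not part of the original post: pre-flight check of the CMG server
# authentication certificate before running the Cloud Management Gateway wizard.
function Test-CmgServerCertificate {
    param(
        [Parameter(Mandatory)] [string]$Thumbprint,   # certificate in Cert:\LocalMachine\My
        [Parameter(Mandatory)] [string]$CmgName,      # e.g. CMGSCD.cloudapp.net (the name the CMG will use)
        [string]$PublicName                           # e.g. CMGSCD.SystemCenterDudes.com, public-provider option only
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Name rule from the post: only letters and digits before .cloudapp.net (CMG-SCD.cloudapp.net is invalid)
    if ($CmgName -notmatch '^[A-Za-z0-9]+\.cloudapp\.net$') {
        $problems.Add("CMG name '$CmgName' is invalid: only letters and numbers are allowed before .cloudapp.net")
    }

    $cert     = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $expected = if ($PublicName) { $PublicName } else { $CmgName }

    # 1. The name clients connect to must appear on the certificate (CN or SAN)
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($dnsNames -notcontains $expected) {
        $problems.Add("certificate names [$($dnsNames -join ', ')] do not include $expected")
    }

    # 2. The wizard needs the private key (it is exported as a PFX)
    if (-not $cert.HasPrivateKey) { $problems.Add('no private key in the store for this certificate') }

    # 3. Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $hasServerAuth) { $problems.Add('Server Authentication EKU missing') }

    # 4. Validity window and chain as seen from this machine
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems.Add("certificate expires $($cert.NotAfter.ToShortDateString()); renew it before running the wizard")
    }
    if (-not $cert.Verify()) {
        $problems.Add('chain does not validate here; clients will reject it too unless they trust the issuing root')
    }

    # 5. Public-provider option: the custom name must be a CNAME to the real .cloudapp.net host
    if ($PublicName) {
        $cname = Resolve-DnsName -Name $PublicName -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'CNAME' | Select-Object -First 1
        if (-not $cname -or $cname.NameHost -ne $CmgName) { $problems.Add("no CNAME from $PublicName to $CmgName") }
    }

    [pscustomobject]@{ Thumbprint = $Thumbprint; Ready = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage (thumbprint is a placeholder):
# Test-CmgServerCertificate -Thumbprint 'REPLACE_WITH_THUMBPRINT' -CmgName 'CMGSCD.cloudapp.net'
# Test-CmgServerCertificate -Thumbprint 'REPLACE_WITH_THUMBPRINT' -CmgName 'CMGSCD.cloudapp.net' -PublicName 'CMGSCD.SystemCenterDudes.com'
```

The chain check uses the local machine's trust store, so run it on a domain member that received the enterprise root through Group Policy to get the same answer your clients will.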

Client Authentication

SCCM clients can authenticate to the Cloud Management gateway using one of these methods:

Devices are Azure AD joined (Hybrid Azure AD joined). An Azure AD registered device is not enough for authentication. This isn’t covered in this guide, but here’s more information from Microsoft Docs

Token-based authentication. This feature is only available from the SCCM 2002 release and above

Client certificate using an Enterprise CA

Token-based authentication

This feature is only available from SCCM 2002 or higher. If you do not have an Enterprise CA and computers are not joined yet to Azure AD, this is a good alternative.



Token-based authentication does not require any configuration or enablement once SCCM is updated to 2002 or higher. The most important part is that the client-side update is mandatory to use token-based authentication.

The way it works is simple. The Management Point issues a token to the client, while the client is connected on-prem, to authenticate it on the Cloud Management gateway. This token is then automatically renewed each month and is valid for up to 90 days.

Important Info Microsoft still recommends using Azure AD joined to authenticate on the Cloud Management Gateway.

It is also possible to generate a bulk registration token to allow external devices for a first communication with the Cloud Management Gateway. This could be useful for devices in a DMZ for example.

For more details about Token-based authentication, see Microsoft docs

Client authentication certificate requirements

This method relies on an Enterprise CA to manage the client certificate.

If computers are Azure AD joined, or you have chosen to leverage the new Token-based authentication, this step can be skipped.

See our post for the complete How-to about the certificate for Client Authentication

Follow section Create a client authentication certificate up to Export the client certificate’s root

Configure SCCM 1806 Cloud Management Gateway

Go to Administration/Cloud Services/Cloud Management Gateway, select Create cloud management gateway

Sign in with Azure Administrator rights. The Azure AD App name should be auto-populated, click Next

Select:

Service name: provided automatically if the certificate uses .cloudapp.net. If using a public certificate or an internal certificate, the name will need to be entered manually. Remember, only letters and numbers are allowed in the name.

Region: should be the same as the on-prem Management Point

Resource group: select an existing one or create a new one

VM instance: 1

Cloud service certificate: select the CMG server authentication certificate or the public certificate

Client authentication certificate: provide the client authentication certificate when using an Enterprise CA

Choose whether to Verify client certificate revocation. See the following blog post for details about certificate revocation

Choose whether to enable the Cloud DP. See our previous post about the CMG functioning as a cloud DP for more details about the feature.



Note Depending on the certificate used, the following message will display. This happens when the certificate is not pointing to .cloudapp.net, and it is a reminder about the CNAME requirements.

Set the threshold as needed

On the Summary page, click Next

Click Close

The Cloud Management Gateway will show as Provisioning for about 10 minutes

The Cloud Management Gateway is ready for next steps

The cloud management gateway resources are also visible in the Azure portal.

Configure SCCM-generated certificates

This is a new feature from SCCM 1806, but still in Pre-Release. This means that this feature is still in development but is fully supported.

The goal of this feature is to enable an HTTP Management Point and Software Update Point to support CMG traffic using HTTPS. Prior to SCCM 1806, you needed to provide an HTTPS MP and SUP in order to connect those services to the Cloud Management Gateway.

Go to Administration/Updates and Servicing/Features

Turn on the feature Enhanced HTTP site system

Go to Administration/Site Configuration/Sites and select properties on your site

Under the Client computer communication tab, check the box Use Configuration Manager-generated certificates for HTTP site systems

For more detail on the SCCM-Generated certificate, see Docs.Microsoft.com



Add the Cloud Management Gateway Connector Point

The cloud management gateway connector point is a new site system role for communicating with cloud management gateway. Let’s add this role to our management point machine.

In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles

Select your server which will serve as your cloud management gateway connection point and select Add Site System Role

On the System Role Selection pane, select Cloud management gateway connection point

Your Cloud Management Gateway name and region will be auto-populated

Review your settings and complete the wizard

You can follow the installation progress in SMS_Cloud_ProxyConnector.log.

Configure System roles to communicate with the Cloud Management Gateway

Prior to SCCM 1806, it was not possible for the current Management Point and Software Update Point to remain in HTTP mode and support the Cloud Management Gateway.

Admins needed a new Management Point and Software Update Point configured in HTTPS mode, or had to switch the current ones.

Now with the SCCM-generated certificate, a current HTTP MP and SUP can support the Cloud Management Gateway.

Under Administration/Site Configuration/Servers and Site System Roles, select the Management Point properties

Check the box Allow Configuration Manager cloud management gateway traffic. Notice that the Client Connections remain in HTTP

Under Administration/Site Configuration/Servers and Site System Roles, select the Software Update Point properties

Check the box Allow Configuration Manager cloud management gateway traffic. Notice that Require SSL communication to the WSUS server remains unchecked

Configure Client settings

Under Administration/Client Settings, under Cloud Services, make sure Enable clients to use a cloud management gateway is set to Yes.

Once configured, deploy your client settings to the desired clients.

If you plan to use Cloud Distribution Point, it is also configured here.

In order to be able to see Applications deployment targeted to users, the following client setting is also required.

Configure clients for cloud management gateway

We will now verify if clients are able to successfully communicate with our server via the SCCM Cloud Management Gateway.

On a client connected to the intranet, do a machine policy retrieval and restart the SMS Agent host.

On the Network tab of the Configuration Manager agent, the *.CloudAPP.net should be visible.

Additional information is available in the ClientLocation.log

Testing client connection to Cloud Management gateway

To test the cloud management gateway, get your machine on the internet … or force the SCCM client to be configured as Always Internet.

In the registry editor, set HKLM\SOFTWARE\Microsoft\CCM\Security\ClientAlwaysOnInternet to 1 and restart the SMS Agent Host service.

After the SMS Agent Host service restarts, the client will display the connection type Always Internet

From this point, you can try any of the supported features for the Cloud Management Gateway!
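The client-side test above (registry value, agent restart, then checking the Network tab and ClientLocation.log) can be scripted so it is repeatable on a test machine and, just as important, reverted afterwards. The following is an added example, not code from the original post: run it elevated on a test client. The function names are mine; the registry value, the CcmExec service (SMS Agent Host) and the ClientLocation.log path are standard client locations, and the ClientInfo class in the root\ccm WMI namespace is where the agent exposes the same InInternet flag shown in its control panel applet.

```powershell
# Added example, not part of the original post: force "Always Internet" on a test client,
# read the agent's connection state, pull the *.cloudapp.net location entries, and revert.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
$LogPath = Join-Path $env:windir 'CCM\Logs\ClientLocation.log'

function Enable-CmgTestMode {
    # Remember the previous value (if any) so the client can be returned to its normal state
    $old = (Get-ItemProperty -Path $RegPath -Name ClientAlwaysOnInternet -ErrorAction SilentlyContinue).ClientAlwaysOnInternet
    Set-ItemProperty -Path $RegPath -Name ClientAlwaysOnInternet -Value 1 -Type DWord
    Restart-Service -Name CcmExec -Force          # CcmExec is the "SMS Agent Host" service
    return $old
}

function Disable-CmgTestMode {
    param($PreviousValue)
    if ($null -eq $PreviousValue) {
        Remove-ItemProperty -Path $RegPath -Name ClientAlwaysOnInternet -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $RegPath -Name ClientAlwaysOnInternet -Value $PreviousValue -Type DWord
    }
    Restart-Service -Name CcmExec -Force
}

function Get-CmgClientStatus {
    param([int]$Tail = 5)
    # InInternet mirrors the "Connection Type" the Configuration Manager applet displays
    $inInternet = (Get-CimInstance -Namespace 'root\ccm' -ClassName ClientInfo -ErrorAction SilentlyContinue).InInternet
    # Location lookups that went through the CMG mention the *.cloudapp.net host
    $cmgLines = Select-String -Path $LogPath -Pattern 'cloudapp\.net' | Select-Object -Last $Tail | ForEach-Object Line
    [pscustomobject]@{
        InInternet    = $inInternet
        CmgLogEntries = @($cmgLines)
        Assessment    = if ($cmgLines) { 'client is locating services through the CMG' }
                        else { 'no cloudapp.net entries yet: check client settings and the connector point, then wait for a location refresh' }
    }
}

# Usage:
# $saved = Enable-CmgTestMode
# Start-Sleep -Seconds 120          # give the agent time to re-evaluate its location
# Get-CmgClientStatus
# Disable-CmgTestMode -PreviousValue $saved
```

Keep the returned previous value: a client left in Always Internet mode will keep bypassing its on-prem management point after the test is over.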

Warning Make sure to whitelist the address XXXX.cloudapp.net in your enterprise firewall. We’ve seen an issue with Cisco Umbrella blocking traffic, which prevented the cloud management gateway connection point from keeping its connection to the cloud management gateway. The error found in SMS_CLOUD_PROXYCONNECTOR.log was Failed to build HTTP connection with XXXXX.CloudApp.Net. The cloud management gateway checks the connection every 60 seconds.
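Since the connector retries every 60 seconds, a blocked path shows up as a steady stream of the error quoted above. The following is an added example, not code from the original post or from Microsoft: run on the cloud management gateway connection point, it tests outbound TCP 443 to the CMG host and parses the connector log for those failures. The function name is mine, the XXXXX.cloudapp.net host is the same placeholder as above, and the log path default is the product's default install folder (adjust it if your site is installed elsewhere); the log line layout is the standard CMTrace format.

```powershell
# Added example, not part of the original post: check connector-point reachability to the
# CMG and count "Failed to build HTTP connection" entries in SMS_Cloud_ProxyConnector.log.
function Test-CmgConnector {
    param(
        [string]$CmgHost   = 'XXXXX.cloudapp.net',   # placeholder: your CMG service name
        [string]$LogPath   = 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_Cloud_ProxyConnector.log',  # default install path
        [int]$LastLines    = 500                      # how far back in the log to look
    )
    $results = @()

    # 1. Network path: the connector needs outbound HTTPS to the CMG host
    $tcp = Test-NetConnection -ComputerName $CmgHost -Port 443 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'TCP 443 to CMG'; Passed = $tcp.TcpTestSucceeded; Detail = "resolved to $($tcp.RemoteAddress)" }

    # 2. Log evidence. CMTrace lines look like:
    #    <![LOG[Failed to build HTTP connection with XXXXX.CloudApp.Net ...]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." ...>
    $pattern  = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    $failures = Get-Content -Path $LogPath -Tail $LastLines | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{ Date = $Matches.date; Time = $Matches.time; Message = $Matches.msg }
        }
    } | Where-Object { $_.Message -like 'Failed to build HTTP connection*' }

    $count = @($failures).Count
    $results += [pscustomobject]@{ Check = 'Connector log'; Passed = ($count -eq 0); Detail = "$count 'Failed to build HTTP connection' entries in the last $LastLines lines" }
    if ($count -gt 0) {
        # Show the most recent ones so the timestamps can be matched against firewall or proxy logs
        $failures | Select-Object -Last 3 | ForEach-Object { Write-Warning "$($_.Date) $($_.Time) $($_.Message)" }
    }

    return $results
}

Test-CmgConnector -CmgHost 'XXXXX.cloudapp.net'
```

A passing TCP test with failures still accumulating in the log points at an inspecting proxy or DNS-filtering product rather than a plain port block, which matches the Cisco Umbrella case described above.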

Bonus Resources

If you want to easily identify your CMG client, we have developed a free report.

This was a big one, hope it helped! Are you using the Cloud Management Gateway? Tell us about your experience in the comment section.
