In this post we will set up the CMG. You can start from here if you already have HTTPS client communication configured, otherwise start with the previous post.

We will address the following:

  1. Verify CMG name availability in Azure
  2. Azure Management certificate
  3. Create CMG certificates
  4. Set up DNS
  5. Set up CMG
  6. Validate CMG

In the image below, in green, you can see the objects/communication we will set up

1. Verify CMG name availability in Azure

CMG is a virtual server (2012 R2) in Azure cloud – This service will be set up by an SCCM API, directly into Azure, on the subscription we have as a prerequisite. However, it is recommended to check the availability of the name prior creating the certificates, in case the name is already taken

  • login to Azure portal
  • click create resource and type in “cloud service”

  • select cloud service resource type and click Create

  • type in the CMG resource name that you want to check.
  • validate the green check sign just above

  • once validated, close the portal – do not create the resource. SCCM will do this as part of the CMG set up.

2. Azure Management Certificates

Azure Management certificates are required to establish the SCCM API – Azure trust. This connection is needed by the SCCM API to create and configure the CMG and CDP resources

2.1 Create Azure Management Certificate

  • Open the PowerShell ISE
  • Create the following script:

$cert = New-SelfSignedCertificate -DnsName “” -CertStoreLocation “Cert:\LocalMachine\My”

$password = ConvertTo-SecureString -String “yourpassword” -Force -AsPlainText

Export-PfxCertificate -Cert $cert -FilePath “yourCMG.pfx” -Password $password

Export-Certificate -Type CERT -Cert $cert -FilePath “yourCMG.cer”

  • Replace your CMG name and password
  • Run the script
  • Two certificate files should have been created under the working directory.

2.2 Upload Azure Management Certificate

  • Open the azure portal where you have a valid subscription to create resources
  • Click Cost Management + Billing -> Subscription
  • Select your subscription

  • Click Management Certificates->Upload

  • Upload the .cer certificate file
  • Wait for confirmation that upload was complete, and the certificate is in place

3. CMG certificates

This step is similar with the one where we created Web Server Certificates for the SCCM server (MP and SUP). Considering CMG is a web proxy that runs an IIS service, same kind of certificates are required

3.1 Create Certificate

  • Open Certification Authority (on a server with CA role)
  • Right-click Certificate Templates->Manage

  • In newly opened Certificate Template Console, right-click SCCM Web Server template (the one we previously created) -> Duplicate Template

  • In Properties of New Template leave compatibility settings to Server 2003
  • Under General tab enter a Template display name. i.e : CMG Web Certificate

  • Under Request Handling tab check Allow private key to be exported

  • Click ok to close the window and return to certsvr window
  • Right-click Certificate Templates -> New ->Certificate Template to issue

  • Select newly created CMG Web Server Certificate, then OK

3.2 Enroll CMG certificate

  • Connect to the SCCM server where you previously enroll the SCCM Web Certificate. Considering the CMG Web Certificate was created as a duplicate of SCCM Web Certificate, it inherited same Security permissions including enrolment from SCCM server (i.e. cm1 server)
  • Open manage local computer certificate: mmc->File->Add Remove Snap-in->Select Certificates->Add->Computer Account->Local Computer->Next->Finish->Ok

  • In newly opened console expand Certificates
  • Right-click Personal->All Tasks->Request New Certificate->Next->Next

  • Select CMG Web Certificate that we’ve just created

  • Click “More Information ..”

  • In the Certificate Properties window under General tab enter a friendly name, i.e : CMGWebCertificate

  • Under Subject tab select Type = Common name
  • Enter <yourCMG> as value i.e.:

  • OK->Enroll->Finish

3.3 Export CMG Certificate

  • In the manage local computer certificate console on SCCM server
  • Open Certificates (Local Computer)->Personal->Certificates
  • Select the newly enrolled CMG web certificate
  • Right-click->all Tasks->Export->Next

  • In the Export Wizard select yes Export the private key

  • Keep default settings and continue the wizard
  • Enter a Password
  • Continue the wizard and export the .pfx certificate file and Finish the wizard
  • Repeat the process for the public key (.cer) file
  • Now you should have 2 certificate files for CMG set up

4.Setup DNS

Internet based clients will have to be able to resolve the CMG cloud service DNS name. Therefore, CMG resource will have to be registered on your external domain name server.

Connect to your DNS provider and create a CNAME that will point to the resource

i.e. ->


5. Set up CMG

Starting SCCM 1802, CMG has been released as fully supported feature. Note that CMG was available starting 1610 as a pre-released feature

Now, we are at the point where all the prerequisites have been completed and we can create the CMG.

  • Open SCCM console
  • Under Administration->Cloud Services
  • Right-click Cloud Management Gateway -> Create Cloud Management Gateway

  • Check Classic Service Deployment
  • Enter a valid Subscription ID that you can find on your Azure Portal under Cost Management + Billing ->Subscriptions
  • Enter the azure Management certificate .pfx file that we previously created using the PowerShell script
  • The certificate file will ask for the password you provided into the script
  • Click Next
  • On the Settings window
  • Select your Region
  • Upload the .pfx CMG web Certificate file that we previously created
  • Upload the RootCA certificate file
  • Uncheck Verify Client Certificate Revocation considering CMG will not be able to contact any CRL DP and this will render the client certificate as invalid

  • Click Next
  • On Alerts tab click next
  • Continue the wizard till is complete
  • The service we just created should be under provisioning status. Wait till it gets ready, or better get out for beer instead

  • Back from beer? The status should be ready


6. Validate CMG

Let’s see if CMG is working correctly. The following part require basic knowledge of SCCM collections and deployments that I will not cover. We will check CMG functionality by deploying a SCCM client policy to an internet based client.

  • Create a Custom Client Device Settings

  • Add Computer Agent settings

  • Under “Organization name …” enter the text you want to be displayed

  • Create a test device collection
  • Deploy custom client settings to a test collection containing a test device (or several, your choice 😊)

  • Make sure the test device is not in your intranet.
  • On client run control Panel -> configuration manager ->action tab -> Machine policy … (to speed up SCCM client policy request process)
  • Wait several minutes
  • Open software center and check the title