IBM Support

How to Deploy, Configure, and Manage a Cloud Management Gateway (CMG) in Microsoft Configuration Manager

How To


Summary

The Cloud Management Gateway (CMG) allows Configuration Manager to manage internet-based devices securely without requiring a VPN and without exposing on-premises infrastructure directly to the internet. The CMG uses Azure cloud services to proxy client communication back to on-premises Management Points (MP), Software Update Points (SUP), and other site system roles; the on-premises side only ever opens outbound connections to Azure.

Objective

This guide consolidates every essential step required to plan, deploy, authenticate, configure, and validate a CMG deployment in Microsoft Configuration Manager. Following this structured framework produces a secure, scalable, and fully supported cloud-attached client management environment.

Environment

CMG Hierarchy Design & Architecture Components


A CMG deployment includes the following core components:

Component                                    Purpose
CMG service (Azure)                          Proxies internet client requests over HTTPS
CMG connection point (on-premises)           Maintains the outbound connection to the Azure CMG and forwards client traffic to site roles
Service connection point (on-premises)       Deploys and monitors the CMG; connects the site to Azure
Management point / software update point     Handle policy, inventory and software updates
Internet clients                             Connect to the CMG over HTTPS (TCP 443)

Steps

Setup Checklist for CMG

According to Microsoft, the CMG setup process consists of five major phases:

Certificate Preparation

  • Obtain a CMG server authentication certificate (public CA or internal PKI).
  • The certificate CN (or a SAN DNS entry) must match the CMG service name, and the issuing root must be trusted by every internet client. With an internal PKI that means deploying the root CA certificate to clients before they leave the intranet; a public CA avoids that step.

Configure Microsoft Entra ID

  • ConfigMgr requires two app registrations (a server app and a client app).
  • They are created automatically by the Azure Services wizard, or pre-created by an Azure admin and imported into the wizard.

Configure Client Authentication Method

Choose between:

  • Entra ID
  • PKI
  • Site-issued tokens

Deploy CMG

  • Create the CMG service in Azure as a virtual machine scale set (the classic cloud service deployment option is no longer available in current versions).
  • Add CMG Connection Point.
  • Configure MP/SUP for CMG traffic.

Configure Clients

  • Ensure client settings allow cloud communication.
  • Off-prem devices may require bootstrap parameters.

Full Deployment Procedure: Step-by-Step

Step 1 — Prepare Certificates

  • Determine whether you will use a public CA or internal PKI.
  • Create the CMG server authentication certificate.
  • Export the certificate with its private key (.PFX) for ConfigMgr. Protect the .PFX file and its password: it is the server identity every internet client will trust.
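Before uploading the .PFX in the Create CMG wizard it is worth checking it for the properties this step requires. The following PowerShell function is an added example and is not part of the original IBM article or of the Configuration Manager product; it uses only the .NET X509 classes. The PFX path, password and service name are placeholders, and the wildcard match (for a certificate such as *.contoso.com) is an assumption that your CA issues such names.

```powershell
# Added example (not from the original page): pre-flight checks on the CMG
# server authentication .PFX. Placeholders: PfxPath, PfxPassword, CmgServiceName.
using namespace System.Security.Cryptography.X509Certificates

function Test-CmgServerAuthCert {
    param(
        [Parameter(Mandatory)][string]       $PfxPath,
        [Parameter(Mandatory)][securestring] $PfxPassword,
        [Parameter(Mandatory)][string]       $CmgServiceName   # DNS name clients will connect to
    )

    $cert = [X509Certificate2]::new($PfxPath, $PfxPassword)
    try {
        # 1. Names: subject CN plus every DNS entry in the Subject Alternative Name extension.
        $cn     = $cert.GetNameInfo([X509NameType]::SimpleName, $false)
        $sans   = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            # Format() yields e.g. "DNS Name=cmg.contoso.com, DNS Name=cmg2.contoso.com"
            $sans = $sanExt.Format($false) -split ',\s*' |
                    Where-Object { $_ -like 'DNS Name=*' } |
                    ForEach-Object { ($_ -split '=', 2)[1].Trim() }
        }
        $names  = @($cn) + $sans
        # -like lets a wildcard name such as *.contoso.com match cmg.contoso.com (assumption)
        $nameOk = [bool]($names | Where-Object { $CmgServiceName -like $_ })

        # 2. EKU: Server Authentication (1.3.6.1.5.5.7.3.1) must be present if an EKU extension exists.
        $ekuExt = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $ekuOk  = (-not $ekuExt) -or
                  [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

        # 3. Key: private key present (the wizard needs it) and RSA of at least 2048 bits.
        $rsa   = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyOk = $cert.HasPrivateKey -and $rsa -and $rsa.KeySize -ge 2048

        # 4. Validity window (warn if expiring within 30 days) and chain to a trusted root
        #    on the machine running this check. Clients must trust the same root.
        $now     = Get-Date
        $validOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now.AddDays(30))
        $chain   = [X509Chain]::new()
        $chainOk = $chain.Build($cert)
        $chainMsg = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

        [pscustomobject]@{
            Subject       = $cert.Subject
            DnsNames      = $names
            NameMatches   = $nameOk
            ServerAuthEku = $ekuOk
            KeyOk         = $keyOk
            KeySize       = if ($rsa) { $rsa.KeySize } else { $null }
            NotAfter      = $cert.NotAfter
            ValidWindow   = $validOk
            ChainTrusted  = $chainOk
            ChainStatus   = $chainMsg
            Ready         = $nameOk -and $ekuOk -and $keyOk -and $validOk -and $chainOk
        }
    }
    finally {
        $cert.Dispose()
    }
}

# Usage (placeholders): prompt for the password instead of embedding it in a script.
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Test-CmgServerAuthCert -PfxPath 'C:\Certs\cmg.pfx' -PfxPassword $pfxPwd -CmgServiceName 'cmg.contoso.com' |
    Format-List
```

A result of Ready = False with ChainTrusted = False on an internal-PKI certificate usually means the machine running the check does not have the root CA installed; the same condition will block every internet client that lacks that root, so fix the trust before deploying rather than after.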


Step 2 — Integrate ConfigMgr with Microsoft Entra ID

  • In ConfigMgr console:
    Administration → Cloud Services → Azure Services
  • Launch Azure Services Wizard.
  • Select service type: Cloud Management.
  • Sign in as Entra Global Admin.
  • Automatically create or import pre-created app registrations.


Step 3 — Configure Client Authentication

Choose authentication method appropriate for environment:

Method      Requirements
Entra ID    Devices Entra-joined or hybrid-joined; MP with ASP.NET 4.5; Entra user discovery configured
PKI         Client authentication certificates on the devices and a CA trusted by the MP
Tokens      No PKI or Entra join needed; the site issues a token at client registration (devices first registering over the internet need a bulk registration token)


Step 4 — Deploy the Cloud Management Gateway

  • In console:
    Administration → Cloud Services → Cloud Management Gateway
  • Click Create CMG.
  • Choose AzurePublicCloud or AzureUSGovernmentCloud.
  • Deployment method: Virtual Machine Scale Set.
  • Upload server auth certificate.
  • Specify resource group, region, and VM settings.
  • Complete wizard.
  • Add CMG Connection Point role.


Step 5 — Configure Management Point / SUP

  • In the properties of each management point and software update point that should serve internet clients, select "Allow Configuration Manager cloud management gateway traffic".
  • Ensure the MP supports the client authentication method selected: HTTPS (or Enhanced HTTP for token and Entra ID authentication), and ASP.NET 4.5 for Entra ID authentication.


Step 6 — Configure Clients to Use CMG

  • In Client Settings → Cloud Services, set "Enable clients to use a cloud management gateway" to Yes.
  • Devices installed while off-premises need bootstrap values passed to ccmsetup.exe: CCMHOSTNAME=<CMG service name>, plus a bulk registration token when token authentication is used (the token is time-limited, so generate it shortly before use).
  • To force a test device to use the CMG even while on the intranet, set the DWORD value ClientAlwaysOnInternet = 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security and restart the SMS Agent Host (CcmExec) service. Revert the value after testing; a client left in this state never uses on-premises roles.
  • Validate with PowerShell (run as administrator):
      Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate |
          Where-Object {$_.Type -eq "Internet"}
    An entry of Type "Internet" means the client has resolved a management point through the CMG.


Step 7 — Validation & Monitoring

Verify Client CMG Connectivity

  • On the site systems, check CMGService.log and SMS_Cloud_ProxyConnector.log (the latter on the CMG connection point).
  • On clients, verify the Internet MP assignment in Control Panel → Configuration Manager → Network, or via WMI; LocationServices.log and CcmMessaging.log show the CMG endpoint the client is actually talking to.


Monitor CMG Health

  • Console → Monitoring → Cloud Management → CMG
  • Use Connection Analyzer for Entra & certificate checks.
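Steps 6 and 7 together are a loop on a pilot device: force the client onto the CMG, wait for location services to re-evaluate, then read back what it resolved. The script below is an added example (not part of the original IBM article or of the Configuration Manager client) that wraps those checks in two functions. It assumes it runs elevated on a ConfigMgr client, that the registry value and WMI class are the ones named in the steps above, and that client logs are in the default %windir%\CCM\Logs location.

```powershell
# Added example (not from the original page): force a pilot client through the
# CMG and report what it resolved. Assumes an elevated session on a ConfigMgr client.

function Set-CmgClientAlwaysOnInternet {
    param([bool]$Enabled = $true)
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
    if (-not (Test-Path $key)) { throw "ConfigMgr client registry key not found: $key" }
    Set-ItemProperty -Path $key -Name 'ClientAlwaysOnInternet' -Value ([int]$Enabled) -Type DWord
    # The client re-evaluates its network location when the agent service starts.
    Restart-Service -Name CcmExec -Force
}

function Get-CmgClientStatus {
    $regValue = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\Security' `
                    -Name 'ClientAlwaysOnInternet' -ErrorAction SilentlyContinue).ClientAlwaysOnInternet

    # MP candidates the client currently knows about; Type "Internet" entries are reached via the CMG.
    $candidates = Get-CimInstance -Namespace 'root\ccm\LocationServices' `
                      -ClassName SMS_ActiveMPCandidate -ErrorAction SilentlyContinue
    $internetMp = $candidates | Where-Object { $_.Type -eq 'Internet' } | Select-Object -ExpandProperty MP

    # Recent CMG-related lines from the client location and messaging logs (default log path assumed).
    $logDir = Join-Path $env:windir 'CCM\Logs'
    $recent = foreach ($log in 'LocationServices.log', 'CcmMessaging.log') {
        $path = Join-Path $logDir $log
        if (Test-Path $path) {
            Get-Content $path -Tail 200 |
                Where-Object { $_ -match 'CMG|CCM_Proxy|Internet' } |
                Select-Object -Last 5 |
                ForEach-Object { "${log}: $_" }
        }
    }

    [pscustomobject]@{
        ClientAlwaysOnInternet = $regValue
        InternetMPs            = @($internetMp)
        AllCandidates          = @($candidates | Select-Object MP, Type)
        UsingCmg               = [bool]$internetMp
        RecentLogLines         = @($recent)
    }
}

# Usage: flip the switch on a pilot device, give location services a minute, then inspect.
Set-CmgClientAlwaysOnInternet -Enabled $true
Start-Sleep -Seconds 60
Get-CmgClientStatus | Format-List

# When finished testing, return the client to normal location detection:
# Set-CmgClientAlwaysOnInternet -Enabled $false
```

UsingCmg = False with an empty InternetMPs list after the wait usually means the client cannot reach the CMG name on TCP 443, does not trust the server certificate, or has no valid authentication method; the RecentLogLines field narrows down which.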


Additional Information

Authentication Methods for CMG

CMG supports three authentication methods:

Microsoft Entra ID (Recommended)

  • Supports user-centric scenarios on Windows 10 and later devices.
  • Requires devices to be Entra-joined or hybrid-joined.
  • Requires ConfigMgr to be integrated with Entra ID.

PKI Client Authentication Certificates

  • Use if organization already has an internal PKI.
  • The client authentication certificate needs an RSA key of at least 2048 bits (4096 is also supported) and must chain to a CA the MP trusts; CNG (v3 template) certificates are supported. Issue the certificate while the device is still on the intranet, since it is the credential the device presents to the CMG once it leaves.

Site-Issued Tokens

  • Token-based device authentication.
  • Best for devices not Entra joined and without PKI deployment.
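Which of the three methods a given device can use is determined by facts that can be read locally: its Entra join state and whether it holds a valid client authentication certificate. The function below is an added example, not part of the original IBM article or of Configuration Manager; it assumes an elevated session on a Windows 10 or later device, the standard dsregcmd /status output format, and the standard Client Authentication EKU OID (1.3.6.1.5.5.7.3.2). Site-issued tokens cannot be inspected this way, so the token line only reports whether the ConfigMgr client service is present.

```powershell
# Added example (not from the original page): report which CMG client
# authentication methods a device could use. Assumes an elevated session.

function Get-CmgAuthReadiness {
    # Entra ID: parse "Key : Value" lines from dsregcmd /status.
    $dsreg = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
    }
    $entraJoined  = $dsreg['AzureAdJoined'] -eq 'YES'
    $domainJoined = $dsreg['DomainJoined']  -eq 'YES'

    # PKI: machine certificates with the Client Authentication EKU, a private key,
    # still valid, and chaining to a root trusted on this device.
    $now = Get-Date
    $clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    }
    $trustedClientCerts = $clientCerts | Where-Object { $_.Verify() }

    # Tokens: no device prerequisite beyond the ConfigMgr client itself (assumption: presence
    # of the CcmExec service is taken as "client installed").
    $ccmInstalled = $null -ne (Get-Service -Name CcmExec -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        EntraJoined    = $entraJoined
        HybridJoined   = $entraJoined -and $domainJoined
        EntraIdUsable  = $entraJoined
        PkiClientCerts = @($trustedClientCerts | Select-Object Subject, NotAfter, Thumbprint)
        PkiUsable      = [bool]$trustedClientCerts
        TokenUsable    = $ccmInstalled
    }
}

Get-CmgAuthReadiness | Format-List
```

A device that reports EntraIdUsable = False and PkiUsable = False is exactly the case the site-issued token method exists for; if it is already off-premises, it will additionally need a bulk registration token at install time, as noted in Step 6.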

CMG Data Flow

Internet client → HTTPS (TCP 443) → CMG service in Azure ← outbound HTTPS connection opened by the CMG connection point (on-premises) → Management Point / Software Update Point

The connection point initiates the link to Azure, so no inbound port has to be opened on the on-premises network; the CMG only relays traffic from clients that have authenticated with one of the three methods above.

Document Location

Worldwide


Document Information

Modified date:
23 January 2026

UID

ibm17257970