How to configure SCCM 1806 Cloud Management Gateway

Jonathan Lefebvre

Download and own the latest version of this SCCM Cloud Management Gateway Installation Guide in a single PDF file.

The PDF file is a 50 pages document that contains all information to install a cloud management gateway with SCCM. Use our products page or use the button below to download it.

The ConfigMgr team is working really hard to make the SCCM admin's job easier for some of the key components of Modern Management. Starting with the SCCM 1806 release, they ease the setup of the Cloud Management Gateway a bit.

If you are new to the concept of Cloud Management Gateway, the main advantage is that it doesn't expose your SCCM servers to the internet. The downside is that it requires an Azure subscription, which brings recurring monthly costs. If you're still unsure which method to use, you can read the Microsoft documentation and see our blog post about internet client management. Make sure that you understand the limitations of using internet clients.

We strongly encourage you to use the Cloud Management Gateway if you'll be managing clients on the internet, since this feature will evolve with time and support for the traditional way should go away.

If you are not yet running SCCM 1806 but still would like to use the Cloud Management Gateway, see our previous post.

Here are the available features supported through the Cloud Management Gateway:

In this post, we will configure the Cloud Management Gateway by using the Azure Resource Manager.

Some sections from our previous post are brought back here to ease reading.

High-level steps

All steps are done directly in the SCCM console. We will describe each step:

  • Verify a unique Azure cloud service URL
  • Configure Azure Service – Cloud management
  • Configure Cloud Management Gateway server authentication Certificate
  • Configure Client Authentication Certificate
  • Configure Cloud Management gateway
  • Configure SCCM-generated certificates
  • Add the Cloud Management Gateway Connector Point
  • Configure system roles to communicate with the Cloud Management Gateway
  • Configure client settings

SCCM 1806 Cloud Management Gateway Prerequisites

Configuring the Cloud Management Gateway with SCCM 1806 removes the requirement for an Azure Management certificate.

Verify a unique Azure cloud service URL

We don't need to create the cloud service in Azure; the Cloud Management Gateway setup will create the service. We just need to verify that the Azure cloud service URL is valid and unique.

  • Log in to the Azure portal
  • In the Azure Portal, select Cloud Services on the left, then click Add
  • Enter the desired DNS name
  • Validate that there's a green check mark on the right. If your name is not valid, a red X will display; if so, choose a different name
  • Once your name is valid, take note of it as it will be needed later. We will use SCDCMG as the DNS name for our example
  • Close the window; do not create the service now

Configure the Azure Service – Cloud Management

  • Go to Administration/Cloud Services/Azure Services and select Configure Azure Services
  • Specify a name, select Cloud Management, then click Next
  • In this step, the Azure Administrator will be required to create the web app and the native client app. Click Browse for the Web app
  • Click Create
  • Click Sign in and provide Azure administrator credentials. The default names do just fine. Click OK when the login is complete
Important Info
The secret key will need to be renewed before the expiration period.

To do so, go to Administration/Cloud Services/Azure Active Directory Tenants; at the bottom, it will be possible to renew the secret key.

  • Select the app that was just created and click OK
  • Click Browse for the Native client app, then click Create
  • Click Sign in and provide Azure administrator credentials. The default names do just fine. Click OK when the login is complete
  • Select the app that was just created and click OK
  • Click Next
  • Choose whether to enable Azure Active Directory User Discovery or not.
The Azure AD discovery is not a requirement for the Cloud Management Gateway to work.
  • Click Next
  • The Azure service is completed. If enabled, the AAD user discovery can be modified
  • The Azure AD tenant is now configured

Cloud Management Gateway server authentication Certificate requirements

The certificate requirements are the most complex part of configuring the Cloud Management Gateway.

A certificate is needed between the SCCM server and the Cloud Management Gateway.

The following choices are available:

  • Use a certificate from a public trusted provider
    • This option requires a CNAME to be created in the DNS for the real hostname CMGSCD.CloudApp.Net
  • Use a certificate from an enterprise CA
    • This certificate must be trusted by all computers that will connect to the Cloud Management Gateway
    • Use the format <CMG name>.CloudApp.Net
Important Info
In all cases this certificate will determine the name of the Cloud Management Gateway.

Only letters and numbers are allowed in the name.

A valid example is

An invalid example is CMG-SCD.cloudApp.Net

See our post for the complete how-to about the certificate from an Enterprise CA.

Follow the section Create and issue a custom SSL certificate for the Cloud Management Gateway up to Export the custom Web Certificate.

More detail can also be found on
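The naming rules above (letters and digits only in the service name, FQDN of the form <CMG name>.CloudApp.Net) are easy to get wrong when requesting the certificate, and the wizard only tells you after the fact. The following PowerShell pre-check is an added example, not code from the original post or from Microsoft: it validates a candidate name and, optionally, looks up the matching certificate in the local machine store to confirm it has a private key, the Server Authentication EKU and a reasonable validity window. The function names, the store path and the 30-day renewal warning are assumptions.

```powershell
# Added example (not from the original post): pre-check a CMG server
# authentication certificate name before requesting or uploading it.
# Assumptions: the certificate lives in Cert:\LocalMachine\My with the CMG
# FQDN as its subject CN; function and parameter names are hypothetical.

function Test-CmgServiceName {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Fqdn)

    $result = [ordered]@{ Fqdn = $Fqdn; Label = $null; Valid = $false; Reason = @() }

    # The public CMG address is always <name>.cloudapp.net (case does not matter).
    if ($Fqdn -notmatch '^(?<label>[^.]+)\.cloudapp\.net$') {
        $result.Reason += 'FQDN must be of the form <CMG name>.cloudapp.net'
        return [pscustomobject]$result
    }
    $label = $Matches['label']
    $result.Label = $label

    # Only letters and digits are allowed in the service name; a hyphen,
    # underscore or space (e.g. CMG-SCD) is rejected by the wizard.
    if ($label -notmatch '^[A-Za-z0-9]+$') {
        $result.Reason += "Service name '$label' contains characters other than letters and digits"
    }

    $result.Valid = ($result.Reason.Count -eq 0)
    return [pscustomobject]$result
}

function Test-CmgServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: cert was requested on this machine
    )

    $check = Test-CmgServiceName -Fqdn $Fqdn
    if (-not $check.Valid) { return $check }

    # Most recent certificate whose subject CN is exactly the CMG FQDN.
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)" } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1

    if (-not $cert) {
        $check.Valid = $false
        $check.Reason += "No certificate with CN=$Fqdn found in $StorePath"
        return $check
    }

    # The wizard needs a PFX (private key) and the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    if (-not $cert.HasPrivateKey) {
        $check.Reason += 'Certificate has no private key; it cannot be exported as a PFX'
    }
    if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })) {
        $check.Reason += 'Certificate lacks the Server Authentication EKU'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {   # assumed renewal margin
        $check.Reason += "Certificate expires on $($cert.NotAfter); renew before uploading"
    }

    $check.Valid = ($check.Reason.Count -eq 0)
    $check | Add-Member -NotePropertyName Thumbprint -NotePropertyValue $cert.Thumbprint
    return $check
}

# Constructed sample inputs: the example name used in this post and the invalid form.
Test-CmgServiceName -Fqdn 'SCDCMG.CloudApp.Net'
Test-CmgServiceName -Fqdn 'CMG-SCD.cloudApp.Net'
```

Run the store check on the server where the certificate request was completed; the Reason list tells you exactly which requirement is missing before you open the Create Cloud Management Gateway wizard.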

Client authentication certificate requirements

If you are using a certificate from a Public trusted provider for the CMG server authentication, this part can be skipped.

This can also be skipped if you only have client computers that are either Hybrid-domain joined or Azure AD joined.

Otherwise, using an Enterprise CA requires this step.

See our post for the complete how-to about the certificate for Client Authentication.

Follow the section Create a client authentication certificate up to Export the client certificate's root.

Configure SCCM 1806 Cloud Management Gateway

  • Go to Administration/Cloud Services/Cloud Management Gateway and select Create cloud management gateway
  • Sign in with Azure Administrator rights. The Azure AD app name should be auto-populated; click Next
  • Select:
    • Service name: provided automatically depending on the certificate in use. If using a public certificate or an internal certificate, the name will need to be entered manually.
      • Remember, only letters and numbers are allowed in the name.
    • Region: should be the same as the on-prem Management point
    • Resource group: select an existing or create a new one
    • VM instance: 1
    • Cloud service certificate: select the CMG server authentication certificate or the Public certificate
    • Client authentication certificate: Provide the client authentication certificate when using an Enterprise CA
    • Choose to Verify client certificate revocation or not
    • Choose if you want to enable the Cloud DP
Depending on the certificate used, the following message will display. This will happen when the certificate is not pointing to

This is a reminder about the CNAME requirements.

  • Set the threshold as needed
  • Summary, click Next
  • Click Close
  • The Cloud Management Gateway will show as Provisioning for about 10 minutes
  • The Cloud Management Gateway is ready for next steps
  • The cloud management gateway resources are also visible in the Azure portal.

Configure SCCM-generated certificates

This is a new feature in SCCM 1806, but still in pre-release. This means that the feature is still in development but is fully supported.

The goal of this feature is to enable an HTTP Management Point and Software Update Point to support CMG traffic using HTTPS. Prior to SCCM 1806, an HTTPS MP and SUP had to be provided in order to connect those services to the Cloud Management Gateway.

  • Go to Administration/Updates and Servicing/Features
  • Turn on the feature Enhanced HTTP site system
  • Go to Administration/Site Configuration/Sites and select Properties on your site
  • Under the Client computer communication tab, check the box Use Configuration Manager-generated certificates for HTTP site systems

For more detail on the SCCM-Generated certificate, see

The cloud management gateway connector point is a new site system role for communicating with cloud management gateway. Let’s add this role to our management point machine.

  • In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles
  • Select the server which will serve as your cloud management gateway connection point and select Add Site System Role
  • On the System Role Selection pane, select Cloud management gateway connection point
  • Your Cloud Management Gateway name and region will be auto-populated
  • Review your settings and complete the wizard

You can follow the installation progress in SMS_Cloud_ProxyConnector.log.

Configure System roles to communicate with the Cloud Management Gateway

Prior to SCCM 1806, it was not possible for the current Management Point and Software Update Point to remain in HTTP mode and support the Cloud Management Gateway.

Admins needed a new Management Point and Software Update Point configured in HTTPS mode, or had to switch the current ones.

Now with the SCCM-generated certificate, a current HTTP MP and SUP can support the Cloud Management Gateway.

  • Under Administration/Site Configuration/Servers and site System roles, select the Management Point properties
  • Check the box Allow Configuration Manager cloud management gateway traffic. Notice that the Client Connections remain in HTTP
  • Under Administration/Site Configuration/Servers and site System roles, select the Software Update Point properties
  • Check the box Allow Configuration Manager cloud management gateway traffic. Notice that the Require SSL communication to the WSUS remains unchecked

Configure Client settings

Under Administration/Client Settings, under Cloud Services, make sure Enable clients to use a cloud management gateway is set to Yes.

Once configured, deploy your client settings to the desired clients.

If you plan to use Cloud Distribution Point, it is also configured here.

Configure clients for cloud management gateway

We will now verify whether clients are able to successfully communicate with our server via the SCCM Cloud Management Gateway.

On a client connected to the intranet, do a machine policy retrieval and restart the SMS Agent Host.

On the Network tab of the Configuration Manager agent, the * should be visible.

Additional information is available in ClientLocation.log.

Testing client connection to Cloud Management gateway

To test the cloud management gateway, get your machine on the internet … or force the SCCM client to be configured as Always Internet.

In the registry editor, set HKLM\Software\Microsoft\CCM\Security\ClientAlwaysOnInternet to 1 and restart the SMS Agent Host service.

After the SMS Agent Host service restarts, the client will display the connection type Always Internet.

From this point, you can try any of the supported features for the Cloud Management Gateway!
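Flipping the registry value by hand works for one machine, but for a lab test you usually want to set it, bounce the agent, request policy and then read back what the agent actually believes. The script below is an added example, not code from the original post or from Microsoft: it writes ClientAlwaysOnInternet, restarts the SMS Agent Host, triggers a Machine Policy Retrieval & Evaluation cycle, and then reports the forced value next to the agent's own InInternet flag from root\ccm:ClientInfo. The function names and the 30-second settle time are assumptions; run it elevated on the test client and revert with -Value 0 when done.

```powershell
# Added example (not from the original post): force a test client into
# "Always Internet", restart the agent, request machine policy and read the
# connection state back. Assumptions: run elevated on a client with the
# Configuration Manager agent installed; function names are hypothetical.

function Set-CmgClientAlwaysInternet {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet(0, 1)]
        [int]$Value = 1,          # 1 = behave as an internet client, 0 = normal detection
        [int]$SettleSeconds = 30  # assumed: time to let ccmexec come back up before triggering policy
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
    if (-not (Test-Path -Path $key)) {
        throw "Configuration Manager client key not found ($key); is the agent installed?"
    }
    if ($PSCmdlet.ShouldProcess("$key\ClientAlwaysOnInternet", "set to $Value")) {
        Set-ItemProperty -Path $key -Name 'ClientAlwaysOnInternet' -Value $Value -Type DWord

        # The value is read when the agent starts, so restart the SMS Agent Host.
        Restart-Service -Name 'CcmExec' -Force
        Start-Sleep -Seconds $SettleSeconds

        # Machine Policy Retrieval & Evaluation Cycle (schedule ID from the client SDK).
        $null = Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' `
            -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' }
    }
}

function Get-CmgClientConnectionState {
    # Registry: what we forced. WMI: what the agent believes after the restart.
    $forced = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\Security' `
               -Name 'ClientAlwaysOnInternet' -ErrorAction SilentlyContinue).ClientAlwaysOnInternet
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo'
    [pscustomobject]@{
        ClientAlwaysOnInternet = [int]$forced
        InInternet             = [bool]$info.InInternet
        AgentRunning           = ((Get-Service -Name 'CcmExec').Status -eq 'Running')
    }
}

# Usage on a lab client; revert with -Value 0 when the test is finished.
Set-CmgClientAlwaysInternet -Value 1
Get-CmgClientConnectionState
```

If InInternet stays False after the restart, the agent never picked up the value; check that the key was written under HKLM (not HKCU) and look at ClientLocation.log as described above.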


Make sure to whitelist the address in your enterprise firewall. We've seen an issue with Cisco Umbrella blocking traffic, thus preventing the cloud management gateway connection point from keeping the connection to the cloud management gateway.

The following error found in SMS_CLOUD_PROXYCONNECTOR.log was showing: Failed to build HTTP connection with XXXXX.CloudApp.Net. The cloud management gateway checks the connection every 60 seconds.

This was a big one, hope it helped! Are you using the new Cloud Management Gateway? Tell us your experience in the comment section.
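Because the connector retries every 60 seconds, a single "Failed to build HTTP connection" entry is noise, while a run of them means the connection point has lost the gateway (the Cisco Umbrella case above). The function below is an added example, not code from the original post or from Microsoft: it parses CMTrace-format lines from SMS_CLOUD_PROXYCONNECTOR.log, counts connection failures per server, tracks consecutive misses, and raises an alert when the connector is currently stuck. The failure and success message texts are the ones quoted on this page (Failed to build Http connection ..., ResponseHeader: HTTP/1.1 200 OK, HTTP/1.1 280 BGB Session Continued); the function name, the three-miss threshold, the sample lines and the log path in the usage note are assumptions. The same parser can be pointed at the log while the role is installing to follow progress.

```powershell
# Added example (not from the original post): flag sustained connector
# failures in SMS_CLOUD_PROXYCONNECTOR.log. Log lines are assumed to be in
# CMTrace format; message texts are those quoted in this post and its comments.

function Get-CmgConnectorHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        # The connector retries every 60 s; three misses in a row (~3 min)
        # is where this example raises an alert (assumed threshold).
        [int]$ConsecutiveThreshold = 3
    )

    # One CMTrace entry per line: <![LOG[msg]LOG]!><time="..." date="..." ... type="3" ...>
    $entryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"[^>]*\btype="(?<type>\d)"'
    $failPattern  = 'Failed to build Http connection.*?with (?:server )?(?<server>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)'
    $okPattern    = 'ResponseHeader: HTTP/1\.1 (200 OK|280 BGB Session Continued)'

    $failures    = @{}    # server -> failure count
    $run         = 0      # current consecutive-failure run
    $longestRun  = 0
    $lastFailure = $null
    $lastSuccess = $null
    $errorCount  = 0

    foreach ($line in $LogLines) {
        if ($line -notmatch $entryPattern) { continue }
        # Capture everything we need before the next -match overwrites $Matches.
        $msg   = $Matches['msg']
        $stamp = "$($Matches['date']) $(($Matches['time'] -split '[+-]')[0])"
        if ([int]$Matches['type'] -eq 3) { $errorCount++ }

        if ($msg -match $failPattern) {
            $server = $Matches['server'].ToLowerInvariant()
            $failures[$server] = 1 + [int]$failures[$server]
            $run++
            if ($run -gt $longestRun) { $longestRun = $run }
            $lastFailure = $stamp
        }
        elseif ($msg -match $okPattern) {
            $run = 0
            $lastSuccess = $stamp
        }
    }

    [pscustomobject]@{
        ErrorEntries      = $errorCount
        FailuresByServer  = $failures
        LongestFailureRun = $longestRun
        CurrentFailureRun = $run
        LastFailure       = $lastFailure
        LastSuccess       = $lastSuccess
        # Alert only when the connector is stuck right now, not for an earlier blip.
        Alert             = ($run -ge $ConsecutiveThreshold)
    }
}

# Constructed sample: one healthy exchange, then three consecutive misses, which is
# the symptom seen when an outbound proxy such as Cisco Umbrella blocks the traffic.
$tail = '" component="SMS_CLOUD_PROXYCONNECTOR" context="" thread="100" file="">'
$sample = @(
    ('<![LOG[MessageID: 1 RequestURI: http://SCDCMG.CLOUDAPP.NET/SMS_MP/.sms_aut?MPLIST ' +
     'EndpointName: SMS_MP ResponseHeader: HTTP/1.1 200 OK]LOG]!><time="10:00:00.000+000" date="09-20-2018' +
     $tail -replace 'thread=', 'type="1" thread='),
    ('<![LOG[ERROR: Failed to build Http connection 00000000-0000-0000-0000-000000000001 with server ' +
     'SCDCMG.CLOUDAPP.NET:443. Exception: System.Net.WebException: The remote server returned an error: ' +
     '(990) BGB Session Ended.]LOG]!><time="10:01:00.000+000" date="09-20-2018' +
     $tail -replace 'thread=', 'type="3" thread='),
    ('<![LOG[ERROR: Failed to build Http connection 00000000-0000-0000-0000-000000000002 with server ' +
     'SCDCMG.CLOUDAPP.NET:443.]LOG]!><time="10:02:00.000+000" date="09-20-2018' +
     $tail -replace 'thread=', 'type="3" thread='),
    ('<![LOG[Failed to build HTTP connection with SCDCMG.CloudApp.Net.]LOG]!><time="10:03:00.000+000" date="09-20-2018' +
     $tail -replace 'thread=', 'type="3" thread=')
)

Get-CmgConnectorHealth -LogLines $sample
# Against a live server (path is an assumption; adjust to your install directory):
# Get-CmgConnectorHealth -LogLines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_CLOUD_PROXYCONNECTOR.log' -Tail 500)
```

Scheduling the live call every few minutes and acting on Alert gives you an early warning before clients on the internet start failing policy requests; FailuresByServer also tells you whether one or all of your gateways are affected.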


31 Comments on “How to configure SCCM 1806 Cloud Management Gateway”

  1. quick query, what dns entry i need to put. the warning error which you mentioned at the bottom i am getting it for internal CMG service FQDN.

    1. i have created the CNAME entry in Public DNS to map to
    2. i have create other Cname entry in local dns server to MAP internal SCCM server IP to local CMG service FQDN

  2. hello this feature can be used on computers out of domain active directory with the use of a public certificate?

  3. Hi, great article.
    I am having an issue with the internet client getting content from the cloud DP. any thoughts? everything else appears to be functional.

  4. Hi!
    I haven't had any error while creating CMG, certificates, services associated, etc. But when I try to test with Connection Analyzer, I always get these errors:
    1.- Configuration version of the CMG service should be 3.
    Failed to get CMG service metadata. For more information, see SmsAdminUI.log. In SMSAdminUI.log I see
    this entry: [12, PID:5860][05/01/2019 22:37:57] :System.Net.WebException\r\nThe remote server returned
    an error: (403) Forbidden.\r\n at System.Net.HttpWebRequest.GetResponse()
    2.- Failed to refresh MP location. Selected client certificate is not trusted by the CMG service. Check if
    certificate chain for the client certificate is specified to upload to the CMG service and check revocation
    check setting.

    I’ve reviewed everything, I do not find where is the mistake.

    Please any help?


  5. Nice guide! Maybe I'm wrong but shouldn't the CMG be added to the boundaries before it can be used?

    1. Hi Duuck,

      only if you want to manage internal network sites with the CMG. Like a small remote office with a bad VPN connection, it might be easier to support them with the CMG.

      Otherwise, any client connected to the web will go through the CMG.
      the strategy for the VPN IP range should be reviewed to see if you leverage the CMG or not.



  6. “We have successfully added and tested a CMG Service (SCCM 1810)for both Australia East and East US, but all attempts to create a CMG service in any of the UK regions results in provisioning failed. Is it possible to create a CMG service in the UK at the current date?

  7. I can’t seem to get my clients to detect that the CMG is a new management point now. I got everything setup and everything appears to be connected (the service connection point sees my CMG). But watching ClientLocation.log it still only detects my on-prem management point. I’ve triggered a machine policy & eval cycle as well as restarted the SMS agent service several times but no luck. Thoughts?

  8. Enhanced HTTP isn’t required to have your CMG utilize an HTTP based SUP, only for an HTTP based MP. You can leave a SUP on HTTP regardless if you enable enhanced HTTP or not.

  9. We are running into an issue on our environment (90k+ clients over 5 primary sites) where after 4-8 days the MPs we have installed the CMG connectors on are going in a “disconnected” state. Sometimes we need to restart them as the RDC connection dies & we can no longer login. This seems to be as the TCP/IP ports are exhausted (symptoms are accompanied by TCP/IP 4231/4227 errors in the system event log.) I’ve logged this with MS who have advised updating to 1810. Just reporting here in case anybody else has similar issues. The number of high-end ports has been amended (netsh int ipv4 set dynamicport tcp start=20000 num=45535) & time wait for disconnect reg entry (Create key “TcpipTimedWaitDelay” REG_DWord (32-bit) with dec setting of 40 under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter) have been added, but for us this has had no impact. Am also seeing an inconsistency with the the max number of concurrent connections & number of actual clients. One of our sites has about 25k clients, however the console is reporting 120k+ concurrent connections!

  10. I have had zero luck getting clients to connect in this scenario. MS documentation indicates we do need AAD for this to work. My domain joined laptop, on the internet will not talk to the cloud management point at all.

  11. We have successfully implemented CMG. However, a few weeks later when adding another site / connector it is now stuck at “updating configuration”

    start / stop / synchronise is greyed out.

    Any ideas ? thanks in advance

  12. Hi,
    Recently we configured the CMG with HTTP Option and everything seems to be OK when we test CMG Connection Analyzer
    when we configure client computer with external network we getting the following errors

    Raising pending event:
    instance of CCM_CcmHttp_Status
    ClientID = “GUID:D4F03A98-74DE-4FB1-A4C6-93D3AE29F83C”;
    DateTime = “20181029111338.135000+000”;
    HRESULT = “0x80072f78”;
    ProcessID = 32648;
    StatusCode = 600;
    ThreadID = 21268;

    [CCMHTTP] ERROR: URL=https://XXXCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?MPLIST2&AV1, Port=443, Options=1472, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE

    Any suggestions?

  13. Is it possible to have SCCM and Intune on a AAD joined machine only, without a CMG. We really on want SCCM to install software when the devices are on the Intranet only. Then we let Intune manage everything else.

    1. Hi Ronald,

      Yes you can use Co-Management (SCCM + Intune standalone) without the Cloud Management gateway.
      They are not related at all.


  14. We already have two separate environments with On Premise SCCM and Intune Managed Windows 10 devices. We are looking at setting up CoMgmt and have some control over the Intune managed devices for ex. Remote Control, Reporting features of SCCM. May I know what design changes would be required in our case from the above illustrated steps?

    1. Hi Mark,
      the way documented in this post is without AAD.

      AAD can be used if you only have Windows 10 devices in Hybrid domain joined or Azure AD joined.
      hope this clear things


  15. In this setup what if an azure ad joined machine comes onto the local network. Will it be able to communicate with a http management point?

    1. Hi Annabel,

      I believe it should as the SCCM agent will have connection type of Intranet at that point.
      The AAD joined machine has a more simple setup to authenticate against the CMG when outside of the reach of the on-prem Management Point


  16. Thank you for this. I ran through this for our lab environment and I’m getting some errors. I apologize in advance for any formatting issues.


    ERROR: Failed to build Http connection 8adcf040-5723-4055-8597-0e17d43e21fd with server CMG.CLOUDAPP.NET:443. Exception: System.Net.WebException: The remote server returned an error: (990) BGB Session Ended.~~ at System.Net.HttpWebRequest.GetResponse()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnection.Send(Boolean isProxyData, Byte[] data, Int32& statusCode, Byte[]& payload)~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.Start()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionManager.MaintainConnections()

    The error that follows is repeated with a bunch of different MessageIDs.


    “MessageID: e7f96f39-1090-4290-8356-53f3dce8294f RequestURI: http://CMG.CLOUDAPP.NET/SMS_MP/.sms_aut?SITESIGNCERT EndpointName: SMS_MP ResponseHeader: HTTP/1.1 404 CMGConnector_NotFound~~ ResponseBodySize: 4880 ElapsedTime: 1 ms

    On the client side I get a number of errors


    [CCMHTTP] ERROR: URL=https://CMG.CLOUDAPP.NET/CCM_PROXY_MUTUALAUTH/72057594037927999/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=1472, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE

    [CCMHTTP] ERROR INFO: StatusCode=404 StatusText=CMGConnector_NotFound

    Raising event:
    instance of CCM_CcmHttp_Status
    ClientID = “GUID:b190c666-e77f-43d1-a77b-4480b599397c”;
    DateTime = “20180920163242.595000+000”;
    HostName = “CMG.CLOUDAPP.NET”;
    HRESULT = “0x87d0027e”;
    ProcessID = 4440;
    StatusCode = 404;
    ThreadID = 1892;

    If I run the connection analyzer from the console I get the following message at the “testing the CMG channel for management point” step.

    Failed to get ConfigMgr token with Azure AD token. Status code is ‘500’ and status description is ‘CMGConnector_InternalServerError’.

    After getting those errors I figured I must have done something wrong so I blew it all out and started over. I made sure that I had the right certs loaded and exported but I’m getting the same errors. I can successfully distribute content to the cloud dp. The error that you mentioned relating to establishing the HTTP connection is different in my case so I’m not entirely sure where to go from here.

    1. Hey Mikes,
      did you modify the log you copied here? if not, it is for sure not a valid entry.
      Go back to step one VERIFY A UNIQUE AZURE CLOUD SERVICE URL and validate the name you want to


      1. Yes, I modified it. The actual name of that service is validated in azure, I just didn’t want to post it here.

        In any event, I think I've got it working. I had set the connection point up on a new mp and after digging through more logs I found that bgbisapi.msi couldn't get installed because BITS was not installed when the mp was installed (I thought that was automatic but I guess it isn't). I enabled BITS then restarted the site component manager and after that the missing components were installed. From there the bad responses in CMG_CLOUD_PROXYCONNECTOR.log cleared up and were replaced with "ResponseHeader: HTTP/1.1 200 OK" and "ResponseHeader: HTTP/1.1 280 BGB Session Continued". The connection analyzer also reports success so I think I'm good.


        1. Thank you very much for posting this solution – I’ve been dealing with the exact same issue, and your steps resolved it. I just enabled BITS, restarted the Site Component Manager, and was all set after that! Thank you again, and thank you in general for this site, it’s hugely beneficial!!
