Cloud Management Gateway (CMG) is a relatively new chapter in Microsoft Endpoint Manager Configuration Manager (MEMCM), and it gets better with every release. The technical preview build released recently (version 2009) adds a remote control feature for CMG-connected devices, which is badly needed to support internet-connected devices, and it carries several other good features that may ship in the next production build. But that is a whole other topic. In this blog post, I describe the SCCM CMG Policy Violation error that I recently came across at a customer while deploying the SCCM Cloud Management Gateway service.
Since COVID-19, a large part of the workforce is working from home, so managing endpoints over the internet or VPN, and keeping them compliant, is more important than ever.
You can refer to our guide for a complete Cloud Management Gateway installation.
Refer to this TechNet blog if you need more information about managing remote machines with a cloud management gateway.
Every time I set up a CMG service there is something to learn from it, and this time I learnt something new about the resource group and its region.
A brief summary of the customer infrastructure: SCCM 2006, self-signed (site-issued) certificates rather than PKI, enhanced HTTP (e-HTTP) enabled, and a wildcard certificate from a public CA for CMG server authentication.
Starting with SCCM 2002, clients can use token-based authentication if you do not have PKI client certificates, hybrid Azure AD join, or Azure AD join. Those are the three ways a client can authenticate to the CMG service: an Azure AD identity, a PKI client authentication certificate, or a site-issued token.
SCCM CMG Policy Violation Problem
We used the wildcard certificate for CMG server authentication and started the CMG setup wizard.
We selected the existing resource group called SCCM and the region East US.
After the wizard completed, I checked the console and the status showed a provisioning service failed error.
So I looked at CMGSetup.log on the primary site server and found the following error several times:
Error: Resource Manager – Unexpected exception: Hyak.Common.CloudException: InvalidTemplateDeployment: The template deployment failed because of policy violation. Please see the details for more information. Check monitor/activity log on Azure portal for more information.
SCCM CMG Policy Violation Solution
To find the actual reason for the failure (the policy violation):
- I logged into the Azure portal
- went to the subscription the CMG service was being deployed into
- clicked Activity log
- in the activity log you will see several failed entries
- click any one of them to see more information about the error
- we had the following message: Invalid resource group location ‘East US’. The Resource group already exists in location ‘CentralUS’.
If you remember, the region selected for the resource group (SCCM) in the CMG setup wizard was East US, but the SCCM resource group had already been created in Central US, hence the mismatch. The wizard and CMGSetup.log only surface the generic Resource Manager wrapper error; the activity log entry holds the underlying reason, so always read it rather than guessing.
So we have a couple of options to fix the issue:
- Change the region of the existing resource group in the subscription from Central US to East US
- Select Central US in the CMG setup wizard for the existing resource group SCCM
- Create a new resource group and choose the wanted location
- Option #1 turned out not to be possible: the location of a resource group cannot be changed once it is created (you can only move resources into a different resource group), so it comes down to #2 or #3. We decided on option #2 and simply changed the region in the CMG setup wizard to Central US to match the resource group.
This time the CMG setup wizard ran successfully and the services were in place in no time; the SCCM CMG Policy Violation error did not recur.
If you want to use an existing resource group for the CMG setup, make sure you select the same region the resource group already has in the Azure subscription, otherwise you will run into this SCCM CMG Policy Violation error.
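The following PowerShell is an added example and not part of the original post or of the CMG setup wizard. It covers both halves of the story above: it checks the location of the existing resource group against the region you intend to pick in the wizard before you run it, and, if a deployment has already failed, it pulls the underlying statusMessage from the subscription activity log instead of clicking through the portal. It assumes the Az PowerShell module is installed and Connect-AzAccount has been run against the subscription used for CMG; the subscription ID, resource group name and region are placeholders, and the `Properties.Content['statusMessage']` path is the Az.Monitor event shape as I know it.

```powershell
# Added example, not from the original post. Assumes the Az module is installed
# and Connect-AzAccount has already been run. The three values below are
# placeholders: replace them with your own.
$SubscriptionId    = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroupName = 'SCCM'        # existing resource group chosen in the CMG wizard
$WizardRegion      = 'East US'     # region you intend to pick in the CMG wizard

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Pre-check: does the existing resource group already live in another region?
#    Azure returns the location in short form ('centralus') while the wizard
#    shows the display name ('Central US'), so compare with spaces and case removed.
$rg = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue
if (-not $rg) {
    Write-Host "Resource group '$ResourceGroupName' does not exist yet; the wizard will create it in '$WizardRegion'."
}
else {
    $actual = ($rg.Location  -replace '\s', '').ToLowerInvariant()
    $wanted = ($WizardRegion -replace '\s', '').ToLowerInvariant()
    if ($actual -ne $wanted) {
        Write-Warning "Resource group '$ResourceGroupName' is in '$($rg.Location)' but the wizard will request '$WizardRegion'."
        Write-Warning "Either pick '$($rg.Location)' in the CMG wizard, or create a new resource group in the wanted region:"
        Write-Warning "  New-AzResourceGroup -Name 'SCCM-CMG' -Location '$WizardRegion'"
    }
    else {
        Write-Host "OK: '$ResourceGroupName' is in '$($rg.Location)', which matches the wizard selection."
    }
}

# 2. If a CMG deployment has already failed, pull the real reason from the
#    activity log. Only the ARM wrapper text ('InvalidTemplateDeployment ...
#    policy violation') reaches CMGSetup.log; the statusMessage on the failed
#    event carries the underlying error, e.g. the resource group location mismatch.
Get-AzLog -ResourceGroupName $ResourceGroupName -StartTime (Get-Date).AddHours(-2) -Status Failed |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.EventTimestamp
            Operation = $_.OperationName.Value
            Message   = $_.Properties.Content['statusMessage']
        }
    } | Format-List
```

Run the first part before starting the wizard; if it warns, either enter the reported region in the wizard or create a fresh resource group. The second part is only useful after a failed attempt, and the two-hour window is just a starting point: widen it if the failure was earlier.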