SCCM CMG Setup

A few months back I was setting up SCCM IBCM with AWS EC2s. However, as our management only wants one-way communication from our corporate network to DMZ, and the SQL database push-based replication failed during the setup(I opened a case with Microsoft, and they directly told me that one-way communication setup for SCCM is not possible), I have to switch to Microsoft's new Cloud Management Gateway – SCCM CMG.

Here is an old article I used to set up the SQL push-based replication, and apparently it didn't work.

http://archive.wmug.co.uk/wmug/b/r0b/posts/push-based-replica-management-point

So now I switched to the SCCM CMG configurations.

First thing I have to know is the different ways of client authentication methods with CMG:

1. PKI Certificate

This way is recommended by Microsoft, each client has a unique certificate issued by the internal CA. And it can be worked on all windows clients.

2. Azure AD

Clients will be joined to Azure AD. Only Windows 10 devices are supported in this setup. However it supports both user and device.

3. Site Token

Can support all the windows clients, they are best for the environment that doesn't have a PKI infrastructure. The site token has validity between 3-5 days.

References:

About the Client Authentication and Authorization choices:

https://home.memftw.com/cloud-management-gateway-choices/

Azure AD device registration error codes
https://s4erka.wordpress.com/2018/03/06/azure-ad-device-registration-error-codes/

Differences of Co-management, Hybrid Azure AD joined and CMG

Digging into Hybrid Azure AD Join

Troubleshooting Hybrid Azure AD Join

Troubleshooting Hybrid Azure AD Join

Troubleshooting hybrid Azure Active Directory joined devices

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

Azure AD – Hybrid Device Join (HDJ) Status – Pending

Azure AD – Hybrid Device Join (HDJ) Status – Pending

Install and assign Configuration Manager Windows 10 clients using Azure AD for authentication

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-azure

Token-based authentication for cloud management gateway

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-token

CMG token based authentication with ConfigMgr 2002
http://gerryhampsoncm.blogspot.com/2020/05/cmg-token-based-authentication-with.html

How to setup Cloud Management Gateway with Enhanced HTTP

How to setup Cloud Management Gateway with Enhanced HTTP

Intune SCEP

https://www.anoopcnair.com/intune-scep-deep-dive-made-easy-with-joy-3/

How to find your AADCLIENTAPPID

Differences of Retire/Wipe/Delete/Fresh Start/Autopilot Reset in Intune Device Management

Intune: What is Retire / Wipe / Delete / Fresh Start / Autopilot Reset – Cloud Identity – Modern IT (karstenkleinschmidt.de)

Detection method to in SCCM via Intune

Deploy Configuration Manager Client through Intune, namely Autopilot… – Azure Cloud & AI Blog

Leave a Comment