A few months back I was setting up SCCM IBCM with AWS EC2s. However, as our management only wants one-way communication from our corporate network to the DMZ, and the SQL database push-based replication failed during the setup (I opened a case with Microsoft, and they directly told me that a one-way communication setup for SCCM is not possible), I had to switch to Microsoft's new Cloud Management Gateway – SCCM CMG.

Here is an old article I used to set up the SQL push-based replication, and apparently it didn't work.

So now I switched to the SCCM CMG configurations.

The first thing to know is the different client authentication methods available with CMG:

1. PKI Certificate

This method is recommended by Microsoft. Each client has a unique certificate issued by the internal CA, and it works on all Windows clients.

2. Azure AD

Clients are joined to Azure AD. Only Windows 10 devices are supported in this setup. However, it supports both users and devices.

3. Site Token

Supports all Windows clients and is best suited to environments that don't have a PKI infrastructure. The site token is valid for 3-5 days.


About the Client Authentication and Authorization choices:

Azure AD device registration error codes

Differences of Co-management, Hybrid Azure AD joined and CMG

Digging into Hybrid Azure AD Join

Troubleshooting Hybrid Azure AD Join

Troubleshooting hybrid Azure Active Directory joined devices

Azure AD – Hybrid Device Join (HDJ) Status – Pending

Install and assign Configuration Manager Windows 10 clients using Azure AD for authentication

Token-based authentication for cloud management gateway

CMG token based authentication with ConfigMgr 2002

How to setup Cloud Management Gateway with Enhanced HTTP

Intune SCEP

How to find your AADCLIENTAPPID

Differences of Retire/Wipe/Delete/Fresh Start/Autopilot Reset in Intune Device Management

Intune: What is Retire / Wipe / Delete / Fresh Start / Autopilot Reset – Cloud Identity – Modern IT

Detection method to in SCCM via Intune

Deploy Configuration Manager Client through Intune, namely Autopilot… – Azure Cloud & AI Blog

How to manually create SCCM CMG Server App and Client App in Azure:

Importing Apps to set up Cloud Management Gateway (CMG) for Configuration Manager
