How To Setup Cloud Management Gateway (CMG) in Microsoft SCCM to Manage Internet Clients
- Published Aug 7, 2024
- In this video guide, we will be covering how you can set up the cloud management gateway in Configuration Manager to manage clients on the internet. This guide covers essential aspects of CMG such as certificates, site system roles, Azure prerequisites, and much more!
Blog Post 👉 setupconfigmgr.com/how-to-set...
Introduction - (0:00)
CMG Vs. IBCM - (0:42)
Certificates needed for Cloud Management Gateway - (3:06)
Create Web Server CMG Certificate Template - (4:49)
Review Client Communication Settings - (6:41)
Request Server/Web Server Certificate for CMG - (7:26)
Export Internal Root CA Certificate to use in CMG - (9:43)
Allow Client to Use Cloud DP and CMG - (10:22)
Configure Azure Subscription - (10:58)
Give App Registrations Permissions in Azure - (13:41)
Create Cloud Management Gateway - (14:44)
Install Cloud Management Gateway Connection Point Role - (26:40)
Set Management Point and Software Update Point to Allow CMG Traffic - (27:40)
Distribute Content to CMG - (29:15)
Enable RDP for the Azure CMG Server - (31:09)
Verify Client Receives CMG Server for IBCM Management Point - (35:54)
Verify Client Notifications Work on Internet Client - (39:32)
Verify App Deployment Works from Internet Client using CMG - (41:31)
Verify Software Updates Works from Internet Client using CMG - (42:03)
Verify Hardware Inventory from Client Notification Channel Works - (44:10)
Wrap-up - (46:35)
#SCCM #ConfigMgr #CMG - Science & Technology
Please keep up the great work. I was waiting for a high quality channel for SCCM and it seems like I have found it. Subbed
Shloeb Thanks!
I've watched so many of your videos and they helped me so much I just can't leave without subscribing. Done
Thanks!
Just Completed setting up CMG for internet clients.
All working well software/inventory/updates deployments.
Thanks for Nice Explanations !!!! :)
Excellent!
Hi Varun, if possible, could you please help on the issue related with Client communication with CMG?
@@nirmalp1559 yes please, tell where you're stuck.
@@varunchitra3163 Have deployed CMG and enabled CDP. In our environment, we don't have any internet based clients. So we created one workgroup machine in Azure and made that as always internet and installed agent with the parameters "ccmsetup.exe /UsePkiCert SMSSITECODE=XXX CCMHOSTNAME=CMGSCCM.XX.COM/CCM_Proxy_MutualAuth/72057XX5940XXXXXXXX". Whether this is the right approach? or any specific parameter need to be checked? please suggest.. thank you
@@nirmalp1559 1. PC should have client authentication certificate for mutual authentication.
2. For first time device must be on intranet to fetch policies from GPO and SCCM and then switch to internet.
3. Locationservices.log should have success message with MP and SMS_CLOUD_PROXYCONNECTOR.log on site server will show success communication with CDP.
Thanks Justin. Great video
Thanks for watching!
Amazing video, thanks!
Thanks for watching
Thank you tremendously for these so-very-helpful videos. You turn Microsoft's sorely-lacking text documentation and turn it into something that's actually useful and much more comprehensible.
One request: These awesome videos would be even awesomer if we could see the bar at the top of your screen that indicates which computer we're looking at. You move very quickly and sometimes it's hard to tell whether we're looking at a client, a server, and/or which server. This vid was not so hard to follow in that aspect, but the one for setting up HTTPS/PKI got a bit tricky to keep up with. I realize that maybe your recording tool doesn't allow for that but I know it can be done because the videos that PolicyPak records (also awesome) does show that bar at the top.
Good feedback, I will think about adding the bar in next video
great video!
Glad you enjoyed it
This is one of the best videos on CMG I have ever come across. Thanks for the great job on making it. Just one Question may be a scenario what happens if a client with a valid client authentication certificate Hybrid joined to AAD goes out to internet and then the certificate expires?. It would start communicating over modern auth or stops communicating to CMG itself?
I believe AAD devices auto-renew their certs.
Awesome video!
If you have a new Azure subscription in Australia, raise a case with support and request access to AustraliaEast or AustraliaSouthEast, AustraliaCentral (which is the default for new subs) does not work and is not an option when provisioning your CMG! We had to create a new sub as our CSP was not able to provision us the Cloud Service (Classic) required for CMG
Thanks for the tip!
Hey Justin, great video. I have the CMG setup as well as a CDP (I'm on 1802) and they seem to work great and the steps were the same as the ones you took in your video. We used a public cert, but other than that identical. I do have a question, and that is if you will be making a video about co-management with Microsoft Intune? I currently have it setup in my environment but I like watching your videos to validate what I have done.
Tyler Fleming I do plan to do some co-management videos soon I might do a few Imaging ones before that though
Great video! Will the Software Update deployments need to have the "...download from MS updates" and "Allow clients on a metered Interconnection..." boxes checked on the Download settings tab?
No, when internet facing that checkbox shouldn't matter.
Thanks for the great video. I have a question on configuring CMG. Do we definitely need OWNER and CO-ADMINISTRATOR credentials on azure to configure CMG or just OWNER credentials is enough?
I believe just owner is needed.
Thank you Justin for the wonderful Video, Will CMG be Configured on Non PKI infrastructure as we have Azure AD Sync.
Nice
Hi Justin like always very informative video. I had a quick question currently I am working in sccm 1702 version which is quite different from 1802. Can you please suggest any documentation while doing configuration with 1702
Gaurav Jain are you moving to 1802 anytime soon. It's certainly simpler to setup in 1802 and 1806.
I just finished watching video # 3 , it was great , I do have a question. In this video the "Trusted Root Certificate Authorties" have been selected where in the prior video it was not set, any guidance on setting that up would be great ..thank you
That was my root certificate authority from my internal PKI
Hey Justin,
Thanks again! Informative video. I currently have IBCM in my environment. If I want to transition to CMG, should I just go ahead? I mean will the clients need to be reconfigured or will they now automatically connect to either the IBCM or the CMG when they are on internet. I am guessing that they would automatically choose one. And with the course of time after analyzing costs of CMG, I can shutdown my IBCM so that clients only connect to CMG moving further. Is my understanding correct?
Sorry for the delay did you switch over ok?
Hi Justin, thanks for a very informative video. I have a question if you could answer. I have two environments, one with sccm and other with intune. Both are separate environments and now I want to setup Co management. With this i want the currently managed intune devices to be part of sccm(specifically for reporting purpose) and all on-premise devices should not be part of intune after setting up of co management. Do you know how can I achieve this?
Hey! Yeah, I think co-management could do this for you docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview. TBH, I haven't dug that deep into co-management yet. I have it on the list of things to do and a future video. Hopefully, that documentation may be helpful for you until I dig a bit deeper and do a video.
Hi Justin, great video. One thing I am missing is how to rollout the configmgr agent to Azure AD clients.
Hoping to do some co-management and enrollment soon.
@Patch My PC I'm trying to get it to work but my logs fill up with ssl and certificate errors. Eventually the installation of the clients fails with error code 0x87d00455
Followed this guide: www.scconfigmgr.com/2017/11/30/deploy-configmgr-client-to-aad-device-from-intune/#comment-78523
Internal (AD Joined) device connect to the CMG with no issues. So it should be something to do with a missing certificate I believe.
Just got my breakthrough! Somehow I forgot to add distribution point groups to the CMG DP role.
Nice!
Hi Justin. Thanks for the videos. I can't count the number of times I've referred to them. I have a question regarding the wizard when creating the CMG. I noticed in SCCM 2010 the Azure Resource Manager option has been replaced with Virtual Machine Scale Set. I understand this option should be used if I have a CSP subscription for Azure. Do you know if this option should only be used for that case? Does it matter if I use it and don't have a CSP? Is it preferable to use one vs the other? I'm trying to stand up my first CMG and I've done a lot of research on this but haven't been able to find a solid answer. Thanks in advance.
Unfortunately, I actually haven't played around with this newer option so I'm not sure
This video is so helpful and detailed, thanks. Can we host all the cmg roles along with MP/SUP on a different site server as my primary site's MP is http?
The mp would need to at least use ehttp
So can I add another MP(new site server) as ehttp or https?
@@garimaprakash4254 You could add a new site system with MP role yes.
Thanks !
You mention a video regarding PKI certificate for the client cert. I can't seem to find it anywhere. If we have a CA server configured in our environment, how do we generate the cert needed for the clients during the setup of the CMG?
Hey David, This would cover the PKI setup if you go that route. ua-cam.com/video/nChKKM9APAQ/v-deo.html
Hi Justin, thank you for the very helpful video tutorial. I have configured my test environment as per instructions in the video. I can target application and have them installed on internet-facing client which is fantastic. However I have an issue where domain joined computers that are on the internet will not receive Windows software updates or PatchMyPC third-party updates. What I have noticed in the video, the clients would retrieve the content for Windows updates from MS CDN. However in my case, the LocationServices.log indicates the WSUS path is pointed to the FQDN of CMG proxy server in Azure. Obviously I don't have SUP role configured on CMG server in Azure therefore the updates won't be available to install. SUP is configured on the Primary server on-prem for intranet clients. Any idea how this can be fixed? Any help would be much appreciated. Thanks
Third-party updates should work fine over CMG, are you still having issues?
Tx
You're welcome!
Hi Justin, in the video at timeline 14:02, you mentioned to go into "Settings" and "Grant Permissions". However I can't see the Settings --> Required Permissions --> Grant Permission in the latest Azure console. Can you please help?
Did you get this figured out?
Hi Justin,
Can you please provide a video on BitLocker Management via SCCM current branch as well?
I will keep that in mind for future videos
At 29:05 when you enable the Software Update Point, does that require SQL and WSUS to be installed on that server?
The SUP was already installed. You would need to enable CMG access
Can a CMG be used to deploy/enforce BitLocker policies for internet based clients? We currently use a combination of Configuration Items/Baselines for deployment to domain connected devices.
Wouldn't those CI's also work for internet clients? It may depend on how you store keys.
Hi Justin, Thanks for the great video really very informative. I am also in the process to set up a CMG in a dev environment. Currently I have installed the CMG site role to an on premise server and it shows as ready state however the connection point shows disconnected. Now as I understood from MS documents that port ( 443 and 10124) needs to enabled from site system CMG connection point and Azure CMG. Now my question is port ( 443 and 10124) should enabled should be b/w on premise site server with CMG and Azure CMG server ( i.e. IP of the xxx.cloudapp.net) . Please correct me if I am wrong. Also 443 ports b/w client and Azure CMG server ( i.e. IP of the xxx.cloudapp.net).
Sounds correct to me, have you happened to see this one: docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway#ports-and-data-flow
Thanks for the video!
I am going to try my luck and ask the question here,
We're using SCCM in a multi-tenant way. We have a CAS with 2 Primary sites, one for our own usage and one for our customers. The primary sites are configured in our own domain. We have a one-way trust with the domain of our customers.
We've setup a MP and a DP in our customers domain and configured the boundaries so that their devices connect to their own MP. This server connects to the Primary Site in our own domain.
Since the whole pandemic hit we are currently looking into using CMG so that SCCM will still connect to machines outside of our Intranet.
Now to the question:
Is it actually possible to make use of CMG's in the construction described above or should we think of making a primary site for each customer?
I'm not actually sure about this one, sorry. The docs may have some info.
@@PatchMyPC Thanks for taking the time to try answering the question.
As far as I understand so far from the docs it is only possible to have 1 tenant per Primary Site. So yeah, we need to change up the design a bit.
Hey, thanks for the wonderful guide! I was wondering how did you set it up so the devices get auto approved? I know how to do this for domain joined devices, but can't seem to get it working for CMG devices since they are WORKGROUP devices.
Workgroup? Did you join the devices using Azure AD?
@@PatchMyPC Yep these aren't domain joined devices. Just Azure AD devices via Intune.
@@mukmusicdiary Hi Mark, Did you ever find a solution for your workgroup PCs? I have a large number of laptops in the field that are in workgroups and cannot be domain joined for various company policy related reasons. I would like to see if I can manage them via CMG, primarily for patching purposes as it seems to be easier than forcing the users to connect to our VPN environment to allow the SCCM client to communicate with our SCCM infrastructure. I've been doing a lot of research and cannot find a definite yes or no if a CMG can manage these types of machines, and if yes, how to do it. Everything I read appears to assume the clients are all domain joined. Thanks
Token-based auth will make workgroup machines very easy ua-cam.com/video/e5QSv1Yna6M/v-deo.html
Great video, got me most of the way there.
My CMG is set up, connection point is connected, and I see my CMG MP clients in the Cloud Management section of the Monitoring section. But I have an issue...
My issue is when I open software center on my CMG MP managed machine it eventually crashes and says that it can't be opened.
Any pointers on where I should start to troubleshoot, like log wise? I looked in the location services log and I can see where it's trying to contact my cloud app, it states that there's a certificate problem, but I've confirmed my root and intermediate certs are valid.
What's ccmmessaging.log say on the client?
@@PatchMyPC , this is pretty much it repeating over and over...
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:XXXXXXXXXX";
DateTime = "20190211185607.596000+000";
HostName = "servicename.CLOUDAPP.NET";
HRESULT = "0x87d0027e";
ProcessID = 10368;
StatusCode = 515;
ThreadID = 9224;
};
CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408)
Successfully queued event on HTTP/HTTPS failure for server 'servicename.CLOUDAPP.NET'. CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408)
Post to servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request failed with 0x87d00231. CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408)
[CCMHTTP] ERROR: URL=servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request, Port=443, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300)
[CCMHTTP] ERROR INFO: StatusCode=515 StatusText=Upstream Certificate is untrusted or expired CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300)
So I checked Azure and noticed that there was in fact an expired intermediate cert in the certificates section of the application. I deleted it and resynched the CMG. Still, however getting the error.
@@PatchMyPC Ok, so it boiled down to a few things...
1. There is a bug in 1806 that does CRL checking even if you tell it not to. Apparently this is workaroundable in 1810 (you have to create a reg key)
2. Our published crl was expired. We had to fire up the root ca and renew it
3. Our MP was hanging on to Internet config settings for proxy from a bygone era. Once we fixed that issue, everything magically began working. The values in the following key is where they were. We deleted them, rebooted and it got the correct config: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
this article helped as well: community.spiceworks.com/topic/1567165-can-t-remove-proxy-settings-windows-7-server-2012-r2-domain-help
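The log excerpt in the thread above pairs a `[CCMHTTP] ERROR` line with an `[CCMHTTP] ERROR INFO` line on the same thread ID. The following is an added example, not code from the video or from any commenter: it parses lines in the copied layout shown above (an assumption; the on-disk log file is wrapped differently) and groups CCMHTTP failures per host. All function and variable names are hypothetical, and the follow-up checks listed are only the ones the commenter reported.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three lines copied from the thread above, in the
# "<message> <component> <date> <time> <thread> (<hex>)" layout they were pasted in.
SAMPLE_LOG = """\
Post to servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request failed with 0x87d00231. CcmMessaging 2/11/2019 1:56:07 PM 9224 (0x2408)
[CCMHTTP] ERROR: URL=servicename.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037958067/ccm_system/request, Port=443, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300)
[CCMHTTP] ERROR INFO: StatusCode=515 StatusText=Upstream Certificate is untrusted or expired CcmMessaging 2/11/2019 1:57:18 PM 8960 (0x2300)
"""

# Splits a pasted line into message, component, timestamp and thread ID.
LINE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<component>\S+)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)\s*$"
)
HTTP_ERROR = re.compile(
    r"\[CCMHTTP\] ERROR: URL=(?P<url>[^,\s]+), Port=(?P<port>\d+),.*?Text=(?P<text>\S+)"
)
HTTP_INFO = re.compile(
    r"\[CCMHTTP\] ERROR INFO: StatusCode=(?P<code>\d+) StatusText=(?P<text>.+)"
)

# Follow-up checks taken from the commenter's own resolution in this thread,
# not from Microsoft documentation.
THREAD_CHECKS = (
    "expired intermediate certificate in the Azure application's certificates",
    "expired published CRL",
    "stale proxy settings on the management point",
)


def _host(url):
    """Return the lower-cased host part of a URL, with or without a scheme."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()


def _record(when, host=None, port=None, error=None):
    return {"time": when, "host": host, "port": port, "error": error,
            "status_code": None, "status_text": None,
            "cert_related": False, "checks": ()}


def ccmhttp_failures(text):
    """Pair each CCMHTTP ERROR with the ERROR INFO that follows on the same thread."""
    pending = {}   # thread ID -> ERROR record still waiting for its ERROR INFO
    failures = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # multi-line event bodies and unrelated text
        tid = m["tid"]
        when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        err = HTTP_ERROR.search(m["msg"])
        if err:
            if tid in pending:  # earlier ERROR never got its INFO line
                failures.append(pending.pop(tid))
            pending[tid] = _record(when, _host(err["url"]),
                                   int(err["port"]), err["text"])
            continue
        info = HTTP_INFO.search(m["msg"])
        if info:
            rec = pending.pop(tid, None) or _record(when)
            rec["status_code"] = int(info["code"])
            rec["status_text"] = info["text"].strip()
            if "certificate" in rec["status_text"].lower():
                rec["cert_related"] = True
                rec["checks"] = THREAD_CHECKS
            failures.append(rec)
    failures.extend(pending.values())  # ERROR lines at end of input without INFO
    return failures


def summarize(failures):
    """Count failures per (host, HTTP status code)."""
    return Counter((f["host"], f["status_code"]) for f in failures)


if __name__ == "__main__":
    for f in ccmhttp_failures(SAMPLE_LOG):
        print(f["time"], f["host"], f["status_code"], f["status_text"])
        for check in f["checks"]:
            print("  check:", check)
```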
Hi Justin. If I have eHTTP enabled and not PKI is it the same steps?
It should be similar, the MS Docs do cover eHTTP pretty well.
In the CMG setup is mandatory to use public issued certificate?
No, but usually the easiest option since the CRL is already public.
Hello, Our Primary site server is not considered a DP or MP. Should I be deploying the CMG connection point service on the MP or MP's or does it not matter? We have multiple MP's for redundancy
Thank you!
Doesn't really matter, you can also have multiple connection points I think
@@PatchMyPC ok. Yes correct you can have multiple points. Thanks
I know this is late in the game but, do you need to configure HTTPS on all your management points and Software update point and what Client PKI do I need to deploy to my users first before enabling this? Also I've noticed that you configured this by right clicking on the Management role, I've seen other articles stating to go to "Configure site components" what is the difference? Thank you in advance.
management points and Software update point
No, just the one CMG talks to.
Client PKI do I need to deploy to my users first before enabling this?
It depends, clients can use PKI, Azure AD, or Bulk token for CMG.
Hi Justin, I really appreciate all your setup videos. I am running CB1910 and currently have IBCM deployed and have just set up Cloud Management Gateway with DP. Our VPN is configured with split tunneling and on-prem DP's are blocked through the VPN tunnel, so users need to end their VPN connection to receive content. CMG was set up allow content to be received by remote clients whether or not a VPN connection is established. I am having an issue receiving content when VPN is connected. The Internet-based management point in the ConfigMgr client properties is the CMG. I have created a VPN Boundary Group with the CMG and the VPN IP range boundary. The CMG is shown as the assigned management point in the client properties. "Prefer cloud based sources over on-premise sources" is enabled. In the cas.log file after the ContentLocationRequest is, No reply received, Failed to create Location Request Message body and GetLocationSyncEx3 failed with error 0x80004005. Can IBCM and CMG coexist? Do you have any thoughts what may be causing the issue? BTW, the content has been distributed to the CMG DP. Thanks in advance for any insights you may provide, John
I think probably one or the other would be the best approach.
As per Microsoft all the internet-based clients will get the software update content from Windows Update. This update content download (from windows update) will use local internet which will choke the low bandwidth sites. If we are going to force all datacenter to use CMG - will branch cache or Peer cache or any other caching technologies work with CMG within datacenter to share the content? Or can we redirect the software update content download from local DP( if we setup local DP) instead of going to Windows update, so that local client will get the content from local DP? If yes, I assume we can use existing on-prem data center Primary Server to setup CMG for Servers in datacenter.
Thanks for the input.
@ about 14 minutes in the video you grant access to the client and server app. Does this still need to be done. The Azure environment looks a bit different now.
It may look slightly different now, but I think this process should still apply unless there's been improvements to do this automatically.
I just deployed on MECM 2006 and it was all done for me.
Silly question- but do I need to have our on-prem set to HTTPS before being able to fully utilize this feature?
To securely forward client requests, the CMG connection point requires a client authentication certificate that corresponds to the server authentication certificate on the HTTPS management point.
>>> If clients use Azure AD authentication, or you configure the management point for Enhanced HTTP, this certificate isn't required. For more information, see Enable management point for HTTPS.
Note that HTTP over internet to a MP is not possible, while HTTP over internet to a DP is possible.
You have a few options for how certificates can be used with CMG docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway
Do we need to create any internal Cname entry for cloudapp.net in local DNS.
Shouldn't need to
Hey, I have everything configured in SCCM and Azure however my connection point stays disconnected and the following error in SMS_Cloud_ProxyConnector.log: Failed to build TCP connection and there is no firewall. Any idea?
Hmm, not sure about that one.
Hi Justin, what if the machines already left the on-premises network? Can the CMG manage these machines? How do the SCCM clients get the updated internet-based management point (FQDN)?
No, you would need to touch those devices because they can't get the CMG policy.
@@PatchMyPC so CMG policy should be updated on these devices before going outside network . Any workaround to update cmg policy for these devices ? Pls help me.
Question - in my SCCM console (running version 1810), under Administration > Cloud Services, I don't have any "Cloud Management Gateway" option. Cloud Distribution Points is there, but no CMG??
Do you have the service connection point enabled in the site and is "Cloud Management Gateway" enabled/on in the Updates and Servicing > Feature node?
@@PatchMyPC ah, the U&S > Feature was turned off. That did it! Thanks!
@@PatchMyPC Ok, one other question as I have this thing 99.999% done. I've got the CMG all setup successfully and am able to distribute content/RDP/etc. The only thing I can't get is my clients are not picking up the CMG as a management point. I've done Machine Policy & Retrieval and restarted SMS service several times, but watching the log the only one it ever picks up is my primary on-prem management point.
(PS: I know you don't really make any money answering questions from novices like myself on UA-cam, so if you happen to have a paypal or place to accept donations as appreciation for great content like this, please let me know and I would be happy to send some $$ your way!)
@@gsmegaphone Can you post clientlocation and locationservices from the client?
@@PatchMyPC Just FYI, I got this working. I had to turn OFF "Allow configuration manager cloud management gateway traffic" on the MP, wait about 10 minutes, turn it back on, and voilà, it started working. So something must have just gone screwy when the MP reinstalled itself the first time. Thanks for your help as always.
Has anyone tried Azure free acct.? Do they automatically charge after 30 days if you forget to cancel?
Did you get this figured out?
Hi Justin,
Just quick question if I have two MP in our environment. Both must be run over https?
Only the one with CMG connections need it.
@@PatchMyPC do you believe after enhanced http released still need to switch MP or SUP to https to enable CMG
@@ehabgalal9181 You can use EHTTP for MP docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http
Hi Justin, Gday!! Could you please help me on this "Failed to create client App. Server app might not be present in the tenant specified" I am the global admin for my Azure account or can you share a link from where I can resolve this.
You may want to try to build the app in Azure directly in this case.
@@PatchMyPC thanks !!
Is it possible to migrate to Cloud Service (Extended Support)?
I'm not sure about this one. There may be some info on the MS docs though.
Hi Justin,
Need one help. I have configured the CMG using the wildcard certificate issued by the public CA. We don't have PKI in our environment so which certificate I can upload in client authentication ?
My wildcard certificate is both server authentication and client authentication however if I am trying to upload it in client authentication certs, its giving me warning that cert is not having valid root. ☹️
Please suggest... Thank you in advance.
You would need to upload the root CA (.cer file) for your PKI in the CMG properties.
@@PatchMyPC Thanks a lot. I have one small doubt... Our public cer has one intermediate CA and one Root CA. If I understand correctly, I need to export that Root CA and upload it to CMG properties under client authentication certs.
I have configured my MP to allow SSL traffic on SCCM self signed certificate (enhanced http feature) so my primary site server is having the self signed cert in IIS.. will that be any issue ?
@@SHAKTI4601 You would include both certs then for the root and intermediate.
@@PatchMyPC Thanks a lot. Finally my CMG has started working. I had to import the certificate on client to make it work. I thought if it's issued by public CA, we don't need to import it on client machines..
I think some of my issue is Azure has changed a fair amount, I got past my previous issue by manually creating the web / native apps. Now I have an issue when trying to create the management gateway, I am getting an error "a valid Azure AD app is required. please deploy the azure service for cloud management first" Trying to find a way around this but everything I find is outdated.
Are you all good here?
@@PatchMyPC Could you please help, I am still stuck there. No idea why.
You have forgotten in previous certification video how to add ROOT CA that I see you seems to have to provided Root CA, could you give some clarity on it,
This would be the root ca certificate for an Internal PKI
My CMG connection is showing partially connected how to troubleshoot that?
You can run the troubleshooting wizard.
We don't have Azure AD authentication in our infra. All are on-premises systems. We are planning to use third-party certificates. Do we need to get the client authentication certificate from Third-Party certificate providers? We are going to use the EHTTP option. Any suggestion on this
What third-party are you using? So you aren't going to use AD Certificate Services?
We are using your product Patch My PC thank for your response
@@PatchMyPC we are using Patch My PC. We configured with third party wild card certificate and everything works fine. Published the 7zip update, it's shown up in the Software Center but when I click download content download failed. Content is present in the cloud DP. CAS log showing cloud DP path
@@mohananaidu4627 let me know if this helps patchmypc.com/third-party-update-considerations-with-cloud-management-gateway-cmg-in-sccm
@@PatchMyPC thank you Sir. I will go through the video
We are having SCCM 1902 and configured CMG
So
Can we install sccm client in workgroup machines in CMG? (machines which are not in Azure AD but connected to internet)
Actually these are laptops which connect to the internet via data card and are not in the domain, we are using PKI certificate for authentication but facing error while installing sccm client on these laptops
Please suggest
You can but it's more complicated. ConfigMgr 2002 will make it easier ua-cam.com/video/e5QSv1Yna6M/v-deo.html
I have a tenant ID in Azure, I don't have a subscription and that's my problem
You figure this one out?
Thank you for your helpful video. I'm getting stuck at the CMG setup creation. Do you have to wait 24 hours for the "CNAME" to replicate across, I named mine "sccmclient.sccmXXXXX.net" which would redirect to sccmclient.appnet.net?. Do I need to configure anything on my local IIS Server? Many Thanks for your assistance.
Jazz: how were you able to Grant Permissions?
As far as your query is concerned: No, you don't need any configuration on your local IIS
@@ShehzadKhan-yk3pb I still cannot get this right. Failed at provisioning. Here is my log info from cloudmgr.log.
ERROR: Resource Manager - Failed to list keys for storage service clientsccm with status code NotFound. Check [Monitor/Activity log] on Azure Portal for more information~~
Did you figure this one out?
Hi Justin, Thanks for sharing this video. I have one quick query and need your support. My Active Directory Domain is for example xyz.com for all domain joined machines, but my SSL certificate domain is xyz.co.in , so can I add Wildcard certificate of xyz.co.in in CMG? Please need your support.
adding another point: The Wildcard certificate of xyz.co.in will be from Digicert
It should be the public DNS name
Anyone had the error "Failed to create client App. Server app might not be present in the tenant specified" I am the global admin for my Azure account and have many other services/apps/vms running without any issues. This is the step where you create the server app. Thanks!
Thanks for the tip
hello team @patchmypc, i have a question regarding the CMG web server certificate. In your video, you opted to use a cert from a public CA, which is what i'm planning to do as well because even though i have an internal PKI setup, i don't have an externally available CRL site. My question is will there any issue for me doing that (using a CMG web server cert from a public CA) considering i have already setup SSL communication between my SCCM servers and SCCM client using my internal PKI? which by the way, i have followed the instructions from your SSL video ua-cam.com/video/nChKKM9APAQ/v-deo.html&ab_channel=PatchMyPC
No that scenario should still work fine where you have a public certificate for your CMG and internal for your site systems and servers
@@PatchMyPC Thanks, I got my CMG setup successfully following your video.