How to Setup SCCM CMG in Virtual Machine Scale Set Model

In this post, let’s discuss how to set up SCCM CMG in the Virtual Machine Scale Set model. The VM scale set feature was first introduced in SCCM CB version 2010 as a pre-release feature. Starting in version 2107, it is a fully released feature. I would like to thank Vaishnav for writing and sharing this awesome post with the HTMD community.

CMG deployments with a virtual machine scale set support Azure US Government cloud environment from CB version 2111 onwards. The option to deploy a Cloud Management Gateway (CMG) as a cloud service (classic) is deprecated. From SCCM version 2203 onwards, you can use all CMG deployments with a virtual machine scale set.

In the SCCM console, you may get the above-mentioned Management Insights notification under “Deprecated and unsupported features” if your existing CMG is running in a cloud service (classic) deployment model. In that case you won’t get the conversion option; you need to create a new CMG VMSS and decommission/delete the classic service later.

If the existing CMG is in a custom domain, you will get an option to “convert” it into the virtual machine scale set model. In this article, I am going to explain how to create a CMG in the virtual machine scale set model if your existing classic CMG is in the Microsoft-owned domain (xxx.cloudapp.net).


Pre-requisite to Setup CMG in Virtual Machine Scale Set Model

Here are a few basic Microsoft-recommended prerequisites for creating a new Cloud Management Gateway VMSS.

  • A valid Azure Subscription is required to host CMG.
  • Azure AD site integration to deploy the service with the Azure resource manager.
  • Full Admin access in Configuration Manager console (Full or Infrastructure Administrator).
  • Service Connection Point must be in online mode.
  • The clients must use Internet Protocol version 4.
  • At least one on-premises Windows server to host the CMG connection point.
  • A management point configured to allow traffic from the CMG; this requires HTTPS or Enhanced HTTP.
  • CMG Server Authentication certificate.

What is Cloud Management Gateway (CMG)?

The Cloud Management Gateway provides a way to manage clients on the Internet without the need for a VPN connection to your on-premises network. It allows Configuration Manager clients to communicate with the Configuration Manager site system roles that are placed in Azure.

This is particularly useful for organizations with many devices outside their corporate network, such as remote workers or devices that frequently connect from different locations.

How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 2

Classic Cloud Services is Retiring

If you have a CMG with a cloud service (classic) deployment model, as per Microsoft’s recommendation you have to convert/migrate it to a virtual machine scale set model. Please find below the Azure notification screenshot that appears when the cloud service is in classic mode.

How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 3

Should your CMG’s service name be under the cloudapp.net domain, it is not possible to transform it into a virtual machine scale set.

For instance, if you have obtained a server authentication certificate from your internal PKI with a common name of xyzabc.cloudapp.net, you won’t be able to create a DNS CNAME to map this service name to the new deployment name in the cloudapp.azure.com domain due to Microsoft’s ownership of the cloudapp.net domain.

  1. Generate a fresh server authentication certificate from your internal PKI utilizing a new service name. It is advisable to employ your domain name instead of a Microsoft domain. For additional details, refer to the guidelines on utilizing an enterprise PKI certificate.
  2. Implement a new CMG as a virtual machine scale set, incorporating the newly acquired certificate.
  3. After clients have updated their policies to include the new CMG, proceed to remove the outdated CMG.
How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 4

How to Setup SCCM CMG in Virtual Machine Scale Set Model

Now we will see the steps to set up the CMG in the Virtual Machine Scale Set model using SCCM.

First, make sure the “Cloud management gateway with Azure VM scale set” feature is Turned On. To check that, navigate to Administration > Updates and Servicing > Features.

How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 5

Now we have to create a CMG web server certificate. If a web server certificate template is already available, request a certificate from your Configuration Manager site server.

If you don’t have a suitable template, create a web server certificate template on your CA server with the private key exportable option and proceed. Here I already have a web server template available. So, on the Configuration Manager server:

  • Open Run, type “certlm.msc” and hit Enter.
  • It will open the Manage Computer Certificate MMC for you.
  • Navigate to Certificates (Local Computer) > Personal, right-click and select All Tasks > Request New Certificate.
How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 6

You will get the Certificate Enrollment pop-up.

  • Click on Next to proceed further.
How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 7

In Select Certificate Enrollment Policy, leave it as default and click Next.

How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 8

Under the Request New Certificate option, select the available web server certificate template. Click on Configure settings and provide the required details for your certificate.

How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 9

Here I gave “vklabconfigmgrcmg.WestUS.CloudApp.Azure.Com” as a Common name.

How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 10

In Certificate Properties, check the Private Key exportable option while requesting a new certificate.

How to Setup SCCM CMG in Virtual Machine Scale Set Model Fig. 11

Once the enrollment is completed, export the newly created certificate to a local path.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 12

For client authentication, we also require a couple of certificates. Export your client’s Trusted Root Certificate. If your environment has an Intermediate Trusted Root Certificate, export that as well.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 13
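The certificate steps above (request from the web server template with an exportable private key, export the PFX, export the root and intermediate CA certificates) can also be done from PowerShell on the site server. This is an added example, not code from the original post; the CA config string, the template name 'WebServer' and the output folder are assumed placeholders to adjust for your environment.

```powershell
# Added example, not from the original post. Assumed placeholders: the CA config string,
# the template name 'WebServer' and the output folder. Run elevated on the site server.
$ServiceName = 'vklabconfigmgrcmg.WestUS.CloudApp.Azure.Com'   # CN/SAN must equal the CMG deployment name
$CaConfig    = 'ca01.vklab.local\VKLAB-CA'                      # placeholder: <CAHost>\<CAName>
$Template    = 'WebServer'                                      # placeholder: your web server template
$OutDir      = 'C:\Temp\CMG'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# certreq INF: "Exportable = TRUE" is what later allows the PFX export the CMG wizard needs.
@"
[NewRequest]
Subject = "CN=$ServiceName"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ServiceName&"
"@ | Set-Content -Path "$OutDir\cmg.inf" -Encoding ASCII

# Create, submit and install the request (if the template needs manager approval, -submit returns pending).
certreq.exe -new "$OutDir\cmg.inf" "$OutDir\cmg.req"
certreq.exe -submit -config $CaConfig "$OutDir\cmg.req" "$OutDir\cmg.cer"
certreq.exe -accept "$OutDir\cmg.cer"

# Find the issued certificate in the machine Personal store and check name and key before exporting.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ServiceName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$ServiceName" }
if ($cert.DnsNameList.Unicode -notcontains $ServiceName) { throw 'SAN does not contain the CMG service name' }

# PFX for the CMG wizard; prompt for the password rather than hard-coding it in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\cmg.pfx" -Password $pfxPassword | Out-Null

# Root and any intermediate CA certificates (DER .cer) for the CMG client authentication step.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$null  = $chain.Build($cert)
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    $name = (($_.Certificate.Subject -replace '^CN=([^,]+).*$', '$1') -replace '[^\w.-]', '_')
    Export-Certificate -Cert $_.Certificate -FilePath "$OutDir\$name.cer" -Type CERT | Out-Null
}
```

The resulting cmg.pfx is the server authentication certificate you browse to in the CMG wizard, and the .cer files are the ones imported under client authentication certificates.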

Now we can go ahead and create “Azure Services” from the Configuration Manager console > Administration > Cloud Services > Azure Services node. Give a Name and select the Cloud Management option > Next.

Note! Deploying the Azure services for Cloud Management enables Configuration Manager clients to authenticate with the site using Azure Active Directory (Azure Entra ID). You can also enable this tenant to discover Azure Active Directory resources.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 14

In order to integrate the site, it is necessary to create app registrations in Azure AD. For the CMG, two app registrations are required.

  • Web application (called a server app in Configuration Manager)

The Azure-hosted CMG components are represented by the server app. It outlines the Azure resources to which they have access. The purpose of the server application is to enable users, managed clients, and the CMG connection point to authorize and authenticate against the Azure-based CMG components. Initial CMG provisioning in Azure, Azure AD discovery, and traffic to on-premises management points and software update points are all included in this communication.

  • Native app (in Configuration Manager, referred to as client app)

The client app represents users and managed clients who connect to the CMG. It outlines the resources, including the CMG itself, that they can access within Azure.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 15

Give Web App (Server) and Native App (Client) Application Names, Secret Key Expire duration and login with an Azure AD Admin account.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 16

The Discovery page of the wizard is only necessary in some scenarios. It’s optional when you onboard the site to Azure AD, and not required to create the CMG. If you need it to support specific functionality in your environment, you can enable it later.

So, Enable Azure AD User and Group Discoveries based on your requirements.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 17

Enable Azure AD group synchronization. It also helps to automatically sync the latest data from Azure AD to the Configuration Manager console on a pre-defined interval.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 18

Log in to the Azure portal https://portal.azure.com/ and verify whether the AD apps are created successfully or not under the Microsoft Entra ID > App Registrations blade.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 19

Our prerequisites have been completed. Now we’re good to create the CMG. So, go back to the Configuration Manager console, navigate to the Administration workspace > Cloud Services > Cloud Management Gateway node, right-click and select Create Cloud Management Gateway.

The Azure environment will be in “Azure Public Cloud”.

Sign In with a user account having Global Administrator and Virtual Machine Contributor roles in Azure Subscription.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 20

Browse to the newly created web server certificate and select the region where you want to create the CMG resource group. You can either select an existing resource group in the same location or create a new one. If you are going with a new resource group, it’s better to give it the same name you have already given as the deployment name.

Note! Make sure the deployment name is unique; otherwise, the deployment may fail during resource creation.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 21

Provide the virtual machine size and number of instances. Only 3 sizes are available in Configuration Manager right now (the number after each size is the supported clients per VM instance):

  • Lab (B2S): 10
  • Standard (A2_V2): 6,000
  • Large (A4_V2): 10,000

Note! The Lab (B2S) VM size is only for small proof-of-concept environments and lab testing. It is not meant for production use with the CMG. The B2S virtual machines are cheap and underpowered. This size supports ten clients because the Configuration Manager technical preview branch only allows ten clients.

We can scale the VM size up or down at a later point in time. Then import the client authentication certificates (Trusted Root CA / Intermediate Trusted Root CA). If you select Verify Client Certificate Revocation, IIS on the VM instance also verifies client certificate revocation. In this example, I am not enabling that. If you didn’t originally enable this setting when creating the CMG, you can enable it after publishing the CRL.

Enforce TLS 1.2: the CMG enables this option by default and requires the use of the TLS 1.2 encryption protocol. Starting in version 2107 with the update rollup, this setting also applies to the CMG storage account. This enforcement applies only to the Azure cloud service VM; it doesn’t apply to any on-premises Configuration Manager site servers or clients.

Allow CMG to function as a cloud distribution point and serve content from Azure storage. The CMG enables this option by default. If you plan on targeting deployments with content to clients, you need to configure the CMG to serve content.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 22

Click on Next and reconfigure alerts based on your requirements. In this example, I am unchecking the “Stop this service when the critical threshold is exceeded” option and changing both the outbound data and storage alert thresholds to 500 GB.

The remaining settings are kept at their defaults. You can also change these values based on your requirements in the future.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 23

Click Next, re-verify the entire summary once before the CMG creation and click Next again.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 24

Analyse the deployment status from CloudMgr.log on the Configuration Manager server as well as from the Azure portal Activity Log.

Note! Default log path (e.g. C:\Program Files\Microsoft Configuration Manager\Logs\CloudMgr.Log)

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 25

Log in to the Azure portal; the Activity Log path is, for example, Resource Groups/vklabconfigmgrcmg/Activity log.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 26

A successful creation shows the status Ready and Configuration update completed in the Configuration Manager console.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 27

In the Azure portal, under the newly created resource group, you will be able to find the 7 resources that make up the cloud service:

(Virtual machine scale set, Key vault, Load balancer, Network security group, Public IP address, Virtual network, Storage account)

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 28

Also, verify the functionality via the Connection Analyzer option available in the Cloud Management Gateway node.

Navigate to Administration > Cloud Services > Cloud Management Gateway, right-click the newly created CMG “vklabconfigmgrcmg.WestUS.CloudApp.Azure.Com” and select Connection Analyzer.

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 29

Sign in with an Azure AD user ID and click Start. Here, all the checks have passed without any error. Now we can conclude that the new CMG virtual machine scale set has been configured successfully!

How to Setup CMG in Virtual Machine Scale Set Model using SCCM Fig. 30
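Besides the Connection Analyzer, you can check the published CMG endpoint from any Internet-connected Windows machine: that a TLS 1.2 handshake works, that the presented certificate carries the CMG service name and chains to a trusted root, and that an older protocol is refused as “Enforce TLS 1.2” intends. This is an added example, not part of the original post; it assumes the service name used in this post, which you should replace with your own deployment name.

```powershell
# Added example, not from the original post. Assumption: the CMG service name below is the
# one used in this post; replace it with your own deployment name.
function Test-CmgEndpoint {
    param([Parameter(Mandatory)][string]$ServiceName, [int]$Port = 443)
    $r = [ordered]@{ ServiceName = $ServiceName; Tls12 = $false; NameMatch = $false
                     ChainTrusted = $false; NotAfter = $null; OldTlsRefused = $false }
    # Accept any certificate during the handshake; it is validated explicitly below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

    function Connect-Tls([System.Security.Authentication.SslProtocols]$Protocol) {
        $tcp = [System.Net.Sockets.TcpClient]::new($ServiceName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($ServiceName, $null, $Protocol, $false)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose(); $tcp.Dispose() }
    }

    try {
        $cert = Connect-Tls 'Tls12'
        $r.Tls12    = $true
        $r.NotAfter = $cert.NotAfter
        # The presented certificate must carry the CMG service name as CN or SAN.
        $r.NameMatch = ($cert.Subject -eq "CN=$ServiceName") -or ($cert.DnsNameList.Unicode -contains $ServiceName)
        # The chain must end in a root this machine trusts; revocation is skipped here because
        # the internal CRL is usually not reachable from an Internet-side test machine.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $r.ChainTrusted = $chain.Build($cert)
    } catch { Write-Warning "TLS 1.2 handshake to $ServiceName failed: $($_.Exception.Message)" }

    # With "Enforce TLS 1.2" on, the CMG VM must refuse a TLS 1.1 handshake.
    try { $null = Connect-Tls 'Tls11' } catch { $r.OldTlsRefused = $true }
    [pscustomobject]$r
}

Test-CmgEndpoint -ServiceName 'vklabconfigmgrcmg.WestUS.CloudApp.Azure.Com' | Format-List
```

The OldTlsRefused result is only meaningful on a test machine that still allows TLS 1.1 on the client side; where the OS has it disabled, the handshake fails locally and shows as refused regardless of the CMG setting.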


Author

Debabrata Pati has more than 8+ years of experience in IT. Skilled in MEMCM, Azure, and Powershell. More than Six (6) years of experience in MEMCM (SCCM) administration, OSD, and Troubleshooting for the environment with more than 100K client devices.

2 thoughts on “How to Setup SCCM CMG in Virtual Machine Scale Set Model”

  1. Great walk-through, and it always helps when I need a reference. I’m reviewing a CMG VM Scale set at my current job. One thing I’ve noticed is that on the properties of the CMG and the “certificates” button, neither the Root Cert nor the Intermediate Certs are added. The box is blank. Are those certs needed for the sake of resolving the certificate chain? Are there potential impacts if those aren’t added? They’re not using internal PKI for the client cert, but using the SCCM self-signed cert. However, I’m trying to get them to utilize the workstation cert for security reasons.
