Cloud Management Gateway with Sub CA – CTGlobal

The new Cloud Management Gateway is going to make a big difference in the way we manage endpoints away from home in the future. The feature is a System Center Configuration Manager 1610 pre-release feature. Being a pre-release typically means that a little troubleshooting is required to get the feature working in different environments. In my previous blog post I described an issue with the software update scan failing. The troubleshooting steps used in this blog post are similar to what I described there.

In this environment we have a PKI with a Sub CA, and as part of the certificate upload somehow the certificate chain was broken (and yes, there is a script that describes how to upload the cert).

Client errors

In this example the error message in ccmmessaging.log (on the Internet client) was:

Post to https://MyCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request failed with 0x87d00231.

A couple of things to check when this happens:

From a client, open IE and see if you can browse to https://MyCMG.CLOUDAPP.NET. If you get an error like 403, something is broken and you need to dig into the IIS log files on the Azure box. Enable remote desktop on the cloud management gateway, and open the IIS log files to investigate further. In this example the log file had several lines like the one below, which indicate the error:

2017-03-14 09:15:47 W3SVC1273337584 RD00155D81000 IPadr CCM_POST /CCM_Proxy_MutualAuth/72057594037928257/ccm_system/request - 443 – IP adr HTTP/1.1 ccmhttp - - 401 0 0 1589 3928 78

The next step in troubleshooting is to open the certificate manager snap-in and check the computer store. Here the CMG certificate should show a complete, correct certificate chain. As you can see in the illustration, the issuer of this certificate can't be found, and as such our trust is broken.

To fix the issue, copy and import your missing root certificate(s) to the Azure cloud management gateway server. The certificates are to be imported into the Intermediate Certification Authorities store. The correct way to get this done is by running the script as described in this blog post. If you upload the certificate manually it might be overwritten during maintenance of the virtual machine in Azure.

After that, check your ccmmessaging.log and you should see traffic flowing. Once again: VPN is not really the way forward in the world of modern device management.
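The two checks described above (401s on the mutual-auth path in the IIS log, then the certificate chain in the computer store) can be scripted on the CMG VM. This is an added example, not the script from the original post; the IIS log path and the service name MyCMG.CLOUDAPP.NET are placeholders to adjust.

```powershell
# Added example (not from the original post): triage the broken-chain symptom
# described above on the CMG Azure VM. Assumptions: the IIS log path and the
# service name 'MyCMG.CLOUDAPP.NET' are placeholders to adjust.
param(
    [string]$CmgDnsName = 'MyCMG.CLOUDAPP.NET',
    [string]$IisLogRoot = 'C:\inetpub\logs\LogFiles'
)

# Step 1: count 401 responses on the mutual-auth proxy path in the W3C IIS
# logs, using the '#Fields:' header so column order does not matter.
$hits = foreach ($log in Get-ChildItem $IisLogRoot -Recurse -Filter '*.log') {
    $fields = $null
    foreach ($line in Get-Content $log.FullName) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line -replace '^#Fields:\s*') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -like '/CCM_Proxy_MutualAuth/*' -and $row['sc-status'] -eq '401') {
            [pscustomobject]$row
        }
    }
}
"{0} request(s) to /CCM_Proxy_MutualAuth/* answered 401" -f @($hits).Count
$hits | Group-Object 'c-ip' | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name   # which client IPs are failing most

# Step 2: build the chain of the CMG server certificate from the computer
# store and name the issuer that cannot be found.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $CmgDnsName -or $_.Subject -like "*$CmgDnsName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $CmgDnsName in Cert:\LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # test chain completeness only
if ($chain.Build($cert)) {
    "Chain OK for $($cert.Subject):"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    "Chain BROKEN for $($cert.Subject):"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "  Missing issuer: $($last.Issuer) (import it via the upload script, not by hand)"
}
```

A PartialChain status with the Sub CA named as the missing issuer is the scripted equivalent of the "issuer can't be found" view in the snap-in.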

When to use SCCM in the cloud with a CMG

Microsoft System Center Configuration Manager remains a preeminent tool for system and device management across an enterprise, but it faces increased challenges for remote devices connecting through the internet.

Microsoft is improving System Center Configuration Manager (SCCM) to meet these remote management challenges, and the cloud management gateway (CMG) feature offers a convenient means of managing Configuration Manager client devices over the internet. IT can deploy CMG as a cloud service in Azure, effectively using the CMG as an SCCM management point in Azure.

The goal is to allow the public cloud to support roaming devices without the need for additional local infrastructure or the risks involved with exposing more local infrastructure to the internet.

Prerequisites for using a Cloud Management Gateway

Using SCCM through the cloud management gateway requires numerous infrastructure components -- both on site and in Azure. There are four principal local services that IT must have in place:

Management point: the system role that services normal local client requests for device management and reporting;

Software update point: the system role that services normal local client requests for software updates;

Service connection point: the system role that connects to Azure's cloud service manager component, which operates CMG deployment tasks. The service connection point also monitors and reports service health and log information from Azure Active Directory; and

CMG connection point: the system role that establishes a continuous, high-performance connection from the local network to the CMG service in Azure. This connection forwards endpoint client requests from the cloud to the local data center. The CMG connection point also communicates settings to the CMG such as connection information and security settings.

There are also two major components in Azure that desktop admins need in place:

CMG cloud service: This Azure service authenticates and forwards requests from System Center Configuration Manager to the local CMG connection point. This service is the Azure side of the CMG link; and

Cloud distribution point: This is responsible for distributing content to internet-based client endpoints.

This entire connection also depends on internet-based client endpoints connecting to the CMG. Certificate-based HTTPS keeps communication between the internet and client devices secure, while public key infrastructure (PKI) certificates or Azure AD provide the device identity and authentication.

Unsupported features with SCCM and CMG

The Cloud Management Gateway can be a versatile option for managing remote devices through SCCM, but it's not perfect. Although the CMG brings many SCCM features to the cloud, there are many SCCM functions that the CMG does not support. Some of the most notable examples of this missing support include the Configuration Manager console, client push, automatic site assignment and BitLocker.

Common use cases for SCCM in the cloud

There are numerous use cases for SCCM with CMG in the enterprise. For example, IT can manage traditional Windows 8.1 and Windows 10 client endpoints with a CMG joined to the enterprise domain through Active Directory (AD). In this example, PKI certificates encrypt communication between the enterprise and the endpoints. As an alternative, CMG can help IT admins manage Windows 10 client endpoints joined to the cloud domain through Azure AD. In this case, clients can authenticate through Azure AD directly and forego the use of PKI certificates.

Using either approach, IT administrators can accomplish a wide range of tasks such as rolling out software updates, implementing endpoint protection, determining endpoint inventory and status (also known as device health), enforcing compliance settings, distributing software to endpoint devices and handling Windows 10 upgrades. The use of Azure AD also allows administrators to distribute software to the remote user and not just the remote device.

Another use case for CMG and SCCM in the cloud is that administrators can install a Configuration Manager client on Windows 10 endpoints over the internet. This approach relies on Azure AD for device authentication to the CMG. CMG registers and assigns the client devices that connect in this case. IT can install the Configuration Manager client manually or through a software distribution platform such as Microsoft Intune. It's worth noting that Microsoft recently combined SCCM and Intune and rebranded the platform as Microsoft Endpoint Manager.

IT professionals could also opt for co-management when it's desirable to manage Windows 10 endpoint clients using a mix of both SCCM in the cloud -- with CMG -- and Microsoft Intune. In this situation, IT can configure existing client systems without CMG. For new devices, however, IT admins will need CMG, Azure AD, Microsoft Intune, Configuration Manager and Windows Autopilot. Co-management can add complexity to the environment, but it is necessary when an organization chooses to offload some management to the cloud or other specialized tools. Co-management can allow IT admins to handle Windows Server Update Services software updates as Windows Update for Business updates. Similarly, IT can address traditional Group Policy Object policies, security settings, SCCM software distribution and SCCM endpoint protection as Intune baseline policies, Intune security policies, Intune software distribution and Intune endpoint protection, respectively.

Cloud Management Gateway and Azure tags

I encountered this problem recently while deploying a CMG for a customer. Perhaps there was a better way for me to solve it but I'll explain the problem and how I worked around it.

I got this error when creating the CMG. On my first try I was creating the resource group in the wizard.

"Error occurred when granting Contributor permission to the Azure AD app for resource group xxxxx. For more information, see SmsAdminUI.log".

The error wasn't clear to me. I knew that I was using a Global Administrator account, which was also an Owner of the Azure subscription. I didn't really understand the problem until I looked at the logs.

In the Azure activity log I found this.

It told me that the resource I was creating was disallowed by an Azure policy that had been configured. The policy was called "Require a tag and its value on resource" and meant that resources could not be created in the subscription without tags and their associated values. I found the same text in the SmsAdminUI.log file. That makes sense. It's good for housekeeping, right?

However, ConfigMgr couldn’t create the resource group as there was a policy in place enforcing Azure tags, which I couldn’t configure in the wizard.

I figured that I should create the resource group manually and apply tags to it. However I got the exact same error when I re-ran the wizard.

I finally solved it and created the CMG by disabling the policy. Perhaps there was a more graceful way to solve it but it allowed me to continue.

Remember, in ConfigMgr, logs are your friend.
