Systems Management

Building a ConfigMgr Lab from Scratch: Step 13 – Cloud Management Gateway (CMG) – Certs PreReq

Gary Blok
Published on: May 8, 2020
Topics: Systems Management

Receive notification right in your inbox whenever new content like this is released & sign up for our email list!

We’ll send you the latest updates, how-to’s, and solutions to empower you at every endpoint.

By signing up you agree to our Privacy Policy.

Building a ConfigMgr Lab from Scratch: Step 13

Cloud Management Gateway (CMG) – Certs PreReq

Hey, so I’m going back to working on my lab, and now I’m adding a Cloud Management Gateway (CMG). If you followed along, you’ll be all set for where I pick up.

Assumptions: you’ve got an Internal Enterprise CA setup, and you’ll use your Internal CA to support CMG and the required Certs needed.

See the Certificate Authority Post to help setup your CA if you haven’t done that yet.

I’ll also mention this is NOT the only way to setup CMG, you can do it without an Internal CA, and use a certificate from a 3rd party Certificate Authority, but I’m not going to cover that here.

Recommended reading and viewing:

Full disclosure, those are the three items I used to setup CMG, and I highly recommend them. So why continue? MS Docs are good, but I’m a visual guy and like to see the images. The Videos are great, but then you’ve got to get good at pausing videos and working through it. It’s just a matter of personal preference. I give credit to those three items for educating me to be able to create this content.

With that intro behind, let’s layout how we’re going to go through this:

  1. Create the Required Certificated needed (Lower in this This Post)
  2. Ensure Workstations are getting their Client Certificates [Lab Setup Post 14]
  3. Talk Pre-Reqs for Azure Portal
  4. Setup the Azure Connection in CM Console
  5. Confirm Connection in Azure Portal
  6. Start the CMG Setup in CM
  7. Confirm CMG setup in Azure

With that outline, let’s get started.

Create the Required Certificates needed

So, what Certificates are needed? [MS Docs]

  • Client Authentication Certs (on each of the client machines) [MS Docs]
  • Web Cert for CMG device. [MS Docs]
  • Root CA Cert

Client Auth Cert:

So hopefully you setup your CA, set the Client Auth Cert to Auto Enroll and all of your clients have the cert. For a good walk through, Justin has that on Video too: [YouTube @ 9:26]

You create a Duplicate of Workstation Cert, Name it what you want, then add Domain Computers to have Read, Enroll and Autoenroll security rights.

On the workstations, they auto-enroll and will get this after the next policy update:

Web Cert for CMG device:

Here you’ll make a duplicate of the Web Server Certificate, and setup a few things. Justin’s video does good job of explaining this too.

You’ll need to be able to Export the private key
Subject Name: Supply in the request: because we’ll need to specify that for the CMG

Here I’ve got it set to a group of servers, so I can enroll from any of those to create the cert to export.  Now on one of my webservers, I can request the cert:

Choose the CMG Cert, Add the DNS name. Either use the exact DNS name of your CMG or use a wildcard so you can specify it later during the setup. We’ll cover that more in a future post.

Now that we have it, we need to export it

Yes, export that private key!

Set a Password on your cert

Now then, save the cert pfx file for use when we setup the CMG stuff.

Root CA Export:

While there are several ways to get this, this is how I did it, since I was already here:

Certificate Authority Console -> Right Click on Server -> Properties -> General -> View Certificate -> Details -> Copy to file… -> Next

DER (.CER) is what we need.

Then Save it to a location.

One more thing we’ll want to do in CM is allow CM to use the PKI cert. [MS Docs]
Administration Node -> Site Configuration -> Sites -> Properties -> Communication Security Tab

Here I’ve checked the Use PKI when available, and then added the Root CA Cert

This cert and others will be used in other places, but this is getting long enough for now. Stick around for the next post.

Building a ConfigMgr Lab from Scratch Series

Series Introduction – Building a CM Lab from Scratch

  1. Setting up your Domain Controller
  2. Creating a Router for your Lab using Windows Server 
  3. Certificate Authority – On Domain Controller [Optional]
  4. ConfigMgr Server Pre-Reqs (Windows Features)
  5. Configuration Settings (AD & GPOs)
  6. Source Server (File Share)
  7. ConfigMgr SQL Install
  8. ConfigMgr Install
  9. ConfigMgr Basic Settings
  10. ConfigMgr Collections & App Deployment
  11. ConfigMgr OSD
  12. ConfigMgr Reporting Services
  13. Cloud Management Gateway (CMG) – Certs PreReq – You are Here
  14. Cloud Management Gateway (CMG) – Azure Subscription
  15. Azure Services Connection
  16. Setting up CMG in the Console
  17. Cloud Management Gateway (CMG) – Post CMG Config
  18. Cloud Management Gateway – Client CMG Endpoints

Trending Topics

Open-Source Third-Party Patching Solutions: What Admins Should Know 

Switching to a MacBook: A Windows Admin’s Guide

Right Click Tools Browser Extension: Beyond Intune 

CVE, Then and Now: Overview and Practical Integration with Application Workspace 

Related Resources

Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Series Intro

Gary Blok
Gary Blok
May 21, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 1 – Domain Controller VM

Gary Blok
Gary Blok
May 20, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 2 – Gateway Virtual Machine (VM)

Gary Blok
Gary Blok
May 19, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 3 – Certificate Authority

Gary Blok
Gary Blok
May 18, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 4 – ConfigMgr Server Pre-Reqs

Gary Blok
Gary Blok
May 17, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 5 – Configuration Settings (AD / GPO)

Gary Blok
Gary Blok
May 16, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 6 – ConfigMgr Source Share

Gary Blok
Gary Blok
May 15, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 7 – Installing SQL for ConfigMgr

Gary Blok
Gary Blok
May 14, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 8 – ConfigMgr Install

Gary Blok
Gary Blok
May 13, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 9 – ConfigMgr Settings Setup

Gary Blok
Gary Blok
May 12, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 10 – ConfigMgr Collections and App Deployments

Gary Blok
Gary Blok
May 11, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 11 – Operating System Deployment

Gary Blok
Gary Blok
May 10, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 12 – SQL Reporting Services (SSRS)

Gary Blok
Gary Blok
May 9, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 14 – Cloud Management Gateway (CMG) – Azure Subscription

Gary Blok
Gary Blok
May 7, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 15 – Azure Services Connection

Gary Blok
Gary Blok
May 6, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 16 – Setting up CMG in the Console

Gary Blok
Gary Blok
May 5, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 17 – Cloud Management Gateway (CMG) – Post CMG Config

Gary Blok
Gary Blok
May 4, 2020
Featured Image
Building a CM Lab

Building a ConfigMgr Lab from Scratch: Step 18 – Cloud Management Gateway – Client CMG Endpoints

Gary Blok
Gary Blok
May 3, 2020
Back to Top