The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients over the internet.
In the previous post, we discussed the server authentication certificate requirements for CMG. In part 3 of the SCCM CMG setup guide series, we will discuss the SSL configuration for the SCCM site and the client authentication certificate requirements.
Posts in this series:
- Part 1 | Cloud Management Gateway (CMG) Setup Guide
- Part 2 | Issue, Enroll & Export Server Authentication Certificate
- Part 3 | Configure SCCM Site for SSL
- Part 4 | Integrate Azure Active Directory with ConfigMgr
- Part 5 | Setup Cloud Management Gateway
- Part 6 | Validate CMG Health & Client Communication
Deploy Client Authentication Certificate for ConfigMgr Clients
A client certificate is required on any computer that needs SSL communication with the Configuration Manager HTTPS Management Point or SSL Software Update Point.
A client certificate is also required on any computer that will be managed via the cloud management gateway (CMG) and is not Azure AD or Hybrid AD joined. It is also required on the server that will host the cloud management gateway connection point.
Follow the steps below to issue and auto-enroll a client authentication certificate for Configuration Manager clients. We will issue the certificate from Microsoft Active Directory Certificate Services (PKI) and use Group Policy (GPO) to auto-enroll the certificate on all domain computers.
Issue and auto-enroll client authentication certificate for SCCM clients
- Issue Client Authentication Certificate
- Configure Client Authentication Certificate Auto Enrollment
- Export Trusted Root Certificate
Note: The certificate exported in the last step will be required during CMG setup.
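To confirm that auto-enrollment worked on a domain computer, the following check lists the machine certificates that carry the Client Authentication EKU and tests whether each one has a private key, is within its validity period, and chains to the root certificate you exported. This is an added example, not part of the original post; the function name and the path in the usage comment are placeholders, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the original post). Function name and file path are hypothetical.
function Test-ClientAuthCertificate {
    param(
        [Parameter(Mandatory)]
        [string]$RootCerPath   # the trusted root .cer exported in the last step
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath
    $now  = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Keep only certificates whose EKU extension lists Client Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { return }
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $clientAuthOid) { return }

        # Build the chain. Revocation is not checked here: this verifies the
        # issuing chain only, so it also works without CRL access.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built     = $chain.Build($cert)
        $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        $rootMatch = $chainRoot.Thumbprint -eq $root.Thumbprint

        [pscustomobject]@{
            Subject              = $cert.Subject
            Thumbprint           = $cert.Thumbprint
            NotAfter             = $cert.NotAfter
            HasPrivateKey        = $cert.HasPrivateKey
            TimeValid            = $timeValid
            ChainBuilds          = $built
            ChainsToExportedRoot = $rootMatch
            Usable               = $cert.HasPrivateKey -and $timeValid -and $built -and $rootMatch
        }
    }
}

# Usage (placeholder path):
# Test-ClientAuthCertificate -RootCerPath 'C:\Temp\TrustedRoot.cer' | Format-List
```

No output means no client authentication certificate has been enrolled on the computer yet; a row with ChainsToExportedRoot set to False means the certificate was issued by a different CA than the one whose root you exported.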
Configure Management Point for HTTPS
The cloud management gateway (CMG) requires an HTTPS management point for secure communication. You need at least one management point in HTTPS mode in your hierarchy to support internet-based clients through CMG.
If you don’t have an HTTPS management point in your ConfigMgr hierarchy, follow the article below to configure one before going ahead with the CMG setup.
Configure Management Point for HTTPS | SCCM | ConfigMgr
Configure Software Update Point for SSL
The cloud management gateway (CMG) requires an SSL-enabled software update point to support internet-based clients. You need at least one SSL-enabled software update point in the hierarchy to deploy software updates on internet-based clients.
If you don’t have an SSL-enabled software update point in your ConfigMgr hierarchy, follow the article below to configure one. The software update point role is not a mandatory requirement for CMG setup, and you can perform this step later as well.
Configure Software Update Point for SSL | ConfigMgr | SCCM
Configure SCCM Site for HTTPS
The SCCM site needs to be configured for SSL communication with clients. Please ensure that the following settings are configured.
In the SCCM console, go to Administration/Site configuration/Sites, select Properties, and click on the Communication Security tab.
- Ensure that the HTTPS or HTTP option is selected under Site System Settings.
- Under Client Settings, select Use PKI client certificate when available.
- Under Trusted Root Certificate Authority, click on Set and upload the trusted root certificate you exported during client authentication certificate deployment (refer: Export Trusted Root Certificate).

Next Post: Part 4 | Integrate Azure Active Directory with ConfigMgr