Cloud Management Gateway (CMG) Community Session with the Patch My PC Team

Here's a playback of the community session with the Patch My PC team about Cloud Management Gateway in Configuration Manager. In this session, we cover common configurations and possible issues with CMG including:

- CMG server authentication certificate
- CMG trusted root certificate to clients
- Server authentication certificate issued by public provider
- Server authentication certificate issued from enterprise PKI
- Client authentication certificate
- Client trusted root certificate to CMG
- CRL checking
- Q&A

We keep seeing a ton of questions about whether PKI certificates are needed on clients, management points, and the CMG server certificate.

This session will cover all the possible options for certificates on the client (PKI client auth cert, Azure AD, Bulk-Token) and all the certificate options on the server side (PKI server auth / SSL, Enhanced HTTP for SSL on the MP, public SSL vs. PKI SSL certificate for the CMG SSL certificate).

The majority of the session is Q&A with the community, so a lot of common questions are covered as well. Side note: we did hit the 250 max limit on our Teams Meeting. A big thanks to everyone who joined. - Justin Chalfant

πŸ‘οΈŽ︎ 5 πŸ‘€οΈŽ︎ u/PatchMyPCTeam πŸ“…οΈŽ︎ May 27 2020 πŸ—«︎ replies

This was great! Thanks guys!

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/johannesBrost1337 πŸ“…οΈŽ︎ May 27 2020 πŸ—«︎ replies

Good session. Can't wait to watch it again

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/nathan646 πŸ“…οΈŽ︎ May 27 2020 πŸ—«︎ replies

Awesome session. Thank you!

πŸ‘οΈŽ︎ 2 πŸ‘€οΈŽ︎ u/adamscoffee πŸ“…οΈŽ︎ May 27 2020 πŸ—«︎ replies
Captions
alright let's get started first of all I want to thank everybody for joining so we're right at about 220 people right now so we might hit that 250 max for a Microsoft team's meeting before we get going during our actual session we're on you know doing demos with the team and we're just you know talking if you could stay muted just because we have a lot of people here just to make sure things don't get a little bit crazy now if you have any questions like as we're going through demos and showing you things at the beginning part of this meeting just leave them in the comment section of Microsoft teams and we'll be tracking those for discussion at the end of the session now we are gonna have time at the end as well where if you want to come off a mute you know we can get some discussions going if you have any additional questions but as far as this goes I was really hoping to just do a kind of like a gotcha session for CMG just things that can be easily overlooked just go over some of the fundamentals about how it works and really just hopefully make it so that you understand better how cloud management gateway works with config manager so with that said let's go ahead and get started so the first thing that we're going to take a look at is some of the basics about what type of certificates that you need and how things get configured for cloud management gateway so the first thing that we have going on is a cname so whenever you go through and you actually are setting up cloud management gateway the first thing that you get within the wizard now we're not going to go too deep into the actual wizard part of you know this is how you know you go through the next next next type wizard that is covered so if you go to our YouTube channel we have a section for SCCM guides and someone from the team will put a link in the chat window there as well so we do have a session on you know a recorded video about how to actually set it up but one of the things that you're going to get 
when you actually go and setup CMG is you're going to get prompt for a server certificate and a a service name so what that's actually doing is that's going to allow you to set up a custom domain and this is primarily required because you have to have some type of SSL certificate on your cloud management gateway that lives in Azure so in our case we can see that we're using one of our test domain and setup config manager and the certificate that we're using is or the cname his setup config manager CMG one and that's pointing to cloud app which is essentially the CMG server that's going to be running in Microsoft Azure now one of the key points that you want to keep in mind is you're going to have to redirect so you're gonna have to create a cname so in our case we're using CloudFlare for our dns for public dns and basically what we're doing here is we're just saying any traffic that's going to set up config manager CMG one dot set up config manager com I want to redirect that to set up config manager one dot cloud Abnett so that's gonna be how the traffic that's hitting your CMG using your public dns name actually route to the Microsoft Azure CMG proxy so that's kind of the big first configuration that you want to make sure that you have setup and configured correctly is that that cname is pointing the traffic to the service that you configure so when you go through and set up that service you get prompted what you want to make your cname now with that said there's a there's a big question about whether or not you actually want to use a certificate so whenever you set up CMG you need to have an SSL certificate and the two big questions that you want to take there is do you want to use a public certificate authority so that's going to be something like digi sir right so for example do you want to use something like digi cert or Verisign or do you want to use a SSL certificate from like an internal PKI from Active Directory now generally what you're going to want to 
do at least for the CMG server that's living out in Microsoft Azure usually you're probably going to want to use a third-party certificate authority because that's going to make sure that all clients trust that certificate that the issue that can come into play like if you use a internal Active Directory certificate services certificate is for example if you're using like an azure ad joined device or if you want to enroll workgroup clients through CMG there's a good chance unless you have some process before the enrollment that they're not going to actually trust the internal PKI that would issue that public SSL certificate so in our case we actually have a couple different labs going on here now before I jump in and actually start showing like CMG and the internal servers the first thing is if you notice whenever we jump to a new machine it's either gonna say site server that's going to be an internal server if it has a cloud background so something like this that is the server and Microsoft Azure running CMG looks like I didn't change the words here and then any client device would have the Windows background here so the first thing that I'm going to look at just mute here is we actually have a scenario we're running both we're running an internal PKI for SSL certificate and then we're also have one we're using a public certificate or 'ti like digi cert so in this case what I'm going to do is jump over to one of our CMG servers now to get into CMG the VM that's running out of Microsoft Azure let's quickly just jump over and show you what that looks like first so whenever you actually get done setting up your wizard to setup a new cloud management gateway for this one you're going to get a storage account if you configure the option port to be a cloud distribution point in the CMG wizard and they're going to get a cloud service account that the cloud services were the actual virtual machine that your clients are talking to through CMG is actually running so in 
order to actually RDP into the CMG server and Azure the first thing that you want to do is you have to come over to your machine remote desktop and then you would just go through and enable that so if you never done that that's the first thing and that's how I'm able to actually RDP into the via the VM that's running cloud management gateway so jumping over here what actually happened so when you go into that wizard and you say you know let me browse out to my certificate so the pfx file for your ssl certificate that would show up in this wizard it actually goes up and it actually binds that into IAS for the machine running CMG so for example you know if we go and look at that certificate that I configured here and we go out to that CMG server and azure if we go to the proxy service so CMG and in the backend it's really just running a proxy that's going to facilitate the traffic of your clients out on the internet and it's going to proxy that traffic into your management point that you've enabled for CMG traffic so what's actually running out on the azure VM is relatively simple in the fact that it's really just the reverse proxy and it's allowing you to proxy that traffic and it makes things a lot more simple right so if you set up IB cm one thing that you typically would have to worry about is things like DMZ servers and the ports that you would have to set up for the management point that would be taking Internet traffic with CMG you let all that run out and azure and then it's a single connection using port 443 that would actually proxy that traffic from your clients to your MPs and software update points but if we actually look at that web service and we look at the certificate and let's go and view that we can see that this is actually the certificate when I went through and configured CMG this is the certificate that I had for setup config manager calm from digi cert right so that's using a public certificate authority now one of the other labs let me jump 
over to my demo 3 tenant here now this one I'm actually using an internal PKI certificate that issued the SSL certificate and we're going to go through where that can potential cause issues with client communication so if we go ahead and look at this CMG server and view that certificate we can see that this SSL certificate let's go certificate path we can see that this one was actually issued using an internal certificate authority from my local Active Directory domain so when we go between demo one that's using a public certificate authority that all clients would trust even if it's not part of that domain so that's definitely a plus for helping to avoid some common issues where the certificate may not be trusted on all the clients that you're trying to enroll over here let's jump back over to demo one okay so that's that's the server certificate that's actually running in CMG so regardless of your configuration whenever you go and set that up you do have to have an SSL certificate that can either be issued from internal PKI or a public CA now the actual communication between CMG and your on-prem site systems like your management point or your software update point there's an additional factor there now you have a couple of different configurations that you can use for that so in my case on demo one we've actually got our management point configured for HTTPS so we went through we configured HTTPS this is also available on our youtube channel if you want to go through that process to understand how you can use an internal PGI to convert your config man site to HTTPS you can go through that process there as well but as far as as far as that goes if we go ahead and look at my management point so this is our on-prem management point the server we're on now and we actually look at our default web site so this is what's running you know all the management point is you know bits here and we look at the binding here we can see that we're actually running an SSL 
certificate and it's configured from our local Active Directory PTI so this sites kind of fully configured for HTTPS ahead of time so this was actually quite simple for us to simply check that box for everything to already be running in HTTPS so when you're CMG server out and azure is making a reverse proxy to actually proxy the traffic from your clients to your site that needs to be secure so either your management point needs to be running in HTTPS using a PKI certificate or there's actually a new feature where you can use enhanced HTTP now this is a question that you know I see come up quite a bit I'm just you know whether it's reddit or different discord you know groups things like that is what is enhanced HTTP actually used for does that mean I don't need to have any certificates at all and the answer is kind of a depends so if I jump over to our demo 3 site this site is actually configured for enhanced HTTP so let me come over to our client communication so within the demo 3 site we can see that we have the option for config manager to generate certificates for HTTP site systems what that actually means is if we go ahead and look at our management point we can see that it's still configured for HTTP so that means that internal clients are still going through and just using HTTP they don't have any SSL certificates or they don't have any client authentication certificates required but we can see that we still also have the option to allow CMG traffic so what enhanced HTTP actually does if we go and look at is on this this management point for demo 3 that's configured for enhanced HTTP only and we look at that default web site let's go ahead and edit bindings here and we look at 443 we can see that there's actually a certificate that's been created called SMS SSL certificate so this is what enhanced HTTP actually is and the difference here is that this search kid was automatically generated from configuration managers so it's actually a self-signed certificate 
meaning that it didn't get issued from any type of PKI within your internal domain or a public certificate authority now what's nice about that is if you don't have PKI you can still use cloud management gateway so what this self signed certificate is used for is when the cloud management gateway is proxying the traffic from those internet-based clients it can still make a secure connection to your management point using that self signed certificate so there's no kind of like certificate authority that trusted but since config manager generated it it can it can make sure that CMG actually trust that self signed certificate so this could be a scenario where even if you don't have PKI you could potentially set up CMG without having all the complexity of PKI and that's that's really what enhanced HTTP is at the end of the day it's a self signed certificate and it's simply securing the traffic between the cloud management gateway reverse proxy and your internal management point because you wouldn't want that to be going over the internet from that Asscher CMG machine to your management point not encrypted right so that's kind of the difference between enhanced HTTP and using PKI for your actual management points so either way certificates are going to be involved and that's that's you know really important for actually securing that traffic that's being proxy from CMG now the next thing that comes into play are the client certificates so there's a few different options that clients can use for authentication for actually validating they can connect to your site so the server side piece that's only one piece of you know the authentication right so what we've been talking about so far is really just the webserver piece right so for example if we look at that that CMG one public domain name and we go and just you know look at this certificate here all this is really going for what we've talked about so far is just making sure that your clients can connect securely and 
encrypt - cloud management gateway machine but there's more to that you have to make sure that only clients that are authenticated can actually talk to your site right so there's a few different options that we can use here so you can either use PKI so if you've already got PKI set up and this could probably be a good scenario like if all your machines are joined Active Directory and you wanna you know you already have certificates being deployed for them just setting up PKI could be a good option but there are a few gotchas for using PKI so for example in our environment if we jump over to one of our clients we can see that we've already issued some client certificates for authentication right so if I come and look at my demo to client we can see that we've already issued client certificates that can be used to authenticate whether that's your internal management point if you're requiring HTTPS or whether that's cloud management gateway so as long as the certificate that you're using so let's jump back over to one of our labs here as long as the client certificate that's being issued is trusted by cloud management gateway so if we jump over and look at our cloud management gateway when you go through and set that up you basically will have an option for configuring a certificate authority so if you look at the certificates within this UI this is basically saying any client certificate that's trying to talk to CMG if it's being issued from whatever root certificate that you're using cloud management gateway can trust that so in our case when I went through and set this up I added the root certificate for my Active Directory certificate services and that's gonna let CMG know hey if I have any clients that have a certificate for client authentication that was issued from this certificate authority so in my case it's going to be my local Active Directory certificate services I'm going to allow that client to authenticate through cloud management gateway and then talk 
to my site so that's the first option so if you do have PKI setup and you're using Active Directory and you have auto enrolment and your clients go out to the internet they're just going to work because they you know that certificates going to be used as the point of now there's also two other options that you can use if you do not have PCI setup so the first one's going to be if you're using a client that is registered with Azure Active Directory it will be able to use Azure authentication to enroll and authenticate to cloud management gateway so let me just jump over and see if I have a machine that's enrolled here in Azure ad I think this one might be let's take a quick look yeah so this one right here this one is enrolled in Azure ad so this client could basically say hey I am enrolled into this Azure ad that's connected to my CMG tenant I can use ad radio authentication to actually communicate with cloud management gateway and the last option is going to be this is actually a new feature that came out in config manager 2002 is bulk tokens so let's say for example you have workgroup machines whether that's internal or out on the internet and you want them to be able to authenticate and connect to your config man site through CMG there's a new feature in config manager 2002 for bulk tokens basically what a bulk token is is it's a way that you can authenticate your client without having the need for a client certificate or without the need for a sure ad authentication so the way that that actually works let me see if I can enroll in a bulk token really quick here we go so on your site server if you want to actually register for a bulk token there's going to be a tool that's in the installation directory of config manager under Ben x64 and it allows you to generate a bulk token so it's the bulk registration token to Lexi and if you've run that tool and you run it with the forward slash new command line what that's going to do is generate a bulk token that you can 
use to install a client directly over the Internet without the requirement for any certificates so that secret vault token key is essentially what's going to authenticate so if I add a /nu what actually happens is you're going to get this long string for your bulk token and within the CCM setup.exe command you would be able to use this special token and it would allow the client to authenticate to cloud management gateway to let it know that it's a trusted client so that's kind of the three ways from a client perspective how you can authenticate so in 2002 it's definitely easier you can potentially set things up without having PKI on the client side of things if you use a balk token or a shure ad joint now the next piece that really comes in play where we often see issues this would usually correspond to a HTTP error that ends in like two three one it's a pretty common like unspecified error let me see if I can jump over to your client just to show you what we're talking about yeah so one of one of the most common reasons where you might get an error code like this the two three one oftentimes can have to do with crl checking so client revocation lists this is this is a common reason where clients and/or the management point or CMG may have issues authenticating client traffic within your environment so there's really two settings here that I want to make sure that we that we understand if we look at the properties of your site under client communication this is this is a big option here so this is saying whether or not clients that are connecting to site system so whether that's a management point whether that's cloud management gateway anything that's using an SSL certificate this is choosing whether or not they need to check the CRL of revocation list for that site system so what that actually means if you're not familiar with that is let's go ahead and look at one of our ssl certificates this means whenever a client tries to talk to that ssl certificate it has 
to check whether or not it's been revoked so what that basically means is it's gonna try to reach out to the CRL distribution points this is basically a list of any certificates that have been revoked from that certificate authority so if you if you're using an internal Active Directory PKI certificate and you haven't configured a public crl and if you have the option that clients always need to check the revocation list from that SSL certificate that you can figure for CMG there's a good chance that you're going to get an error because if you've only configured your crl for like an LDAP lookup which would be local Active Directory and you don't have a public URL if you have crl checking that clients need to check for the site system it's never going to be able to download that file and it would basically abort the connection and you get that two three one error code so that's the first factor so do you have your clients checking the certificate revocation list for the SSL certificates for site systems now the second one that comes into play here that can cause issues is on the CMG side of things if you look at the properties of cloud management gateway there's also an option where it says should CMG check the CRL of my clients so the you know the azure machine should it check the client crl for any client that's connecting so we've actually simulated an error here so what we've got if we look at our demo to client and just see if I can pull up our certificate so when I actually configured my client certificate using Active Directory certificate services we didn't have a public crl configured so if I go ahead and look at my crl distribution point for this client we can see that it's only using an LDAP path right so what's what's gonna happen because I still have crl checking for clients enabled within the CMG properties we can see that when this client is trying to connect it's getting that error code saying hey there's a transient error right so we actually look 
up this error code it's pretty generic let's go ahead and come over here and do an error lookup using ctrl L we can see that we just get a transient error so that means that within that SSL connection something's not right now if we actually go so this is our demo to lab so if we go to demo two on our actual internal management point let's go ahead and take a look at our management point is logs so if we go ahead and look at the log files within our management point we can see that we're getting a 403 dot seven error code within our logs now what that actually means is there's a client authentication error let me see if I can pull up see if I can find the article I think this nope let me see if I can find that okay I think it's this one so we actually go look at that so like we were saying CMG is basically just a proxy so when it's taking in that that client connection it's really just transferring that to your management point it just makes things a lot more simple where you don't have to worry about you know ports and things like that but if we look at that error code that we're actually seeing on our management point within is that saying a client certificate is required so basically what's happening here since on our CMG server we still have crl checking enabled for clients but that client doesn't have a public crl that that machine out in Azure can touch that's why we're getting that error so this definitely comes into play one of the more common errors that we see within CMG is access to CRLs and what I've actually done so a pretty cool tool that you can use to check whether or not a client's ERL is accessible from the CMG server is if you go to the client certificate within the local certificate store for the computer you can export that certificate to a dot serve file and then what I'm doing is out in my Adger CMG server i've actually copied that dot server file to the machine and what we can do here so if we look at our demo to client the dot serve file 
that we exported I'm gonna run a command so what we're gonna run we're basically running cert util - URL so what this is gonna say is I want to check the URL that's being used for that crl revocation checking from my Azure VM because that's going to be what's actually proxying that traffic and the first point of contact that the client is going to reach out to so if I go out and run this it's going to open a cert util utility and here what we can do we can check whether or not the CRLs are accessible for that client certificate that we exported so if I click retrieve what we can see here is that when that that when that VM out and azure is trying to reach out and hit the URL for the CRL we can see that it's only got the LDAP path right so it's not going to be able to hit that because this CMG servers are basically just a workgroup machine out in Microsoft Azure now I do also have another client machine that I've exported the certificate out for so if we look we can see that we also have a demo one client and if I run that same command for demo one client and let's do that same retrieve we can see that demo one client does in fact have a public crl configured so that means that even if crl checking is enabled within CMG it should work just fine because it can access that public HTTP path that I have within my local certificate authority that I've configured here okay so next thing what we're gonna do let's jump over to one of our client machines demo okay all right so what we're going to do is we're going to attempt to install a client on an azure ad joined device so let's go to and open a command prompt okay so this machine is directly out on the internet we can see that it is using Azure ad so we don't have any relationship for our internal Active Directory domain so what I've done is I have copied over the CCM setup file so if I look on my desktop I can see that I have CCM setup and what we're gonna do is go ahead and run the CCM setup command using the CCM 
hostname which is just pointing to my CMG server URL right and then we have our site code and then we have it always internet facing so we want this machine to always go through CMG now what we're going to notice here is that if we look at our CCM setup log so when this client is actually trying to run CCM setup we can see that it's getting that this is a pretty common error - we can see that's getting an error message that is saying it can't make a secure connection to our CMV server for the setup files so what's happening in this case if you remember on demo 3 we actually used a internal PKI certificate to issue the SSL cert for CMG so since this machine is directly joined using Azure ad it's not going to have group policy to automatically have the local PKI rootsy a trusted so if you were using that method and you were joining machines that are either workgroup based or using Azure ad there's a good chance that you're going to have a lot of issues with the certificate not being trusted so for example if we were to just open a web browser and try to browse out to the CMG URL we can see that it's it's saying that it's not secure and the reason it's not secure is because there's no root level trust for that local PKI certificate now let's say that we wanted to switch this back to demo one just on that same client that's a sure ad joined we can see that we don't get any type of SSL you know errors here because that's being issued from a public CA so in the event that you actually did want to use a local PKI and you were using workgroup or ad rate each join machines you would have to have some kind of process in place where you could automatically install that root certificate authority on all your clients before running the setup right so once that happened so I just manually installed that now if I come back to my demo three CMG I might have to close the browser out let me just try this once more but once that's installed as a trusted root certificate we can now 
see that it's fully trusted even though it's coming from that Active Directory PKI so if I go ahead and run that same command again and we look at CCM setup hopefully what's going to happen here is we're not going to have any type of trust errors and we can see that we're now able to download our client directly from the CMG server so at this point you know if you were using PKI from internal that's a big factor where you need to make sure that your client trusts that certificate okay let's jump over here all right now another common error that we see let's jump over to demo one so this is a client that is registered it's actually part of a workgroup so we use the bulk token on this one and it's talking through CMG so what I've done is I have a Google Chrome application that's targeting this device through cloud management gateway so when I go and attempt to install that what we can see is that if we go ahead and look at that error code and if we open up cm trace and do a look-up on that we can see that's getting an error code content not found now if we go and actually look at that Google Chrome application on the demo1 console let's go and look over here we can see that that application has actually been distributed to CMG's so if I look at properties of that and look at our content locations we can see that it is actually out on CMG so you know a lot of times we get you know questions like hey you know everything looks good I've got my content out there but on the machine out on the Internet I'm still getting a content not found so a common issue that can occur is under your client settings by default under the cloud services the option to allow clients to talk to a cloud management distribution point is set to no so what actually happens when the client sends the location lookup requests to your management point and we can actually go and look at this this is kind of interesting if we go and look at our management point logs so these SMS underscore CCM on the 
management point server and if we look at the MP underscore location I'm just for some context on this log file this is actually the log file that whenever a client says hey I need to go get content on the management point this is what shows that client requests happen so if we actually look at that client location request for that machine the big thing to look at here is we can see that it's set use Azure equals zero so when that client doesn't look up and says hey give me the content for Google Chrome when it does that look up if that client policy is set to no it's gonna not return any content so what we can do is if we go ahead and switch that to yes just mute real quick it sounds like we have some background noise okay so let's go ahead and change that client policy real quick - yes and when we see the location requests come in the next time let's go ahead and set that to yes and on the client side the only thing that's going to happen here is it needs to refresh client policy so let's go ahead and open up policy agent dot log open up that and then we're gonna do a client policy let's see if we've got that setting yet okay looks like it doesn't have it quite yet let's try once more there we go so we can now see that we're downloading some new policy for this device so what that essentially is is it's that client setting change it said hey I can now use cloud managed cloud distribution points so let's go ahead and try to get that again and now we can see it's taking a little bit longer so if we come back to our management point and look at that MP location log we can see that we have another request for that same client but if we come back in here and look at it now we can see use Azure is now one so that's saying based on the client policy targeting this machine it's allowed to go get content from CMG so that's a common setting if you don't have that configured to allow cloud distribution points your clients aren't going to be able to get content for any 
applications or potentially third-party updates that might be out on CMG. That's good. And the other thing that could potentially come into play with similar types of errors is if your clients are set for a metered connection. So this might be pretty relevant today, where there's so many people working from home: if you are not allowing clients to communicate from a metered network, they would also get that transient error that ends in 231 on the outside as well. So it's pretty common, like if Windows detects that you're connected through a hotspot, it will automatically set your connection state to be metered. So if you're getting 231 errors and you've kind of validated "hey, my CRLs look good, they're accessible, my client root certificate for SSL is trusted", this could be another setting that you want to check: is the client on a metered connection? Because that could also block, based on this being set to Block.

Okay, now the other thing that might be kind of helpful here is if we go and actually look at our configuration here. Let's come back over to CMG. So whenever you set up a cloud distribution point, so by default, like in build 1806 or newer, it's simply a checkbox on cloud management gateways. So in the event that you have this checked, which usually you will, to let CMG function as an Azure DP or cloud DP, when you actually go and distribute content to that distribution point it does actually live in a storage account. So if I come in and look at the storage account for my Cloud Management Gateway on Demo1, we can actually jump over and look at Storage Explorer. This is kind of interesting. Now, generally speaking, you're probably not going to go into this and actually look at this a lot, but this is basically where, in Azure blob storage, you actually have your content. So for example, when we went and installed our client using our bulk token with CMG, it actually pulled the client files from our
CMG distribution point, because when we actually went through and ran that on the client we only had the ccmsetup.exe file, but it was able to grab all that content from CMG and our distribution points. So for example, if we go and look at... just look at this one really quick. So this was our package, for example, for Google Chrome. So if for some reason everything looks good for your content and it shows that it's out on Cloud Management Gateway within your console, you might be able to go and kind of poke around and see "hey, does it look like any files are missing?" If you get to this level, you probably want to open a support case if you're really having issues and you've validated everything looks good, but it's kind of interesting: you can come in here and see all the different content for any packages that you have going out to your CMG distribution point.

So that's a lot of the gotchas, I think. Anything that I'm missing, Cody, that you can think of that might be helpful at this point before we go into questions?

I don't think so. I mean, the only one that might come to mind, I don't know if we talked about the TLS checkbox, but with a lot of the older OSes being deprecated it usually shouldn't be an issue, but you never know these days, people are buying ESUs.

Yeah, good point. Yeah, so one of the newer options in 1806 is you can basically enforce TLS 1.2. So what that does is that says when clients connect out to your CMG reverse proxy, they need to connect using TLS 1.2. Now that's probably not an issue for any modern client; I think the only one that might not support that natively might be like XP, but that will enforce using a higher level of TLS to secure traffic. So for example, if you didn't want to allow TLS 1.0 or 1.1 because it's a little less secure, you could enforce your clients, when they're connecting out to CMG, to always require TLS 1.2 if you need it to.

I think the oldest is like Windows 8 and below and 2012
and below. Actually, all of them have native support; they require like a patch and some registry edits.

Correct, yeah. I guess the only other thing we could mention is third-party patches. So this is a question that comes up quite a bit: for Microsoft updates you don't really have to distribute any of your content to CMG, because it's already out on Windows Update, right? So whenever a client goes and actually downloads that, they'll go directly to the internet, because it wouldn't make sense to have to pay egress costs for clients to download from CMG. The only difference for third-party updates is that one actually does. So if you are using third-party and Microsoft updates and you're using CMG, you're gonna want to have separate deployment packages: one for only third-party updates, and then Microsoft updates would obviously be a different package. Now the reason that third-party updates have to go out to the Cloud Management Gateway is because, when you actually publish a third-party update, just a little background on that, if you look at the .cab file within the WSUS content folder, that's going to be specific to your environment and your WSUS signing certificate. So because you have to have your certificate trusted, clients can't just go out to adobe.com, for example, because there's another layer of code signing that happens whenever updates get published. So if you are using third-party updates and you are using CMG for internet clients, you do need to make sure the deployment package for that content is located on Cloud Management Gateway, because that is using a certificate specific to your environment.

Okay, let me just jump over to the comments and see what we have going on here. Okay, so: "I'm sorry if I missed it, does the trusted root certificate authorities path need to be configured in the site properties when you turn on eHTTP?" That's a good question. So when you're actually configuring the trusted root
specifically for eHTTP, there's not really a trusted root path for that, because it's self-signed, so you wouldn't have to worry about that; Config Manager would handle that specific scenario for you by default. The trusted root would become more important if you're using a PKI like Active Directory Certificate Services; you would want to make sure that certificate is defined in the properties of your site as well as the properties of your Cloud Management Gateway.

Yeah, so looks like that one's already been answered. Yeah, the interesting thing here about client certificates is it doesn't really matter where the client certificate is issued from; the only thing that matters is that the server trusts the certificate. So you would have to make sure that, within the properties of your Cloud Management Gateway, whatever root certificate is issuing that client certificate, that it trusts both the client cert and that the client trusts the Cloud Management Gateway SSL certificate. Outside of that, whether or not it's Active Directory, Azure AD... if you were able to get a client certificate from PKI on an Azure AD joined device, that might be a little complicated where you don't have auto-enrollment, but it really doesn't matter how the cert gets there as long as it's trusted both ways.

There are ways to do it though. I mean, you can use NDES, so I kind of mentioned the link there. So there's some good Microsoft docs that kind of cover it: you can do full certificate enrollment via the internet with an NDES, and you can publish out all of that via Intune policies as well. So there are options, but definitely, if you already have Azure AD set up, you already have tokens, you're already gonna be able to authenticate to that CMG, so it's gonna be a sort of simpler way to go potentially. But sometimes your company might call for PKI-based authentication, so NDES is an option.

Yeah. "So if I don't have PKI, I can move forward with CMG?"
Yeah, the answer is yes to that. So like in the answer back on the Teams chat, you could use eHTTP, right? So that's going to allow you to secure the traffic from your management point that's coming from CMG. So that's going to be the first step if you don't have PKI right now. Probably the harder step is going to be how do your clients authenticate to CMG, and if you don't have client certificates from PKI, you would either have to use the Azure AD join, and that's going to be a way that your client can say "hey, I'm authorized to talk", or the bulk token. Now, bulk token is going to be... do you want to talk on that, Cody? What we saw in some of our testing is even clients that were internal using eHTTP, it seemed that they could still register with the bulk token. Do you have the doc for that, Cody?

Yeah, I'm gonna move that up, pull up the doc. Yeah, so it is token... oh, did we delete the link? So what the docs actually talk about with the bulk token piece in version 2002, which is kind of interesting, is your clients are supposed to, when they're on the internal network and register, actually get their own token internally from the MP, and then they're gonna use that token, and it's gonna be valid for 90 days, and then they're also gonna renew that token every 30 days. And then once they roam out to the internet, they're gonna use the token that they have with the public certificate that's offered up by the management point, and then it's actually gonna be able to authenticate to your CMG. So you're going to be taking eHTTP, not Azure AD joined, clients out onto the internet and then using that token to authenticate up to your CMG without PKI or Azure AD joining. Now, the only loss there is definitely gonna be any user-based scenarios; there's a few cases where you lose all of your user-based deployment scenarios, it's only gonna be machine-based. But I mean, based on what the docs say and a little bit of testing that we did, your
2002 clients should be able to use that token even without going through that bulk token registration process. That's just an alternative if you've got some natively internet-based clients that aren't going to roam back onto your network to get a token.

Yep, and I just included a doc that kind of talks about how that works. It's not super clear in the docs, but based on what we saw, clients that were already registered, it seemed to still give them that token even if it wasn't a new client installation.

Okay, so this is another good one: "so if you don't have PKI, how many certificates would I need to configure for CMG?" The answer is going to be one to that, right? So you would have to configure the certificate for the actual Cloud Management Gateway. So what the Config Manager team did there is they wanted to eliminate the need for having internal PKI for CMG, but you still need to have the public certificate for CMG. The reason for that is your client, whenever they talk and proxy through that CMG server, it has to be encrypted. So you do have to have at least one certificate, and the idea there is that if you don't have an internal PKI, what you would do is you would have a public certificate authority, like DigiCert for example, where you would go and get the public CNAME. So in our case, it was like "CMG setup config manager one". So in the scenario where you don't have PKI, you would only need to get one SSL certificate, and that would be for Cloud Management Gateway, for the actual service that clients talk to. Just one SSL certificate.

Yeah, do you know about this one, Cody? "I think eHTTP is also used for BitLocker communication internally if you don't have a..."

Yeah, I was kind of looking, we might need a little clarification on the question here. So, I could see a little bit of conflict, especially with a 1910 implementation of BitLocker in Configuration Manager, but starting in 2002 you do have the option to selectively set only the
recovery service to HTTPS, the IIS site. You can still have an HTTP management point otherwise and leverage Enhanced HTTP alongside the Azure AD tokens and all that; you would just have to make sure that you're selectively putting the recovery service to HTTPS. You don't have to put the full MP to HTTPS, and you have to be on the 2002 version. But I mean, if you're seeing other issues with that configuration, that might be something you've got to put in a support ticket for.

Okay, so boundary groups, let's look at this one. So there is an option within the boundary group to prefer cloud. I don't know if that would potentially help in this scenario, but it looks like we did have a pretty detailed answer in the comment there.

And I guess it depends on the scenario. I've seen some companies that are able to selectively allow a split tunnel to certain IP addresses, and I guess that might be the scenario that they're wondering about here. You'll see some, because they'll have a forced tunnel but they're excluding IPs, and it's easy to exclude the CMG IP from your VPN, whereas it's near impossible to exclude the Microsoft CDN via IP address. So that might be something you kind of have to play around with, the boundary options and the prefer cloud.

Okay, so "using a cloud DP"? Yeah, that's optional, and that would be required if you want any content actions to occur on your client. So whether that's applications, so if you want to use applications, you would need a distribution point if the clients are directly on the internet. But if you only care about, let's say, Microsoft updates, right, and only getting policy and things like hardware inventory, that would all work without having a cloud DP. But if you're using third-party updates or you're using application deployment, you would need to make sure that for clients directly on the internet, since they wouldn't be coming back into internal distribution points, that would be required to have a cloud DP. Now one thing we
might be able to talk about, I think we'll probably do a survey after this, is maybe internet-based client management. It's definitely more complex, but it could be an interesting topic, especially at this time. So we sent a survey out; that might be a scenario where, if you did go the IBCM route, you wouldn't need a cloud distribution point; it would simply kind of proxy to the distribution point internally that's configured for IBCM.

So by default, an internet client should go directly out to Windows Update. Just to be safe, though, you probably wouldn't want to have any of your Microsoft updates out on CMG. But yeah, so if there's an internet client and they don't find any content that you've already pushed out for Microsoft updates, they do go directly to the internet. I think, and I want to say there was an update as well where if it's internet-facing, by default it always tries to hit Microsoft Update first. I think that's actually the case there.

That's a good question, do you know this one, Cody? Might have to follow up with that one: "is hybrid Azure AD a hard requirement for user deployments?"

Not hybrid, no, I mean Azure AD joined, I want to say. I'll see if I can find the doc; there's actually a table that shows all of the scenarios for authentication and what is supported, whether it's... and here, no, that's not it. I'll find it and post it, because there's definitely a handful of considerations, some of them being a little bit interesting, like if you have a non-domain-joined client, when it's actually on-premises it needs to be PKI-based to talk to your internal MPs. Kind of little caveats like that. I'll try to find it and post it.

Yes, so a question about clients flipping between on-prem and off-prem. Let's go back, let's actually do a quick demo on this. Let me see, let's stop screen sharing OneNote and let's come back to our client. So what actually controls whether a client is on-prem or not? It's going to be whether
or not they can hit your site. So where that actually occurs, like if you're ever troubleshooting a client, if you go within the CCM logs... see, where am I at here? It's actually the global catalog, isn't it? Yeah, yep.

Yep, I did find the link for that kind of connection scenario as well. I just pasted it in the chat, so it'll talk about whether it's a workgroup client, AD domain joined, Azure AD joined, etc., and then what is the management point, and it'll actually talk about the types of communication it can do, whether it's user-based or machine-based. I think that's it; if not, I'll find it.

Yeah, so as far as determining whether a client is on network or off network, so whether it's going to talk to your internal MP or not, ClientLocation and LocationServices are going to give you some good data on whether or not it's in a known location, right, so whether or not it's joined to Active Directory. And what you'll see is, generally in these log files... I've actually configured this one to always be internet-facing when we did the ccmsetup command line, but what you would typically see here is, if it's on-prem, you would see something like it's able to hit the global catalog for Active Directory, but if it's not able to do that, you'll usually see a line that says something like "client is on Internet", and then at that point it would then start communicating with Cloud Management Gateway. As far as client communication, like if you see clients that just aren't talking, that's actually going to be a good log to look at, ClientLocation and LocationServices, to see whether or not it's even detecting it's on the internet. If it looks good and it sees that it's on the internet and trying to talk to CMG, the next relevant client log file that you're going to want to check out is CcmMessaging, because that's going to be what actually shows the web traffic when it's trying to actually do the HTTP requests to your Cloud Management Gateway. So this is where,
if you have issues like CRL checking is configured but it's not accessible, or whether the root certificate is not trusted, you're usually going to see some type of HTTP result code saying "hey, we couldn't communicate with that system".

And I did find and highlighted it in the picture, so the docs kind of talk about it: when it comes to being on-premises AD joined, whether HTTP or HTTPS management point, that's going to support device and user. But when you're dealing with CMG, you need either Azure AD joined or hybrid joined, and if you are workgroup or AD joined, you can have HTTPS connections and it will do user-based, but eHTTP does not. That's from the docs' side; the link and the photo are there in the chat.

All right, question from Donald. This is a tricky one, and this has been really common, especially with the clients that just started working from home, right? So if you have a client that's already off network that can't get policy for CMG, what's the best method? So running ccmsetup with either a bulk token, if they don't have a certificate, or with the option to include the CMG management point, that is one option. There's also another option where you can set a registry value. That might be one we have to follow up on; if you're working with support, that might be a scenario that they perform, is basically you can configure the management point for CMG within the registry for an existing client, and then they would be able to understand "hey, this is now an available option for a CMG management point that I can talk to". I want to say it's in like the CCM registry key where you can set that. So you could either reinstall the client, if there's a machine that just can't get the new policy, like if you set up CMG after the client was already registered and out on the internet where it couldn't communicate anymore, you can certainly reinstall it, or you could set a reg value. I'm sure if you Google that you can probably find out
the specific reg value that you would set to let it know that "hey, this is now another management point that I can talk to". So then, as long as it had a certificate, or Azure AD, or was using a bulk token, it would simply work and be able to then understand. It might be a little quicker than trying to reinstall all your clients, but either way, unfortunately, there's not some great solution where you can just tell a client that you can't communicate with "hey, go talk to this new CMG", because if it's already not on-prem and it can't get policy, there's no way that client is going to be able to know "hey, I now have this new server I can talk to". So unfortunately it's gonna require some type of action, unless you have some other management tool that you may be able to run some basic script with to let your client know "hey, CMG is now an option".

I think that's most of the questions I had that the team was copying, so anyone else that has some, let's come off mute. Like if you have any questions, you should be able to come off mute now if yours hasn't been answered yet in the chat.

Hey Justin, this is Dan Clark. I pasted some stuff in the chat; it probably got lost in the fray there. I've got some legacy clients, specifically Windows 7, that I'm trying to get upgraded to Windows 10, and one of the methods we wanted to do was in-place upgrade over CMG. I'm having some real trouble getting some Windows 7 clients to pick up the cert correctly. We use an internal PKI; it works on my Windows 10 devices. I'm getting a lot of different errors; I can get you some detail, but I'm just wondering, any tips on that? Have you seen any issues on Windows 7 clients not picking up the correct cert? I'm getting messages that the search criteria for the cert that I'm trying to define can't be found, but the certs are installed, so it just doesn't want to talk.

Okay, so have you validated the certificate, does it have the correct DNS name for the client? Because one of the things that
you'll notice in the log when it goes and does a search is it will base it off of the DNS name that would have been used during auto-enrollment. So you might want to make sure that, if you're using maybe a different template for Windows 7 machines, the subject name is coming from DNS. That's probably the only thing I could think of. But you are saying the clients are actually getting the cert template and auto-enrolling with a client authentication certificate?

Yeah, as far as I can tell. I looked at the certificate snap-in; it has my certs, internal PKI, it has the root certs, all the stuff that I'd expect to see during our config. So I pasted some stuff in the chat, it's a bit messy, but that's the kind of pertinent detail from the ClientIDManager log, what's it called...

Yeah, ClientIDManagerStartup. So that, yes, that's definitely the log where you would want to look. Where's my Notepad... yeah, that's definitely the log to look at. It looks like, yeah, it's not seeing any client authentication cert that meets the criteria.

That's, I guess, that was kind of my question, is how are you defining...

So it's defined in the ClientIDManagerStartup component. It's gonna search whether or not it's got a client authentication cert and whether or not the DNS names would match the client hostname. So do this: send me a DM on Twitter, include a screenshot of certlm, include your certificate under the personal store, and then just include the log file, and I'll see if I can figure it out. But yeah, it's definitely something with your certificate: it's not either meeting the client authentication bit, or the DNS name that was used for enrollment of that cert for some reason isn't matching the client name. That is usually where I see that issue.

Cool, you said DM on Twitter?

Yep, yep, just send me a DM on Twitter.

All right, appreciate it, thank you.

Okay, any other questions that you guys want to come off mute for? Looks like the
chat's super busy, so if you haven't got one answered, I think unmuting might be probably the best option at this point.

Hey Justin, quick question. So when it comes to the split tunneling, that's something you need to work with your networking team to configure a couple of IP addresses for split tunneling, is that correct?

Yeah, yeah, that's right. I'll let Cody handle it, I think he knows a little bit more on that.

Yeah, so I mean split tunneling VPN, generally it's just gonna depend on the product that you're using. So sometimes a split tunnel is just a break of internal versus external, so going to google.com goes directly to google.com, whereas going to your defined internal resources is going to go over that VPN. But also sometimes the split tunnels are a little bit more like a forced tunnel with exceptions, I guess you could say. So some scenarios would be almost everything goes back over your VPN to your data center, but you might have a small list of IP addresses that can go directly out. And so one of the scenarios, I think someone actually kind of discussed it a little bit in the chat, or the question, since it's kind of a niche scenario, but you'll see customers where they have a forced tunnel and they're allowed to exclude IP addresses, and they'll actually distribute updates, the first-party Microsoft updates, to their CMG, and that's because they're allowed to put that CMG IP address into their forced tunnel exclusion list. And so that allows them to have a forced tunnel, maybe to comply with some regulatory or other requirements, and they can also pull content from Azure. But ultimately it's gonna definitely be a network configuration, your network team, or maybe you are the network team. That's what it's gonna boil down to, is seeing what VPN client you have and what options you have available.

Cool, thank you.

Okay, any other questions that anyone wants to come off mute for? Yeah, I do see it mentioned a couple times, how you get
user-based deployments to install over the CMG. I pasted the doc there. You have to end up in a scenario that's supported for user-based connections. So the supported scenario is a workgroup device using an HTTPS connection, an AD domain joined device using an HTTPS connection, or if you're Azure AD joined or hybrid Azure AD joined, you can be either eHTTP or HTTPS. So ultimately you basically need a secure connection, and with the workgroup and AD domain joined machines, that might be the scenario that some customers are running into: they're running, say, AD domain joined and they're relying on eHTTP, and that is not going to allow user-centric scenarios; it's only going to allow device-centric scenarios. So to be domain joined and get a user-based scenario, you have to have PKI set up; you can't just use eHTTP. So that's just an additional step that you want to look into. All the Azure AD joined scenarios are going to support that user-centric scenario.

Yeah, can I ask a question?

Sure.

Yeah, so we've been using CMG, and of course we switched over, like everyone else, in late February. We enabled, according to the Cloud Management Gateway boundary group, set the preference to enable the preference to cloud, and then we added our VPN boundaries in to be a member of that. And then in February we had like 18 boundaries in there, everything's working great, the clients would be VPN clients and would be able to access content locally, or they would go out to the internet for patching, or to the cloud DP if downloading a package. And at the end of March we added like eight more boundary groups, and consequently these are boundary groups that we added while we were... we upgraded to 1910 in January, and all those boundary groups that we added at the end of March, the clients now, their management point will switch over to the cloud as opposed to using the internal management point like the other ones are
using. And so the performance gets hit, because it's gonna be taking a longer path. But I've had a support ticket open with Microsoft for a few months, still kind of scratching their heads why.

Oh yeah, that's a tough one. Did that scenario sound at all like the bug that we were looking at on Twitter the other day, Cody, or no?

Um, maybe. So there is a bug that... I don't know if it applies. So I mean, to kind of outline it, there is a bug where if you take a client that is talking to the CMG and bring it on-premises, so it ends up in a boundary for example, it will not use Azure AD authentication anymore, and that can cause some issues. So I'll link, there's like a little... there's a Twitter thread, whatever.

Yeah, that's an official Microsoft doc. Yeah, I think it's the one I have up here. I'm not sure if that's your scenario or not though. You know, if it's been addressed in 2002...

It's too late, probably, to my knowledge, no.

Yeah, yeah, and I'm not a hundred... this might not be your scenario, but it sounds like you're already working with Microsoft support, so that would probably be the route. Unfortunately, I don't know, it sounds like you haven't gotten too much of an answer there, but I think you're in the right place if you are talking to their support. I haven't seen that in any of our setups.

Okay, yeah, we're gonna upgrade to 2002 soon, so we'll see if it changes things at all.

All right, thanks. Okay, looking at Teams, any other questions that we want to come off mute for?

This is Dan again, if I could ask another question.

Sure.

I ran into a scenario a couple times where my connection point to CMG got disconnected, just randomly. Had a case open with Microsoft; we fixed it, we restarted the services a few times, that's fine. I was wondering what folks are doing to kind of monitor CMG health. There's nothing built into the console that I'm aware of; Microsoft wasn't aware of anything either. Essentially what happened is my
CMG connections went down to zero and I didn't know about it until I kind of happened to go check the console and see who was connected. So I didn't know if there was a tool out there, or like a script I could run or something, that would kind of alert me to say "hey, CMG connections are under this threshold, might want to check it out".

Yeah, I don't know if there's anything built in. The data is definitely there, right? So I know there's dashboards and there's reports to look at CMG-specific connections. One pretty helpful one here is under the CMG and the connection points; you can see a lot of data here. So this should be exposed in WMI, so I mean you could certainly get very specific and query this data using a script or something and have some type of notification let you know if something doesn't seem quite right. I don't know about built-in alerts, there's nothing that I'm aware of, but I'm sure you could query this data from the provider and maybe have some type of action built into a script if you can't find a good way to do it natively.

Yeah, that's kind of what I thought. I actually put in a DCR for this, because I think it should be something we should be able to monitor, this component, with an alert, right? Like if my management point's unhealthy or WSUS isn't healthy I get an alert, but the only thing I can see is data transfer... that's tough, the thresholds for data transfer, which okay, might be something I'm interested in, but if my CMG goes offline I might not know it unless I'm poking around the console and happen to click on one of those threads.

I'll open up UserVoice up there. All right, what's the title? Yeah, I would say that's definitely the route to go. It looks like there's already some built-in alerts, so I could certainly see some value in having another alert, like if client connections are below some threshold, let you know "hey, something might not be quite right". Yeah, here you go,
this is probably yours, Dan Clark?

Yes, me, yep.

So I mean, that's definitely the route to go. If anyone else wants to see it on the call, you could probably get some votes real quick here.

Yeah, for sure, I'll give you three votes here if I have any left... oh no, sorry, I'm out. I'll have to go see what I voted on.

Cool. Other questions? Sorry... no, you're good, thank you. "How can we import the root CA to clients that are Azure AD joined automatically?" So I know you can use Intune. So during your Azure AD join process, if you're using Intune, there's certificate templates where you can deploy certs to the trusted root; that would be one option. Now if you're not using Intune for management for your Azure AD joined devices, I'm not sure if there's anything native within Azure AD you can use for cert deployments other than Intune, but I do know Intune certificate templates could be an option where you could get your internal root CA trusted, if that's what you're using for Cloud Management Gateway for the SSL certificate. You could certainly use Intune to deploy that cert in an Azure AD joined environment.

Oh yeah, yeah, good question. "So what's the criteria when increasing the number of instances?" Yep, yep, so there's definitely support requirements. Do you have that doc handy?

Yeah, so there's a couple docs I've got; I'll link them in the chat. So I mean, one reason to have the multiple instances, beyond client count, would just be to have those sitting in multiple locations in Azure. But the docs say each CMG instance supports up to 6000 simultaneous client connections, and under high load it's supposed to basically queue things up, so you might get a delay in when the client actually gets its policy. And keep in mind, 6000 simultaneous client connections doesn't necessarily mean 6000 clients; a client will initiate multiple connections over a CMG. It's going to talk to your management point; there's multiple roles on that
management point that it's going to talk to, whether that be for, you know, BGB or to send up your inventory, and also to your software update point. So those are different roles and those are going to be multiple connections, but that isn't to say that, you know, every six thousand clients you have needs a VM either, right? Those connections are gonna build themselves up and break themselves down. So if you're starting to see a lot of delay in your clients getting policy, you might want to consider scaling it up, you know, just to prevent that delay in requests. So the doc kind of covers it a little bit, but I think at the same time you're gonna have to build it out and see what you're working with and see how it performs in your environment. And beyond the CMG instances, something to consider too is, you know, the CMG connection points; that's another thing you might want more than one of. Yep, yeah, good point there. Hey Justin, what about region, is there any consideration when you pick a CMG region? Yeah, good question. So as far as I'm aware, unless there's been improvements, CMG connections aren't region aware; unless there's been, like, changes recently, clients will just kind of randomly choose one. So I don't know if there's, like, any big consideration other than potentially having one that's close to your connection point, like for your connection point that actually brokers the traffic from the CMG reverse proxy to your on-prem MP and SUP; maybe that could be a factor where you want that connection to be a little bit quicker. I don't know, anything you can think of, Cody, for that? No, that's pretty much it, and that's pretty much what the doc stated too. I mean, so the client and the CMG, like that connection, there's nothing that's region aware; your client is ultimately just gonna reach out to a CMG. You know, 'cause when you're dealing with something like on-prem you've got boundaries and you're dictating that; when you're dealing with the
client and these CMGs in Azure then it's not region aware, it's just reaching out, but, you know, it's supposed to be pretty much unaffected by the latency, so just, yeah, let it ride, let Microsoft handle it. And that's even with a DP enabled on that CMG? Yep, there's nothing you can do about dictating that, so it's ultimately just, you know, it's gonna get the content down and that'll end up on the CDN as well. So I mean it's not like the content itself ends up being hosted, you know, on disks that are on your CMG; it ends up in the blob storage, so it's, you know, not like it's coming directly from your VM necessarily. Monitoring the breakdown of what is being downloaded from CMGs, that's a good one. I know there's a lot of reports. Is it Monitoring, Cloud Management Gateway? See, where in the console is the CMG connections, Cody, do you know? Is it Monitoring, Cloud Management? I think this is it. Yeah, so there's a graph here directly in the console where, if you want to see, like, how much traffic has come from CMG, like you can see right here for example how much communication is going through CMG, how many megabytes, how many specific requests. So there's a lot of data right in the Monitoring tab under Cloud Management that you can get, and you can see things like egress cost, and there's even a cost calculator I think built into one of the newer builds where you can see, like, you know, how much data has come from my content, cost for example. It's definitely cheap. So I know that Johan did a blog post the other day that went pretty deep into how much cost per client was; I know it was, like, in the couple of cents per client a month, I believe, but check his blog post out if you want to have more, like, some real data on, like, you know, what this customer saw as far as cost for content for a scenario. Also if you go to the Distribution Status node within Monitoring there and go into the Client Data Sources dashboard you can see, you know, the clients that have used your
cloud distribution point and the content that it was and how much, and this data is also available in the database and you can go and crack it open and start creating some reports. I know, I want to say it was Rob York or somebody from the product group, put on a Twitter thread recently kind of asking for ideas; I think they've got an intern that's looking to do some improvements for that dashboard. And by default the clients summarize that data and send it up to your site server every 24 hours, so there'll always be a little bit of a lag, but at least it's a point of reference. Other questions? Hey Justin, another question: if you're using Azure that's actually hosted by a CSP and it doesn't allow the, was it the classic compute, service provider, what are your options to work around that? Yeah, I don't know if there is one. I know David James and team, I know they've been working on it; I want to say there's some weird licensing things going on with why they still use the classic resource group. I don't know if there's a workaround, but if you tweet David James I'm sure he'll give you a status update. You might have to set up a different instance; I don't know if there's a good option, but if you tweet him, I know that he would be able to give you whether or not there is an option if you are not using the classic resource, which is required, I think, today still for CMG. But I wouldn't know that one, but I'm sure he could get you an answer pretty quickly. Yeah, hi guys, I can add to, not answer, that, because we went through that just recently. There are no options; the classic compute is the only option for the CMG at this time. You could add a pay-as-you-go subscription to your tenant to get around that. Mmm, so you can add multiple, add a pay-as-you-go subscription? Yeah. I don't know if I can answer that. No, you can, you cannot... Yep. So here's the UserVoice; looks like it is quite popular to support the CSP subscription, so it's definitely getting
traction. So I mean I would definitely go vote that up; you know, I'm sure it's something they're trying to work on. There's probably some reason why, you know, it's not in the works; whether it's, I want to say it was something licensing, at one of the events that I was at with DJam, why they were having some issues, but I've got to imagine it's something they want to get done, so I'd probably vote that up as far as trying to get that working. Yeah, I haven't seen that one, hmm, disconnected state. Yeah, I don't have anything good there, I'm not sure; maybe restart SMS Exec, see if that helps anything out. I'd make sure your Azure VMs are running, right, so see if you can RDP into it by enabling that option, but yeah, I'm not sure about that one. 503 is typically unavailable, so it might be something on your VM in Azure potentially. Anyone else though that wants to come off of mute for a question? I'm not seeing anything new in the chat window, so if we don't get anyone in the next maybe 15 seconds or so I think we can call it. I have a quick question, sorry, sir. I think I asked a question but I don't know if I saw the response. I currently have IBCM working in our environment and we were thinking to switch it to CMG DP and MP, and so is it worth looking into it, or since IBCM is working fine, everything is cool, so should we look into it? Well, I mean, if it's working fine I don't see why you would; I mean, if you're happy with it, that's ultimately, I'd say, the factor there. The only drawback for us using IBCM, since, you know, right now everybody's working from home and the bandwidth is getting kind of, you know, congested on our internet-facing DP, um, we have a DP in our DMZ which is kind of getting too much consumed by the guys who are downloading content, slow. Yeah, yeah, that's definitely a good factor where you could offload that content coming into your IBCM internet-facing DP, where you could just offload that into an Azure cloud distribution point, right? So, you know, if
things are becoming, like, unworkable, right, and that machine and traffic is just not feasible for IBCM with the number of clients you now have, yeah, I would say that definitely could be a factor where you could set up, well, to be honest, like, I haven't tested this, but you could even possibly look at setting up a cloud distribution point directly and see if you could just point clients that are on the internet, even coming through IBCM, to your cloud DP. I don't see technically why it wouldn't work; it's not something I've tested, but that might be something you could also look into, where, you know, if IBCM is working fine but it's mainly a content issue, you could try to potentially use a cloud DP even though your clients will still be using your MP for IBCM. Like, internally, like that policy should be pretty low though, so I mean, yeah, maybe set up a cloud DP, see if that could potentially help out, but CMG would definitely be another option where you could certainly use that as well. Yeah, we're doing all this migration actually, upgrade, and since the content, the OS, is kind of huge and it's kind of affecting us badly on our bandwidth on VPN and all this, so we were thinking to switch it to a CMG DP so that we can at least, you know, relax our bandwidth. And use anything else, are you using a task sequence for the upgrade? Yeah, correct. Yeah, I don't know how custom you're getting with that, but one other option you could potentially look at is using a feature update directly, where that would be hosted on Windows Update. Yeah, unfortunately, yeah, it's not gonna work because we have multilingual and our image is kind of used with, like, 11 languages built into it, so people can switch between those languages depending where they are. We tried it but it didn't work for us, the feature update, and it fails because it thinks then we have to download all 11 freaking languages and it was more headache for us than just using, you know, our custom base image. Sure, yeah, that makes sense, that makes sense,
all right, thanks. Yep, any other questions? Looks like we're not getting too much on the chat; anyone want to come off of mute for something? Hi Justin. Yes, oh, go ahead. Yeah, it's, for those, just not a question, but I just want to say a brilliant session. Oh, thank you, thank you, thank you, hopefully it helped. Yes, Justin, Santosh here. Yeah, so configuring CMG without a PKI infrastructure, so just wanted to know what are the certificates which are required apart from third party? Oh yeah, so I mean if you're using CMG without PKI, really the only certificate that would be required would be the certificate when you come into your cloud management gateway, the one that you would come in and browse for when you set up your CMG. So ideally, well, in your case if you don't have PKI, you would definitely be getting a public certificate from a public certificate authority like DigiCert or Comodo or some public authority, and that's gonna be basically what's gonna live on your CMG server out in Azure, right? So this would be the one certificate that would be required, so you would have to go request one. If you're using a public certificate authority, you are gonna have to have, like, validation, like DNS where you can validate you own your public domain; in my case it was setupconfigmgr.com. So that's the only cert that would be required. As far as internally, you can use an eHTTP certificate, which is just self-signed, so you don't need anything there. And then if you don't have PKI, from a client perspective you're either using Azure AD to authenticate or you're using a bulk token if you don't have certificates. So in theory, if you don't have PKI and you want to go the most simple route, you would need one SSL certificate for CMG. Okay, thanks. Okay, cool, well, if we don't have anything else I'll probably send one follow-up email for everyone that registered and just get some ideas about, you know, what you liked, if this might be
helpful to do again about some other topic, and maybe, you know, just ask about different topics that would be helpful for you guys. So if you get that, please fill it out, but outside of that it looks like we're pretty much out of questions, so just want to thank everyone for joining. Justin, can I ask one more question? Huh, yeah, absolutely. So with the public SSL, that's the only cert you'll need, even for the client then, potentially, right? So from a client perspective, if you're using Azure AD joined machines, that could be used for the authentication, right? So that potentially doesn't need a client cert. Or if you're using a bulk token like we did with CCMSetup, or letting the client register with it if it's already enrolled, in 2002, this could potentially be the only certificate that you need. Now if you're using PKI and you've already got client certs, that's probably gonna be easier, just to reuse those, but in theory, yes, you could do everything without a client certificate, but your clients would either have to be registered in Azure AD or you'd have to have a bulk token on 2002, and that would essentially take the place of the client authentication certificate to have the authentication to CMG. So yes, you potentially could have that work just fine without a client cert on them. We actually have this configured on quite a few of them; we have this configured on one of our machines, so I think it's demo 3 Intune, let me look at that one real quick. Yeah, so this one, this is actually one where we installed it using Azure AD, right? So if we come in and look at certlm on this machine, it's not gonna have any client cert directly from Active Directory or a PKI, it's just the Azure stuff. So this is a machine that has no client cert and it's using Azure AD, that's being used for authentication. So if we go and look at ClientIDManagerStartup, when the client went to register we can see that it's registering using Azure AD for that machine. Let me see if I can find where it
actually registered for the first time. So I'm currently hybrid right now; will my hybrid clients be able to work properly then? I think so. Do you know if hybrid works, or does it have to be full, Cody? No, hybrid is, so, yeah, hybrid is the scenario that works as well. So I mean hybrid Azure AD join just means that you have, you know, on-prem AD, you have your AD joined as well as joined to Azure AD, so ultimately what you need is, you know, those tokens in Azure. So by being hybrid Azure AD joined you have device tokens and those device tokens can be used to authenticate to the CMG, so that will work. Okay, yep, great. Here's another machine, so we can see this one has, you know, absolutely no certificates, right, and this one was registered using a bulk token. So, you know, we re-ran CCMSetup, and in addition to that this is actually a workgroup machine as well, so it's not even domain joined at all. Let me see if I can pull this up. Yeah, so this is, like, kind of, you know, the ultimate scenario where you don't even have Azure AD, you don't have local AD, this is simply a workgroup machine and it registered using the bulk token. And there is a video, we do have a video on our YouTube channel, that covers bulk token, like how, a bit more in detail than what we did today. So, you know, when I went and installed this client it registered using the bulk token and that's how it used, essentially, the client authentication that traditionally would have been done using a client cert. And this is a new feature that came out in 2002, so relatively new, and it was specifically done so, you know, if you don't have PKI you at least have some options where you can still, you know, manage devices without the complexity of that, using that token. Yeah, that's great. Yeah, I'm just looking at what I have right now and then going, probably will help situations, maybe just on a workgroup or whatever, so, yep. Cool, awesome, thank you so much for the help. Yeah, yeah, absolutely. Any other questions from anyone? Yeah, session will be posted up on
YouTube. Yeah, I'll probably include a direct link to that as well in, like, the follow-up email. Thank you. Thanks, just a quick one, guys. Sure. It was more just a weird issue I experienced on one deployment that threw me off a little bit; I did end up resolving it, but I'm just wondering if you've come across it before. But there was a client that we'd upgraded to 2002 and we'd run through the cloud management gateway deployment, and when it came to enabling enhanced HTTP on the site, right, obviously not really knowing or seeing what happens in the background when you tick that box, what I didn't notice was that it didn't place the certificate that it creates in the correct store on the machine, and therefore IIS wasn't able to bind it. So that gave me some interesting errors, which ended up, luckily, being able to find that certificate in the SMS store. I have seen some scenarios where, if you move between, whether it be, you know, HTTP and HTTPS and then also checking the enhanced HTTP checkbox, you know, I've seen occasional inconsistencies where you don't see that all of the certificate flow kind of happened, and so generally if you just uncheck the box, apply, let it do its role reinstallation and then check the box; I mean, it's kind of resilient in that way, it'll do role reinstallations, but I've definitely seen some oddities kind of like you're describing where just this little piece or that is missed. So I, yeah, I think it's just kind of like, you know, there's maybe a couple handfuls of ways you can flip those settings around and sometimes there's just a bit of a mix-up on the order of operations on the backend. Yeah, so, yeah, so basically your cert was in SMS, you simply moved it and then you could go find it and then that worked, and then it got bound? It was, that's an odd one, mate, maybe a bug depending on some specific order that you do things. I haven't seen that, but good to know, like, the scenario that that might happen, maybe that will help someone. So
basically his cert for the self-signed SSL for some reason was only in SMS, so that means that IIS didn't bind it, so you basically went in, you copied it to Personal of the computer; did you have to manually bind it after that, or did it? Yeah, so it's essentially, if I went into the bindings and looked for the certificate I couldn't see it at all until I copied it into the Personal store, and then I was able to bind it manually. Yeah, yeah, good to know, I have not seen that, it's an interesting one. Yeah, and I was just freaking out that if I couldn't find that certificate somewhere, how I was going to get it. Yeah, so you can just cycle the role, actually; if you flip eHTTP off, apply, you can even watch, like, the MPMSI log files, it'll reinstall the role, flip it back on and it'll actually regenerate a new certificate and it'll, you know, hopefully follow the right process. And see, but importantly, something that I had tried, cycling it on and off, and it wasn't happy, it still didn't play nice. If it's something you can recreate it couldn't hurt to submit a case and see if it's a bug. Yeah, it was just, it was weird, and that was my first deployment as well, so that was great, it's a fun one, but I just thought I'd throw that one out there. Yeah, cool, anything else? Not for me. All right, perfect, well, thank you everyone for joining, I might go ahead and end the meeting. This will be posted on YouTube, so just check out the YouTube SCCM guides playlist and that's where this should be posted after. Thanks everyone.
Info
Channel: Patch My PC
Views: 9,394
Keywords: CMG SCCM, ConfigMgr CMG, Cloud Management Gateway, SCCM Internet-Clients, Cloud Management Gateware SCCM, Cloud Management Gateway ConfigMgr, Internet-Based Client Management
Id: 8jPYAuOgjD0
Length: 97min 58sec (5878 seconds)
Published: Tue May 26 2020