In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts;

In part 2, we will prepare and create all the required certificates, the steps are long and boring but very important!


Create Azure Management certificate

An Azure management certificate is required to deploy Azure services by authenticating with service management APIs. For each service you deploy, you should create a new Azure management certificate for it. In this case I use only one Azure Management certificate for cloud management gateway and cloud distribution point, because I think they are both part of ConfigMgr service. Of course you could create two separate Azure management certificates for them, as each in its own right is a service.

  1. Use PowerShell to create a self-signed certificate, change the Subject name to your own domain name, and save it to the D:\ConfigMgr folder.
    #Change Subject name for your own domain name.
    $cert = New-SelfSignedCertificate -DnsName "" -FriendlyName "AzureConfigMgrMgmt" -CertStoreLocation "cert:\LocalMachine\My"
    $password = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
    if (!(Test-Path "D:\ConfigMgr")) { New-Item -Path "D:\ConfigMgr" -ItemType Directory -Verbose }
    Export-PfxCertificate -Cert $cert -FilePath "D:\ConfigMgr\AzureManagement.pfx" -Password $password
    Export-Certificate -Type CERT -Cert $cert -FilePath "D:\ConfigMgr\AzureManagement.cer"


  2. You should be able to see that two certificates were exported.
  3. Upload AzureManagement.cer to Azure. Log on to the Azure portal.
  4. Go to Subscriptions and choose your subscription.
    In my case, I have Pay-As-You-Go. Choose Management certificates

  5. Click on Upload, browse the location where you exported those Azure management certificates, in my case D:\ConfigMgr. Choose AzureManagement.cer, then click upload

  6. You should see your certificate is uploaded to Azure.

Create certificate templates

Create ConfigMgr Web server certificate template for server authentication (IIS)

This template is used for the Management Point and Software Update Point certificates.

  1. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
  2. Right-click Web Server, then click Duplicate Template

  3. Make sure you choose Windows Server 2003, not Windows Server 2008 (if you have Certificate Services installed on Windows Server 2008, you will be prompted for this).

  4. Click on General tab, input Template display name ConfigMgr Web Server Certificate.
  5. Change Validity period as your wish

  6. Click on tab Security, click Add.
  7. Add your ConfigMgr servers or ConfigMgr server AD group (if you created one), give permissions Allow Read, Enroll.
    In my case, I added CM01 and CM02

  8. Click OK to close the dialog.
Create Cloud services (for Cloud Management gateway and Cloud Distribution point) certificate template
  1. Create a duplicate template of the ConfigMgr Web Server Certificate we just created. (Remember to choose Windows Server 2003.)

  2. In General tab, change the template display name to ConfigMgr Cloud Services Certificate

    You don’t need to create separate certificate templates for the cloud management gateway and the cloud distribution point.

  3. Change Validity period as your wish

  4. In Request Handling, choose Allow private key to be exported

  5. Click OK to close the dialog.
Create client authentication certificate template
  1. Right-click on Workstation Authentication and click Duplicate Template.
  2. In General tab, change display name to ConfigMgr Client Certificate
  3. Change Validity period as your wish

  4. Click on tab Security, click Add.
  5. Add Domain Computers, give permissions Allow Read, Enroll, Autoenroll

  6. Click OK to close the dialog.
Create Distribution point certificate template
  1. Right-click on Workstation Authentication and click duplicate template.
  2. In General tab, change display name to ConfigMgr Distribution Point certificate
  3. Change Validity period as your wish

  4. In Request Handling, choose Allow private key to be exported
  5. Click on tab Security, click Add.
  6. Add your distribution point server, give permissions Allow Read, Enroll
  7. Click OK to close the dialog.

Now we should see four ConfigMgr certificate templates created. Close certificate template console.

Enable Certificates to be issued

  1. Right-click on Certificate Templates, then New Certificate Template to Issue

  2. Choose the four certificate templates we just created
  3. You should be able to see something like this

  4. Close Certification Authority


Request certificates

Request certificate for Cloud management gateway
  1. You need to have a unique DNS name in your Azure subscription for cloud services, so go to your Azure portal
    Click New and type Cloud Service. Click on Cloud Service and click Create

  2. In DNS name, input the name that you wish to use and check its availability. In my case, I will use as my Cloud management gateway address.
    IMPORTANT: Do not create the cloud service; this step is only to check DNS name availability.

  3. Open MMC as administrator
  4. Click on File > Add/Remove Snap-in…
  5. In Available snap-ins list, choose certificates
  6. In Certificates snap-in, choose Computer account

  7. Click Next > Finish > OK
  8. Open Certificates (Local Computer) > Personal > Certificates
  9. Right-click on Certificates, choose All Tasks > Request New Certificate…

  10. Click Next, Next. You should be able to see the templates available for enrollment

  11. Check the checkbox on ConfigMgr Cloud Services Certificate
  12. Click on “More information is required to enroll for this certificate. Click here to configure settings.”
  13. In the Subject tab under Subject Name Type drop-down choose Common Name
  14. Input the Value (see step 2), then click Add >

  15. On the General tab, input Friendly name and Description as ConfigMgr CMG

    Tip: I always put some text on Friendly name and Description, it is easier to find those certificates for later use. This is especially true when you have many ConfigMgr roles on same server.

  16. Click OK, then Enroll, then Finish.

  17. Now you have requested your cloud management gateway certificate
Request certificate for Cloud Distribution point

This is almost the same process as requesting the certificate for the cloud management gateway.

  1. Same as above “Request certificate for cloud management gateway”, verify a unique DNS name in Azure Portal Cloud services, I use
  2. Use ConfigMgr Cloud Services Certificate template to request certificate
  3. In Subject name, select Type: Common name and Value:, then click Add
  4. In Alternative name, select Type: DNS and Value:, then click Add
  5. In General tab, input Friendly name and Description as ConfigMgr Cloud DP
  6. Click OK, then Enroll.
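The same two requests (CMG with a Common Name only, Cloud DP with a Common Name plus a DNS alternative name) can be made from PowerShell instead of the MMC wizard. This is an added example, not code from the original post; it assumes the template name (not the display name) is ConfigMgrCloudServicesCertificate, which is what duplicating a template with the display name "ConfigMgr Cloud Services Certificate" produces unless you renamed it, and the two DNS names are placeholders for the names you verified as available in the Azure portal.

```powershell
# Added example, not from the original post.
# Assumption: the template *name* is ConfigMgrCloudServicesCertificate (display name with spaces removed).
$cmgName     = "<your-cmg-dns-name>"       # placeholder: the DNS name verified in step 2
$cloudDpName = "<your-cloud-dp-dns-name>"  # placeholder: the DNS name verified for the cloud DP
$template    = "ConfigMgrCloudServicesCertificate"
$store       = "Cert:\LocalMachine\My"

function Set-FriendlyName([string]$Thumbprint, [string]$Name) {
    # Re-read the certificate from the store so the friendly name is persisted with it.
    (Get-ChildItem $store | Where-Object Thumbprint -eq $Thumbprint).FriendlyName = $Name
}

# CMG request: the post sets only the Common Name.
$cmg = Get-Certificate -Template $template -SubjectName "CN=$cmgName" -CertStoreLocation $store
if ($cmg.Status -ne "Issued") { throw "CMG certificate request not issued, status: $($cmg.Status)" }
Set-FriendlyName $cmg.Certificate.Thumbprint "ConfigMgr CMG"

# Cloud DP request: Common Name plus a DNS subject alternative name.
$dp = Get-Certificate -Template $template -SubjectName "CN=$cloudDpName" -DnsName $cloudDpName -CertStoreLocation $store
if ($dp.Status -ne "Issued") { throw "Cloud DP certificate request not issued, status: $($dp.Status)" }
Set-FriendlyName $dp.Certificate.Thumbprint "ConfigMgr Cloud DP"

# Confirm both certificates are in the store with a private key (needed for the PFX export later).
Get-ChildItem $store | Where-Object FriendlyName -like "ConfigMgr C*" |
    Select-Object FriendlyName, Subject, HasPrivateKey, NotAfter
```

If the CA manager approval setting is enabled on the template the status will be Pending rather than Issued, and the request has to be approved on the CA first.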
Request Web certificate (IIS) for MP, SUP, DP

We need to request a web certificate for the Management Point, Software Update point and Distribution point. Then we will need to assign these certificates in IIS.

  1. Log on to the servers that host the MP, SUP and DP roles
  2. Use ConfigMgr Web Server certificate template to request certificate
  3. Don’t change anything on Subject name Type
  4. In Alternative name type, choose DNS
  5. Input the Value: add both the FQDN and the NETBIOS name of your MP, SUP or DP

  6. In General tab, input Friendly name and Description: ConfigMgr CM01 Web Server
Request certificate for Distribution point
  1. Use ConfigMgr Distribution Point certificate template to request certificate
  2. Click on Enroll

Export certificates

You will need to export all of the certificates you have just created.

Export Cloud management gateway certificates
  1. Right-click on the ConfigMgr CMG certificate, choose All Tasks > Export, and go through the wizard

  2. Choose No, do not export the private key, save it as CMG.cer to D:\ConfigMgr folder.

  3. Export ConfigMgr CMG certificate again, this time choose Yes, export private key

  • Add a password to protect your private key

  • Next, Save it as CMG.pfx to D:\ConfigMgr folder.
Export Cloud distribution point certificates
  1. Right-Click on ConfigMgr Cloud DP certificate. Repeat the same steps as the export ConfigMgr CMG certificate, with and without private key
  2. Save them as CloudDP001.cer and CloudDP001.pfx to D:\ConfigMgr folder.
Export Distribution point certificates

Note: This has nothing to do with co-management. However, since most of the ConfigMgr roles are using SSL, I wanted to use SSL on the distribution point too.

  1. Right-click on the ConfigMgr Distribution Point certificate. Repeat the same steps as for exporting the ConfigMgr CMG certificate, but export it only with the private key (PFX)
  2. Save it as CM01DP.pfx to D:\ConfigMgr folder.
Export Root certificates
  1. Open any of those certificates, for example ConfigMgr CM01 Web Server

  2. Choose Certification Path tab, Click on View Certificate

  3. Click on Details, then click on Copy to File…

  4. Save it as RootCA.cer to D:\ConfigMgr folder.
  5. If you have subordinate CA, you need to export that as well.

Configuring Auto enrollment of the Workstation Authentication Template by Using Group Policy

  1. Create a new GPO name Autoenroll Certificate

  2. Go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies
  3. Open Certificate Services Client - Auto-Enrollment, choose Configuration Model: Enabled
  4. Right-Click on Trusted Root Certification Authorities, choose Import…


  • Import the RootCA.cer we just created, using the default settings

  • Link this GPO to your domain, so that domain-joined computers will automatically get the ConfigMgr Client certificate
  • Log on to a domain-joined machine and run gpupdate /force (so that it applies the auto-enroll certificate policy we just created; alternatively, restart the computer)
  • After the auto-enroll certificate GPO is applied, you should see something like this; the Certificate Template column shows ConfigMgr Client Certificate


When you have finished all these steps, you should have 8 certificates in total in the D:\ConfigMgr folder.
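Before moving on to Part 3 it is worth checking the eight exported files for the properties the later parts depend on: a .pfx must carry a private key and a .cer must not, the CMG, cloud DP and web server certificates must have the Server Authentication EKU, the DP certificate (duplicated from Workstation Authentication) the Client Authentication EKU, and every CA-issued certificate must chain to RootCA.cer. This is an added example, not code from the original post; it assumes the file names used in this post and uses "YourPassword" as a placeholder for the password you set when exporting the PFX files.

```powershell
# Added example, not from the original post: sanity-check the eight files that Part 2
# leaves in D:\ConfigMgr before Part 3 uses them. Assumes the file names used in this
# post; "YourPassword" is a placeholder for the password set when exporting the PFX files.
using namespace System.Security.Cryptography.X509Certificates

$folder  = "D:\ConfigMgr"
$pfxPass = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
$root    = [X509Certificate2]::new((Join-Path $folder "RootCA.cer"))

# Expectations per file. EKU OIDs are the standard ones: Server Authentication
# (1.3.6.1.5.5.7.3.1) for the Web Server-derived templates, Client Authentication
# (1.3.6.1.5.5.7.3.2) for the Workstation Authentication-derived DP template.
$serverAuth = "1.3.6.1.5.5.7.3.1"; $clientAuth = "1.3.6.1.5.5.7.3.2"
$expected = @(
    @{ File = "AzureManagement.cer"; Pfx = $false; Eku = $null;       Issued = $false }  # self-signed
    @{ File = "AzureManagement.pfx"; Pfx = $true;  Eku = $null;       Issued = $false }
    @{ File = "CMG.cer";             Pfx = $false; Eku = $serverAuth; Issued = $true  }
    @{ File = "CMG.pfx";             Pfx = $true;  Eku = $serverAuth; Issued = $true  }
    @{ File = "CloudDP001.cer";      Pfx = $false; Eku = $serverAuth; Issued = $true  }
    @{ File = "CloudDP001.pfx";      Pfx = $true;  Eku = $serverAuth; Issued = $true  }
    @{ File = "CM01DP.pfx";          Pfx = $true;  Eku = $clientAuth; Issued = $true  }
)

foreach ($e in $expected) {
    $path = Join-Path $folder $e.File
    if (-not (Test-Path $path)) { Write-Warning "$($e.File) is missing"; continue }
    $cert = if ($e.Pfx) { [X509Certificate2]::new($path, $pfxPass, [X509KeyStorageFlags]::DefaultKeySet) }
            else        { [X509Certificate2]::new($path) }
    $ekus = @($cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
              ForEach-Object { $_.EnhancedKeyUsages } | Select-Object -ExpandProperty Value)
    $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | ForEach-Object { $_.Format($false) })
    # Build the chain offline (no revocation lookup) and require it to end at RootCA.cer;
    # a missing subordinate CA file shows up here as ChainOK = False.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $built = $chain.Build($cert)
    $top = if ($built) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate } else { $null }
    [pscustomobject]@{
        File     = $e.File
        Subject  = $cert.Subject
        SAN      = $san
        NotAfter = $cert.NotAfter
        KeyOK    = ($cert.HasPrivateKey -eq $e.Pfx)   # .pfx must carry a key, .cer must not
        EkuOK    = ($null -eq $e.Eku) -or ($ekus -contains $e.Eku)
        ChainOK  = (-not $e.Issued) -or ($null -ne $top -and $top.Thumbprint -eq $root.Thumbprint)
    }
}
```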

Next we will start Part 3 – setup cloud management gateway.


  • Spotter
    Posted at 03:04 December 2, 2017


    Thanks for the informative blog. With the certificate creations, which server do we use? Does it matter? For example, the Azure certificates, do we generate that from the web server or any server is fine.

    I am looking at setting this up for a corporate customer. They have a strict security policy and not liking the idea of auto provisioning the Azure VM instance when creating the CMG. They want to set one up prior with the proper subnet etc, and security settings. My question is, after the creation of CMG on the console, can we point it to the Azure VM we want?


    • Zeng Yinghua
      Posted at 12:16 December 5, 2017

      Hi, if you are making self-signed Azure Management Certificates, you can do that on any server. For your second question, I don’t have an answer for that, I didn’t test multiple VM instances. Based on this article ( ), the supported client number per CMG VM instance is 6k in the 1702 release; if your customer doesn’t have 6k internet clients, perhaps one VM instance is enough.

      • Spotter
        Posted at 01:08 December 6, 2017

        Thanks for your reply. Appreciate it.

  • Peter
    Posted at 15:09 December 20, 2017

    Hello Sandy, first of all, great blog!
    Secondly, I have a question:
    is it necessary for the azure management certificate to have the suffix “” in the DNS name?

    • Zeng Yinghua
      Posted at 17:00 December 20, 2017

      Hi Peter,
      Based on my test for CMG and Cloud DP, it was not necessary to use the suffix “” for the Azure management certificate.
      But since it was mentioned in Microsoft Docs, perhaps there are some reasons for that. Honestly I don’t know. 🙂
      — Sandy

  • Varun
    Posted at 10:13 September 30, 2018

    Hi ,

    Could you please tell me, if I don’t use “https” MP, SUP, DP on the primary site, then which certificates and enrollments are NOT required.

    • Zeng Yinghua
      Posted at 14:25 September 30, 2018

      If you don’t use https, that means you are using ConfigMgr CB1806 enhanced http, is that right? In this case, you don’t need the web server certificate and the distribution point certificate. However, in my steps the cloud services template is created as a duplicate of the web server certificate template, so you will need to create the correct templates.

      • Varun Chitra
        Posted at 14:49 September 30, 2018

        I’m using 1802. Testing in lab.
        Have setup like: Primary site with MP,DP(http).

        And want to make another site which is https enabled for internet clients having CMG,MP,SUP, DP.

        PLEASE suggest as per this setup.

  • Drew Klingler
    Posted at 15:46 May 28, 2019

    Is there any usage costs in Azure for uploading the AzureManagement.cer cert?

    • Zeng Yinghua
      Posted at 11:16 June 5, 2019

      I didn’t find any cost details on this. I seem to remember that one subscription can upload 150 AzureManagement certs, but I’m not 100% sure.
