To walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts:

Setting up the Cloud Management Gateway is not a prerequisite for co-management, but if you want to deploy the ConfigMgr client to Azure AD devices from Intune and use ConfigMgr functionality on those devices, you will need to set up the Cloud Management Gateway.

This post is for Scenario 1: Use Co-Management for Azure AD joined machines.

In part 3 we are going to run through the process of adding the Cloud Management Gateway in ConfigMgr.

IMPORTANT:

  • Before you continue, please make sure you have created all the certificates needed in part 2.
  • This capability does not enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP does not support. For more information, see available Azure services in Azure CSP.

Set up the Azure Services app in Configuration Manager Cloud Services

This connects your Configuration Manager site to Azure AD and is required to allow Azure AD joined machines to authenticate with ConfigMgr.
Azure AD User Discovery is configured as part of the Cloud Management Azure service.

  1. Right-click on Azure Services and click Configure Azure Services.

  2. Choose Cloud Management, and give it a name such as Cloud Management (or anything that you like).

  3. Click Browse… to add the Web app.

  4. Click Create; you should see this dialog.
    Home page URL and App ID URI are assigned automatically.
    If they are empty, enter the information shown in the picture below.

  5. Click Sign in… and log on to your Azure tenant.

  6. Choose the ConfigMgr-ServerApp that you just created, then click OK.

  7. Click Browse… to create the Native client app.
  8. Click Create; you should see this dialog.
    Reply URL is assigned automatically; if it is empty, enter the information shown in the picture below.

  9. Click Sign in… and log on to your Azure tenant.

  10. Choose the ConfigMgr-ClientApp that you just created, then click OK.

  11. Click Next… Next… to complete the wizard.

  12. Grant permissions for the two apps we just created.
    Go to the Azure Portal and click Azure Active Directory > App registrations (Legacy).
    Find the two apps we just created and click Required permissions.

    Then click Grant Permissions, then click OK.
  13. Choose Azure Services > Cloud Management, right-click Azure Active Directory User Discovery, and choose Run Full Discovery Now.

  14. Check the status in SMS_AZUREAD_DISCOVERY_AGENT.log.


    If you did not do step 12 (Grant permissions), you will see an error message like this:
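Step 12 is the one that is easiest to skip and hardest to spot afterwards, since the "Required permissions / Grant Permissions" buttons only exist in the legacy App registrations blade. The following PowerShell is an added example (not code from the original post or from ConfigMgr) that uses the Microsoft Graph PowerShell module to confirm both app registrations exist and that consent has actually been recorded for them. It assumes the Microsoft.Graph module is installed, that the app display names match the ones used in this series (ConfigMgr-ServerApp and ConfigMgr-ClientApp), and that you replace the tenant id placeholder; the "Granted" column is a heuristic (any grant recorded at all), not a check of each individual permission.

```powershell
# Added example, not code from the original post. Checks that the two app
# registrations from steps 3-10 exist and that consent has been recorded for
# them, which is what step 12 ("Grant Permissions") does in the portal.
# Assumptions: the Microsoft.Graph PowerShell module is installed, the app
# display names match this series (ConfigMgr-ServerApp, ConfigMgr-ClientApp),
# and the tenant id below is a placeholder you replace with your own.

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

# Read-only scopes are enough to inspect registrations and consent grants.
Connect-MgGraph -TenantId '<your-tenant-id>' -Scopes 'Application.Read.All', 'Directory.Read.All'

function Test-CMAppConsent {
    param([Parameter(Mandatory)][string]$DisplayName)

    $app = Get-MgApplication -Filter "displayName eq '$DisplayName'" | Select-Object -First 1
    if (-not $app) {
        return [pscustomobject]@{ App = $DisplayName; Found = $false; Granted = $false }
    }

    # Consent is recorded on the service principal (the tenant-side object),
    # not on the application object, so look that up by appId.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'" | Select-Object -First 1
    if (-not $sp) {
        return [pscustomobject]@{ App = $DisplayName; Found = $true; Granted = $false }
    }

    # Delegated permissions granted tenant-wide (how the native client app is
    # allowed to call the server app) appear as OAuth2 permission grants.
    $delegated = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'")

    # Application permissions (used by the server app for Azure AD user
    # discovery) appear as app role assignments on the service principal.
    $appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id)

    [pscustomobject]@{
        App             = $DisplayName
        AppId           = $app.AppId
        Found           = $true
        # number of resource APIs the manifest asks for (e.g. Microsoft Graph)
        RequiredApis    = @($app.RequiredResourceAccess).Count
        DelegatedGrants = $delegated.Count
        AppRoleGrants   = $appRoles.Count
        # heuristic: no grants at all means step 12 was never completed
        Granted         = ($delegated.Count + $appRoles.Count) -gt 0
    }
}

'ConfigMgr-ServerApp', 'ConfigMgr-ClientApp' |
    ForEach-Object { Test-CMAppConsent -DisplayName $_ } |
    Format-Table -AutoSize
```

If an app shows RequiredApis greater than 0 but Granted is False, consent was never given and user discovery will fail exactly as described in step 14; after granting it, re-run the full discovery and the error should disappear.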


Set up Cloud Management Gateway (Azure Resource Manager deployment)

Starting with ConfigMgr Current Branch 1802, there is a new option for deploying the Cloud Management Gateway: Azure Resource Manager deployment.
Starting with ConfigMgr Current Branch 1806, the Cloud Management Gateway can also serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs. To enable it, select the option Allow CMG to function as a cloud distribution point and serve content from Azure storage on the Settings tab of the CMG properties.

  1. Choose “Azure Resource Manager deployment” and click Sign In.

  2. After you sign in with your subscription admin account, you should be able to see your subscription ID, Azure AD app name, and Azure AD tenant name.

  3. Choose to create a new resource group or use an existing one.
    Click Browse and choose the cloud management gateway certificate that we created in Part 2.

  4. Click Certificates uploaded to the cloud service: Certificates…
  5. Click Add and choose the RootCA.cer that we created in part 2.
    NOTE:
    If you have a subordinate CA, add it as an Intermediate Certification Authority.

  6. Next… Next… Next… Close to complete the setup.
  7. To view the status, check CloudMgr.log or the Admin console.
    It took about 20 minutes to finish the installation in my test environment.
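Both step 14 above (SMS_AZUREAD_DISCOVERY_AGENT.log) and step 7 here (CloudMgr.log) come down to reading ConfigMgr log files and finding the warning and error entries. The following PowerShell is an added example, not code from the original post or from ConfigMgr: it parses the standard ConfigMgr log line format (<![LOG[message]LOG]!><time="…" date="…" component="…" … type="…" …>) and returns only the entries whose type is warning (2) or error (3). It assumes one log entry per line and that the log root path you pass in is the Logs folder under your ConfigMgr installation directory; the path and the sample lines in the block are placeholders constructed for this example.

```powershell
# Added example, not code from the original post. Parses ConfigMgr log lines
# (SMS_AZUREAD_DISCOVERY_AGENT.log, CloudMgr.log, ...) and surfaces the
# warning/error entries. Assumes one <![LOG[...]LOG]!><...> entry per line.

function Get-CMLogEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line
    )
    begin {
        # type="1" info, "2" warning, "3" error in the ConfigMgr log schema
        $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"\s+component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"\s+thread="(?<Thread>\d+)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        foreach ($l in $Line) {
            $m = [regex]::Match($l, $pattern)
            if (-not $m.Success) { continue }   # skip lines that are not log entries
            [pscustomobject]@{
                Date      = $m.Groups['Date'].Value
                Time      = $m.Groups['Time'].Value
                Component = $m.Groups['Component'].Value
                Severity  = $severity[$m.Groups['Type'].Value]
                Thread    = $m.Groups['Thread'].Value
                Message   = $m.Groups['Message'].Value
            }
        }
    }
}

function Get-CMLogProblem {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Tail = 2000   # only look at the most recent entries
    )
    Get-Content -Path $Path -Tail $Tail |
        Get-CMLogEntry |
        Where-Object Severity -ne 'Info'
}

# Constructed sample lines (not real log output) showing the shape of the result.
$sample = @(
    '<![LOG[Sample info entry (constructed for this example)]LOG]!><time="20:32:10.100+000" date="08-23-2018" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="1" thread="10768" file="sample.cpp:1">',
    '<![LOG[Sample error entry (constructed for this example)]LOG]!><time="20:32:11.000+000" date="08-23-2018" component="SMS_AZUREAD_DISCOVERY_AGENT" context="" type="3" thread="10768" file="sample.cpp:2">'
)
$sample | Get-CMLogEntry | Where-Object Severity -ne 'Info' | Format-Table Date, Time, Severity, Message -AutoSize

# Real usage: point it at the Logs folder of your ConfigMgr installation (placeholder path).
$LogRoot = '<ConfigMgr install dir>\Logs'
Get-CMLogProblem -Path (Join-Path $LogRoot 'SMS_AZUREAD_DISCOVERY_AGENT.log') | Format-Table -AutoSize
Get-CMLogProblem -Path (Join-Path $LogRoot 'CloudMgr.log') | Format-Table -AutoSize
```

Running this against CloudMgr.log every few minutes during the roughly 20-minute deployment gives you the same picture as the Admin console, and filtering on Severity keeps the deployment's many informational lines out of the way.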


Configure the Cloud management gateway connection point

  1. Log on to server CM02.zit.local.
  2. Add Site System Roles and choose Add Cloud management gateway connection point.

  3. Next, it should show the cloud management gateway name. Click Next to install the cloud management gateway connection point role.


The Cloud Management Gateway is now configured; next we need to configure the Management point and Software Update point to use the gateway.

Continue to Part 4 (Management point and Software Update point).

For log files for troubleshooting the cloud management gateway, see this.

For more details about the Cloud Management Gateway, see this.


Comments
  • Nirmal, posted at 21:11 August 23, 2018

    Hi Team, I am trying to configure CMG, but it resulted in the error below.

    Resource Manager – Initialized SMS_CLOUD_SERVICES_MANAGER 8/23/2018 8:32:10 PM 10768 (0x2A10)
    Resource Manager – Listing keys of storage service XXXXXXXX SMS_CLOUD_SERVICES_MANAGER 8/23/2018 8:32:10 PM 10768 (0x2A10)
    ERROR: Resource Manager – Failed to list keys for storage service xxxxxxxx with status code NotFound. Check [Monitor/Activity log] on Azure Portal for more information SMS_CLOUD_SERVICES_MANAGER 8/23/2018 8:32:10 PM 10768 (0x2A10)
    ERROR: Exception occured during monitoring of service XXXXXXXXX : Exception Hyak.Common.CloudException: Failed to start deployment slot~~ at Microsoft.ConfigurationManager.AzureManagement.ResourceManager.GetStorageServiceKey(String resourceGroupName, String storageServiceName)~~ at Microsoft.ConfigurationManager.CloudServicesManager.ServiceMonitorTask.MonitorCloudDistributionPoint() SMS_CLOUD_SERVICES_MANAGER 8/23/2018 8:32:10 PM 10768 (0x2A10)
    STATMSG: ID=9429 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_CLOUD_SERVICES_MANAGER” SYS=XXXXSITE SERVER.XX.COM SITE=E01 PID=3196 TID=10768 GMTDATE=Thu Aug 23 18:32:10.217 2018 ISTR0=”xxxxxxx” ISTR1=”Failed to start deployment slot” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=1 AID0=404 AVAL0=”[“Display=\\PRDSCCMCMG.HM.COM\”]MSWNET:[“SMS_SITE=E01″]\\xxxxxx.xx.COM\” SMS_CLOUD_SERVICES_MANAGER 8/23/2018 8:32:10 PM 10768 (0x2A10)
    WARNING: Warning: Exception during cloud service monitoring task for service XXXXXXX SMS_CLOUD_SERVICES_MANAGER 8/23/2018 8:32:10 PM 10768 (0x2A10)
    WARNING: Exception Hyak.Common.CloudException:Failed to start deployment slot SMS_CLOUD_SERVICES_MANAGER 8/23/2018 8:32:10 PM 10768 (0x2A10)
    WARNING: Stack trace: at Microsoft.ConfigurationManager.AzureManagement.ResourceManager.GetStorageServiceKey(String resourceGroupName, String storageServiceName)~~ at Microsoft.ConfigurationManager.CloudServicesManager.ServiceMonitorTask.MonitorCloudDistributionPoint()~~ at Microsoft.ConfigurationManager.CloudServicesManager.ServiceMonitorTask.Start(Object taskState) SMS_CLOUD_SERVICES_MANAGER 8/23/2018 8:32:10 PM 10768 (0x2A10)

    • Zeng Yinghua, posted at 11:10 August 24, 2018

      Hello, are you using CB 1806? Can you run the Connection Analyzer and see what the result is?

      • Shehzad Khan, posted at 03:50 July 10, 2019

        Hi Zeng,
        How do you give “Required Permissions” –> “Grant Permissions” in the latest Azure Console? I reckon the latest console has these options deprecated. It now gives an option of “API Permissions” and then a number of granular permissions. So I am not sure what exactly to configure in the new console. Can you please help?

        • Zeng Yinghua, posted at 13:55 July 10, 2019

          Hello, thanks for asking this. You will find the same settings under “App registrations (Legacy)”. I just updated the post.

  • Wyatt, posted at 17:03 January 30, 2019

    Hi Zeng,

    I have the same error. Running the Connection Analyzer I can see the next lines:

    Check the CMG service y inready state
    State of the CMG service is ‘2’. For more information, see CloudMgr.log on Service Connection Point on CMG deployment progress.

    Failed to connect to the CMG service. Unexpected response status code is NameResolutionFailure. For more information, see SmsAdminUI.log.

    Configuration version of the CMG service should be -1.
    Failed to get CMG service metadata. For more information, see SmsAdminUI.log.

    There is no CMG connection point configured to connect to the CMG service.

    There is no site system roles enabled for the CMG service.

    Regards.

  • Luke Torrens, posted at 14:42 March 23, 2019

    Did anyone find a solution for the error in the comments? I’m having the same, thank you.

    • Doug, posted at 20:54 April 4, 2019

      Luke, did you find any solution to this?

  • Binduraj KP, posted at 06:02 May 22, 2019

    Grant permission to your ServerApp in Azure and create a Resource Group from the Azure Portal.
