The SCCM Cloud Management Gateway (CMG) has been a very popular feature in the past months. With the explosion of work from home, managing devices on the internet has become a must for many organizations. Installing and troubleshooting an SCCM Cloud Management Gateway (CMG) can be challenging. That’s why we released a detailed installation guide a couple of months ago.
This post focuses on CMG troubleshooting steps, on the server side and, most importantly, on the client side. We’ll guide you through various troubleshooting steps to make sure that your SCCM clients are communicating successfully with your newly installed CMG.
For this post, we used an SCCM 2010 server and a Windows 10 20H2 client with the SCCM 2010 client. If you’re using an outdated server or client, you should upgrade to the latest version, as the CMG feature has evolved a lot in the latest release.
SCCM CMG Troubleshooting – Server Side
After you’ve completed your CMG installation, here’s how to check that everything is communicating correctly. We recommend checking the server side first, because if the server is not communicating correctly, there is no chance that the clients are OK.
The first place to check whether your CMG is healthy is the console. There are various ways to check CMG health.
- Go to Administration / Cloud Services / Cloud Management Gateway
- Ensure that the Status is Ready and Connected. If it’s not the case, continue reading.
- Go to Monitoring / Cloud Management. Navigate to the bottom of the Dashboard, to the Cloud Management Gateway Statistics section
- From there, you can validate that some clients are communicating and see their authentication methods.
If there’s anything wrong, the next step is to use the Cloud Management Gateway Connection Analyzer. This tool will help diagnose the problem.
- Go to Administration / Cloud Services / Cloud Management Gateway
- Click on the Connection Analyzer button on the top ribbon
The Cloud Management Gateway Connection Analyzer tool opens. From there, you can test the connection using an Azure AD user or the Client Certificate.
What you’re looking for is all green check boxes:
Fellow MVP Ronny de Jong wrote a perfect article on all the possible states of the Connection Analyzer tool. If you’re running into issues with one of the components, refer to his complete blog post, which describes them.
Cloud Management Gateway Server Log files
There are also various log files on the server side to check for potential problems.
They are located in the SCCM Installation folder \ Logs folder on the primary site server:
- CMG-<cloud_service_name>-ProxyService_IN_0-CMGSetup.log: Records details about the second phase of the cloud management gateway deployment (local deployment in Azure).
- CloudMgr.log: Records details about deploying the cloud management gateway service, ongoing service status, and use data associated with the service.
- CMG-<cloud_service_name>-ProxyService_IN_0-CMGService.log: Records details about the cloud management gateway service core component in Azure.
- SMS_Cloud_ProxyConnector.log: Records details about setting up connections between the cloud management gateway service and the cloud management gateway connection point.
- For troubleshooting client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.
SCCM CMG Troubleshooting – Client Side
Once all services are up and running, you may want to check whether your external clients are actually “talking” to the Cloud Management Point.
The main error at this point is thinking that all your internet clients will just work now. This is a mistake: the client first needs to receive the Client Policy stating that it can use the Cloud Management Gateway. Once the policy has been acquired on the internal network, the client can be tested on the Internet… and not before that.
Another tip is to upgrade your clients to the latest version. Many organizations are not updating their clients using the Auto-Upgrade Feature, so many clients are out of date.
Validate that your CMG Client Settings are set correctly and deployed to the test client:
At this stage, if you are working in the internal network or with a VM, the easiest way to test the communication is to force the client to communicate as if it’s on the internet. To do so, you can change a registry key that makes the client behave as if it is on an internet connection.
- In the registry editor, go to HKLM\Software\Microsoft\CCM\Security\ClientAlwaysOnInternet
- Set the value to 1 and restart the SMS Agent Host service
- After the restart, the client will display the connection type Always internet
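The three steps above as a PowerShell function, added here as an example and not taken from the original post. It assumes ClientAlwaysOnInternet is a DWORD value under the CCM\Security key and that 0 restores normal location detection; the function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run on a test client only.
function Set-CmgInternetSimulation {
    param([Parameter(Mandatory)][bool]$Enabled)

    $key  = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
    $name = 'ClientAlwaysOnInternet'
    if (-not (Test-Path -Path $key)) {
        throw "Key $key not found: is the SCCM client installed on this machine?"
    }

    # Remember the current value so the change can be reported and undone.
    $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # Assumption: DWORD, 1 = always internet, 0 = detect the network location.
    Set-ItemProperty -Path $key -Name $name -Value ([int]$Enabled) -Type DWord

    # "SMS Agent Host" is the display name; the service name is CcmExec.
    Restart-Service -Name CcmExec -Force

    [pscustomobject]@{
        Before  = $before
        After   = (Get-ItemProperty -Path $key -Name $name).$name
        Service = (Get-Service -Name CcmExec).Status
    }
}

Set-CmgInternetSimulation -Enabled $true      # simulate an internet client
# Set-CmgInternetSimulation -Enabled $false   # back to normal location detection
```

Run the second call once testing is done, so the client is not left forced onto the CMG while it sits on the internal network.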
Once you have made sure that the client is on the Internet, click on the Network Tab. Validate that the client “knows” the CMG Name. This should match your deployment name.
Cloudapp.net or an internal name (ex: scd.com) is fine. It depends on the certificate type you used when you created the CMG.
In the SCCM console, go to Devices and ensure that some machines are set to True under Device Online from Internet and that the Device Online Management point lists your CMG.
Cloud Management Gateway Client Log files
On an internet client, you first need to check whether the client is rotating to the Cloud Management Gateway.
On a client, open the C:\Windows\CCM\Logs\ directory. There are 3 logs that give relevant information:
- LocationService.log – Records the client activity for locating management points, software update points, and distribution points.
You need to have a line stating Internet Management Point from assigned MP. Just after this line, your CMG will be listed. Ensure that there are no errors there.
- CCMMessaging.log – Records activities related to communication between the client and management points.
Ensure that there are no errors. You’ll want to see: Deliver Successfully to host…[your CMG URL]
- ClientIDManagerStartup.log – Creates and maintains the client GUID and identifies tasks during client registration and assignment.
This is where you’ll see certificate errors or see whether the client is using the SCCM token-based authentication.
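An added example, not from the original post: the PowerShell below parses the CMTrace entry format these logs are written in and reports, for each of the three files, the number of error entries (type 3) and the most recent entry matching the text the post says to look for. The search strings are assumptions based on the post's wording (exact log text can vary by client version), the function name is hypothetical, and the sample entries at the end are constructed.

```powershell
# Added example, not from the original post. One CMTrace entry looks like:
#   <![LOG[message]LOG]!><time=".." date=".." component=".." context="" type="N" thread=".." file="..">
# type: 1 = info, 2 = warning, 3 = error. A message may span several lines.
$EntryRx = [regex]::new(
    '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"[^>]*?type="(?<type>\d)"',
    [System.Text.RegularExpressions.RegexOptions]'Singleline, IgnoreCase')

function Get-CmgLogSummary {
    param([string]$Name, [string]$Text, [string]$Pattern)
    $entries = @($EntryRx.Matches($Text))
    $errors  = @($entries | Where-Object { $_.Groups['type'].Value -eq '3' })
    $hits    = @($entries | Where-Object { $_.Groups['msg'].Value -match $Pattern })
    $last    = if ($hits.Count -gt 0) { $hits[-1] }
    [pscustomobject]@{
        Log       = $Name
        Entries   = $entries.Count
        Errors    = $errors.Count
        LastError = if ($errors.Count -gt 0) { $errors[-1].Groups['msg'].Value.Trim() }
        LastMatch = if ($last) { '{0} {1} {2}' -f $last.Groups['date'].Value,
                                 $last.Groups['time'].Value, $last.Groups['msg'].Value.Trim() }
    }
}

# Search strings follow the post's wording (assumption: adjust to your client version).
$checks = [ordered]@{
    'LocationService.log'        = 'Internet Management Point'
    'CCMMessaging.log'           = 'Successfully to host'
    'ClientIDManagerStartup.log' = 'token|certificate'
}
$logDir = 'C:\Windows\CCM\Logs'
$report = foreach ($name in $checks.Keys) {
    $path = Join-Path $logDir $name
    if (Test-Path -LiteralPath $path) {
        # -Raw keeps multi-line messages whole; reading line by line would split them.
        $text = [string](Get-Content -LiteralPath $path -Raw)
        Get-CmgLogSummary -Name $name -Text $text -Pattern $checks[$name]
    } else { Write-Warning "$path not found" }
}
$report | Format-List

# Constructed sample entries, so the parser can be tried away from a client.
$sample = @'
<![LOG[Internet Management Point from assigned MP (constructed sample)]LOG]!><time="10:15:32.123+300" date="01-15-2021" component="LocationServices" context="" type="1" thread="4242" file="sample.cpp:1">
<![LOG[Constructed sample error
spanning two lines]LOG]!><time="10:15:40.001+300" date="01-15-2021" component="LocationServices" context="" type="3" thread="4242" file="sample.cpp:2">
'@
Get-CmgLogSummary -Name 'constructed sample' -Text $sample -Pattern 'Internet Management Point' | Format-List
```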
SCCM Cloud Management Gateway Client Report
If you want to easily identify your CMG clients, we have developed a free report that shows all clients communicating through the Cloud Management point. Feel free to download it and let us know your comments so that we can improve it.
Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 5 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intune deployments.