How to use SCCM Cloud Management Gateway bulk registration token

Jonathan LefebvreSCCMLeave a Comment

5
(1)

One of the less-known benefits of the SCCM Cloud Management Gateway is the ability to install the Configuration Manager client to devices that are not connected locally and manage those devices without ever being on the internal network. For example DMZ servers. To do so, the client must be installed by a command line with an SCCM CMG Bulk Registration Token.

In this post, we will show how to use the Bulk Registration Token to enroll DMZ servers to the Cloud Management Gateway.

Requirements

  • Configuration Manager version 2002 or higher
  • Supported OS for Config Manager
  • Cloud Management Gateway configured
  • The certificate used for the Cloud Management Gateway must be trusted by the client that will be installed
    • If the certificate is a Public certificate, with a CNAME, then this will be trusted by default
    • If the certificate is generated by a private CA, make sure you get the root and sub-root added to the device, so it trusts the communication to the Cloud Management Gateway

Create an SCCM CMG bulk registration token

  • Open a command prompt as administrator on the Configuration Manager Primary server and browse to the <ConfigMgr Install folder>\Bin\X64
SCCM CMG bulk registration
  • Run BulkRegistrationTokenTool.exe /new
SCCM CMG bulk registration
BulkRegistrationTokenTool command line switches

The tool is simple. Only 3 switches are available:

  • /?
  • /New
  • /LifeTime

When /new is used without /LifeTime, it will have a default life time of 3 days.

The /LifeTime can be specified and have up to 10,080 minutes (seven days).

  • Once run, copy the Token to a safe place, since it isn’t stored anywhere. This token will later be used on a device to install the Configuration Manager client to a device, without communicating first with a management point.

Enroll a device using the SCCM CMG Bulk Registration token

  • Copy the Client setup content to the destination device
    • Make sure to use the updated version of the client source, at least build 2002
    • Only CCMSetup.exe is required, other files will be downloaded from the Cloud Management Gateway
  • Run a command line as Administrator and run the following command line

ccmsetup.exe /mp:<https://CloudApp.net address> CCMHostName=<CloudApp.net address> SMSSiteCode=<your site code> /regToken:<Registration Token generated earlier>

This is of course on one line, but for clarity, here are the required switches. Pay close attention to the layout of the command.

Important Info
  • To get the Cloud Management Gateway complete address, run the following command line on a device with the SCCM client, in Powershell

(Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq “Internet”}).MP`

For more details about Configuration Manager client install command lines, see Microsoft docs.

  • Run the command on the DMZ server. Within CCMsetup.log, it will display that the download of the client files is happening from the Cloud Management Gateway
SCCM CMG bulk registration
  • On the device, in ClientIDManagerStartup.log, a GUID will be visible for the device.
  • On the internal SCCM Management point, in MP_RegistrationManager.log, that GUID will show up to confirm the registration of that device.
SCCM CMG bulk registration
  • On the device, in ClientLocation.log many information will display the communication to the Cloud Mangement Gateway
  • The client will display that it’s currently using the Connection Type: Always Internet
SCCM CMG bulk registration
Common error

One common error that is likely to happen is to have certificate validation error.

SCCM CMG bulk registration

This kind of error is likely because of one of the following:

  • The certificate used for the Cloud Management Gateway isn’t trusted by the device
  • The Certificate Revocation list isn’t accessible by the device

Review Cloud Management Gateway Bulk Registration Tokens

  • In the SCCM Console
  • Under Administration/Security/Certificates, Bulk registration token are visible.
SCCM CMG bulk registration
  • It is possible to Block a bulk registration token if it’s purpose is completed.
SCCM CMG bulk registration

Client token renewal

The bulk registration token is only useful for the initial communication with the Cloud Management Gateway, to enroll the device within Configuration Manager.

Bulk Registration token

It is not possible to renew a Bulk registration token. Whenever the need for a bulk registration comes, a new must be generated and used toward new devices.

If no other authentication method is used for this device(certificate or Azure AD authentication), the Configuration Manager client will automatically renew its token once a month and will be valid for up to 90 days.

For more details about the Bulk Registration token, see Microsoft docs.

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

Leave a Reply