How to use SCCM Cloud Management Gateway bulk registration token

One of the less-known benefits of the SCCM Cloud Management Gateway is the ability to install the Configuration Manager client to devices that are not connected locally and manage those devices without ever being on the internal network. For example DMZ servers. To do so, the client must be installed by a command line with an SCCM CMG Bulk Registration Token.

In this post, we will show how to use the Bulk Registration Token to enroll DMZ servers to the Cloud Management Gateway.

Requirements

• Configuration Manager version 2002 or higher
• Supported OS for Config Manager
• Cloud Management Gateway configured
  • See our post, Setup SCCM Cloud Management Gateway
• The certificate used for the Cloud Management Gateway must be trusted by the client that will be installed
  • If the certificate is a Public certificate, with a CNAME, then this will be trusted by default
  • If the certificate is generated by a private CA, make sure you get the root and sub-root added to the device, so it trusts the communication to the Cloud Management Gateway

Create an SCCM CMG bulk registration token

• Open a command prompt as administrator on the Configuration Manager Primary server and browse to the <ConfigMgr Install folder>\Bin\X64

• Run BulkRegistrationTokenTool.exe /new

• Once run, copy the Token to a safe place, since it isn’t stored anywhere. This token will later be used on a device to install the Configuration Manager client to a device, without communicating first with a management point.

Enroll a device using the SCCM CMG Bulk Registration token

• Copy the Client setup content to the destination device
  • Make sure to use the updated version of the client source, at least build 2002
  • Only CCMSetup.exe is required, other files will be downloaded from the Cloud Management Gateway
• Run a command line as Administrator and run the following command line

ccmsetup.exe /mp:<https://CloudApp.net address> CCMHostName=<CloudApp.net address> SMSSiteCode=<your site code> /regToken:<Registration Token generated earlier>

This is of course on one line, but for clarity, here are the required switches. Pay close attention to the layout of the command.

• Run the command on the DMZ server. Within CCMsetup.log, it will display that the download of the client files is happening from the Cloud Management Gateway

• On the device, in ClientIDManagerStartup.log, a GUID will be visible for the device.

• On the internal SCCM Management point, in MP_RegistrationManager.log, that GUID will show up to confirm the registration of that device.

• On the device, in ClientLocation.log many information will display the communication to the Cloud Mangement Gateway

• The client will display that it’s currently using the Connection Type: Always Internet

Common error

One common error that is likely to happen is to have certificate validation error.

This kind of error is likely because of one of the following:

• The certificate used for the Cloud Management Gateway isn’t trusted by the device
• The Certificate Revocation list isn’t accessible by the device

Review Cloud Management Gateway Bulk Registration Tokens

• In the SCCM Console
• Under Administration/Security/Certificates, Bulk registration token are visible.

• It is possible to Block a bulk registration token if it’s purpose is completed.

Client token renewal

The bulk registration token is only useful for the initial communication with the Cloud Management Gateway, to enroll the device within Configuration Manager.

If no other authentication method is used for this device(certificate or Azure AD authentication), the Configuration Manager client will automatically renew its token once a month and will be valid for up to 90 days.

For more details about the Bulk Registration token, see Microsoft docs.