How to setup ConfigMgr PKI – part 4 (Management point and Software Update point)

In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts.

IMPORTANT: before you continue, please make sure you have created all the certificates that are needed in part 2.

Change Site properties

  1. Go to Site Properties > Client Computer Communication
  2. Site system settings: HTTPS or HTTP
  3. Check the check box Use PKI client certificate (client authentication capability) when available
  4. Uncheck "Clients check the certificate revocation list (CRL) for site systems" if you didn't publish your CRL to the internet.

Configure Internet Information Service (IIS)

  1. Do the following configuration on your Management point and Software Update point servers.
    In my case, I need to configure IIS settings for CM01.zit.local and CM02.zit.local.
  2. Open Internet Information Service (IIS)
  3. Open Default Web Site, and choose Bindings in the right panel
  4. Edit https

  5. Set the SSL certificate for https: choose the ConfigMgr Web Server certificate that we created in part 2

  6. Open WSUS Administration, and choose Bindings in the right panel

  7. Edit https

  8. Set the SSL certificate for https: choose the ConfigMgr Web Server certificate that we created in part 2

  9. Select the virtual directory APIRemoting30. In Features View, double-click SSL Settings.
  10. On the SSL Settings page, select Require SSL and click Apply in the Actions pane.

  11. Repeat the previous step for the following virtual directories:


  12. Configure the health monitoring feature of WSUS to use SSL.

    "C:\Program Files\Update Services\Tools\WsusUtil.exe" configuressl <Intranet FQDN of the site system server>

  13. Remember to do the same configuration on all your servers that use HTTPS.
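The binding, certificate and Require SSL settings from steps 6 to 12 are easy to get half right on one server and forget on the next. The script below is an added example (not code from the original post) that audits them on a software update point and, when $Enforce is set, applies the missing pieces. It assumes the IIS WebAdministration module is installed, that $ExpectedThumbprint holds the thumbprint of the ConfigMgr Web Server certificate from part 2 (placeholder below), and that the list of virtual directories is extended with the ones your WSUS instance requires SSL on; only APIRemoting30 is named in the post.

```powershell
# Added example, not code from the original post: audit the HTTPS configuration
# that steps 6-12 set by hand on a software update point, and optionally fix drift.
# Assumptions (not from the post): WebAdministration module present,
# $ExpectedThumbprint = thumbprint of the ConfigMgr Web Server cert from part 2.
# Run in an elevated PowerShell session on the WSUS / SUP server.
Import-Module WebAdministration

$SiteName           = 'WSUS Administration'
$ExpectedThumbprint = '<THUMBPRINT-OF-CONFIGMGR-WEB-SERVER-CERT>'   # placeholder
$VirtualDirs        = @('APIRemoting30')   # extend with the other WSUS vdirs that must require SSL
$SiteSystemFqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # intranet FQDN
$Enforce            = $false               # $true = set Require SSL where missing and run WsusUtil

# --- 1. HTTPS binding and the certificate behind it (steps 6-8) ---------------
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "Site '$SiteName' has no HTTPS binding; add one first." }

$boundHash = [string]$binding.certificateHash
Write-Host "HTTPS binding $($binding.bindingInformation) uses certificate $boundHash"
if ($boundHash -ne $ExpectedThumbprint) {
    Write-Warning "Bound certificate is not the expected ConfigMgr Web Server certificate."
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $boundHash }
if (-not $cert) {
    Write-Warning "Certificate $boundHash is not in LocalMachine\My; clients will fail the TLS handshake."
} else {
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }
    if (-not $cert.HasPrivateKey)      { Write-Warning "Certificate has no private key." }
    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is what a web server cert needs.
    if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')) {
        Write-Warning "Certificate lacks the Server Authentication EKU."
    }
    # Clients connect by the intranet FQDN, so the certificate must cover that name.
    $names = @($cert.DnsNameList.Unicode)
    if ($names -notcontains $SiteSystemFqdn) {
        Write-Warning "Certificate does not cover $SiteSystemFqdn (names: $($names -join ', '))."
    }
}

# --- 2. Require SSL on the WSUS virtual directories (steps 9-11) ---------------
foreach ($vd in $VirtualDirs) {
    $psPath = "IIS:\Sites\$SiteName\$vd"
    $access = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/security/access'
    $requiresSsl = ([string]$access.sslFlags -split ',\s*') -contains 'Ssl'
    if ($requiresSsl) {
        Write-Host "$vd : Require SSL is set (sslFlags = '$($access.sslFlags)')"
    } elseif ($Enforce) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/security/access' `
            -Name sslFlags -Value 'Ssl'
        Write-Host "$vd : Require SSL was missing and has been set"
    } else {
        Write-Warning "$vd : Require SSL is NOT set (sslFlags = '$($access.sslFlags)')"
    }
}

# --- 3. WSUS health monitoring over SSL (step 12), the same command as the post -
if ($Enforce) {
    & "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $SiteSystemFqdn
}
```

Run it once in report mode on each HTTPS site system; the warnings map directly onto the numbered steps above, so a warning about a missing EKU or a name that is not covered points back at the certificate template from part 2 rather than at IIS.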

Configure Management point and Software Update point

  1. Open Management point properties
  2. Change Client connection from HTTP to HTTPS
  3. For CM02.zit.local, Check the checkbox Allow Configuration Manager cloud management gateway traffic.
  4. For CM02.zit.local, Choose Allow intranet and Internet connections
  5. For CM02.zit.local, Choose Allow mobile devices and Mac computers to use this management point

  6. Click OK to complete
  7. Open Software update point properties
  8. Check the checkbox Require SSL communication to the WSUS server
  9. For CM02.zit.local, Check the checkbox Allow Configuration Manager cloud management gateway traffic
  10. For CM02.zit.local, Choose Allow Internet and intranet client connections

  11. Click OK to complete
  12. On CM02.zit.local, open SMS_CLOUD_PROXYCONNECTOR.log; in my logs it shows:

    ReportOnlineConnections – state message to send: <Connections ServerName="CM02.ZIT.LOCAL" Time="11.21.2017"><Connection ID="665d0ea6-xxxxx"

  13. In the admin console, open Cloud Management Gateway; the Role Endpoints tab shows which servers' services are using the cloud management point.

Configure Client settings to allow client use cloud services

  1. IMPORTANT: DO NOT modify the Default Client Settings.
    In ConfigMgr 1706, Enable clients to use a cloud management gateway is Enabled by default; if you want to disable it, create a new Device settings policy to do that.
    For more information see this.
  2. Create a new Device settings policy, and set Client Policy > Enable user policy requests from Internet clients to Yes.
    Deploy it to the All Systems collection.

    If you don't configure this setting, you will see this in PolicyAgent.log when the client is on an internet connection.

    Skipping request for user policy assignments for client residing on internet due to agent configuration for authority 'SMS:ZIT'.

  3. Create a device collection named Pilot Co-Management, and add a few domain-joined test devices to this collection for testing co-management.
  4. Create a user collection named MDM Users, and add a few Intune test users to this collection.
  5. Create new Device settings named Default Machine Settings (Allow Cloud) that enable clients to use the cloud distribution point and cloud management gateway, and set it as priority 1.
    Deploy it to the Pilot Co-Management device collection.

  6. Create User settings named Default User Settings (Allow Cloud) that enable clients to use the cloud distribution point and cloud management gateway, and set it as priority 2.
    Deploy the settings to the MDM Users user collection.

Verify Client gets correct settings

  1. Put the test device on the internal network (the device must be a member of the Pilot Co-Management collection; don't put your client on an internet connection yet), then run machine policy and user policy retrieval.
  2. After the policies are applied, check the General tab and confirm that Client certificate is PKI and Connection Type is Currently intranet.
  3. Check Configuration Manager Properties – Network; it should show the client's Internet-based management point (FQDN) setting.

  4. To verify the client's management point configuration, you can also run the following PowerShell command on the client computer:

    Get-WmiObject -namespace root\ccm\locationservices -class SMS_ActiveMPCandidate

  5. (OPTIONAL) You can force the client to always use the cloud management gateway regardless of whether it's on the intranet or the Internet.
    (I wouldn't do that on domain-joined machines.)

    If you want to do that, set the following registry key on the client computer:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1

  6. Put the device on internet connection
  7. Restart SMS Agent Host service
  8. Wait for a while, then open Configuration Manager Properties; you should see Connection Type changed to Currently Internet.

  9. On the cloud management gateway connection point server (CM02.zit.local), SMS_CLOUD_PROXYCONNECTOR.log shows a MessageID when the client tries to communicate with CM02.zit.local.

  10. You will see some applications or packages in Software Center.

    NOTE: Because the Application Catalog (including software approval requests) is not supported through the cloud management gateway, new user-targeted deployments will not show up in Software Center.

  11. Check whether the client gets the correct Software Update point settings:
    Open LocationServices.log on the client; you should see the WSUS Path assigned to the Internet-based management point (FQDN).

    Open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; you should see that the Windows Update settings have changed.

  12. Let's run the Software Updates Scan Cycle:
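Steps 1 to 12 above read the same facts from several places: the Control Panel applet, WMI, LocationServices.log and two registry keys. The script below is an added example (not code from the original post) that collects them in one run on a test client and flags the combinations the post warns about. It assumes, beyond what the post shows, that the root\ccm ClientInfo class exposes an InInternet property and that SMS_ActiveMPCandidate exposes Name and Access; both are marked as assumptions in the code, and a missing property only produces a warning. Setting $TriggerScan to $true runs the Software Updates Scan Cycle (schedule ID ending in 113) as in step 12.

```powershell
# Added example, not code from the original post: gather on one screen what the
# verification steps read from the applet, WMI, logs and registry.
# Run elevated on a test client in the Pilot Co-Management collection.
# Assumed (not from the post): ClientInfo.InInternet, SMS_ActiveMPCandidate.Name/.Access.
$TriggerScan = $false

# Connection type, as shown on the General tab ("Currently intranet" / "Currently Internet").
try {
    $ci = Get-CimInstance -Namespace root\ccm -ClassName ClientInfo -ErrorAction Stop
    if ($null -eq $ci.InInternet) {                      # InInternet: assumed property
        Write-Warning "ClientInfo has no InInternet property on this client version."
    } else {
        $type = if ($ci.InInternet) { 'Currently Internet' } else { 'Currently intranet' }
        Write-Host "Connection type  : $type"
    }
} catch { Write-Warning "Could not read root\ccm\ClientInfo: $_" }

# Site authority and the management point the client is talking to right now.
$auth = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority
Write-Host "Authority        : $($auth.Name)"            # e.g. SMS:ZIT in the post's log line
Write-Host "Current MP       : $($auth.CurrentManagementPoint)"

# Management point candidates, the same class as the command in step 4.
Get-CimInstance -Namespace root\ccm\locationservices -ClassName SMS_ActiveMPCandidate |
    ForEach-Object { Write-Host ("MP candidate     : {0} [{1}]" -f $_.Name, $_.Access) }   # assumed properties

# ClientAlwaysOnInternet (step 5): flag it when set on a domain-joined device.
$sec    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\CCM\Security' -ErrorAction SilentlyContinue
$always = [int]$sec.ClientAlwaysOnInternet
$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
Write-Host "AlwaysOnInternet : $always (domain joined: $domainJoined)"
if ($always -eq 1 -and $domainJoined) {
    Write-Warning "ClientAlwaysOnInternet=1 on a domain-joined device forces every connection through the CMG."
}

# Software update point settings delivered by policy (step 11).
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
Write-Host "WUServer         : $($wu.WUServer)"
Write-Host "WUStatusServer   : $($wu.WUStatusServer)"
if ($wu.WUServer -and $wu.WUServer -notmatch '^https://') {
    Write-Warning "WUServer is not HTTPS; 'Require SSL communication to the WSUS server' is not in effect."
}

# Most recent WSUS Path lines from LocationServices.log (step 11).
$logFile = Join-Path $env:WINDIR 'CCM\Logs\LocationServices.log'
Get-Content $logFile -ErrorAction SilentlyContinue |
    Select-String -SimpleMatch 'WSUS Path' | Select-Object -Last 3 |
    ForEach-Object { Write-Host "LocationServices : $($_.Line)" }

# Optionally trigger the Software Updates Scan Cycle (step 12); 113 is its schedule ID.
if ($TriggerScan) {
    Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000113}' } | Out-Null
    Write-Host "Software Updates Scan Cycle triggered."
}
```

Run it once while the device is on the intranet and again after moving it to the internet connection (steps 6 to 8); the Connection type, Current MP and WUServer lines are the ones that should change between the two runs.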

NOTE: For internet clients, there is no need to assign CM02.ZIT.local (the management point and software update point connected to the cloud management gateway) to any boundary group. However, if you want intranet clients (for example VPN clients) to use the cloud management gateway or cloud resources, you need to assign the CMG to a boundary group.

For more details about monitoring clients on the cloud management gateway, see this.

For the log files used to troubleshoot the cloud management gateway, see this.

Sandy Zeng

Sandy has been an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist with over 10 years of experience, skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft technologies; she is passionate about learning new skill sets to improve her professional career and also as a hobby. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the blog and is now a blogger on MSEndPointMgr.


  • Hi,

    After configuring up to Part 4, my SCCM client is giving errors as it tries to reach the primary MP instead of the Internet site MP.

    Error . URL=https://SMSBOOTCMG.cloudapp.NET/CCM_Proxy_MutualAuth/720……/SMS_mp/.sms_aut?SITESIGNCERT, PORT =443,OPTIONS = 448, ccm_e_bad_http_status_code

    • Hi, in your error message there is an internet address; SMSBOOTCMG.cloudapp.NET is an example in my post. Have you checked whether this SMSBOOTCMG.cloudapp.NET service name was still available before you deployed your CMG?

