What Does CMG Mean?
On This Page
Quick Definition
CMG stands for Cloud Management Gateway. It is a bridge between your devices on the internet and your company's internal management servers. Instead of requiring devices to connect directly inside your network, CMG allows them to be managed securely from anywhere. It uses the cloud to keep devices updated, report their status, and receive policies.
Commonly Confused With
Cloud Attach is a broad concept of connecting ConfigMgr to Microsoft Intune and Azure. CMG is a specific component under Cloud Attach that provides a cloud-based relay for client management. Cloud Attach also includes co-management and tenant attach.
Cloud Attach is like setting up a whole new office branch in the cloud. CMG is just the secure mailroom in that branch.
Intune is a fully cloud-native MDM service that does not require any on-premises infrastructure. CMG extends an existing on-premises ConfigMgr to the cloud. Intune manages devices directly; CMG is a relay for ConfigMgr.
Intune is like moving to a fully cloud-managed apartment. CMG is like adding a smart doorbell to your existing house so you can answer from anywhere.
A VPN creates an encrypted tunnel that makes a remote device appear to be on the corporate network. CMG does not create a full network tunnel; it only relays specific management traffic. VPN is point-to-point; CMG uses a cloud intermediary.
VPN is like a private underground tunnel from your home to the office. CMG is like using a secure public postal service to send letters back and forth.
Must Know for Exams
The MD-102 exam (Endpoint Administrator) covers CMG extensively because it is central to managing hybrid environments. Specifically, the exam objective 'Manage endpoints using Microsoft Intune' includes deploying and configuring the Cloud Management Gateway. You can expect questions that test your understanding of when to use CMG versus VPN, how to scale CMG, and what certificate requirements are needed.
In the exam, you will see multiple-choice questions asking about prerequisites for CMG deployment. Common correct answers include: an Azure subscription, a CMG connection point role installed on a Windows Server, and a public certificate signed by a trusted root CA. Distractors often mention needing a VPN or DirectAccess, or using self-signed certificates – both of which are incorrect.
You may also encounter scenario-based questions. For example: 'A company has 2000 remote Windows 10 devices. They want to deploy critical security updates without requiring users to connect to the VPN. What should they implement?' The correct answer is CMG. The distractors might include co-management with Intune, which is related but not the complete solution for ConfigMgr-managed content delivery.
Another common exam pattern involves troubleshooting. A question might describe a situation where clients are not receiving policies after CMG is deployed, even though the CMG status shows healthy. You must know to check the client authentication certificate, verify that the CMG connection point is correctly installed, and ensure the management point is configured to accept CMG traffic.
The MD-102 exam also tests your understanding of CMG limitations. For instance, CMG does not support client push installation or OS deployment. It only manages existing clients. It also does not support all site system roles – only management points and software update points are supported behind CMG. Knowing these limitations will help you answer 'which of the following is NOT supported by CMG' questions.
Finally, you should understand the difference between CMG and Intune standalone. CMG is for hybrid devices managed by ConfigMgr with cloud connectivity. Intune standalone is for devices managed solely from the cloud. The exam may present a case study where an organization has an existing ConfigMgr infrastructure and needs to extend remote management – CMG is the right answer. If they had no ConfigMgr, Intune would be the correct choice.
Simple Meaning
Think of CMG as a secure mailbox that sits at the edge of your company's property, but located in the cloud. In the old days, if a laptop left the office, it had to come back physically to get software updates or security policies. That was like having to return to the post office every time you wanted to pick up mail. CMG changes that by providing a cloud-based post office box that your device can access from any Wi-Fi or mobile network.
When a device wants to check for new software or report a security problem, it sends a message to this cloud mailbox. The message is encrypted, so no one can read it while traveling over the internet. Your company's internal management server periodically checks this mailbox, picks up the messages, and drops off replies. The device then collects those replies the next time it checks in.
This whole process happens automatically, without the user needing to do anything special. The device does not need a VPN (Virtual Private Network), and it does not need to be plugged into the office network. CMG handles the handshake and makes sure only authorized devices can use that mailbox. It is a way to extend your office management reach to any device, anywhere, as long as it has internet access. It is like having a remote control for your company laptops that works from any coffee shop in the world.
Full Technical Definition
Cloud Management Gateway (CMG) is a Microsoft Intune feature that enables client management of internet-based devices without requiring a site-to-site VPN or DirectAccess. It acts as a reverse proxy and forwarding relay between Configuration Manager (ConfigMgr) client systems and the on-premises ConfigMgr site server. CMG runs as a cloud service in Microsoft Azure, using a set of virtual machine scale sets that automatically scale based on load.
The architecture involves three main components: the CMG cloud service itself, the CMG connection point (a site system role installed on-premises), and the ConfigMgr client. When a client needs to communicate with the management point or software update point, it sends HTTPS requests over TCP port 443 to the CMG service endpoint. The CMG then forwards these requests through the CMG connection point to the appropriate on-premises role. Responses flow back through the same path.
All traffic is encrypted using SHA-256 certificates and TLS 1.2. The CMG uses client authentication certificates issued by your internal PKI or by Microsoft if you choose the simpler Azure AD-based authentication. For certificate-based authentication, each client must have a trusted root CA certificate chain. The CMG itself has a service certificate that clients trust to verify they are talking to the correct gateway.
From a protocol standpoint, the client uses the same HTTPS-based management point communication it uses on the internal network. The CMG translates these requests, maintaining session persistence and load balancing. It supports both management point traffic and software update point traffic. It also supports the new Microsoft Connected Cache feature to reduce bandwidth consumption for content distribution.
The CMG connection point is a separate site system role that must be installed on a Windows Server that has outbound internet access to Azure. This role creates a persistent outbound TCP connection to the CMG cloud service, which avoids opening inbound firewall ports. This is critical for security because no inbound ports need to be opened on the corporate firewall. The CMG connection point also manages the certificate renewal and monitoring of the cloud service.
In terms of scaling, Microsoft recommends one CMG per primary site. Each CMG deployment can support up to 10,000 concurrently managed devices, and you can deploy multiple CMG instances across different Azure regions to reduce latency. The service can be set to automatic scaling based on CPU utilization, or manual scaling for predictable workloads.
Real-Life Example
Imagine you own a small restaurant that has a private recipe book locked in a safe at home. Every day, before opening, you have to drive home, open the safe, read the recipe for the special sauce, and drive back to the restaurant. That is how old IT management worked – devices had to be physically on the office network to get policies and updates. Now imagine you install a small secure drop box at a public library. You put a copy of the recipe in the drop box, and your chef can go to any library branch, open the drop box with a special key, and read the recipe.
The drop box is the CMG. It sits in a public location (the cloud). The safe at home is your on-premises ConfigMgr server. The chef is your managed laptop. The special key is the client certificate installed on the laptop. When the chef (laptop) needs the recipe (security policy or software update), she goes to the library drop box (CMG). She uses her key (certificate) to prove who she is. The drop box accepts the request and sends it through a secure tube to your home safe (via the CMG connection point). Your home safe (ConfigMgr server) reads the request, grabs the recipe, and sends it back through the same tube to the drop box. The chef picks up the recipe during her next check-in.
The beauty is that you never opened a hole in your home wall. The tube is a one-way outbound connection initiated from your home to the drop box. No hacker can force their way into your home because no inbound port was opened. This is exactly how CMG works – it uses an outbound-only connection from your on-premises environment to Azure, making it very secure.
Why This Term Matters
CMG matters because the modern workforce is no longer tied to desks. IT professionals must manage laptops used by employees working from home, traveling, or sitting in client offices. Before CMG, the only way to manage these remote devices was through VPNs, DirectAccess, or third-party cloud management tools. VPNs require users to connect before receiving updates, which often fails because users forget to connect, or VPNs create network bottlenecks. DirectAccess required specific Windows editions and complex infrastructure.
CMG solves these problems by removing the dependency on a VPN. A device checks into CMG over the public internet, just like you check your email. This ensures that security policies, antivirus definitions, and critical software updates are delivered even when the user never connects to the office network. For compliance, this is huge – you can enforce BitLocker encryption, firewall rules, and application whitelisting on any device, anywhere.
From an infrastructure perspective, CMG reduces the attack surface. Because no inbound firewall ports are opened, your on-premises management servers are not directly exposed to the internet. The CMG connection point initiates all communication outbound, which means attackers cannot scan or target your ConfigMgr infrastructure from the outside. This aligns with the Zero Trust security model: never trust, always verify, and assume breach.
For IT professionals preparing for the MD-102 exam, understanding CMG is critical. Microsoft positions CMG as the recommended solution for managing hybrid-joined devices that are not always on the corporate network. It is a core component of the Modern Device Management strategy that the MD-102 exam heavily emphasizes. Without CMG, you cannot fully implement a cloud-managed hybrid environment that keeps devices compliant whether they are on-premises or remote.
How It Appears in Exam Questions
Questions about CMG on the MD-102 exam appear in three main patterns: deployment prerequisites, configuration decisions, and troubleshooting.
Deployment prerequisite questions often ask: 'Which of the following is required to deploy a Cloud Management Gateway?' Options include an Azure subscription, a PKI infrastructure for client certificates, a CMG connection point role, and TCP port 443 open inbound. The trick is that inbound port 443 is NOT required – the CMG connection point uses outbound communication only. You must also know that the site server must be running a minimum version of ConfigMgr, currently 2010 or later.
Configuration decision questions present a scenario. Example: 'Your company has devices that are Azure AD-joined and managed by ConfigMgr. Users travel globally. You need to ensure devices receive software updates without VPN. Which CMG scaling option should you use?' The correct answer is to deploy CMG in multiple Azure regions to reduce latency. The distractor might be to increase the number of VM instances in one region.
Troubleshooting questions are common. A typical question: 'Clients report that policy updates are not being received after deploying CMG. The CMG service status shows healthy. Client certificates are valid. Management point is configured to allow CMG traffic. What should you check next?' The answer is to verify that the CMG connection point server can reach the CMG service endpoint on Azure over TCP 443. If the connection point's firewall blocks outbound 443, the whole chain breaks.
Another troubleshooting scenario involves certificate issues. A question might say: 'Client logs show error 0x87d00227. The CMG service certificate expires in 30 days. What is the cause?' The trap is that the service certificate expiring is often not the immediate issue – clients check certificate validity, and they will fail if the certificate is not trusted. The correct answer might be that the client does not trust the issuing CA for the service certificate.
Finally, you may get questions that mix CMG with co-management. Example: 'An organization uses both ConfigMgr and Intune for device management. What role does CMG play in this scenario?' The answer: CMG allows ConfigMgr to manage internet-based clients while Intune handles policies for co-managed workloads. The distractor might suggest that CMG replaces Intune, which is false. CMG extends ConfigMgr, not Intune.
Study MD-102
Test your understanding with exam-style practice questions.
Example Scenario
Contoso Ltd. is a medium-sized company with 800 employees. Most employees work from home three days a week. The IT team manages devices using Microsoft Configuration Manager (ConfigMgr) on-premises. Recently, they noticed that remote laptops often miss critical security updates because users seldom connect to the VPN. The IT manager, Priya, decides to deploy Cloud Management Gateway (CMG) to solve this.
Priya first ensures she has an active Azure subscription. She then installs the CMG connection point role on a Windows Server 2022 that has internet access. She requests a public certificate from a trusted CA (Certificate Authority) for the CMG service. She configures the CMG in the Configuration Manager console, selecting the appropriate Azure region close to most employees, which is East US. She sets scaling to automatic with a minimum of two VMs.
After deployment, Priya verifies that the CMG status shows 'Ready'. She then configures the default management point to allow CMG traffic. She creates a new software update group for critical Windows security patches and deploys it to a test collection of 50 remote devices.
The next morning, her colleague Thomas, working from a coffee shop, powers on his laptop. The ConfigMgr client initiates a policy check. It finds the CMG endpoint and sends an encrypted HTTPS request. The CMG forwards this to the on-premises management point via the CMG connection point. The management point responds with the new update policy. Thomas's laptop then downloads the security update directly from the CMG content location or from a connected cache. The update installs successfully. Thomas never had to start a VPN.
Priya checks the console and sees that all 50 devices reported success. She then deploys the update to the entire company. Within two days, 95% of remote devices are patched. The only failures are due to laptops that were powered off for the entire period. Priya is relieved because the VPN bottleneck is gone, and the company's security posture is significantly improved.
Common Mistakes
Thinking CMG requires inbound firewall ports to be opened on the corporate network.
CMG uses an outbound-only connection from the CMG connection point to Azure. No inbound ports are needed on the corporate firewall.
Remember that the CMG connection point initiates a persistent outbound connection to Azure. Your firewall only needs to allow outbound TCP 443.
Believing CMG only works with Azure AD-joined devices.
CMG supports both Azure AD-joined and domain-joined devices, as long as they have a client authentication certificate and can reach the CMG endpoint.
CMG is for hybrid environments. Domain-joined devices with PKI certificates work perfectly. Azure AD-join is not a requirement.
Assuming CMG can be used to deploy operating systems to new computers.
CMG only supports managing existing clients. It does not support task sequences or PXE boot for OS deployment.
Use traditional ConfigMgr methods or Windows Autopilot for OS deployment. CMG is for ongoing management, not initial provisioning.
Thinking you need one CMG per device or per user.
A single CMG deployment can support up to 10,000 clients. Scaling is handled by VM instances, not by deploying more CMGs.
Deploy one CMG per primary site. Use automatic scaling to handle more clients instead of creating multiple CMG deployments.
Exam Trap — Don't Get Fooled
{"trap":"In a question about CMG prerequisites, an option says 'A VPN connection between Azure and on-premises is required.' Many learners choose this because they assume cloud services need a VPN.","why_learners_choose_it":"They confuse CMG with other Azure services that require a site-to-site VPN or ExpressRoute for security.
CMG is specifically designed to avoid VPN.","how_to_avoid_it":"Remember that CMG is built to eliminate the need for VPN. The outbound-only CMG connection point is the key differentiator.
If a question option includes VPN or DirectAccess as a requirement for CMG, it is almost certainly wrong."
Step-by-Step Breakdown
Assess Prerequisites
You need an active Azure subscription, a ConfigMgr site running version 2010 or later, a Windows Server for the CMG connection point with internet access, and a public certificate for the CMG service. Client authentication certificates are also required unless using Azure AD authentication.
Install the CMG Connection Point Role
In the ConfigMgr console, add a new site system role on a Windows Server. Choose Cloud Management Gateway Connection Point. This server must have outbound internet access to Azure on TCP 443. It will manage the communication bridge.
Create the CMG Cloud Service
In the ConfigMgr console, right-click Cloud Services and select Create Cloud Management Gateway. Provide a name, select the Azure environment, and upload the public certificate. Configure scaling settings and the Azure region. The wizard deploys the service to your Azure subscription.
Configure Management Point for CMG
Go to the properties of your management point site system role. On the General tab, enable 'Allow Configuration Manager cloud management gateway traffic'. This tells the management point to accept requests coming through CMG.
Configure Client Settings
Create a custom client settings policy that enables 'Enable clients to use a cloud management gateway'. Deploy this policy to the collection of devices you want to manage remotely. Clients will then attempt to discover and use the CMG endpoint.
Distribute Client Authentication Certificates
Ensure all target devices have a valid client authentication certificate issued by a CA trusted by the ConfigMgr site. You can use group policy or a certificate profile to deploy certificates. Without this, clients cannot authenticate to CMG.
Monitor and Verify
Check the CMG status in the Cloud Services node. It should show as Ready. On a client device, open the Configuration Manager control panel and verify it lists the CMG in the Management Points tab. Check client logs (LocationServices.log, ClientIDManagerStartup.log) for successful CMG location discovery.
Practical Mini-Lesson
When deploying CMG in a production environment, the first practical step is to plan your certificate strategy. You have two authentication options: client authentication certificates (PKI) or Azure AD authentication. For PKI, you need a two-tier PKI: an offline Root CA and an issuing CA. The issuing CA must be published in the certificate revocation list (CRL) that clients can reach over the internet. If the CRL is not accessible, clients will fail to authenticate. Many deployments stumble here by not publishing the CRL to a publicly accessible URL.
Next, consider the CMG service certificate. This is the certificate that the client uses to verify the CMG endpoint's identity. It must be issued by a public CA (like DigiCert or Let's Encrypt) or by an internal CA that clients already trust. Using an internal CA means you must export the root CA certificate and deploy it to all managed clients as a trusted root. For simplicity, many organizations use a public CA certificate for the CMG service because clients already trust public CAs by default.
Scaling is another practical consideration. Automatic scaling works well, but you should set a minimum number of VM instances to handle baseline traffic. When you deploy a new software update, CMG VMs may spike in CPU usage. Automatic scaling adds instances, but there is a delay of about 5 minutes. For predictable large deployments (like a monthly Patch Tuesday), consider manually scaling up a few hours before.
Content distribution is also important. CMG can store content (application files, updates) in Azure storage. However, downloading content from Azure across WAN links can be slow for large files. Microsoft recommends using Connected Cache, which caches content on local servers or on the CMG itself to reduce bandwidth. Alternatively, use peer-to-peer content distribution with Delivery Optimization. Finally, monitor the CMG connection point server. It must have reliable internet connectivity. If the connection point goes offline, all cloud management stops. Use redundant CMG connection points for high availability. You can install up to two connection points per primary site. Also, set up alerts in ConfigMgr to notify you if the CMG service becomes unhealthy or if the certificate is about to expire.
Memory Tip
Think 'Outbound Only, No VPN' – the CMG connection point only talks out, making it secure and eliminating the need for VPN.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Frequently Asked Questions
Does CMG require an Azure subscription for each site?
Yes, each primary site that uses CMG needs its own Azure subscription. You can use the same subscription for multiple sites, but each CMG deployment is tied to one subscription.
Can CMG manage macOS or Linux devices?
No, CMG only supports Windows devices managed by Configuration Manager. For macOS or Linux, you need Intune or a third-party MDM.
What happens if the CMG connection point server goes offline?
Clients will continue to cache policy and inventory data locally. When the connection point returns, the data will be forwarded. However, no new policies or updates will be delivered until the connection is restored.
Is CMG the same as the Intune management gateway?
No. CMG is specific to Configuration Manager. The Intune management gateway is a conceptual term for how Intune communicates with devices. They are different technologies.
Do users see any notification when using CMG?
No, CMG operates transparently in the background. Users do not see any pop-ups or prompts related to CMG.
Can I use CMG with a third-party certificate for the service?
Yes, you can use a certificate from any trusted public CA. The certificate must have a subject name matching the CMG service name and must support TLS 1.2.
How many CMG connection points can I have per site?
You can deploy up to two CMG connection points per primary site for redundancy.
Does CMG support IPv6?
Yes, as of Configuration Manager 2103, CMG supports IPv6 addresses for client communication.
Summary
Cloud Management Gateway (CMG) is a critical component for any IT professional managing a hybrid environment with Configuration Manager. It extends the reach of your on-premises management infrastructure to any internet-connected Windows device without requiring a VPN. This is a game-changer for remote work, ensuring that devices receive security updates, compliance policies, and software deployments regardless of their physical location.
For the MD-102 exam, you must understand the prerequisites, configuration steps, and limitations of CMG. Remember that it requires an Azure subscription, a CMG connection point role, and proper certificates. It operates with outbound-only connections, which enhances security. It supports management point and software update point traffic but does not support OS deployment or client push.
The key exam takeaway is that CMG is the bridge between the on-premises world and the cloud, enabling modern device management without overhauling your existing infrastructure. Master the deployment steps, common pitfalls (like certificate issues and scaling), and you will be well-prepared for exam questions on this topic.