Troubleshooting Cloud Management Gateway: Quickly & effectively /w CMG Connector Analyzer

In Technical Preview 1805 of Configuration Manager Current Branch, Microsoft introduced the Cloud Management Gateway Connector Analyzer. It is a highly valued feature and a great starting point to troubleshoot your Cloud Management Gateway (CMG) in case you run into any issues. In short, it’s a more than welcome and helpful feature!

In a nutshell, the Cloud Management Gateway Connection Analyzer validates your Cloud Management Gateway deployment on 6 points, namely:

  1. Validates whether CMG is in a ready state;
  2. Validates whether CMG services are running;
  3. Validates whether CMG is using an up-to-date configuration;
  4. Validates connection state between CMG Connection Point and CMG;
  5. Validates whether site systems are associated with CMG;
  6. Validates whether Management Point is available and/or well configured;

This blog post provides first aid guidance to troubleshoot your Cloud Management Gateway(s).

Client Authentication Method

The Cloud Management Gateway Connection Analyzer can be found in the Cloud Services section of the Administration pane. There are two client authentication options to connect to the Cloud Management Gateway.

  • Azure AD User (this can be a regular Azure AD user);
  • Client certificate (currently use the Certificate File option, as the console is by default started in a user context instead of the system context);

CMG_sign_in

Once connected successfully with a valid Azure AD Account or Client Certificate we can start the connection analyzer to verify the Cloud Management Gateway is working properly.

Cloud Management Gateway Ready State

By deploying the Cloud Management Gateway as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. The cloud service authenticates and forwards Configuration Manager client requests to the CMG connection point. The cloud service can be in one of the following states:

  • ServiceState 0 – Started
  • ServiceState 3 – UndergoingMaintenance
  • ServiceState 4 – Starting
  • ServiceState 5 – Stopping
  • ServiceState 6 – Stopped
  • ServiceState 7 – ReadyRole

The illustration below indicates the CMG service is in ready state and therefore available.

CMG_ready_state

CMG_cloudmgr.log

The illustration below indicates the CMG service is not in a ready state.

CMG_ready_state_maintenance

To troubleshoot CMG Ready state, use CloudMgr.log.

Cloud Management Gateway Services

The illustration below indicates the CMG service is running.

CMG_service_running

The illustration below indicates the CMG service is not running and therefore not available.

CMG_service_failed

In this case the CMG cloud service might not be running. To troubleshoot CMG services, use CMG-<cloud_service_name>-ProxyService_IN_0-CMGService.log (or CMG-<cloud_service_name>-ProxyService_IN_1-CMGService.log in case of 2 or more VM instances) and SMS_Cloud_ProxyConnector.log.

Cloud Management Gateway Configuration

The illustration below indicates the CMG configuration between the on-premises CMG connection point and the CMG in Azure is in sync.

CMG_configuration_in_sync

The illustration below indicates the CMG configuration between the on-premises CMG connection point and the CMG in Azure is not in sync.

CMG_configuration_not_in_sync

This is an easy one: just make sure the CMG configuration data is in sync by enforcing “Synchronize configuration” under the Cloud Services section of the Administration pane.

Cloud Management Gateway Connection Point

The CMG connection point is the site system role for communicating with the CMG. By default the CMG connection point establishes TCP-TLS connections (ports 10140-10155) to the CMG cloud service in Azure. In case of 2 or more VM instances, the second VM instance uses port 10141, up to the sixteenth on port 10155.

CMG_tcp_connections_established

Make sure <cloud_service_name>.cloudapp.net:10140 is reachable and that the name can be resolved properly. To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
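The name resolution and port checks described above, as an added PowerShell example that is not part of the original post. It assumes a placeholder cloud service name (CONTOSOCMG) and is meant to be run on the CMG connection point server, where the final step lists the sessions the connection point actually holds open.

```powershell
# Added example (not from the original post): verify name resolution and the
# TCP-TLS ports 10140-10155 the CMG connection point uses, one port per VM instance.
# $CloudServiceName is a placeholder; replace it with your own CMG cloud service name.
param(
    [string]$CloudServiceName = 'CONTOSOCMG',   # placeholder value
    [int]$InstanceCount = 1                      # number of CMG VM instances (1-16)
)

$fqdn = "$CloudServiceName.cloudapp.net"

# Step 1: name resolution. Resolve-DnsName throws when the name cannot be resolved.
try {
    $records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
    foreach ($r in ($records | Where-Object { $_.Type -eq 'A' })) {
        Write-Host ("DNS: {0} -> {1}" -f $fqdn, $r.IPAddress)
    }
} catch {
    Write-Warning "DNS: unable to resolve $fqdn : $($_.Exception.Message)"
    return
}

# Step 2: one TCP-TLS port per instance. Instance N (0-based) listens on 10140 + N.
$count = [Math]::Min([Math]::Max($InstanceCount, 1), 16)
$results = foreach ($i in 0..($count - 1)) {
    $port = 10140 + $i
    # Test-NetConnection only proves the TCP three-way handshake succeeds; the TLS
    # negotiation and the connector's client certificate are not exercised here.
    $t = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Instance = "ProxyService_IN_$i"
        Port     = $port
        TcpOpen  = $t.TcpTestSucceeded
        RemoteIP = $t.RemoteAddress
    }
}
$results | Format-Table -AutoSize

# Step 3: on the CMG connection point itself, list the established sessions towards
# the CMG port range. These should line up with the open ports reported above.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -ge 10140 -and $_.RemotePort -le 10155 } |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize
```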

The illustration below indicates the CMG connection point is able to communicate with the CMG in Azure.

CMG_connection_point_status

The illustration below indicates the CMG connection point is not able to communicate with the CMG in Azure.

CMG_connection_point_status_not_connected

To troubleshoot CMG services, use SMS_Cloud_ProxyConnector.log.

Site System roles assigned to Cloud Management Gateway

Make sure you have configured the management point and/or software update point site systems linked to your CMG to accept CMG traffic from clients that are on the internet.

CMG_site_system_role_assigned

When there is no site system role assigned (whether management point or software update point), clients on the internet won’t be able to benefit from the corresponding service(s).

CMG_no_site_system_role_assigned

Make sure you’ve assigned at least one management point to service clients on the internet.

Management Point Availability & Configuration

The CMG connection point forwards client communications to on-premises site system role(s) (management point(s) and/or software update point(s)). In this case the site system roles should be available.

CMG_management_point_status

In case you’ve bound the wrong web server certificate to your management point or software update point (IIS), or the certificate isn’t trusted (certificate chain), incoming client communications from the CMG cloud service won’t be accepted.

CMG_pki_configuration
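One way to check the certificate binding and chain trust from the outside, as an added PowerShell example that is not part of the original post. It assumes a placeholder management point FQDN (mp01.corp.contoso.com) and IIS listening on port 443; run it from the CMG connection point so the chain is evaluated with that server's trusted root and intermediate CAs.

```powershell
# Added example (not from the original post): open a TLS session to the management
# point (IIS on port 443 assumed), show which certificate IIS actually serves and
# whether this machine can build a trusted chain for it. $MpFqdn is a placeholder.
param(
    [string]$MpFqdn = 'mp01.corp.contoso.com',   # placeholder management point FQDN
    [int]$Port = 443
)

$client = [System.Net.Sockets.TcpClient]::new($MpFqdn, $Port)
# Accept any certificate during the handshake; the chain is validated explicitly
# below so the exact failure reason can be reported instead of an aborted handshake.
$ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($MpFqdn)
    # Copy the raw DER bytes so the certificate object outlives the disposed stream.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        $ssl.RemoteCertificate.GetRawCertData())
} finally {
    $ssl.Dispose()
    $client.Dispose()
}

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"
Write-Host "SAN     : $san"

# Build the chain the way a connecting client would. When Build() fails,
# ChainStatus names the reason: untrusted root, missing intermediate, expiry, ...
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check usable offline
$trusted = $chain.Build($cert)
Write-Host "Chain trusted: $trusted"
foreach ($element in $chain.ChainElements) {
    Write-Host "  $($element.Certificate.Subject)"
}
if (-not $trusted) {
    foreach ($status in $chain.ChainStatus) {
        Write-Warning "$($status.Status): $($status.StatusInformation.Trim())"
    }
}

# The name the CMG uses to reach the MP must be covered by the served certificate.
$escaped = [regex]::Escape($MpFqdn)
if ($san -notmatch $escaped -and $cert.Subject -notmatch $escaped) {
    Write-Warning "$MpFqdn appears neither in the Subject nor in the SAN of the served certificate."
}
```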

The table below gives an overview of a few scenarios in which the management point isn’t available, for various reasons.

Error: Failed to get ConfigMgr token with Azure AD token. Status code is ‘503’ and status description is ‘CMGConnector_ServiceUnavailable’. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘ServiceUnavailable’.
Solution: Make sure the IIS service is running properly.

Error: Failed to get ConfigMgr token with Azure AD token. Status code is ‘500’ and status description is ‘CMGConnector_InternalServerError’. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. Internal server error. For more information, see the management point logs for more details to see why internal server error returns.
Solution: Make sure you bind the right web server certificate to IIS and that the correct root and/or intermediate CA certificates are added.

Error: Succeed to get ConfigMgr token with Azure AD token. Failed to refresh MP location. Status code is ‘401’ and status description is ‘CMGConnector_Unauthorized’. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Unauthorized’.

Error: Succeed to get ConfigMgr token with Azure AD token. Failed to refresh MP location. Status code is ‘500’ and status description is ‘CMGService_No_Connector’. A possible reason for this failure is the CMG service failed to forward the message to the CMG connection point. There is no CMG connection point that is connecting to the CMG service. For more information, see the SMS_CLOUD_PROXYCONNECTOR.log on the CMG connection point.
Solution: Make sure firewalls or proxies aren’t blocking network traffic. Click here for a complete overview of ports required by CMG.

Cloud Management Gateway Log files

The following table lists the log files that contain information related to the cloud management gateway.

 

Log name: CloudMgr.log
Description: Records details about deploying the cloud management gateway service, ongoing service status, and use data associated with the service. You can configure the logging level by editing the Logging level value in the registry key HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER.
Computer with log file: The installdir folder on the primary site server or CAS.

Log name: CMGSetup.log (1)
Description: Records details about the second phase of the cloud management gateway deployment (local deployment in Azure). You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server.

Log name: CMGHttpHandler.log (1)
Description: Records details about the cloud management gateway http handler binding with Internet Information Services in Azure. You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server.

Log name: CMGService.log (1)
Description: Records details about the cloud management gateway service core component in Azure. You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server.

Log name: SMS_Cloud_ProxyConnector.log
Description: Records details about setting up connections between the cloud management gateway service and the cloud management gateway connection point.
Computer with log file: Site system server.

(1) These are local Configuration Manager log files that the cloud service manager syncs from Azure storage every five minutes. The cloud management gateway pushes logs to Azure storage every five minutes, so the maximum delay is 10 minutes. Verbose switches affect both local and remote logs. The actual file names include the service name and role instance identifier, for example CMG-ServiceName-RoleInstanceID-CMGSetup.log.

  • For troubleshooting deployments, use CloudMgr.log and CMGSetup.log.
  • For troubleshooting service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
  • For troubleshooting client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.
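The log files listed above are in CMTrace format, and the error table earlier in this post names the status descriptions to look for. As an added PowerShell example that is not part of the original post, the script below extracts the error entries (type 3) from such a log and maps the status descriptions that have a listed solution to a first-aid hint; the sample entries are constructed, and the hints only repeat what the table states.

```powershell
# Added example (not from the original post): pull the error entries out of a
# CMTrace-format log such as SMS_Cloud_ProxyConnector.log or CMGService.log and map
# the status descriptions from the error table to their first-aid hints.
# The sample lines are constructed; pass -LogPath to read a real log instead.
param([string]$LogPath)

# A CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">
# type 1 = informational, 2 = warning, 3 = error.
$entryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'

# Hints keyed on the status descriptions from the table (only those with a listed solution).
$hints = @{
    'CMGConnector_ServiceUnavailable'  = 'MP returned 503: make sure IIS on the management point is running.'
    'CMGConnector_InternalServerError' = 'MP returned 500: check the web server certificate binding and the root/intermediate CA certificates.'
    'CMGService_No_Connector'          = 'No CMG connection point is connected: check firewall/proxy rules for TCP 10140-10155 and SMS_Cloud_ProxyConnector.log.'
}

function Get-CmgLogErrors {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $entryPattern)
        if (-not $m.Success -or $m.Groups['type'].Value -ne '3') { continue }
        $msg = $m.Groups['msg'].Value
        # First matching status description wins; unknown errors are still reported.
        $hint = $hints.Keys | Where-Object { $msg -like "*$_*" } | Select-Object -First 1
        $hintText = if ($hint) { $hints[$hint] } else { 'No hint in the table; read the surrounding entries.' }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Message   = $msg
            Hint      = $hintText
        }
    }
}

if ($LogPath) {
    $lines = Get-Content -Path $LogPath
} else {
    # Constructed sample entries in CMTrace layout (not real log output).
    $lines = @(
        '<![LOG[Connected to CMG service CONTOSOCMG.cloudapp.net:10140]LOG]!><time="09:00:01.000+000" date="06-01-2018" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="1" thread="1234" file="proxyconnector.cpp:100">'
        '<![LOG[Failed to get ConfigMgr token with Azure AD token. Status code is ''503'' and status description is ''CMGConnector_ServiceUnavailable''.]LOG]!><time="09:00:05.000+000" date="06-01-2018" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="3" thread="1234" file="proxyconnector.cpp:200">'
        '<![LOG[Failed to refresh MP location. Status code is ''500'' and status description is ''CMGService_No_Connector''.]LOG]!><time="09:00:09.000+000" date="06-01-2018" component="CMGService" context="" type="3" thread="42" file="cmgservice.cs:300">'
    )
}

Get-CmgLogErrors -Lines $lines | Format-List
```

With the constructed sample, the informational entry is skipped and the two error entries are reported with their hints.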

Sources

Please find below the resources I’ve used to write up this blog post.

Microsoft, Plan for the cloud management gateway in Configuration Manager

https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway

Microsoft, Log files in System Center Configuration Manager

https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/log-files#cloud-management-gateway

I also want to draw attention to a great blog post series on how to set up your Cloud Management Gateway by fellow MVP Zeng Yinghua.

SCConfigMgr, How to setup Co-Management

http://www.scconfigmgr.com/2017/11/23/how-to-setup-co-management-part-1/


Keep your Microsoft Intune tenant clean and tidy /w Azure Automation & Graph API

Nowadays Microsoft provides us a lot of flexibility to empower end-users to be more productive than ever before. Users are able to register their devices in order to access corporate resources anytime, anywhere, on devices they love. Provisioning Windows 10 devices for your enterprise has never been easier for end-users. They are even able to join their brand new devices to the corporate environment from home, benefiting from Windows Autopilot & Azure AD MDM auto-enrollment.

From an end-user perspective this is great: productivity can be restored in minutes instead of hours or even days. However, the flexibility we provide for end-users has a downside from an IT admin perspective. As we’re able to join or register devices to Microsoft Intune/Azure AD, this causes a lot of obsolete device objects in your tenants.

Enable Windows 10 Multifactor Authentication with Windows Hello Multifactor Device Unlock & Microsoft Intune

In this blog post I’ll explain how to configure and enable Windows Hello Multifactor Device Unlock using Microsoft Intune. Windows Hello Multifactor Device Unlock provides multifactor device authentication for logging in to or unlocking Windows 10 devices.

Windows Hello for Business


Improved MDM diagnostics from Windows 10 Insider Preview #16232

Note: the content in this blog post may be subject to change as it’s based on Windows 10 Insider Preview build 16232/16237.

In the early days of Windows 8.x modern management made its appearance, but due to its limitations at that time it was not widely adopted.

Traditional vs Modern

The introduction of Windows 10 as the cloud OS with tight integration of Azure AD changed this rapidly. Combined with configuration service providers (CSPs), modern management provides increased capabilities and is therefore closing the gap with traditional management.

Another often-heard challenge of modern management is the troubleshooting part. This can sometimes be challenging, as it is experienced as a black box. Common tools (e.g. Event Viewer, PowerShell, WMI) are sometimes cryptic and thus challenging to interpret, until today!

Troubleshooting

To illustrate the ease of troubleshooting (low entry barrier), we configured a custom policy in Microsoft Intune which configures Windows Defender Application Guard (currently in preview) and checked the process of the policy being applied on our endpoint.

Microsoft Intune Custom Policy

Once the policy was assigned in Microsoft Intune we triggered a policy refresh cycle.

Updated interface

Update Management Profile GUI

In the updated GUI we can now determine which policy categories are configured, including our Windows Defender Application Guard (AppHVSI) policy. Besides the outline of the policy categories we can also determine the installed applications. 

 Improved Management Profile GUI PolicyManager MDM Category

Management Diagnostic log files

The updated GUI goes beyond just displaying what is configured/applied and provides the ability to drill down into our MDM configuration. The MDM configuration can be exported to a management log file in HTML format at C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.html

MDM Diagnostics GUI

The MDM diagnostic log file provides general information of your system. However the most interesting part is yet to come.

Base MDM Diagnostic Information

First of all it provides insights into the configuration sources and resources (CSPs) and whether it’s a device- or user-based policy. The Resource section correlates to the various policies and installed apps. I highlighted a GUID which correlates to an installed application.

MDM Configuration Sources

Furthermore it provides a detailed list of which policy categories are deployed by your MDM solution. These categories are listed in the updated interface I mentioned before. This section also provides the detailed configuration of your policies.

In our scenario we deployed the Windows Defender Application Guard policy. It shows you the policy area, default value, current value and whether it’s a device- or user-based policy. It confirms the custom Windows Defender Application Guard policy has landed and been successfully applied.

MDM Managed Policies

When looking under the hood we have the confirmation here too: Windows Defender Application Guard is configured properly. And, as mentioned earlier, you’ll find the policy categories once again.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\AppHVSI

PolicyManager MDM Registry
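The same confirmation from the endpoint itself, as an added PowerShell example that is not part of the original post: it reads the PolicyManager registry key named above and regenerates the MDM diagnostics report with the built-in MdmDiagnosticsTool.exe into the folder the post mentions (run from an elevated prompt; the -out switch is the tool's documented output-folder option).

```powershell
# Added example (not from the original post): confirm that the Windows Defender
# Application Guard (AppHVSI) policy landed by reading the PolicyManager key, then
# regenerate the MDM diagnostics report. Run from an elevated prompt.
$key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\AppHVSI'

if (Test-Path $key) {
    # Get-ItemProperty adds PS* bookkeeping properties; skip those and list the policy values.
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) {
        Write-Host ("{0,-40} {1}" -f $p.Name, $p.Value)
    }
} else {
    Write-Warning "$key is missing: the AppHVSI policy has not been applied to this device yet."
}

# Regenerate the HTML report described in the post (MdmDiagnosticsTool.exe -out <folder>).
$outDir = 'C:\Users\Public\Documents\MDMDiagnostics'
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out $outDir
Get-ChildItem -Path $outDir -Filter 'MDMDiagReport.html' |
    Select-Object FullName, LastWriteTime
```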

Complementary to the Windows Defender Application Guard CSP configuration you can keep track of the group policy (ADMX-backed) equivalent.

PolicyManager MDM Group Policy

Installed Applications

As mentioned before, the MDM diagnostic log file also includes the list of applications installed through the MDM channel.

Managed Applications by MDM

Finally, we also have access to settings which are not set via CSP.

Unmanaged MDM Policies

Summary

The updated interface in this Windows 10 preview build is as simple as it is ingenious, and helps us get useful insights to troubleshoot our modern management endpoints.

Sources

Introduction to configuration service providers (CSPs) for IT pros

https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers

WindowsDefenderApplicationGuard CSP

https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp


Control Access to SharePoint Online/OneDrive from unmanaged devices

In a mobile-first, cloud-first world the need to access corporate resources on unmanaged devices is rising. This is the cutting edge of managing your corporate data (keeping it safe) while giving your users the freedom to be productive on any device.

With Conditional Access we can control access to corporate data (such as Exchange Online, SharePoint Online, Yammer, Delve, Teams, etc.) based on a device (health) status such as being managed or compliant. These scenarios (conditions) are based on devices being managed by your company (MDM managed). With the introduction of Session Controls, organizations can grant limited access to corporate resources without losing control over unmanaged devices.

Conditional Access Session Controls


Available now: Enterprise Mobility + Security E5 IUR for Microsoft Partners

Today I was happily surprised by the announcement that, as of today, Microsoft Enterprise Mobility + Security E5 licenses are available through Internal Use Rights (IUR). This is great news for those who are Silver or Gold EMM competency partners. This enables Microsoft Partners to adopt the latest security features in their own organization too. “Practice what you preach”

Enterprise Mobility + Security E5 IUR

One of the main benefits of the Microsoft Partner program is IUR, which allows you to use Microsoft products in your own organization for free, based on your partner competency levels. This applies to traditional software, software keys and Microsoft Online Services.

With IUR, Microsoft Partners are able to increase productivity, business value, and savings through their internal-use rights (IUR) benefits. Enterprise Mobility + Security E3 had been available for quite a long time, but E5 was missing, even though we as partners have an important role in enabling our customers with the latest Microsoft technology.

More information regarding Internal Use Rights can be found here.

New features like Azure AD Identity Protection & Azure AD Privileged Identity Management form important (security) components in a more than ever emerging Enterprise Mobility + Security E5 proposition.

Click here to unlock your IUR benefits today!

ps. special thanks for those who make this possible ;-)

One license solution rule them all: Azure AD Group Based Licensing!

A long-awaited feature became available this week in the new Azure portal: Azure AD Group Based Licensing. With this we have a one-stop shop to assign licenses on a per-user or per-group basis.

azure-ad-group-based-licensing-1

Azure AD Group Based licensing was already available in the classic Azure portal, however it was limited to Azure AD Premium, Azure Rights Management, Microsoft Intune and Enterprise Mobility + Security licenses. For other licenses like Office 365 we had to rely on the Office 365 Admin portal or custom (automated) solutions such as PowerShell or the Graph API.