PKI Infrastructure and Configuration Manager

Heimdallr 46 Reputation points
2021-12-08T11:53:40.13+00:00

Hi,

I have a question regarding setting new co managed environment with cloud management gateway.

Is there any requirement to create a PKI infrastructure in order to have a standard on-prem, ECM environment working, along with WSUS there + CMG so that clients out of office can connect ?

I am asking because I am not sure whether PKI infrastructure is required or technology creates self signed certs somehow and we can avoid setting another part of infra there, or perhaps Azure serices can supplement us there, any hints?

Thanks.

Microsoft Configuration Manager
0 comments No comments
{count} votes

Accepted answer
  1. Rahul Jindal [MVP] 9,041 Reputation points MVP
    2021-12-08T22:11:03.39+00:00

    If you want the ability to manage clients over internet, then you will need CMG. You can configure your ConfigMgr environment for full PKI or you have the option to use EHTTP with token based authentication. However, you will still need a CMG server certificate which can be a PKI cert or a 3rd party.

    You also have the option of configuring Co-management which doesn't require any kind of certs. However, you will need to hybrid join your devices to be able to manage all the supported Workloads. It all depends on your requirements.

    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Pavel yannara Mirochnitchenko 11,411 Reputation points
    2021-12-08T21:51:33.96+00:00

    CMG requires certs, 3rd party or PKI. Co-management only does not require certs. Since you are mentioning WSUS, I would suggest that don't setup CMG only for updates, but for anything else. You can easy deploy updates to clients in the internet by allowing them to download them from Internet. It is common misstake to distribute updates via CMG.

    0 comments No comments

  2. Heimdallr 46 Reputation points
    2021-12-09T13:14:12.287+00:00

    Thanks for the answers! They gave me a lot of good information. I was running meanwhile through the documentation and stumbled upon information that, at some point Configuration Manager will stop supporting HTTP so I would have go with HTTPS or eHTTP and since the latter requires no additional infrastructure, I think I am going to create the service based on eHTTP + get CMG to use either AAD or buy a trusted cert.

    Removal of HTTP Source: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures#:~:text=Sites%20that%20allow,November%201%2C%202022

    "Clients that connect to a cloud management gateway (CMG) are potentially on the untrusted public internet. Because of the client's origin, they have a higher authentication requirement. There are three options for identity and authentication with a CMG:

    Azure AD
    PKI certificates
    Configuration Manager site-issued tokens"
    Source: https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/plan-client-authentication

    0 comments No comments

  3. Jason Sandys 31,121 Reputation points Microsoft Employee
    2021-12-10T00:06:47.553+00:00

    A handful of comments here:

    • To use a CMG, clients must be able to authenticate using one of the following:
      • A PKI issued client auth cert
      • A token issued from Azure AD because the device is AAD joined or hybrid Azure Active Directory joined
      • A token issued by ConfigMgr
    • The use of enhanced HTTP is not connected to which client auth mechanism you choose specifically.
    • CMG service certs should always come from a public CA. This isn't a technical requirement, but it is a requirement for success IMO.
    • Co-management without a CMG should also never be done unless you have a consistent guarantee of some other connectivity like the device is on site always or regularly or a regularly connected VPN.
    • Hybrid Azure Active Directory join is not required for co-management. For co-management, Windows endpoints must be hybrid Azure Active Directory join or Azure Active Directory join. All workloads are available to both join types.
    • Clients managed across the Internet using a CMG (or IBCM) always download update content for Windows updates from Windows Update. Thus, setting up a CMG for this is totally fine although I do strongly recommend you consider enabling co-management + CMG and then using Windows Update for Business for updates instead.
    0 comments No comments