Supported configurations for cloud management gateway

Applies to: Configuration Manager (current branch)

Use this article as a reference for the features and configurations that are supported by the Configuration Manager cloud management gateway (CMG).


  • All Windows versions listed in Supported operating systems for clients and devices are supported for CMG.

  • CMG only supports the management point and software update point roles.

  • CMG doesn't support clients that only communicate with IPv6 addresses.

  • Software update points using a network load balancer don't work with CMG.

  • Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is removed. All CMG deployments should use a virtual machine scale set. For more information, see Removed and deprecated features.

  • CMG names need to be between 3-24 alphanumeric characters. The name must begin with a letter, end with a letter or digit, and not contain consecutive hyphens.

Support for Configuration Manager features

The following table lists CMG support for Configuration Manager features:

Feature Support
Software updates Supported.
Endpoint protection Supported. Note 1
Hardware and software inventory Supported.
Client status and notifications Supported.
Run scripts Supported.
CMPivot Supported.
Compliance settings Supported.
Automatic client upgrade Supported.
Client install
(with Microsoft Entra integration)
Client install
(with token authentication)
Software distribution (device-targeted) Supported.
Software distribution (user-targeted, required)
(with Microsoft Entra integration)
Software distribution (user-targeted, available)
(all requirements)
BitLocker Management Supported.
Pull distribution point source Supported.
Windows in-place upgrade task sequence Note 2 Supported.
Task sequence without a boot image, deployed with the option to Download all content locally before starting task sequence Note 2 Supported.
Task sequence without a boot image, deployed with either download option Note 2 Supported.
Task sequence with a boot image, started from Software Center Note 2 Supported.
Task sequence with a boot image, started from bootable media Note 2 Supported.
Any other task sequence scenario Note 2 Not supported.
Content for PXE or multicast-enabled deployments Not supported.
Client push Not supported.
Automatic site assignment Not supported.
Software approval requests Not supported.
Configuration Manager console Not supported.
Remote tools Not supported. Note 3
Reporting website Not supported.
Wake on LAN Not supported.
macOS clients Not supported.
Peer cache Not supported.
On-premises MDM Not supported.
Alternate content providers Not supported. Note 4
Content for App-V streaming applications Not supported.
Content for Microsoft 365 Apps updates Not supported.
Prestage content Not supported.
Supported. = This feature is supported with CMG by all supported versions of Configuration Manager
Supported. (YYMM) = This feature is supported with CMG starting with version YYMM of Configuration Manager
Not supported. = This feature isn't supported with CMG

Support notes

Note 1: Support for endpoint protection

Clients that communicate via a CMG can immediately apply endpoint protection policies without an active connection to Active Directory.

Note 2: Support for task sequences

For more information about support for deploying a task sequence to a client via the CMG, see Deploy a task sequence over the internet.

Note 3: Support for remote tools

As announced at Microsoft Ignite 2021, a public preview of the new remote assistance solution is now available in the Microsoft Intune admin center. This cloud-based tool can help you more securely support users of Windows devices.

For more information, see the following resources:

Note 4: Support for alternate content providers

Alternate content providers aren't supported to get content from a content-enabled CMG. You can still use them on a client that communicates with a CMG and gets content from other supported content locations.


Starting in version 2203, you can also configure the task sequence to allow token authentication with alternate content providers. For more information, see Task sequence variables: SMSTSAllowTokenAuthURLForACP.

Next steps

Next, plan how the design the CMG for the best performance at the appropriate scale: