Modify a cloud management gateway

Applies to: Configuration Manager (current branch)

If you need to change the configuration, you can modify the cloud management gateway (CMG).

Configure properties

After you create a CMG, you can modify some of its settings. Select the CMG in the Configuration Manager console and select Properties. Configure settings on the following tabs:

Settings tab

  • Certificate file: Change the server authentication certificate for the CMG. This option is useful when you renew the certificate before it expires. When you get a new certificate, make sure its common name is the same.


    When you renew the server authentication certificate for the CMG, the FQDN that you specify for the certificate's common name (CN) is case-sensitive. For example, if the CN of the current certificate is, create the new certificate with the same lowercase CN. The wizard won't accept a certificate with the CN https://GRANITEFALLS.CONTOSO.COM.

  • VM Instance: change the number of virtual machines that the service uses in Azure. This setting allows you to dynamically scale the service up or down based on usage or cost considerations.

  • Certificates: add or remove trusted root or intermediate CA certificates. This option is useful when adding new CAs, or retiring expired certificates.

  • Verify Client Certificate Revocation: If you didn't originally enable this setting when you created the CMG, you can enable it afterwards after you publish the CRL. For more information, see Publish the certificate revocation list.

  • Enforce TLS 1.2: Require the CMG to use the TLS 1.2 encryption protocol. For more information on TLS 1.2, see How to enable TLS 1.2.

  • Allow CMG to function as a cloud distribution point and serve content from Azure storage: The CMG enables this option by default. A CMG can also serve content to clients. This functionality reduces the required certificates and cost of Azure VMs.

Alerts tab

Reconfigure the alerts at any time after you create the CMG. For more information, see Monitor the CMG: Set up outbound traffic alerts.

Content tab

View the packages that are assigned to the cloud storage account for this CMG. See how much space each package uses in the storage account. When you select a package, you can redistribute or remove the content files.

To verify that the content files for a package are available on the content-enabled CMG, go to the Content Status node in the Monitoring workspace. For more information, see Monitor content you distribute.

Redeploy the service

More significant changes, such as the following configurations, require that you redeploy the service:

  • Subscription
  • Service name
  • Region
  • Resource group

Always keep at least one active CMG for internet-based clients to receive updated policy. Internet-based clients can't communicate with a removed CMG. Clients don't know about a new one until they refresh policy. When you create a second CMG instance to delete the first, also create another CMG connection point.

Clients refresh policy by default every 24 hours. Before you delete the old CMG, wait at least one day after you create a new one. If clients are turned off or without an internet connection, you may need to wait longer.

If you have an existing CMG from Configuration Manager version 1810 or earlier, it uses the Azure Service Manager deployment method with an Azure management certificate. Redeploy a new CMG to use the Azure Resource Manager deployment method.

The process to redeploy the service depends upon your service name and whether you want to reuse it.


If you already deployed a CMG with the cloud service (classic) method, you can't deploy another CMG as a virtual machine scale set, and vice versa. First delete the existing CMG, and then create a new one with the other deployment method. All CMG instances for the site need to use the same deployment method. For more information, see Topology design: Virtual machine scale sets.

Replace a CMG and reuse the same service name


This process assumes that you already have at least two CMG services, and are replacing one of them at a time. You need to have at least one active CMG for internet-based clients.

  1. Delete the old CMG.

  2. Create a new CMG with the same server authentication certificate.

  3. Reconfigure the CMG connection point to use the new CMG.

Replace a CMG with a new service name

  1. Get a new server authentication certificate.

  2. Create a new CMG.

  3. Create a new CMG connection point and link it with the new CMG.

  4. Wait at least one day for internet-based clients to receive policy about the new CMG. If clients are turned off or without an internet connection, you may need to wait longer.

  5. Delete the old CMG and associated CMG connection point.

Stop and start the service

Use the Configuration Manager console to stop and start the service if you need to.

  1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Cloud Management Gateway node.

  2. Select the CMG instance.

  3. In the ribbon, select one of the following actions:

    • To stop a running CMG, select Stop service.
    • To start a stopped CMG, select Start service.

Configuration Manager can stop a CMG service when the total data transfer goes over your limit. For more information, see Stop CMG when it exceeds threshold


Even if the service isn't running, there are still costs associated with the cloud service. Stopping the service doesn't eliminate all associated Azure costs. To remove all cost for the cloud service, delete the CMG.

When you stop the CMG service, internet-based clients can't communicate with Configuration Manager.

You can also use PowerShell to stop and start a CMG:

Determine deployment model

To determine the current deployment model of a CMG:

  1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Cloud Management Gateway node.

  2. Select the CMG instance.

  3. In the Details pane at the bottom of the window, look for the Deployment Model attribute.

    For a Resource Manager deployment, this attribute is Azure Resource Manager. The legacy deployment model with the Azure management certificate displays as Azure Service Manager.

    Starting in version 2010, you'll see either Cloud service (classic) or Virtual machine scale set.

You can also add the Deployment Model attribute as a column to the list view.

Modifications in the Azure portal

Only modify the CMG from the Configuration Manager console. Making modifications to the service or underlying VMs directly in Azure isn't supported. Any changes may be lost without notice. As with any platform as a service (PaaS), the service can rebuild the VMs at any time. These rebuilds can happen for backend hardware maintenance, or to apply updates to the VM OS.

Delete the service

If you need to delete the CMG, only do it from the Configuration Manager console. Manually removing any components in Azure causes the system to be inconsistent. This state leaves orphaned information, and unexpected behaviors may occur.