Overview
- In this video guide, we will review the new feature for Token-based authentication for cloud management gateway released in Configuration Manager current branch 2002 https://docs.microsoft.com/en-us/configmgr/core/plan-design/changes/whats-new-in-version-2002#token-based-authentication-for-cloud-management-gateway.
Topics in Video
- Please see youtube: https://youtu.be/e5QSv1Yna6M
Helpful Resources
- Token-based authentication for cloud management gateway – https://docs.microsoft.com/en-us/configmgr/core/plan-design/changes/whats-new-in-version-2002
- Register for token on the internal network – https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/deploy-clients-cmg-token#register-on-the-internal-network
- Create a bulk registration token – https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/deploy-clients-cmg-token#create-a-bulk-registration-token
- Bulk registration token tool usage – https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/deploy-clients-cmg-token#bulk-registration-token-tool-usage
I'm Justin Chalfant! I'm the founder of 
Very helpful video Justin, thanks.
I was wondering about approval for a workgroup machineS, but as always you answered right in the video.
:), yeah it seems the token is essentially the factor that allows the site to trust the client and auto-approve unless like a traditional workgroup ccmsetup installation.
This video shows for 1 computer registration in the cloud. How do I manage 1000+ computers in Cloud Environment
You could use PKI for existing devices or Intune to auto-enroll into ConfigMgr.
What’s the secret sauce? For some reason it’s not recognizing the new /regtoken and still trying with certificates. I see in your video CCMTOKENAUTH=1, currently mine says =0, does this mean anything in your brilliance?
Hmm, so your machine has a client authentication certificate as well?
I had a similar issue. Mine was caused by omitting required parameters from the ccmsetup.exe install string. I did not include the SMSMP parameter; turns out it’s required. SMSSITECODE, SMSMP, CCMHOSTNAME and /mp are all REQUIRED. Hope this helps.
Amazing stuff and at 11:59, what i understood is when client goes for registration it goes with client GUID and certificate thumbprint. Thumbprint is of self-signed certificate.
That’s correct. CMG will use PKI cert, Azure AD, or Bulk token for the auth/registration.
this was very informative, but i need info on client auth check. MS article after 90 days the token expires , what after that ? how the systems will connect back. how the registration happens if the system is in internet without LAN access
The token will auto-renew for clients that have access to the MP.
Can i use this single token to authorize multiple machines ?
You can as long as it’s not expired!
Great tutorial Justin! What if you have say 50 machines what is the suggested deployment method?
A script 🙂 not a great method if you don’t have an existing method to access the machine though.
Hello,
Did you guys managed to bootstrap a task sequence during the bulk token auth client installation?
For us it did not work 🙂 we are receiving”content location failed” messages.
I haven’t tried this scenario.
Hey Justin, We are using CMG in EHTTP mode and we dont have any MP running on https mode. all our MPs are in HTTP mode. i have ran token based command on internet based standalone system which is not in our domain joined but getting the below errors
error 1: CcmSetup failed with error code 0x87d00455
error 2: [CCMHTTP] AsyncCallback(): —————————————————————–
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered ccmsetup
[CCMHTTP] : dwStatusInformationLength is 4
ccmsetup 10/6/2020 9:21:10 AM 3972 (0x0F84)
[CCMHTTP] : *lpvStatusInformation is 0x8
ccmsetup 10/6/2020 9:21:10 AM 3972 (0x0F84)
[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
ccmsetup 10/6/2020 9:21:10 AM 3972 (0x0F84)
[CCMHTTP] AsyncCallback(): —————————————————————–
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f ccmsetup 10/6/2020
Error 3:
RetrieveTokenFromStsServerImpl failed with error 0x80072f8f
Failed to create SMS client object. Error 0x80040154
Failed to get CCM access token and client doesn’t have PKI issued cert to use SSL. Error 0x80070002
Any help on this
The client doesn’t seem to trust the SSL cert.