In this guide, I will demonstrate the procedure to remove Cloud Management Gateway from the SCCM. If your organization no longer wants to use CMG to serve internet clients, you can delete CMG from SCCM using the console or by using PowerShell.

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients over the internet. In the CMG setup guide, I have explained how you can install and configure Cloud Management Gateway in your Configuration Manager.

If you have found a better solution to serve the content to your clients over the internet, the CMG service can be easily removed from your setup. Microsoft advises that if you need to delete the CMG, only do it from the Configuration Manager console. Manually removing any components in Azure causes the system to be inconsistent. This state leaves orphaned information, and unexpected behaviors may occur.

Reasons for deleting SCCM CMG

From my experience, the primary reason why organizations delete CMG service is the costs associated with it. The cloud management gateway (CMG) service uses several components in Microsoft Azure, and these components incur charges to the Azure subscription account.

Another reason to delete the CMG is when you have set it up in your lab in an isolated environment away from production and want to start afresh. Regardless of the reason, the objective is to make sure the CMG is removed from your setup in a clean manner without interfering with the other services.

Prerequisites

Some important things to remember before you delete CMG:

  1. You must use an account that is a member of the Full Administrators role in SCCM. The administrative user who installs Configuration Manager is automatically granted this security role, all scopes, and all collections.
  2. Ensure no content is being distributed to the CMG VM during the removal process.
  3. Before removing the CMG, download any important data that may have been stored on the CMG virtual machine. That’s because when you remove CMG from SCCM, the CMG VM is deleted automatically.

Remove Cloud Management Gateway from SCCM

Let’s go through the steps for removing the CMG from the Configuration Manager setup. Launch the SCCM Console. Go to Administration > Overview > Cloud Services > Cloud Management Gateway. Select the CMG instance and in the top ribbon, click Delete.

Remove Cloud Management Gateway from SCCM
Remove Cloud Management Gateway from SCCM

A confirmation box appears with the message: Are you sure you want to delete the ‘CMG’ Cloud Management Gateway? Click Yes to proceed with CMG removal.

Remove Cloud Management Gateway from SCCM
Remove Cloud Management Gateway from SCCM

Monitor the CMG Removal in SCCM

After deleting the CMG service in the SCCM console, you’ll notice that the status of the service is changed from Ready to Deleting. This means the CMG is being removed now.

Monitor the CMG Removal in SCCM
Monitor the CMG Removal in SCCM

To find out the progress of the CMG removal, I recommend checking the CloudMgr.log on the site server. This log records details about deploying the CMG service, ongoing service status, and use data associated with the service.

As per the CloudMgr.log, when you delete CMG service, the following components are deleted from Azure.

  • Virtual network
  • Network Security Group
  • Load Balancer for CMG
  • Public IP address assigned to CMG
  • CMG service
Monitor the CMG Removal in SCCM CloudMgr.log
Monitor the CMG Removal in SCCM CloudMgr.log
Resource Manager - VM scale set prajwalcmg deleted
Resource Manager - VM scale set prajwalcmg does not exist anymore.
Resource Manager - Deleting storage account prajwalcmg
Resource Manager - storage account prajwalcmg deleted
Resource Manager - Deleting key vault prajwalcmg
Resource Manager - key vault prajwalcmg deleted SMS_CLOUD_SERVICES_MANAGER
Resource Manager - Deleting virtual network prajwalcmg
Resource Manager - virtual network prajwalcmg deleted
Resource Manager - Deleting network security group prajwalcmg
Resource Manager - network security group prajwalcmg deleted
Resource Manager - Deleting load balancer prajwalcmg
Resource Manager - load balancer prajwalcmg deleted
Resource Manager - Deleting public IP address prajwalcmg
Resource Manager - public IP address prajwalcmg deleted

Verify if SCCM CMG Service is Removed

In this section, I will show you how to find out if the CMG service is deleted from the Configuration Manager setup. There are multiple ways to verify this, and I have listed all the methods below.

In the Configuration Manager console, go to Administration > Cloud Services > Cloud Management Gateway. Here, if you don’t see your CMG instance, it means the CMG removal is successful.

Verify if SCCM CMG Service is Removed
Verify if SCCM CMG Service is Removed

The line “Successfully deleted deployment for service cmgname” in the CloudMgr.log confirms that you have successfully removed the Cloud Management Gateway from the setup.

Verify if SCCM CMG Service is Removed
Verify if SCCM CMG Service is Removed

Lastly, sign in to the Azure portal and when you attempt to access the CMG VM, you should see the message “Error 404: Resource not found.” This also confirms that when you delete CMG service, the associated CMG VM instance is also deleted from Azure.

Remove CMG from SCCM
Remove CMG from SCCM

Remove CMG Connection Point Role

The CMG connection point is the site system role that’s required for communication from your on-premises Configuration Manager deployment to the cloud-based CMG. After you remove CMG from SCCM, there is no use of the CMG connection point role. Hence, you can remove it with these steps:

  • Launch the Configuration Manager console.
  • Navigate to Administration\Site Configuration\Servers and Site System Roles.
  • Select the server on which the CMG Connection Point Role is installed.
  • Under the System Roles, right-click the Cloud Management Gateway connection point and select Remove Role.
Remove CMG Connection Point Role
Remove CMG Connection Point Role

A confirmation box appears with the message: Are you sure that you want to remove the selected role, Cloud Management Gateway connection Point, from the server? Click Yes to confirm.

Remove CMG Connection Point Role
Remove CMG Connection Point Role

Remove CMG using PowerShell

The PowerShell cmdlet Remove-CMCloudManagementGateway can be used to remove a cloud management gateway (CMG) service from the site. This is an alternate method for deleting the CMG instead of using the Configuration Manager console.

Launch the PowerShell from the SCCM console and run the below command to remove the CMG service from the site. Make sure you replace the CMG name with yours in the command before executing it.

Get-CMCloudManagementGateway -Name "prajwalcmg.cloudapp.net" | Remove-CMCloudManagementGateway

Finally, after deleting the CMG service in SCCM, in case you see any remaining traces of CMG in the Resource Group in Azure, make sure you remove those entries manually.

Delete Microsoft Entra ID User and Group Discovery

One of the primary requirements for using Microsoft Entra authentication for internet-based clients with a CMG is to integrate the site with Microsoft Entra ID. After you remove the CMG, you can safely remove the Microsoft Entra ID User discovery and Microsoft Entra ID group discovery from the SCCM console.

In the SCCM console, go to Administration\Overview\Cloud Services\Azure Services. Right-click on the Azure service and select Delete. When you do this, the connection between Microsoft Entra ID and the configuration manager will be removed.

Remove Azure AD User and Group Discovery
Remove Azure AD User and Group Discovery

Delete the Client and Server App Registrations

During the CMG setup, you come across a step where you integrate the Configuration Manager site with your Microsoft Entra tenant. When you configure Microsoft Entra ID for CMG, you create app registrations, namely:

  • Web app (also referred to as a server app in Configuration Manager)
  • Native app (also referred to as a client app in Configuration Manager)

After removing the CMG from your setup, you must remove these app registrations. You may not find the option for deleting the client and server app in the SCCM console. You’ll have to delete them from the Azure Portal.

Sign in to the Azure portal. In the search box, type “App registrations” and from the search results, select App registrations. Here you should find the client app and server app that you configured for SCCM. Select the Client App and Server App individually and delete them.

Delete the Client and Server App Registrations
Delete the Client and Server App Registrations

Delete Microsoft Entra ID Tenant

This step removes the configured Entra ID tenant from the Configuration Manager console. Go to Administration > Cloud Services > Microsoft Entra ID Tenants. Right-click on your tenant and select Delete.

Install and Update Third Party Applications with Patch My PC
Install and Update Third Party Applications with Patch My PC
Delete Microsoft Entra ID Tenant
Delete Microsoft Entra ID Tenant

That completes the guide on how to remove Cloud Management Gateway from the SCCM site. I hope this guide helps.

Still Need Help?

If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.

Prajwal Desai

Prajwal Desai is a technology expert and 10 time Dual Microsoft MVP (Most Valuable Professional) with a strong focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, & community leader, known for sharing his expertise & knowledge through his blog, YouTube, conferences, webinars etc.