Updates from editor

Author: v-phoebh

support/mem/configmgr/client-management/cmg-communication-error.md

@@ -1,13 +1,13 @@
 ---
-title: Configuration Manager clients can't communicate with CMG
-description: Provides details about log files and solutions for common issues when Configuration Manager clients can't communicate with CMG.
-ms.date: 02/11/2025
+title: Configuration Manager Clients Can't Communicate with CMG
+description: Provides details about log files and solutions to common issues when Configuration Manager clients can't communicate with CMG.
+ms.date: 02/28/2025
 ms.custom: sap:Cloud Services\Cloud Management Gateway (CMG)
 ms.reviewer: kaushika, bmoran
 ---
 # Configuration Manager clients fail to communicate with CMG
 
-This article provides solutions for common issues when Configuration Manager clients fail to communicate with a Cloud Management Gateway (CMG).
+This article provides solutions to common issues when Configuration Manager clients fail to communicate with a Cloud Management Gateway (CMG).
 
 _Original product version:_   Configuration Manager (current branch)  
 _Original KB number:_   4503442, 4495265
@@ -33,7 +33,7 @@ Received response `https://InternalMP.contoso.com/SMS_MP/.sms_aut?MPLIST2&CM1` f
 
 ### Cause
 
-The CMG connection point requires a [server authentication certificate](/mem/configmgr/core/clients/manage/cmg/certificates-for-cloud-management-gateway#bkmk_clientauth) to securely forward client requests to an HTTPS management point. If the server authentication certificate is missing, configured incorrectly, or invalid, status code 403 is returned. In scenarios in which the Management Point (MP) operates in enhanced HTTP mode with token-based authentication, the certificate isn't required but is always recommended.
+The CMG connection point requires a [server authentication certificate](/mem/configmgr/core/clients/manage/cmg/certificates-for-cloud-management-gateway#bkmk_clientauth) to securely forward client requests to an HTTPS management point. If the server authentication certificate is missing, misconfigured, or invalid, status code 403 is returned. In scenarios wh the Management Point (MP) operates in enhanced HTTP mode with token-based authentication, the certificate isn't required but is always recommended.
 
 ### Resolution
 
@@ -42,7 +42,7 @@ To resolve this issue, generate a [server authentication certificate](/mem/confi
 > [!NOTE]
 > In the certificate, computers must have a unique value in the **Subject Name** or **Subject Alternative Name** field.
 
-### How to verify CMG has a server certificate
+### How to verify the CMG has a server certificate
 
 After you enable verbose logging, the **SMS_Cloud_ProxyConnector.log** file will show the list of available certificates on the server. To verify if a valid server authentication certificate to establish communication between the CMG connection point and the management point exists, check the number of certificates in the **Filtered cert count with client auth:** line. See the following log for an example:
 
@@ -76,7 +76,7 @@ In the following log file, error messages that resemble the following entries ar
 
 ### Cause
 
-There's a mismatch between the Internet Information Services (IIS) bindings and the management point in HTTP mode. If the management point is moved from HTTPS mode to enhanced HTTP mode, without cleaning the bindings, the Configuration Management client might not be able to configure an **SMS Role SSL certificate**, which is used in enhanced HTTP mode. In other situations, an incorrect certificate (expired or revoked) exists in the IIS bindings and needs to be cleaned.
+There's a mismatch between the Internet Information Services (IIS) bindings and the management point in HTTP mode. If the management point is moved from HTTPS mode to enhanced HTTP mode without cleaning the bindings, the Configuration Management client might be unable to configure an **SMS Role SSL certificate** used in enhanced HTTP mode. In other situations, an incorrect certificate (expired or revoked) exists in the IIS bindings and needs to be cleaned.
 
 ### Resolution
 
@@ -86,9 +86,9 @@ There's a mismatch between the Internet Information Services (IIS) bindings and
 
 1. In the right pane, select **Bindings**.
 
-1. In the **Site Bindings** dialog box, select the 443 port binding, and then select **Edit**.
+1. In the **Site Bindings** dialog, select the 443 port binding, and then select **Edit**.
 
-1. In the **Edit Site Binding** dialog box, select the certificate accordingly:
+1. In the **Edit Site Binding** dialog, select the certificate accordingly:
 
     - Enhanced HTTP: **SMS Role SSL certificate**
 
@@ -119,35 +119,35 @@ Before the error message, other events might also be logged:
 
 > [!NOTE]
 >
-> - `WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED` indicates that the `/NoCRLCheck` parameter is missing with the `CCMSetup` command, and the certificate revocation list (CRL) isn't published on the internet.
+> - `WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED` indicates that the `/NoCRLCheck` parameter is missing from the `CCMSetup` command, and the certificate revocation list (CRL) isn't published on the Internet.
 >
 > - `WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA` indicates that the root certificate authority (CA) certificate required to validate the server authentication certificate for a CMG is missing.
 >
-> - `WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID` indicates that the host name in the certificate common name is incorrect.
+> - `WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID` indicates that the hostname in the certificate common name is incorrect.
 
 ### Cause
 
 This issue occurs if one or more of the following conditions are true:
 
 - The client doesn't have the necessary PKI Root CA to validate the server authentication certificate.
 - The certificate presented to the client is incorrect.
-- The CRL that contains the certificate isn't published on the Internet and the client is enforced to validate the CRL.
+- The CRL that contains the certificate isn't published on the Internet, and the client is forced to validate the CRL.
 
 ### Resolution
 
 If you're using a PKI server authentication certificate, follow these steps:
 
 1. Make sure that the certificate presented to the client has the expected CMG name. If you're using non-Microsoft services that use certificate pinning and modify the presented certificate, the clients can't validate the server certificate.
 
-    To verify which certificate is presented, open the following URL in the web browser:
+    To verify which certificate is presented, open the following URL in a web browser:
 
     `https://<CMGFQDN>/CCM_Proxy_MutualAuth/ServiceMetadata`
 
-    Replace the `<CMGFQDN>` placeholder with your CMG public fully qualified domain name (FQDN) name.
+    Replace the `<CMGFQDN>` placeholder with your CMG public fully qualified domain name (FQDN).
 
-2. Make sure that the client has the certificate in the Trusted Root Certification Authorities certificate store locally. Otherwise, the client doesn't trust the CMG, even when using Microsoft Entra or token-based authentication. This modern authentication method is only available for the CMG to validate the server authentication, but not in the responses sent from the CMG to the client. When you use a non-Microsoft certificate for the authentication, the client is typically able to validate the public Root CA over the Internet.
+2. Make sure that the client has the certificate in the local Trusted Root Certification Authorities certificate store. Otherwise, the client doesn't trust the CMG, even when using Microsoft Entra or token-based authentication. This modern authentication method is only available for the CMG to validate the server authentication but not for the responses sent from the CMG to the client. When you use a non-Microsoft certificate for authentication, the client can typically validate the public Root CA over the Internet.
 
-3. If the CRL isn't published on the Internet, make sure that the site doesn't enforce clients to validate the CRL and disable CRL checking for clients:
+3. If the CRL isn't published on the Internet, make sure that the site doesn't force clients to validate the CRL and disable CRL checking for clients:
 
     1. In the Configuration Manager console, navigate to the **Administration** workspace.
 
@@ -160,11 +160,11 @@ If you're using a PKI server authentication certificate, follow these steps:
     1. On the **Communication Security** tab, clear the **Clients check the certificate revocation list (CRL) for site systems** checkbox.
 
     > [!NOTE]
-    > When installing clients from the Internet, make sure that the `/NoCRLCheck` parameter is included with the `CCMSetup` command.
+    > When installing clients from the Internet, make sure that the `/NoCRLCheck` parameter is included in the `CCMSetup` command.
 
 ## Error code 401 (CMGService_Invalid_Token)
 
-The client hasn't communicated with the site (via CMG or MP) for more than 30 days, or the `CCMSetup` command is attempting to use an expired token with the `/regtoken` parameter. In the following log files, error messages that resemble the following entries are logged:
+The client hasn't communicated with the site (via the CMG or MP) for more than 30 days, or the `CCMSetup` command is attempting to use an expired token with the `/regtoken` parameter. In the following log files, error messages that resemble the following entries are logged:
 
 **Ccmsetup.log**
 
@@ -185,7 +185,7 @@ Current time: '10/28/2020 13:05:05'.
 
 ### Cause
 
-This issue occurs because the token is expired or not properly added, renew, and ensure a token is added.
+This issue occurs because the token has expired or wasn't properly added.
 
 ### Resolution
 
@@ -197,10 +197,10 @@ For further troubleshooting, do the following actions:
 
 - Check the IIS logs on the management point.
 
-    In the following sample log, the **403 7** response indicates that the server certificate can't be found:
+    In the following sample log, the `403 7` response indicates that the server certificate can't be found:
 
     > \<Date> \<Time> \<IP_address_of_MP> GET /SMS_MP/.sms_aut SITESIGNCERT 443 - \<IP_address_of_CMG_connectionpoint> SMS+CCM+5.0 - **403 7** 0 5573 11
 
-- Enable verbose logging for the **SMS_Cloud_ProxyConnector.log** log file by setting the `VerboseLogging` registry entry value to `1` under the following registry key, and then restart the SMS_EXECUTIVE service.
+- Enable verbose logging for the **SMS_Cloud_ProxyConnector.log** file by setting the `VerboseLogging` registry entry value to `1` under the following registry key, and then restart the SMS_EXECUTIVE service.
 
     `HKLM\SOFTWARE\MICROSOFT\SMS\SMS_CLOUD_PROXYCONNECTOR`