Managing the SMT Gateway Service with Group Policy


You may want to control which machines are allowed to run the SMT Gateway service, or you may need to require Multi-Factor Authentication (MFA) logon to the Azure portal for security or compliance reasons.

To enable this, we’ve designed the SMT Gateway service to check for the existence of registry keys. If you are not yet familiar with the initial deployment and setup of SMT, see this blog post.

The SMT Gateway Service will look for keys named “AllowGateway” and “RequireMFA” in [HKLM|HKCU]\Software\Policies\Microsoft\ServerManagementTools-Gateway. If the keys exist in both paths, HKLM takes precedence.

Here are the full details on each key:

  • AllowGateway
    • Type: DWORD
    • Data: 0 (Disallow) or 1 (Allow)
    • Default: No value (Allow)
    • Description: If AllowGateway is set to 0, any SMT gateway software which gets installed will not process any commands from its queue. This setting allows an admin to lock down an environment by default, and only allow SMT gateways on authorized servers.
  • RequireMFA
    • Type: DWORD
    • Data: 0 (Don’t require MFA) or 1 (Require MFA)
    • Default: No value (Don’t require MFA)
    • Description: If RequireMFA is set to 1, the SMT gateway will only process requests which have a header indicating MFA compliance. The user will be required to log in to the Azure portal using Multi-Factor Authentication for Azure to send the required header.

You can download the ADMX files necessary to manage these keys through Group Policy here. For more information on ADMX files please read Managing Group Policy ADMX Files Step-by-Step Guide.

For one-off testing, here are some PowerShell cmdlets to set the regkey values on the gateway machine:

Create the registry key:
New-Item -Path HKLM:\Software\Policies\Microsoft\ServerManagementTools-Gateway
Add the registry key property for AllowGateway (0 = disabled, 1 = enabled):
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\ServerManagementTools-Gateway -PropertyType DWORD -Name AllowGateway -Value 0
Add the registry key property for MFA (0 = disabled, 1 = enabled):
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\ServerManagementTools-Gateway -PropertyType DWORD -Name RequireMfa -Value 1
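
To check what a gateway machine is actually configured with, the following added example (not part of the original post and not Microsoft's code) resolves the effective value of each setting using the rules described above: HKLM before HKCU, then the documented default. Get-SmtGatewayPolicy is a hypothetical helper name, and HKCU here is the hive of the user running the script, since the post does not say which account's HKCU the service reads.

```powershell
# Added example: report the effective SMT Gateway policy on this machine.
# Get-SmtGatewayPolicy is a hypothetical name, not a cmdlet shipped with SMT.
$SubKey = 'Software\Policies\Microsoft\ServerManagementTools-Gateway'

function Get-SmtGatewayPolicy {
    # Documented defaults when no value exists:
    # AllowGateway -> Allow (1), RequireMFA -> Don't require MFA (0)
    $defaults = [ordered]@{ AllowGateway = 1; RequireMFA = 0 }

    foreach ($name in $defaults.Keys) {
        $data   = $defaults[$name]
        $source = 'Default (no value set)'

        # HKLM is checked first because it takes precedence over HKCU.
        # Assumption: HKCU is the hive of the user running this script.
        foreach ($hive in 'HKLM', 'HKCU') {
            $item = Get-ItemProperty -Path "${hive}:\$SubKey" -Name $name `
                        -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $data   = $item.$name
                $source = $hive
                break
            }
        }

        [pscustomobject]@{
            Setting    = $name
            Effective  = $data
            Source     = $source
            # Only 0 and 1 are documented; anything else deserves a closer look.
            Documented = ($data -in 0, 1)
        }
    }
}

Get-SmtGatewayPolicy | Format-Table -AutoSize
```

A row whose Source is HKCU while the same setting is expected from Group Policy in HKLM indicates the machine-level policy has not applied.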

 

What other features would you like to see in SMT? Submit your ideas and suggestions via our UserVoice forum and make sure to follow us on Twitter!
