SCCM CMG Deployment

Prequisites

  1. Hybrid Azure AD Join
    To only configure CMG for your company, you do not need Co-management nor Intune, but your Windows 10 clients need to be hybrid Azure AD join. To fulfill this requirement, complete the task listed below (the links below only covers PTA for authentication).
  2. Ports and data flow – Opening ports is a task for your security or network team.
    • Cloud Services – List of the service endpoints that CMG need access to.
  3. Azure Subscription to host the CMG
  4. Global Admin – is needed to integrate SCCM to Azure by creating the Azure services (Web and client applications)
  5. Azure subscription owner rights – this is required to create the CMG cloud service (the VM’s in Azure)
  6. Unique CMG DNS name – steps outlined below
  7. Server Authentication Certificate (detailed steps are outlined below using internal PKI. Only one web server certificate is required)

Placement of the CMG and CMG Conection Point

The installation steps are listed below. My lab has a CAS, two primaries and the MP, DP, SUP are on remote site systems.

Check if the CMG service name is available

Log into the Azure portal and search for Cloud Services (Classic), then click Add

Type in the desire service name. If it is available you will get a green check. If not, a red exclamation. Enter the full service name (hashmat00cloudCloudapp.net) as the Common name when adding the server authentication certificate to the CAS site server or stand-alone primary, not hierarchy exist.

Create the Server Authentication Certificate

Please refer to my previous post if to make your env as PKI:  SCCM PKI Certificate Implementations

Navigate to the server that has the CA installed and open the Certification Authority console. Right click on Certificate Templates > then click on Manage

Right click on Web Server > Duplicate Template

Under General, enter the Template display name and change or accept the validity period.

Under Subject Name, select Supply in the request

Under Request Handling, select Allow private key to be exported

Under Security, add the name of the server (in my case he CAS server) that you will issue the cert to. Allow Read and Enroll permissions. Click on OK to close the properties page and also the Certificate Template Console.

You should be back on the main Certificate Authoriy console. Right click on Certificate Template > New > Certificate Template to issue

Select the CMG Server Certificate that was just created.

On the Primary site server or the stand-alone primary site server if that is what you have, run mmc.msc to open the Certificates console. Under Personal > right click Certificates > All Tasks > Request New Certificate.

Click next on the Before You Begin and the Select Certificate Enrollment Policy page. On the Request Certificate page, select SCCM CMG Cert  then click on “More information is required to enroll…

Select Common name under Subject name. For Value enter the unique CMG DNS name that was verified in the first step – hashmat00cloud.Cloudapp.net. You can use any available name (hashmat00cloud), but Cloudapp.net cannot be changed. Click on OK

Click Enroll to add the CMG Server Certificate

Once enrolled, the certificate should be listed under Personal > Certificates. Right click the SCCM CMG Cert > Export

Select Yes, export the private key, and on the next page, select Personal Information Exchange – PKCS #12(.PFX) then click Next.

Check Password and enter your password then click Next

Enter the path and name of the file. For example C:\cmgCloudCert.pfx then click Next

Click finish to export the CMG server authentication certificate.

Create the Azure Service – Cloud Management

Open the CM console and navigate to Administration > Cloud Services > right click on Azure Services > Configure Azure Services > Select Cloud Management > Click Next

On the App Properties page, click Browse from Web App

On the Server App page click Create.

On the Create Server Application page

Enter the info on the Create Server Application page and click OK.

Click OK again on the Server App page, then you are back on the App Properties page.

On the App Properties page, click Browse accross from Native Client App

On the Create Client Application page fill in the required information. Use an account with global admin rights to sing into Azure. Use the same account that was used to create the Web Application then click OK.

Click OK to close the Client App page as well, then Next on the App Properties page..

Check Enable Azure AD User Discovery. Click Settings to configure the schedule and delta discovery, then click Next.

Click Next to confirm the settings after which the wizard should be successful. The service should show up under Azure Services.

Log into the Azure portal to confirm that the Apps were created. Search for App Registration and the Apps should present.

 

Perform the same task on both App. Click on ClientApp to open it > API permissions > click on Grant admin consent > then Yes to confirm.

Click Run Full Discovery Now to kick off user discovery.

Enable Enhanced HTTP

This step is neccessary if SCCM is not configured for HTTPS. Open the CM console and navigate to Administration > Overview Site Configuration > Sites > select the site, right click and select properties > on the properties page select Communication Security

When the properties page opens, select HTTPS or HTTP and check Use configuration manager-generated certificates for HTTP site systems. Wait around 30 then check the MP and DP to confirm that the cert was applied.

Navigate to your MP or DP. At the command prompt run Certlm.msc to open the certificate console. Under Personal > Certificates > you will the certificate that generated by the site server. The friendly name of the certificate will be listed as SMS Role SSL Certificate.

Open IIS on the Distribution Point(the bindings will exist on the MP as well). Under Default Web Site you should find the new endpoint named CCMTokenAuth_SMS_DP_SMSPKG$.

Right click Default Web Site > Edit Bindings > Select https > Edit and the edit site binding page will open. On the bottom left you should see the certificate(SMS Role SSL Certificate) that was generated by the site server on the image below.

Create the CMG service in Azure

Create a resource group and storage accout (I used the same name as the unique DNS name) if those items do not exist when you log into your Azure portal.

Open the CM console and navigate to Administration > Overview > Cloud Services > Right click on Cloud Management Gateway > Create Cloud Management Gateway

On the Specify details for this cloud service page, click Sign In. Use an account with Subscription owner rights. If the sign in is successful, the Subscription ID, Azure AD app name and Azure AD tenant name will populate.

On the Specify additional details for this cloud service page, click Browse accross from Certificate file. Earlier we exported the Server Authentication Certificate, browse to that .pfx file and enter the password when prompted.

Configure the desired alerts, then click Next to confirm the summary and start the installation process.

In the CM console, the Status will show Provisioning. After a successful installation the Status will change to Ready. Open CloudMgr.log on the site server to monitor the progress.

Create the CMG Connection Point

Open the CM cosole and navigate to Administration > Overview > Site Configuration > Servers and Site Sytem Roles > Right click on the primary site server or a remote site system > Add Site System Roles > on the General and Proxy page click Next > then select Cloud management gateway connection point

Confirm the settings and click Next.

Confirm the settings, then click next to finish. Open SMS_Cloud_ProxyConnector.log to monitor the progress.

Enable CMG on MP, SUP and Client

Open the MP properties and check Allow Configuration Manager cloud management gateway trafic. Set this on all your MPs and SUPs.

Open the SUP properties and check Allow Configuration Manager cloud management gateway trafic

Navigate to Client Settings, then right click on Default Client Settings (or your custom setting) and click on properties. On the properties page select Cloud Services, then select Yes for Enable clients to use a cloud management gateway.

On azure portal, you can navigate to resource group and you will see resources being created

If you check the Resource Group RBA (Access control), you will see the two azure app created from sccm, they both have contributor role

If you want to check full details of what is inside cloud services

The Azure cloud services created one virtual machine and used windows server 2012 R2

If you want to scale the load, you can change the instance count and configure auto scale based on rules.

and if you login to any of your client vm or machine, you will see the sccm agent details and network settings being changed to cloud cmg

Exit mobile version