Covid Co-Management Crisis Part 3: Set it up

If you read Part 2 in this series, then you know what happens now. Here is a rant-free guide to setting up the Cloud Management Gateway for SCCM.

Steps in this guide

  1. Verify a unique URL DNS name

  2. Certificate preparation

  3. Azure service integration to SCCM

  4. Deploy Cloud Management Gateway

  5. Verify resource creation in Azure

  6. Configure connection point role

  7. Site system and management point settings

  8. Enable software update point

  9. Primary site settings

  10. Client settings

  11. Deploy the client through Intune

*Cloud Management Gateway clients can be authenticated with either PKI client certificates or Azure AD authentication. We will use the latter. It works for both Azure AD joined and hybrid Azure AD joined devices, which is why Hybrid Azure AD Join appears in the prerequisites below: a device that is only domain joined has no Azure AD identity to present to the CMG.
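Because the whole design rests on the device having an Azure AD identity, it is worth confirming the join state on a test client before touching the server side. The following PowerShell is an added example, not from the original post; it parses the output of dsregcmd /status (present on Windows 10 1607 and later) and reports the fields the CMG's Azure AD authentication depends on.

```powershell
# Added example (not from the original post): report the join state that the
# CMG's Azure AD authentication depends on, by parsing dsregcmd /status.
# Run on the Windows 10 client; elevation is not required.
function Get-DeviceJoinState {
    $lines = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $lines) {
        # dsregcmd prints "   AzureAdJoined : YES" style lines; keep only key : value pairs
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [PSCustomObject]@{
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        TenantName    = $state['TenantName']
        # Hybrid join = domain joined AND Azure AD joined; cloud-only join is AzureAdJoined alone.
        HybridJoined  = ($state['DomainJoined'] -eq 'YES') -and ($state['AzureAdJoined'] -eq 'YES')
        # A Primary Refresh Token shows the device can actually obtain Azure AD tokens.
        AzureAdPrt    = $state['AzureAdPrt'] -eq 'YES'
    }
}

$js = Get-DeviceJoinState
if (-not $js.AzureAdJoined) {
    Write-Warning 'Device is not Azure AD joined; CMG Azure AD authentication will fail until Hybrid Azure AD Join completes.'
}
$js
```

A device that reports AzureAdJoined but no AzureAdPrt has usually just been joined and has not yet signed in with a synced user; let it reboot and sign in once before using it to test the CMG.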

Prerequisites

The following prerequisites are required during implementation.

  • Azure AD Connect enabled for Hybrid Azure-AD Join

  • SCCM Current Branch version 1910

  • Microsoft.ClassicCompute resource provider registered within Azure subscriptions

  • Microsoft.Storage resource provider registered within Azure subscriptions
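The two resource-provider registrations are easy to forget and the CMG wizard fails late without them. This PowerShell is an added example, not from the original post; it registers both providers if needed and waits for Azure to report them as Registered. It assumes the Az module and an existing Connect-AzAccount session with rights on the subscription; the subscription ID is a placeholder.

```powershell
# Added example (not from the original post): register the resource providers the
# CMG needs and wait until the registration completes. Requires the Az module and
# a Connect-AzAccount session. The subscription ID below is a placeholder.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

$providers = 'Microsoft.ClassicCompute', 'Microsoft.Storage'

foreach ($ns in $providers) {
    # Get-AzResourceProvider returns one object per resource type; they share a state.
    $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
    if ($state -ne 'Registered') {
        Write-Host "Registering $ns (current state: $state)"
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
        # Registration is asynchronous; poll until it leaves the Registering state.
        do {
            Start-Sleep -Seconds 10
            $state = (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
        } while ($state -eq 'Registering')
    }
    Write-Host "$ns : $state"
}
```

Registering a provider needs the Contributor (or Owner) role on the subscription; a Reader will see the current state but the Register call will be refused.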

Verify a unique URL DNS name

*This will be done for both the cloud service (the Microsoft.ClassicCompute resource) and the storage account. Use the same candidate name for both checks: when the CMG is created, Configuration Manager creates the storage account with the service name, so the name must be free in both namespaces. Storage account names allow only 3-24 lowercase letters and digits, so pick a name that fits that rule from the start.

  • Log into https://portal.azure.com, search the ‘resources’ field for Cloud services (classic) and click + Add.

  • In the ‘DNS name’ field, enter your desired name.  A green check will populate if the name is available.  No further configuration is needed; we just needed to validate the name availability.  Close out of this menu and return to the main Azure homepage.

  • Search the ‘resources’ field for Storage accounts.

  • From the Storage accounts menu, click + Add.

  • In the ‘Storage account name’ field, enter your desired name.  If a green check mark populates, it is available.  Again, no further configuration is needed.  Close out of this menu.
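The same two checks can be scripted, which is handy when the first few names you like are taken. This PowerShell is an added example, not from the original post. It assumes the Az module and a Connect-AzAccount session; 'contosocmg' is a placeholder name. Az has an availability call for storage account names but none for the classic cloud service DNS label, so the second check falls back to DNS resolution of <name>.cloudapp.net: a name that resolves is certainly taken, a name that does not is very likely free but the portal's green check remains the authority.

```powershell
# Added example (not from the original post): test a candidate CMG name for both
# the storage account and the classic cloud service DNS label.
# Requires the Az module and a Connect-AzAccount session. 'contosocmg' is a placeholder.
function Test-CmgName {
    param([Parameter(Mandatory)][string]$Name)

    $result = [ordered]@{ Name = $Name }

    # 1. Format rule shared by both resources (storage is the stricter one):
    #    3-24 characters, lowercase letters and digits only.
    $result.FormatOk = $Name -cmatch '^[a-z0-9]{3,24}$'

    # 2. Storage account name availability via the management API.
    $avail = Get-AzStorageAccountNameAvailability -Name $Name
    $result.StorageAvailable = $avail.NameAvailable
    $result.StorageReason    = $avail.Reason

    # 3. Cloud service DNS label: check whether <name>.cloudapp.net already resolves.
    #    Resolving means taken; NXDOMAIN is a strong (not absolute) sign it is free.
    $fqdn = "$Name.cloudapp.net"
    $dns  = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
    $result.CloudServiceFqdn     = $fqdn
    $result.CloudServiceDnsInUse = [bool]$dns

    $result.LooksUsable = $result.FormatOk -and $result.StorageAvailable -and -not $result.CloudServiceDnsInUse
    [PSCustomObject]$result
}

Test-CmgName -Name 'contosocmg'
```

The CloudServiceFqdn value the function prints is the exact string the server-authentication certificate's common name must carry in the next section.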

Certificate preparation

*Take note of both names tested above.  Do not proceed with any configuration; we will need those names later.

*The certificate issued here is the CMG's public TLS identity, so clients must trust the issuing CA. Hybrid Azure AD joined clients receive the enterprise root from Active Directory, so an internal CA is fine for this scenario.

  • Log into your Certificate Authority server with administrator credentials and launch the Certification Authority console.

  • Right-click on Certificate Templates and click ‘Manage’.

  • Right-click on the Web Server template and click ‘Duplicate Template’.

  • In the ‘General’ tab, enter a display name.

  • In the ‘Request Handling’ tab, select the box for Allow private key to be exported.  The CMG wizard needs the key inside a .PFX, so the template must permit export; treat the resulting .PFX with the same care as the key it contains.

  • In the ‘Security’ tab, add the group containing your SCCM site server.  Check the box for Read and Enroll permissions.  Click OK to create the certificate template.

  • Return to the Certification Authority console.

  • Right-click on Certificate Templates > New > Certificate Template to Issue.

  • Select the template we’ve just created and click OK.

Next, we will request the newly created certificate on our SCCM primary site server.

*It is recommended that you reboot the SCCM server prior to requesting a new certificate.  This refreshes the computer account’s Kerberos ticket so that the group membership you granted Enroll permission to is present in its token when it contacts the CA.

  • Log into the SCCM primary site server with admin credentials.

  • Launch MMC and add the snap-in for Certificates > Local Computer.

  • Navigate to Certificates (Local Computer) > Personal > Certificates.

  • Right-click on Certificates and select All Tasks > Request New Certificate.

  • Select Next twice on the Certificate Enrollment window.

  • Select the certificate template we issued and click the ‘more information’ link.

  • Choose Common Name from the ‘Subject Name’ drop-down.

  • For the value, enter the full service FQDN: the unique name we verified in ‘Verify a unique URL DNS name’ followed by .cloudapp.net (for example contosocmg.cloudapp.net).  The CMG wizard derives the service name from this common name, so it must be the complete cloudapp.net name, not just the prefix.

  • Click Enroll.

  • After the certificate is enrolled, click Finish.

Now we will export the certificate we just requested, together with its private key.

  • On the SCCM site server, launch MMC and add the local computer certificate snap-in again.

  • Navigate to Certificates (Local Computer) > Personal > Certificates.

  • Right-click on our new certificate and select All Tasks > Export.

  • Click Next on the Certificate Export Wizard and select Yes, export the private key.

  • On the ‘Export File Format’ page, keep Personal Information Exchange - PKCS #12 (.PFX) selected, check Include all certificates in the certification path if possible, and leave Delete the private key if the export is successful unchecked.  Click Next.

  • Enter a password to protect your private key and click Next.  This password is the only protection on the key once the file leaves the server, so use a strong one, and delete the .PFX after it has been uploaded in the CMG wizard.

  • Choose a location and save the .PFX file.
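The request and export steps above, as an added PowerShell example that is not from the original post, with the checks the CMG wizard would otherwise fail on later. Run it elevated on the SCCM site server. It assumes the built-in PKI module (Windows Server 2012 R2 and later); the template name, CMG name and output path are placeholders. Note that Get-Certificate's -Template parameter takes the template's Name from the General tab (by default the display name with spaces removed), not the display name.

```powershell
# Added example (not from the original post): request the CMG server-authentication
# certificate from the duplicated template and export it as a password-protected PFX.
# Run elevated on the SCCM site server. Template name, FQDN and path are placeholders.
$templateName = 'CMGWebServer'                 # 'Template name' on the template's General tab
$cmgFqdn      = 'contosocmg.cloudapp.net'      # verified unique name + .cloudapp.net
$pfxPath      = 'C:\Temp\cmg-server.pfx'

# 1. Enroll against the enterprise CA as the computer account (the template grants
#    Enroll to the group containing this server). CN and DNS SAN both carry the FQDN.
$req = Get-Certificate -Template $templateName `
                       -SubjectName "CN=$cmgFqdn" `
                       -DnsName $cmgFqdn `
                       -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Enrollment did not complete: $($req.Status)" }
$cert = $req.Certificate

# 2. Sanity checks: private key present, subject is the service FQDN, Server
#    Authentication EKU (1.3.6.1.5.5.7.3.1) inherited from the Web Server template.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
if ($cert.Subject -ne "CN=$cmgFqdn") { throw "Unexpected subject: $($cert.Subject)" }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)) { throw 'Missing Server Authentication EKU' }

# 3. Export with the chain so the PFX carries the issuing CA certificates.
#    Export-PfxCertificate fails if the template did not allow key export.
#    Prompting keeps the password out of the script and the shell history.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

Write-Host "Exported $($cert.Thumbprint) to $pfxPath"
# Upload the PFX in the Create Cloud Management Gateway wizard, then delete the file.
```

If Get-Certificate returns Pending instead of Issued, the template has manager approval enabled; the duplicated Web Server template normally does not.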

Azure service integration to SCCM

  • Log into SCCM console and navigate to Administration > Cloud Services > Azure Services

  • Click Configure Azure Services in the ribbon.

  • In the ‘Configure Azure Services’ window, provide a name and select Cloud Management.

  • We need to provide names for the Web app and Native Client app.  Once provided, sign in to your Azure tenant with Global Administrator credentials.  The wizard registers these two applications in Azure AD and grants the consent they need, which is why a Global Administrator is required for this one-time step.

  • Once finished, log into https://portal.azure.com and navigate to Azure Active Directory > Enterprise applications.  You will see the two new entries.

Deploy Cloud Management Gateway

  • Log into SCCM console and navigate to Administration > Cloud Services > Cloud Management Gateway

  • Click on Create Cloud Management Gateway in the ribbon.

  • Click Sign In and proceed with your Azure Global Admin account.  Select a subscription from the drop-down.  The Azure AD app name should automatically populate from ‘Azure service integration to SCCM’.  Click Next.

  • On the next page, click Browse to upload the .PFX cert that was created in ‘Certificate preparation’.  Enter the password when prompted.  The service name is read from the certificate’s common name.  Choose the region you want the Azure service to run in.

  • Create a new Resource Group.

  • For the VM Instance number, keep in mind that one VM per CMG can support up to 6000 clients, 2000 of them simultaneously.  See Microsoft’s CMG scaling documentation for more information.

  • Make sure to uncheck the box for Verify Client Certificate Revocation.  That check applies to PKI client certificates, which we are not using; if left on, the CMG would need to reach your internal CA’s CRL from the internet.
    Lastly, make sure the box is checked for Allow CMG to function as a cloud distribution point and serve content from Azure storage, so clients can download content from the CMG’s storage account without a separate cloud distribution point.

  • Click Next.  Allow several minutes for the service to be provisioned.

Status of the CMG can be confirmed in both Azure and SCCM.

Verify resource creation in Azure

  • Log into https://portal.azure.com and select All resources.  You will see the two new resources (cloud service and storage account) that make up the CMG.

  • Click on the cloud service to see more information.
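The portal shows the service is running; what it does not show is what an internet client will see when it connects. This PowerShell is an added example, not from the original post: run from a machine outside the corporate network, it opens a TLS session to the CMG, reports the certificate presented, checks that the subject matches the FQDN and that the chain builds to a trusted root with revocation checked. 'contosocmg.cloudapp.net' is a placeholder.

```powershell
# Added example (not from the original post): connect to the CMG from outside the
# network and inspect the TLS certificate the way a client would.
# 'contosocmg.cloudapp.net' is a placeholder.
function Test-CmgEndpoint {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Fqdn, $Port)
        # Accept any certificate during the handshake; we validate it ourselves below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain with online revocation checking, as a client would.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)

        # Subject Alternative Name extension (2.5.29.17) rendered as text, if present.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }

        [PSCustomObject]@{
            Fqdn           = $Fqdn
            Protocol       = $ssl.SslProtocol
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            SubjectMatches = ($cert.Subject -eq "CN=$Fqdn") -or ([string]$san -match [regex]::Escape($Fqdn))
            ChainTrusted   = $chainOk
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

Test-CmgEndpoint -Fqdn 'contosocmg.cloudapp.net'
```

Two results matter. ChainTrusted false with ChainStatus UntrustedRoot means the test machine lacks your enterprise root; a hybrid-joined client has it, so that is expected on a non-domain laptop. ChainTrusted false with RevocationStatusUnknown or OfflineRevocation means the internal CA's CRL is not reachable from the internet; since clients check the CMG server certificate's revocation status, you then need an internet-published CRL or clients installed with the /NoCRLCheck ccmsetup option.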

Configure connection point role

  • In SCCM, navigate to Administration > Site Configuration > Servers and Site System Roles

  • Right-click on the primary site server and select Add Site System Roles

  • Click Next through the wizard to reach the Specify roles for this server window.  Check the box for Cloud management gateway connection point and click Next.

  • The role should now be listed under Site System Roles for that server.

Site system and management point settings

  • On the Servers and Site System Roles page, select the primary site server.  Right-click on the Management point role and select Properties.

  • Make sure the box is checked for Allow Configuration Manager cloud management gateway traffic.

*In my instance, I had the dropdown above set to Allow intranet and Internet connections.  If you decide to use a dedicated management point for internet clients, that is an option.

  • Click OK to complete the management point setup.

Enable software update point

  • On the Servers and Site System Roles page, select the primary site server.  Right-click on the Software update point role and select Properties.

  • Make sure the box is checked for Allow Configuration Manager cloud management gateway traffic

Primary site settings

  • Navigate to Administration > Site Configuration > Sites.

  • Right-click on the primary site and select Properties.

  • Select the ‘Communication Security’ tab.  Check the box for Use Configuration Manager-generated certificates for HTTP site systems (this is the Enhanced HTTP setting, which Azure AD token authentication to an HTTP management point relies on).

  • Ensure the box for Use PKI client certificate (client authentication capability) when available is unchecked.

  • Click OK

Client settings

  • Navigate to Administration > Site Configuration > Client Settings.  Right-click on the client settings currently in use and choose Properties.

  • Select Cloud services.  Ensure that Allow access to cloud distribution point and Enable clients to use a cloud management gateway are both set to Yes.

Deploy the client through Intune

  • Navigate to Administration > Cloud Services > Co-management.  Click Configure co-management in the ribbon.

  • Copy the command line arguments from the properties window.  We will use these to deploy the client through Intune.

  • The client installer is ccmsetup.msi in the Client folder of the site server’s SMS_<sitecode> share, i.e. \\<SCCM-SITE>\SMS_<sitecode>\Client\ccmsetup.msi

If you’ve gotten this far, I would assume you don’t need to know how to wrap an application for Intune deployment. But, just in case, here you go.
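For completeness, the staging and wrapping as an added PowerShell example, not from the original post. It copies ccmsetup.msi from the site share, refuses to package it unless its Authenticode signature is valid, records a SHA-256 hash so the package uploaded to Intune can be checked later, and wraps it with Microsoft's Win32 Content Prep Tool (IntuneWinAppUtil.exe). The site server name, site code, paths and the CCMSETUPCMD string are placeholders; paste the arguments copied from the co-management properties into $ccmSetupCmd. The install command format is an assumption based on the MSI accepting CCMSETUPCMD as a property.

```powershell
# Added example (not from the original post): stage, verify, hash and wrap
# ccmsetup.msi for an Intune Win32 app. All names and paths are placeholders.
$siteServer  = 'SCCM-SITE'                  # placeholder
$siteCode    = 'PS1'                        # placeholder
$source      = "\\$siteServer\SMS_$siteCode\Client\ccmsetup.msi"
$stage       = 'C:\IntuneSrc\ccmsetup'
$outDir      = 'C:\IntuneOut'
$prepTool    = 'C:\Tools\IntuneWinAppUtil.exe'
$ccmSetupCmd = '<paste the arguments copied from Configure co-management here>'

New-Item -ItemType Directory -Force -Path $stage, $outDir | Out-Null
Copy-Item -Path $source -Destination $stage -Force
$msi = Join-Path $stage 'ccmsetup.msi'

# Supply-chain checks: only package a Microsoft-signed installer, and keep a hash
# of exactly what was wrapped so the package can be verified later.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') { throw "ccmsetup.msi signature status is $($sig.Status); refusing to package it" }
$hash = (Get-FileHash -Algorithm SHA256 -Path $msi).Hash
"$hash  ccmsetup.msi" | Set-Content -Path (Join-Path $outDir 'ccmsetup.sha256')

# Wrap: -c source folder, -s setup file, -o output folder, -q quiet.
& $prepTool -c $stage -s 'ccmsetup.msi' -o $outDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# Install command for the Intune Win32 app; the MSI reads CCMSETUPCMD as a property.
$installCommand = "msiexec /i ccmsetup.msi /qn CCMSETUPCMD=""$ccmSetupCmd"""
Write-Host "Package: $(Join-Path $outDir 'ccmsetup.intunewin')"
Write-Host "SHA256:  $hash"
Write-Host "Install: $installCommand"
```

The CCMSETUPCMD string contains the CMG FQDN, site code and Azure AD application IDs, so the install command, not just the package, is what ties the client to your site; review it in the Intune app definition after upload.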

Okay- I’m pretty tired after that. Good luck with the setup.

Steve Weiner