- Hybrid Azure AD Join
To only configure CMG for your company, you do not need Co-management nor Intune, but your Windows 10 clients need to be hybrid Azure AD join. To fulfill this requirement, complete the task listed below (the links below only covers PTA for authentication).
- Ports and data flow – Opening ports is a task for your security or network team.
- Cloud Services – List of the service endpoints that CMG need access to.
- Azure Subscription to host the CMG
- Global Admin – is needed to integrate SCCM to Azure by creating the Azure services (Web and client applications)
- Azure subscription owner rights – this is required to create the CMG cloud service (the VM’s in Azure)
- Unique CMG DNS name – steps outlined below
- Server Authentication Certificate (detailed steps are outlined below using internal PKI. Only one web server certificate is required)
Placement of the CMG and CMG Conection Point
- Primary Site (CAS)
- CMG – Always place the CMG at the top level of your hierarchy. So if you have a CAS, that is where you should place your CMG.
- CMG Connection Point – Place the CMG connection point on each primary. If you have two primary sites, then the connection point should be installed at each primary site. You do not have to install it on the Primary site server, it can be placed on a remote site system in the same site.
- Service Connection Point – This lives on the CAS site server.
- Stand-Alone Primary
- CMG – Install it on the primary site server.
- CMG Connection Point – Install on the Primary site server or on a remote site system.
- Service Connection Point – Install on the primary site server.
The installation steps are listed below. My lab has a CAS, two primaries and the MP, DP, SUP are on remote site systems.
Check if the CMG service name is available
Log into the Azure portal and search for Cloud Services (Classic), then click Add
Type in the desire service name. If it is available you will get a green check. If not, a red exclamation. Enter the full service name (hashmat00cloudCloudapp.net) as the Common name when adding the server authentication certificate to the CAS site server or stand-alone primary, not hierarchy exist.
Create the Server Authentication Certificate
Please refer to my previous post if to make your env as PKI: SCCM PKI Certificate Implementations
Navigate to the server that has the CA installed and open the Certification Authority console. Right click on Certificate Templates > then click on Manage
Right click on Web Server > Duplicate Template
Under General, enter the Template display name and change or accept the validity period.
Under Subject Name, select Supply in the request
Under Request Handling, select Allow private key to be exported
Under Security, add the name of the server (in my case he CAS server) that you will issue the cert to. Allow Read and Enroll permissions. Click on OK to close the properties page and also the Certificate Template Console.
You should be back on the main Certificate Authoriy console. Right click on Certificate Template > New > Certificate Template to issue
Select the CMG Server Certificate that was just created.
On the Primary site server or the stand-alone primary site server if that is what you have, run mmc.msc to open the Certificates console. Under Personal > right click Certificates > All Tasks > Request New Certificate.
Click next on the Before You Begin and the Select Certificate Enrollment Policy page. On the Request Certificate page, select SCCM CMG Cert then click on “More information is required to enroll…“
Select Common name under Subject name. For Value enter the unique CMG DNS name that was verified in the first step – hashmat00cloud.Cloudapp.net. You can use any available name (hashmat00cloud), but Cloudapp.net cannot be changed. Click on OK
Click Enroll to add the CMG Server Certificate
Once enrolled, the certificate should be listed under Personal > Certificates. Right click the SCCM CMG Cert > Export
Select Yes, export the private key, and on the next page, select Personal Information Exchange – PKCS #12(.PFX) then click Next.
Check Password and enter your password then click Next
Enter the path and name of the file. For example C:\cmgCloudCert.pfx then click Next
Click finish to export the CMG server authentication certificate.
Create the Azure Service – Cloud Management
Open the CM console and navigate to Administration > Cloud Services > right click on Azure Services > Configure Azure Services > Select Cloud Management > Click Next
On the App Properties page, click Browse from Web App
On the Server App page click Create.
On the Create Server Application page
- Application Name: Enter any name, for example “Cmg Setup”
- HomePage URL: You can keep the existing value or makeup another URL
- App ID URI: You can keep the existing value or makeup another
- Secret key validity period: Keep 1 year of change it to 2
- Azure admin account: Sign into Azure with the account that has global admin rights
- Azure AD tenant name: Once signed in, this field will display the name of your tenant.
Enter the info on the Create Server Application page and click OK.
Click OK again on the Server App page, then you are back on the App Properties page.
On the App Properties page, click Browse accross from Native Client App
On the Create Client Application page fill in the required information. Use an account with global admin rights to sing into Azure. Use the same account that was used to create the Web Application then click OK.
Click OK to close the Client App page as well, then Next on the App Properties page..
Check Enable Azure AD User Discovery. Click Settings to configure the schedule and delta discovery, then click Next.
Click Next to confirm the settings after which the wizard should be successful. The service should show up under Azure Services.
Log into the Azure portal to confirm that the Apps were created. Search for App Registration and the Apps should present.
Perform the same task on both App. Click on ClientApp to open it > API permissions > click on Grant admin consent > then Yes to confirm.
Click Run Full Discovery Now to kick off user discovery.
Enable Enhanced HTTP
This step is neccessary if SCCM is not configured for HTTPS. Open the CM console and navigate to Administration > Overview > Site Configuration > Sites > select the site, right click and select properties > on the properties page select Communication Security
When the properties page opens, select HTTPS or HTTP and check Use configuration manager-generated certificates for HTTP site systems. Wait around 30 then check the MP and DP to confirm that the cert was applied.
Navigate to your MP or DP. At the command prompt run Certlm.msc to open the certificate console. Under Personal > Certificates > you will the certificate that generated by the site server. The friendly name of the certificate will be listed as SMS Role SSL Certificate.
Open IIS on the Distribution Point(the bindings will exist on the MP as well). Under Default Web Site you should find the new endpoint named CCMTokenAuth_SMS_DP_SMSPKG$.
Right click Default Web Site > Edit Bindings > Select https > Edit and the edit site binding page will open. On the bottom left you should see the certificate(SMS Role SSL Certificate) that was generated by the site server on the image below.
Create the CMG service in Azure
Create a resource group and storage accout (I used the same name as the unique DNS name) if those items do not exist when you log into your Azure portal.
Open the CM console and navigate to Administration > Overview > Cloud Services > Right click on Cloud Management Gateway > Create Cloud Management Gateway
On the Specify details for this cloud service page, click Sign In. Use an account with Subscription owner rights. If the sign in is successful, the Subscription ID, Azure AD app name and Azure AD tenant name will populate.
On the Specify additional details for this cloud service page, click Browse accross from Certificate file. Earlier we exported the Server Authentication Certificate, browse to that .pfx file and enter the password when prompted.
- Service Name – will auto populate
- Deployment name – will auto populate
- Description – enter desired description
- Region – select your region
- Resource Group – select the resource group that was created earlier or use an existing one.
- VM Instance – Each VM will support 6,000 clients. Increase the VM count depending on the number of clients. One CMG can support 16 VM. If needed, increase the VM count from the SCCM console and not from the Azure portal.
- Clients will use Azure AD for authentication when they are Hybrid Azure AD joined, so there is no need for a client certificate if CM is configured for eHTTP. When Hybrid Azure AD joined, the clients get a work place joined (WPJ) certificate which is used to establish trust.
- Check Allow CMG to function as a cloud distribution point and serve content from Azure storage to eliminate to need to deploy a cloud DP.
Configure the desired alerts, then click Next to confirm the summary and start the installation process.
In the CM console, the Status will show Provisioning. After a successful installation the Status will change to Ready. Open CloudMgr.log on the site server to monitor the progress.
Create the CMG Connection Point
Open the CM cosole and navigate to Administration > Overview > Site Configuration > Servers and Site Sytem Roles > Right click on the primary site server or a remote site system > Add Site System Roles > on the General and Proxy page click Next > then select Cloud management gateway connection point
Confirm the settings and click Next.
Confirm the settings, then click next to finish. Open SMS_Cloud_ProxyConnector.log to monitor the progress.
Enable CMG on MP, SUP and Client
Open the MP properties and check Allow Configuration Manager cloud management gateway trafic. Set this on all your MPs and SUPs.
Open the SUP properties and check Allow Configuration Manager cloud management gateway trafic
Navigate to Client Settings, then right click on Default Client Settings (or your custom setting) and click on properties. On the properties page select Cloud Services, then select Yes for Enable clients to use a cloud management gateway.
On azure portal, you can navigate to resource group and you will see resources being created
- Cloud service (classic)
- Storage Account
If you check the Resource Group RBA (Access control), you will see the two azure app created from sccm, they both have contributor role
If you want to check full details of what is inside cloud services
The Azure cloud services created one virtual machine and used windows server 2012 R2
and if you login to any of your client vm or machine, you will see the sccm agent details and network settings being changed to cloud cmg