Starting with ConfigMgr 1805 tech preview it is possible to use the Azure Resource Manager platform when creating an instance of the cloud distribution point. ARM eliminates the need for management certificates by utilizing Azure Active Directory for authentication. The other major improvement in this iteration of the CDP is that it eliminates the need for a management certificate.
This process should be the same for ConfigMgr 1806, if not I will update this blog when 1806 is released.
a. You must have Azure AD.
b. Create a public facing CNAME record that maps your service name (ex mycmg.mydomain.com) to your service name at cloudapp.com (ex mycmg.cloudapp.net)
c. For this guide I am using a publicly issued certificate purchased from DigiCert. You may certainly choose to use a certificate issued from your internal PKI.
d. DNS CNAME mapping your service FQDN to the cloudapp.net FQDN.
2. Create an SSL Cert for the Cloud DP
At this time the cloud DP does not support wildcard certificates. You should generate a web server certificate from either a public certificate provider or your own internal PKI. For this guide I am using a cert issued by DigiCert.
a. Use the DigiCert CSR generator tool to generate a CSR for an SSL certificate with the SAN being the external FQDN which you’d like to use for your CDP (mycdp.mydomain.com)
b. Download a .cer from Digicert, import it back into the DigiCert CSR generator and export it out with the private key as a .pfx file as exportedCDP.pfx
3. Install the Cloud DP
Be aware that a cloud DP is not required for Microsoft updates, those will be downloaded from Microsoft.
a. In the Configuration Manager console go to the administration node, expand cloud services, right click cloud distribution points and select create new cloud distribution point.
b. On the General page:
i. Select the appropriate Azure environment.
ii. Select Azure Resource Manager deployment.
iii. Sign in to Azure using an Azure admin account.
iv. If you have multiple Azure subscriptions you should select the one which you would like to host the could distribution point.
v. You should see the Azure AD app name and Azure AD tenant name auto populate.
vi. Click Next.
c. On the Settings page:
i. The service name should auto populate
ii. Select a region where you’d like your cloud DP hosted. I select the nearest to my physical location.
iii. If you have multiple primary sites you select the appropriate site for your DP.
iv. Browse to the .pfx file you created in step 2 of this guide.
v. Enter the password for the .pfx file and click OK.
vi. The service FQDN will be populated using the common name entered in your CSR. This is the URL your clients will use to communicate with the cloud distribution point.
vii. Click Next
d. On the Alerts page either click Next taking the defaults or you edit them based on your preferences then click Next.
e. On the Summary page click Next.
f. On the Completion page click Close.
g. In the Configuration Manager console go to the administration node, expand cloud services, right click cloud distribution points. Notice the status is provisioning. This may take 30 minutes or so to complete. DO NOT proceed with the following steps until provisioning has completed.
4. Create a DNS CNAME
a. Log in to the Azure portal as a global admin or co-administrator.
b. Click All services in Azure services list, then select Cloud Services in the Compute group and select your cloud DP service.
c. Copy the cloud service site URL.
d. Close the Azure portal.
e. In both internal and external DNS you should create a CNAME entry which maps your cloud DP service FQDN, which was defined in the common name of the SSL certificate, to the cloud service site URL. (example: mycloudDP.systemcenteradmin.com = mycloudDP.cloudapp.net)
5. Test the CDP
In order to simulate a client being outside of your internal network set the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security ClientAlwaysOnInternet = 1
Be sure to remove this key once testing has been completed.
a. Create and deploy package
i. In the Configuration Manager console, click Software Library.
ii. In the Software Library workspace, expand Application Management, and then click Packages.
iii. In the Home tab, in the Create group, click Create Package.
iv. On the Package page of the Create Package and Program Wizard, specify the following information:
1. Name: Specify a name for the package for example Test CMG.
2. This package contains source files: Check this box.
3. Source folder: Browse to the source files for this package.
v. On the Program Type page of the Create Package and Program Wizard, select Standard Package and then click Next.
vi. On the Standard Program page of the Create Package and Program Wizard, specify the following:
1. Name: CDP Test Program
2. Command Line: Enter the install command line for your package.
3. Run: Normal
4. Program can run: Only when a user is logged on
5. Run mode: Run with administrative rights
6. Allow users to view and interact with the program installation: Do not check this box
7. Dive mode: run with UNC name
vii. Click next through all remaining screens to complete the wizard.
b. Deploy the test package
i. Create a new collection and add a test PC to the new collection.
ii. Deploy the test package as required to the collection containing the test PC.
1. Distribute the content to ONLY the cloud DP.
2. Make the package required.
3. Set the assignment schedule to as soon as possible.
4. On the User Experience page be sure to select “Allow users to run the program independently of advertisements.
c. On the test client open the configuration manager control panel applet, go to the actions tab and run a machine policy retrieval & Evaluation Cycle.
d. Monitor the cas.log to confirm that the content has been located on the CDP.
e. Monitor the execmgr.log on the client to verify the test program runs.
f. You should also see the package Software Center.