Monthly Archives: June 2016

SCCM Azure Cloud Proxy Service for managing clients on the Internet

In Configuration Manager Technical Preview 5 with update 1606, Microsoft introduced the Azure Cloud Proxy Service for managing clients on the Internet. More info can be read here.

This post covers how I set up the Cloud Proxy Service in my ConfigMgr lab to deploy software to a client on the Internet (this is a technical preview and NOT recommended for production environments; it was simply to test out the Cloud Proxy Service). Make sure your lab Configuration Manager is updated to version 1606 so you have the cloud proxy functionality (in the Configuration Manager console, go to Administration > Cloud Services > Updates and Servicing). I had a Visual Studio MSDN subscription for Azure. You can also sign up for a 30 day Azure trial here.

Certificates:

I followed all the certificate requirements here (under the Certificates section of Cloud Proxy) to create the custom SSL certificate for the cloud proxy service and the client certificates (and also to export the client root certificate).

I created the certificates below using this Technet guide:

ConfigMgr Client Distribution Point Certificate
ConfigMgr Client Certificate
ConfigMgr Cloud-Based Distribution Point Certificate (custom SSL certificate as mentioned in Technet)
ConfigMgr Web Server Certificate

For the management certificate for Azure, I exported the custom SSL certificate with the private key as PFX file, and also exported the certificate as a .cer file which I would upload to Azure. The custom SSL cert will be used when setting up the Cloud service later.
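The two exports described above can also be done from PowerShell. This is an added example, not code from the original post: it finds the custom SSL certificate in the local machine store by subject name (a placeholder value here), checks that it carries the Server Authentication EKU the proxy needs, and writes both the PFX (private key, for the Create Cloud Proxy Service wizard) and the .cer (public key only, for Azure Management Certificates). The subject name, output folder and file names are assumptions.

```powershell
# Added example, not from the original post. Exports the custom SSL certificate
# as PFX (with private key) and .cer (public key only) for the cloud proxy setup.
# $subjectName and $outDir are placeholders for your own values.
$subjectName = 'CN=azure.domainname.com'   # placeholder: the Service Name FQDN on the custom SSL cert
$outDir      = 'C:\CloudProxyCerts'         # placeholder output folder
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'

# Pick the newest certificate with that subject that has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subjectName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with subject '$subjectName' and a private key found in LocalMachine\My"
}

# The proxy presents this certificate to clients, so it must allow Server Authentication.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })) {
    Write-Warning "Certificate $($cert.Thumbprint) does not have the Server Authentication EKU"
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# PFX with private key: used in the Create Cloud Proxy Service wizard.
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'cloudproxy-ssl.pfx') -Password $pfxPassword | Out-Null

# .cer with public key only: uploaded to Azure under Settings > Management Certificates.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'cloudproxy-mgmt.cer') -Type CERT | Out-Null

Write-Host "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $outDir"
```

Run it in an elevated PowerShell on the machine that holds the private key, and keep the PFX and its password out of any shared folder; only the .cer is meant to leave the box.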

Log into manage.windowsazure.com and click on Settings down the left hand side, then click on Management Certificates. Upload your management certificate (in my case, the .cer I exported above). Copy down your subscription ID somewhere, as you will need it later; it is also shown under Subscriptions, right next to Management Certificates.

In the ConfigMgr console, in Administration, expand Cloud Services, right click on Cloud Proxy Service and click Create Cloud Proxy Service.

Type in your subscription ID (which you can get from manage.windowsazure.com, in the Settings area where you uploaded the management certificate) and browse to the Azure management PFX certificate (I exported this earlier from the custom SSL certificate). Azure will validate the certificates.

Type in your Service Name. This will appear as <servicename>.cloudapp.net once created in Azure. Select your region and the instance number (the number of proxies it creates in Azure). Once you select your custom SSL certificate for “Certificate file” it will automatically fill in your service FQDN. This has to be a unique name in your namespace (i.e. it cannot already exist). For Root certificate file, select the client root certificate you exported earlier (the steps are here, under the “Export the client certificate’s root” heading in the Cloud Proxy Service for managing clients on the Internet section).
I unticked Verify Client Certificate Revocation.

Continue with the rest of the wizard. Once the Cloud Proxy Service starts to provision you can see it in the Cloud Proxy Service node. You can watch CloudMgr.log in the site server log directory to see what is happening. The status will be set to Ready once complete; it should take around 10-15 minutes.

DNS:

Once the status was set to Ready, I created a CNAME record in public (Internet) DNS pointing my Service Name to my Cloud Service Name, for example azure.domainname.com to azuretestproxy.cloudapp.net. You can get the Cloud Service name by logging into manage.windowsazure.com, going into the Cloud Service created by the Cloud Proxy Service and viewing the Dashboard; it is listed as Site URL.

This was so my clients on the Internet could resolve the Service Name when they try to connect. Configuration Manager also needs to be able to resolve the Service Name, as it has to establish connections with the Azure proxy. You can see this in SMS_CLOUD_PROXYCONNECTOR.log later on.
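Before pointing clients at the proxy it is worth confirming that the CNAME really lands on the cloud service and that the certificate the proxy presents carries the Service Name, since a mismatch there is what a client's TLS check will reject. The script below is an added example, not part of the original post: it resolves the CNAME, then opens a TLS connection to the Service Name on TCP 443 purely to retrieve the server certificate and reports whether the name and chain check out. The two host names are placeholders taken from the example in the text; the port is an assumption.

```powershell
# Added example, not from the original post: check the public CNAME and the
# certificate presented by the cloud proxy for the Service Name.
$ServiceName      = 'azure.domainname.com'          # placeholder: FQDN on the custom SSL certificate
$CloudServiceName = 'azuretestproxy.cloudapp.net'   # placeholder: host part of the Azure "Site URL"

function Test-CloudProxyCname {
    param([string]$ServiceName, [string]$CloudServiceName)
    $records = Resolve-DnsName -Name $ServiceName -Type CNAME -ErrorAction Stop
    $cname   = ($records | Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1).NameHost
    [pscustomobject]@{
        ServiceName = $ServiceName
        ResolvedTo  = $cname
        Matches     = [bool]($cname -and ($cname.TrimEnd('.') -ieq $CloudServiceName))
    }
}

function Get-RemoteServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback only captures the certificate so it can be inspected below;
        # trust is then evaluated explicitly with the local chain rules, not accepted blindly.
        $capture = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $capture)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$dns  = Test-CloudProxyCname -ServiceName $ServiceName -CloudServiceName $CloudServiceName
$cert = Get-RemoteServerCertificate -HostName $ServiceName

[pscustomobject]@{
    CnameOk      = $dns.Matches
    ResolvedTo   = $dns.ResolvedTo
    CertSubject  = $cert.Subject
    CertNames    = ($cert.DnsNameList.Unicode -join ', ')
    NameMatches  = [bool]($cert.DnsNameList.Unicode -contains $ServiceName)
    ChainTrusted = $cert.Verify()     # true only if the chain builds to a root trusted on this machine
    NotAfter     = $cert.NotAfter
} | Format-List
```

Run it once from an Internet-only machine and once from the site server: both have to resolve the Service Name, and ChainTrusted on a client tells you whether the issuing CA of the custom SSL certificate is actually trusted there.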

Under Site Configuration, click Sites, right click your site server and click Properties, then click the Client Computer Communication tab and make sure you are set to use PKI certificates.

Next we will add the Cloud Proxy Connector point. In Servers and Site System Roles, select your site server, right click and add the Cloud Proxy Connector point (details on adding site system roles are here).

Once this is complete, pay attention to SMS_CLOUD_PROXYCONNECTOR.log on the site server. You will see your Configuration Manager site server try to establish a connection with the Service Name (make sure your CNAME DNS record points the Service Name to the Cloud Service name).

The first time I set this up I saw some illegal character XML errors in SMS_CLOUD_PROXYCONNECTOR.log. I stopped the service and waited for CloudMgr.log to show it was fully stopped before starting it again, and that resolved the issue.

Next we will configure our Management Point and Distribution Point to allow Configuration Manager Cloud Proxy traffic (you can also add this to your SUP if you like; at the time of writing only the Distribution Point, Management Point and Software Update Point roles are supported by the Cloud Proxy Service).

In Servers and Site System Roles, right click on your Distribution Point/Management Point, click Properties, then tick the box to allow Configuration Manager Cloud Proxy traffic.

After you have done the above, restart SMS Agent Host on one of your lab workstations. It should pick up the new Azure proxy location.

This is the behavior I saw on my Windows 10 client after removing it from the internal network so that it had Internet access only.

While still off the internal network with Internet access only, I deployed a test application and installed it from Software Center:

Checking LocationServices.log, it came back with the “Service Name” created in the Cloud Proxy Service (I had my public DNS CNAME pointing it to my Azure cloud service name).

Here is a bit of background on what is actually provisioned in Azure to get the Cloud Proxy to work. Earlier we created 2 instances. The “Site URL” is what I pointed my DNS CNAME at, from “Service Name” to “Cloud Service Name”.

You can monitor SMS_CLOUD_PROXYCONNECTOR.log to make sure nothing odd is going on. Every 60 seconds it scans the connections and confirms that the proxy connector is connecting to Azure OK.
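Reading the connector log by eye works in a lab, but the 60-second connection checks quickly bury the warnings and errors (such as the XML errors mentioned earlier). The function below is an added example, not part of the original post: it parses the standard ConfigMgr (CMTrace) line format, which tags each entry with a numeric type (1 info, 2 warning, 3 error), and returns only the entries at or above a chosen severity. The two sample lines are constructed for this example and are not real output from the proxy connector; the log path in the usage line is a placeholder.

```powershell
# Added example, not from the original post: return only warning/error entries
# from a CMTrace-format log such as SMS_CLOUD_PROXYCONNECTOR.log.
function Get-CMLogProblem {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$MinType = 2      # 1 = Info, 2 = Warning, 3 = Error
    )
    # CMTrace layout: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*?\stype="(?<type>\d)"'
    $severity = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $type = [int]$Matches.type
            if ($type -ge $MinType) {
                [pscustomobject]@{
                    Date      = $Matches.date
                    Time      = $Matches.time
                    Component = $Matches.comp
                    Severity  = $severity[$type]
                    Message   = $Matches.msg
                }
            }
        }
    }
}

# Constructed sample lines (not real connector output) to show the filtering.
$sample = @(
    '<![LOG[Checking connections to the cloud proxy service]LOG]!><time="09:00:00.000+000" date="06-15-2016" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="1" thread="100" file="">',
    '<![LOG[Connection check failed, will retry]LOG]!><time="09:01:00.000+000" date="06-15-2016" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="3" thread="100" file="">'
)
Get-CMLogProblem -Lines $sample | Format-Table -AutoSize

# Real use: tail the live log on the site server (path is a placeholder).
# Get-CMLogProblem -Lines (Get-Content 'D:\Program Files\Microsoft Configuration Manager\Logs\SMS_CLOUD_PROXYCONNECTOR.log' -Tail 500)
```

Only the second sample line comes back, as an Error. The same function works on CloudMgr.log or LocationServices.log, since every ConfigMgr component writes the same line format.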

PXE – TFTP Download: smsboot\x64\pxeboot.n12 ……….

This happened in a SCCM 2012 R2 SP1 CU3 environment:

When deploying an OSD task sequence via PXE, at the PXE boot screen the client was stuck on PXE – TFTP Download: smsboot\x64\pxeboot.n12 ……….

The first thing I checked was smspxe.log on the distribution point. I could see it was in a loop with the line “Looking for bootImage XXX00AA1”.

In the ConfigMgr console, I checked Monitoring\Distribution Status\Content Status and verified that the boot image was successfully distributed to the distribution point. It was, but obviously there was an issue.

I went to Administration\Overview\Distribution Points and selected the distribution point having the issue, clicked on Content tab, typed in the boot image name or package ID and clicked Redistribute. Once the boot image had redistributed successfully, I cleared the PXE flag and PXE booted the client again.

It was able to successfully boot and run the Task Sequence.

Update 1606 for Configuration Manager Technical Preview

Update 1606 for Configuration Manager Technical Preview has been released

Automatically categorize devices into collections:
Device categories can be created to automatically place devices into device collections when ConfigMgr is used with Microsoft Intune. Users are required to choose a device category when they enroll a device in Intune. The category of a device can also be changed in the ConfigMgr console.

Enforcement grace period for required application and software update deployments
Users can set a grace period for required application deployments or software updates that are past the deadline. Useful for machines that have been turned off for a while.

Using Configuration Manager as a managed installer with Device Guard
Device Guard is a feature in Windows 10. ConfigMgr can work with Device Guard so that software deployed from ConfigMgr is automatically trusted.

Multiple device management points for On-premises Mobile Device Management

Cloud Proxy Service for managing clients on the Internet
New feature to manage ConfigMgr clients on the Internet. The service is deployed to Azure and connects to your on-premises ConfigMgr infrastructure using the cloud proxy connector point (a new role). It currently supports the management point, distribution point and software update point roles.

Manage the Office 365 client agent in Configuration Manager
Instead of using a Group Policy setting, you can configure a ConfigMgr client agent setting to enable Office 365 clients to receive updates from ConfigMgr.

The OSDPreserveDriveLetter task sequence variable has been deprecated
Windows Setup now determines the best drive letter to use (typically C:). You can still change the drive letter in the Apply Operating System task sequence step.

Changes for the Updates and Servicing Node

For more info: https://technet.microsoft.com/en-us/library/mt732696.aspx

Offline Servicing – WIM::MountWIMImage returned code 0x80070005

In ConfigMgr 1602, I was using Offline Servicing to schedule some updates into my Windows 10 WIM. It failed. Looking in OfflineServicingMgr.log I found:

WIM::MountWIMImage returned code 0x80070005
Image Mount failed with error 5
Schedule processing failed

Error code 0x80070005 is also known as “ACCESS DENIED.”

I resolved this by removing the Read-only attribute from the .wim file I was using. It had been set like this when I copied the file from the ISO.
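Since the attribute comes along silently with a copy from the ISO, it is worth checking every WIM in the image source share before scheduling offline servicing rather than finding out from the log. The function below is an added example, not part of the original post: it reports the Read-only state of each .wim under a folder (or a single file) and clears it when run with -Fix. The UNC path is a placeholder.

```powershell
# Added example, not from the original post: find WIM files that still carry the
# Read-only attribute (which makes the mount fail with 0x80070005) and optionally clear it.
function Test-WimWritable {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder to scan recursively, or a single .wim
        [switch]$Fix                           # clear the attribute instead of only reporting it
    )
    $wims = if (Test-Path -Path $Path -PathType Container) {
        Get-ChildItem -Path $Path -Filter *.wim -Recurse -File
    } else {
        Get-Item -Path $Path
    }

    foreach ($wim in $wims) {
        $readOnly = ($wim.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0
        $fixed = $false
        if ($readOnly -and $Fix) {
            $wim.IsReadOnly = $false          # same as clearing the box in file properties
            $readOnly = $false
            $fixed = $true
        }
        [pscustomobject]@{
            File     = $wim.FullName
            ReadOnly = $readOnly
            Cleared  = $fixed
            SizeGB   = [math]::Round($wim.Length / 1GB, 2)
        }
    }
}

# Report first, then clear (placeholder path for the OS image source share).
Test-WimWritable -Path '\\server\sources\OSImages' | Format-Table -AutoSize
Test-WimWritable -Path '\\server\sources\OSImages' -Fix | Format-Table -AutoSize
```

Offline servicing runs on the site server, so its computer account also needs write access to the share that holds the WIM; a clean Read-only check with a still-failing mount usually points at NTFS or share permissions instead.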