Monthly Archives: May 2018

SCCM Technical Preview 1805 – Improved secure client communications

One of the nice new features in the SCCM Technical Preview 1805 is that an Azure AD-joined device can communicate through the Cloud Management Gateway (CMG) when the management point is configured for HTTP rather than HTTPS. In the SCCM 1802 production release the management point must be HTTPS for this to work.

To view more about this feature see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#improved-secure-client-communications

The post below shows how to configure an Azure AD-joined Windows 10 1803 device to communicate with the CMG while the management point is in HTTP mode. It assumes that you have already created the Azure services and the Cloud Management Gateway, and that the MP is in HTTP mode.

The first step is to check the box Use Configuration Manager-generated certificates for HTTP site systems on the Client Computer Communication tab of the site properties.

HTTPCMG01

Once it has been checked, open the computer certificate store in MMC (certlm.msc) on the management point and you will see a new SMS Role SSL Certificate in the Personal store. The site server issues this certificate itself; it does not come from your PKI.

HTTPCMG02

Once the certificate has been generated, go back into your cloud services configuration, select the tenant under Azure Active Directory Tenants, click Update Application Settings and proceed through the prompts.

HTTPCMG03

The next step is to select the new certificate on the HTTPS binding in IIS on the management point.

HTTPCMG04

Select the SMS Role SSL Certificate and click OK.

HTTPCMG05
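The same binding change can be scripted and verified from an elevated PowerShell prompt on the management point. This is an added example, not code from the original post; it assumes the MP's web site is called Default Web Site and its HTTPS binding sits on 0.0.0.0:443, so adjust those two values if your MP differs.

```powershell
# Added example (not from the original post): locate the SMS Role SSL Certificate that the
# site generated for this HTTP management point and bind it to the IIS HTTPS binding.
# Assumptions: run elevated on the management point; the site is 'Default Web Site' and the
# HTTPS binding is on 0.0.0.0:443.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$ipPort   = '0.0.0.0:443'
$sslPath  = 'IIS:\SslBindings\0.0.0.0!443'

# The friendly name is what certlm.msc and the IIS binding dialog show. If the site has
# re-issued the certificate, take the newest one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'SMS Role SSL Certificate' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No 'SMS Role SSL Certificate' in LocalMachine\My. Enable 'Use Configuration Manager-generated certificates for HTTP site systems' on the site and wait for the MP to be reconfigured."
}
"Using thumbprint $($cert.Thumbprint), issued by '$($cert.Issuer)', expires $($cert.NotAfter)"

# Create the HTTPS binding if the site does not have one yet (the post's screenshots assume it exists).
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the binding. Removing any existing SSL binding first avoids the
# 'file already exists' error you get when a different certificate is already bound.
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Verify at the HTTP.sys level: the certificate hash reported by netsh must equal the thumbprint.
$sslInfo = netsh http show sslcert ipport=$ipPort
if (($sslInfo -join "`n") -notmatch $cert.Thumbprint) {
    Write-Warning "HTTP.sys binding on $ipPort does not reference thumbprint $($cert.Thumbprint)"
} else {
    "HTTPS binding on $ipPort uses the SMS Role SSL Certificate"
}
```

Because the issuer is the site's own self-signed root rather than a CA your browsers trust, opening https://<MP>/ in a browser will still show a certificate warning; that is expected and does not mean the binding is wrong. Managed clients trust this root through site policy, which is why the connection analyzer in the next step passes once the binding is in place.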

Another of the new features in Technical Preview 1805 is the connection analyzer. Run it to check for any issues with your Cloud Management Gateway.

HTTPCMG06

Previously my HTTPS binding had no certificate selected, so when I tested Azure AD authentication with the CMG I got the error below.

HTTPCMG07

Once I selected the certificate in the IIS binding, the tests passed.

HTTPCMG08

On a test Windows 10 1803 client joined to Azure Active Directory, I copied the SCCM client setup files locally and installed the client with the command generated by the co-management wizard (I did not enable co-management; I cancelled out of the wizard after copying the setup switches). I added the /source switch to point at the local copy of the files and removed the /mp switch.

HTTPCMG09
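The install plus the checks I would run afterwards, as an added example rather than the wizard's literal output. Every value below (site code, tenant and app IDs, CMG name, local path) is a placeholder to be replaced with what your own co-management wizard emitted; the ccmsetup properties themselves (CCMHOSTNAME, SMSSITECODE, AADTENANTID, AADCLIENTAPPID, AADRESOURCEURI) are the ones the wizard uses.

```powershell
# Added example (not the wizard's output): install the client on an Azure AD joined device with
# the switches the co-management wizard emits, but with /source pointing at a local copy and
# without /mp. All names, GUIDs and paths are placeholders; substitute your own wizard values.
$ClientSource = 'C:\CMClient'                                   # local copy of <SiteServer>\Client
$CmgHost      = 'CONTOSOCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927941'  # CCMHOSTNAME
$SiteCode     = 'PS1'                                           # SMSSITECODE
$TenantId     = '00000000-0000-0000-0000-000000000000'          # AADTENANTID
$ClientAppId  = '11111111-1111-1111-1111-111111111111'          # AADCLIENTAPPID (client app registration)
$ResourceUri  = 'https://ConfigMgrService'                      # AADRESOURCEURI (server app ID URI)

# A device that is not Azure AD joined cannot obtain a token, so the CMG auth would fail later.
$dsreg = dsregcmd /status
if (($dsreg -join "`n") -notmatch 'AzureAdJoined\s*:\s*YES') {
    throw 'Device is not Azure AD joined; Azure AD authentication through the CMG will not work.'
}

$setupArgs = @(
    "/source:$ClientSource",
    "CCMHOSTNAME=$CmgHost",
    "SMSSITECODE=$SiteCode",
    "AADTENANTID=$TenantId",
    "AADCLIENTAPPID=$ClientAppId",
    "AADRESOURCEURI=$ResourceUri"
)
Start-Process -FilePath (Join-Path $ClientSource 'ccmsetup.exe') -ArgumentList $setupArgs -Wait

# ccmsetup.exe exits quickly and hands off to the temporary 'ccmsetup' service; the service is
# removed when the install finishes, so poll for it rather than trusting -Wait above.
Start-Sleep -Seconds 30
while (Get-Service -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 30 }
Get-Content "$env:windir\ccmsetup\Logs\ccmsetup.log" -Tail 5

# Confirm the client exists and which management point it settled on. The CMG should appear as the
# internet management point; the exact log wording is an assumption and may vary between versions.
Get-CimInstance -Namespace root\ccm -ClassName SMS_Client | Select-Object ClientVersion
Get-CimInstance -Namespace root\ccm\LocationServices -ClassName SMS_ActiveMPCandidate |
    Select-Object MP, Type
Select-String -Path "$env:windir\CCM\Logs\ClientLocation.log" -Pattern 'internet management point' |
    Select-Object -Last 1
```

If the dsregcmd check fails, join the device to Azure AD first; the switches alone do not make a workgroup or domain-only device able to authenticate to the CMG.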

The client has been installed on my Azure AD-joined machine with the management point in HTTP, and it is communicating with the Cloud Management Gateway.

HTTPCMG10

The device now shows up in the console and shows the current logged-on user, which is my Azure AD user.

HTTPCMG11


Cloud distribution point support for Azure Resource Manager

This post shows how to deploy a Cloud Distribution Point using the Azure Resource Manager deployment model, a new feature in SCCM Technical Preview 1805. With this model you no longer need to create and upload a management certificate to Azure; the site authenticates with the Azure AD app registrations created by the Azure Services wizard instead.

For a list of the other new awesome features in SCCM Technical Preview 1805, see https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805#cloud-distribution-point-support-for-azure-resource-manager

The first step is to configure Azure Services to create the Server and Client app registrations in Azure; otherwise you will get this error when creating the Cloud DP:

ARMCloudDP01

Right-click Azure Services and select Configure Azure Services.

ARMCloudDP02

Give it a name and select Cloud Management and click Next.

ARMCloudDP03

Click on Browse to create the Server and Client apps.

ARMCloudDP04

Click on Create.

ARMCloudDP05

Give it a name, sign in to Azure, then click OK to create the app. Do the same for the Client App.

ARMCloudDP06

Once you have created both apps, click on Next.

ARMCloudDP07

Both apps now appear under App registrations in portal.azure.com; click All apps to list them.

ARMCloudDP08

Azure Active Directory User Discovery doesn't need to be enabled for this example. If you do choose to configure it, make sure to grant the required permissions to the apps above in the Azure portal; there are plenty of other blogs covering this. Click Next and leave the other options at their defaults to finish the wizard.

ARMCloudDP09

I created, requested and exported a certificate using the steps at https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_clouddp2008_cm2012 . To make sure the cloud service name I wanted was available (it has to be unique across Azure), I went to Cloud Services in portal.azure.com, clicked Add, typed the name and checked that it was accepted, as in the picture below, then cancelled out without creating anything. I used that name as the common name when requesting the certificate.

ARMCloudDP11

In the ConfigMgr console, right-click Cloud Distribution Points and click Create Cloud Distribution Point.

ARMCloudDP10

We now get the option to use the Azure Resource Manager deployment. Sign in with your Azure account and click Next.

ARMCloudDP12

I chose to create a new Azure resource group. Browse to the certificate you exported following https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_clouddp2008_cm2012 ; the wizard reads the service name (which I made sure was unique earlier) from the certificate's common name and populates it for you. Click Next and configure the rest of the settings, such as alerts.

ARMCloudDP13
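Before handing the certificate to the wizard it is worth checking, from the machine where it was requested, that the name is free, that the common name is exactly the cloud service FQDN, and that the key is exportable. The script below is an added example, not part of the post; it assumes the service name contoso-clouddp and that the enterprise CA has already issued the web server certificate into the local machine store per the linked docs.

```powershell
# Added example (not from the post): sanity-check the cloud DP certificate and export it as a PFX
# for the Create Cloud Distribution Point wizard. Assumptions: service name 'contoso-clouddp',
# certificate already issued into Cert:\LocalMachine\My with an exportable private key.
$ServiceName = 'contoso-clouddp'
$Fqdn        = "$ServiceName.cloudapp.net"
$PfxPath     = "C:\Certs\$ServiceName.pfx"

# The service name must be globally unique. A name that already resolves is taken; one that does
# not resolve is probably free (the portal check in the post is still the authoritative one).
if (Resolve-DnsName -Name $Fqdn -ErrorAction SilentlyContinue) {
    Write-Warning "$Fqdn already resolves; pick another service name and re-request the certificate."
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }

# The wizard derives the service name from the CN, so it must match the FQDN exactly; the
# certificate also needs a private key and the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$serverAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    ServerAuth = $serverAuth
    PrivateKey = $cert.HasPrivateKey
}
if (-not ($serverAuth -and $cert.HasPrivateKey)) { throw 'Certificate is not usable for the cloud DP' }

# Export with the chain. This fails if the key was requested as non-exportable, which is the
# most common reason the wizard later rejects the file.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Confirm the PFX round-trips and still carries the private key.
(Get-PfxData -FilePath $PfxPath -Password $pfxPassword).EndEntityCertificates |
    Select-Object Subject, HasPrivateKey
```

The PFX contains the private key for a public HTTPS endpoint, so keep it on an access-controlled path and delete it once the wizard has uploaded it; the site stores what it needs itself.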

Once the Cloud Distribution Point status shows Ready under \Administration\Overview\Cloud Services\Cloud Distribution Points (or CloudMgr.log reports the deployment has completed), make sure the cloud DP is enabled in Client Settings under Cloud Services (Allow access to cloud distribution point).

ARMCloudDP14

ARMCloudDP15

I then distributed an application to the cloud DP and tested downloading it from Software Center on the client; in DataTransferService.log you can see it downloading from the new cloud DP.

ARMCloudDP16
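Reading that log by eye works for one application; the parser below, an added example and not part of the post, pulls every download job out of the CMTrace-format DataTransferService.log and reports the host and scheme each one used, so a client that silently fell back to an on-premises DP stands out. The two log lines embedded in it are constructed for illustration (the cloud DP URL path in particular is made up); the "created to download from '<uri>'" wording is the pattern to look for in the real log.

```powershell
# Added example (not from the post): parse CMTrace-format DataTransferService.log entries and
# report where each DTS job downloaded content from. Sample lines are constructed; the URL paths
# are placeholders and only the host names matter for the check.
$sample = @'
<![LOG[DTSJob {8B1C0E3E-0000-4000-8000-000000000001} created to download from 'https://contoso-clouddp.cloudapp.net/content/PS100012/Content_EXAMPLE' to 'C:\Windows\ccmcache\3'.]LOG]!><time="10:15:02.123+000" date="05-20-2018" component="DataTransferService" context="" type="1" thread="4120" file="dtsjob.cpp:100">
<![LOG[DTSJob {8B1C0E3E-0000-4000-8000-000000000002} created to download from 'http://cm01.contoso.local/SMS_DP_SMSPKG$/Content_EXAMPLE' to 'C:\Windows\ccmcache\4'.]LOG]!><time="10:20:44.900+000" date="05-20-2018" component="DataTransferService" context="" type="1" thread="4120" file="dtsjob.cpp:100">
'@

function Get-DtsDownloadSource {
    param([string[]]$Lines)
    # CMTrace wraps each message as <![LOG[...]LOG]!> followed by time/date/component attributes.
    $entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    $job   = "created to download from '(?<uri>[^']+)'"
    foreach ($line in $Lines) {
        if ($line -notmatch $entry) { continue }
        $msg  = $Matches.msg
        $date = $Matches.date
        $time = $Matches.time
        if ($msg -match $job) {
            $uri = [uri]$Matches.uri
            [pscustomobject]@{
                Date    = $date
                Time    = $time
                Host    = $uri.Host
                Scheme  = $uri.Scheme
                CloudDP = ($uri.Host -like '*.cloudapp.net')
            }
        }
    }
}

# Against the constructed sample: one HTTPS job from the cloud DP, one HTTP job from an on-prem DP.
Get-DtsDownloadSource -Lines ($sample -split "`r?`n") | Format-Table -AutoSize

# Against the real log on a client (path assumed to be the default client log location).
$log = "$env:windir\CCM\Logs\DataTransferService.log"
if (Test-Path $log) { Get-DtsDownloadSource -Lines (Get-Content $log) | Format-Table -AutoSize }
```

A cloud DP job should always show Scheme https and CloudDP True; the client setting from the previous step gates whether the cloud DP is even offered as a source, so an internet-only client whose jobs never list a cloudapp.net host usually means that setting was not deployed to it.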