Category Archives: Azure

SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery. This was in Technical Preview 1705. This guide will show how to set up Azure AD Discovery and install the SCCM client on a workgroup machine on the Internet, without certificates, using the Cloud Management Gateway.

For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager.

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here

Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services.


Select Cloud Management and click Next.


Next create the Server and Client Apps. Click Browse on the Web App then click Create.


Enter in an Application Name, HomePage URL and App ID URL. Then sign in to Azure AD with an admin account and it will create the app for you in Azure.


Select the app and click Ok.


Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.


Enable Azure Active Directory User Discovery.


You need to grant permissions on both the client app and the server app in Azure, otherwise SMS_AZUREAD_DISCOVERY_AGENT.log will show access denied errors.


Log in to and go to Azure Active Directory, then App Registrations. Select the app, go to Required Permissions and click Grant Permissions. I did this for both the client app and the server app.


Now looking back in SMS_AZUREAD_DISCOVERY_AGENT.log, mine is now successful and has discovered my Azure AD users.


You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users.

In the example below you can see that the user was discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT.


In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.


On a Windows 10 Azure AD joined machine, you can install the SCCM client manually without using any certificates. This is useful on Workgroup machines.

You can use the installation command:

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see


SCCM Cloud Management Gateway – Installing SCCM client on an Internet client manually

The Cloud Management Gateway in SCCM Current Branch allows you to manage computers on the Internet without deploying the traditional IBCM infrastructure. Microsoft have made some improvements in SCCM 1702 for the CMG regarding client registration.

This post will not go into how to set up the CMG, you can view Plan for cloud management gateway in Configuration Manager for that information.

This blog post will show you how you can use the CCMHOSTNAME property when manually installing the SCCM client to specify the Cloud Management Gateway management point. This isn’t official documentation from Microsoft; however, it does work. The post assumes you have copied over a PKI certificate for the client and installed the certificate, and also copied over the SCCM client installation files.

1 – On a machine that is on the internal network with the SCCM client installed, view the LocationServices.log and search for the Internet Management Point. You can see mine below highlighted in yellow. Copy the name of the Azure Cloud Management Gateway as you will need this for the CCMHOSTNAME property when installing the client.


2 – Launch a command prompt to run ccmsetup.exe and run the command ccmsetup.exe /UsePkiCert SMSSITECODE=<SiteCode> CCMHOSTNAME=<CMG copied above>.

3 – Keep an eye on C:\Windows\ccmsetup\Logs\ccmsetup.log and ensure it installs successfully with “CcmSetup is exiting with return code 0”. My logs in C:\Windows\CCM\Logs now indicate that the client is registered (ClientIDManagerStartup.log) and communicating with the Cloud Management Gateway (CcmMessaging.log). The machine should now appear in the ConfigMgr console. I can also see in the Configuration Manager Properties of the client that it is Internet based.


After it has installed successfully, you should see it communicating and retrieving policies.
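The two manual CMG installs on this page (the PKI certificate install in the steps above, and the Azure AD token install from the 1706 post) wrapped into one script, added here as an example that is not from the original posts. It assumes ccmsetup.exe is in the folder you pass as $SourcePath, that the CMG name was copied from LocationServices.log as described in step 1, that every site code and tenant value you pass in is your own (the ones in the usage comment are placeholders), and it relies on the ClientInfo and SMS_Authority classes in the root\ccm WMI namespace to confirm the client sees itself as Internet based.

```powershell
# Added example, not from the original posts. Installs the ConfigMgr client against a
# Cloud Management Gateway in either PKI or Azure AD mode and then checks the result.
# Assumptions: ccmsetup.exe sits in $SourcePath, $CmgHostName was copied from
# LocationServices.log, and every value passed in is your own (none here are real).
function Install-CmgClient {
    param(
        [Parameter(Mandatory)] [string]$SourcePath,    # e.g. C:\CLIENT
        [Parameter(Mandatory)] [string]$SiteCode,
        [Parameter(Mandatory)] [string]$CmgHostName,   # CCMHOSTNAME value from LocationServices.log
        [ValidateSet('Pki', 'AzureAd')] [string]$AuthMode = 'Pki',
        [string]$TenantId, [string]$TenantName, [string]$ClientAppId, [string]$ResourceUri
    )
    $setupArgs = @("/Source:$SourcePath", "SMSSITECODE=$SiteCode", "CCMHOSTNAME=$CmgHostName")
    if ($AuthMode -eq 'Pki') {
        # Workstation certificate is already enrolled, so the client authenticates with it
        $setupArgs = @('/UsePkiCert') + $setupArgs
    } else {
        # Azure AD joined client: authenticates with a token from the apps registered in the console
        $setupArgs = @('/NoCrlCheck') + $setupArgs + @(
            "AADTENANTID=$TenantId", "AADTENANTNAME=$TenantName",
            "AADCLIENTAPPID=$ClientAppId", "AADRESOURCEURI=$ResourceUri")
    }
    Start-Process -FilePath (Join-Path $SourcePath 'ccmsetup.exe') -ArgumentList $setupArgs -Wait
    # The bootstrapper hands off to the ccmsetup service; wait until that has exited too
    while (Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 15 }
    Test-CmgClientInstall
}

function Test-CmgClientInstall {
    $log = Join-Path $env:SystemRoot 'ccmsetup\Logs\ccmsetup.log'
    $ok  = (Test-Path $log) -and (Select-String -Path $log -Pattern 'CcmSetup is exiting with return code 0' -Quiet)
    if (-not $ok) {
        Write-Warning "ccmsetup did not report return code 0; check $log"
        return $false
    }
    # Ask the installed client where it thinks it is and which MP it is using
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName ClientInfo
    $auth = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority
    [pscustomobject]@{
        Installed       = $true
        InInternet      = [bool]$info.InInternet        # $true once it is talking through the CMG
        ManagementPoint = $auth.CurrentManagementPoint  # should be the CMG name, not the on-prem MP
        SiteCode        = $auth.Name -replace '^SMS:', ''
    }
}

# Usage for the PKI variant (placeholder values, not real ones):
# Install-CmgClient -SourcePath 'C:\CLIENT' -SiteCode 'ABC' -CmgHostName 'CMGNAME.CLOUDAPP.NET/CCM_Proxy_ServerAuth/0000'
```

If the returned object shows InInternet as $false or the on-prem MP as ManagementPoint, the client has not picked up the CMG and LocationServices.log is the place to look next.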



ConfigMgr CB 1610 – Cloud Management Gateway

One of the features in the newly released 1610 update for ConfigMgr Current Branch is the pre-release Cloud Management Gateway. This is similar to the Azure Cloud Proxy feature released in the Technical Preview 1606. I wrote a post on this here.

One thing to note that seems to be different from the TP is that the on-prem distribution point isn’t supported for cloud management gateway traffic. You will need to set up an Azure cloud based distribution point for clients to download content (applications etc). However, you can enable the Management Point and Software Update Point to receive cloud management gateway traffic.

You can see the limitations of the Cloud Management Gateway here

This post will show you how I set up the Cloud Management Gateway in a lab. I won’t dive into the certificates part but information can be found at Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 Certification Authority and

A bit of info about my setup:

  • Azure subscription (you can get a trial here)
  • ConfigMgr Current Branch 1610 environment
  • Azure Management certificate uploaded to
  • Cloud management gateway certificate for <name>. Info for that can be found here. Note: this name needs to be unique and cannot already exist in Azure
  • Workstation certificate installed on clients and exported as the root certificate
  • Management Point and SUP configured for HTTPS
  • Windows 10 client with Workstation Certificate enrolled to test

As this is a pre-release feature, I enabled it when installing the 1610 update.


Now you will see the Cloud Management Gateway under the Cloud Services section. Click Create.


Enter in your Azure Subscription ID which can be found from or and select the Management Certificate (which needs to already be uploaded to Azure)


When the cloud service PKI certificate is selected from the Browse button, the service name and FQDN will automatically be filled in (this is the common name from when the certificate was requested). Make sure a unique name was chosen earlier for the certificate, as it will create a cloud service in Azure with <name>.

Also specify the client certificate root. You can see instructions here. Make sure this is done properly as the client will get certificate issues when trying to connect to the Management Point.


You can set thresholds that raise alerts on outbound traffic, since Azure charges you based on outbound traffic.



You can watch the provisioning status. Or even better, examine the CloudMgr.log so you can see exactly what is going on and look out for any issues or errors.


Enable the site to use PKI certificates. The workstations that communicate with the Cloud Management Gateway need a Workstation certificate enrolled. Workstation Certificates are covered here.


Next the Cloud Management Gateway connection point role will be added.


The information is filled in automatically.


Once the role has been added, the Management Point and Software Update Point need to allow Cloud Management Gateway traffic. Make sure the Web Server certificate for the MP/WSUS is configured in IIS. There is a guide on that here.


On the client, while it has a connection to the Internal network, you can restart SMS Agent Host service so it picks up the new Internet management point.

Once that is done on my client, I have given the machine only Internet access and no internal network access. I have restarted SMS Agent Host and you can see in LocationServices.log it is using the Cloud Management Gateway and the ConfigMgr client connection type is set to Internet.


If you’re curious about what it looks like in Azure, if you go to and go to Cloud Services (classic), you can see it created a ProxyService role which is meant to be running on an A2 VM.


Migrating a VMware VM to Azure using Azure Site Recovery

This blog post will show how I migrated a VMware virtual machine to Azure using Azure Site Recovery. A full list of prerequisites for your Azure and on-prem environment can be found here.

My setup:

  • vSphere 5.5 on-prem
  • VMware account with read-only permission (this is what I chose, see here for account roles and what each one does. I do not need to shut down the on-prem VM automatically)
  • Site to Site VPN in Azure – (no Expressroute yet) I will be failing over my VM into the Vnet associated with this site to site VPN so I can connect to it over private IP.
  • Configuration Server/Process server – A single Windows Server 2012 R2 in VMware with PowerCLI 6.0 installed. More info can be found here

Creating the Recovery Services vault

In click on More services, then search for Recovery Services vaults. Once in there create the Recovery Services vault.


Give it a Name, and select the Azure subscription, and either select an existing resource group or create a new one, and select the location.


Once the Recovery Vault is created, the Infrastructure will be prepared. In the Settings of the Recovery Services Vault that was created, select Site Recovery under Getting Started, then select Step 1: Prepare Infrastructure.



Microsoft Azure Site Recovery Unified Setup will be downloaded so it can be installed on the VMware Configuration Server, and the vault registration key will be downloaded.


Installing Site Recovery Unified Setup on Configuration Server

In order to proceed, the Configuration Server in VMware needs to be set up. To do this, Site Recovery Unified Setup needs to be installed on the Configuration Server in VMware.


MySQL Community Server will be downloaded and installed.


Browse to the vault registration key which was downloaded earlier.


Depending on the environment, a proxy may need to be specified.


Specify a password which will be used for the MySQL database.


VMware machines will be protected. vSphere PowerCLI 6.0 is already installed.


The network interface for the VMware virtual machine is selected.


The installation is completed.


Adding the VMware account to the Azure configuration server to discover VMs

On the desktop of the Configuration Server, there is a shortcut for Cspsconfigtool. Open this and specify the VMware service account. This will be used to discover virtual machines. I have created a service account in vSphere with read-only rights.

“A vCenter user account with a read-only role can run failover but can’t shut down protected source machines. If you want to shut down those machines you’ll need the Azure_Site_Recovery role. If you’re only migrating VMs from VMware to Azure and don’t need to failback then the read-only role is sufficient.”


The Configuration Server and vCenter host have been selected (I have greyed mine out).


Select the Azure subscription. I am using Resource Manager for my deployment model. Make sure you have a storage account to which the virtual machines can be replicated, and a virtual network.


Give the Replication Policy a name and choose the appropriate values.


Select the appropriate capacity planning for your environment.


Installing mobility service on the VM to be replicated and migrated:

For the virtual machine to replicate to Azure, the mobility service needs to be installed. I have chosen to install this manually. The installation files can be copied from the Configuration Server in C:\Program Files (x86)\Microsoft Azure Site Recovery\home\svsystems\pushinstallsvc\repository directory.


Type in the IP address of the Configuration Server. You can get the passphrase by running the command shown in the screenshot below.


Now that the mobility service is installed, the virtual machine can be replicated. I have greyed out the values below. The source should be the Configuration Server, select Virtual Machines as machine type, vCenter and Process Server should automatically fill in.


Type in the name of the virtual machine which the mobility service was installed on.


Type in the target name, or leave it as the default if it is supported.


After the data has been replicated, the virtual machine is now protected.


In order to migrate the virtual machine to Azure, an Unplanned Failover will be performed. I have shut down the on-prem virtual machine manually because a read-only account was specified for VMware (the read-only role can run failover but can’t shut down protected source machines).

More information on Failovers can be found here.


The Unplanned Failover is now complete.


On the virtual machine, select More, then select Complete Migration. This will remove the virtual machine from being replicated.


Once the migration has been completed the virtual machine can be seen running in Azure. I have deleted the on-prem VM in VMware and have updated the on-prem DNS to point to the private IP of the VM in Azure.

The virtual machine will be accessed over the site-to-site VPN (or even better, over an ExpressRoute if you are using one).


Running VPN gateway diagnostics in Azure Resource Manager

Recently when setting up an Azure Site to Site VPN, I was having a lot of issues and ran into Keith Mayer’s great blog post about how to run the diagnostics in Azure Resource Manager for Azure gateways. Most of the older blog posts focused on the gateways in the older Azure portal (

Take a look at Keith’s PowerShell script here – Step-by-Step: Capturing Azure Resource Manager (ARM) VNET Gateway Diagnostic Logs

When you run the script and use your admin credentials to login to Azure resource manager ( and the older Azure portal ( you are left with a vpnlog.txt which has diagnostic information.

Examining the vpnlog.txt I was able to find:

Failure type: IKE/Authip Main Mode Failure
Type specific info:
Failure error code:0x0000362c
Policy match error


I was having a policy error. I was trying to set up a RouteBased Azure Gateway with an on-prem Cisco ASA firewall. Looking at the Validated VPN devices in Azure, the Cisco ASA is not compatible with RouteBased.
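A small parser for the failure records in vpnlog.txt, added here as an example (it is not part of the original post or of Keith Mayer’s script). The sample text is constructed to mirror the excerpt above, and the parser assumes each record starts with a “Failure type:” line and ends at the next record or a blank line.

```powershell
# Added example, not from the original post. Pulls the failure records out of the
# vpnlog.txt produced by the ARM gateway diagnostics so the reason is visible at a glance.
function Get-VpnLogFailure {
    param([Parameter(Mandatory)] [string[]]$Lines)
    $failures = @()
    $current  = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^Failure type:\s*(.+)$') {
            # Start of a new record; flush the previous one
            if ($current) { $failures += $current }
            $current = [ordered]@{ FailureType = $Matches[1]; ErrorCode = $null; Detail = @() }
        }
        elseif (-not $text) {
            # Blank line ends the current record (assumption about the log layout)
            if ($current) { $failures += $current; $current = $null }
        }
        elseif ($current -and $text -match '^Failure error code:\s*(0x[0-9A-Fa-f]+)') {
            $current.ErrorCode = $Matches[1]
        }
        elseif ($current -and $text -ne 'Type specific info:') {
            # Remaining lines are the human-readable reason, e.g. "Policy match error"
            $current.Detail += $text
        }
    }
    if ($current) { $failures += $current }
    $failures | ForEach-Object { [pscustomobject]$_ }
}

# Constructed sample mirroring the excerpt in this post
$sample = @'
Failure type: IKE/Authip Main Mode Failure
Type specific info:
Failure error code:0x0000362c
Policy match error
'@ -split "`r?`n"

# Real use: Get-VpnLogFailure -Lines (Get-Content .\vpnlog.txt)
Get-VpnLogFailure -Lines $sample | Format-List
```

For the sample this yields one record with FailureType “IKE/Authip Main Mode Failure”, ErrorCode 0x0000362c and Detail “Policy match error”, which is the policy-based versus route-based mismatch described above.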

SQL Server 2016 on Windows Server 2016 images now available in Azure

Now that Windows Server 2016 has been released, you can now find SQL 2016 on Windows Server 2016 images in the Azure Marketplace to deploy. You can deploy them from here.

The versions listed are:
SQL Server 2016 RTM Web on Windows Server 2016
SQL Server 2016 RTM Standard on Windows Server 2016
SQL Server 2016 RTM Enterprise on Windows Server 2016