Category Archives: SCCM Technical Preview

SCCM TP 1802 – Cloud Management Gateway Azure Resource Manager and Azure User collection deployments

Microsoft recently released update 1802 for SCCM Current Branch Technical Preview. Two new features that I was excited to test were:

  • Improvements in Cloud Management Gateway – Cloud management gateway support for Azure Resource Manager – When you deploy CMG with Azure Resource Manager, Azure AD is used to authenticate and create the cloud resources and does not require the classic Azure management certificate.
  • Install user-available applications on Azure AD-joined devices – You can now browse and install user-available applications from Software Center on Azure AD-joined devices.

This post will go into testing and configuring the Cloud Management Gateway in SCCM Technical Preview 1802 in Azure Resource Manager, creating a Cloud Distribution Point, installing the SCCM client on a machine enrolled into Intune to let SCCM manage the machine, and then finally deploying an application to a user collection containing Azure AD users.

In my lab, I currently have the following certificates:

  • Management certificate uploaded to the Azure portal and exported to PFX. Instructions Here
  • Management Point certificate for IIS, so the management point can be in HTTPS to authenticate Azure AD Clients. Instructions Here.
  • Certificate for my Cloud DP which was created by Digicert.
  • Certificate for my CMG which was created by Digicert
  • Trusted Root certificate exported from a client used for the CMG setup. Instructions Here.

Azure AD User Discovery:

First I have created the Cloud Management service in \Administration\Overview\Cloud Services\Azure Services. This will set up Azure AD User Discovery and allow clients to authenticate using Azure AD.

Right click Azure Services and select Configure Azure Services. Select Cloud Management.


Select Browse next to Web App and click on Create to create the web app in Azure.


Give everything a name, then sign into Azure AD and click on OK.


Follow the same steps for the Native Client app. Once created, click OK.


You can configure the polling schedule by clicking on Settings. Next Next finish…


Now we need to grant the permissions in the apps we created in the Azure portal. Login to Then click on Azure Active Directory, then App Registrations. Click the drop down to All Apps so you can see the apps that were created


Now select the app, click on Settings, then Required permissions, then click on Grant Permissions. Do this for both apps.


Once the permissions have updated, you shouldn’t see any access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log on your site server.

Cloud Management Gateway:

Now we will create the Cloud Management Gateway. In the SCCM console go to \Administration\Overview\Cloud Services\Cloud Management Gateway and right click Cloud Management Gateway and click Create Cloud Management Gateway.

Make sure Azure Resource Manager deployment is selected. Login with your Azure account and click Next.


I have created a new resource group. Select your certificate file. I am using a certificate from Digicert. If you need to create a certificate see Here

Because I am using a certificate from Digicert, I have also created a CNAME in my external DNS to point my <cmgname> to <cmgname>

Click on Certificates and add your Trusted Root certificate. I have cleared Verify Client Certificate Revocation. For details on how to get this certificate, see Here. Complete the rest of the wizard.



Now I will add the Cloud management gateway connection point role on my site server from \Administration\Overview\Site Configuration\Servers and Site System Roles. Complete this wizard and make sure it connects to the newly created CMG.


To authenticate the Azure AD clients, the Management Point must be in HTTPS and allow configuration manager cloud management gateway traffic. Make sure you have changed the bindings in IIS so the HTTPS uses the correct certificate. Details for that are Here


Make sure clients can communicate with the Cloud distribution point and the Cloud management gateway in your client settings. You can do this by editing the client settings in the console here – \Administration\Overview\Client Settings


Cloud Distribution Point:

First, login to the Azure portal then go to Subscriptions. Take a note of your subscription ID as you will need it later, then click on your subscription. Click on Management Certificates under Settings, then Upload your management Certificate. Tip – you can create a management certificate using these steps Here.

In Administration\Cloud Services\Cloud Distribution Points, right click and Create Cloud Distribution Point.

Type in your Azure subscription ID and then browse to select the Management certificate.  Click Next.


I am using a certicate from Digicert, I have created a CNAME in my external DNS that points the <clouddpname> to <clouddpservicename> If you need to create a certificate from your CA, then see the steps Here.

Click on Next then finish the wizard.


Install the SCCM client from Intune:

In this section we will upload the ccmsetup.msi to Intune located on our SCCM site server in C:\Program Files\Microsoft Configuration Manager\bin\i386

In the Azure portal ( go to Intune then Mobile Apps, then Add App. Select Line-of-business-app and browse to the ccmsetup.msi and click on Next.


Fill in the required details including the command line arguments.

Note: An easy way to generate the command line arguments for the SCCM client is to configure the first few screens of the co-management wizard in the SCCM console in \Administration\Overview\Cloud Services\Co-management. You will then be presented with a box with the command line arguments that you can copy and paste. See the screenshot below.


Once ccmsetup.msi has been uploaded. assign it to a group. I have a group with my Azure AD joined and Intune enrolled Windows 10 1709 machine.


On my Azure AD Joined and Intune enrolled Windows 10 1709 machine, after syncing with Intune, you can see that the client is now installing and grabbing the rest of the source files from the Cloud Distribution point I created earlier.


The client is now communicating through the Cloud Management Gateway and can now be seen in the SCCM devices.


I have created a User Collection containing my Azure AD Users that have been discovered. I will now create an application, and then deploy it to my Azure AD User collection.


I will deploy the application to my Cloud Distribution Point.


On my client you can see it downloaded the application from the Cloud Distribution Point and it is now seen as Installed in Software Center.




SCCM TP 1708 – Software Center Customization

With the recently released SCCM Technical Preview 1708, you can now customize the Software Center look including the company name and logo, colour schemes, and hiding different tabs. This post will demonstrate how you can customize Software Center and how it looks.

These settings are configured in the Client Settings. You can see that there is now a Software Center section as displayed in the picture below.

Once you select Yes for Select these new settings to specify the company information, you can configure all the other settings. In my example below, I have set a company name, I have set the colour scheme and also used a logo. If you like, you can also choose to hide certain tabs.


When setting a logo for Software Center, note that the maximum dimensions are 100×400 pixels, and the file cannot be larger than 750kb in size.


This is how my Software Center previously looked without doing any customization.


Now after adding the colour scheme, Software Center logo and company name, the Software Center looks like the image below.


Update 1606 for Configuration Manager Technical Preview

Update 1606 for Configuration Manager Technical Preview has been released

Automatically categorize devices into collections:
Device categories can be created to automatically place devices into device collections when ConfigMgr is used with Microsoft Intune. Users are required to choose a device category when they enroll a device in Intune. The category of a device can also be changed in the ConfigMgr console.

Enforcement grace period for required application and software update deployments
Users can set a grace period for required application deployments or software updates that are past the deadline. Useful for machines that have been turned off for a while.

Using Configuration Manager as a managed installer with Device Guard
Device Guard is a feature in Windows 10. ConfigMgr can work with Device Guard so that software deployed from ConfigMgr is automatically trusted

Multiple device management points for On-premises Mobile Device Management

Cloud Proxy Service for managing clients on the Internet
New feature to manage ConfigMgr clients on the Internet. The service is deployed to Azure and connects your on-premises ConfigMgr infrastrucutre using the cloud proxy connector point (new role). It currently supports the management point, distribution point and software update point roles.

Manage the Office 365 client agent in Configuration Manager
Instead of using Group Policiy setting, you can configure a ConfigMgr client agent setting to enable Office 365 clients to receive updates from ConfigMgr.

The OSDPreserveDriveLetter task sequence variable has been deprecated
Windows Setup now determines the best drive letter to use (typically C:). You can still change the drive letter location in Apply Operating System task sequence step.

Changes for the Updates and Servicing Node

For more info:

Software updates not synchronizing – Sync failed: WSUS update source not found on site

I installed a trial of Configuration Manager 2016 Technical Preview 4 and set up and configured the Software Update point. I wasn’t able to synchronize any updates.

I checked wsyncmgr.log and saw Sync failed: WSUS update source not found on site

The workaround was to configure the Software Update Point and disable/remove all Classifications and Products and then to schedule another sync.


After this, I scheduled another sync, and the sync completed.


I then went back and re-configued the Software Update Point for the Classifications and Products I wanted, then scheduled another sync and it worked fine.


Lab Build – System Center Configuration Manager Technical Preview

Today I wanted to check out the new features of the Microsoft System Center Configuration
Manager Technical Preview

The technical preview includes new features such as:
Windows 10 in-place upgrade
Mobile Application Management
Data protection for mobile devices
Preferred management points
On-premises mobile device management (MDM)
Support for Microsoft Azure virtual machines
Client deployment status in console monitoring

All ISO’s in this lab were downloaded from Technet’s Evaluation Center

The servers in my lab are running Server 2012 R2

Configuration: I have 3 Hyper-V Machines

Domain controller – Server 2012 R2
SQL Server – SQL 2012 SP1, Server 2012 R2
SCCM Server – System Center Configuration Manager Technical Preview, Server 2012 R2

Windows Firewall is disabled.

On my SQL machine I kiceked off the SQL 2012 SP1 build


I selected SQL Server Feature Installation.


Selected Database Engine Services, Reporting Services and Management Tools.


I used the default instance for this lab.


Earlier I created a normal domain account called ser-sql which I used for my
SQL service accounts.

I changed Startup Type to Automatic for SQL Server Agent.


SQL Collation is SQL_Latin1_General_CP1_CI_AS.


Added my current user as a SQL Administrator and left Windows authentication mode selected.


Once SQL has been installed, I opened up SQL management studio, right clicked on the
SQL server then memory, and
changed the maximum memory from unlimited to 2048MB to suit my lab.


In Computer Management, added my SCCM server to local administrator group.


Extending the Schema is the same as in SCCM 2012.
Make sure the account you’re running is a member of Schema Admins

Run SMSSETUP\BIN\X64\extadsch.exe and make sure it says it is successful.


Next opened up ADSIEdit to create the System Management container and give
the SCCM computer account the correct permissions.


Connected to default naming context. Right click system and create new object. Create a container.

Give it the value of System Management

Right click system management container after creating, then properties, then security and
add the SCCM computer account.

Click Full Control then advanced.


Select the SCCM computer account and click Edit

Select Applies to This object and all descendant objects



Install Windows Assessment and Deployment Kit (ADK)
Select Deployment Tools
Windows Preinstallation Environment (Windows PE)
User State Migration Tool (USMT)

Net Framework 3.5 Features
Background Intelligent Transfer Services (BITS)
Remote Differential Compression

IIS Configuration:
Application Development:
ISAPI Extensions

IIS Security:
Windows Authentication

IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility


Install a Configuration Manager Primary Site


I left options as default.


Enter in the path to download any required files


Choose your site code and site name


This is a lab so log files will be kept as default.



I will be using HTTP not HTTPS


My lab machine will be both management point and distribution point


Click Next, if any of the PreReq’s fail, read what has failed to rectify the issues.


Once the installation has finished, you can open the Configuration Manager console and
view Configuration Manager Preview.


When I have time I will be looking into the new features next.