
A cloud distribution point is an SCCM distribution point that is hosted in Microsoft Azure. Clients access it like a normal distribution point, over port 443 (SSL). Cloud distribution points are useful for clients on the internet, as a fallback, or to quickly provision a distribution point when extra bandwidth is needed for a limited time. The whole process should take about an hour, a bit more if you’re not familiar with certificates, which are a big part of this guide.

Plan

If you’re unsure if the cloud distribution point is the right choice for your organization, read the following Microsoft documentation which explains in detail the features and benefits. The article also lists what features are supported or not.

Cost

We also suggest reading the Microsoft article explaining the cost of using a cloud distribution point, as this could be a showstopper for a small business.

Prerequisites for SCCM Cloud Distribution Point

  • An Azure Subscription
  • Your Windows Azure Subscription ID
  • A self-signed or public key infrastructure (PKI) management certificate for communication from your primary site server to the Azure service (.cer file)
  • A service certificate (PKI) that Configuration Manager clients use to connect to cloud distribution points and download content from them by using HTTPS
  • DNS alias and a CNAME record in your DNS namespace for clients to resolve the name of the cloud service
  • Client Settings configured correctly
  • The client must have internet access
  • Boundary group must be configured

We will cover all those requirements in this post.

Certificates Requirements

To make an authenticated, secured (SSL) connection between your Primary Site installation and your Windows Azure subscription, you need to create your own management certificate, which can be self-signed or issued by a certification authority (CA). We recommend using a certification authority in a production environment. For testing (or lab) purposes you can use a self-signed certificate, which is easier to implement.

The high-level certificate requirements:

  • Provide the .cer file of the management certificate to Azure. You must upload this certificate to Azure before you install a cloud distribution point. This certificate enables SCCM to access the Azure API.
  • Provide the .pfx file of the management certificate to SCCM when you install the cloud distribution point. SCCM will store this certificate in the site database. Because the .pfx file contains the private key, you must provide the password to import this certificate file into SCCM.
  • If you use a self-signed certificate, you must first export a certificate as a .cer file and then export it again as a .pfx file

Create a Self-Signed Certificate

Only follow this section if you are using a self-signed certificate. If you’ll be using a certificate from your certification authority (CA), jump to the next section.

  • Open MMC
  • On the File menu, choose Add/Remove Snap-in…, select Certificates, and click Add

  • When prompted for what you want to manage certificates for, select Computer Account, click Next

  • Select Local Computer and then click Finish

  • Click OK to close the Add/Remove Snap-ins form


  • In the Certificate console
  • Go to Certificates (Local Computer) / Personal / Certificates.
  • You should find a Server Authentication certificate there with the name of your server in the Issued To column. In our example, it’s the first one listed (CM01.SCDLab.org)


We will export this certificate twice:

  • One to get a .Cer file that we’ll upload to Windows Azure as the management certificate
  • The other to create a password-protected .Pfx file that we’ll use to configure the connection from our Primary Server to create the SCCM cloud distribution point.

Export the .CER file:

  • In the Certificates (Local Computer) console
  • Right-click your Server Authentication certificate (in our case: CM01.SCDLab.org)
  • Choose All Tasks / Export
  • In the Certificates Export Wizard, choose Next

  • On the Export Private Key page, choose No, do not export the private key, click Next

  • On the Export file format, select DER encoded binary X.509 (.CER), click Next

  • Save your certificate in a folder and close the Certificate Export Wizard

Export the .PFX file

  • On the Export Private Key page, choose Yes, export the private key, click Next

  • On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX), click Next

  • On the Password page, specify a strong password to protect the exported certificate with its private key, click Next

  • On the File to Export page, specify the name of the file that you want to export, click Next

  • To close the wizard, click Finish in the Certificate Export Wizard page, click OK

  • Close Certificates (Local Computer)

The certificate is now ready to be imported to create an SCCM cloud distribution point. You can jump to the Azure Subscription section if you are not using a PKI server.

Create and Issue a Custom Web Server Certificate Template on the Certification Authority (If using PKI only)

If you just created a self-signed certificate, jump to the Azure Subscription section.

This procedure creates a custom certificate template that is based on the web server certificate template. The certificate is used to install the SCCM cloud distribution point, and its private key must be exportable because the installation asks for it.

Create and issue the custom web server certificate template on the certification authority

  • In Active Directory, create a security group named SCCM Site Servers that contains your SCCM Primary Site server computer account
  • On the server that is running the Certification Authority, open the Certification Authority console (certsrv.mmc), right-click Certificate Templates and select Manage

  • The Certificate Templates management console opens
  • Right-click the Web Server template and then select Duplicate Template

  • In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected in Certification Authority

  • In the General tab, enter a template name, like SCD SCCM Cloud DP. Change the validity period if needed. Keep in mind that the longer the validity period, the less secure your certificate is

  • In the Request Handling tab, select Allow private key to be exported

  • In the Security tab, remove the Enroll permission from the Enterprise Admins security group

  • Choose Add, enter SCCM Site Servers in the text box, and then choose OK
  • Select the Enroll and Read permission for this group

  • Choose OK, close Certificate Templates Console
  • Back in the Certification Authority (certsrv.mmc) console, right-click Certificate Templates, select New / Certificate Template to Issue

  • In the Enable Certificate Templates dialog box, select the new template that you just created, SCD SCCM Cloud DP, click OK

Request the custom web server certificate on the Primary Site Server

This procedure requests and then installs the newly created custom web server certificate on the Primary Site server prior to the SCCM cloud distribution point installation.

  • Open MMC
  • On the File menu, choose Add/Remove Snap-in…, select Certificates, and click Add

  • When prompted for what you want to manage certificates for, select Computer Account, click Next

  • Select Local Computer and then click Finish

  • Click OK to close the Add/Remove Snap-ins


  • In the Add or Remove Snap-ins dialog box, choose OK.
  • In the console, expand Certificates (Local Computer) / Personal / Certificates
  • Right-click Certificates, select All Tasks / Request New Certificate
  • On the Before You Begin page, click Next


  • If you see the Select Certificate Enrollment Policy page, choose Next

  • On the Request Certificates page, identify the SCD SCCM Cloud DP from the list of available certificates, and then select More information is required to enroll for this certificate. Click here to configure settings

  • In the Certificate Properties dialog box, in the Subject tab
    • Subject name: in Type choose Common name
    • Value: Specify your service name and your domain name by using an FQDN format. (For example: scdclouddp1.cloudapp.net) and select Add
    • Alternative name: in Type choose DNS
    • Value: Specify your service name and your domain name by using an FQDN format. (For example: scdclouddp1.cloudapp.net) and select Add

  • Click OK to close the Certificate Properties dialog box

  • On the Request Certificates page, select SCD SCCM Cloud DP from the list of available certificates, click Enroll

  • On the Certificates Installation Results page, wait until the certificate is installed, click Finish

Export the custom web server certificate for cloud distribution points

This procedure exports the custom web server certificate to a file. We will export it as a .Cer file for the Azure management certificate and as a .Pfx file for the cloud distribution point creation.

.Cer Export

  • In the Certificates (Local Computer) console, right-click the SCD SCCM Cloud DP certificate that you just created, select All Tasks / Export

  • In the Certificates Export Wizard, choose Next

  • On the Export Private Key page, select No, do not export the private key and click Next

  • On the Export file format, select CER and click Next

  • Save your certificate in a folder and close the wizard

  • To close the wizard, click Finish in the Certificate Export Wizard page

.PFX Export

  • On the Export Private Key page, choose Yes, export the private key, click Next

  • On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) option is selected

  • On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next

  • On the File to Export page, specify the name of the file that you want to export

  • To close the wizard, click Finish in the Certificate Export Wizard page

  • Close Certificates (Local Computer).

The certificate is now ready to be imported to create an SCCM cloud distribution point.
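
The two exports described above (the self-signed procedure and the PKI procedure end with the same .cer/.pfx pair) can also be scripted and checked. This is an added example, not part of the original guide; the thumbprint parameter, the output folder and the file names are assumptions to be replaced with your own values.

```powershell
# Added example (not from the guide): export one certificate as .cer and .pfx,
# then confirm what each file contains.
# $Thumbprint and $OutDir are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $OutDir = 'C:\Temp\CloudDP'   # hypothetical working folder
)
$ErrorActionPreference = 'Stop'

# The guide exports from Certificates (Local Computer) / Personal / Certificates.
$cert = Get-Item -Path ("Cert:\LocalMachine\My\{0}" -f ($Thumbprint -replace '\s', ''))

if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Subject) has no private key in this store; a .pfx cannot be produced."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cerPath = Join-Path $OutDir 'CloudDP-Management.cer'   # hypothetical file name
$pfxPath = Join-Path $OutDir 'CloudDP-Management.pfx'   # hypothetical file name

# .cer: public certificate only, DER encoded (the file uploaded to Azure).
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# .pfx: certificate plus private key, protected by a password typed at the prompt.
# This call fails if the private key is not marked as exportable.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Read both files back and compare them with the certificate in the store.
$public  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$pfxCert = (Get-PfxData -FilePath $pfxPath -Password $pfxPassword).EndEntityCertificates[0]

[pscustomobject]@{
    Subject          = $cert.Subject
    Thumbprint       = $cert.Thumbprint
    CerHasPrivateKey = $public.HasPrivateKey                      # must be False
    CerMatchesStore  = ($public.Thumbprint -eq $cert.Thumbprint)
    PfxMatchesStore  = ($pfxCert.Thumbprint -eq $cert.Thumbprint)
    CerPath          = $cerPath
    PfxPath          = $pfxPath
}
```

Because SCCM stores the imported .pfx in the site database, the exported .pfx file can be deleted from the working folder once the cloud distribution point has been created.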

Upload the certificate to your Azure Subscription

If your company is already using Windows Azure, there is a very good chance that a management certificate was already created and uploaded. In that case you will only need to get the .pfx file and its password. If not, follow these instructions to upload the management certificate (.Cer file) into the Azure classic portal. At the time of this writing, you can’t use the new Azure Portal for this.

  • Press the Management Certificates tab

  • Click Upload a management certificate, select the .cer file that you exported earlier, and then click the checkbox at the right

  • The management certificate is now created and ready to use

  • Copy the value of Subscription ID for your certificate. It will be needed to create the cloud management point.

Create the SCCM Cloud Distribution Point

  • Open the SCCM Console
  • Click Administration / Cloud Services / Cloud Distribution Points
  • Right-Click Cloud Distribution Points and click on Create Cloud Distribution Point

  • On the Specify details for this cloud service page, paste your Subscription ID that you copied in the previous step
    • If you forgot to copy it, log in to your Azure portal and get it in the Subscription section

  • In the Management Certificate field, click Browse. Navigate to and select the .pfx file that you saved earlier. After you select it and click Open, you’ll be prompted for the password you used to protect it. Enter the password and click OK

  • On the Specify additional details for this distribution point form, select the regions where you want to host your cloud distribution point
  • Enter a Description if desired
  • All other values should be auto-filled, click Next

  • On the Configure alerts for this distribution point page, we’ll leave the defaults and click Next

  • On the Summary page, review the Details, click Next

  • On the Completion tab, click Close

  • The Cloud Distribution Point will now be listed with a status of Provisioning. That status will change to Ready when provisioning is completed. You can also monitor the CloudMgr.log file on the primary site server. This process can take up to 10 minutes, so be patient.
  • There’s a known bug in SCCM 1702 which leaves the status in Provisioning. If you’re affected by this bug, apply the following hotfix

  • Cloud Distribution Point ready!

In your Windows Azure portal page, you can see that the storage space has been created. This is the storage space that will hold content that you’ll distribute to your cloud distribution point.

  • In the Azure Portal, go to Storage Accounts section on the left
  • You will see a new cloud service with a GUID


We will now distribute a package to our new cloud distribution point. We will send the Configuration Manager Client Package to the cloud distribution point.

  • In the SCCM Console
  • Click Software Library / Application Management / Packages
  • Right-click Configuration Manager Client Package, select Distribute Content
  • On the Review selected content page, click Next
  • On the Specify the content destination page, click Add. In the resulting drop-down list, click Distribution Point
  • In the Add Distribution Points list of available distribution points, check the box next to your cloud distribution point. Click OK, and then click Next
  • On the Summary page, click Next. The distribution should complete successfully, so click Close

Let’s see if that package is distributed.

  • Click Monitoring / Distribution Status / Content Status
  • In the details pane, select your Configuration Manager Client Package, and note the completion status. The yellow circle will turn green when the distribution is complete, just as for a “normal” DP
  • Your cloud distribution point should be listed in the Success section when completed

  • In the PkgXferMgr.log file, you can see that content is sent to the cloud distribution point

Let’s check under the hood in our Azure Storage account to see if the content is there:

  • In your Windows Azure administration page
  • Click on Storage Accounts
  • Click on your storage account GUID


  • In the Overview section, click on Blobs


  • You can see our content listed by package ID, click on a name


  • You can see that the files match the content of the package that we just distributed


Setup Name Resolution for Cloud Distribution Points

  • In the Azure Portal
  • Go to Cloud Services (classic)
  • Click the Columns button on the top, and add the URL column
  • On the right, the URL value will be YourServiceName.cloudapp.net. This is the DNS name that your clients will use to connect to the cloud distribution point and get their content


Configure DNS

In order for the clients to download content from a cloud distribution point, they must be able to resolve scdclouddp01.cloudapp.net to the cloud distribution point IP address. This is done by creating a CNAME record in DNS with the FQDN of the Windows Azure service URL that you just noted in prior steps.

  • Open the DNS Manager Console
  • On your DNS server, open the DNS console and create a new CNAME record in your domain Forward Lookup Zones
  • Select New Alias (CNAME)


  • For Alias name, type your cloud distribution point name (Ex: scdclouddp01)
  • In Fully qualified domain name (FQDN) for target host, paste your Site URL (in our example: c940eea9c9954f038b69101c.cloudapp.net) and click OK
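
Once the CNAME exists, both halves of the name resolution setup can be checked from a client: that the alias points at the Azure service URL, and that the certificate served on port 443 is valid for the name the client connects with. This is an added example, not part of the original guide; both parameters are placeholders for your own alias and for the URL column value noted earlier.

```powershell
# Added example (not from the guide): check the CNAME and the certificate behind it.
param(
    [Parameter(Mandatory)] [string] $ClientFqdn,        # name the clients connect to (placeholder)
    [Parameter(Mandatory)] [string] $AzureServiceFqdn   # URL column value, ends in .cloudapp.net
)
$ErrorActionPreference = 'Stop'

# 1. The alias must be a CNAME record; report where it points.
$cname = Resolve-DnsName -Name $ClientFqdn -Type CNAME |
    Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) { throw "No CNAME record found for $ClientFqdn." }
$target = $cname.NameHost.TrimEnd('.')

# 2. TLS handshake on 443. The callback accepts any certificate so that it can be
#    inspected; it only records the validation result and no data is sent.
$script:policyErrors = $null
$capture = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $certificate, $chain, $policy)
    $script:policyErrors = $policy
    $true
}
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ClientFqdn, 443)
    $stream = $tcp.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList ($stream, $false, $capture)
    $ssl.AuthenticateAsClient($ClientFqdn, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $ssl.RemoteCertificate
}
finally {
    $tcp.Close()
}

# Subject Alternative Name extension (OID 2.5.29.17), formatted as text.
$san = $served.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
    ForEach-Object { $_.Format($false) }

$nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
$chainErrors  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

[pscustomobject]@{
    ClientFqdn      = $ClientFqdn
    CnameTarget     = $target
    CnameIsExpected = ($target -eq $AzureServiceFqdn.TrimEnd('.'))
    CertSubject     = $served.Subject
    CertSan         = $san
    CertNotAfter    = $served.NotAfter
    NameMatches     = -not ($script:policyErrors -band $nameMismatch)   # cert covers $ClientFqdn
    ChainTrusted    = -not ($script:policyErrors -band $chainErrors)    # issuer trusted by this client
}
```

A False in NameMatches means the certificate's subject and alternative names do not include the name passed in; a False in ChainTrusted means this client does not trust the issuer, which is expected with a self-signed certificate unless it has been added to the client's trusted root store.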


Clients Configuration

We now need to configure the client settings so that our SCCM clients can access the cloud distribution point.

  • Open the SCCM console
  • Go to Administration / Client Settings
  • Right-click your client settings and click Properties
  • Select Cloud Services and select Yes on Allow access to cloud distribution point


Adjust Boundary Groups

The last step is to set up our boundary groups to include our cloud distribution point.

  • In the SCCM Console
  • Go to Administration / Hierarchy Configuration / Boundary Groups
  • Right-click your boundary group, select Properties


  • On the Reference tab, click Add


  • Select your cloud distribution point and click OK twice


You are now ready to use your new cloud distribution point for your deployments.

Comments (14)

Dave

11.05.2018 AT 08:49 AM
I was banging my head when I enabled Cloud DP from CMG. Adding the cloud site system as part of my workstation boundary group worked like a charm. As far as I can tell, MS has not made this a part of their documentation.

Jon

06.22.2018 AT 08:54 AM
I have the same issue as Sada123.

soumitra

05.02.2018 AT 08:38 AM
here is some confusion

soumitra

05.02.2018 AT 08:42 AM
you created the service name as scdclouddp1.cloudapp.net, but cname you are creating in scdclouddp1.scdlab.org also you are creating the certificate with cn=scdclouddp1.cloudapp.net, then service will be created in sccm like scdclouddp1.cloudapp.net. Then where is the scdclouddp1.scdlab.org? Could you please help me to understand?

dex5o5

05.24.2018 AT 12:46 AM
There's a mistake in the documentation. In the section where he creates the cloud based distribution point in SCCM. In the "Specify additional fields for this cloud service" (after the management certificate), the certificate that he used to create the service should have had the FQDN of scdclouddp1.scdlab.org and not scdclouddp1.cloudapp.net. The reason for that is when the service is provisioned in Azure the url will end up in the format of https://{guid}.cloudapp.net/ anyway. The Azure service is not going to use the FQDN specified in the certificate but that would be what's passed to the SCCM client. So, in this case the CNAME entry is also incorrect. It should be scdclouddp1.sclab.org pointed to {guid}.cloudapp.net. Hope this helps.

Florian

01.04.2018 AT 09:38 AM
Hi, which Azure services do I need to subscribe to and which costs do I have to calculate with?

Jonathan Abramson

11.07.2017 AT 10:39 AM
Is this possible to do by building your own server outside the network in the DMZ instead of using Azure with 1706? You have this which is similar to what I am trying to do but it was written for 2012. Would like to do this without the reoccurring costs of Azure if possible. https://systemcenterdudes.com/internet-based-client-management/

Benoit Lecours

02.01.2018 AT 07:31 AM
Yes, this is the second option if you don't want to use Azure services.

ryan

10.25.2017 AT 10:46 AM
I get the same as above

John Bryntze

08.24.2017 AT 11:30 AM
Thanks a lot Benoit, this was really good step by step tutorial to make it done. You cannot use the Classic Azure Portal now, but if you try you get link to howto reach the same for certificate in the modern Azure portal. Once the Cloud DP is up, next step (or before this step) is to setup a Cloud Management Point, it is in pre-release on SCCM 1702 and probably prod in 1706. again thanks, this was really useful for me setting this up.

Benoit Lecours

02.01.2018 AT 07:35 AM
Hi John, Yes, you're right the classic portal is redirecting you to the new portal. You can now go to Subscription / Management Certificate to do so. I'm writing a guide for Cloud Management Gateway now, it will be out this week. 😉

Sada123

08.23.2017 AT 08:36 PM
Hi Benoit,
- Followed the same steps except that the Azure service URL has http://.cloudapp.net/ So when creating the internal CNAME record I used the same.
- When I try to download the application, it is stuck at 0% downloading in Software Center.
- DataTransferService.log gives the following error:
UpdateURLWithTransportSettings(): NEW URL - https://xxxxxxxx.cloudapp.net:443/downloadrestservice.svc/getcontentxmlsecure?pid=P0100007&cid=CONTENT_9F54C00A-841A-4413-BFC8-7428A43480A8.1&tid=GUID:068B5B1B-FD04-4AEE-B45F-117B1CE85982&iss=xxxxx.CORP.xxxxxx.COM&alg=1.2.840.113549.1.1.11&st=2017-08-24T01:06:16&et=2017-08-24T09:06:16
DTSJob {3F3647DF-D3FB-4391-B882-3CD4D4F0BF96} created to download from 'xxxxxxxx.cloudapp.net:443/downloadrestservice.svc/getcontentxmlsecure?pid=P0100007&cid=CONTENT_9F54C00A-841A-4413-BFC8-7428A43480A8.1&tid=GUID:068B5B1B-FD04-4AEE-B45F-117B1CE85982&iss=xxxxxx.CORP.xxxx.COM&alg=1.2.840.113549.1.1.11&st=2017-08-24T01:06:16&et=2017-08-24T09:06:16' to 'C:\Windows\ccmcache\cn'.
DTSJob {3F3647DF-D3FB-4391-B882-3CD4D4F0BF96} in state 'DownloadingManifest'.
Error sending DAV request. HTTP code 600, status ''
GetDirectoryList_HTTP('https://xxxxxxxx.cloudapp.net:443/downloadrestservice.svc/getcontentxmlsecure?pid=P0100007&cid=CONTENT_9F54C00A-841A-4413-BFC8-7428A43480A8.1&tid=GUID:068B5B1B-FD04-4AEE-B45F-117B1CE85982&iss=SCCM-LAB.CORP.xxxxxx.COM&alg=1.2.840.113549.1.1.11&st=2017-08-24T01:06:16&et=2017-08-24T09:06:16') failed with code 0x87d00215.
Error retrieving manifest (0x87d00215). Will attempt retry 1 in 30 seconds.
- Verified CAS.log, ContentTransferManager.log, CIAgent.log, CIStore.log
- I have tested application installation on the same client from a normal DP. It works
- Cloud DP added to boundary group.
- Application is set to download and install.
- Microsoft support says, CNAME should be available in public DNS, is that true?