In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts;

In Part 2 we prepare and create all the required certificates. The steps are long and tedious, but they matter: every later part depends on these certificates having the right names, key usages and chains.

Create Azure Management certificate

An Azure management certificate authenticates to the Azure service management (classic deployment) APIs, which ConfigMgr uses to deploy its cloud services. Microsoft's guidance is to create a separate management certificate for each service you deploy. Here I use a single management certificate for both the cloud management gateway and the cloud distribution point, because both belong to the same ConfigMgr service; you could equally create one for each, since each is a service in its own right. Whoever holds the private key in the exported .pfx can manage that subscription's classic resources, so keep the .pfx on the site server only and treat it as a credential.

  1. Use PowerShell to create a self-signed certificate and export it twice: a .pfx with the private key (stays on the site server and is later imported into ConfigMgr) and a .cer with only the public key (uploaded to Azure).
    # Self-signed certificate in the machine store; the DNS name is just a label here, Azure does not validate it
    $cert = New-SelfSignedCertificate -DnsName "smsbootConfigMgr.cloudapp.net" -CertStoreLocation "cert:\LocalMachine\My"
    # Password protecting the private key inside the .pfx; this file is effectively a subscription credential
    $password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText
    if (!(Test-Path "D:\ConfigMgr")) {
     New-Item -Path "D:\ConfigMgr" -ItemType Directory -Verbose
    }
    # Certificate plus private key -> .pfx (keep local); public certificate only -> .cer (upload to Azure)
    Export-PfxCertificate -Cert $cert -FilePath "D:\ConfigMgr\AzureManagement.pfx" -Password $password
    Export-Certificate -Type CERT -Cert $cert -FilePath "D:\ConfigMgr\AzureManagement.cer"
  2. You should now see the two exported files, AzureManagement.pfx and AzureManagement.cer, in D:\ConfigMgr.
  3. Upload AzureManagement.cer to Azure. Log on to https://portal.azure.com
  4. Go to Subscriptions, choose your subscriptions.
    In my case, I have Pay-As-You-Go. Choose Management certificates

  5. Click Upload, browse to the folder where you exported the certificate, choose AzureManagement.cer, then click Upload.

  6. The certificate now appears in the Management certificates list. Check that the thumbprint shown there matches the thumbprint of the certificate in your local store (the object returned by New-SelfSignedCertificate); only the .cer, never the .pfx, should be uploaded.

Create certificate templates

Create ConfigMgr Web server certificate template for server authentication (IIS)

This template is used for the server-authentication (IIS) certificates on the Management Point, Software Update Point and Distribution Point.

  1. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
  2. Right-click Web Server, then click Duplicate Template.

  3. When asked which version to duplicate (or on the Compatibility tab on newer CAs), choose Windows Server 2003, not Windows Server 2008. A Server 2003 (version 2) template puts the key in a legacy CSP; a Server 2008 (version 3) template uses a CNG key storage provider, which ConfigMgr did not support for these certificates at the time of writing.

  4. On the General tab, enter the template display name ConfigMgr Web Server Certificate.
  5. Change the validity period as you wish.

  6. On the Security tab, click Add.
  7. Add your ConfigMgr servers or the ConfigMgr server AD group (if you created one), and grant Allow on Read and Enroll.
    In my case, I added CM01 and CM02

  8. Click OK to close the dialog.
Create ConfigMgr Cloud Management Gateway certificate template
  1. Duplicate the ConfigMgr Web Server Certificate template we just created (again choose Windows Server 2003).

  2. On the General tab, change the template display name to ConfigMgr Cloud Services Certificate.

    You don't need separate templates for the cloud management gateway and the cloud distribution point; both certificates are requested from this one.

  3. Change the validity period as you wish.

  4. On the Request Handling tab, tick Allow private key to be exported. The CMG and cloud DP certificates are later exported as .pfx files and uploaded to Azure, so this is required.

  5. Click OK to close the dialog.
Create client authentication certificate template
  1. Right-click Workstation Authentication and click Duplicate Template.
  2. On the General tab, change the display name to ConfigMgr Client Certificate.
  3. Change the validity period as you wish.

  4. On the Security tab, click Add.
  5. Add Domain Computers and grant Allow on Read, Enroll and Autoenroll.

  6. Click OK to close the dialog.
Create ConfigMgr Client certificate template for Distribution point
  1. Right-click Workstation Authentication and click Duplicate Template.
  2. On the General tab, change the display name to ConfigMgr Distribution Point certificate.
  3. Change the validity period as you wish.

  4. On the Request Handling tab, tick Allow private key to be exported (the DP certificate is imported into ConfigMgr as a .pfx).
  5. On the Security tab, click Add.
  6. Add your distribution point server and grant Allow on Read and Enroll.
  7. Click OK to close the dialog.

You should now see four ConfigMgr certificate templates. Close the Certificate Templates console.

Enable certificates to be issued
  1. In the Certification Authority console, right-click Certificate Templates, then choose New > Certificate Template to Issue.

  2. Select the four certificate templates we just created.
  3. The four templates now appear under Certificate Templates.

  4. Close the Certification Authority console.
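The template settings above are easy to get subtly wrong (the 2003/2008 choice, the exportable-key flag, the EKU inherited from the parent). The following script is an added example, not from the original post: it reads the four templates back out of Active Directory and checks those settings, then asks the CA which templates it actually publishes. It assumes the display names used in this post and a CA config string of CA01.zit.local\ZIT-CA (both assumptions; change them to match your environment). Any domain user can read the template container.

```powershell
# Added example (not from the original post). Assumed display names and CA config string.
$displayNames = @(
    'ConfigMgr Web Server Certificate',
    'ConfigMgr Cloud Services Certificate',
    'ConfigMgr Client Certificate',
    'ConfigMgr Distribution Point certificate'
)
$caConfig = 'CA01.zit.local\ZIT-CA'   # assumption: <CA host FQDN>\<CA common name>

# Well-known EKU OIDs and the exportable-key flag bit from msPKI-Private-Key-Flag.
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'
$ExportableFlag = 0x10                 # CT_FLAG_EXPORTABLE_KEY

# Templates live in the Configuration partition, one object per template.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

foreach ($t in $container.Children) {
    $name = [string]$t.Properties['displayName'].Value
    if ($displayNames -notcontains $name) { continue }

    $schema  = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
    $keyFlag = [int]$t.Properties['msPKI-Private-Key-Flag'].Value
    $ekus    = @($t.Properties['pKIExtendedKeyUsage'].Value)

    [pscustomobject]@{
        Template      = $name
        TemplateName  = [string]$t.Properties['cn'].Value   # the name Get-Certificate -Template expects
        # 2 = "Windows Server 2003" template (legacy CSP keys); 3 or higher = Server 2008 (CNG keys)
        SchemaVersion = $schema
        ServerAuth    = $ekus -contains $ServerAuthOid      # expected on the Web Server and Cloud Services templates
        ClientAuth    = $ekus -contains $ClientAuthOid      # expected on the Client and DP templates
        Exportable    = ($keyFlag -band $ExportableFlag) -ne 0   # expected only on Cloud Services and DP
    }
}

# Confirm the CA publishes the templates (the "Enable certificates to be issued" step).
certutil -config $caConfig -CATemplates | Select-String -Pattern 'ConfigMgr'
```

Anything reporting SchemaVersion 3 or higher was duplicated as a Server 2008 template and should be recreated; a Web Server or Client template showing Exportable = True allows private keys to leave the machine that enrolled them, which the steps above do not intend.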


Request certificates

Request certificate for Cloud management gateway
  1. You need a DNS name for the cloud service that is unique within Azure, so go to the Azure portal at https://portal.azure.com.
    Click New, type Cloud Service, click Cloud Service and then Create.

  2. Under DNS name, enter the name you wish to use and check its availability. In my case I use smsbootCMG.cloudapp.net as my cloud management gateway address.
    IMPORTANT: Do not actually create the cloud service. This step only checks that the DNS name is available; ConfigMgr creates the service itself when the CMG is deployed.

  3. Open MMC as administrator.
  4. Click File > Add/Remove Snap-in…
  5. In the Available snap-ins list, choose Certificates.
  6. In the Certificates snap-in, choose Computer account.

  7. Click Next > Finish > OK.
  8. Open Certificates (Local Computer) > Personal > Certificates.
  9. Right-click Certificates and choose All Tasks > Request New Certificate…

  10. Click Next, then Next again. You should see the templates available for enrollment.

  11. Tick ConfigMgr Cloud Services Certificate.
  12. Click “More information is required to enroll for this certificate. Click here to configure settings.”
  13. On the Subject tab, under Subject name, choose Type: Common name.
  14. Enter the value smsbootCMG.cloudapp.net (see step 2) and click Add >.

  15. On the General tab, enter ConfigMgr CMG as both Friendly name and Description.

    Tip: I always put some text in Friendly name and Description; it makes the certificates easier to find later, especially when many ConfigMgr roles share one server.

  16. Click OK, then Enroll, then Finish.

  17. The cloud management gateway certificate is now in the Personal store of the local computer.

Request certificate for cloud distribution point

This is almost the same process as requesting the cloud management gateway certificate.

  1. Request the certificate from the ConfigMgr Cloud Services Certificate template.
  2. Under Subject name, select Common name, type CloudDP001.domain.com and click Add.

    domain.com is your public domain, not your internal one. In my case the internal domain is ZIT.local and the public domain I registered is smsboot.com, so my cloud distribution point certificate subject is CloudDP001.smsboot.com.

  3. Also add an Alternative name of Type: DNS with the same FQDN.

  4. On the General tab, enter ConfigMgr Cloud DP as both Friendly name and Description.
  5. Click OK, then Enroll.

Request Web certificate (IIS) for MP, SUP, DP

We need a web server certificate for the Management Point, Software Update Point and Distribution Point, which we will later bind in IIS.

  1. Log on to the server(s) hosting the MP, SUP and DP roles.
  2. Request the certificate from the ConfigMgr Web Server Certificate template.
  3. Leave the Subject name type unchanged (no subject name is entered).
  4. Under Alternative name, choose Type: DNS.
  5. Add both the FQDN and the NetBIOS name of the MP, SUP or DP as values.

  6. On the General tab, enter ConfigMgr CM01 Web Server as Friendly name and Description.

Request certificate for Distribution point

  1. Request the certificate from the ConfigMgr Distribution Point certificate template (the subject is built from Active Directory, so nothing needs to be entered).
  2. Click Enroll.

You should now see at least four certificates in the Personal store. Next we export them.
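The four enrollments above can also be done from PowerShell with the PKI module, which is easier to repeat on a second site server and makes it simple to check afterwards that each certificate has the key usage and names ConfigMgr expects. The script below is an added example, not from the original post. It assumes the template names (the CN in AD, normally the display name without spaces), the host names used in this post (CM01, zit.local, smsboot.com), and a friendly name of ConfigMgr CM01 DP for the distribution point certificate; all of these are assumptions. Run it elevated on the server that is to hold the certificate.

```powershell
# Added example (not from the original post). Template names, host names and the DP friendly name are assumptions.
#Requires -RunAsAdministrator
$store = 'Cert:\LocalMachine\My'

function Request-ConfigMgrCert {
    param(
        [Parameter(Mandatory)][string]$Template,   # template name (CN in AD), not the display name
        [string]$SubjectName,                      # e.g. 'CN=smsbootCMG.cloudapp.net'; omit to leave the subject to the template
        [string[]]$DnsName,                        # subject alternative names (DNS)
        [Parameter(Mandatory)][string]$FriendlyName
    )
    $params = @{ Template = $Template; CertStoreLocation = $store; Url = 'ldap:' }   # ldap: = enroll against AD CS
    if ($SubjectName) { $params.SubjectName = $SubjectName }
    if ($DnsName)     { $params.DnsName     = $DnsName }

    $result = Get-Certificate @params
    if ($result.Status -ne 'Issued') {
        throw "Enrollment for '$Template' returned status '$($result.Status)' (Pending means the CA requires approval)"
    }
    # Friendly name is a store attribute, not part of the certificate; set it on the store copy so it persists.
    $cert = Get-Item "$store\$($result.Certificate.Thumbprint)"
    $cert.FriendlyName = $FriendlyName
    return $cert
}

# 1. Cloud management gateway: CN = the cloud service DNS name checked in the Azure portal.
$cmg = Request-ConfigMgrCert -Template 'ConfigMgrCloudServicesCertificate' `
        -SubjectName 'CN=smsbootCMG.cloudapp.net' -FriendlyName 'ConfigMgr CMG'

# 2. Cloud distribution point: CN and DNS SAN are a name in the public domain.
$cdp = Request-ConfigMgrCert -Template 'ConfigMgrCloudServicesCertificate' `
        -SubjectName 'CN=CloudDP001.smsboot.com' -DnsName 'CloudDP001.smsboot.com' `
        -FriendlyName 'ConfigMgr Cloud DP'

# 3. IIS certificate for MP/SUP/DP: no subject entered, SANs carry the FQDN and NetBIOS name.
$web = Request-ConfigMgrCert -Template 'ConfigMgrWebServerCertificate' `
        -DnsName 'CM01.zit.local','CM01' -FriendlyName 'ConfigMgr CM01 Web Server'

# 4. Distribution point client certificate: the template builds the subject from AD.
$dp  = Request-ConfigMgrCert -Template 'ConfigMgrDistributionPointcertificate' -FriendlyName 'ConfigMgr CM01 DP'

# Check what was issued: EKU, names, and that the private key is present in this store.
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$ClientAuth = '1.3.6.1.5.5.7.3.2'
foreach ($c in $cmg, $cdp, $web, $dp) {
    [pscustomobject]@{
        FriendlyName = $c.FriendlyName
        Subject      = $c.Subject
        SANs         = ($c.DnsNameList.Unicode -join ', ')
        ServerAuth   = ($c.EnhancedKeyUsageList.ObjectId -contains $ServerAuth)   # CMG, cloud DP, web server
        ClientAuth   = ($c.EnhancedKeyUsageList.ObjectId -contains $ClientAuth)   # DP client certificate
        HasKey       = $c.HasPrivateKey
        NotAfter     = $c.NotAfter
    }
}
```

If the CA is configured to hold requests for manager approval, Get-Certificate returns Status Pending and the script stops; approve the request on the CA and run Get-Certificate -Request on the pending object, or simply rerun once the template is set to issue automatically.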

Export certificates

You will need to export all of the certificates you have just created.

Export the cloud management gateway certificate
  1. Right-click the ConfigMgr CMG certificate, choose All Tasks > Export… and go through the wizard.

  2. Choose No, do not export the private key, and save the file as CMG.cer.

  3. Export the ConfigMgr CMG certificate again, this time choosing Yes, export the private key.

  • Set a password to protect the private key.

  • Save the file as CMG.pfx.

Export Cloud distribution point certificates

  1. Right-click the ConfigMgr Cloud DP certificate and repeat the same steps as for the ConfigMgr CMG certificate, once without and once with the private key.
  2. Save them as CloudDP001.cer and CloudDP001.pfx.

Export Distribution point certificates

Note: This has nothing to do with co-management. Since most of the ConfigMgr roles already use HTTPS, I wanted the distribution point to use HTTPS as well.

  1. Right-click the ConfigMgr Distribution Point certificate and repeat the export steps from the ConfigMgr CMG certificate, but export only the version with the private key.
  2. Save it as CM01DP.pfx.

Export Root certificate

  1. Open any of these certificates, for example ConfigMgr CM01 Web Server.

  2. On the Certification Path tab, select the root CA and click View Certificate.

  3. On the Details tab, click Copy to File…

  4. Save it as RootCA.cer.
  5. If you have a subordinate (issuing) CA, export its certificate the same way; ConfigMgr needs the whole chain.
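The exports in this section can be scripted, which avoids the two most common mistakes: exporting the wrong copy when several certificates share a subject, and exporting only the root when there is also a subordinate CA in the path. The script below is an added example, not from the original post. It assumes the friendly names used in this post (plus ConfigMgr CM01 DP for the distribution point certificate) and the D:\ConfigMgr output folder; these are assumptions.

```powershell
# Added example (not from the original post). Friendly names and output folder are assumptions.
#Requires -RunAsAdministrator
$outDir = 'D:\ConfigMgr'
if (-not (Test-Path $outDir)) { New-Item -Path $outDir -ItemType Directory | Out-Null }

# Prompt for the .pfx password instead of embedding it: the .pfx files go to Azure (CMG, cloud DP)
# or into ConfigMgr (DP) and contain private keys, so treat them as secrets.
$pfxPassword = Read-Host -Prompt 'Password for exported .pfx files' -AsSecureString

function Export-ConfigMgrCert {
    param(
        [Parameter(Mandatory)][string]$FriendlyName,
        [Parameter(Mandatory)][string]$BaseName,
        [switch]$PrivateOnly      # DP certificate: only the .pfx is needed
    )
    $cert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object FriendlyName -eq $FriendlyName)
    if ($cert.Count -ne 1) { throw "Expected exactly one certificate named '$FriendlyName', found $($cert.Count)" }
    $cert = $cert[0]

    if (-not $PrivateOnly) {
        # Public certificate only (.cer)
        Export-Certificate -Cert $cert -Type CERT -FilePath (Join-Path $outDir "$BaseName.cer") | Out-Null
    }
    if (-not $cert.HasPrivateKey) { throw "'$FriendlyName' has no private key in this store" }
    # Certificate plus private key (.pfx); fails if the template did not allow export
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir "$BaseName.pfx") -Password $pfxPassword | Out-Null
    return $cert
}

$cmg = Export-ConfigMgrCert -FriendlyName 'ConfigMgr CMG'      -BaseName 'CMG'
$cdp = Export-ConfigMgrCert -FriendlyName 'ConfigMgr Cloud DP' -BaseName 'CloudDP001'
$dp  = Export-ConfigMgrCert -FriendlyName 'ConfigMgr CM01 DP'  -BaseName 'CM01DP' -PrivateOnly

# Root and any subordinate CA certificates: build the chain of one issued certificate and export
# every element above the leaf. The last element is the root; anything in between is a sub CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the path matters here, not revocation status
$null = $chain.Build($cmg)
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
for ($i = 1; $i -lt $elements.Count; $i++) {
    $caCert = $elements[$i]
    $file   = if ($i -eq $elements.Count - 1) { 'RootCA.cer' } else { "SubCA$i.cer" }
    Export-Certificate -Cert $caCert -Type CERT -FilePath (Join-Path $outDir $file) | Out-Null
    '{0}: {1} (thumbprint {2})' -f $file, $caCert.Subject, $caCert.Thumbprint
}
```

If Export-PfxCertificate fails with an access or "key not valid for use in specified state" error, the certificate was enrolled from a template without Allow private key to be exported and has to be re-requested from the corrected template; the key cannot be made exportable afterwards.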

Configuring Autoenrollment of the Workstation Authentication Template by Using Group Policy

  1. Create a new GPO named Autoenroll Certificate.

  2. Go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
  3. Open Certificate Services Client – Auto-Enrollment and set Configuration Model to Enabled.
  4. Right-click Trusted Root Certification Authorities and choose Import…

  5. Import the RootCA.cer we just exported, using the default settings.

  6. Link this GPO to your domain so that domain-joined computers automatically receive a ConfigMgr Client Certificate.
  7. Log on to a domain-joined machine and run gpupdate /force so it applies the auto-enrollment policy we just created (or restart the computer).
  8. After the auto-enrollment GPO is applied, the computer's Personal store shows a certificate whose Certificate Template column reads ConfigMgr Client Certificate.
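Step 8 can be verified without the MMC, and it is worth checking both halves of the GPO separately: that the root CA is trusted by the machine, and that a certificate from the ConfigMgr Client Certificate template was issued. The script below is an added example, not from the original post. It assumes the template display name used in this post and a copy of RootCA.cer at C:\Temp\RootCA.cer (an assumption) on the client being checked.

```powershell
# Added example (not from the original post). Template display name and RootCA.cer path are assumptions.
$expectedTemplate = 'ConfigMgr Client Certificate'
$rootCerPath      = 'C:\Temp\RootCA.cer'

# Apply the policy and trigger autoenrollment now instead of waiting for the next refresh cycle.
gpupdate /force | Out-Null
certutil -pulse  | Out-Null

# 1. Is the root CA in the machine's Trusted Root store (the GPO import in step 5)?
$root    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerPath
$trusted = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
"Root CA '$($root.Subject)' trusted by this machine: $trusted"

# 2. Which template issued each certificate in LocalMachine\My? Version 2 templates record this in the
#    Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7), which formats as
#    "Template=<display name>(<template OID>), Major Version Number=..., Minor Version Number=...".
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if (-not $ext) { return $null }
    $text = $ext.Format($false)
    if ($text -match 'Template=([^(]+)\(') { return $Matches[1].Trim() }
    return $text   # name could not be resolved; return the raw extension text (contains the OID)
}

$clientCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-CertTemplateName $_) -eq $expectedTemplate })

if ($clientCerts.Count -eq 0) {
    Write-Warning "No certificate from template '$expectedTemplate' yet. Check that Domain Computers has Autoenroll on the template and that the GPO applied (gpresult /r)."
} else {
    $clientCerts | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Template   = Get-CertTemplateName $_
            ClientAuth = ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')   # Client Authentication EKU
            HasKey     = $_.HasPrivateKey
            NotAfter   = $_.NotAfter
        }
    }
}
```

A machine that trusts the root but never receives the client certificate usually has the GPO applied but lacks the Autoenroll permission on the template, or cannot reach the CA over RPC; a machine that gets the certificate but does not trust the root will still fail HTTPS to the management point, so both checks matter.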

When you have finished all these steps, you should have 8 certificates in total.

Next we will start Part 3 – setup cloud management gateway.


Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

Comments
  • Spotter
    Posted at 03:04 December 2, 2017

    Hi,

    Thanks for the informative blog. With the certificate creations, which server do we use? Does it matter? For example, the Azure certificates, do we generate that from the web server or any server is fine.

    I am looking at setting this up for a corporate customer. They have a strict security policy and not liking the idea of auto provisioning the Azure VM instance when creating the CMG. They want to set one up prior with the proper subnet etc, and security settings. My question is, after the creation of CMG on the console, can we point it to the Azure VM we want?

    Thanks.

    • Zeng Yinghua
      Posted at 12:16 December 5, 2017

      Hi, if you are making self-signed Azure Management Certificates, you can do that on any server. For your second question, I don't have an answer for that, I didn't test multiple VM instances. Based on this article ( https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-cloud-management-gateway ), the supported client number per CMG VM instance is 6k in the 1702 release, so if your customer doesn't have 6k internet clients, perhaps one VM instance is enough.

      • Spotter
        Posted at 01:08 December 6, 2017

        Thanks for your reply. Appreciate it.
