I don’t explain what co-management is in this post, because you can read all about it in Microsoft’s documentation and videos. This series is not just about co-management; it also covers how to set up the cloud management gateway and the cloud distribution point, how to use PKI, and so on. The Microsoft ConfigMgr team has done a really great job of developing these features and making them better and easier to set up during the last year. If you are not using PKI, or not planning to use PKI in your ConfigMgr environment, stop here: this series is not for you. You can read another post from Jan Ketil Skanke instead: https://www.scconfigmgr.com/2019/01/08/how-to-setup-cloud-management-gateway-with-enhanced-http/

If you are using PKI, or plan to use PKI (which is still recommended), then these posts are for you.

For more details about co-management, see here:
https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview


Prerequisites

  • You will need ConfigMgr 1710 and Windows 10 1709 to support co-management. Setting up the co-management feature itself is very easy; however, we will need to build up the other necessary features to fully support its functionality.
  • Azure AD
  • You also need to set up an AD connector, but I won’t cover those details this time.
  • Azure AD automatic enrollment enabled. https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment
  • EMS or Intune license for all users
  • Intune standalone (MDM authority in Intune set to Intune)

In my test lab, I set up one primary site server (CM01.zit.local) and one site system server (CM02.zit.local).

  • CM01.zit.local (Primary Site):
    This server supports clients connecting from the internal network. Although SSL is not required for these clients, it is recommended. Roles:

    • Management Point (https)
    • Distribution Point (https)
    • Software Update Point (https)
  • CM02.zit.local (site system server):
    This server supports internet-based clients. Roles:

    • Cloud management gateway connection point
    • Management Point (https, use gateway)
    • Software Update Point (https, use gateway)

Co-Management Setup

There are two co-management scenarios, and their requirements differ:

  • Scenario 1: Use co-management for Azure AD joined machines
    In this scenario, you will need to set up these features in ConfigMgr:

    • Cloud Management service – Azure AD user discovery
    • Cloud Management Gateway
    • Cloud Distribution point (NOTE: this is no longer needed in CB1806 and later. With CB1806, a CMG can now also serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs. To enable this feature, enable the new option to Allow CMG to function as a cloud distribution point and serve content from Azure storage on the Settings tab of the CMG properties)
    • Enable the co-management feature
  • Scenario 2: Use co-management for domain joined machines
    In this scenario, you only need to enable the co-management feature.

In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts:

Setup – Roles & Certificates

Cloud Management Gateway (feature)

Devices on the internet communicate with ConfigMgr via the Cloud Management Gateway. The following certificates are required:

  1. Azure Management certificate
  2. Cloud management gateway certificate
  3. Root certificate

Cloud Distribution Point (feature)

  • NOTE: this is no longer needed in CB1806 and later. With CB1806, a CMG can now also serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs. To enable this feature, enable the new option to Allow CMG to function as a cloud distribution point and serve content from Azure storage on the Settings tab of the CMG properties.

A cloud-based distribution point is a ConfigMgr distribution point hosted in Microsoft Azure. Clients on the internet can download content from a cloud distribution point without needing a VPN connection back to the corporate network. The following certificates are required:

  1. Azure Management certificate
  2. Cloud Distribution Point certificate
  3. Client Authentication certificate for domain joined clients

Management Point (CM01.zit.local, https)

Certificates are not required, but recommended.

  1. Web server cert for server authentication
  2. Client Authentication certificate for domain joined clients

Distribution Point (CM01.zit.local, https)

Certificates are not required, but recommended.

  1. Web server cert for server authentication
  2. Client authentication certificate for domain joined clients
  3. Certificate for distribution point

Software Update Point (CM01.zit.local, https)

Certificates are not required, but recommended.

  1. Web server cert for server authentication
  2. Client authentication certificate for domain joined clients

Management Point (CM02.zit.local, https)

A certificate is required for HTTPS mode if you want to use Azure AD to authenticate instead of client certificates. If you are using client certificates instead of the Cloud Management Gateway, an HTTPS management point is optional, but recommended.

If you are using Azure AD to authenticate for on premises or internet clients, an HTTPS management point is required.

  1. Web server cert for server authentication
  2. Client authentication certificate for domain joined clients

Software Update Point (CM02.zit.local, https)

  1. Web server cert for server authentication
  2. Client authentication certificate for domain joined clients
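Before switching these roles to HTTPS, it is worth confirming that the site system actually holds the web server and client authentication certificates listed above. The following PowerShell check is an added example, not part of the original post: it inventories the local machine Personal store for certificates with the Server Authentication and Client Authentication EKUs and flags a missing private key, expiry, a self-signed issuer, or a web server certificate that does not name the server’s FQDN. The 30-day expiry warning threshold is an assumption.

```powershell
# Added example (not from the original post): verify that a ConfigMgr site
# system (e.g. CM01.zit.local or CM02.zit.local) holds the certificates its
# HTTPS roles need. Assumptions: run elevated on the site system itself,
# the certificates were issued by the internal PKI into Cert:\LocalMachine\My,
# and the 30-day warning threshold is an arbitrary choice.
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$warnDays = 30

# Enhanced Key Usage OIDs that the post's certificate lists refer to.
$required = [ordered]@{
    'Web server (Server Authentication)' = '1.3.6.1.5.5.7.3.1'
    'Client Authentication'              = '1.3.6.1.5.5.7.3.2'
}

$store = Get-ChildItem -Path Cert:\LocalMachine\My

foreach ($role in $required.GetEnumerator()) {
    # Only certificates whose EKU list contains the role's OID are candidates.
    $candidates = $store | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $role.Value
    }
    if (-not $candidates) {
        Write-Warning "$($role.Key): no certificate with EKU $($role.Value) in LocalMachine\My"
        continue
    }
    foreach ($cert in $candidates) {
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += 'expired' } elseif ($cert.NotAfter -lt (Get-Date).AddDays($warnDays)) { $problems += "expires $($cert.NotAfter.ToShortDateString())" }
        # The web server certificate must name the site system's FQDN,
        # otherwise clients reject the IIS HTTPS binding.
        if ($role.Value -eq '1.3.6.1.5.5.7.3.1' -and
            -not ($cert.DnsNameList.Unicode -contains $hostFqdn)) {
            $problems += "subject/SAN does not contain $hostFqdn"
        }
        # A self-signed certificate did not come from the PKI the post relies on.
        if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed' }

        $status = if ($problems) { 'WARN: ' + ($problems -join '; ') } else { 'OK' }
        '{0,-36} {1} {2}' -f $role.Key, $cert.Thumbprint, $status
    }
}
```

Run it once per site system; a clean run prints one OK line per required EKU, and any WARN line points at the certificate to reissue before enabling the HTTPS roles.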


Next in Part 2, we will create certificates for these roles.


comments
  • Ram Lan
    Posted at 16:59 December 16, 2017

    Hi – Excellent write-up on CMG and CDP. Followed all the steps and so far completed part 1 – part 5. Everything working as it should. Thanks for sharing your notes.

    Look forward to new topics in the future.

    Thanks

    Ram

    • Zeng Yinghua
      Posted at 17:08 December 16, 2017

      Hello Ram, thank you for reading. I am glad they are useful to you.

      Thanks, Sandy

  • Rkast
    Posted at 18:33 March 20, 2018

    Hi Zeng, I have a question I hope you can answer. If we have an on-prem AD joined Windows 10 device and have set up co-management, do we have to (1) configure “hybrid Azure Active Directory joined devices”, (2) configure the GPO “Enroll a Windows 10 device automatically using Group Policy”, or (3) does the ConfigMgr client do this and register the device?

    Secondly, when we have an on-prem AD joined Windows 10 device and have set up full co-management with the client management gateway and cloud distribution point, and the device is off the network for more than 30 days, does the computer account/password expire, or is this mitigated by the management gateway/internet facing?

    • Zeng Yinghua
      Posted at 14:43 March 26, 2018

      The ConfigMgr client will enroll the device to Intune. Co-management or ConfigMgr doesn’t function as a VPN, so it won’t help with the 30 days computer account password expiration.
