UPDATE: This is no longer needed if you are using CB1806 and up. With CB1806, a CMG can now also serve content to clients. This functionality reduces the required certificates and cost of Azure VMs. To enable this feature, enable the new option to Allow CMG to function as a cloud distribution point and serve content from Azure storage on the Settings tab of the CMG properties.


In order to walk you through the entire process of setting up the co-management feature, I am going to break this down into a number of parts;

A cloud-based distribution point is a ConfigMgr distribution point that is hosted in Microsoft Azure. The cloud distribution point will allow clients to download content from the internet public interface of the CDP when client in not in the corporate network.

Setup Cloud Distribution Point is not prerequisite for Co-Management, but if you want to deploy ConfigMgr client to AAD Devices from Intune and use ConfigMgr functionality for AAD devices, you will need setup Cloud Distribution Point.

This post is for Scenario 1: Use Co-Management for Azure AD joined machines

IMPORTANT: before you continue this, please sure you have created all the certificates what is needed in part 2

  1. Right-click Cloud Distribution Points, click Create Cloud Distribution Point

  2. Azure environment: AzurePublicCloud
    Subscription ID: Your Azure subscription ID
    Management certificate: Choose AzureManaement.pfx that we created on part 2

  3. Click on Next
    Region: The Azure region where the cloud service will be hosted
    Certificate file: Choose CloudDP001.pfx that we exported on part 2
    You will see Service FQDN is automatic generated, write down the cloud service name.

  4. Continue the wizard to complete installation.
  5. Go to your public DNS provider website, and add CNAME of your cloud distribution point map to that service name. My example:
    CNAME is clouddp001.smsboot.com, and the service name is ae510985b7d6461d9a4a057d.cloudapp.net

  6. To view the status, open CloudMgr.log or from Admin console. It took about 20 minutes to finish installation in my test
  7. Once the Cloud Distribution Point is ready, a status message ID 9409 is sent for the SMS_CLOUD_SERVICES_MANAGER component


  8. Admin console should shows cloud distribution point status is Ready.
  9. Distribute an Application to Cloud distribution point, monitor distmgr.log, I see my package is distributed .

Configure client settings to allow cloud services.

If you have not setup client settings yet, follow steps from part 4

Verify client can download content from cloud distribution point

  1. On your test device (device must be added to Pilot Co-Management collection), run a refresh of both the machine and user policies
  2. After the policies are applied, connect the device to an internet connection
  3. Check if client can communicate with cloud management gateway. See part 4
  4. Install an application from Software Center, check status from DataTransferService.log, You should see contents are downloaded from cloud distribution point

We will continue to Part 6 (Configure Co-management feature)


  • Marcel
    Posted at 16:35 April 17, 2018

    Just wondering, in Part 2, for the cloud DP certificates, you used ConfigMgrCDP001.cloudapp.net as common and alternative DNS name, in the CloudDP Wizard, the Service FQDN in your screenshot resolved to CloudDP001.smsboot.com, is this a blog inconsistency? as the CloudDP certificate i exported resolved the service FQDN to xxxxxx.cloudapp.net as said in part 2?

  • Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.