To set up SCCM (Configuration Manager) in Azure, you first need an Azure subscription. It holds the virtual machines, storage and Cloud Management Gateway resources that the Configuration Manager console will create on your behalf.
Azure offers many regions. Pick one close to the users and on-premises site systems that will talk to the CMG, and confirm it offers the VM sizes you plan to use; the examples on this page use West US.
A subscription is not created from the portal's "Create a resource" button. It is created from the Subscriptions blade (or the account and billing portal for your agreement type) and takes a few minutes. Once it exists, "Create a resource" is where you deploy individual resources such as VMs into it.
During sign-up you choose a billing model. Pay-As-You-Go is the usual choice for a lab; Reserved Instances (one- or three-year commitments) and Spot VMs (interruptible capacity at a discount) only pay off for long-running or interruptible workloads, and a site server or domain controller should not run on Spot capacity.
Setup and Configuration
To set up and configure SCCM in Azure, start with the Azure Services Wizard in the Configuration Manager console. It creates (or imports) the Azure AD app registrations that Configuration Manager uses to talk to Azure services, so you do not have to build them by hand in the portal.
Navigate to \Administration\Overview\Cloud Services\Azure Services and click Configure Azure Services in the ribbon. Choose the Azure service (for example Cloud Management), then enter a name and description.
On the next page select the Azure environment. AzurePublicCloud is the normal choice; the other environments are listed below. The environment only fixes which Azure endpoints (sign-in, management, DNS suffix) the wizard uses. The deployment method (Azure Resource Manager versus classic) is a separate choice made later, in the Cloud Management Gateway wizard.
For the web app (the server app), sign in with Azure AD admin credentials and the wizard creates the application in Azure Active Directory. You supply an application name, home page URL, app ID URI and the secret key validity period (1 or 2 years). Record the expiry date: the secret is a credential, and when it lapses Azure AD authentication through the CMG stops working until you renew it (Azure Services node, Renew Secret Key).
For the native client app, sign in again with Azure AD admin credentials; you supply an application name and reply URL.
Finally, on the Discovery page enable Azure AD User Discovery; the Settings button exposes the full and delta discovery schedules. Azure AD user discovery is required for the Azure AD authentication scenario in SCCM, because the site must already know an Azure AD user before it will accept a token issued for that user.
The Azure environments the wizard can target are:
- AzurePublicCloud: Azure Public Cloud (the default)
- AzureChinaCloud: Azure China Cloud (operated by 21Vianet)
- AzureGermanyCloud: Azure Germany Cloud (Microsoft Cloud Germany was closed in 2021, so this option is obsolete)
- AzureUSGovernment: Azure US Government Cloud
Only AzurePublicCloud and AzureUSGovernment are supported for the Cloud Management Gateway.
To set up a CMG (the cloud-hosted gateway that co-managed and other internet-based clients use to reach the site), first make sure all prerequisites and certificates are in place. Navigate to \Administration\Overview\Cloud Services\Cloud Management Gateway and click Create Cloud Management Gateway in the ribbon. On the Specify details of this cloud service page, select AzurePublicCloud as the Azure environment.
Next choose the deployment method. Azure Resource Manager (ARM) deployment signs in with Azure AD administrator credentials and reuses the server app created by the Azure Services wizard; the classic deployment instead takes a subscription ID and an uploaded management certificate. Classic is deprecated and should not be used for new gateways.
On the settings page, provide the subscription, the server authentication certificate (PFX), the region, resource group and number of VM instances, then finish the wizard. CloudMgr.log on the site server records the deployment, and the resources appear in the Azure portal under the resource group you chose.
To configure the Cloud Management Azure service itself, go to \Administration\Overview\Cloud Services\Azure Services and select Configure Azure Services; this is the step in which the Azure administrator creates the web app and native client app.
Requirements
To set up the Cloud Management Gateway with SCCM you need an Azure subscription to host the CMG and an account with sufficient rights in it.
The official documentation is vague about which administrator level is needed. In practice two things must be true: the account the wizard signs in with must be able to create Azure AD app registrations (a Global Administrator, or an Azure AD admin creates the apps beforehand and you import them in the Azure Services wizard), and it must be able to create resources in the target subscription or resource group (Owner or Contributor). Use a dedicated account for this rather than a shared tenant admin.
SCCM Current Branch 1806 or later is required for the configuration shown in this guide. You also need an on-premises server to host the cloud management gateway connection point, the role that opens the outbound connection to the CMG.
To summarize, here are the requirements:
- Azure subscription, with an account that can create Azure AD apps and Azure resources in it
- SCCM Current Branch 1806 or later
- On-prem server to host the cloud management gateway connection point
- SCCM service connection point set to Online (the CMG is deployed and monitored through it)
Prerequisites
To set up a Configuration Manager lab in Azure with the quickstart template, you need an active subscription that can create the following virtual machines. You pay for the instances while they run, plus storage and the Windows Server and SQL Server licenses.
- Domain controller: one Standard_B2s (2 vCPUs, 4 GB)
- Management point and distribution point combined on one server (DPMP01): one Standard_B2s
- Primary site server with SQL Server on the same box (PS01): one Standard_B2ms
- Central administration site, only if you choose a hierarchy: one more Standard_B2ms
- Client devices: zero to three additional VMs, your choice
A Standard_LRS storage account is also required. To estimate the cost before deploying, put those sizes and the hours you expect the lab to run into the Azure pricing calculator.
Configuration Options
To create the Cloud Management Gateway in the console:
- Go to \Administration\Overview\Cloud Services\Cloud Management Gateway and select Create Cloud Management Gateway.
- Sign in with an account that has Azure administrator rights. The Azure AD App name is filled in from the server app you created in the Azure Services wizard, so just click Next.
- Upload the server authentication certificate (PFX). The Service name is derived from the certificate's CN; if you used a wildcard certificate the field shows an asterisk, and you must replace it with the globally unique deployment name prefix for your CMG (for example cmgscd for cmgscd.cloudapp.net). Azure rejects the deployment if the name is already taken.
- Pick the region, resource group and number of VM instances, then finish the wizard.
The Cloud Management Gateway shows as Provisioning for about 10 minutes after you create it.
You can also view the cloud management gateway resources (cloud service, storage account, VMs) in the Azure portal.
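Once provisioning has finished, the check below (added here as an example; it is not from the source page) confirms from any internet-connected machine that the CMG name resolves, that TCP 443 answers, and that the certificate the gateway presents carries the name you put in the CN and chains to a trusted root. The name cmgscd.cloudapp.net is a placeholder; for a CMG behind a wildcard certificate pass the full name (for example cmgscd.scd.com) and the wildcard match handles *.scd.com.

```powershell
# Added example, not from the source page. Works from any machine with outbound 443.
# Placeholder: $cmgFqdn. Uses only .NET and the DnsClient module that ship with Windows.

$cmgFqdn = 'cmgscd.cloudapp.net'

function Test-DnsNameMatch {
    # True if $Name equals $Pattern, or $Pattern is a single-label wildcard (*.example.com)
    # covering exactly one label of $Name, which is how TLS clients interpret wildcards.
    param([string]$Pattern, [string]$Name)
    if ($Pattern -ieq $Name) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                       # ".scd.com"
        return $Name.EndsWith($suffix, 'OrdinalIgnoreCase') -and
               ($Name.Substring(0, $Name.Length - $suffix.Length) -notmatch '\.')
    }
    return $false
}

function Test-CmgEndpoint {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)
    $result = [ordered]@{ Fqdn = $Fqdn; Resolves = $false; TcpOpen = $false; NameMatches = $false
                          ChainValid = $false; Subject = $null; NotAfter = $null; Error = $null }

    if (-not (Resolve-DnsName $Fqdn -Type A -ErrorAction SilentlyContinue)) {
        $result.Error = 'name does not resolve (CMG still provisioning, or wrong service name)'
        return [pscustomobject]$result
    }
    $result.Resolves = $true

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Fqdn, $Port)
        $result.TcpOpen = $true
        # Accept any certificate in the callback so we can examine it ourselves below.
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Prefer the SAN DNS names; fall back to the CN for certificates without a SAN.
        $names = @($cert.DnsNameList | ForEach-Object Unicode)
        if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false)) }
        $result.Subject     = $cert.Subject
        $result.NotAfter    = $cert.NotAfter
        $result.NameMatches = [bool]($names | Where-Object { Test-DnsNameMatch -Pattern $_ -Name $Fqdn })

        # Build the chain with revocation checking, as a client would.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $result.ChainValid = $chain.Build($cert)
        if (-not $result.ChainValid) {
            $result.Error = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $tcp.Dispose()
    }
    return [pscustomobject]$result
}

$r = Test-CmgEndpoint -Fqdn $cmgFqdn
$r | Format-List
if ($r.Resolves -and $r.TcpOpen -and $r.NameMatches -and $r.ChainValid) {
    Write-Host "CMG $cmgFqdn is reachable and presents a valid certificate."
} else {
    Write-Warning "CMG check failed: $($r.Error)"
}
```

A failed NameMatches with a valid chain usually means the service name typed in the wizard does not match the certificate's CN or SAN; a failed ChainValid on an enterprise-CA certificate means the machine you are testing from (and therefore your internet clients) does not trust your root CA. On the site side, CloudMgr.log (site server) and SMS_Cloud_ProxyConnector.log (connection point) show whether the connection point has connected to the gateway.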
Certificate Management
Certificate management is a crucial aspect of a CMG deployment, so it is worth understanding exactly which certificates are needed and why.
The CMG needs a server authentication certificate. Clients and the CMG connection point use it to authenticate the gateway and to protect the TLS session to it, so it must chain to a CA that every managed device trusts. You have two choices: a certificate from a public trusted provider, or one from your enterprise CA (in which case internet-based clients must already carry your root CA in their trusted store).
The CMG server authentication certificate supports wildcards, which can be convenient with some certificate authorities because one certificate covers several gateways.
To request a custom web server certificate on the primary site server, run MMC, add the Certificates snap-in for the computer account, and request a new certificate from the custom template (named SCD SCCM Cloud Management Gateway in this guide's examples).
The CN must be exactly the name the CMG service will have in Azure. A valid example is CMGSCD.cloudapp.net; CMG-SCD.cloudApp.Net is invalid, because the name does not match a usable service name (keep the prefix to letters and digits and keep the case consistent everywhere you type it).
A client authentication certificate is required on every computer that will be managed via the Cloud Management Gateway (unless those clients authenticate with Azure AD tokens instead), because it is how the CMG and the management point identify a client on the internet. It is also required on the server that hosts the cloud management gateway connection point, which uses it to authenticate to the CMG.
Here are the steps to create a client authentication certificate template on an enterprise CA (the template is then auto-enrolled to domain members):
- RDP to the issuing (intermediate) certification authority
- Open the Certification Authority console, right-click Certificate Templates and click Manage
- Right-click Workstation Authentication and click Duplicate Template
- Set the Validity Period. This guide uses 5 years; a shorter period such as 1 to 2 years limits how long a certificate extracted from a lost or compromised device stays usable, and autoenrollment renews it anyway
- Click the Security tab, select the Domain Computers group and add the Read and Autoenroll permissions; do not clear Enroll. Then click OK
- Back in the Certification Authority console, publish the template with New / Certificate Template to Issue. If you can, scope it: only the CMG connection point server and the devices you intend to manage over the internet need this certificate, so a dedicated group is tighter than Domain Computers
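The following script, added here as an example (it is not from the source page), checks on a managed client or on the CMG connection point server that a certificate from the duplicated Workstation Authentication template has actually been auto-enrolled and is usable, and triggers autoenrollment if it is missing. The template display name SCD SCCM Client Authentication is an assumption; substitute the name you gave your duplicate.

```powershell
# Added example, not from the source page. Run elevated on the CMG connection point server
# or on a managed client. Assumed placeholder: $templateName (your duplicated template's
# display name). The OIDs are standard: 1.3.6.1.5.5.7.3.2 = Client Authentication EKU,
# 1.3.6.1.4.1.311.21.7 = Microsoft certificate template extension (v2+ templates).

$templateName  = 'SCD SCCM Client Authentication'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$templateOid   = '1.3.6.1.4.1.311.21.7'

function Get-TemplateName {
    # Returns the template display name recorded in the certificate, or $null for
    # certificates not issued from an AD CS v2+ template.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if (-not $ext) { return $null }
    # Format() yields e.g. "Template=SCD SCCM Client Authentication(1.3.6.1.4.1.311.21.8....), Major Version Number=100, ..."
    if ($ext.Format($false) -match 'Template=([^(]+)') { return $Matches[1].Trim() }
    return $null
}

function Get-ClientAuthCertificate {
    # Newest unexpired certificate with a private key, the Client Authentication EKU,
    # and issued from our template.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.EnhancedKeyUsageList | ForEach-Object ObjectId) -contains $clientAuthOid) -and
        ((Get-TemplateName $_) -eq $templateName)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-ClientAuthCertificate {
    # Returns $true when a chain-valid client authentication certificate from the template is present.
    $cert = Get-ClientAuthCertificate
    if (-not $cert) {
        Write-Warning "No certificate from template '$templateName' in LocalMachine\My"
        return $false
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain problem: {0}" -f $_.StatusInformation.Trim()) }
        return $false
    }
    if ($cert.NotAfter -gt (Get-Date).AddYears(2)) {
        Write-Warning ("Certificate is valid until {0}; consider a shorter template validity" -f $cert.NotAfter)
    }
    Write-Host ("OK: {0} thumbprint {1} expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    return $true
}

if (-not (Test-ClientAuthCertificate)) {
    # Run machine autoenrollment now instead of waiting for the next policy refresh, then re-check.
    & certutil.exe -pulse | Out-Null
    Start-Sleep -Seconds 15
    if (-not (Test-ClientAuthCertificate)) {
        Write-Error 'Still no usable client authentication certificate. Check the template permissions (Read, Enroll, Autoenroll) and the autoenrollment group policy.'
    }
}
```

If the certificate is present but the chain does not build, fix trust (root and intermediate CA publication) before touching the CMG: the connection point authenticates to the CMG with exactly this certificate, and a chain error here shows up later as a connection point that never connects.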
Server Certificate Requirements
A server certificate is required for the Cloud Management Gateway. The process has a few moving parts, so here it is broken down.
You have two options for obtaining it: a public trusted provider or an enterprise CA.
The certificate is presented by the CMG to the site's connection point and to clients, and it supports wildcards. For example, a certificate from a public provider might carry a wildcard for the service name prefix, such as *.scd.com; the CMG wizard then asks you for the prefix to put in front of it.
When you request the certificate through MMC, the Request Certificates page shows "More information is required to enroll for this certificate. Click here to configure settings". Click it and, on the Subject tab, add a Common name equal to the CMG's full DNS name. The prompt appears because the template lets the subject be supplied in the request.
Here are the specific certificate requirements for the Cloud Management Gateway:
- Server authentication certificate, issued from a duplicate of the Web Server template: a custom web server certificate whose CN is the CMG (or cloud distribution point) name
- The service connection point must be in online mode
As above, a valid CN is CMGSCD.cloudapp.net, and CMG-SCD.cloudApp.Net is invalid. Make the request on the SCCM site server from MMC with the Certificates snap-in, choosing the custom template (SCD SCCM Cloud Management Gateway in this guide). After enrollment, export the certificate with its private key as a PFX; that file is what the CMG wizard consumes, so protect it like any other private key.
Create Custom Web Server Certificate Template
To create a custom web server certificate template:
- In the Certificate Templates console, right-click the Web Server template and select Duplicate Template.
- On the Compatibility tab, make sure Certification Authority is set to Windows Server 2003 (shown as Windows 2003 Server, Enterprise Edition in some consoles). This is the level the guide specifies; it produces a version 2 template.
- On the General tab enter a template name, such as SCD SCCM Cloud Management Gateway. You may adjust the validity period, but a longer period means a compromised CMG private key stays usable for longer, and you have to upload a new PFX to the CMG at renewal time anyway.
- On the Request Handling tab, allow the private key to be exported; the CMG wizard needs a PFX.
- On the Subject Name tab, leave Supply in the request selected (inherited from Web Server) so you can set the CMG name as CN. Because the subject is caller-supplied, restrict Enroll on the Security tab to the site server's computer account or a small admin group rather than a broad group; otherwise anyone with Enroll can obtain a server certificate for any name your CA is trusted for.
- Click OK and close the Certificate Templates console.
- In the Certification Authority console, right-click Certificate Templates and select New / Certificate Template to Issue; select SCD SCCM Cloud Management Gateway and click OK.
- Then, on the site server, open MMC, add the Certificates snap-in for the Computer account, and request the certificate from the new template.
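As an added example (not part of the source page), here is the same request done with certreq and an INF file instead of the MMC wizard, followed by the PFX export the CMG wizard needs and a check that the name is not already taken. The service name prefix, the CA config string and the template's internal name (SCDSCCMCloudManagementGateway, the display name with spaces removed, which is the default when you duplicate a template) are assumptions to replace with your own values.

```powershell
# Added example, not from the source page. Run elevated on the SCCM site server.
# Assumed placeholders: $serviceName, $caConfig, $template, $pfxPath. The INF keys are
# standard certreq syntax; Exportable=TRUE matters because the CMG wizard needs a PFX with the key.

$serviceName = 'cmgscd'                           # globally unique prefix: lowercase letters/digits
$cmgFqdn     = "$serviceName.cloudapp.net"        # must equal the CMG service name you will create
$caConfig    = 'ca01.scd.com\SCD Issuing CA'      # assumed; find yours with: certutil -config - -ping
$template    = 'SCDSCCMCloudManagementGateway'    # template *name* (no spaces), not the display name
$pfxPath     = "C:\Certs\$serviceName.pfx"

function Assert-Exit {
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

# 1. cloudapp.net names are global: stop early if this one already belongs to someone.
if (Resolve-DnsName $cmgFqdn -ErrorAction SilentlyContinue) {
    throw "$cmgFqdn already resolves; choose a different service name prefix."
}

# 2. Build the PKCS#10 request. The subject is supplied in the request, which is why the
#    template's Enroll permission should be limited to this server or a small admin group.
$work = Join-Path $env:TEMP "cmgcert-$serviceName"
New-Item -ItemType Directory -Path $work -Force | Out-Null
@"
[NewRequest]
Subject = "CN=$cmgFqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path "$work\cmg.inf" -Encoding ASCII

& certreq.exe -new "$work\cmg.inf" "$work\cmg.req"
Assert-Exit 'certreq -new'
& certreq.exe -submit -config $caConfig "$work\cmg.req" "$work\cmg.cer"
Assert-Exit 'certreq -submit'
& certreq.exe -accept "$work\cmg.cer"      # binds the issued cert to the key in LocalMachine\My
Assert-Exit 'certreq -accept'

# 3. Locate the issued certificate and sanity-check it before exporting.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$cmgFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate for $cmgFqdn not found in LocalMachine\My" }
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
if (($cert.EnhancedKeyUsageList | ForEach-Object ObjectId) -notcontains $serverAuthOid) {
    throw 'Certificate lacks the Server Authentication EKU; check the template.'
}

# 4. Export with the private key and the issuing chain; the CMG wizard imports this PFX.
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
Write-Host "Exported $($cert.Thumbprint) for $cmgFqdn to $pfxPath (valid until $($cert.NotAfter))"
```

If the template requires CA certificate manager approval, certreq -submit returns a pending request ID and the -accept step fails; approve the request on the CA and run certreq -retrieve with that ID, then -accept. For a wildcard certificate from a public provider the CN would be *.scd.com and the request goes to that provider instead of the internal CA; the export step is the same.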
Deployment and Verification
The deployment in Azure takes a while, so allow time for it to complete. It is automated: after the template has created the VMs, the configuration scripts install and configure the site, and the servers reboot several times while settings are applied.
Progress is recorded in PS01.json on the primary site server, which lists each component with its status. Early on it shows the step in progress (for example InstallSCCM) and "not started" for the rest.
After roughly 1 hour 30 minutes, PS01.json should show success for every component. The components typically listed are:
- InstallMP
- InstallDP
- InstallClient
- UpdateSCCM
- InstallSCCM
When all steps report completed, the deployment is done and you can sign in to the site server and open the console.
Deploy Template
Deploying the template in Azure is the step that actually builds the lab. Open Microsoft's "Install Configuration Manager Current Branch in Azure" quickstart page and click Deploy on Azure.
The same template is in the Azure quickstart templates repository on GitHub, so you can review what it creates before you deploy it. Sign in to the Azure portal with your credentials to launch the template.
You'll then be prompted to fill out the Project details. Here's what you need to know:
- Select the subscription you have.
- Create a new Resource Group for better organization.
- Specify the region closest to you.
- Choose a prefix for the machine hostname.
- Specify the number of clients (workstations) to be created.
- Select the configuration type (Standalone or Hierarchy).
- Choose the VM size (Standard_B2s is recommended).
- Provide the admin username (avoid using Administrator or Admin).
- Enter the admin password.
Be aware of the following:
- Invalid admin usernames will result in an error message.
- VM size limitations may apply based on your region and subscription.
If you run into VM size limitations, verify with PowerShell which sizes are offered in your region and how much vCPU quota the subscription has left there, then change the size or region, or request a quota increase, before redeploying.
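As an added example (not from the source page or the template's repository), the script below does that pre-flight check and then deploys the template. It needs the Az module and a signed-in session (Connect-AzAccount). The template URL, resource group name and parameter file are placeholders; it reads the parameter names from the template's own azuredeploy.json rather than assuming them, and the B-series quota family name standardBSFamily is the one Azure reports for Standard_B* sizes.

```powershell
# Added example, not from the source page. Requires: Install-Module Az; Connect-AzAccount.
# Placeholders: $templateUri, $paramFile, $rgName. Adjust $needed for a hierarchy (+1 B2ms)
# or for more clients (+1 B2s each).

$location    = 'westus'
$rgName      = 'rg-cmlab'
$templateUri = '<URL of azuredeploy.json for the Configuration Manager quickstart template>'
$paramFile   = '.\cmlab.parameters.json'        # your filled-in copy of the template's parameters file
$needed      = @{ 'Standard_B2s' = 3; 'Standard_B2ms' = 1 }   # DC + DPMP01 + 1 client, PS01

function Test-VmCapacity {
    # Returns $true when every size in $Needed is offered in $Location and both the regional
    # and the B-series vCPU quotas can absorb the requested VMs.
    param([string]$Location, [hashtable]$Needed)
    $ok    = $true
    $sizes = Get-AzVMSize -Location $Location
    $usage = Get-AzVMUsage -Location $Location
    $cores = 0
    foreach ($size in $Needed.Keys) {
        $s = $sizes | Where-Object Name -eq $size
        if (-not $s) { Write-Warning "$size is not offered in $Location"; $ok = $false; continue }
        $cores += $s.NumberOfCores * $Needed[$size]
    }
    # 'cores' = Total Regional vCPUs; 'standardBSFamily' = B-series family quota (assumed name).
    foreach ($quota in 'cores', 'standardBSFamily') {
        $u = $usage | Where-Object { $_.Name.Value -eq $quota }
        if (-not $u) { Write-Warning "quota '$quota' not reported in $Location"; continue }
        Write-Host ("{0}: {1}/{2} vCPU in use, need {3} more" -f $quota, $u.CurrentValue, $u.Limit, $cores)
        if (($u.Limit - $u.CurrentValue) -lt $cores) {
            Write-Warning "insufficient '$quota' quota in $Location; request an increase or pick another region"
            $ok = $false
        }
    }
    return $ok
}

if (-not (Test-VmCapacity -Location $location -Needed $needed)) { throw 'Capacity check failed' }

# Discover the template's real parameter names instead of guessing them.
$templateJson = Invoke-RestMethod -Uri $templateUri
$paramNames   = $templateJson.parameters.PSObject.Properties.Name
Write-Host "Template parameters: $($paramNames -join ', ')"

# Reject reserved admin names before Azure does (the page warns about Administrator/Admin).
$params     = (Get-Content $paramFile -Raw | ConvertFrom-Json).parameters
$adminParam = $paramNames | Where-Object { $_ -match 'adminUser' } | Select-Object -First 1
if ($adminParam -and ($params.$adminParam.value -in @('administrator', 'admin', 'root', 'guest'))) {
    throw "Admin username '$($params.$adminParam.value)' is reserved; choose another."
}

New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# Validate first: catches bad parameter names or values without creating anything.
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateUri $templateUri -TemplateParameterFile $paramFile
if ($problems) { $problems | ForEach-Object { Write-Warning $_.Message }; throw 'Template validation failed' }

New-AzResourceGroupDeployment -Name 'cmlab' -ResourceGroupName $rgName -TemplateUri $templateUri `
    -TemplateParameterFile $paramFile -Mode Incremental
```

Keep the admin password out of the parameter file if the file is going into source control; New-AzResourceGroupDeployment accepts secure-string parameters by name on the command line, or you can reference a Key Vault secret from the parameter file.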
DPMP01
DPMP01 is the server that hosts the distribution point and management point roles in the lab.
The template gives DPMP01 a Standard_B2s size (2 vCPUs, 4 GB of memory). That is enough for a lab holding both roles, not a sizing guide for production.
It runs Windows Server 2019 Datacenter.
Its two roles divide the work as follows: the distribution point stores and serves content (packages, applications, boot and OS images) to clients, while the management point hands policy to clients and receives their inventory, status and state messages. In the CMG scenario the gateway forwards client traffic to the management point, so this is the role that must accept the CMG-originated HTTPS connections.
Frequently Asked Questions
What is the difference between SCCM and Azure Update Manager?
SCCM manages Windows updates (and, via third-party update catalogs, some other software updates) on the Windows clients and servers it manages. Azure Update Manager is an Azure service that assesses and installs OS updates on both Windows and Linux machines, including Arc-enabled servers outside Azure, without a Configuration Manager client.
Sources
- https://www.anoopcnair.com/sccm-cmg-guide-step-step-azure-cloud-services/
- https://www.manishbangia.com/how-to-create-configuration-manager-lab-in-azure/
- https://www.systemcenterdudes.com/setup-and-configure-sccm-cloud-management-gateway-1806/
- https://www.ronnipedersen.com/2018/03/27/sccm-1802-migrating-cmg-from-classic-to-azure-resource-manager/
- https://learn.microsoft.com/en-us/mem/configmgr/core/get-started/azure-template