Utilising Cloud Management Gateway and Cloud DP – Part 3: Cloud DP

With the CMG set up via internal or external certs (see Parts 1 & 2),  we can now use cloud distribution points to get content to our external endpoints.

Three certificates are needed to set up the cloud DP, the client authentication certificate which we have already created in either part 1 or 2, an Azure management certificate  and a web server certificate for the cloud DP.  We can use the same technique for the cloud DP certificate creation as in the previous blogs but for completeness let’s run through that process again.

Creating the cloud DP management cert

The management certificate for the cloud DP service can be created in the same manner as in parts 1 and 2 of this series. However, for part 3 I thought I would show you another way that you can create a management certificate, this time using some PowerShell commands.

Type in the following command into an elevated PowerShell windows

$cert = New-SelfSignedCertificate -DnsName <yourdomain>.cloudapp.net -CertStoreLocation "cert:\LocalMachine\My"
$password = ConvertTo-SecureString -String "<your password>" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath ".\CloudDP-ManagementCert.pfx" -Password $password
Export-Certificate -Type CERT -Cert $cert -FilePath .\CloudDP-ManagementCert.cer

As you can see this quickly generates a pfx and cer management certificate.

2017-11-20 21_38_31-Administrator_ Windows PowerShell.jpg

Creating the cloud DP certificate

Fire up your certificate authority, drill down to Certificates, right click and choose Manage. Note that I am using an old 2008 DC, the process is the same for 2012 and above.

2017-11-18 22_58_44-certsrv - [Certification Authority (Local)_internal-DC-CA_Certificate Templates].jpg

Right click the Web Server template and select Duplicate Template.

2017-11-18 23_00_53-Certificate Templates Console.jpg

Select Windows Server 2003 Enterprise. Click OK.

2017-11-13 20_51_04-Duplicate Template.jpg

Enter a name for the template. I’ve called mine ‘SCCMCMG – Management Certificate’ as I am going to create another template for my Web Server cert.

2017-11-13 20_52_03-Properties of New Template.jpg

In the Request Handling tab choose Allow private key to be exported.

2017-11-13 20_52_09-Properties of New Template.jpg

Set security accordingly so that enrollment can take place, Read and Enroll permissions are required for this.

2017-11-18 23_09_55-Properties of New Template.jpg

With the template in place, we need to issue it so that we can enroll with it.

To do this right click the Certificate Templates folder in the Certificate Authority and choose New>Certificate Template to Issue.

2017-11-13 20_53_09-certsrv - [Certification Authority (Local)_internal-DC-CA_Certificate Templates].jpg

Choose the certificate template, in this instance the cloud DP template and click OK.

2017-11-13 20_53_43-Enable Certificate Templates.jpg

The certificate template will be available for enrollment.

2017-11-13 20_53_50-certsrv - [Certification Authority (Local)_internal-DC-CA_Certificate Templates].jpg

Next up, you need to request the certificates on a computer.

Load up MMC and choose File>Add/Remove Snap-in…

2017-11-18 23_35_02-Console1 - [Console Root].jpg

Select Certificates and then click Add>.

2017-11-18 23_36_56-Add or Remove Snap-ins.jpg

Choose Computer account and click Next.

2017-11-18 23_38_03-Certificates snap-in.jpg

Ensure Local computer is selected and click Finish.

2017-11-18 23_38_06-Select Computer.jpg

Note that Certificates (Local Computer) is in the Selected snap-ins pane. Click OK.

2017-11-18 23_38_14-Add or Remove Snap-ins.jpg

Navigate to the Personal store and right click, choose All Tasks>Request New Certificate.

2017-11-17 20_00_01-Console1 - [Console Root_Certificates (Local Computer)_Personal_Certificates].jpg

Click Next to begin the certificate enrollment.

2017-11-17 20_00_26-Certificate Enrollment.jpg

Go with the defaults here by clicking Next.

2017-11-17 20_00_30-Certificate Enrollment.jpg

Select the cloud DP template that was created earlier. Then click the More information link.

2017-11-13 20_54_35-Certificate Enrollment.jpg

In the Subject tab click the Type drop down and enter a common name for the cloud DP service. For my example, I have used sccmsolcloudp1.sccmsolutions.co.uk. Once done, click Add>.

2017-11-20 22_13_32-Certificate Properties.jpg

Click OK.

2017-11-20 22_15_49-Certificate Properties.jpg

Click the Enroll button to enroll the certificate.

2017-11-13 20_55_10-Certificate Enrollment.jpg

When the process is complete click Finish.

2017-11-13 20_55_20-Certificate Enrollment.jpg

The next step in the certificate process, is to export the certificate so we can import it in with or without a private key. We will use these exports to upload the certificate into Azure and to configure the cloud DP.

In the personal store, if you refresh you will see you the new cert. Right click the cloud dp certificate, you can check the Certificate Template column to ensure you have the correct one, select All Tasks>Export.

2017-11-20 22_16_43-Console1 - [Console Root_Certificates (Local Computer)_Personal_Certificates].jpg

Click Next on the export wizard.

2017-11-17 20_01_38-Certificate Export Wizard.jpg

Choose not to export the private key and click Next.

2017-11-17 20_01_45-Certificate Export Wizard.jpg

Export the DER encoded binary X.509 (.CER) format and click Next.

2017-11-17 20_01_48-Certificate Export Wizard.jpg

Save the certificate as the .cer file. Name it accordingly so you know which cert it is.

2017-11-13 20_57_01-Certificate Export Wizard.jpg

Click Finish to complete the process.

2017-11-13 20_57_07-Certificate Export Wizard.jpg

You will be notified that the export was successful.

2017-11-17 20_02_41-Certificate Export Wizard.jpg

The next step is to create an exported certificate with private keys.

As before, in the MMC>Personal>Certificates store, right click the cloud dp certificate and choose All Tasks>Export.

Click Next.

2017-11-17 20_03_46-Certificate Export Wizard.jpg

This time select Yes, export the private key. Click Next.

2017-11-17 20_04_26-Certificate Export Wizard.jpg

This time the .pfx format is selected. Go with the defaults and click Next.

2017-11-17 20_04_28-Certificate Export Wizard.jpg

Enter a strong password for the pfx file and click Next.

2017-11-17 20_04_38-Certificate Export Wizard.jpg

Save the certificate.

2017-11-13 20_56_31-Certificate Export Wizard.jpg

Click Finish to complete the export.

2017-11-20 17_35_25-Certificate Export Wizard.jpg

Set up Azure for cloud DPs

As with the CMG we need to upload a managment certificate into Azure for the cloud service.

In the Azure Portal , navigate to Subscriptions and then select your subscription.


Select Management Certificates from the list of options.


Click the Upload link.


Next we need to select a .cer file to upload. This will be the management certificate .cer file created earlier.


Click Upload.


Ensure the cert is uploaded successfully. Copy your Subscription ID as you will need this next.


Install the Cloud Distribution Point in ConfigMgr

In the ConfigMgr console navigate to \Administration\Overview\Cloud Services\Cloud Distribution Points. Right click and choose Create Cloud Distribution Point.

2017-11-13 20_31_37-System Center Configuration Manager (Connected to CMR - SCCM 2012 R12 - CMR Netw.jpg

Enter the Subscription ID noted from the Azure portal and click the Browse button.

2017-11-13 20_33_58-Create Cloud Distribution Point Wizard.jpg

Select the pfx export of the management certificate.

2017-11-20 21_58_48-Management Certificate.jpg

Enter the password for the .pfx and click OK.

2017-11-20 22_00_24-Password.jpg

Click Next.

2017-11-20 22_01_14-Create Cloud Distribution Point Wizard.jpg

The cloud service information provided will be validated.


Note that Azure will automatically generate a GUID for the service name. Make a note of this GUID as we will need this later in the set-up. Click the Browse button.

2017-11-20 22_05_08-Create Cloud Distribution Point Wizard.jpg

Choose the cloud DP certificate file.

2017-11-20 22_07_12-Service Certificate.jpg

Enter the password for the .pfx and click OK.

2017-11-20 22_00_24-Password.jpg

Note that the service FQDN is automatically populated. We’ll need to map this address to the <Service name GUID>.cloudapp.net address shortly. Click Next.

2017-11-20 22_18_28-Create Cloud Distribution Point Wizard.jpg

Set any threshold alert levels for the cloud DP at this stage and click Next.

2017-11-20 22_21_20-Create Cloud Distribution Point Wizard.jpg

Click Next.


Click Close to complete the set up wizard.


The cloud DP will be in a provisioning state. It can take a while to build the cloud DP

2017-11-20 22_22_57-System Center Configuration Manager (Connected to CMR - SCCM 2012 R12 - CMR Netw.jpg

The progress can be monitored in the CloudMgr.log file.

2017-11-20 22_24_10-Configuration Manager Trace Log Tool - [C__Program Files_Microsoft Configuration.jpg

When provisioning has completed the cloud DP will report as ready.

2017-11-20 22_41_56-System Center Configuration Manager (Connected to CMR - SCCM 2012 R12 - CMR Netw.jpg

Set up name resolution for the cloud DP

To resolve the cloud DP, you need to map the address of the service FDQN to the <service GUID>.cloudapp.net address.

So for my example, I need to create a CNAME record to cater for this.


Upload content to the cloud DP

At this stage, our cloud DP is ready, configured and raring to go. We can upload content to it in the same way as we do any on-prem DP.

2017-11-20 22_44_46-Add Distribution Points.jpg

2017-11-20 22_47_33-System Center Configuration Manager (Connected to CMR - SCCM 2012 R12 - CMR Netw.jpg

The finale – push software to a client connected via the CMG

So we’ve been building up to this point. We showed in parts 1 and 2 that we could connect clients to the SCCM environment via the CMG, which acts as a proxy to the internal MP and SUP. We need cloud DP since you cannot route internally to non-Internet facing DPs.

So as a test, I am going to publish a 7-Zip installation to the Internet connected client and install the software across the Internet

First up, I have confirmed that my client is still connected via the Internet – note the Domain joined client is in Internet in the ClientLocation.log


A quick check and nothing is assigned to the device for software deployment.


I then created an available deployment for 7-Zip targeted at my Internet based client and on the client ran a policy retrieval – all standard ConfigMgr tasks.

After policy had updated the Software Center showed 7-Zip as an available install.


After kick starting the 7-Zip install, a quick glance at the CAS.log shows the download taking place, and from my cloud DP, sccmsolcloudp1.sccmsolutions.co.uk.


and that the install succeeds.


There’s a lot to take in with the new Cloud Management Gateway and it’s integration with cloud DP and internal MP and SUP. I have show how to get the services up and running but there are plenty of planning considerations that need to be examined prior to doing these installations.

I recommend that you read the following before deploying these services.

Plan for the cloud management gateway in Configuration Manager at https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-cloud-management-gateway

Use a cloud-based distribution point with System Center Configuration Manager at https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/use-a-cloud-based-distribution-point



  1. Hi Paul – Completed all the steps and my lab CB1710 with CMG and CDP is fully functional.

    For people who are performing this at Home Lab – Please bear in mind the cost involved with CMG and CDP configuration. I looked at Azure and it is costing me around Canadian $ 3 per day. So plan accordingly.

    I would like to ask Paul – How to cut down the cost for Home Lab users? Can, I stop the VM or Disable the Service or is there any other method to reduce the cost?

    Thanks always for detailed notes.


  2. Dear Paul,

    These are probably the most comprehensive notes I have come across in setting up both the CMG and the CDP. Thank you for the time you put into this, especially getting one’s head around the certificates.

    I followed one setup elsewhere for creating the CMG, but it all got muddled up with the CDP that I had to find another source to fix that. Yours brings it all together, rather quite nicely.

    Yes, the cost is one linear upward graph and your tip of removing the CMG connector and Cloud DP would come in use. *Always read the comments.*



  3. Hi Paul,

    Thanks for this incredibly clear tutorial.
    So many certificates can quickly become an headache (it did for me…)

    I just have one issue with the PS script to generate the DP Management certificate.
    When importing the generated pfx, SCCM says that the password for the certificate is not correct.
    I tried different option with the “, without the “, with a complex password, with not complex, from CA server, from the primary server but still doesn’t accept it.
    I even just generated the certificate and export it manually, but no chance.
    Do you have an idea, where this could come from?



    1. Hi Paul,

      I have been spending days on the PS script issue, and just after writing the previous comment, I found the solution. Ahah…

      So actually, I was running the PS script as an admin, but SCCM was running with my own account. So the certificate was stored in the personnal store of the admin account, while SCCM was trying to import it from my own.

      Maybe you can update the PS script part to aware others from that to happen again.
      Thanks for you awesome posts, I hope see more soon.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s