Client Installation over Internet
System Center Configuration Manager 1706 simplified the capability to install (bootstrap) the client over the internet. This blog post walks through two scenarios -
- AAD joined device – Modern management of Windows 10 devices leveraging Azure.
- Workgroup device – Servers on DMZ without corporate network access
Prerequisites
The table below lists the requirements for each scenario -
| Scenario | Client PKI | Cloud DP | CMG | HTTPS MP | Sync AAD Users | Azure Web/Client Apps | Intune |
|---|---|---|---|---|---|---|---|
| AAD Joined Device | No | Yes | Yes | Yes | Yes | Yes | Yes (Optional) |
| Workgroup Device | Yes | Yes | Yes | No | No | No | No |
Client PKI -
For AAD Joined devices you don't need one, as ConfigMgr leverages Azure authentication.
For Workgroup devices, you need a PKI certificate from an internal CA or a public CA.
Cloud DP –
Required for both the scenarios to provide content.
Instructions to setup a Cloud DP - https://social.technet.microsoft.com/wiki/contents/articles/37914.cloud-distribution-point-part-1.aspx
Additional Reference -
/en-us/sccm/core/plan-design/hierarchy/use-a-cloud-based-distribution-point
/en-us/sccm/core/servers/deploy/configure/install-cloud-based-distribution-points-in-microsoft-azure
CMG –
Required for both the scenarios.
Instructions to setup a CMG - https://blogs.technet.microsoft.com/arnabm/2016/12/19/step-by-step-cloud-management-gateway/
Additional Reference -
/en-us/sccm/core/clients/manage/setup-cloud-management-gateway
HTTPS MP –
Required only for AAD Joined Devices, which use it to authenticate in the absence of a PKI certificate.
It's optional for Workgroup Devices but recommended.
Sync AAD Users & Azure Web/Client Apps
Required only for AAD Joined Devices.
Instructions to create Azure Web & Client Apps and sync AAD Users - https://blogs.technet.microsoft.com/arnabm/2017/06/10/modern-management-of-internet-clients/
Intune –
When Intune pushes the ConfigMgr agent (CCMSetup.MSI) to AAD Joined devices, the source files are downloaded from the CMG. Refer to the blog post above for instructions on deploying applications via Intune.
If you don't have Intune, leverage an alternate tool to push CCMSetup.exe/msi [refer to the command lines below].
Command Line –

```powershell
# AAD Command Line
ccmsetup.exe /nocrlcheck /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 SMSMP=https://remote1.contoso.net SMSSiteCode=CS1 AADTENANTID=256ed977-4388-a224-3d441dfb0def AADTENANTNAME=Contoso AADCLIENTAPPID=45b4c32c-89f9-4770-8a8b-a37d34fd2632 AADRESOURCEURI=https://contoso.onmicrosoft.com/d098acfa-8874-4ef6-a610-07440fb52c7c

# AAD Command Line for Intune [uses CCMSetup.MSI; below are the parameters for the MSI]
CCMSETUPCMD="/nocrlcheck /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 SMSMP=https://remote1.contoso.net SMSSiteCode=CS1 AADTENANTID=256ed977-4388-a224-3d441dfb0def AADTENANTNAME=Contoso AADCLIENTAPPID=45b4c32c-89f9-4770-8a8b-a37d34fd2632 AADRESOURCEURI=https://contoso.onmicrosoft.com/d098acfa-8874-4ef6-a610-07440fb52c7c"

# Workgroup Command Line
ccmsetup.exe /nocrlcheck /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 SMSSiteCode=CS1 /UsePKICert CCMALWAYSINF=1
```
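As an added example that is not part of the original post, the following PowerShell script runs the pre-flight checks each scenario depends on (CMG reachability, Azure AD join state, or a client-authentication certificate in the machine store) and then assembles and launches the ccmsetup command line from the switches shown above. The host names, site code and GUIDs are the post's placeholders, and the script assumes ccmsetup.exe sits in its own folder.

```powershell
# Added example, not from the original post: pre-flight checks plus ccmsetup
# command-line assembly for the AAD-joined and Workgroup scenarios. Host names,
# site code and GUIDs are the placeholders from the post's command lines;
# ccmsetup.exe is assumed to sit in the same folder as this script. Run elevated.
param(
    [ValidateSet('AAD', 'Workgroup')][string]$Scenario = 'AAD',
    [string]$CmgHost     = 'CONTOSO.CLOUDAPP.NET',
    [string]$CmgPath     = 'CCM_Proxy_MutualAuth/72057594037937951',
    [string]$SiteCode    = 'CS1',
    [string]$HttpsMp     = 'https://remote1.contoso.net',
    [string]$TenantId    = '256ed977-4388-a224-3d441dfb0def',
    [string]$TenantName  = 'Contoso',
    [string]$ClientAppId = '45b4c32c-89f9-4770-8a8b-a37d34fd2632',
    [string]$ResourceUri = 'https://contoso.onmicrosoft.com/d098acfa-8874-4ef6-a610-07440fb52c7c',
    # The post's command lines pass /nocrlcheck, which disables revocation checking of the
    # CMG/MP certificate; leave this off unless the client really cannot reach the CRL.
    [switch]$SkipCrlCheck
)

# 1. The CMG is the only ConfigMgr endpoint an internet client needs to reach: TCP 443.
if (-not (Test-NetConnection -ComputerName $CmgHost -Port 443 -InformationLevel Quiet)) {
    throw "CMG $CmgHost is not reachable on TCP 443"
}

# 2. Arguments common to both scenarios: the CMG mutual-auth proxy path as MP and host name.
$ccmArgs = @("/mp:https://$CmgHost/$CmgPath", "CCMHOSTNAME=$CmgHost/$CmgPath", "SMSSiteCode=$SiteCode")
if ($SkipCrlCheck) { $ccmArgs = @('/nocrlcheck') + $ccmArgs }

if ($Scenario -eq 'AAD') {
    # 3a. AAD-joined: identity comes from Azure AD, so no client PKI certificate is needed,
    #     but the device must actually be joined (dsregcmd reports "AzureAdJoined : YES").
    if (-not ((dsregcmd /status) -match '^\s*AzureAdJoined\s*:\s*YES')) {
        throw 'Device is not Azure AD joined; the AAD scenario cannot authenticate to the CMG'
    }
    $ccmArgs += "SMSMP=$HttpsMp", "AADTENANTID=$TenantId", "AADTENANTNAME=$TenantName",
                "AADCLIENTAPPID=$ClientAppId", "AADRESOURCEURI=$ResourceUri"
} else {
    # 3b. Workgroup: /UsePKICert makes ccmsetup pick a client-authentication certificate
    #     (EKU 1.3.6.1.5.5.7.3.2) from the machine store, so fail early if none is present.
    $clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    }
    if (-not $clientCert) { throw 'No client-authentication certificate with a private key in LocalMachine\My' }
    $ccmArgs += '/UsePKICert', 'CCMALWAYSINF=1'
}

Write-Host "ccmsetup.exe $($ccmArgs -join ' ')"
Start-Process -FilePath (Join-Path $PSScriptRoot 'ccmsetup.exe') -ArgumentList $ccmArgs -Wait -NoNewWindow
```

After ccmsetup finishes, ccmsetup.log and ClientIDManagerStartup.log under the client's logs folder show which certificate or AAD token was selected and whether the CMG accepted it.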
Table reference for command line switch –
Thanks,
Arnab Mitra
Comments
- Anonymous, October 16, 2017
  Hi Arnab, thanks a lot for these details. I set up all of this based on your steps, and it works perfectly with Windows 10 Enterprise 1703. However, the ConfigMgr client failed to install on Insider Preview 16299.15 AAD joined. Let's hope it will work with 1709 when it is published.
- Anonymous, October 28, 2017
  I recently tested it successfully on a 1709 client.
- Anonymous, October 28, 2017
  Which ConfigMgr are you using? I am using TP 1709, because I don't have a CB license for my own test. I tried pushing the ConfigMgr client from Intune, and it failed every time (Windows 1703 and 1709). The log said it found three certificates, but none of them can be used for ConfigMgr, and it cannot use PKI or AAD authentication to contact ConfigMgr. The gateway log has only one error, complaining that it cannot find one ConfigMgr DLL file (I don't remember the file name); it just couldn't download the client source from the gateway. If I copy the source files and manually install the client, it works OK. I believe there are some bugs with ConfigMgr TP 1709, because my setup hasn't changed; I tested it based on your guidance, and it was working with an earlier TP. I am going to wait for the next TP and test again. Thank you Arnab Mitra.
- Anonymous, November 01, 2017
  Just upgraded to ConfigMgr TP 1710; deploying the ConfigMgr client from Intune to an Azure AD joined device works without any issues. :D
- Anonymous, March 26, 2018
  The comment has been removed
- Anonymous, March 27, 2018
  This requires deeper investigation and I will recommend you open a support case.