Configure a Cloud Distribution Point on Windows Azure in Configuration Manager 2012 SP1

Apart from native agent support for Mac OS X, another of the big features of Configuration Manager 2012 SP1 is the ability to deploy “Cloud” Distribution Points on Windows Azure.

Why is this a big deal? Well, if you need to rapidly provision a DP but can’t currently scale your environment or provide server infrastructure to remote sites, a Cloud DP will allow you to quickly set up a content location accessible from anywhere at a very low cost. Cloud DPs also allow businesses to service internet-connected clients without having to set up internet-facing Configuration Manager server roles, and to rapidly provision DPs which are catered for within operational expenditure rather than capital expenditure. They offer new flexibility to the management story which is quite exciting.


Setting up a Cloud DP is actually very straightforward, and there are only a few things needed before you begin.

  1. A current Windows Azure subscription.  Obviously – otherwise this isn’t going to get off the ground 🙂 If you are an MSDN subscriber (or you have access via a company subscription) then you have access to a limited Azure subscription – activate it via the MSDN Subscriber Benefits page;
  2. Your Windows Azure subscription ID. Once the Azure account is activated, you can get the Subscription ID by logging into the Management Portal and navigating to “Hosted Services, Storage Accounts & CDN”, then “Affinity Groups”.  The Subscription ID is on the right-hand side of the screen;
  3. A Management Certificate.  This is a locally-generated certificate which is uploaded to Windows Azure AND used by Configuration Manager to establish secure communications;
  4. A Configuration Manager hierarchy running Configuration Manager 2012 SP1 Beta (build 7782) or later.

Management Certificate

There are a number of ways you can create the management certificate.  At present there isn’t much guidance on the best approach, so this section explains how I did it in my own lab environment, which is configured for PKI with an Enterprise CA.

  1. On the CA, open the Certification Authority management snap-in, right-click on Certificate Templates and select Manage;
  2. Right-click the “ConfigMgr Web Server Certificate” template (or whichever template you prefer to use for HTTPS communications) and select “Duplicate Template”;
  3. Give the new template a name like “Windows Azure Authentication Certificate” and make the following changes: in “Request Handling” tick “Allow private key to be exported”; in “Subject Name” select “Supply in the request”; and in “Security” ensure that the AD computer account for the primary site server has Read and Enroll permissions, either explicitly or via an AD group;
  4. Save the template, exit the Certificate Templates Console, then right-click on Certificate Templates, select “New” –> “Certificate Template to Issue” and choose the newly-created template for Windows Azure;

    PKI Certificate for Configuration Manager/Windows Azure authentication

  5. Next, go to the Certificates MMC snap-in on the Configuration Manager site server and load the Certificates for the Computer Account;
  6. Expand Personal –> Certificates, then right-click Certificates and select “All Tasks” –> “Request New Certificate”;
  7. Select the Windows Azure certificate from the list of available certificates and click on “More information is required…”;
  8. In the Certificate Properties window, on the “Subject” tab, set both the Subject Common Name and the DNS Alternative Name to the name of this hosted service.  For example, if you want to call the Cloud DP “cm12clouddp1” then the full name is “”;

    Certificate Properties – Subject Name and Alternate Name

  9. Finish the enrolment and the certificate will populate the snap-in;
  10. Next, right-click the newly-enrolled certificate and select “All Tasks” –> “Export”;
  11. The Export process needs to be run through twice: the first time select “No, do not export the private key” and then export the certificate as a “DER encoded binary X.509” .CER file. The second time select “Yes, export the private key” and export it as a “Personal Information Exchange” .PFX file.  You will need both exports later.
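
A pre-flight check on the two exported files, added here as an example and not part of the original post: it confirms that the .CER and .PFX are the same certificate, that only the PFX holds the private key, and that the name matches the one entered in step 8. The script parameters are assumptions; since the PFX contains the private key of a certificate that authenticates management access to the subscription, keep it stored like any other credential.

```powershell
# Added example (not from the original post): sanity-check the two exports from step 11.
# $CerPath, $PfxPath and $ServiceName are supplied by you (hypothetical parameter names).
param(
    [Parameter(Mandatory=$true)][string] $CerPath,      # "DER encoded binary X.509" export
    [Parameter(Mandatory=$true)][string] $PfxPath,      # "Personal Information Exchange" export
    [Parameter(Mandatory=$true)][string] $ServiceName   # name entered on the Subject tab in step 8
)

# .NET resolves relative paths against its own working directory, so resolve them first.
$cerFile = (Resolve-Path $CerPath).ProviderPath
$pfxFile = (Resolve-Path $PfxPath).ProviderPath
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerFile
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxFile, $pfxPassword

# DnsName returns the DNS entry of the Subject Alternative Name, falling back to the CN.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$dnsName  = $pfx.GetNameInfo($nameType, $false)
$now      = Get-Date

$checks = @(
    @{ Check = 'CER and PFX are the same certificate';  Pass = ($cer.Thumbprint -eq $pfx.Thumbprint) },
    @{ Check = 'CER carries no private key';            Pass = (-not $cer.HasPrivateKey) },
    @{ Check = 'PFX carries the private key';           Pass = $pfx.HasPrivateKey },
    @{ Check = 'Certificate is within validity period'; Pass = ($pfx.NotBefore -le $now -and $now -lt $pfx.NotAfter) },
    @{ Check = 'DNS name matches hosted service name';  Pass = ($dnsName -eq $ServiceName) }
)
$checks | ForEach-Object { New-Object psobject -Property $_ } | Format-Table Check, Pass -AutoSize

# The thumbprint identifies the certificate uploaded to Azure and selected in the ConfigMgr wizard.
"Thumbprint: $($pfx.Thumbprint)"

# Release the certificate objects, including the temporarily imported private key.
$pfx.Reset()
$cer.Reset()
```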

Upload the Management Certificate

  1. Open the Windows Azure Management Portal and navigate to “Hosted Services, Storage Accounts & CDN”, then “Management Certificates”;
  2. Click on “Add Certificate” and then select the appropriate subscription and browse to the exported CER file created earlier;
  3. Wait for the console to refresh and ensure that the Management Certificate has been uploaded correctly.

    Uploaded Management Certificate in Windows Azure

Creating and Configuring the Cloud DP

Now that the prerequisites are taken care of, we can create the Cloud DP.

  1. Open the CM Console and navigate to Administration –> Hierarchy –> Cloud and then click on “Create Cloud Distribution Point”;
  2. Type in the Windows Azure Subscription ID and browse for the exported PFX;
  3. In Settings, the service name will be automatically created by Azure.  Select the desired Azure global region (eg: Southeast Asia) and which site the Cloud DP is going to be associated with;
  4. In Alerts, specify the quotas in terms of the amount of available storage and the monthly transfer quota;
  5. Complete the wizard (that’s all the information it needs) and open up the CloudMgr.log file located in the Microsoft Configuration Manager\Logs folder;
  6. The SMS_CLOUD_SERVICES_MANAGER component will initially connect to Windows Azure and create a new storage service – you can watch this in action via the “Storage Accounts” section in the Windows Azure Management Portal;
  7. This bit can take some time – the log file will probably show a series of entries like “Skipping safe exception Microsoft.WindowsAzure.StorageClient.StorageServerException. Will check again in 10 seconds.” and “Waiting for check if container exists. Will check again in 10 seconds.”.  Eventually it may time out with an entry “ERROR: Timed out after 00:05:00 minutes waiting for check if container exists.”.  Don’t stress, things are still happening;
  8. In my case, around 15 minutes after the timeout entry (with no further input from me), CloudMgr.log updated with “Uploading file ContentWebRole.cspkg to container deploymentcontainer with blob name xxx”.  Behind the scenes, the storage account has been provisioned and Configuration Manager has taken all the information provided in the Cloud DP wizard and bundled it into a .CSPKG file.  Windows Azure will now use that to provision a full hosted service into production;
  9. Keep following the log file and within approximately 20 minutes the service will be provisioned.  Refresh the Cloud section in the Configuration Manager console, and the new Cloud DP will have a “Status Description” of “Provisioning Complete”;
  10. Navigate to Administration –> Distribution Points, and the Cloud DP will be there along with your on-premise

    Provisioned Cloud DP on Windows Azure
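
The log-watching in steps 5 to 9 can be scripted. The function below is an added example, not part of the original post or of Configuration Manager: it matches only the message fragments quoted in steps 7 and 8, and the state names and the log path placeholder are assumptions.

```powershell
# Added example (not from the original post): summarise provisioning progress from CloudMgr.log.
# Only the message fragments quoted in steps 7 and 8 are matched; state names are hypothetical.
function Get-CloudDpProvisioningState {
    param([string[]] $Lines = @())

    $markers = @(
        @{ State = 'WaitingForStorage'; Text = 'Will check again in 10 seconds' },
        @{ State = 'TimedOut';          Text = 'ERROR: Timed out after' },
        @{ State = 'UploadingPackage';  Text = 'Uploading file ContentWebRole.cspkg' }
    )
    $counts = @{}
    $last   = 'NoMarkerSeen'
    foreach ($line in $Lines) {
        foreach ($m in $markers) {
            if ($line.Contains($m.Text)) {
                $counts[$m.State] = 1 + [int]$counts[$m.State]
                $last = $m.State          # the most recent marker decides the state
            }
        }
    }
    $advice = switch ($last) {
        'WaitingForStorage' { 'Storage account still being created; keep waiting.' }
        'TimedOut'          { 'Timeout logged, but provisioning may still be running; keep watching the log.' }
        'UploadingPackage'  { 'Storage account is ready and the service package is being uploaded.' }
        default             { 'No provisioning entries found yet.' }
    }
    New-Object psobject -Property @{
        LastState = $last
        Waits     = [int]$counts['WaitingForStorage']
        Timeouts  = [int]$counts['TimedOut']
        Uploads   = [int]$counts['UploadingPackage']
        Advice    = $advice
    }
}

# Constructed sample lines (message text only, taken from the entries quoted above).
$sample = @(
    'Skipping safe exception Microsoft.WindowsAzure.StorageClient.StorageServerException. Will check again in 10 seconds.',
    'Waiting for check if container exists. Will check again in 10 seconds.',
    'ERROR: Timed out after 00:05:00 minutes waiting for check if container exists.',
    'Uploading file ContentWebRole.cspkg to container deploymentcontainer with blob name xxx'
)
Get-CloudDpProvisioningState -Lines $sample

# Against the real log (path placeholder; the post only names the "Logs" folder):
# Get-CloudDpProvisioningState -Lines (Get-Content '<ConfigMgr install folder>\Logs\CloudMgr.log')
```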


Distribute Content

Distributing content to a Cloud DP is exactly the same as for a traditional DP.  Using an AppModel-type Application as the example:

  1. Right-click the Application and select “Distribute Content”;
  2. For the content destination, select “Distribution Point” from the Add drop-down (or “Distribution Point Group” if the Cloud DP is a member of a DP Group) and select the Cloud DP from the list of DPs;
  3. Open up the distmgr.log and watch Configuration Manager deploy the content to the Cloud DP;
  4. Navigate back to Administration –> Distribution Points.  Right-click the Cloud DP and select “Content” – the recently-deployed content should now be visible.

If you want to verify that the content really is there, I recommend a free tool called Azure Storage Explorer, which is available here via CodePlex.  To add a Storage Account to view, you will need the name of the Storage Account as well as the Primary Access Key, both of which are accessible in the Windows Azure Management Console under “Storage Accounts”.

Once connected, under the “blobs” section should be a folder called “content-PKGID” where PKGID is the Package ID of the content you just distributed to Azure (eg: S0100001).  Select that and you’ll see the actual files which have been uploaded and are now available for clients.

Content distributed to Windows Azure

So, you now have a Distribution Point up in the cloud ready to distribute content to clients.  In the next blog post, we’ll look at how clients will access that data 🙂

11 comments to Configure a Cloud Distribution Point on Windows Azure in Configuration Manager 2012 SP1

  • Vasu Miriyala

    Hi James,
    Simple but detailed post on Cloud DP of SCCM 2012, good one !!!
    I liked it much, went ahead to see where you work (Dilignet profile) and its offerings, thru your profile. Interesting and impressive work on System Center from you folks…

    –Vasu Miriyala

  • Young

    Hi James,

    Can you clarify something for me?

    As we don’t have PKI infrastructure, we don’t have Internet (Native) Client for SCCM 2007 and we are not planning on having one in the near future. However, there is a 1-way trusted forest/domain with 200 machines and we are managing them via DMZ/firewall, which is a slow link.

    With this in mind, can I use Cloud DP for those 200 machines so that all traffic except DP are still happening through DMZ/Firewall while the actual content download can happen through cloud DP?



    • James Bannan

      Hi Young – yes, you can do that. Obviously the clients will have to be upgraded to SCCM 2012 SP1 first. Other than that, you don’t actually need a PKI infrastructure for clients to talk to a cloud DP. I just used one because it’s convenient to do so.

  • David

    Am I right in saying that, in order for this to work, I need to set up a VPN connection between Azure and the on-premise environment first?

    Thanks for this nice post!

  • Mark

    Hello I want to spend my environment or primary site where he managed 600 clients via http internet LAN; manage computers outside the LAN, I want all documentation and suggestions please;

  • shinub

    Hi James

    You told we have to specify “desired Azure global region”

    What I will do for different continent if I configure only one location.

    maximum one DP can make or multiple for different geographical location?

  • Prem

    How will clients which are on the internet be offered the cloud DP to download the content? While the client is on the internet they can’t reach the MP and get the package location.
    I am wondering if the Azure DP location is already there in the application policy itself and the client has it when it gets the application policy for the very first time?

  • Ginu


    I have set up a Cloud DP, however my clients are stuck at 0% downloading from Cloud DP. Do I need to make any changes on client end or any Public Host A is required?

    Thank You

  • Test

    How internet client machines communicate with Cloud DP? We need to create a Public CNAME or Host A Record?
