Deploy Task Sequence over Internet via SCCM CMG

This tutorial will guide you through deploying a task sequence over the internet via SCCM CMG (Cloud Management Gateway). Using the Allow task sequence to run for client on the Internet feature, we will deploy an OS over the ConfigMgr CMG.

One of the new features in Configuration Manager 2010 is the ability to deploy an OS over CMG using bootable media. This feature first appeared in technical preview version 2009.

According to Microsoft, you can now use bootable media to reimage internet-based devices that connect through a CMG. This scenario helps you better support remote workers. If Windows won’t start so that the user can access Software Center, you can now send them a USB drive to reinstall Windows.

Most importantly, there are a lot of prerequisites to meet before you deploy a task sequence over the internet. If you follow the prerequisites, I am sure OSD via CMG will work fine.

In my lab I am currently running Configuration Manager 2010. Make sure you have installed hotfix KB4594176, which applies only to the ConfigMgr 2010 early update ring.

I have also set up PKI, and the management point and distribution points are configured to use HTTPS. If you haven't set up PKI, refer to my PKI step-by-step guides.

Set up a Cloud Management Gateway

Setting up a cloud management gateway is the first prerequisite. CMG provides a simple way to manage Configuration Manager clients on the internet.

When you deploy the CMG as a cloud service in Microsoft Azure, you can manage internet clients without additional infrastructure. If you haven't set up the cloud management gateway yet, you can use the following guide: https://www.prajwaldesai.com/setup-sccm-cloud-management-gateway/

A working CMG is a must, so ensure the CMG is working fine in your setup. You can RDP to your ConfigMgr CMG to confirm it's up and running.

You can also run the cloud management gateway connection analyzer, which reports any errors it finds. If all the results show green checks, you are good to proceed to the next step.

In addition, if you need log files for troubleshooting, refer to the CMG log files.

CMG Connection Analyzer

Distribute Task Sequence to a Content-Enabled CMG

When a remote client uses boot media, it connects to the CMG distribution point to download the content. If the CMG doesn't have the content, your task sequence will fail. Hence it is important that you distribute the task sequence content to the CMG.

Distributing the content to CMG is very similar to how you distribute the content to your internal distribution points. Right click the task sequence and select Distribute Content. On the Content Destination window, select CMG and distribute the TS content.

To verify that the content has been distributed to the CMG, go to Monitoring\Distribution Status\Distribution Point Configuration Status. Select your CMG and look at the completion statistics at the bottom.

Distribute Task Sequence to a Content-Enabled CMG

Allow access to Cloud Distribution Point

Under your client agent settings, you must allow access to the cloud distribution point. In the Configuration Manager console, go to Administration\Overview\Client Settings.

Select Cloud Services. Under Device/User Settings, set the option Allow access to cloud distribution point to Yes for clients to obtain content from a cloud distribution point.

Allow access to Cloud Distribution Point

Enable clients to use a cloud management gateway

In addition to allowing access to Cloud DP, you must also enable clients to use a cloud management gateway. In the Configuration Manager console, go to Administration\Overview\Client Settings.

Select Cloud Services. Under Device/User Settings, set the option Enable clients to use a cloud management gateway to Yes.

Click OK to close the client settings window.

Enable clients to use a cloud management gateway

Configure the Apply Network Settings Task Sequence step to join a workgroup

When you deploy the Task Sequence over internet via SCCM CMG, the remote device can’t join the on-premises Active Directory domain. That’s because it doesn’t have connectivity to a domain controller to join the domain.

Therefore we need to make a change to the Apply Network Settings step in the task sequence. Edit the task sequence and click the Apply Network Settings step.

Select Join a workgroup and specify the workgroup name. If it’s a new task sequence, ensure you select Join a workgroup instead of Join a domain.

Configure the Apply Network Settings Task Sequence step to join a workgroup

Allow task sequence to run for client on the internet

When you deploy the task sequence over the internet, on the User Experience tab, select Allow task sequence to run for client on the internet. This applies even when you create a new task sequence. It's a prerequisite, and this option applies to internet-based clients only.

Allow task sequence to run for client on the internet

Deployment settings – Make available to an option that includes media

When you deploy this task sequence, specify the following under the deployment settings. For Make available to the following, select Only media and PXE.

Deployment settings - Make available to an option that includes media

Download content locally when needed by the running task sequence

You also need to make another change on the task sequence deployment properties. On the Distribution Points tab, under Deployment Options, select Download content locally when needed by the running task sequence.

With this option selected, you specify that clients download content from the distribution point as it’s needed by the task sequence. The client starts the task sequence. When a step in the task sequence requires content, it’s downloaded before the step runs.

Download content locally when needed by the running task sequence

No Wireless Support – Only Wired Network Connection

When you deploy an OS over CMG using bootable media, make sure the device has a constant internet connection while the task sequence runs. Windows PE doesn’t support wireless networks, so the device needs a wired network connection.

PKI Prerequisites for bootable media

For version 2010 early update ring, if you use a PKI-based certificate for the boot media, configure it for SHA256 with the Microsoft Enhanced RSA and AES provider. For later releases, including globally available version 2010, this certificate configuration is recommended but not required. The certificate can be a v3 (CNG) certificate.

PKI Prerequisites for bootable media

For the boundary group that the client is in:

  • Associate the content-enabled CMG or cloud distribution point site systems.
  • Enable the following option: Prefer cloud based sources over on-premise sources.

Create Certificate for Boot Media

Before you create the bootable media, let's create a certificate. This certificate is required when we finalize the boot media.

Log in to the server running the Certification Authority role. Right-click Certificate Templates and click Manage.

Manage Certificate Templates

Right click Workstation Authentication template and click Duplicate Template.

Duplicate Workstation Authentication Template

On the new template properties, select General tab and specify the Template Name such as SCCM Boot Media Cert.

Specify Template Name

On the Request Handling tab, make sure you enable Allow private key to be exported.

Allow private key to be exported

On the Cryptography tab, under Providers, select Microsoft Enhanced RSA and AES provider. Click Apply and OK.

Microsoft Enhanced RSA and AES provider

Right click Certificate Templates and click New > Certificate Template to Issue. Select the boot media certificate and click OK.

Enable the SCCM Boot Media Certificate

Before we export the certificate, we must first import it.

On your site server, launch the certificates console (run certlm.msc). Expand Personal, right-click Certificates and click All Tasks > Import. Select the SCCM Boot Media Cert and click Enroll.

Issue the SCCM Boot Media Certificate

Now right click the boot media cert and export it.

Export the Certificate

Select Yes, export the private key.

Export the Certificate - Private Key

Click Next.

Export the Certificate - Private Key

Set a password for this certificate. Click Next.

Specify the Certificate Password

Export the certificate.

Create Certificate for Boot Media
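Before exporting, it is worth checking that the enrolled certificate actually meets the boot media prerequisites described earlier (SHA256, Microsoft Enhanced RSA and AES provider or a CNG key, exportable private key). The script below is an added example, not part of the original post; it runs in an elevated Windows PowerShell 5.1 session on the site server, and the thumbprint and output path are placeholders you replace.

```powershell
# Added example (not from the original post): verify the boot media certificate
# against the prerequisites in this guide, then export it as a password-protected PFX.
# Assumptions: $Thumbprint and $PfxPath are placeholders; Windows PowerShell 5.1.
$Thumbprint = 'REPLACE-WITH-THUMBPRINT-OF-SCCM-BOOT-MEDIA-CERT'
$PfxPath    = 'C:\BootMedia\SCCMBootMediaCert.pfx'

function Test-BootMediaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    # 1. Signature hash must be SHA256 (FriendlyName reads "sha256RSA" for RSA certs)
    if ($Cert.SignatureAlgorithm.FriendlyName -notlike 'sha256*') {
        $problems += "Signature algorithm is $($Cert.SignatureAlgorithm.FriendlyName), expected SHA256"
    }
    # 2. A private key must be present in the store and must be exportable
    if (-not $Cert.HasPrivateKey) {
        $problems += 'No private key in the store; enroll the certificate first'
        return $problems
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: provider must be Microsoft Enhanced RSA and AES
        $info = $rsa.CspKeyContainerInfo
        if ($info.ProviderName -notlike 'Microsoft Enhanced RSA and AES*') {
            $problems += "Provider is '$($info.ProviderName)', expected Microsoft Enhanced RSA and AES"
        }
        if (-not $info.Exportable) { $problems += 'Private key is not exportable' }
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG (v3) key: allowed from 2010 GA onwards, but still has to be exportable
        if (-not $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)) {
            $problems += 'CNG private key is not exportable'
        }
    }
    return $problems
}

$cert   = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$issues = @(Test-BootMediaCertificate -Cert $cert)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Certificate does not meet the boot media prerequisites; fix the template and re-enroll.'
}
# Ask for the PFX password interactively instead of hard-coding it in the script
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Subject) to $PfxPath"
```

The resulting PFX and the password you entered are what the Create Task Sequence Media wizard asks for on the Import PKI certificate page.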

Create a Task Sequence bootable media to use CMG

To create new task sequence media:

  • In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
  • On the top ribbon click Create Task Sequence Media.

Create a Task Sequence bootable media to use CMG

On the Select Media Type window, select Bootable Media. Click Next.

Create a Task Sequence bootable media to use CMG

You must select how media finds a management point. Select Site-based media. Click Next.

Select Site Based Media

Specify the Media File. The file should have .iso as extension. Click Next.

Specify the Media File

Specify a password to protect the task sequence media. Under Import PKI certificate, click Browse, specify the boot media certificate and enter its password. Click Next.

Import PKI Certificate

Specify the following on the Boot Image page:

  • Boot Image – Specify the x64 boot image.
  • Distribution Point – This is your on-premises distribution point.
  • Management Point – This should be your CMG.

Click Next.

Select the boot image for Media

You may customize the task sequence media. Click Next.

Deploy Task Sequence over Internet via SCCM CMG

Close the Create Task Sequence Media wizard.

deploy OS over CMG

Finally we have our bootable media file.

Task Sequence bootable media to use CMG

Deploy Task Sequence over Internet via CMG

First of all, boot your device from the boot media. In my lab, I have a new blank VM and I am going to mount the boot media.

Mount the Bootable Media

The VM boots from the media and in no time you should see the Task Sequence wizard. Enter the boot media password and click Next.

Enter the boot media password

Select the task sequence and click Next.

Select the Task Sequence

You must patiently wait until all the task sequence dependencies are resolved.

Resolving Selected Task Sequence Dependencies

The task sequence deployment over the internet begins. You can also launch a command prompt and use the CMTrace log file viewer to follow smsts.log.

If you are not sure about the smsts.log file location, read Location of SMSTS log during SCCM OSD.
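Reading smsts.log in CMTrace works, but during a slow internet download it is easy to miss an error among the informational lines. The snippet below is an added example, not part of the original post: it parses CMTrace-formatted entries and prints only the error entries (type 3). The two log lines it runs over are constructed samples in the smsts.log format, and the WinPE log path is an assumption.

```powershell
# Added example (not from the original post): list only the error entries in smsts.log.
# Assumption: WinPE log path; the sample lines below are constructed, not captured from a lab.
$LogPath = 'X:\Windows\Temp\SMSTSLog\smsts.log'

function Get-SmstsError {
    param([string[]]$Lines)
    # CMTrace entry: <![LOG[msg]LOG]!><time=".." date=".." component=".." context="" type="N" thread=".." file="..">
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"[^>]*component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        # type 1 = info, 2 = warning, 3 = error; keep only the errors
        if ($m.Success -and $m.Groups['type'].Value -eq '3') {
            [pscustomobject]@{
                Date      = $m.Groups['date'].Value
                Time      = ($m.Groups['time'].Value -split '\.')[0]   # drop milliseconds and UTC offset
                Component = $m.Groups['comp'].Value
                Message   = $m.Groups['msg'].Value
            }
        }
    }
}

# Constructed sample lines: one informational entry and one error entry
$sample = @(
    '<![LOG[Downloading content for package PLACEHOLDER from the CMG]LOG]!><time="10:15:01.123+000" date="12-01-2020" component="TSManager" context="" type="1" thread="1234" file="tsmanager.cpp:100">',
    '<![LOG[Failed to download content from https://cmg-placeholder.cloudapp.net/ (0x80072EE2)]LOG]!><time="10:16:40.555+000" date="12-01-2020" component="TSManager" context="" type="3" thread="1234" file="tsmanager.cpp:120">'
)
# Only the second sample line is reported
Get-SmstsError -Lines $sample | Format-Table -AutoSize

# Same filter over the real log when it exists on this machine
if (Test-Path $LogPath) { Get-SmstsError -Lines (Get-Content $LogPath) | Format-Table -AutoSize }
```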

Deploy Task Sequence over Internet via SCCM CMG

Note that the Windows 10 .wim file may take a significant amount of time to download. If you don't see any errors, wait until the download completes.

Deploy Task Sequence over Internet via SCCM CMG

Finally, we see the Configuration Manager agent being installed.

Configuration Manager Agent Setup

We have successfully deployed OS over CMG.

Windows 10 Deployed over CMG

Prajwal Desai

Hi, I am Prajwal Desai. For the last few years I have been working on multiple technologies such as SCCM / Configuration Manager, Intune, Azure, Security, etc. I created this site so that I can share valuable information with everyone.

8 Comments

  1. Thank you for this guide.
    I would draw your attention to the fact that the step is to request a new certificate instead of importing it from the Active Directory Enrollment Policy.

  2. Is there a way to temporarily pause the task sequence after image deployment and wait for a tech to bind to the domain, and then continue on from a point in the task sequence to fully set up a system?

  3. I see that you have it set up with a PKI cert. So long as the machine has a cert that meets the requirements, could you use that cert to make the connection through the CMG? Like a SCEP/NDES certificate?
