This tutorial will guide you through deploying a task sequence over the internet via SCCM CMG (Cloud Management Gateway). Using the Allow task sequence to run for client on the Internet feature, we will deploy an OS over the ConfigMgr CMG.
According to Microsoft, you can now use bootable media to reimage internet-based devices that connect through a CMG. This scenario helps you better support remote workers. If Windows won’t start so that the user can access Software Center, you can now send them a USB drive to reinstall Windows.
There are a lot of prerequisites to meet before you deploy the task sequence over the internet. If you follow the prerequisites, I am sure the OSD via CMG will work fine.
In my lab I am currently running Configuration Manager 2010. Make sure you have installed hotfix KB4594176, which applies only to the ConfigMgr 2010 early update ring.
I have also set up PKI, and the management point and distribution points are configured to use HTTPS. If you haven't set up PKI, refer to my PKI step-by-step guides.
Set up a Cloud Management Gateway
Setting up a cloud management gateway is the first prerequisite. CMG provides a simple way to manage Configuration Manager clients on the internet.
When you deploy the CMG as a cloud service in Microsoft Azure, you can manage internet clients without additional infrastructure. If you haven't set up the cloud management gateway, you can use the following guide – https://www.prajwaldesai.com/setup-sccm-cloud-management-gateway/
A working CMG is a must, so ensure the CMG is working fine in your setup. You can RDP to your ConfigMgr CMG to ensure it's up and running.
You can also run the cloud management gateway connection analyzer. The analyzer results will show errors, if any. If all the results show green checks, you are good to proceed to the next step.
In addition, if you need log files for troubleshooting, refer to the CMG Log Files.
Distribute Task Sequence to a Content-Enabled CMG
When a remote client uses boot media, it connects to the CMG distribution point to download the content. If the CMG doesn't have the content, your task sequence will fail. Hence it is important to distribute the task sequence content to the CMG.
Distributing the content to the CMG is very similar to how you distribute content to your internal distribution points. Right click the task sequence and select Distribute Content. On the Content Destination window, select the CMG and distribute the TS content.
To verify that the content is distributed to the CMG, go to Monitoring\Distribution Status\Distribution Point Configuration Status. Select your CMG and look at the completion stats at the bottom.
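The same distribute-and-verify step can be scripted with the ConfigMgr PowerShell module, which is handy when you want to be sure every package the task sequence references (boot image, OS image, client package, drivers) is actually installed on the CMG before you hand a USB drive to a remote user. This is an added example, not code from the original post; the site code P01, the site server name, the task sequence name and the CMG host name are placeholders you must replace with your own.

```powershell
# Added example (not from the original post): distribute a task sequence to the
# content-enabled CMG, then confirm every package it references reports
# "Installed" on that CMG. Placeholders: site code, site server, TS name, and
# the CMG host name as it appears in the console under Distribution Points.
$SiteCode   = 'P01'
$SiteServer = 'CM01.CONTOSO.LOCAL'
$TsName     = 'Windows 10 OSD via CMG'
$CmgName    = 'CMG.CONTOSO.COM'

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

$ts = Get-CMTaskSequence -Name $TsName -Fast
if (-not $ts) { throw "Task sequence '$TsName' not found." }

# Distributing the task sequence pushes all referenced content to the target DP
# (here the CMG). Packages already present on the CMG produce a non-fatal error.
Start-CMContentDistribution -TaskSequenceId $ts.PackageID -DistributionPointName $CmgName

# Resolve the referenced package IDs from the SMS Provider. References is a
# lazy WMI property, so fetch the object and call Get() to load it.
$ns  = "root\SMS\site_$SiteCode"
$pkg = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_TaskSequencePackage `
           -Filter "PackageID='$($ts.PackageID)'"
$pkg.Get()
$refIds = $pkg.References | ForEach-Object { $_.Package } | Sort-Object -Unique

# SMS_PackageStatusDistPointsSummarizer.State values.
$stateText = @{ 0 = 'Installed'; 1 = 'InstallPending'; 2 = 'InstallRetrying'; 3 = 'InstallFailed'
                4 = 'RemovalPending'; 5 = 'RemovalRetrying'; 6 = 'RemovalFailed'
                7 = 'ContentUpdating'; 8 = 'ContentMonitoring' }

function Get-CmgPackageState {
    param([string]$PackageId)
    Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_PackageStatusDistPointsSummarizer `
        -Filter "PackageID='$PackageId'" |
        Where-Object { $_.ServerNALPath -like "*$CmgName*" }
}

# Poll until every referenced package is installed on the CMG or one has failed.
do {
    $pending = 0
    foreach ($id in $refIds) {
        $row = Get-CmgPackageState -PackageId $id
        if (-not $row) {
            Write-Warning "$id has no status entry for $CmgName yet"
            $pending++
            continue
        }
        Write-Host ("{0,-10} {1}" -f $id, $stateText[[int]$row.State])
        if ($row.State -in 3, 6) {
            throw "$id failed on $CmgName; check distmgr.log and PkgXferMgr.log on the site server."
        }
        if ($row.State -ne 0) { $pending++ }
    }
    if ($pending) { Start-Sleep -Seconds 60 }
} while ($pending)

Write-Host "All $($refIds.Count) referenced packages are installed on $CmgName."
```

Run it from a PowerShell session on a machine with the Configuration Manager console installed (the module path comes from the SMS_ADMIN_UI_PATH variable the console sets). It exits only when the CMG reports every referenced package as installed, which is exactly the completion state you would otherwise read off the Distribution Point Configuration Status node.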
Allow access to Cloud Distribution Point
Under your client agent settings, you must allow access to the cloud distribution point. In the Configuration Manager console, go to Administration\Overview\Client Settings.
Select Cloud Services. Under Device/User Settings, set the option Allow access to cloud distribution point to Yes for clients to obtain content from a cloud distribution point.
Enable clients to use a cloud management gateway
In addition to allowing access to Cloud DP, you must also enable clients to use a cloud management gateway. In the Configuration Manager console, go to Administration\Overview\Client Settings.
Select Cloud Services. Under Device/User Settings, set the option Enable clients to use a cloud management gateway to Yes.
Click OK to close the client settings window.
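The two Cloud Services settings above can also be set and read back from PowerShell, which makes it easy to confirm the values in a custom client settings object before deploying it. This is an added example and not part of the original post. The site code P01, the client settings name "Internet Clients" and the collection name are assumptions; to change the default policy instead, replace the -Name parameter on Set-CMClientSettingCloudService with -DefaultSetting.

```powershell
# Added example (not from the original post): set "Allow access to cloud
# distribution point" and "Enable clients to use a cloud management gateway"
# to Yes in a custom device client settings object, then read the section back.
# Placeholders: site code, client settings object name, target collection name.
$SiteCode       = 'P01'
$SettingsName   = 'Internet Clients'
$CollectionName = 'Internet Devices'

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Create the custom device settings object if it does not exist yet.
if (-not (Get-CMClientSetting -Name $SettingsName)) {
    New-CMClientSetting -Name $SettingsName -Type Device | Out-Null
}

# Both options the console steps above turn on, applied together.
Set-CMClientSettingCloudService -Name $SettingsName `
    -AllowCloudDistributionPoint $true `
    -EnableCloudManagementGateway $true

# Read the Cloud Services section back as a hashtable to verify what was set.
$cloud = Get-CMClientSetting -Name $SettingsName -Setting CloudService
$cloud.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Custom client settings only take effect once deployed to a collection.
if (-not (Get-CMClientSettingDeployment -Name $SettingsName -ErrorAction SilentlyContinue)) {
    Start-CMClientSettingDeployment -ClientSettingName $SettingsName -CollectionName $CollectionName
}
```

The read-back step is the useful part: the hashtable returned by Get-CMClientSetting -Setting CloudService shows the stored values, so you can spot a settings object that was created but never had the cloud options enabled.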
Configure the Apply Network Settings Task Sequence step to join a workgroup
When you deploy the Task Sequence over internet via SCCM CMG, the remote device can’t join the on-premises Active Directory domain. That’s because it doesn’t have connectivity to a domain controller to join the domain.
Therefore we need to make a change to the Apply Network Settings step in the task sequence. Edit the task sequence and click the Apply Network Settings step.
Select Join a workgroup and specify the workgroup name. If it’s a new task sequence, ensure you select Join a workgroup instead of Join a domain.
Allow task sequence to run for client on the internet
When you deploy the task sequence over the internet, on the User Experience tab, select Allow task sequence to run for client on the internet. This also applies when you create a new task sequence. It's a prerequisite, and this option applies to internet-based clients only.
Deployment settings – Make available to an option that includes media
When you deploy this task sequence, under the deployment settings you need to set Make available to the following to Only media and PXE.
Download content locally when needed by the running task sequence
You also need to make another change on the task sequence deployment properties. On the Distribution Points tab, under Deployment Options, select Download content locally when needed by the running task sequence.
With this option selected, you specify that clients download content from the distribution point as it’s needed by the task sequence. The client starts the task sequence. When a step in the task sequence requires content, it’s downloaded before the step runs.
No Wireless Support – Only Wired Network Connection
When you deploy an OS over CMG using bootable media, make sure the device has a constant internet connection while the task sequence runs. Windows PE doesn’t support wireless networks, so the device needs a wired network connection.
PKI Prerequisites for bootable media
For version 2010 early update ring, if you use a PKI-based certificate for the boot media, configure it for SHA256 with the Microsoft Enhanced RSA and AES provider. For later releases, including globally available version 2010, this certificate configuration is recommended but not required. The certificate can be a v3 (CNG) certificate.
For the boundary group that the client is in:
- Associate the content-enabled CMG or cloud distribution point site systems.
- Enable the following option: Prefer cloud based sources over on-premise sources.
Create Certificate for Boot Media
Before you create bootable media, let's create a certificate. This certificate is required when we create the boot media.
Log in to the server running the Certification Authority role. Right click Certificate Templates and click Manage.
Right click Workstation Authentication template and click Duplicate Template.
On the new template properties, select General tab and specify the Template Name such as SCCM Boot Media Cert.
On the Request Handling tab, make sure you enable Allow private key to be exported.
On the Cryptography tab, under providers select Microsoft Enhanced RSA and AES provider. Click Apply and OK.
Right click Certificate Templates and click New > Certificate Template to Issue. Select the boot media certificate and click OK.
Before we export the certificate, we must first import it.
On your site server, launch the Certificates console (run certlm.msc). Expand Personal, right click Certificates and click All Tasks > Import. Select the SCCM Boot Media Cert and click Enroll.
Now right click the boot media cert and export it.
Select Yes, export the private key.
Set a password for this certificate. Click Next.
Export the certificate.
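If you prefer to do the enrollment and export from PowerShell on the site server, the following added example (not from the original post) requests a certificate from the duplicated template, checks it against the requirements given in the PKI prerequisites section (key from the Microsoft Enhanced RSA and AES provider, exportable private key), and writes a password-protected PFX for the media wizard. The template name SCCMBootMediaCert (the template's internal name, without spaces) and the output path are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): enroll the boot media certificate
# into the machine Personal store, verify it meets the stated requirements, and
# export it with its private key as a password-protected PFX.
# Placeholders: template name (internal name, no spaces) and output path.
$TemplateName = 'SCCMBootMediaCert'
$PfxPath      = 'C:\Certs\SCCM-BootMedia.pfx'

# Enroll against the issuing CA; the certificate lands in Cert:\LocalMachine\My,
# which is what certlm.msc shows under Personal\Certificates.
$req = Get-Certificate -Template $TemplateName -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Enrollment did not complete, status: $($req.Status)" }
$cert = $req.Certificate

# Check the issued certificate against the template settings described above.
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'no private key is associated with the certificate' }
if ($cert.PublicKey.Key.KeySize -lt 2048) { $problems += "key size is $($cert.PublicKey.Key.KeySize), expected at least 2048" }

$csp = $null
try { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { }
if ($csp) {
    # "Microsoft Enhanced RSA and AES provider" is a CAPI provider, so the key
    # container info is available and tells us the provider and exportability.
    if ($csp.ProviderName -notlike 'Microsoft Enhanced RSA and AES*') {
        $problems += "key provider is '$($csp.ProviderName)'; the template should select the Microsoft Enhanced RSA and AES provider"
    }
    if (-not $csp.Exportable) {
        $problems += 'private key is not exportable; enable "Allow private key to be exported" on the Request Handling tab'
    }
} else {
    Write-Warning 'Key is a CNG key; provider and exportability were not verified here. The export below will fail if the key is not exportable.'
}
if ($problems) { throw ($problems -join '; ') }

Write-Host "Issued by $($cert.Issuer), thumbprint $($cert.Thumbprint), signature $($cert.SignatureAlgorithm.FriendlyName)"

# Export with the private key. The same password is entered again in the
# Create Task Sequence Media wizard when importing the PKI certificate.
$pfxPassword = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported to $PfxPath"
```

The PFX contains the private key that the boot media uses to authenticate to the CMG, so keep the file and its password as tightly controlled as the media password itself, and delete the PFX from disk once the media has been created.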
Create a Task Sequence bootable media to use CMG
To create new task sequence media:
- In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
- On the top ribbon click Create Task Sequence Media.
On the Select Media Type window, select Bootable media. Click Next.
You must select how media finds a management point. Select Site-based media. Click Next.
Specify the Media File. The file should have the .iso extension. Click Next.
Specify a password to protect the task sequence media. Under Import PKI certificate, click Browse, specify the boot media certificate and enter its password. Click Next.
Specify the following on the Boot Image page.
- Boot Image – Specify the x64 boot image.
- Distribution Point – This is your distribution point that’s on-prem.
- Management Point – This should be your CMG.
You may customize the task sequence media. Click Next.
Close the create task sequence media wizard.
Finally we have our bootable media file.
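The wizard steps above map onto the New-CMBootableMedia cmdlet, which is useful when you need to recreate the media after the certificate is renewed. This is an added example, not code from the original post. The site code, server names, boot image name, ISO path and PFX path are placeholders, and resolving the CMG through Get-CMManagementPoint by its host name is my assumption of how the wizard's Management Point choice maps to the cmdlet; if that lookup returns nothing in your site, create the media in the wizard as shown above.

```powershell
# Added example (not from the original post): create site-based bootable media
# as an ISO, using the on-prem DP for content, the CMG as management point and
# the PKI certificate exported earlier. Placeholders: site code, server names,
# boot image name, output path and PFX path.
$SiteCode  = 'P01'
$OnPremDp  = 'CM01.CONTOSO.LOCAL'
$CmgName   = 'CMG.CONTOSO.COM'
$IsoPath   = 'C:\Media\OSD-CMG-Boot.iso'
$PfxPath   = 'C:\Certs\SCCM-BootMedia.pfx'

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

$bootImage = Get-CMBootImage -Name 'Boot image (x64)'          # x64 boot image, as in the wizard
$dp        = Get-CMDistributionPoint -SiteSystemServerName $OnPremDp
$mp        = Get-CMManagementPoint -SiteSystemServerName $CmgName  # assumption: CMG resolves by host name

foreach ($pair in @(@('boot image', $bootImage), @('distribution point', $dp), @('management point', $mp))) {
    if (-not $pair[1]) { throw "Lookup for the $($pair[0]) returned nothing; check the name." }
}
if (-not (Test-Path $PfxPath)) { throw "PFX not found at $PfxPath" }

$mediaPassword = Read-Host -Prompt 'Password to protect the media' -AsSecureString
$pfxPassword   = Read-Host -Prompt 'Password of the PKI certificate (PFX)' -AsSecureString

New-Item -ItemType Directory -Path (Split-Path $IsoPath) -Force | Out-Null

# -AllowUnknownMachine corresponds to enabling unknown computer support on the
# customization page; a blank lab VM is an unknown computer to the site.
New-CMBootableMedia -MediaMode SiteBased -MediaType CdDvd -Path $IsoPath `
    -BootImage $bootImage -DistributionPoint $dp -ManagementPoint $mp `
    -MediaPassword $mediaPassword `
    -CertificatePath $PfxPath -CertificatePassword $pfxPassword `
    -AllowUnknownMachine

if (Test-Path $IsoPath) {
    $size = [math]::Round((Get-Item $IsoPath).Length / 1MB, 1)
    Write-Host "Bootable media created: $IsoPath ($size MB)"
} else {
    throw 'New-CMBootableMedia returned without producing the ISO; check CreateTsMedia.log.'
}
```

CreateTsMedia.log in the console's AdminUILog folder records the same progress the wizard shows, and is the first place to look if the cmdlet fails to produce the ISO.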
Deploy Task Sequence over Internet via CMG
First of all, boot your device from the boot media. In my lab, I have a new blank VM and I am going to mount the boot media.
The VM boots from the media and in no time you should see the Task Sequence wizard. Enter the boot media password and click Next.
Select the task sequence and click Next.
You must patiently wait until all the task sequence dependencies are resolved.
If you are not sure about the smsts.log file location, read Location of SMSTS log during SCCM OSD.
Note that the Windows 10 .wim file may take a significant amount of time to download. If you don't see any errors, wait until the download completes.
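When the wizard stalls and you are unsure whether the slow .wim download is a real failure, smsts.log is what you want to read. The following added example (not from the original post) pulls only the warning and error entries out of the CMTrace-format log, so you can tell a long but healthy download from a content or certificate error without scrolling through the whole file. The three log paths are the standard smsts.log locations in Windows PE and in the full OS; the sample entries at the bottom are constructed for this demonstration and are not from a real device.

```powershell
# Added example (not from the original post): extract warnings and errors from
# smsts.log. Standard locations are tried in order; if none exists (for example
# when trying this on your workstation), constructed sample lines are parsed.
$Candidates = @(
    'X:\Windows\Temp\SMSTSLog\smsts.log',   # Windows PE, before the disk is formatted
    'C:\_SMSTaskSequence\Logs\smsts.log',   # full OS, task sequence still running
    'C:\Windows\CCM\Logs\smsts.log'         # full OS, after the client is installed
)

function Get-SmstsIssues {
    param([string[]]$Lines)
    # CMTrace entry layout:
    # <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
    # type 1 = info, 2 = warning, 3 = error.
    $rx = [regex]'<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
    foreach ($line in $Lines) {
        $m = $rx.Match($line)
        if (-not $m.Success) { continue }
        $type = [int]$m.Groups['type'].Value
        $msg  = $m.Groups['msg'].Value
        # Many failures are logged as info lines that carry an HRESULT, so also
        # surface any line containing an 0x........ code.
        $hex  = [regex]::Match($msg, '0x[0-9A-Fa-f]{8}').Value
        if ($type -ge 2 -or $hex) {
            [pscustomobject]@{
                Date      = $m.Groups['date'].Value
                Time      = $m.Groups['time'].Value
                Component = $m.Groups['comp'].Value
                Severity  = if ($type -eq 3) { 'Error' } elseif ($type -eq 2) { 'Warning' } else { 'Info' }
                Code      = $hex
                Message   = $msg
            }
        }
    }
}

$log = $Candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if ($log) {
    Write-Host "Reading $log"
    $lines = Get-Content -Path $log
} else {
    Write-Host 'No smsts.log found; parsing constructed sample entries instead.'
    $lines = @(
        '<![LOG[Resolved content location to CMG.CONTOSO.COM]LOG]!><time="10:15:01.123+000" date="12-01-2020" component="TSManager" context="" type="1" thread="1234" file="tsmanager.cpp:10">',
        '<![LOG[Content download is taking longer than expected, continuing]LOG]!><time="10:22:10.456+000" date="12-01-2020" component="DownloadContent" context="" type="2" thread="1234" file="download.cpp:20">',
        '<![LOG[Failed to download content. Code 0x80072EE7]LOG]!><time="10:31:30.789+000" date="12-01-2020" component="DownloadContent" context="" type="3" thread="1234" file="download.cpp:30">'
    )
}

Get-SmstsIssues -Lines $lines | Format-Table Time, Severity, Component, Code, Message -AutoSize
```

A long-running download with no Error rows in the output is the "wait until it completes" case described above; an Error row with a code points you straight at the step that failed.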
Finally we see the Configuration Manager agent is being installed.
We have successfully deployed an OS over CMG.