SCCM Cloud Distribution Point
- April 21, 2022
- Posted by: Pavithra
- Category: End User Computing
SCCM CLOUD DISTRIBUTION POINT : HOW TO INSTALL AN SCCM CLOUD DISTRIBUTION POINT

A cloud distribution point is an SCCM distribution point that is hosted in Microsoft Azure. Clients access it like a normal distribution point, using port 443 (SSL). Cloud distribution points are useful for clients on the internet, as a fallback, or to quickly provision a distribution point when extra bandwidth is needed for a limited time. The whole process should take about an hour, a bit more if you’re not familiar with certificates, which are a big part of this guide.
PLAN
If you’re unsure whether a cloud distribution point is the right choice for your organization, read the Microsoft documentation, which explains the features and benefits in detail. The article also lists which features are supported and which are not.
COST
We also suggest reading the Microsoft article explaining the cost of using a cloud distribution point, as this could be a showstopper for a small business.
PREREQUISITES FOR SCCM CLOUD DISTRIBUTION POINT
- An Azure Subscription
- Your Windows Azure Subscription ID
- A self-signed or public key infrastructure (PKI) management certificate for communication from your primary site server to the Azure service (.cer file)
- A service certificate (PKI) that Configuration Manager clients use to connect to cloud distribution points and download content from them by using HTTPS
- DNS alias and a CNAME record in your DNS namespace for clients to resolve the name of the cloud service
- Client Settings configured correctly
- The client must have internet access
- Boundary group must be configured
We will cover all those requirements in this post.
CERTIFICATES REQUIREMENTS
To make an authenticated, secured (SSL) connection between your Primary Site installation and your Windows Azure subscription, you need to create your own management certificate, which can be self-signed or issued by a certification authority (CA). We recommend using a certification authority in a production environment. For testing (or lab) purposes you can use a self-signed certificate, which is easier to implement.
The high-level certificate requirements:
- Provide the .cer file of the management certificate to Azure. You must upload this certificate to Azure before you install a cloud distribution point. This certificate enables SCCM to access the Azure API.
- Provide the .pfx file of the management certificate to SCCM when you install the cloud distribution point. SCCM will store this certificate in the site database. Because the .pfx file contains the private key, you must provide the password to import this certificate file into SCCM.
- If you use a self-signed certificate, you must first export the certificate as a .cer file and then export it again as a .pfx file.
CREATE A SELF-SIGNED CERTIFICATE
Only follow this section if you are using a self-signed certificate. If you’ll be using a certificate from your certification authority (CA), jump to the next section.
- Open MMC
- On the File menu, choose Add/Remove Snap-in…, select Certificates, and click Add

- Go to Certificates (Local Computer) / Personal / Certificates
- You should find a Server Authentication certificate there with the name of your server in the Issued To column. In our example, it’s the first one listed (CM01.SCDLab.org)

We need two exports of this certificate:
- One to get a .cer file that we’ll upload to Windows Azure as the management certificate
- The other to create a password-protected .pfx file that we’ll use to configure the connection from our Primary Server to create the SCCM cloud distribution point
EXPORT THE .CER FILE:
- In the Certificates (Local Computer) console
- Right-click your Server Authentication certificate (in our case: CM01.SCDLab.org)
- Choose All Tasks / Export
- In the Certificates Export Wizard, choose Next

- On the Export Private Key page, choose Yes, export the private key, click Next

The certificate is now ready to be imported to create an SCCM cloud distribution point. You can jump to the Azure Subscription section if you are not using a PKI server.
CREATE AND ISSUE A CUSTOM WEB SERVER CERTIFICATE TEMPLATE ON THE CERTIFICATION AUTHORITY (IF USING PKI ONLY)
If you just created a self-signed certificate, jump to the Azure Subscription section.
This procedure creates a custom certificate template that is based on the web server certificate template. The certificate will be used for the installation of the SCCM cloud distribution point, and the private key must be exportable because it is requested during installation.
CREATE AND ISSUE THE CUSTOM WEB SERVER CERTIFICATE TEMPLATE ON THE CERTIFICATION AUTHORITY
- In Active Directory, create a security group named SCCM Site Servers that contains your SCCM Primary Site server computer account
- On the server that is running the Certification Authority, open the Certification Authority console (certsrv.mmc), right-click Certificate Templates and select Manage
- Right-click the Web Server template and then select Duplicate Template

- Select the Enroll and Read permission for this group
- Back in the Certification Authority (certsrv.mmc) console, right-click Certificate Templates, select New / Certificate Template to Issue


REQUEST THE CUSTOM WEB SERVER CERTIFICATE ON THE PRIMARY SITE SERVER
This procedure requests and then installs the newly created custom web server certificate on the Primary Site prior to the SCCM cloud distribution point installation.
- Open MMC
- On the File menu, choose Add/Remove Snap-in…, select Certificates, and click Add

- In the console, expand Certificates (Local Computer) / Personal / Certificates
- Right-click Certificates, select All Tasks / Request New Certificate
- On the Before You Begin page, click Next

  - Subject name: in Type choose Common name
  - Value: Specify your service name and your domain name in FQDN format (for example: scdclouddp1.cloudapp.net) and select Add
  - Alternative name: in Type choose DNS
  - Value: Specify your service name and your domain name in FQDN format (for example: scdclouddp1.cloudapp.net) and select Add




EXPORT THE CUSTOM WEB SERVER CERTIFICATE FOR CLOUD DISTRIBUTION POINTS
This procedure exports the custom web server certificate to a file. We will export it as a .cer file for the Azure Management Certificate and in .pfx format for the cloud distribution point creation.
.CER EXPORT
- In the Certificates (Local Computer) console, right-click the SCD SCCM Cloud DP certificate that you just created, select All Tasks / Export

- On the Export Private Key page, choose Yes, export the private key, click Next





The certificate is now ready to be imported to create an SCCM cloud distribution point.
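The two exports described in the self-signed and PKI sections can also be scripted. The PowerShell below is an added example, not part of the original post; the subject name and output folder are placeholders, and it checks that the .cer holds only the public certificate before restricting access to the .pfx.

```powershell
# Added example: export one certificate as .cer (public) and .pfx (private key).
# Assumptions: $subject and $outDir are placeholders; adjust to your environment.
$ErrorActionPreference = 'Stop'
$subject = 'CN=CM01.SCDLab.org'   # certificate name used in this walkthrough
$outDir  = 'C:\Temp\CloudDP'      # hypothetical export folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Find the newest matching certificate in Certificates (Local Computer) / Personal
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $subject" }

# The certificate must list Server Authentication (OID 1.3.6.1.5.5.7.3.1)
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate does not list the Server Authentication usage'
}

# 1) .cer: public certificate only. This is the file uploaded to Azure.
$cerPath = Join-Path -Path $outDir -ChildPath 'CloudDP.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 2) .pfx: certificate plus private key, protected by a password. This is the file
#    given to SCCM. The export fails if the private key is not marked exportable.
$pfxPath = Join-Path -Path $outDir -ChildPath 'CloudDP.pfx'
$pfxPwd  = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null

# Check the .cer: same certificate as in the store, and no private key inside
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($pub.Thumbprint -ne $cert.Thumbprint) { throw '.cer does not match the store certificate' }
if ($pub.HasPrivateKey) { throw '.cer unexpectedly carries a private key' }

# Restrict the .pfx: drop inherited ACEs, allow only local Administrators (SID S-1-5-32-544)
& icacls.exe $pfxPath /inheritance:r /grant:r '*S-1-5-32-544:F' | Out-Null
"Thumbprint $($cert.Thumbprint): $cerPath (upload to Azure), $pfxPath (import into SCCM)"
```

Run it from an elevated PowerShell session on the Primary Site server, and delete the .pfx from disk once SCCM has imported it.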
UPLOAD THE CERTIFICATE TO YOUR AZURE SUBSCRIPTION
If your company is already using Windows Azure, there is a very good chance that a management certificate was already created and uploaded. In that case, you only need to get the .pfx file and its password. If not, follow these instructions to upload the management certificate (.cer file) into the Azure classic portal. At the time of this writing, you can’t use the new Azure Portal for this.
- Log into the Azure classic portal
- Click Settings on the left side (all the way down)




CREATE THE SCCM CLOUD DISTRIBUTION POINT
- Open the SCCM Console
- Click Administration / Cloud Services / Cloud Distribution Points
- Right-Click Cloud Distribution Points and click on Create Cloud Distribution Point

  - If you forgot to copy it, log in to your Azure portal and get it from the Subscription section

- Enter a Description if desired
- All other values should be auto-filled, click Next

- There’s a known bug in SCCM 1702 which leaves the status in Provisioning. If you’re affected by this bug, apply the following hotfix


In your Windows Azure portal page, you can see that the storage space has been created. This is the storage space that will hold content that you’ll distribute to your cloud distribution point.
- In the Azure Portal, go to Storage Accounts section on the left
- You will see a new cloud service with a GUID

We will now distribute a package to our new cloud distribution point. We will send the Configuration Manager Client Package to the cloud distribution point.
- In the SCCM Console
- Click Software Library / Application Management / Packages
- Right-click Configuration Manager Client Package, select Distribute Content
- On the Review selected content page, click Next
- On the Specify the content destination page, click Add. In the resulting drop-down list, click Distribution Point
- In the Add Distribution Points list of available distribution points, check the box next to your cloud distribution point. Click OK, and then click Next
- On the Summary page, click Next. The distribution should complete successfully, so click Close
Let’s see if that package is distributed.
- Click Monitoring / Distribution Status / Content Status
- In the details pane, select your Configuration Manager Client Package, and note the completion status. The yellow circle will turn green when the distribution is complete, as with a “normal” DP
- Your cloud distribution point should be listed in the Success section when completed


- In your Windows Azure administration page
- Click on Storage Accounts
- Click on your storage account GUID



SETUP NAME RESOLUTION FOR CLOUD DISTRIBUTION POINTS
- In the Azure Portal
- Go to Cloud Services (classic)
- Click the Columns button on the top, and add the URL column
- On the right, the URL value will be YourServiceName.cloudapp.net. This is the DNS name that your clients will use to connect to the cloud distribution point and get their content

In order for the clients to download content from a cloud distribution point, they must be able to resolve scdclouddp01.cloudapp.net to the cloud distribution point IP address. This is done by creating a CNAME record in DNS with the FQDN of the Windows Azure service URL that you just noted in prior steps.
- Open the DNS Manager Console
- On your DNS server, open the DNS console and create a new CNAME record in your domain Forward Lookup Zones
- Select New Alias (CNAME)

- In Fully qualified domain name (FQDN) for target host, paste your Site URL (in our example: c940eea9c9954f038b69101c.cloudapp.net) and click OK
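
A quick check of the name resolution set up above, as an added example that is not part of the original post: it confirms that the alias is a CNAME to the Azure service URL and that port 443 presents a certificate the client trusts for that name. Both host names are placeholders to replace with your own.

```powershell
# Added example: verify the CNAME and the certificate served by the cloud distribution point.
# Assumptions: both names are placeholders; use your alias and the URL column value from Azure.
$ErrorActionPreference = 'Stop'
$alias  = 'clouddp.example.com'            # hypothetical name that clients look up
$target = 'yourserviceguid.cloudapp.net'   # placeholder for the Azure service URL

# 1) The alias must be a CNAME that points at the Azure service URL
$cname = Resolve-DnsName -Name $alias -Type CNAME |
    Where-Object { $_.Type -eq 'CNAME' } |
    Select-Object -First 1
if (-not $cname) { throw "$alias has no CNAME record" }
if ($cname.NameHost.TrimEnd('.') -ne $target) {
    throw "$alias points to $($cname.NameHost), expected $target"
}

# 2) Port 443 must answer with a certificate that this machine trusts for the alias.
#    AuthenticateAsClient throws on an untrusted chain or a name mismatch.
$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($alias, 443)
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList ($tcp.GetStream())
    $ssl.AuthenticateAsClient($alias)
    $srv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $daysLeft = [int]($srv.NotAfter - (Get-Date)).TotalDays
    "OK: $alias -> $target, certificate $($srv.Subject), expires in $daysLeft days"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

Run it from a client that should use the cloud distribution point, so that the result reflects the DNS servers and trusted root certificates that client actually has.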

We now need to configure client settings on our SCCM client for them to access the cloud distribution point.
- Open the SCCM console
- Go to Administration / Client Settings
- Right-click your client settings and click Properties
- Select Cloud Services and select Yes on Allow access to cloud distribution point

ADJUST BOUNDARY GROUPS
The last step is to set up our boundary groups to include our cloud distribution point.
- In the SCCM Console
- Go to Administration / Hierarchy Configuration / Boundary Groups
- Right-click your boundary group, select Properties


