Deploy Task Sequence over Internet via SCCM CMG
This tutorial walks you through deploying a task sequence over the internet via an SCCM CMG (Cloud Management Gateway). Using the Allow task sequence to run for client on the Internet option, we will deploy an OS to an internet-based device through the ConfigMgr CMG.
One of the new features in Configuration Manager 2010 is OS deployment over a CMG using bootable media. The feature first appeared in technical preview version 2009.
According to Microsoft, you can now use bootable media to re-image internet-based devices that connect through a CMG. This scenario helps you better support remote workers. If Windows won’t start so that the user can access Software Center, you can now send them a USB drive to reinstall Windows.
There are a number of prerequisites to get right before you deploy a task sequence over the internet. If you work through them in order, OSD via CMG should work fine.
In my lab I am running Configuration Manager 2010. Make sure you have installed hotfix KB4594176, which applies only to the ConfigMgr 2010 early update ring.
I have also set up PKI certificates, and the management point and distribution points are configured to use HTTPS. If you haven't set up PKI yet, refer to my PKI step-by-step guides.
Set up a Cloud Management Gateway
Setting up a cloud management gateway is the first prerequisite. The CMG provides a simple way to manage Configuration Manager clients on the internet.
When you deploy the CMG as a cloud service in Microsoft Azure, you can manage internet clients without additional on-premises infrastructure. If you haven't set up the CMG yet, use the following guide – https://www.prajwaldesai.com/setup-sccm-cloud-management-gateway/
A working CMG is a must, so confirm it is up and running before you go further. In the console, under Administration\Overview\Cloud Services\Cloud Management Gateway, the CMG status should show Ready; you can also RDP to the CMG instance if you enabled remote desktop on it.
Next, run the cloud management gateway connection analyzer. The analyzer flags any errors it finds; if all the results show green checks, you are good to proceed to the next step.
If you need log files for troubleshooting, refer to the CMG log files.
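As an added check (my example, not part of the original post, and not a replacement for the connection analyzer), the following PowerShell function tests the CMG's HTTPS endpoint from the outside: it resolves the service name, completes a TLS handshake, and reports the server certificate, its subject alternative names, and whether it chains to a root the test machine trusts. Run it from a machine that is not on the corporate network, because that is the path the boot media will take. The FQDN cmg.contoso.cloudapp.net is a placeholder.

```powershell
# Added example: external TLS check of a CMG endpoint. Not from the original post.
# Assumes Windows PowerShell 5.1 or later and outbound TCP 443 to the CMG service name.
function Test-CmgEndpoint {
    param(
        [Parameter(Mandatory)][string]$CmgFqdn,   # CMG service name, e.g. cmg.contoso.cloudapp.net (placeholder)
        [int]$Port = 443
    )
    $addresses = [System.Net.Dns]::GetHostAddresses($CmgFqdn) | ForEach-Object IPAddressToString
    $tcp = [System.Net.Sockets.TcpClient]::new($CmgFqdn, $Port)
    $ssl = $null
    try {
        # Accept any certificate during the handshake; the chain is evaluated explicitly
        # below so the outcome is reported as data rather than thrown as an exception.
        $noValidation = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $noValidation)
        $ssl.AuthenticateAsClient($CmgFqdn)

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Online revocation checking: a CMG cert that cannot be revocation-checked shows up in ChainStatus.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $trusted = $chain.Build($cert)

        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        # Last element of the chain: the root when the chain is complete. The boot media
        # must trust this root or the HTTPS connection to the CMG fails in WinPE.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Resolves        = ($addresses -join ', ')
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            SubjectAltNames = $san
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            ChainTrusted    = $trusted
            ChainStatus     = (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
            RootThumbprint  = $top.Thumbprint
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

Test-CmgEndpoint -CmgFqdn 'cmg.contoso.cloudapp.net' | Format-List
```

If ChainTrusted is false, read ChainStatus before touching the CMG: an untrusted root or an expired certificate at this point will surface later as a download failure in smsts.log, where it is much harder to recognise.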
Distribute Task Sequence to a Content-Enabled CMG
When a remote client boots from the media, it downloads content from the content-enabled CMG, which acts as a cloud distribution point. If the CMG doesn't have the content, the task sequence fails. Hence it is important to distribute all of the task sequence's referenced content to the CMG.
Distributing content to the CMG is very similar to distributing it to your internal distribution points. Right click the task sequence and select Distribute Content. On the Content Destination page, select the CMG and distribute the TS content.
To verify that the content has reached the CMG, go to Monitoring\Distribution Status\Distribution Point Configuration Status. Select your CMG and check the completion statistics at the bottom.
Allow access to Cloud Distribution Point
Under your client settings, you must allow access to the cloud distribution point. In the Configuration Manager console, go to Administration\Overview\Client Settings and open the client settings object that applies to these devices. Select Cloud Services. Under Device Settings, set Allow access to cloud distribution point to Yes so that clients can obtain content from a cloud distribution point.
Enable clients to use a cloud management gateway
In addition to allowing access to the cloud DP, you must also enable clients to use a cloud management gateway. In the same client settings object under Administration\Overview\Client Settings, select Cloud Services. Under Device Settings, set Enable clients to use a cloud management gateway to Yes. Click OK to close the client settings window.
Configure the Apply Network Settings Task Sequence step to join a workgroup
When you deploy a task sequence over the internet via the SCCM CMG, the remote device can't join the on-premises Active Directory domain, because during the deployment it has no connectivity to a domain controller.
Therefore we need to change the Apply Network Settings step in the task sequence. Edit the task sequence and click the Apply Network Settings step.
Select Join a workgroup and specify the workgroup name. If it's a new task sequence, make sure you select Join a workgroup rather than Join a domain.
Allow task sequence to run for client on the internet
When you deploy a task sequence over the internet, open its properties and, on the User Experience tab, select Allow task sequence to run for client on the internet. The same option is offered when you create a new task sequence. It is a prerequisite, and it applies to internet-based clients only.
Deployment settings – Make available to an option that includes media
When you deploy this task sequence, on the Deployment Settings page, under Make available to the following, select Only media and PXE.
Download content locally when needed by the running task sequence
You also need to make one more change in the task sequence deployment properties. On the Distribution Points tab, under Deployment Options, select Download content locally when needed by the running task sequence.
With this option selected, clients download content from the distribution point as the task sequence needs it. The client starts the task sequence, and when a step requires content, that content is downloaded just before the step runs.
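As an added example (my script, not the post's own steps, which use the console), here are the client settings, Apply Network Settings and deployment changes from the sections above applied with the ConfigurationManager PowerShell module. The site code PS1, the task sequence, collection and client settings names, and the name the CMG shows under distribution points are placeholders. The Allow task sequence to run for client on the internet option is still set in the task sequence properties in the console. Parameter names have changed across releases, so check Get-Help for each cmdlet in yours before relying on this.

```powershell
# Added example: scripted equivalent of the console steps above. Not from the original post.
# Placeholders: site code PS1, the task sequence, collection and client settings names,
# and the CMG's distribution point name. Run from a console-installed admin workstation.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # assumption: site code PS1

$tsName         = 'Deploy Windows 10 (CMG)'   # placeholder task sequence name
$collectionName = 'Internet OSD'              # placeholder collection for the deployment
$cmgDpName      = 'cmg.contoso.cloudapp.net'  # placeholder: the CMG as listed under distribution points

# 1. Client settings (Cloud Services): allow cloud DP content and CMG use.
#    'Internet Clients' is a placeholder custom device settings object; use -DefaultSetting
#    instead of -Name to change the default client settings.
Set-CMClientSettingCloudService -Name 'Internet Clients' `
    -AllowCloudDistributionPoint $true `
    -AllowCloudManagementGateway $true

# 2. Apply Network Settings must join a workgroup: there is no line of sight to a
#    domain controller while the task sequence runs over the internet.
$ts = Get-CMTaskSequence -Name $tsName
Set-CMTSStepApplyNetworkSetting -InputObject $ts -StepName 'Apply Network Settings' `
    -WorkgroupName 'WORKGROUP'

# 3. Deployment: only media and PXE, content fetched as each step needs it.
New-CMTaskSequenceDeployment -InputObject $ts -CollectionName $collectionName `
    -DeployPurpose Available `
    -MakeAvailableTo MediaAndPxe `
    -DeploymentOption DownloadContentLocallyWhenNeededByRunningTaskSequence

# 4. Content: push everything the task sequence references to the content-enabled CMG.
Start-CMContentDistribution -TaskSequenceName $tsName -DistributionPointName $cmgDpName
```

Steps 1 to 3 are idempotent and safe to re-run; step 4 only queues distribution, so still confirm completion under Monitoring\Distribution Status\Distribution Point Configuration Status before building the media.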
No Wireless Support – Only Wired Network Connection
When you deploy an OS over CMG using bootable media, make sure the device has a constant internet connection while the task sequence runs. Windows PE doesn’t support wireless networks, so the device needs a wired network connection.
PKI Prerequisites for bootable media
For version 2010 early update ring, if you use a PKI-based certificate for the boot media, configure it for SHA256 with the Microsoft Enhanced RSA and AES provider. For later releases, including globally available version 2010, this certificate configuration is recommended but not required. The certificate can be a v3 (CNG) certificate.
For the boundary group that the client is in:
- Associate the content-enabled CMG or cloud distribution point site systems.
- Enable the following option: Prefer cloud based sources over on-premise sources.
Create Certificate for Boot Media
Before you create the bootable media, let's create a certificate. This certificate is required when we create the boot media.
Login to the server running the Certification Authority role. Right click Certificate Templates and click Manage.
Right click Workstation Authentication template and click Duplicate Template.
On the new template properties, select General tab and specify the Template Name such as SCCM Boot Media Cert.
On the Request Handling tab, make sure you enable Allow private key to be exported.
On the Cryptography tab, under Providers, select Microsoft Enhanced RSA and AES Cryptographic Provider. Click Apply and OK.
Right click Certificate Templates and click New > Certificate Template to Issue. Select the boot media certificate and click OK.
Before we can export the certificate, we must first request it from the CA. On your site server, launch the certificates console for the computer (run certlm.msc). Expand Personal, right click Certificates and click All Tasks > Request New Certificate. Follow the wizard, select the SCCM Boot Media Cert template and click Enroll.
Now right click the boot media certificate and export it. Select Yes, export the private key, and click Next. Set a strong password for the PFX file, click Next, and finish the export.
Treat the exported PFX like a credential: it contains a client authentication private key, and anyone holding the file (or media built from it) plus the media password can authenticate to the CMG as a client. Store it securely, delete it once the boot media is created, and revoke the certificate on the CA if a copy or a USB stick goes missing.
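As an added example (my script, not part of the original post), the enrollment and export above done from PowerShell, with the checks I would make before that key goes onto media that leaves the building: SHA256 signature, the expected key provider, an exportable private key, a Client Authentication EKU, and a sensible remaining lifetime. It assumes the template's internal name (the Template name field on the General tab, which has no spaces) is SCCMBootMediaCert, that the CA is reachable through Active Directory enrollment policy, and that it runs in an elevated Windows PowerShell 5.1 session on the site server.

```powershell
# Added example: enroll, verify and export the boot media certificate. Not from the original post.
# Assumptions: template internal name SCCMBootMediaCert, AD enrollment policy available,
# elevated Windows PowerShell 5.1 on the site server.
$templateName = 'SCCMBootMediaCert'   # assumption: internal template name (no spaces)
$pfxPath      = 'C:\Certs\BootMedia.pfx'

# 1. Enroll: scripted equivalent of All Tasks > Request New Certificate > Enroll.
$request = Get-Certificate -Template $templateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($request.Status -ne 'Issued') { throw "Enrollment did not complete: status $($request.Status)" }
$cert = $request.Certificate

# 2. Inspect the private key. CSP keys (Enhanced RSA and AES) and CNG keys (v3 templates) expose
#    provider and export policy differently.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $provider   = $rsa.CspKeyContainerInfo.ProviderName
    $exportable = $rsa.CspKeyContainerInfo.Exportable
    $isCng      = $false
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $provider   = $rsa.Key.Provider.Provider
    $exportable = [bool]($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)
    $isCng      = $true
} else {
    throw 'No RSA private key found for the issued certificate'
}

$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = ($ekuExt.EnhancedKeyUsages | ForEach-Object Value) -contains '1.3.6.1.5.5.7.3.2'

# Enhanced RSA and AES is required on the 2010 early update ring and recommended later,
# where a CNG key storage provider is also acceptable.
$checks = [ordered]@{
    'Signature algorithm is sha256RSA'       = ($cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')
    'Provider is Enhanced RSA and AES or CNG' = (($provider -like 'Microsoft Enhanced RSA and AES*') -or $isCng)
    'Private key is exportable'              = $exportable
    'EKU includes Client Authentication'     = $hasClientAuth
    'Valid for at least 30 more days'        = ($cert.NotAfter -gt (Get-Date).AddDays(30))
}
$checks.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { throw 'Certificate does not meet the boot media requirements' }

# 3. Export with the private key. The PFX is a credential: anyone with it and the media
#    password can authenticate to the CMG as a client, so store it accordingly, delete it
#    after the media is built, and revoke the certificate if the media is lost.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
"Exported $($cert.Thumbprint) to $pfxPath"
```

The provider check is deliberately lenient for CNG keys because, as the PKI prerequisites section notes, the Enhanced RSA and AES provider is only mandatory on the 2010 early update ring; tighten it to the CSP-only form if that is the ring you are on.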
Create a Task Sequence bootable media to use CMG
Use the below steps to create a new task sequence media in SCCM.
- In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
- On the top ribbon click Create Task Sequence Media.
On the Select Media Type page, select Bootable media. Click Next.
You must select how the media finds a management point. Select Site-based media. Click Next.
Specify the path for the media file; the file name should end in .iso. Click Next.
Specify a password to protect the task sequence media (this password is what stops anyone who picks up the media from using it). Under Import PKI certificate, click Browse, select the boot media certificate you exported, and enter its password. Click Next.
Specify the following on Boot Image page.
- Boot Image – Specify the x64 boot image.
- Distribution Point – This is your distribution point that’s on-prem.
- Management Point – This should be your CMG.
Click Next.
You may customize the task sequence media. Click Next.
Close the create task sequence media wizard.
Finally we have our bootable media file ready.
Deploy Task Sequence over Internet via CMG
We will now deploy the task sequence over the internet via the SCCM CMG. First, boot your device from the boot media. In my lab, I have a new blank VM and I am going to mount the boot media ISO.
The VM boots from the media and within a short time you should see the Task Sequence wizard. Enter the boot media password and click Next.
Select the task sequence and click Next.
You must patiently wait until all the task sequence dependencies are resolved.
The task sequence deployment over the internet begins. While it runs, you can press F8 to open a command prompt and use the CMTrace log viewer to follow smsts.log.
If you are not sure where smsts.log lives at each stage, read Location of SMSTS log during SCCM OSD.
Note that the Windows 10 .wim file may take a significant amount of time to download over the internet. If you don't see any errors, wait until the download completes.
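As an added example (my code, not from the original post), here is a small parser for the CMTrace log format that smsts.log uses. It lists the warning and error entries and decodes 0x8019xxxx codes into HTTP status values (the low 16 bits carry the status, so 80190190 is HTTP 400, which is the pairing reported in the comments below). The four log lines in the block are constructed for the example, not a real capture; point the function at a copy of the real smsts.log instead.

```powershell
# Added example: CMTrace (smsts.log) parser that surfaces errors and decodes HTTP-style codes.
# Not from the original post. The sample log lines below are constructed.
function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string]$Text)
    # Entry layout: <![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="N" thread="N" file="...">
    # type 1 = informational, 2 = warning, 3 = error. Messages can span lines, hence Singleline.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"\s+file="[^"]*">'
    $severityNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    $opts = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Text, $pattern, $opts)) {
        $sev = $severityNames[$m.Groups['type'].Value]
        if (-not $sev) { $sev = 'Info' }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $sev
            Message   = $m.Groups['msg'].Value
        }
    }
}

function ConvertTo-HttpStatus {
    # BITS-style codes 0x8019xxxx keep the HTTP status in the low 16 bits:
    # 80190190 -> 400, 80190193 -> 403, 80190194 -> 404.
    param([Parameter(Mandatory)][string]$HexCode)
    $code = [Convert]::ToUInt32($HexCode, 16)
    if (($code -band 0xFFFF0000) -eq 0x80190000) { return [int]($code -band 0xFFFF) }
    return $null
}

function Get-SmstsErrors {
    param([Parameter(Mandatory)][string]$LogText)
    $codeRegex = '\b(?:0x)?(8019[0-9A-Fa-f]{4})\b'
    $entries = ConvertFrom-CMTraceLog -Text $LogText
    foreach ($e in ($entries | Where-Object { $_.Severity -ne 'Info' -or $_.Message -match $codeRegex })) {
        $note = ''
        if ($e.Message -match $codeRegex) {
            $http = ConvertTo-HttpStatus -HexCode $Matches[1]
            if ($http) { $note = "HTTP $http from the content source" }
        }
        [pscustomobject]@{
            Time      = "$($e.Date) $($e.Time)"
            Component = $e.Component
            Severity  = $e.Severity
            Message   = $e.Message
            Note      = $note
        }
    }
}

# Constructed sample, not a real capture. Replace with: Get-Content X:\Windows\Temp\SMSTSLog\smsts.log -Raw
$sample = @'
<![LOG[Resolving selected task sequence dependencies.]LOG]!><time="10:01:02.100+000" date="03-10-2021" component="TSPMClient" context="" type="1" thread="1100" file="">
<![LOG[Downloading package PS10001A from the cloud distribution point]LOG]!><time="10:02:10.000+000" date="03-10-2021" component="DownloadContent" context="" type="1" thread="1100" file="">
<![LOG[Http Result: 400]LOG]!><time="10:02:11.000+000" date="03-10-2021" component="DownloadContent" context="" type="3" thread="1100" file="">
<![LOG[SendResourceRequest() failed. 80190190]LOG]!><time="10:02:11.050+000" date="03-10-2021" component="DownloadContent" context="" type="3" thread="1100" file="">
'@

Get-SmstsErrors -LogText $sample | Format-Table -AutoSize
```

A 400 from the content source at the first download is worth checking against the client settings and boundary group prerequisites above (cloud DP access allowed, CMG enabled, content actually present on the CMG) before suspecting the media itself.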
Finally we see the Configuration Manager agent is being installed.
This completes the steps to deploy task sequence over Internet via SCCM CMG. We have successfully deployed Windows 10 and it’s ready to use.
When I go to “specify settings to control this deployment” I’m not able to change from “Only Config Manager Clients”. The option is greyed out.
I face this same issue. After the TS completes and the system boots, the logs seem to show that the client cannot send the TS completion status to SCCM. I understand that the user is likely no longer at the system, so they are not logged in and likely on wifi if at home with a laptop.
I wonder if there is a way to adjust the status message timeout for the TS so that it tries to send the status message for even hours after the reboot.
The log seems to indicate an attempt to communicate the status but after only 5 or so minutes, it gives up and discontinues the effort to try.
The result is the monitoring of the deployment shows systems as not compliant that actually are compliant because they gave up on sending the TS completion status.
Hi,
Thank you for this great guide.
Wondering if there is any way for my teleworkers, using their own Internet connections, to get the W10 machines logged into my company domain.
Thanks
I followed the guide and I can boot to my media, resolve dependencies and the TS begins. Once I get to the Applying OS stage and the first download begins in the SMSTSLog I see an Error. Status 300 – (Bad Request) returned. Followed by:
Http Result: 400
SendResourceRequest() Failed. 80190190
Any ideas why my content downloads can’t start?
Did you find the solution? I'm going through the same issue; if you have a solution, please update it here.
Thanks
Satish
When creating the boot media I am unable to select the CMG as the Management Point. We are using the CMG as a DP only; does this mean we need to add the Management Point role to the CMG?
When you deploy a task sequence to computers over the internet via CMG, how do the status messages get back to the SCCM site?
I have been doing a Win10 upgrade task sequence over CMG but am not getting task sequence status messages.
My SCCM env is 2103. Any idea?
Have you tried to make it work using WiFi? It should be possible using a custom WinPE (WinRE) made with the OSDCloud module.
Boot media that supports WiFi can be made like this:
# OSDCloud PowerShell module (PowerShell Gallery)
Install-Module OSD -Force
Import-Module OSD -Force
# WinRE-based template so WinPE can support WiFi
New-OSDCloud.template -WinRE -Verbose
$WorkspacePath = "C:\temp\OSDCloud"
New-OSDCloud.workspace -WorkspacePath $WorkspacePath
Edit-OSDCloud.winpe -CloudDriver Dell, HP, Nutanix, VMware, WiFi
# create ISO (then take boot.wim from it and import it into SCCM)
New-OSDCloud.iso
But the hard part is to make wifi connection before the TS starts…
Thank you for this guide,
I would draw your attention to one point: you should request a new certificate from the Active Directory Enrollment Policy instead of importing it.
Is there a way to temporary pause the task sequence after image deployment and wait for a tech to bind to domain and then continue on the from a point in the task sequence to fully setup a system?
I agree.. Not much good this is if the machine can’t join the domain..
Late here but why not create a secondary task sequence that you can deploy to these machines or a device collection that you can run within Windows that takes care of domain joining and steps that requires a connection to the domain? All you would need to do is send communication out to the users that informs them to connect to the VPN and then run the following task sequence from software center.
Hi Prajwal, is a certificate mandatory for boot media if you want to deploy an OS over CMG? Thanks
Yes it is mandatory.
Thanks.
I see that you have it set up with PKI Cert, so long as the machine has a cert that meets the requirements, could you use that cert to make the connection through the CMG? Like A SCEP/NDES Certificate?