clouds on mountain top

Configuration Manager 2012 Cloud Distribution Point

Q: How do I add a System Center Configuration Manager 2012 cloud distribution point?

A: System Center Configuration Manager 2012 SP1 introduced the ability to add Azure-based distribution points to Configuration Manager, which is very useful for Internet-based clients to obtain software while not connected to the corporate network. To configure a cloud distribution point, you need an Azure management certificate. (For information about creating an Azure management certificate, see "Q: How do I create a certificate to enable System Center App Controller to manage Windows Azure?") Note that the exact folder that contains makecert.exe might be different, and you might need to search for it. You'll also need to create a certificate with an exportable private key for the name the cloud distribution point will be known as to clients. This name will need to be resolvable to the clients and will actually point to the name of the Azure storage account that will be created automatically (e.g.,

To create the certificate for the cloud distribution point, you can use your enterprise certification authority (CA). You'll need to create a custom certificate template. Use the Microsoft Management Console (MMC) Certificate Authority snap-in to copy the Web Server template; right-click Certificate Templates and select Manager, then select the Duplicate Template context menu item. In the new template, on the Request Handling tab, make sure the Allow private key to be exported check box is selected. Under Security, ensure the required users have the Read and Enroll permission. In addition, on the Subject Name tab, select the Supply in the request option. Give the certificate template a new name on the General tab. After the certificate template is created, go back to the Certificate Authority snap-in and right-click Certificate Templates, select New, Certificate Template to Issue, and select your new certificate template. The certificate template is now available to be requested.

On the Configuration Manager machine, launch MMC, add the Certificates snap-in, and select Local Computer as the target. Navigate to Certificates, Personal, Certificates, and select the All Tasks, Request New Certificate action. Select your new template and click the More information is required to enroll for this certificate link, as the following figure shows.

On the Subject tab of the dialog box that displays, add the name for the distribution point as the Common Name (e.g., In addition, add the name as the DNS name under Alternative name, as the following figure shows.

Click OK, Enroll to create the certificate. Right-click the new certificate and select All Tasks, Export. Click Next, select the Yes, export the private key option, and click Next. Accept the defaults. On the Security page, select the options to use a password and to enter a password to secure the private key. Click Next. Enter a filename and click Next to finish the export.

Next, you need to add the cloud distribution point:

  1. Launch the Configuration Manager management tool.
  2. Select the Administration workspace.
  3. Navigate to Cloud Services, Cloud Distribution Points.
  4. Select the Create Cloud Distribution Point action.
  5. Enter your subscription ID (found on the Subscriptions tab of the Azure management portal) and your Azure management certificate (not the cloud distribution point certificate but the Azure management certificate I referenced in "Q: How do I create a certificate to enable System Center App Controller to manage Windows Azure?"). Click Next.
  6. Enter an Azure region and then the certificate file export for the cloud distribution point and its password, as the following figure shows. Click Next.

  7. Specify alerts related to storage size and amount of transfer, then click Next.
  8. Click Next, then Finish.

The Cloud distribution point will show as Provisioning started. You can view the full progress in the CloudMgr.log file, at C:\Program Files\Microsoft Configuration Manager\Logs. You'll also be able to see the Cloud Service Name that will be used in Azure.

In the Windows Azure portal, go to the Storage workspace. Once the cloud distribution point is provisioned, a new storage account will show; if you select it, you'll see containers for each package and other containers related to the cloud distribution point functionality, as the following figure shows. 

Select the Dashboard view to see the names for the storage account. Take note of the Blob service name (e.g., Create an alias (CNAME) in your DNS domain (e.g., for the name you gave the cloud distribution point (e.g., clouddp01) that points to the Azure Blob name, as the following figure shows.

Clients can now resolve the cloud distribution point name to the correct Azure storage account. You can then upload packages to the cloud distribution point via the Distribute Content action of an application or package and select the new cloud distribution point.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.