Deploy a task sequence over the internet
Applies to: Configuration Manager (current branch)
Configuration Manager supports various methods to deploy a task sequence to remote clients over the internet. You can deploy a Windows upgrade, use bootable media, or start it from Software Center. This article covers the particular configurations for these scenarios. First use Deploy a task sequence to create the basic deployment. Then use the configurations in this article to customize it for internet-based clients.
You can manage the behavior for high-risk task sequence deployments. A high-risk deployment is a deployment that is automatically installed and has the potential to cause unwanted results. For example, a task sequence that has a purpose of Required that deploys an OS is considered a high-risk deployment. For more information, see Settings to manage high-risk deployments.
Allow task sequence to run on internet
On the User Experience page of the Deploy Software Wizard, you can configure the deployment to Allow task sequence to run for client on the Internet. This setting is required for all internet-based client scenarios. The following sections cover the main scenarios when you enable this setting.
The task sequence advanced setting to Run another program first doesn't apply to task sequences that run on clients that communicate via a cloud management gateway (CMG). This option uses the UNC network path of the package, which isn't accessible via CMG.
Windows in-place upgrade
Use this setting for deployments of a Windows in-place upgrade task sequence to internet-based clients through the cloud management gateway (CMG). All supported versions of Configuration Manager support this scenario. For more information, see Deploy Windows in-place upgrade via CMG.
Install a Windows imaging task sequence from Software Center
Starting in version 2006, you can deploy a task sequence with a boot image to a device that communicates through the CMG. The user needs to start the task sequence from Software Center.
When an Azure Active Directory (Azure AD)-joined client runs an OS deployment task sequence, the client in the new OS won't automatically join Azure AD. Even though it's not Azure AD-joined, the client is still managed.
When you run an OS deployment task sequence on an internet-based client, that's either Azure AD-joined or uses token-based authentication, you need to specify the CCMHOSTNAME property in the Setup Windows and ConfigMgr step.
Use bootable media to install a Windows imaging task sequence
Starting in version 2010, you can use bootable media to reimage internet-based devices that connect through a CMG. This scenario helps you better support remote workers. If Windows won't start so that the user can access Software Center, you can now send them a USB drive to reinstall Windows. For more information, see Deploy an OS over CMG using bootable media.
In version 2002 and earlier, operations that require a boot media aren't supported with this setting. Allow a task sequence to run on the internet only for generic software installations or script-based task sequences that run operations in the standard OS.
For all internet-based task sequence scenarios in version 2002 and earlier, start the task sequence from Software Center. They don't support Windows PE, PXE, or task sequence media.
Deploy Windows in-place upgrade via CMG
The Windows in-place upgrade task sequence supports deployment to internet-based clients managed through the cloud management gateway (CMG). This ability allows remote users to more easily upgrade to Windows without needing to connect to the intranet.
Make sure all of the content referenced by the in-place upgrade task sequence is distributed to a content-enabled CMG. Enable the CMG setting: Allow CMG to function as a cloud distribution point and serve content from Azure storage. Otherwise devices can't run the task sequence.
When you deploy an upgrade task sequence, use the following settings:
Allow task sequence to run for client on the Internet, on the User Experience tab of the deployment.
Choose one of the following options on the Distribution Points tab of the deployment:
Download content locally when needed by the running task sequence. The task sequence engine can download packages on-demand from a content-enabled CMG. This option provides additional flexibility with your Windows in-place upgrade deployments to internet-based devices.
Download all content locally before starting task sequence. With this option, the Configuration Manager client downloads the content from the cloud source before starting the task sequence.
(Optional) Pre-download content for this task sequence, on the General tab of the deployment. For more information, see Configure pre-cache content.
Start the task sequence from Software Center. This scenario doesn't support Windows PE, PXE, or task sequence media.
Bootable media support for cloud-based content
Starting in version 2010, bootable media can download cloud-based content. For example, you send a USB key to a user at a remote office to reimage their device. Or an office that has a local PXE server, but you want devices to prioritize cloud services as much as possible. Instead of further taxing the WAN to download large OS deployment content, boot media and PXE deployments can now get content from cloud-based sources. For example, a cloud management gateway (CMG) that you enable to share content.
The device still needs an intranet connection to the management point.
When the task sequence runs, it downloads content from the cloud-based sources. Review smsts.log on the client.
Prerequisites for bootable media
Enable the following client setting in the Cloud Services group: Allow access to cloud distribution point. Make sure the client setting is deployed to the target clients. For more information, see About client settings - Cloud services.
For the boundary group that the client is in:
Distribute the content referenced by the task sequence to the content-enabled CMG.
Deploy an OS over CMG using bootable media
Starting in version 2010, you can use boot media to reimage internet-based devices that connect through a CMG. This scenario helps you better support remote workers. If Windows won't start so that the user can access Software Center, you can now send them a USB drive to reinstall Windows.
Prerequisites for boot media via CMG
For all content referenced in the task sequence, distribute it to a content-enabled CMG. For more information, see Distribute content.
Enable the following client settings in the Cloud services group:
Allow access to cloud distribution point
Enable clients to use a cloud management gateway
Configure the Apply Network Settings task sequence step to join a workgroup. During the task sequence, the device can't join the on-premises Active Directory domain. It doesn't have connectivity to a domain controller to join the domain.
When you deploy the task sequence to a collection, configure the following settings:
User experience page: Allow task sequence to run for client on the internet
Deployment settings page: Make available to an option that includes media.
Distribution points page, deployment options: Download content locally when needed by the running task sequence. For more information, see Deployment options.
Make sure the device has a constant internet connection while the task sequence runs. Windows PE doesn't support wireless networks, so the device needs a wired network connection.
If you use a PKI-based certificate for the boot media, configure it for SHA256 with the Microsoft Enhanced RSA and AES provider. This certificate configuration is recommended but not required. The certificate can be a v3 (CNG) certificate.
In versions 2010 and 2103, if you configure the management point to Allow internet-only connections, then you can't use boot media over a CMG. To work around this issue, configure the management point to Allow intranet and internet connections.
If your CMG uses a PKI-based certificate, you need to add the trusted root certificate to the boot image. Otherwise, Windows PE can't communicate with the CMG because it doesn't trust the CMG's certificate. For more information, see Add a trusted root certificate to a boot image.
Create boot media to use a CMG
Start the create task sequence media wizard for bootable media. For more information, see Create bootable media. Modify the standard process using the following steps:
On the Media Management page of the wizard, select the option for Site-based media.
On the Security page, set a strong password to protect this media.
On the Boot Image page, under Management point select the Cloud management gateway from the Add Management Points dialog.
When you boot an internet-connected device using this media, it communicates with the specified CMG. The boot media downloads the policy for the task sequence deployment via the CMG. As the task sequence runs, it downloads any additional content and policies over the internet.
After the task sequence runs, the client uses token-based authentication.
Add a trusted root certificate to a boot image
If your CMG uses a PKI-based certificate, you need to add the trusted root certificate to the boot image. Otherwise, Windows PE can't communicate with the CMG because it doesn't trust the CMG's certificate.
Step 1: Export the certificate registry blob
On a system that has the trusted root certificate installed:
Open the Start menu. Type
runto open the Run window. Open
From the File menu, choose Add/Remove Snap-in....
In the Add or Remove Snap-ins dialog box, select Certificates, then select Add.
In the Certificates snap-in dialog box, select Computer account, then select Next.
In the Select Computer dialog box, select Local computer, then select Finish.
In the Add or Remove Snap-ins dialog box, select OK.
Expand Certificates, expand Trusted Root Certification Authorities, and select Certificates.
Select the root certificate. On the Action menu, select Open.
Switch to the Details tab.
Copy the value for the certificate's thumbprint. For example,
From the Start menu, run
Browse to the following registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates. For more information about this registry key, see System Store Locations.
Select the registry key that matches the root certificate's thumbprint.
On the File menu, select Export. Specify a file name, and save the
Edit the file in Notepad. In the key path, change
winpe-offline, and save the file. For example:
Copy this file to a location that you can access for the next step.
Step 2: Import the certificate registry blob to the offline boot image
On a system that has the boot image file:
Mount the WIM file. For example,
DISM /Mount-image /imagefile:"C:\Sources\boot.wim" /Index:1 /MountDir:C:\Mount.
From the Start menu, run
Select HKEY_LOCAL_MACHINE. On the File menu, select Load Hive.
C:\Mount\Windows\System32\configand select SOFTWARE. This file is the offline registry hive for the Windows PE image mounted to
Make sure this path is to the mounted Windows PE image, not the default Windows OS path.
Name the key for the loaded hive
On the File menu, select Import. Browse to the modified
.regfile that you previously exported and modified. Select Open.
Browse to the following registry key:
Computer\HKEY_LOCAL_MACHINE\winpe-offline\Microsoft\SystemCertificates\AuthRoot\Certificatesand confirm that the new key is added.
Select the following registry key:
Computer\HKEY_LOCAL_MACHINE\winpe-offline. On the File menu, select Unload Hive, and select Yes.
Close the registry editor and any other windows that reference files in
Unmount the boot image and commit the changes. For example,
DISM /Unmount-image /Commit /MountDir:C:\Mount
The boot image now includes the trusted root certificate.