Is SCCM in Azure right for your organization?

System Center Configuration Manager still has a long life, which was further underscored by Microsoft supporting deployments of the endpoint management tool to Azure.

You've probably heard a lot of rumors about the inevitable demise of Microsoft System Center Configuration Manager, partly due to its on-premises origins.

A few years ago, this might have had some merit, but things have changed with several cloud options. We can either extend SCCM into Azure-based services (PaaS) or put the whole SCCM infrastructure in Azure (IaaS). The need to use cloud services, such as Microsoft Azure, has become more apparent after the sudden surge of people working remotely, which added strain to existing VPN infrastructures. Some traditional on-premises roles are giving way to the cloud service model because of its scalability, and extending your SCCM environment into Azure is an excellent way to start experimenting with a hybrid approach.

Before the SCCM current branch update program, if you wanted to move SCCM to Azure, your only option was to move the entire infrastructure to Azure. When Microsoft introduced the SCCM current branch, it updated the product to connect it to the cloud using back-end Azure services. Now, most organizations can pick and choose and switch some of the on-premises services with Azure-based ones. Organizations that want to use a cloud-only tool should consider using Intune, which is packaged with Configuration Manager in the Microsoft Endpoint Management product that was announced in November 2019.

Extending to the cloud essentially means you have a hybrid scenario, with some of your infrastructure on premises and other components in the cloud, to take advantage of the flexibility and other benefits when you move a workload out of your data center. There are three paths you can choose to combine the use of SCCM with Azure: Move update workloads from on premises to Microsoft Update, use the cloud management gateway (CMG) or move the SCCM infrastructure to Azure.

Option 1: Move update workloads from on premises to Microsoft Update

Moving software update binaries from internal servers to Microsoft Update is one of the most common scenarios many administrators have begun using, because the increase in remote work due to COVID-19 added stress to the VPN infrastructure. When you think about it, why would you want your internet-facing users to go into your infrastructure for updates when their systems get the same data from the cloud?

If you follow the method below, you still control which software updates to deploy through your SCCM infrastructure, but the binaries come from Microsoft Update. If the content is not found on a distribution point in SCCM, then the client will go to the cloud.

Prerequisite: Split tunneling for the VPN.

Configuration: To force clients to go to Microsoft Update, you need to:

  1. Find out which IP ranges cover your VPN clients.
  2. Create a boundary group in SCCM for the IP ranges. The IP ranges cannot be part of any other boundary groups.
  3. Create a distribution point that contains everything except software updates.
  4. Assign the distribution point to the boundary group.
  5. Go to the deployment settings of each software update deployment and any automatic deployment rules. Go to the Download Settings tab and select the checkbox next to where it says, "If software updates are not available on a distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates."

[Figure: SCCM download settings] When using Microsoft Update rather than the VPN to update clients, you need to adjust the download settings in SCCM.

Cost: The only additional charge may be setting up a new distribution point. There are no extra charges for using Microsoft Update.

Support: Moving software update workloads to Microsoft Update is fully supported and documented in this blog from Microsoft.

Drawbacks: There are a few risks involved with setting this up, such as:

  • Incorrect or missing configuration of split tunneling in the VPN will cause unintended behavior.
  • Overlapping boundaries might also cause unexpected behavior.
  • If the clients are on premises and content for the software updates is not found on internal distribution points, then they will go to Microsoft Update. You can prevent this by having multiple deployments, but it adds complexity to the setup.
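
Step 2 of the configuration and the overlapping-boundaries drawback both depend on the VPN range being exclusive to its boundary group. The PowerShell below is an added example, not part of the original article or of Microsoft's tooling: it checks a planned VPN range against existing IPv4 range boundaries and lists every one that overlaps. The function names, boundary names, groups and ranges are all constructed for illustration, and the 'start-end' value format is an assumption about how your boundary list is exported.

```powershell
# Added example: find IPv4 range boundaries that overlap the planned VPN range.
# All function names, boundary names, groups and ranges are constructed samples.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address.Trim())
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    [long]$n = 0
    # Fold the four octets (most significant first) into one comparable number.
    foreach ($b in $ip.GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function ConvertTo-Range {
    param([Parameter(Mandatory)][string]$Value)   # assumed format: 'start-end'
    $parts = $Value.Split('-')
    if ($parts.Count -ne 2) { throw "Expected 'start-end', got: $Value" }
    $start = ConvertTo-IPv4Number $parts[0]
    $end   = ConvertTo-IPv4Number $parts[1]
    if ($start -gt $end) { throw "Range start is above range end: $Value" }
    return [pscustomobject]@{ Start = $start; End = $end }
}

function Find-BoundaryOverlap {
    param(
        [Parameter(Mandatory)][string]$VpnRange,
        [Parameter(Mandatory)][object[]]$Boundary
    )
    $vpn = ConvertTo-Range $VpnRange
    foreach ($b in $Boundary) {
        $r = ConvertTo-Range $b.Value
        # Two closed intervals overlap when each one starts before the other ends.
        if ($r.Start -le $vpn.End -and $vpn.Start -le $r.End) {
            [pscustomobject]@{ Boundary = $b.Name; Range = $b.Value; Groups = $b.Groups -join ', ' }
        }
    }
}

# Constructed sample of existing boundaries and the groups they belong to.
$boundaries = @(
    [pscustomobject]@{ Name = 'HQ-LAN';        Value = '10.10.0.1-10.10.255.254';     Groups = @('BG-HQ') }
    [pscustomobject]@{ Name = 'Branch-Legacy'; Value = '172.16.8.1-172.16.12.254';    Groups = @('BG-Branch') }
    [pscustomobject]@{ Name = 'Lab';           Value = '192.168.50.1-192.168.50.254'; Groups = @('BG-Lab') }
)

# Planned VPN client range (constructed); any row returned is a conflict to resolve first.
Find-BoundaryOverlap -VpnRange '172.16.10.1-172.16.10.254' -Boundary $boundaries | Format-Table -AutoSize
```

With the sample data, only the Branch-Legacy boundary is reported, because the VPN range sits inside it. An empty result means the VPN range can be added to its own boundary group without colliding with an existing one.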

Option 2: Cloud management gateway

The CMG is a cloud service that simplifies the management of your internet-facing clients by having them contact Azure services instead of going through the VPN. The CMG is a PaaS and requires no management of VMs in Azure.

You can use CMG both as a manage-out client management system as well as a content delivery service from the cloud. The service uses a standard A2 v2 VM. The full configuration of the CMG is done via the SCCM console.

As of SCCM 1810, Microsoft deprecated the cloud distribution point, which is now in the CMG offering.

Prerequisites:

  • An active Azure subscription
  • Service connection point in online mode (can be colocated with other SCCM roles)
  • Certificates for server authentication
  • CMG management points in HTTPS mode
  • Clients in IPv4 mode
  • Integration with Azure AD
  • A globally unique name

Configuration: The high-level plan to set up CMG is as follows:

  1. Verify prerequisites
  2. Add CMG in the SCCM console
  3. Configure primary site for client certificate authentication
  4. Add a CMG connection point
  5. Configure management point for HTTPS or enhanced HTTPS
  6. Create a boundary group for external clients
  7. Assign the CMG to the new boundary group

For more details on setting up the CMG, refer to the documentation on Microsoft's site at this link.

Cost: CMG adds additional charges, including:

  • VMs, which depends on the number of CMGs deployed;
  • storage, where the cost depends on how much content you distribute; and
  • egress, how much outgoing traffic is used.

Johan Arwidmark, the technical fellow at 2Pint Software, has a great blog post on the type of costs you can expect when using CMG. If you would rather do this calculation yourself, use the Azure Pricing Calculator here and the pricing details page for Azure bandwidth on this calculator page.

Since the release of SCCM 1902, you can limit the cost through the SCCM console.

To configure thresholds, you will need to set up outbound traffic alerts. Stopping the CMG will not remove all costs; removing the CMG is the only way to prevent additional fees.

Support: The CMG is one of the focus areas within client management at Microsoft, so expect that the feature will be improved in the future.

Drawbacks: Two distinct downsides to CMG use include additional costs and added complexity with HTTPS.

Option 3: Move the SCCM infrastructure to Azure

Moving the SCCM infrastructure is as it sounds: pushing the servers to Azure instead of hosting them on premises.

Prerequisites: Azure VPN Gateway and Azure ExpressRoute.

Configuration: When setting up SCCM in Azure, you follow the same setup in the cloud as you do for an on-premises environment.

Cost: The costs vary greatly depending on your license agreement.

Because ExpressRoute is the option that makes the most sense for this type of arrangement, if you wish to move all servers to Azure, refer to Microsoft's ExpressRoute pricing site to determine which plan works best for your organization.

Once you determine which servers to move to Azure, you can then use the Azure Pricing Calculator to see what the cost is.

Support: Microsoft fully supports multiple SCCM in Azure configurations, such as Configuration Manager on an Azure VM or using an Azure VM to run different Configuration Manager site system roles with other roles running in the data center.

Drawbacks: If you want to move all SCCM servers to Microsoft Azure, you will need an unlimited data plan and a reliable connection between the on-premises data center and Microsoft Azure.

Also, an unlimited data plan only exists in Azure ExpressRoute, which can be expensive for some organizations. The lowest price for this type of plan is $300 per month for a 50 Mbps standard circuit connection. For a 1 Gbps plan, the monthly cost is $5,700 for the standard circuit and an additional $1,200 for the local circuit price.

What is supported in each scenario?

The following chart compares the areas supported in each of the three Configuration Manager configurations.

Feature                       Microsoft Update   Cloud Management Gateway   SCCM in Azure
Operating system deployment   No                 Yes*                       Yes
Software updates              Yes                Yes                        Yes
Application deployment        No                 Yes                        Yes
Compliance management         No                 Yes                        Yes
Client management             No                 Yes                        Yes
Driver management             Yes**              Yes**                      Yes

*Announced in Configuration Manager technical preview version in May 2005. The feature will most likely be added as a preproduction feature in the next version of Configuration Manager.
**New driver updates can be delivered through Microsoft Update.

How can I monitor where my content is coming from?

There are a few ways to do this, but two methods are to check the Cloud Management and Client Data Sources dashboards in SCCM, shown below, or check the log files on the client.

[Figure: SCCM dashboard] The Client Data Sources dashboard in SCCM keeps track of the source of client software updates.
