Summary

Nomad now supports the following Configuration Manager on Azure scenarios: the IaaS (Infrastructure as a Service) scenario, where you host your Configuration Manager infrastructure servers in Azure virtual machines; cloud-based distribution points, where System Center Configuration Manager distribution points are hosted in Microsoft Azure as a cloud service; and Cloud Management Gateways, where Configuration Manager management points are hosted in the cloud.

Configuration Manager running under Azure configured in Infrastructure as a Service (IaaS) mode

Nomad 6.3 has been tested to show integration with Configuration Manager and Active Directory infrastructure servers in Azure virtual machines (Infrastructure as a Service). In this scenario, CM and AD run in Azure and manage a local client network on the organization's premises, and this local network is connected to Azure using Microsoft Azure Site-to-Site Connectivity. The ActiveEfficiency server may be hosted on a virtual machine in the Azure cloud or locally on the on-premises network, with Nomad installed on all client devices as usual.

Cloud-based Distribution Points

System Center Configuration Manager now supports Distribution Points (DPs) that are hosted in Microsoft Azure. The DP site system role hosted on Windows Azure is referred to as a site system cloud service. The site system cloud service contrasts with a site system server, which refers to an on-premises computer that is managed in the local network environment. Nomad also supports Cloud Management Gateway for management point roles to manage Configuration Manager clients on the Internet.

When a Configuration Manager Client (ContentTransferManager) requests Nomad to download the content from a cloud-based Distribution Point, Nomad performs the following tasks:

  1. Downloads the encrypted content
  2. Decrypts the content before copying it to its own cache
  3. When the download is complete, Nomad encrypts the content and copies it to the Configuration Manager cache.
  4. Nomad peers looking for the original content in the subnet perform an election for the decrypted content and then copy it from an elected master
  5. When the peer copy is complete, the peer Nomad encrypts the content and copies it to the Configuration Manager cache.

Nomad does not create any hard links between the Nomad cache content and the Configuration Manager cache, but the Nomad cache cleaner is able to delete the content from both the Nomad cache and the Configuration Manager cache.

Cloud-based DP content and LSZ/LST file generation

Nomad content distribution relies on having access to an LSZ file that provides metadata regarding the download content. With on-premises Distribution Points, the LSZ file is normally generated by a local Nomad service. That option is not available for cloud-based DPs, as they run as a service in Azure and a Nomad service cannot be installed. Instead, the LSZ file is generated locally by mimicking the process used by the Configuration Manager agent, which queries the content's metadata from the DP directly.

Caveats

  1. Cloud-based Distribution Points are not currently supported for Office 365 updates
  2. RDC is not supported on cloud-based Distribution Points
  3. If content is marked to be delivered as 1 (Compressed) or 2 (Encrypted) under Nomad SECure and needs to be downloaded to the client from a cloud-based distribution point, these settings are ignored and content is downloaded in the original format. For the same reason, Ahead Of Time (AOT) LSZ generation is also not supported for cloud-based distribution points.

Cloud Management Gateway 

From Configuration Manager version 1610 and above, the cloud management gateway provides a simple way to manage Configuration Manager clients on the Internet. The cloud management gateway service is deployed to Microsoft Azure and requires an Azure subscription. It connects to your on-premises Configuration Manager infrastructure using a new role called the cloud management gateway connector point. Once the gateway is deployed and configured, clients are able to access on-premises Configuration Manager site system roles regardless of whether they are on the internal private network or on the Internet. Currently, cloud management gateway only supports management point and software update point roles, and Nomad has only been tested with management points.

When a client is on the Internet, the Configuration Manager Client requests Nomad to download the content from a cloud-based distribution point. Nomad gets the management point list (including cloud management gateway enabled internet management points) from WMI and uses those to determine the appropriate distribution points. The rest works as usual.