Deploy Windows Azure Pack (Express) Step-by-Step

Hello again folks, if you’ve been following this blog since it launched, you’ll be aware that I’ve been writing a series I’m calling the Server 2016 Features Series. Part of this series is exposing the Shielded VM capability to the Windows Azure Pack portal. I’m working on the assumption that some people may never have deployed WAP before, and so decided to put a guide together for it. As this guide isn’t technically part of the above series, I’ll also be including the components required for a successful minimal viable deployment of WAP Express (single server). Here is a high level of the tasks covered:

  • Deploy and configure a SQL Server 2016 VM
  • Deploy and configure a Service Provider Foundation Server
  • Deploy and configure a Windows Azure Pack Server

NOTE:  Deploying a stand-alone SQL server isn’t technically required as you can use SQL Express on the same server as both WAP and SPF, but being that we’re deploying both I thought, why not put all the databases in one place

Here are a few links giving a more detailed overview of each role we’re going to install (it’s worth giving these a quick read before proceeding, especially if you’re completely new to the technology):

Windows Azure Pack:

Service Provider Foundation:

It’s very likely that I’ll be putting together a guide for a distributed deployment of WAP in the not too distant future. A distributed deployment would have its privileged roles on a backend network with its publically available roles on separate servers located in a DMZ, but that’s out of scope for this particular guide.

With no further ado, let’s get to it.


There are a few pieces of software you’ll need before we get going, some of the links I’ve provided are to evaluation ISOs, substitute these with your own as you see fit.

Download to your SQL Server

SQL Server 2016:

SQL Server Management Studio:

Download to your SPF Server

Service Provider Foundation:

System Center Virtual Machine Manager:

Download to your WAP Server

WAP Single Server Installation Executable:

SPF is included as part of the System Center Orchestrator ISO, so download that 🙂
SCVMM ISO is only needed for the console installer

Virtual Machine Specifications

These specifications are completely up to you and the ones below are only meant as a guide 🙂
These servers should be fully patched and joined to your management domain.

Virtual MachinevCPURAM (GB)Storage
DF-LabSQL14820GB Data
20GB Logs
DF-LabSPF124No additional storage required
DF-LabWAP148No additional storage required

Active Directory

Create users/security groups in AD for the following purposes:

  • A SQL Service account
  • A SPF Service Account e.g. “SCSPF_SVC”
  • A security group for the SPF Admin Service e.g. “SCSPF_Admins”
  • A security group for the SPF Provider Service e.g. “SCSPF_Provider”
  • A security group for the SPF VMM Service e.g. “SCSPF_VMM”

Install SQL Server 2016 Step-by-Step

Log onto the SQL VM you deployed earlier, mount your SQL 2016 ISO (downloaded above or using your own) and run “Setup.exe”.


Within the “SQL Server Installation Center”, click on “Installation” and “New SQL Server stand-alone installation…”


If you have a product key, enter it, otherwise select “Specify a free edition” and choose “Evaluation” from the drop-down. Now click “Next”

Accept the license terms and click “Next”


On the “Features Selection” page, choose “Database Engine Services” and any additional features you generally make use of and click “Next”


Choose the default instance name or modify it as desired, for this guide, I’ll leave it at default. Now click “Next”


On the “Server Configuration” screen, enter the SQL Service account you created earlier under “SQL Server Agent” and “SQL Server Database Engine”.

Change the SQL Server Agent “Startup Type” to “Automatic” and click “Next”


Database Engine Configuration

Server Configuration Tab

Select “Mixed Mode” as the Authentication mode and enter a password for the “SQL Server system administrator account (SA)”. Note this password down as you’ll need it during your WAP deployment.

Click “Add Current User” and add any additional users you want as administrators on this SQL instance.


Data Directories Tab

Change the drive letter of “Data root directory” in line with the data drive on this VM
Change the driver letter of “User database log directory” in line with the log drive on this VM

NOTE:  This data layout isn’t best practice as ideally we’d also create a drive for TempDB but will do for the purposes of this guide

Now click “Next” and “Install” and “Close”


All going well, you should now have a SQL Server up and running and ready to receive our SPF and WAP databases

Before moving on though, you’re going to want install SQL Management Studio as we’ll need it later in this guide.

You can download the installer by clicking the link in the prerequisites section at the TOP of this guide.

Install Service Provider Foundation (SPF) Step-by-Step

Now that we’ve got our SQL server up and running, we can move on to deploying our SPF server.

  • Log onto the SPF VM you deployed earlier and mount the Orchestrator ISO you download above in the prerequisites section (or use your own).
  • Run the “SC2016_SCO” application to extract the files to a location of your choice.
  • Browse to the extracted files and run “SetupOrchestrator.exe” and select “Service Provider Foundation”

Now select “Install”


Accept the license agreement and click “Next” till you’re on the “Prerequisites” screen…and OMG there are a few


OK, so let’s turn all those red crosses into green ticks.

Launch an elevated PowerShell console and paste in the following to install IIS and it’s required components:

# Download SPF Prerequisites
$Installers = New-Item C:\Temp\SPFPrereqs\ -ItemType Directory
Set-Location -Path $Installers
Invoke-WebRequest "" -OutFile aspnetmvc.exe
Invoke-WebRequest "" -OutFile wcfdatasvc.exe

# Install IIS and required components
Install-WindowsFeature Web-Server, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Scripting-Tools, Net-Framework-45-ASPNET, NET-WCF-HTTP-Activation45, ManagementOdata, WAS, WAS-Process-Model, WAS-Config-APIs

# Install AspNetMVC4 and WcfDataServices
Start-Process -FilePath .\aspnetmvc.exe /quiet
Wait-Process aspnetmvc
Start-Process -FilePath .\wcfdatasvc.exe /quiet
Wait-Process wcfdatasvc

The last prerequisite we need to install is the SCVMM console, with that in mind:

  • Mount the SCVMM ISO you download above in the prerequisites section (or use your own).
  • Run the “SC2016_SCVMM” application to extract the files to a location of your choice.
  • Browse to the extracted files and run “Setup.exe”
  • Now click “Install”

Select “VMM Console” and click “Next”


Accept the licence terms and click “Next” 4 times accepting the defaults as you go. Now click “Install”


Once the installer has completed, click “Close” twice.


As promised, all the red is now green Click “Next”


Enter the FQDN of the SQL server you created earlier.
Accept or modify the database name to your liking and click “Next”


Under “Server Certificate” select “Self-Signed” if you’re building this environment for testing purposes or select “Use Existing Certificate” and provide a certificate from a trusted Certification Authority. This certificate is used by SPF as for its IIS site bindings.


On “Configure the Admin web service”, enter the security group you created earlier for “SPF Admins” (See required layout in screenshot).

Under “Application pool credentials” select “Service Account” and enter the details for the “SCSPF_SVC” account you created earlier (See required layout in screenshot)

Now click “Next”


Repeat the above steps for the “Provider”, “VMM” and “Usage” services. Change the security group as required but use the same service account (See screenshots for guidance)

I used the same security group for both the “VMM” and “Usage” web services.


Select your preference for “Microsoft Updates” and click “Next” and “Install”


All going well, you should be met with the following screen, click “Close”


SPF Post Installation Steps

Before moving on to our WAP deployment there are a few things left to do, the first one is to sort out our local permissions.

On your SPF server, open up the “Local Users and Groups MMC” (WinKey+R “lusrmgr.msc”)

Create an account named “SCSPF_REG”

Add the above account and the domain SPF Service account you created earlier to the following local groups on the server (See Screenshot):

  • SPF_Admin
  • SPF_Provider

We also need to add the SPF Service account to the “Administrator” user role in the SCVMM console.

Within your SCVMM console, navigate to “Settings”, “User Roles”, right-click “Administrator” and select “Properties”


On the “Members” tab, click “Add” and search for the domain SPF Service account you created earlier in this guide and click “OK” twice.


The last thing we need to do is to make sure the domain SPF Service account has the “Sysadmin” server role on our SQL server.

Log onto your SQL server and launch “Microsoft SQL Server Management Studio” and connect to your instance.


Navigate to “Security”, “Logins”, right-click on the SPF Service account and select “Properties”


Click “Server Roles”, place a tick in “sysadmin” and click “OK”

…and that should be everything, let’s move on to our WAP deployment

Install Windows Azure Pack (Express) Step-by-Step

The first thing we need to do is install the Microsoft .NET Framework 3.5 SP1 as it’s a requirement for WAP

So, launch an elevated PowerShell console and paste in the following:

Install-WindowsFeature -Name NET-Framework-Core

If the above doesn’t work and gives an error about sources, attach a Server 2016 ISO to the VM and run the PowerShell below instead (changing the drive letter as required):

Install-WindowsFeature -Name NET-Framework-Core -Source <drive>:\sources\sxs

Being that we’re installing WAP as a single server deployment (Express), we can make use of a great tool that Microsoft put out that’ll do most of the work for us. You should have already downloaded this file to your WAP server as per our prerequisites.

Navigate to the download location of the above file named: WAP_SingleMachineInstallation.3f.3f.3fnew.exe, right-click and select “Run as Administrator”

You should now be presented with the following screen:

You can click “Items to be installed” to review exactly what components make up the installation (if you’re interested )


If you want to opt out of the “Customer Experience Improvement Program”, click “Options”, deselect it and click “OK”


Now click “Install” and accept the terms.


All components will now be downloaded and installed, this may take a while as there are 51 steps in total.


When the installer has finished, click “Continue” to launch the WAP configuration site.


On the “Database Server Setup” page, enter the following information:

  • The FQDN of the SQL server you deployed earlier
  • Select “SQL Server Authentication” as the Authentication Type
  • Enter the password you configured for the “SA” account during your SQL deployment
  • Enter a passphrase for your configuration store (See details in screenshot for what this is used for).

Now click the next arrow.


Choose yes or no for joining the CEIP and click the next arrow. Now click the “tick”


Once all items have a green tick next to them, click the “tick” again and the window will be closed.

Now click “Finish” and “Exit”


Fantastic, now that we’ve deployed SQL, SPF and WAP, let’s get it connected up to our compute and storage resources via SCVMM.

WAP and SPF Post Installation Configuration Tasks

The first thing we’ll want to check if what ports our WAP Admin and Tenant sites are listening on. You can find this out by launching IIS on your WAP server and navigating to “Sites”


The sites we’re most interested in at this point are:

  • The Admin Portal – MgmtSvc-AdminSite on port 30091
  • The Admin Authentication Site – MgmtSvc-WindowsAuthSite on port 30072
  • The Tenant Portal – MgmtSvc-TenantSite on port 30081
  • The Tenant Authentication Site – MgmtSvc-AuthSite on port 30071

The first thing you’ll notice are the port numbers that have been used, don’t worry, these can all be set to port 443 and can be configured to use an SSL certificate that’s been issued by a trusted Certification Authority. See my guide HERE on how to do that.

Now that we know the port numbers we can log into the WAP Admin portal and start to configure these resources for use. Before we do that though, let’s go and create a cloud within the SCVMM console.

Create a Cloud in SCVMM

Clouds in SCVMM let us bundle together resources for consumption by tenants from the WAP portal (in our use case anyway). Here are a FEW of the configurable settings on a cloud:

  • What resources it uses, in other words, what host group and by extension what compute clusters VMs can be deployed to within this cloud
  • Which logical networks are exposed to this cloud. This will allow you to then expose specific related VM networks to WAP
  • Which storage to present to this cloud, based on the classifications you’ve set against the different types
  • Which library server can be used with this cloud
  • Allows scoping down of the available resources within the hosts groups configured against this cloud

Let’s crack on and create a test cloud

Navigate to “VMs and Services”, right-click on “Clouds” and select “Create Cloud”


Type a name for your cloud and if you’ve been following my Server 2016 Features Series, select “Supported on this private cloud” from the “Shielded VM support” drop-down. Otherwise select “Not supported on this private cloud” if you’ve not deployed a guarded fabric.

Now click “Next”


Select the host group that contains the Hyper-V cluster you want to deploy your VMs to and click “Next”


Decide which VM networks you want to expose to your cloud and select the Logical Networks they sit on and click “Next”

NOTE:  I’m adding my management logical network here as it’s the only one I currently have set up this a configured static IP address pool


Skip the “Load Balancers”, “VIP Templates” and “Port Classifications” tabs for the time being.

On the Storage tab, select which storage you want to consume from this cloud (these are presented via configured storage classifications) and click “Next”


Under “Read-only library shares” click “Add” and select a library share to attach to your cloud. This is especially imported if you’re going to configure Shielded VMs as it’s a requirement when downloading the Volume Signature Catalogue for signed template disks.


On the Capacity tab, decide how much resource you want to make available to this cloud and click “Next”


Click “Next” through to the end of the wizard and click “Finish”

Connect Service Provider Foundation to SCVMM

Back on your WAP server, launch the WAP admin portal by browsing to the following URL: https://localhost:30091 and log in using the account you used to deploy WAP (additional admin users can be added to the WAP admin group.  See my guide HERE on how to do that.

Now that you’re logged into the portal, click on “VM CLOUDS” and select “First you must register your System Center Service Provider Foundation”


Type in the FQDN of the SPF server we deployed earlier, in the following format: https://ServerFQDN:8090

Enter the username and password for the local “SCSPF_REG” account you created earlier in this guide (See screenshot)


Connect WAP to SCVMM

With WAP connected to SPF, we should now be able to connect WAP to our SCVMM Server.



Type in the FDQN of your SCVMM server and click “Register”


Once the job has completed successfully, you should see your SCVMM server and any cloud you’ve created listed under it


Set up Your First Plan and Tenant

Now that you’ve got everything up and running, you’ll want to make sure that everything is working as expected. To assist with that, lets create a plan and a tenant to add to that plan.

Click “+ NEW”, “PLAN” and “CREATE PLAN”


Type a “Friendly Name” for your plan and click the arrow


Place a tick in “VIRTUAL MACHINE CLOUDS”, click the “right” arrow and the “tick” to complete.


So we’ve now created a plan but need to configure it. This will let us chop up our available resource, assign specific VM networks and templates etc.

Click on the plan you just created to view it’s properties.


Within the plan properties, click on the “Virtual Machine Clouds” link.


Select your SCVMM server from the drop-down named “VMM Management Server”

Select the cloud you created earlier from the drop-down named “Virtual Machine Cloud”

Also, if you’ve used my Server 2016 Features Series to deploy a Guarded Fabric, you’ll notice that shielded VMs are supported on this cloud.

Within this page you can choose how much of your available resource to allocate to this plan, you can also choose which networks, hardware profiles and templates to assign.

Also take a look at the “additional settings” section (choose whatever settings work for you) before clicking “Save” to finish configuring your plan.


OK, now that we have a plan, let’s create a tenant and given them access to it.


  • Enter an email address for your tenant (this should be any valid email address)
  • Enter a password for the tenant (they can change this later within their tenant portal)
  • Choose the plan you just created and click “CREATE”

Once the job completed fully, your new account should look like below:


Now, let’s log into the tenant portal as the user you just created.

On your WAP server, browse to: https://localhost:30081 and login as the user we just created.


All going well, you should be met with a screen that looks like this:


Well, that was a fairly long guide, I’m off for a coffee. Later guys, see you in the next guide

11 Replies to “Deploy Windows Azure Pack (Express) Step-by-Step”

  1. I got the the stage of add the SPF Service account to the “Administrator” user role in the SCVMM console, but I am unable to log into the SCVMM console as my account is not a member of a valid user role.

    Any thoughts as to what I need to do now?

    1. Hi Rodney,

      The only real way round this is to log onto the SCVMM console as a user that IS a member of a valid user role. Are you trying to log onto the SCVMM console AS the SPF Service Account? Quickest fix would be to have a SCVMM administrator jump on and add the account for you.

  2. Hi David,

    Thanks a million for doing such a great job with providing this awesome doc ! I followed it exactly and worked like a charm the first time :). Did you provide other posts where you show how to configure the services ? I am particularly interested in Server Roles. If not, can you provide a site or resource where I can learn this? Again, great job !


    1. Hi there Mike,

      Glad the guide helped out, I appreciated the comment 🙂

      I’ve only ever done one distributed deployment of Azure pack and if I remember correctly I used the following article for guidance.

      Mine was quite a small distributed deployment where I only went as far as separating out the tenant and admin roles (connecting to a dedicated SQL instance). The tenant roles ran in a DMZ with the admin roles sitting on a “production” network. Pretty sure I ended up using Nginx for HA and load balancing between the respective roles…not gonna lie, pretty sure that part was a massive pain in the hoop 🙂

      Hope this helps, good luck Mike.

  3. Thank you for so much this awesome step by step guide! I wasted 2 hours diving through Technet just trying to get the SPF details before giving up and going to google.

  4. Hi David,

    Thanks much for the article.When I try to access the localhost:30091,Im getting the below error.

    The identity provider configuration is not valid. Try to re-configure trust with an identity provider.

    Any idea to fix this issue?

  5. Hi Team,

    We have completed the hyper-V setup with failover clustering.

    On top of that,we did setup SCVMM setup.

    We have 10 clients and our intention is to provide tenant access(customer access) through URL.

    To complete the setup,we have built the below VMs as per the below article

    1) Windows Azure pack(WAP).

    2) Service provide foundation(SPF)

    3) SQL server.

    Everything went good and in the final stage,we are getting the below error while access the port 30091,


    The identity provider configuration is not valid. Try to re-configure trust with an identity provider.

    Please note,we are just using AD server and not using ADFS setup.

    Please help.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.