ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG

ConfigMgr Client Deployment Using Intune

Let’s understand the workflow of ConfigMgr client deployment using Intune. In this post, we analyze the sequence of back-end events that occur when the ConfigMgr client is deployed from Intune through a Cloud Management Gateway (CMG). Understanding this workflow helps when troubleshooting ConfigMgr client deployment via CMG.

In Autopilot deployments, Windows 10 devices are managed by Intune, but many customers still need ConfigMgr for a variety of reasons. Intune can deploy the ConfigMgr client via a CMG, and that is the flow this post walks through.

Scenario Summary

  • Windows 10 is provisioned via the Windows Autopilot process.
  • Windows 10 is enrolled in Intune.
  • Intune deploys the ConfigMgr client (ccmsetup bootstrap) via the CMG.
  • The ConfigMgr agent communicates with the ConfigMgr site via the CMG.
  • The computer becomes co-managed (ConfigMgr + Intune).

To implement the above scenario, you need a CMG infrastructure, Windows Autopilot, and the ConfigMgr bootstrap executable (ccmsetup.exe) deployed from Intune.

  • Refer here for more details on how to configure the CMG.
  • Refer here for more details on how to configure ConfigMgr client deployment in the Intune console.

Flow Diagram – Client Deployment Using Intune

The diagrams below describe the sequence of events after ConfigMgr agent installation is triggered via the CMG. The events are numbered and described in detail.

[Flow diagrams: ConfigMgr agent deployment and registration through the CMG, with the numbered steps listed below]

The following steps help you understand the ConfigMgr client deployment using Intune process.

  • Create the CCMSetup service
    • 1. Intune deploys the ConfigMgr bootstrap (ccmsetup.exe), which creates the CCMSetup installation service.
  • Authenticate to get the ConfigMgr agent binaries
    • 2. Windows 10 requests an Azure AD (device) token from Azure AD.
    • 3. Windows 10 requests a CCM token from the CMG.
    • 4. The CMG connection point receives the CCM token request from the CMG.
    • 5. The CMG connection point forwards the CCM token request to the management point.
  • ConfigMgr agent download and install
    • 6. Windows 10 receives the CCM token and requests the ConfigMgr client binaries.
    • 7. The ConfigMgr agent binaries are downloaded from Azure Blob storage and installed on Windows 10.
  • ConfigMgr client registration and policy download
    • 8. The ConfigMgr client sends an AAD token request to Azure AD.
    • 9. The management point registers the ConfigMgr client after validating the AAD token.
    • 10. The ConfigMgr client sends a CCM token request to the CMG.
    • 11. The CMG connection point receives the CCM token request from the CMG.
    • 12. The CMG connection point forwards the CCM token validation request to the management point.
    • 13. The ConfigMgr client receives the CCM token and caches it locally.
  • 14. The ConfigMgr client is now co-managed and functional, able to receive ConfigMgr policies and apps.

In the above workflow, you can see the importance of authentication tokens. The CMG allows communication with the ConfigMgr servers only for devices that present a valid token.

Depending on your scenario, make sure the Windows 10 device has the necessary token or certificates in place: Azure AD user discovery (for Azure AD user tokens), the root certificate, a client authentication certificate, or an Azure AD device token.

Let us go through the sequence.

Step 1. Intune deploys the ConfigMgr bootstrap and creates the CCMSetup installation service

The ccmsetup.exe bootstrap creates the CCMSetup service, as shown below. This is a temporary service that drives the ConfigMgr client install and registration process.

[Screenshots: CCMSetup service in services.msc and the corresponding ccmsetup.log entries]
  • You can verify that the CCMSetup service was created from ccmsetup.log.
  • The installation command line is constructed from what you configured in Intune. ccmsetup.log records the command line, so use it to verify that the parameters are correct.
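The command line you find in ccmsetup.log (or in the Intune app's CCMSETUPCMD) is the first thing to check when a CMG install fails. The following is an added example, not code from the original post, that validates the parameters a CMG plus Azure AD install needs. The parameter names (CCMHOSTNAME, SMSSITECODE, SMSMP, AADTENANTID, AADCLIENTAPPID, AADRESOURCEURI and the /mp switch) come from Microsoft's documentation for installing the client from the internet via CMG (the page linked under Resources); the sample command lines, CMG hostname, site code, tenant and app IDs are constructed placeholders.

```python
"""Validate the ccmsetup.exe command line used for a CMG (Azure AD) install.

Added example, not from the original post. The parameter names come from
Microsoft's documentation for internet-based client install via CMG; the sample
command lines below are constructed, with placeholder hostname, site code and IDs.
"""
import re
import shlex
from urllib.parse import urlparse

# Properties a CMG + Azure AD install needs; /mp is the ccmsetup switch that tells the
# bootstrapper where to download the client from (the CMG itself in this scenario).
REQUIRED_PROPS = ('CCMHOSTNAME', 'SMSSITECODE', 'SMSMP',
                  'AADTENANTID', 'AADCLIENTAPPID', 'AADRESOURCEURI')
GUID_RE = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$', re.I)


def parse_ccmsetup_cmdline(cmdline):
    """Split a ccmsetup command line into (exe, switches, properties).

    Switches are /name or /name:value tokens; properties are NAME=value tokens."""
    tokens = shlex.split(cmdline, posix=False)
    switches, props = {}, {}
    for tok in tokens[1:]:
        if tok.startswith('/'):
            name, _, value = tok[1:].partition(':')
            switches[name.lower()] = value.strip('"')
        elif '=' in tok:
            name, _, value = tok.partition('=')
            props[name.upper()] = value.strip('"')
    return tokens[0], switches, props


def _is_cmg_mutual_auth(value):
    """CMG client-facing endpoints look like <cmg-fqdn>/CCM_Proxy_MutualAuth/<site-system-id>."""
    u = urlparse(value if '://' in value else 'https://' + value)
    return u.scheme == 'https' and '/CCM_PROXY_MUTUALAUTH/' in u.path.upper() + '/'


def check_cmg_command_line(cmdline):
    """Return a list of problems with the command line; an empty list means it looks right."""
    _, switches, props = parse_ccmsetup_cmdline(cmdline)
    problems = []
    for name in REQUIRED_PROPS:
        if not props.get(name):
            problems.append(f'missing property {name}')
    if props.get('CCMHOSTNAME') and not _is_cmg_mutual_auth(props['CCMHOSTNAME']):
        problems.append('CCMHOSTNAME is not a CMG CCM_Proxy_MutualAuth endpoint')
    for key, value in (('SMSMP', props.get('SMSMP')), ('/mp', switches.get('mp'))):
        if value and not _is_cmg_mutual_auth(value):
            problems.append(f'{key} does not point to the CMG over HTTPS')
    if not switches.get('mp'):
        problems.append('no /mp:<CMG URL> switch; the documented CMG command line includes it')
    for name in ('AADTENANTID', 'AADCLIENTAPPID'):
        if props.get(name) and not GUID_RE.match(props[name]):
            problems.append(f'{name} is not a GUID')
    # Assumption: the server app ID URI is https://... (as in the post) or api://...
    uri = props.get('AADRESOURCEURI', '').lower()
    if uri and not (uri.startswith('https://') or uri.startswith('api://')):
        problems.append('AADRESOURCEURI should be the Azure AD server app ID URI')
    return problems


# Constructed samples (placeholders), in the shape Intune passes through CCMSETUPCMD.
GOOD_CMD = (
    'ccmsetup.exe /mp:https://cmg.example.cloudapp.net/CCM_Proxy_MutualAuth/72057594037927951 '
    'CCMHOSTNAME=cmg.example.cloudapp.net/CCM_Proxy_MutualAuth/72057594037927951 SMSSITECODE=PS1 '
    'SMSMP=https://cmg.example.cloudapp.net/CCM_Proxy_MutualAuth/72057594037927951 '
    'AADTENANTID=00000000-0000-0000-0000-000000000001 '
    'AADCLIENTAPPID=00000000-0000-0000-0000-000000000002 AADRESOURCEURI=https://ConfigMgrService'
)
BAD_CMD = ('ccmsetup.exe CCMHOSTNAME=mp01.corp.local SMSSITECODE=PS1 '
           'SMSMP=http://mp01.corp.local AADTENANTID=contoso')

if __name__ == '__main__':
    for label, cmd in (('good', GOOD_CMD), ('bad', BAD_CMD)):
        print(label, check_cmg_command_line(cmd) or 'OK')
```

Paste the command line exactly as ccmsetup.log shows it; an on-premises MP name in CCMHOSTNAME or an http:// SMSMP is the usual sign that the Intune app was built from an intranet-only command line.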

The CMG also acts as a cloud distribution point and serves the ConfigMgr client binaries to Windows 10. The CMG and your internal ConfigMgr servers communicate only with a Windows 10 device that presents a valid authentication token.

Let us discuss the sequence of events required to authenticate and download the ConfigMgr agent.

Step 2. Windows 10 requests an AAD token from Azure AD

The CCMSetup bootstrap service requests an Azure AD device token. An alternative is an Azure AD user token. In my scenario, the Windows 10 device was Azure AD joined, which means it has a valid Azure AD device token. Let us discuss how this AAD token gets validated next.

Windows 10 authenticates for CMG communication using the server app resource URL. This URL is created automatically as part of the CMG configuration (the Azure AD server app registration).

Note: if there is any issue getting the AAD (device) token, you will see errors right after the entry below.

C:\Windows\ccmsetup.log (ADALOperationProvider):

Getting AAD (device) token with: ClientId = 558f4694-0ac9-401f-b6a5-2086ce5938f7, ResourceUrl = https://ConfigMgrServicecochii, AccountId = https://login.microsoftonline.com/common/oauth2/token, AllowInteractive = 0

The AAD token alone is not enough to download the ConfigMgr binaries; a CCM token is also required. Let us discuss the CCM token validation process next.

Step 3. Windows 10 requests a CCM token from ConfigMgr via the CMG

After the AAD token is obtained, Windows 10 requests a ConfigMgr client (CCM) token. As shown below, the Windows 10 device requests the CCM token from the CMG through the Security Token Service channel (CCM_STS).

You can confirm this request from ccmsetup.log (ConfigMgr client logs):

Getting CCM Token from https://cochii.cloudapp.net/CCM_Proxy_ServerAuth/72057594037927951/CCM_STS

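Steps 2 and 3 leave two telltale entries in ccmsetup.log, and their order and content tell you whether the dual-token handshake got off the ground. The following is an added example, not code from the original post: it parses CMTrace-format log lines, pulls out the "Getting AAD (device) token with: ..." parameters and the "Getting CCM Token from ..." URL (both message formats taken from the entries quoted above), and flags error entries, a token endpoint other than login.microsoftonline.com, a non-HTTPS or non-CCM_Proxy_ServerAuth STS URL, and a CCM request that precedes the AAD request. The sample log lines, CMG hostname and client ID are constructed placeholders.

```python
"""Check the AAD -> CCM_STS token sequence in a CMTrace-format ccmsetup.log.

Added example, not code from the original post. The CMTrace line layout and the
two message formats ("Getting AAD (device) token with: ..." and "Getting CCM
Token from ...") match the ccmsetup.log entries quoted in the post; the sample
log below is constructed, with a placeholder CMG hostname and client ID.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

# CMTrace: <![LOG[msg]LOG]!><time="hh:mm:ss.fff+zzz" date="mm-dd-yyyy" ... type="N" ...>
CML_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]+)" date="(?P<date>[^"]+)"'
    r'[^>]*?type="(?P<type>\d)"',
    re.DOTALL,
)
AAD_RE = re.compile(r'Getting AAD \((?P<kind>\w+)\) token with: (?P<kv>.+)')
CCM_RE = re.compile(r'Getting CCM Token from (?P<url>\S+)')


def parse_cml(text):
    """Return CMTrace entries as dicts: msg, ts (naive local time), type (1 info, 2 warn, 3 error)."""
    entries = []
    for m in CML_RE.finditer(text):
        clock = re.split(r'[+-]', m.group('time'))[0]        # strip the UTC-offset suffix
        ts = datetime.strptime(f"{m.group('date')} {clock}", '%m-%d-%Y %H:%M:%S.%f')
        entries.append({'msg': m.group('msg'), 'ts': ts, 'type': int(m.group('type'))})
    return entries


def analyze_token_sequence(text):
    """Report the AAD token request, the CCM_STS request, error entries and sequence problems."""
    report = {'aad': None, 'ccm_sts': None, 'errors': [], 'problems': []}
    for e in parse_cml(text):
        if e['type'] == 3:
            report['errors'].append(e['msg'])
        aad = AAD_RE.search(e['msg'])
        if aad and report['aad'] is None:
            params = dict(p.strip().split(' = ', 1)
                          for p in aad.group('kv').split(',') if ' = ' in p)
            report['aad'] = {'kind': aad.group('kind'), 'ts': e['ts'], **params}
        ccm = CCM_RE.search(e['msg'])
        if ccm and report['ccm_sts'] is None:
            report['ccm_sts'] = {'url': ccm.group('url'), 'ts': e['ts']}

    aad, sts = report['aad'], report['ccm_sts']
    if aad is None:
        report['problems'].append('no AAD token request logged (ADALOperationProvider step missing)')
    elif urlparse(aad.get('AccountId', '')).hostname != 'login.microsoftonline.com':
        report['problems'].append('AAD token endpoint is not login.microsoftonline.com')
    if sts is None:
        report['problems'].append('no CCM_STS token request logged')
    else:
        u = urlparse(sts['url'])
        path = u.path.upper()
        if u.scheme != 'https':
            report['problems'].append('CCM_STS request is not over HTTPS')
        if '/CCM_PROXY_SERVERAUTH/' not in path or not path.endswith('/CCM_STS'):
            report['problems'].append('CCM_STS URL is not the CMG CCM_Proxy_ServerAuth/.../CCM_STS path')
        if aad is not None and sts['ts'] < aad['ts']:
            report['problems'].append('CCM token requested before the AAD token')
    return report


# Constructed sample: a healthy install-phase log (hostname and client ID are placeholders).
GOOD_LOG = (
    '<![LOG[Getting AAD (device) token with: ClientId = 00000000-0000-0000-0000-000000000001, '
    'ResourceUrl = https://ConfigMgrService, '
    'AccountId = https://login.microsoftonline.com/common/oauth2/token, AllowInteractive = 0]LOG]!>'
    '<time="09:15:01.100+000" date="03-02-2021" component="ccmsetup" context="" type="1" '
    'thread="4120" file="ccmsetup.cpp:1">\n'
    '<![LOG[Getting CCM Token from https://cmg.example.cloudapp.net/CCM_Proxy_ServerAuth/'
    '72057594037927951/CCM_STS]LOG]!><time="09:15:02.300+000" date="03-02-2021" '
    'component="ccmsetup" context="" type="1" thread="4120" file="ccmsetup.cpp:2">\n'
)
# Constructed sample: the AAD token was never obtained and the STS URL is wrong.
BAD_LOG = (
    '<![LOG[Failed to get AAD token]LOG]!><time="09:15:01.100+000" date="03-02-2021" '
    'component="ccmsetup" context="" type="3" thread="4120" file="ccmsetup.cpp:1">\n'
    '<![LOG[Getting CCM Token from http://cmg.example.cloudapp.net/CCM_STS]LOG]!>'
    '<time="09:15:02.300+000" date="03-02-2021" component="ccmsetup" context="" type="1" '
    'thread="4120" file="ccmsetup.cpp:2">\n'
)

if __name__ == '__main__':
    for label, log in (('good', GOOD_LOG), ('bad', BAD_LOG)):
        r = analyze_token_sequence(log)
        print(label, '| problems:', r['problems'] or 'none', '| errors:', len(r['errors']))
```

The same parser works on any CMTrace log on the device, so the AAD check can be pointed at ADALOperationProvider.log during registration (Step 8) as well.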

Step 4. The CMG connection point receives the CCM token request from the CMG

The CMG receives the CCM token request and forwards it to the CMG connection point on-premises. The CMG acts as a proxy between the Windows 10 device and the ConfigMgr server.

You can verify this event from CMGService.log on the CMG Azure instance (E:\approot\logs).

The ConfigMgr server receives the CCM token validation requests from the CMG. On the ConfigMgr server, the following log records these events:

  • CMG-<CMGname>-ProxyService_IN_0-CMGService.log
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927951/CCM_STS  RequestCount: 1  RequestSize: 1893 Bytes  ResponseCount: 1  ResponseSize: 1567 Bytes  AverageElapsedTime: 390 ms
  • The log below shows the communication between the CMG and the CMG connection point server:
  • SMS_CLOUD_PROXYCONNECTOR.log (CMG connection point server)
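CMGService.log summarizes proxied traffic per endpoint, and a CCM_STS line whose ResponseCount lags its RequestCount, or whose elapsed time balloons, points at the connection point or the MP rather than at the client. The following is an added example, not code from the original post: it parses request-summary lines in the layout of the entry quoted above (RequestUri, RequestCount, RequestSize, ResponseCount, ResponseSize, AverageElapsedTime), aggregates them per endpoint and lists findings. The sample lines after the first are constructed, and the slow-request threshold is an assumption for the example.

```python
"""Summarize CMGService.log request-summary lines per endpoint and flag requests the
CMG proxied without a matching response, or that ran slowly.

Added example, not from the original post. The line layout follows the single
CMGService.log entry quoted in the post; the additional sample lines are constructed
and SLOW_MS is an assumed threshold."""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+): (\S+)(?: (?:Bytes|ms))?')
SLOW_MS = 2000   # assumed threshold for the example; tune to your environment


def parse_summary_line(line):
    """Return the key/value fields of one request-summary line (numbers as int), or None."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = int(value) if value.isdigit() else value
    return fields if 'RequestUri' in fields else None


def summarize_cmg_requests(text):
    """Aggregate per RequestUri and return (totals, findings)."""
    totals = defaultdict(lambda: {'requests': 0, 'responses': 0, 'max_ms': 0})
    for line in text.splitlines():
        f = parse_summary_line(line)
        if not f:
            continue
        t = totals[f['RequestUri'].upper()]
        t['requests'] += f.get('RequestCount', 0)
        t['responses'] += f.get('ResponseCount', 0)
        t['max_ms'] = max(t['max_ms'], f.get('AverageElapsedTime', 0))
    findings = []
    for uri, t in totals.items():
        kind = 'CCM_STS token request' if uri.endswith('/CCM_STS') else 'request'
        if t['responses'] < t['requests']:
            findings.append(f"{uri}: {t['requests'] - t['responses']} {kind}(s) without a response")
        if t['max_ms'] > SLOW_MS:
            findings.append(f"{uri}: {kind} took up to {t['max_ms']} ms")
    return dict(totals), findings


# First line as quoted in the post; the second and third are constructed.
SAMPLE = """\
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927951/CCM_STS  RequestCount: 1  RequestSize: 1893 Bytes  ResponseCount: 1  ResponseSize: 1567 Bytes  AverageElapsedTime: 390 ms
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927951/CCM_STS  RequestCount: 2  RequestSize: 3790 Bytes  ResponseCount: 1  ResponseSize: 1570 Bytes  AverageElapsedTime: 4100 ms
Some unrelated CMGService.log line that is not a request summary
"""

if __name__ == '__main__':
    totals, findings = summarize_cmg_requests(SAMPLE)
    for uri, t in totals.items():
        print(uri, t)
    print('\n'.join(findings) or 'no findings')
```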

Step 5. The CMG connection point forwards the CCM token request to the management point

The CMG connection point transforms the CCM token request into a normal management point client request, and the management point issues the CCM token.

In the log below, you can see the incoming request at the management point. The AAD token is validated first; if it is valid, the MP then checks the device in the ConfigMgr database. If all goes well, the MP issues the CCM token to Windows 10 (via the CMG). It seems Microsoft still uses the term “SCCM” in this log.

CCM_STS.log (CMG connection point server)

  • Now the Windows 10 device has a valid CCM token and can download the ConfigMgr client binaries.

Let’s proceed to the next events.

Step 6. Windows 10 receives the CCM token and requests the ConfigMgr client content

Windows 10 adds the CCM token to its request header and requests the ConfigMgr binaries from the CMG.

[Screenshot: ccmsetup.log, CCM token added to the request]

Windows 10 gets a reply from the CMG with details such as the ConfigMgr site, the boundary, and the ConfigMgr agent content location.

[Screenshot: ccmsetup.log, CMG reply with site and content location]

Now Windows 10 has a valid AAD token, a CCM token, and the ConfigMgr site details needed to download the agent 😊.

Let’s proceed to the next events.

Step 7. Azure Blob storage provides the ConfigMgr agent binaries, which are downloaded and installed

As seen below, the CMG (content service) responds to the Windows 10 request, and Windows 10 starts downloading the ConfigMgr agent.

The CMG also acts as a cloud DP. The cloud DP response is logged in CMGContentService.log (E:\approot\logs on the CMG instance).

[Screenshot: CMGContentService.log, content request from Windows 10]

The ConfigMgr agent is downloaded from the cloud DP (Azure Blob storage) using BITS.

[Screenshot: CMGContentService.log, BITS download]

Once the download completes, the agent installs in the folder below:

C:\Windows\CCM\

Now Windows 10 has the ConfigMgr agent installed 😊. But this does not mean the ConfigMgr client is functional and able to receive policy and apps: the client still needs to authenticate and register with the ConfigMgr server.

This is required irrespective of the scenario. Let us discuss the sequence of events needed to get the ConfigMgr client registered.

Step 8. The ConfigMgr client sends an AAD token request to Azure AD

The ConfigMgr client requests an AAD token. Below you can see the AAD token retrieved and cached. In my scenario, Azure AD user discovery was enabled.

ADALOperationProvider.log (ConfigMgr client logs)

Step 9. The management point registers the ConfigMgr client after validating the AAD token

The ConfigMgr agent communicates with the MP via the CMG. The MP registers the client after successfully validating the AAD token.

ClientIDManager.log shows the registration and approval status, as shown below.

ClientIDManager.log (ConfigMgr client logs)

MP_RegistrationManager.log is useful while troubleshooting. This log lets you track a ConfigMgr client by its GUID, and it also shows DDR creation and the device registration process.

After a few minutes, you can see the new DDR record in the ConfigMgr console.

MP_RegistrationManager.log (management point)

Now the ConfigMgr client is registered. We are halfway through. Next, Windows 10 needs a CCM token to get policy and apps. Let’s discuss those events next.

Step 10. The ConfigMgr client sends a CCM token request to the CMG

With the ConfigMgr agent installed, it requests a CCM token from the CMG via the STS channel.

ClientLocation.log (ConfigMgr client logs)

Step 11. The CMG connection point receives the CCM token request from the CMG

The CMG receives the CCM token request and forwards it to the CMG connection point. You can verify these events in CMGService.log (CMG server).

Step 12. The CMG connection point forwards the CCM token validation request to the management point

The management point validates the AAD token against the ConfigMgr site database first and then issues the CCM token.

CCM_STS.log (AAD token validation followed by CCM token issue)

Step 13. The ConfigMgr client receives the CCM token and caches it locally

Windows 10 receives the CCM token and caches it. The ConfigMgr client uses this token to communicate with the ConfigMgr server and download policies, apps, etc. The token is valid for only 8 hours, after which the ConfigMgr client renews it.

ClientIDManagerStartup.log (ConfigMgr client logs)

You can see the token renewal in ClientIDManagerStartup.log and CcmMessaging.log.

Step 14. The ConfigMgr client is co-managed and ready to receive ConfigMgr policies and apps

Finally, the ConfigMgr client is registered and trusted by the ConfigMgr server. You can now see the ConfigMgr client receiving policies and deployments.

PolicyAgent.log (ConfigMgr client logs)

Resources

References: https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/azure-ccmsetup
