ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG

Let’s understand the workflow of ConfigMgr Client Deployment Using Intune. In this post, we will analyze the sequence of events that occur in the back-end when we deploy the ConfigMgr client from Intune. Understanding this workflow may help troubleshoot ConfigMgr client deployment using CMG.

In autopilot deployments, Windows 10 devices are managed by Intune. However, many customers still need ConfigMgr for many reasons. As we all know, Intune can deploy the ConfigMgr client via CMG.

In this scenario, Windows 10 is provisioned using the Windows Autopilot process and then enrolled into Intune. Subsequently, Intune deploys the ConfigMgr client via CMG, allowing the ConfigMgr agent to communicate with the ConfigMgr server through CMG. As a result, the computer becomes co-managed, integrating ConfigMgr and Intune for enhanced management capabilities.

To implement the above scenario, you need a CMG infrastructure, Autopilot, and ConfigMgr Bootstrap executable deployed from Intune.

Index
  • Flow Diagram – Client Deployment Using Intune
  • Step 1. Intune Deploy ConfigMgr bootstrap and create CCMsetup installation service
  • Step 2. Win 10 Request AAD Token Validation to Azure AD
  • Step 3. Win 10 Request CCM Token to ConfigMgr via CMG
  • Step 4. CMG Connection Point Receives the CCM Token Request from CMG
  • Step 5. CMG Connection Point Redirects CCM Token Request to Management Point
  • Step 6. Win 10 Received the CCM Token and Request for ConfigMgr Client Content
  • Step 7. Azure Blob Provides ConfigMgr Agent Binary Download and Installs
  • Step 8. ConfigMgr Client Sent an AAD Token Request to Azure AD
  • Step 9. Management Point Registers the ConfigMgr Client after Validating the AAD Token
  • Step 10. ConfigMgr Client Sent a CCM Token Request to CMG
  • Step 11. CMG Connection Point Receives CCM Token Request from CMG
  • Step 12. CMG Connection Point Redirects CCM Token Validation Request to the Management Point
  • Step 13. ConfigMgr Clients Receive CCM Tokens and Cache Locally
  • Step 14. The ConfigMgr Client is Co-managed and Ready to Receive ConfigMgr Policies and Apps
ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG – Table 1

Flow Diagram – Client Deployment Using Intune

The diagrams below describe the sequence of events after triggering the ConfigMgr agent installation via CMG. The events are numbered and described in detail.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.1
ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.2

The following steps explain the ConfigMgr client deployment process using Intune.

  • Create the CCMSetup service
    • 1. Intune deploys the ConfigMgr bootstrap to create the CCMsetup installation service
  • Authenticate to get the ConfigMgr agent binary
    • 2. Windows 10 requests AAD token validation from Azure AD
    • 3. Windows 10 requests a CCM token from CMG
    • 4. The CMG connection point receives the CCM token request from CMG
    • 5. The CMG connection point redirects the CCM token request to the management point
  • ConfigMgr agent download and install
    • 6. Windows 10 receives the CCM token and then requests the ConfigMgr client binary
    • 7. The ConfigMgr agent binary is downloaded from Azure Blob storage and installed on Windows 10
  • ConfigMgr client registration and policy download
    • 8. The ConfigMgr client sends an AAD token validation request to Azure AD
    • 9. The management point registers the ConfigMgr client after validating the AAD token
    • 10. The ConfigMgr client sends a CCM token request to CMG
    • 11. The CMG connection point receives the CCM token request from CMG
    • 12. The CMG connection point redirects the CCM token validation request to the management point
    • 13. The ConfigMgr client receives the CCM token and caches it locally
  • The ConfigMgr client is now co-managed and ready to receive ConfigMgr policies and apps

In the above workflow, you can see how central token-based authentication is: CMG only allows communication with the ConfigMgr servers for devices that present a valid token.

Based on your scenario, make sure your Windows 10 device has the necessary tokens and certificates, such as Azure AD user discovery, the root certificate, a client authentication certificate, and a device token.

Let us go through the sequence.

Step 1. Intune Deploy ConfigMgr bootstrap and create CCMsetup installation service

The CCMsetup.exe bootstrap process creates the CCMsetup service, as shown below. This temporary service starts the ConfigMgr client install and registration process.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.3

We can verify from ccmsetup.log that the CCMSetup service was created.

The installation command line is constructed from what you have configured in Intune. CCMSetup.log helps to verify whether the command line is correct.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.4

CMG also acts as a cloud DP, which provides the ConfigMgr client binaries to Windows 10. CMG and your internal ConfigMgr servers communicate with Windows 10 only when the device presents a valid authentication token.

Let us discuss the sequence of events required to authenticate and download the ConfigMgr agent.

Step 2. Win 10 Request AAD Token Validation to Azure AD

The CCMsetup bootstrap service requests an Azure AD device token. An alternative is an Azure AD user token. In my scenario, the Windows 10 device was Azure AD joined, so it has a valid Azure AD device token. Let us discuss how this AAD token gets validated next.

Windows 10 communicates with the CMG cloud service for authentication via the Server App Resource URL. This URL is created automatically as part of the CMG configuration.

Note: If you have issues getting the AAD (device) token, you will see an error after the entry below.

Log snippet from C:\Windows\ccmsetup.log (ADALOperationProvider):

Getting AAD (device) token with: ClientId = 558f4694-0ac9-401f-b6a5-2086ce5938f7, ResourceUrl = https://ConfigMgrServicecochii, AccountId = https://login.microsoftonline.com/common/oauth2/token, AllowInteractive = 0

The AAD token alone is not enough to download the ConfigMgr binaries; a CCM token is also required. Let’s discuss the CCM token validation process next.

Step 3. Win 10 Request CCM Token to ConfigMgr via CMG

After the AAD token is validated, Windows 10 requests a ConfigMgr client (CCM) token from CMG via the Security Token Service communication channel (CCM_STS).

You can confirm this request event from Ccmsetup.log (ConfigMgr client logs).

Getting CCM Token from https://cochii.cloudapp.net/CCM_Proxy_ServerAuth/72057594037927951/CCM_STS
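As an added example (not tooling from this post or from Microsoft), the following Python script parses the CMTrace-format entries of ccmsetup.log and reports whether the device logged the AAD (device) token request, whether it went on to the CCM_STS token request to CMG, and any error entries in between, which is the failure the note above describes. The two sample logs are constructed from the snippets quoted in this post; the error message text is a constructed placeholder, not a real ccmsetup.log message.

```python
import re

# CMTrace entry layout used by ccmsetup.log (one entry per line), type 1=info, 2=warning, 3=error:
#   <![LOG[message]LOG]!><time="HH:MM:SS.mmm+000" date="MM-DD-YYYY" component="ccmsetup" context="" type="1" ...>
CMTRACE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)"[^>]*?type="(?P<type>\d)"', re.S)
AAD_TOKEN = re.compile(r"Getting AAD \(device\) token with: ")
CCM_TOKEN = re.compile(r"Getting CCM Token from (?P<url>\S+)")


def parse_cmtrace(text):
    """Return the entries of a CMTrace log as dicts (msg, time, type), in file order."""
    return [m.groupdict() for m in CMTRACE.finditer(text)]


def check_token_bootstrap(text):
    """Report how far the AAD -> CCM token chain in ccmsetup.log got.

    Per the post's hint, an error (type 3) logged after 'Getting AAD (device)
    token' but before 'Getting CCM Token from' means the device never got past
    Azure AD authentication, so the CCM_STS request to CMG was never made.
    """
    report = {"aad_requested": False, "ccm_requested": False, "sts_url": None, "errors_after_aad": []}
    for entry in parse_cmtrace(text):
        msg = entry["msg"]
        if AAD_TOKEN.search(msg):
            report["aad_requested"] = True
        elif (m := CCM_TOKEN.search(msg)) is not None:
            report["ccm_requested"] = True
            report["sts_url"] = m.group("url")
        elif report["aad_requested"] and not report["ccm_requested"] and entry["type"] == "3":
            report["errors_after_aad"].append(f'{entry["time"]} {msg}')
    return report


def _entry(msg, typ="1", time="10:00:01.000+000"):
    """Build one constructed CMTrace line for the samples below."""
    return f'<![LOG[{msg}]LOG]!><time="{time}" date="01-02-2024" component="ccmsetup" context="" type="{typ}" thread="1" file="">\n'


# Constructed samples modelled on the post's ccmsetup.log snippets (not captured logs).
AAD_LINE = ("Getting AAD (device) token with: ClientId = 558f4694-0ac9-401f-b6a5-2086ce5938f7, "
            "ResourceUrl = https://ConfigMgrServicecochii, AllowInteractive = 0")
STS_URL = "https://cochii.cloudapp.net/CCM_Proxy_ServerAuth/72057594037927951/CCM_STS"
HEALTHY_LOG = _entry(AAD_LINE) + _entry(f"Getting CCM Token from {STS_URL}", time="10:00:02.000+000")
FAILED_LOG = _entry(AAD_LINE) + _entry("Failed to get AAD token (constructed error line)", typ="3", time="10:00:02.000+000")

if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("failed", FAILED_LOG)):
        print(name, check_token_bootstrap(log))
```

To run it against a real device, read C:\Windows\ccmsetup\Logs\ccmsetup.log (or the path your installation uses) and pass its contents to check_token_bootstrap.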

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.6

Step 4. CMG Connection Point Receives the CCM Token Request from CMG

CMG receives the CCM token request and forwards it to the ConfigMgr CMG connection point. CMG is a proxy, or mediator, between the Windows 10 device and the ConfigMgr server.

You can verify this event from CMGService.log (CMG Azure server: E:\approot\logs).

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.7

The ConfigMgr server receives the CCM token validation requests from CMG. The following log on the ConfigMgr server records these events.

  • CMG-<CMGname>-ProxyService_IN_0-CMGService.log
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037927951/CCM_STS  RequestCount: 1  RequestSize: 1893 Bytes  ResponseCount: 1  ResponseSize: 1567 Bytes  AverageElapsedTime: 390 ms
ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.8

The log below shows the communication between your CMG and the ConfigMgr server (CMG connection point server).

  • SMS_CLOUD_PROXYCONNECTOR.log (CMG connection point server)
ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.9

Step 5. CMG Connection Point Redirects CCM Token Request to Management Point

The CMG connection point transforms the CCM token request into a management point client request, and the management point issues the CCM token.

You can see the incoming request to the management point in the log below. The AAD token is validated first; if it is valid, the MP verifies it against the ConfigMgr database. If all goes well, the MP issues a CCM token to Windows 10 (via CMG). It seems Microsoft still uses the term “SCCM.”

CCM_STS.log ( CMG connection point server)

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.10
  • Now the Windows 10 device has a valid CCM token to download the ConfigMgr client binaries!

Let’s proceed to the following events…

Step 6. Win 10 Received the CCM Token and Request for ConfigMgr Client Content

Windows 10 appends this CCM token to its request header and requests the ConfigMgr binary from CMG.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.11

Windows 10 gets a reply from CMG with details such as the ConfigMgr site, boundary, and ConfigMgr agent content location.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.12

Now Windows 10 has a valid AAD token, a CCM token, and the ConfigMgr site details it needs to download the agent.

Step 7. Azure Blob Provides ConfigMgr Agent Binary Download and Installs

As seen below, the CMG content service responded to the Windows 10 request. Then Windows 10 starts downloading the ConfigMgr agent.

CMG acts as a cloud DP as well. The cloud DP response is logged in CMGContentService.log (E:\approot\logs).

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.13

The ConfigMgr agent is downloaded from the cloud DP (Azure Blob storage) using BITS.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.14

Once the download completes, the agent installs in the folder path below:

C:\Windows\CCM\

Now, Windows 10 has the ConfigMgr agent installed. But this does not mean the ConfigMgr client is functional and able to receive policies and apps. The ConfigMgr client still needs to authenticate and register with the ConfigMgr server.

This is required in every scenario. Let’s discuss the sequence of events that registers the ConfigMgr client.

Step 8. ConfigMgr Client Sent an AAD Token Request to Azure AD

The ConfigMgr client requests an AAD token. Below you can see the AAD token that was retrieved and cached. In my scenario, I have enabled Azure AD user discovery.

ADALOperationProvider.log

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.15

Step 9. Management Point Registers the ConfigMgr Client after Validating the AAD Token

The ConfigMgr agent communicates with the MP via CMG. The MP registers the client after successful AAD auth token validation.

ClientIDManager.log indicates the registration and approval status, as shown below.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.16

The MP_RegistrationManager log is useful for troubleshooting. It lets you track a ConfigMgr client by its GUID, and it also shows the DDR creation and device registration process.

After a few minutes, you can see a new DDR record in the SCCM console.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.17

Now the ConfigMgr client is registered; we are halfway through. Next, Windows 10 needs a CCM token to get policy and apps. Let’s discuss those events next.

Step 10. ConfigMgr Client Sent a CCM Token Request to CMG

The ConfigMgr agent is installed, and the CCM token is requested from CMG via the STS channel.

ClientLocation.log (ConfigMgr agent client logs)

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.11

Step 11. CMG Connection Point Receives CCM Token Request from CMG

CMG receives the CCM token request and forwards it to the CMG connection point. You can verify these events in the CMGService log (CMG server).

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.12

Step 12. CMG Connection Point Redirects CCM Token Validation Request to the Management Point

The management point validates the AAD token against the ConfigMgr site database first and then issues the CCM token.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.13

Step 13. ConfigMgr Clients Receive CCM Tokens and Cache Locally

Windows 10 receives the CCM token and caches it. ConfigMgr clients use this token to communicate with the ConfigMgr server and download policies, apps, etc. The token is valid for only eight hours; the ConfigMgr client renews it before it expires.

ClientIDManagerStartup.log (ConfigMgr client logs)

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.14

You can see the token renewal in the ClientIDManagerStartup and CcmMessaging logs.

Step 14. The ConfigMgr Client is Co-managed and Ready to Receive ConfigMgr Policies and Apps

Finally, the ConfigMgr client is registered and trusted by the ConfigMgr server. Now you can start seeing ConfigMgr clients receive policies and deployments.

ConfigMgr Client Deployment Using Intune | Workflow | SCCM | CMG - Fig.15


Author

Vimal Das has over ten years of experience in SCCM device management solutions. His primary focus is Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about SCCM, Windows 10, Microsoft Intune, and MDT.
