How to Deploy SCCM Client via Intune Co-Management

Let’s discuss How to Deploy SCCM Client via Intune Co-Management. We can install the SCCM client using Intune in a co-management scenario.

You can create a Mobile app in Intune with the latest SCCM client package and deploy the app to Windows 10 devices that you want to co-manage. This post will cover the SCCM Client via Intune.

Update: From SCCM 1810 onwards, SCCM client installation from the internet via CMG is made easy. The SCCM site publishes additional Azure Active Directory (Azure AD) information to the cloud management gateway (CMG).

With SCCM 1810 onwards, the only two required ccmsetup properties are CCMHOSTNAME and SMSSiteCode. Microsoft documentation provides more details.

Video Tutorial How to Deploy SCCM Client via Intune Co-Management

In this video, you will learn How to Deploy the SCCM Client from Intune Co-Management.

Prerequisites to SCCM Client via Intune?

This post explains installing the SCCM client via Intune in a co-management scenario. I have documented the Co-management prerequisites, and I recommend reading the post.

• The logged-on user must be an Azure AD identity.
• If the user has a federated or synchronized identity (using AAD Sync)), you must use SCCM and Azure AD user discovery.
• Enable ASP.NET 4.5 on this server for the management point site system role. When enabling ASP.NET 4.5, you should also include any other automatically selected options.
• Cloud Management Gateway (CMG) to deploy Internet-based clients. On-premises clients who authenticate with Azure AD don’t need a CMG.

• All in One – How to Setup Co-Management Eight(8) Video Tutorials

How to Configure Client Settings for Co-Managed Devices?

Setting the SCCM client policies for co-managed Windows 10 devices is important. You must configure the following SCCM client settings in the Cloud Services section.

Enable Allow access to cloud distribution point - Yes
Automatically register new Windows 10 domain joined devices with Azure AD(AAD) - Yes
Enable clients to use a cloud management gateway - Yes

TIP: To confirm the device is joined to Azure AD (This is NOT applicable for Azure AD registered devices), run dsregcmd. exe /status in a command prompt. The AzureAdjoined field in the results shows YES if the device is Azure AD-joined.

How to Install SCCM Client Manually on Intune Managed Devices?

You can install the SCCM client manually with the following command line, even if Intune already manages your Windows 10 device. Another method to install the SCCM clients is to automate the client install using Azure AD identity via Microsoft Intune (this is explained in the next section of this post).

The following example shows the general structure of the command line:

ccmsetup.exe /mp:<source management point> CCMHOSTNAME=<internet-based management point> SMSSiteCode=<site code> SMSMP=<initial management point> AADTENANTID=<Azure AD tenant identifier> AADCLIENTAPPID=<Azure AD client app identifier> AADRESOURCEURI=<Azure AD server app identifier>

More details about command-line properties.

The /mp and CCMHOSTNAME properties specify one of the following, depending upon the scenario:-
– On-premises management point. Only specify the /mp property. The CCMHOSTNAME isn’t required.
– Cloud management gateway
– Internet-based management point The SMSMP property specifies either the on-premises or Internet-based management point.

This example uses a cloud management gateway. It substitutes sample values for each property:-

ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC SMSMP=https://mp1.contoso.com AADTENANTID=daf4a1c2-3a0c-401b-966f-0b855d3abd1a AADCLIENTAPPID=7506ee10-f7ec-415a-b415-cd3d58790d97 AADRESOURCEURI=https://contososerver

How to Automatically Install or Deploy SCCM Client via Intune?

For Windows 10 (1709 or later) devices that are enrolled in Intune and don’t have the SCCM client, you can create an app in Intune to deploy the SCCM client. The command line for this SCCM client installation is very important in this section.

The SCCM team continuously reduces the complexity of the command line used to install SCCM clients via Intune. The following blog about SCCM TP 1806 explains the latest updates in the CMG command line.

The following steps are explained in the video tutorial on How to deploy an SCCM client from Intune.

1. Login to Azure portal https://portal.azure.com
2. Navigate via Microsoft Intune – Mobile Apps – Apps
3. Click on +Add to add a new Intune application for SCCM client installation
4. Select Line-of-Business app – App Type drop-down menu from Add app blade
5. Click on App Package File to upload the SCCM client CCMSetup.MSI (use the latest version of the SCCM client) file to Intune

On the App package file blade, check the following settings  Name: ConfigMgr Client Setup Bootstrap

• Platform: Windows
• App version: 5.00.8634.1000    (1802 production version without hotfix)
• Size: 4.85 MiB
• MAM Enabled: No
• Execution Context: Per-Machine

Click on the OK button on the App Package file blade.

Click on the App Information option from the Add App blade.

• Fill the following information details in the App Information blade Name:-ConfigMgr Client Setup Bootstrap (Any useful name is fine)
• Description:- SCCM Client Install from Intune (Any useful description is fine)
• Publisher:- Microsoft
• Ignore App Version:- No
• Category: Computer Management
• Display this as a featured app in the Company Portal – NO
• Information URL:- Optional (I kept it blank)
• Privacy URL:- Optional (I kept it blank)
• Command-line Argument:- Command-Line is explained below
• Developer:- Optional (I kept it blank)
• Owner:- Optional (I kept it blank)
• Notes:- Optional (I kept it blank)
• Logo:- Optional (I kept it blank)

Click OK and Add to start uploading the CCMSetup.msi to Intune. This upload is going to take 10 minutes to complete. Wait for the following message to go away. Your app is not ready yet. Check back again soon

Click on the Add Group button on the Assignment tab of the mobile application that you created.

Select groups from the Add Group Blade where you want to assign this app. There are 3 (three) Assignment types – Select one assignment type. In the co-management scenario, I would like to deploy this SCCM client app to some group of devices as a REQUIRED app. Available for Enrolled Devices Required Uninstall.

Click on Included Groups from the Add Group blade

Select the groups where you want to make this app required from Assign blade
Select the following options underneath – All Users and Devices
Make this app required for all users – No
Make this app required on all devices – No

Click on Select Groups to select a Group for the required assignment from the Assign blade

Search the Device Group (co-managed devices as per your requirement) in the search option in the Select Groups blade and select the DEVICE group that you want to deploy

Click Select to save and close the Select Groups blade. Click OK to save and close the Assign blade. Click OK to save and close the Add Group blade. Click SAVE to save the Assignment blade.

Command Line – SCCM Client Application Installation

The command line I used in the lab environment to test the SCCM client install from Intune is below. Some modifications may be required in your production deployments or scenarios. I recommend reading Microsoft documentation for more guidance on this topic. How to Deploy SCCM Client via Intune Co-Management

CCMSETUPCMD (MSI installation?) – Specifies command-line parameters and properties that are passed to ccmsetup. exe after ccmsetup.msi installs it. Use this property when bootstrapping the SCCM client using the Intune MDM installation method.  Microsoft Intune limits the command line to 1024 characters.

You can get the command line details of your environment from SCCM co-management configuration properties. However, I recommend adding some additional parameters like NOCRLCHECK for your lab environment.

CCMSETUPCMD="/nocrlcheck /mp:https://ACMCMG01.CLOUDAPP.NET/CCM_Proxy_MutualAuth/7278792237927944 CCMHTTPSSTATE=31 CCMHOSTNAME=ACMCMG01.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927944 SMSSiteCode=PR3 SMSMP=https://SCCM_PROD.INTUNE.COM AADTENANTID=67BB8C6D-23466-4FAA-A290-5DHFGFLC2210 AADCLIENTAPPID=046cb662-0208-4adb-8118-4be4bc132bc2 AADRESOURCEURI=https://ConfigMgrService1 SMSPublicRootKey=0602000000A400005253413662EE6389AE91CD393D138517092EE5502855B1549BD4"

Azure AD client app ID: 046cb662-0208-4adb-8118-4be4bc132bc2
AAD Resource ID URI: https://ConfigMgrService1
SMSPUBLICROOTKEY: Specifies the SCCM trusted root key when it cannot be retrieved from AD Domain Services

From where will the SCCM Client get downloaded?

The SCCM client will be downloaded from Cloud DP in the above-mentioned scenario. This behavior changes; check out my latest TP blog for more details. In future versions of SCCM, there won’t be any requirement for a separate cloud DP.

If the content isn’t available on the Cloud DP, devices can retrieve it from the CMG. The client installation bootstrap retries the cloud distribution point for four hours before returning to the CMG. More details are here.

Co-Management Related Posts

All Co-Management Video tutorials are in one post here.

Overview Windows 10 Co-Management with Intune and SCCM 
Custom Report to Identify Machines Connected via SCCM CMG  
How to Setup Co-Management - Introduction - Prerequisites Part 1 
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 
Setup Co-Management - AAD Connect UPN Suffix Part 3 
Setup Co-Management - CA PKI & Certificates Part 4 
Setup Co-Management Cloud DP Azure Blob Storage Part 5 
Setup Co-Management Azure Cloud Services CMG Part 6
SCCM Configure Settings for Client PKI certificates Part 7
How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
How to Deploy SCCM Client from Intune - Co-Management - Part 9 (This Post)
End User Experience of Windows 10 Co-Management - Part 10

Resources

• Co-Management Command line to install SCCM client 
• SCCM Client (Manual) Install for Azure AD Joined devices
• SCCM Client installation parameters and properties

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.