How to Deploy SCCM Client from Intune – Co-Management

We can install the SCCM client using Intune in a co-management scenario. You can create a “Mobile app” in Intune with the latest SCCM client package and deploy the app to the Windows 10 devices that you want to co-manage. Deploying the SCCM client via Intune is the topic we are going to cover in this post.

Update – From SCCM 1810 onwards, SCCM client installation from the internet via CMG is easier. The SCCM site publishes additional Azure Active Directory (Azure AD) information to the cloud management gateway (CMG). With SCCM 1810 onwards, the only two required ccmsetup properties are CCMHOSTNAME and SMSSiteCode. More details are available in the Microsoft documentation.

Prerequisites to SCCM Client via Intune?

In this post, you can see how to install SCCM client via Intune in a co-management scenario. I have documented the Co-management prerequisites, and I would recommend reading the post.

  • The logged on user must be an Azure AD identity.
  • If the user is a federated or synchronized identity (using AAD Sync), you must use SCCM AD user discovery as well as Azure AD user discovery.
  • For the management point site system role, also enable ASP.NET 4.5 on this server. You should also include any other options that are automatically selected when enabling ASP.NET 4.5.
  • Cloud Management Gateway (CMG) to deploy Internet-based clients. For on-premises clients that authenticate with Azure AD, you don’t need a CMG.

How to Configure Client Settings for Co-Managed Devices?

It’s important to set the SCCM client policies for co-managed Windows 10 devices. You need to configure the following SCCM client settings in the Cloud Services section.

Enable Allow access to cloud distribution point - Yes
Automatically register new Windows 10 domain joined devices with Azure AD(AAD) - Yes
Enable clients to use a cloud management gateway - Yes

TIP: To confirm the device is joined to Azure AD (this is NOT applicable to Azure AD registered devices), run dsregcmd.exe /status in a command prompt. The AzureAdJoined field in the results shows YES if the device is Azure AD-joined.

How to Install SCCM Client Manually on Intune Managed Devices?

You can install the SCCM client manually with the following command line even if Intune already manages your Windows 10 device. Another method is to automate the client install using the Azure AD identity via Microsoft Intune (this is explained in the next section of this post).

The following example shows the general structure of the command line:

ccmsetup.exe /mp:<source management point> CCMHOSTNAME=<internet-based management point> SMSSiteCode=<site code> SMSMP=<initial management point> AADTENANTID=<Azure AD tenant identifier> AADCLIENTAPPID=<Azure AD client app identifier> AADRESOURCEURI=<Azure AD server app identifier>

More details about command line properties.

The /mp and CCMHOSTNAME properties specify one of the following, depending upon the scenario:-
– On-premises management point. Only specify the /mp property. The CCMHOSTNAME isn’t required.
– Cloud management gateway
– Internet-based management point

The SMSMP property specifies either the on-premises or Internet-based management point.

This example uses a cloud management gateway. It substitutes sample values for each property:-

ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC SMSMP= AADTENANTID=daf4a1c2-3a0c-401b-966f-0b855d3abd1a AADCLIENTAPPID=7506ee10-f7ec-415a-b415-cd3d58790d97 AADRESOURCEURI=https://contososerver

How to Automatically Install or Deploy SCCM Client via Intune?

For Windows 10 (1709 or later) devices that are enrolled in Intune and don’t have the SCCM client, you can create an app in Intune to deploy the SCCM client. The command line used for this SCCM client installation is the most important part of this section.

The SCCM team is continuously reducing the complexity of the command line used for installing the SCCM client via Intune. The latest updates to the command line using CMG are explained in the following blog about SCCM TP 1806.

The following steps are explained in the video tutorial How to deploy SCCM client from Intune.

  1. Login to Azure portal
  2. Navigate via Microsoft Intune > Mobile Apps > Apps
  3. Click on +Add to add new Intune application for SCCM client installation
  4. Select Line-of-Business app from the App Type drop-down menu on the Add app blade
  5. Click on App Package File to upload the SCCM client CCMSetup.MSI file (use the latest version of the SCCM client) to Intune
  6. On the App package file blade, check the following settings:
    Name: ConfigMgr Client Setup Bootstrap
    Platform: Windows
    App version: 5.00.8634.1000    (1802 production version without hotfix)
    Size: 4.85 MiB
    MAM Enabled: No
    Execution Context: Per-Machine
  7. Click on OK button on App Package file blade
  8. Click on App Information option from Add App blade
  9. Fill in the following details on the App Information blade:
    Name:- ConfigMgr Client Setup Bootstrap (Any useful name is fine)
    Description:- SCCM Client Install from Intune (Any useful description is fine)
    Publisher:- Microsoft
    Ignore App Version:- No
    Category: Computer Management
    Display this as a featured app in the Company Portal – NO
    Information URL:- Optional (I kept it blank)
    Privacy URL:- Optional (I kept it blank)
    Command-line Argument:- <Command Line explained below>
    Developer:- Optional (I kept it blank)
    Owner:- Optional (I kept it blank)
    Notes:- Optional (I kept it blank)
    Logo:- Optional (I kept it blank)
  10. Click OK and then click Add to start uploading CCMSetup.msi to Intune. This upload is going to take 10 minutes to complete. Wait for the following message to go away 😉 "Your app is not ready yet. Check back again soon"
  11. Click on the Add Group button on the Assignment tab of the mobile application which you created.
  12. Select the groups to which you want to assign this app from the Add Group blade. There are 3 (three) assignment types; select one:
    Available for Enrolled Devices
    Required
    Uninstall
    In the co-management scenario, I would like to deploy this SCCM client app to some group of devices as a REQUIRED app.
  13. Click on Included groups from Add Group blade
  14. Select the groups where you want to make this app required from Assign blade
    Select following options underneath – All Users and Devices
    Make this app required for all users – No
    Make this app required on all devices – No
  15. Click on Select Groups to select a group for the required assignment from the Assign blade
  16. Search the Device Group (co-managed devices as per your requirement) in the search option in Select Groups blade and select the DEVICE group which you want to deploy
  17. Click Select to save and close the Select Groups blade
  18. Click OK to save and close Assign blade
  19. Click OK to save and close Add Group blade
  20. Click SAVE to save Assignment blade

Command Line – SCCM Client Application Installation

The command line that I used in the lab environment to test the SCCM client install from Intune is below. It may require some modifications for your production deployments or scenarios. I would recommend reading the Microsoft documentation for more guidance on this topic.

CCMSETUPCMD (MSI installation?) – Specifies command-line parameters and properties that are passed to ccmsetup.exe after ccmsetup.msi installs it. Use this property when bootstrapping the SCCM client using the Intune MDM installation method. Microsoft Intune limits the command line to 1024 characters.

You can get the command line details of your environment from the SCCM co-management configuration properties. But I recommend adding some additional parameters like NOCRLCHECK for your lab environment.

CCMSETUPCMD="/nocrlcheck /mp:https://ACMCMG01.CLOUDAPP.NET/CCM_Proxy_MutualAuth/7278792237927944 CCMHTTPSSTATE=31 CCMHOSTNAME=ACMCMG01.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927944 SMSSiteCode=PR3 SMSMP=https://SCCM_PROD.INTUNE.COM AADTENANTID=67BB8C6D-23466-4FAA-A290-5DHFGFLC2210 AADCLIENTAPPID=046cb662-0208-4adb-8118-4be4bc132bc2 AADRESOURCEURI=https://ConfigMgrService1 SMSPublicRootKey=0602000000A400005253413662EE6389AE91CD393D138517092EE5502855B1549BD4"
/mp - <URL of cloud management gateway mutual auth endpoint> - https://ACMCMG01.CLOUDAPP.NET/CCM_Proxy_MutualAuth/7278792237927944
/nocrlcheck - (Not recommended for production environment) - Use when you don't have the PKI CRL published to the internet
CCMHTTPSSTATE=31 - (Not recommended for production environment) - The value 31 means HTTPS is enabled with no CRL checking. I don't recommend using this setting in a production environment without proper testing.
CCMHOSTNAME = <URL of cloud management gateway mutual auth endpoint> -> ACMCMG01.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927944
SMSSiteCode = <Sitecode> -> PR3
Azure AD tenant ID: 67BB8C6D-23466-4FAA-A290-5DHFGFLC2210
Azure AD client app ID: 046cb662-0208-4adb-8118-4be4bc132bc2
AAD Resource ID URI: https://ConfigMgrService1
SMSPUBLICROOTKEY: Specifies the SCCM trusted root key when it cannot be retrieved from AD Domain Services
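
A pre-deployment check for the CCMSETUPCMD value, as an added example that is not part of the original post or Microsoft's tooling: it tests the 1024-character Intune limit, the two properties required from 1810 onwards, and flags the lab-only CRL settings. The function name Test-CcmSetupCmd and the sample string are constructed for illustration, and it assumes a CMG install whose property values contain no spaces.

```powershell
function Test-CcmSetupCmd {
    param([Parameter(Mandatory)][string]$CcmSetupCmd)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Intune limits this command line to 1024 characters (limit stated in the post).
    if ($CcmSetupCmd.Length -gt 1024) {
        $findings.Add("ERROR: $($CcmSetupCmd.Length) characters exceeds the 1024 limit")
    }

    # Split into /switches and NAME=value properties (assumes no spaces inside values).
    $switches = @{}; $props = @{}
    foreach ($token in ($CcmSetupCmd.Trim() -split '\s+')) {
        if ($token -match '^/([^:]+)(?::(.*))?$') { $switches[$Matches[1]] = $Matches[2] }
        elseif ($token -match '^([^=]+)=(.*)$') { $props[$Matches[1]] = $Matches[2] }
        else { $findings.Add("WARN: unrecognised token '$token'") }
    }

    # From 1810 onwards the post lists these two as the only required properties.
    foreach ($name in 'CCMHOSTNAME', 'SMSSiteCode') {
        if (-not $props.ContainsKey($name)) { $findings.Add("ERROR: $name is missing") }
    }
    # Flag NAME= with nothing after it so an unfilled field is noticed.
    foreach ($name in $props.Keys) {
        if (-not $props[$name]) { $findings.Add("ERROR: $name has an empty value") }
    }

    # Both settings turn off CRL checking; the post marks them as lab-only.
    if ($switches.ContainsKey('nocrlcheck')) {
        $findings.Add('WARN: /nocrlcheck present, not recommended for production')
    }
    if ($props['CCMHTTPSSTATE'] -eq '31') {
        $findings.Add('WARN: CCMHTTPSSTATE=31 (HTTPS, no CRL checking), not recommended for production')
    }

    # The post describes /mp and CCMHOSTNAME as the same CMG endpoint, so compare them.
    $mpEndpoint = "$($switches['mp'])" -replace '^https?://', ''
    if ($mpEndpoint -and $props['CCMHOSTNAME'] -and ($mpEndpoint -ne $props['CCMHOSTNAME'])) {
        $findings.Add('WARN: /mp and CCMHOSTNAME point at different endpoints')
    }
    $findings
}

# Constructed sample built from the post's Contoso placeholders; the last digit of
# CCMHOSTNAME is changed on purpose and SMSMP is left empty to trigger findings.
$sample = '/nocrlcheck /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 ' +
    'CCMHTTPSSTATE=31 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220501 ' +
    'SMSSiteCode=ABC SMSMP='
Test-CcmSetupCmd -CcmSetupCmd $sample
```

Pass the string without the outer CCMSETUPCMD="..." wrapper, and treat any WARN line as a setting to remove before the app is assigned to production device groups.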

From where the SCCM Client will get Downloaded?

In the above-mentioned scenario, the SCCM client will be downloaded from the Cloud DP. This behaviour is changing; check out my latest TP blog post for more details. There won’t be any requirement for a separate cloud DP in future versions of SCCM.

If the content isn’t available on the Cloud DP, devices can retrieve the content from the CMG. The client installation bootstrap retries the cloud distribution point for four hours before it falls back to the CMG. More details here.

Co-Management Related Posts

All Co Management Video Tutorial in one post here.

Overview Windows 10 Co-Management with Intune and SCCM 
Custom Report to Identify Machines Connected via SCCM CMG  
How to Setup Co-Management - Introduction - Prerequisites Part 1 
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 
Setup Co-Management - AAD Connect UPN Suffix Part 3 
Setup Co-Management - CA PKI & Certificates Part 4 
Setup Co-Management Cloud DP Azure Blob Storage Part 5 
Setup Co-Management Azure Cloud Services CMG Part 6
SCCM Configure Settings for Client PKI certificates Part 7
How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
How to Deploy SCCM Client from Intune - Co-Management - Part 9 (This Post)
End User Experience of Windows 10 Co-Management - Part 10


Co-Management ==> Command line to install SCCM client 

SCCM Client (Manual) Install for Azure AD Joined devices

SCCM Client installation parameters and properties