I had setup SCCM Cloud Management gateway and Co-management for small customer who would like to extend the SCCM operations to windows 10 devices which are connected to internet.
The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. You also don't need to expose your on-premises infrastructure to the internet.
Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization.
Even though ,setting up co-management is just 4 clicks but setting up CMG is lengthy process which involves certificates ,changes to SCCM site etc. For more information on how to setup CMG please refer following blogs.
https://www.systemcenterdudes.com/how-to-configure-sccm-1806-cloud-management-gateway/
https://blogs.technet.microsoft.com/arnabm/2018/03/31/step-by-step-cloud-management-gateway-on-arm/ and there could be many on internet.
The customer is running on windows 10 with combination of hybrid Azure AD join and Azure AD join (AAD) device.
Installation of sccm client for on-prem domain join devices can be achieved using client push ,GPO, startup script ,SUP etc. but for internet connected devices, we can use Intune.
In this blog post, i would like to go through the notes from the filed that i encounter while installing SCCM client from intune.
In order to install SCCM client, we have 2 methods from intune 1)we can use windows LOB apps (using ccmsetup.msi) and 2) win32 apps which now allows greater Win32 app management capabilities.
It is always recommended to use win32 apps over LOB because ,win32 apps gives you the flexibility to define custom command line ,detection method ,requirement rule , dependencies and many other.
Windows LOB deployment method cannot deploy exe files and it supports only .msi, .appx, .appxbundle, .msix, and .msixbundle.
If you plan to use line of business (LOB) method ,you need to import ccmsetup.msi (located at <Configmgr Install Dir folder>:\cd.latest\SMSSETUP\BIN\I386) with following command line settings :
The below command line can be obtained from co-management properties (if you have enabled CMG ). If you didn't enable CMG then clients cannot be assigned to SCCM which are connected to internet.
CCMSETUPCMD="/nocrlcheck /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 SMSMP=https://remote1.contoso.net SMSSiteCode=CS1 AADTENANTID=256ed977-4388-a224-3d441dfb0def AADTENANTNAME=Contoso AADCLIENTAPPID=45b4c32c-89f9-4770-8a8b-a37d34fd2632 AADRESOURCEURI=https://contoso.onmicrosoft.com/d098acfa-8874-4ef6-a610-07440fb52c7c"
/nocrlcheck only if you you haven't published the CRL on internet.
we will now see the two options that are listed above.
With LOB method using MSI ,client must connect to to MP (on-prem) or you must enable CMG to download full installation files because you only specify MSI which is not complete source files.
SCCM client installation source file size is over 200mb which include ccmsetup.exe and others.
2nd method that am going to talk about is win32 app. With this , we will convert the entire source files (~200mb) into .intunewin format using IntuneWinAppUtil.exe
How to we convert the source files to supported format?
Copy the SCCM client installation files from your SCCM server (cd.latest\SMSSETUP\CLIENT) to C:\temp\sccmclient
Download the intunewinapputil.exe
Now run the following command line to convert the source files .
IntuneWinAppUtil -c "C:\Temp\SCCMClient" -s ccmsetup.exe -o "C:\Temp\Intune Packages\Win32_apps" –q
This process takes the capture from c:\temp\sccmclient with executable file as ccmsetup.exe and place the intune package into win32_apps folder.
Once the file is ready ,use that to create win32 app in intune.
Following is the information that i have used to create win32 app in intune . with this method ,ccmsetup will not connect to CMG to download the source files and it will recognize that the required source files already exist in local cache that was deployed by win32 app.
This method helps you to reduce the time for downloading the full source files from CMG and also reduce cost .Charges are based on data flowing out of Azure (egress or download).Any data flows into Azure are free (ingress or upload).
Installation command for win32 apps:
ccmsetup.exe /nocrlcheck /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1 AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=1c5a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService
uninstall command: ccmsetup.exe /uninstall
Detection method: Use the MSI product code or registry key to check the client installation.
I have used registry key:
Key path:Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client
Value name:ProductVersion
Detection Method: Value exist
Associated with a 32bit app=No
Since i have enabled the co-management and i tried using the command line syntax available in the co-mgmt properties but it didn't give me positive results.
Note: If you only have ccmsetup.exe placed in folder and wrapped intune tool and uploaded, then at the time of client installation ,ccmsetup will still connect to CMG to download the contents files.
When device picks up the intune policies ,it download content ,you can monitor the log (IntuneManagementExtension.log) from C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
Intune download the content to incoming folder and then move to staging.
Once the content is downloaded and extracted ,installation will start with the command line that is used in win32 app.
Ccmsetup command line: ccmsetup.exe /nocrlcheck /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1 AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=1c5a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService01
After a while, you will see that ,client is downloading the content from local folder C:\windows\IMEcache instead of contacting MP or CMG
Downloading file C:\windows\IMECache\298c84d0-54c1-4db6-9d1d-0d49778cbd5f_1\ccmsetup.exe with source as IMECache (intune management extension cache folder)
Ccmsetup command line: "C:\windows\ccmsetup\ccmsetup.exe" /runservice /source:"C:\windows\IMECache\298c84d0-54c1-4db6-9d1d-0d49778cbd5f_1" /nocrlcheck /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1 AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=1c5a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService01"
Once the client installation is succeeded ,client will send registration request to CMG ,forwarded to Primary site to approve the request.
Since these devices are Azure AD join, they will always appear as workgroup in SCCM but they will get auto approve (this is what i found in my testing) even though you set ‘automatically approve computers in trusted domains’ in site hierarchy settings.
Once client get auto approve, you will see the entry like below . Domain is workgroup and client is approved.
If you have any issues getting the sccm client or assigning the client to SCCM site or understanding Azure AD authentication workflow ,please read https://docs.microsoft.com/en-us/sccm/core/clients/manage/azure-ccmsetup
Common issues:
- Root CA not present
- CRL check enabled: publish CRL on internet, or use the /NoCRLcheck option in command line
- WPJ certificate not found: client is registered with Azure AD, but not joined to Azure AD
How to create collection for all Azure AD domain join devices ?
You can either follow this blog post https://blog.hametbenoit.info/2017/09/05/sccm-identify-azure-ad-joined-device/#.XRyOqugzaUk or use the following method to create collection.
This method doesn't require any custom hardware inventory but just use the information available in SCCM for Azure AD joined devices.
Create a collection with criteria TenantID =’6007305E-2664-4E6B-B9A4-C4C5CCFD1524’and resource domain or workgroup=’WORKGROUP’
If you have the domain filed in system properties for these Azure AD joined devices changed to something else other than default value that is ‘WORKGROUP’ ,please look for it in the query.
WQL Query: select * from SMS_R_System where SMS_R_System.AADTenantID = "6007305E-2664-4E6B-B9A4-C4C5CCFD1524" and SMS_R_System.ResourceDomainORWorkgroup = "WORKGROUP"
Overview of win32 app for SCCM client :
Hope you will find this useful!
References:
6 Comments
Hi Eswar,
Thanks for the blog, really handy.
I wanted to know how are you pushing client certs? When I am deploying client, it is getting installed and showing compliant in In-tune portal but on client SC is not working. Error is
ccmmessaging.log ->
RetrieveTokenFromStsServerImpl failed with error 0x80072ee5
Failed to get CCM access token and client doesn't have PKI issued cert to use SSL. Error 0x80072ee5
Hi Rome,
What certificates are you referring to? if it is client authentication, you can deploy the cert from on-prem GPO or use hybrid AAD (if you are) or token based.
What is your SCCM site setup? PKI or self-signed?
what is your CMG setup? is it using public cert or enterprise CA.
Regards,
Eswar
Hi,
Could you share which registry key you check for the detection rule and how to find the correct msi product code for this installation.
Regards,
Peter
Hi Peter,
I have updated the blog post with detection rule.
Thanks,
Eswar
Pingback: How to prepare SCCM CMG Client installation switches for internet based client | All about Microsoft Endpoint Manager
Pingback: Using intune to install ConfigMgr client as win32 app with local source files without downloading from CMG | Eswar Koneti Blog