I set up the SCCM Cloud Management Gateway and co-management for a small customer who wanted to extend SCCM operations to Windows 10 devices that are connected to the internet.
The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. You also don't need to expose your on-premises infrastructure to the internet.
Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization.
Setting up co-management is just 4 clicks, but setting up CMG is a lengthy process that involves certificates, changes to the SCCM site, etc. For more information on how to set up CMG, please refer to the following blog post (there are many others on the internet):
https://blogs.technet.microsoft.com/arnabm/2018/03/31/step-by-step-cloud-management-gateway-on-arm/
The customer is running Windows 10 with a combination of hybrid Azure AD joined and Azure AD joined (AAD) devices.
Installation of the SCCM client on on-prem domain-joined devices can be done using client push, GPO, startup script, SUP, etc., but for internet-connected devices we can use Intune.
In this blog post, I would like to go through the notes from the field that I collected while installing the SCCM client from Intune.
It is always recommended to use Win32 apps over LOB apps, because Win32 apps give you the flexibility to define a custom command line, detection method, requirement rules, dependencies and much more.
The Windows LOB deployment method cannot deploy .exe files; it supports only .msi, .appx, .appxbundle, .msix, and .msixbundle.
If you plan to use the line of business (LOB) method, you need to import ccmsetup.msi (located at <Configmgr Install Dir folder>:\cd.latest\SMSSETUP\BIN\I386) with the following command line settings:
The command line below can be obtained from the co-management properties (if you have enabled CMG). If you didn't enable CMG, internet-connected clients cannot be assigned to the SCCM site.
CCMSETUPCMD="/nocrlcheck /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037937951 SMSMP=https://remote1.contoso.net SMSSiteCode=CS1 AADTENANTID=256ed977-4388-a224-3d441dfb0def AADTENANTNAME=Contoso AADCLIENTAPPID=45b4c32c-89f9-4770-8a8b-a37d34fd2632 AADRESOURCEURI=https://contoso.onmicrosoft.com/d098acfa-8874-4ef6-a610-07440fb52c7c"
Use /nocrlcheck only if you haven't published the CRL on the internet.
We will now look at the two options listed above.
With the LOB method using the MSI, the client must connect to the on-prem MP, or you must enable CMG, to download the full installation files, because you only specify the MSI, which is not the complete source.
The SCCM client installation source is over 200 MB in size and includes ccmsetup.exe and other files.
The second method I am going to talk about is the Win32 app. With this method, we convert the entire source (~200 MB) into .intunewin format using IntuneWinAppUtil.exe.
How do we convert the source files to the supported format?
Copy the SCCM client installation files from your SCCM server (cd.latest\SMSSETUP\CLIENT) to C:\temp\sccmclient.
Download IntuneWinAppUtil.exe.
Now run the following command line to convert the source files:
IntuneWinAppUtil -c "C:\Temp\SCCMClient" -s ccmsetup.exe -o "C:\Temp\Intune Packages\Win32_apps" -q
This process captures C:\temp\sccmclient, with ccmsetup.exe as the setup executable, and places the Intune package in the Win32_apps folder.
Once the file is ready, use it to create a Win32 app in Intune.
The following is the information I used to create the Win32 app in Intune. With this method, ccmsetup will not connect to CMG to download the source files; it recognizes that the required source files already exist in the local cache deployed by the Win32 app.
This method reduces the time needed to download the full source files from CMG and also reduces cost: charges are based on data flowing out of Azure (egress or download), while data flowing into Azure (ingress or upload) is free.
Installation command for win32 apps:
ccmsetup.exe /nocrlcheck /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1 AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=1c5a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService
uninstall command: ccmsetup.exe /uninstall
Detection method: Use the MSI product code or registry key to check the client installation.
I have used registry key:
Key path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client
Detection Method: Value exists
Associated with a 32-bit app: No
Since I had enabled co-management, I tried using the command line syntax available in the co-management properties, but it didn't give me positive results.
Note: If you only place ccmsetup.exe in the folder, wrap it with the Intune tool and upload it, then at client installation time ccmsetup will still connect to CMG to download the content files.
When the device picks up the Intune policies, it downloads the content; you can monitor the log (IntuneManagementExtension.log) in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
Intune downloads the content to the incoming folder and then moves it to staging.
Once the content is downloaded and extracted, the installation starts with the command line used in the Win32 app.
Ccmsetup command line: ccmsetup.exe /nocrlcheck /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1 AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=1c5a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService01
After a while, you will see that the client is downloading the content from the local folder C:\Windows\IMECache instead of contacting the MP or CMG.
Downloading file C:\windows\IMECache\298c84d0-54c1-4db6-9d1d-0d49778cbd5f_1\ccmsetup.exe with source as IMECache (intune management extension cache folder)
Ccmsetup command line: "C:\windows\ccmsetup\ccmsetup.exe" /runservice /source:"C:\windows\IMECache\298c84d0-54c1-4db6-9d1d-0d49778cbd5f_1" /nocrlcheck /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1 AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=1c5a28b2-9d0a-482d-8553-7cb0d4897512 AADRESOURCEURI=https://ConfigMgrService01"
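An added example (not from the original post) that checks ccmsetup.log after the deployment: it confirms from the log that ccmsetup pulled its content from the IME cache rather than CMG, records whether /nocrlcheck disabled revocation checking, and verifies that /mp and CCMHOSTNAME refer to the same CMG endpoint. The log excerpt is a constructed sample modelled on the lines above; the regular expressions assume the standard CMTrace line format.

```python
"""Check ccmsetup.log (CMTrace format) after an Intune Win32-app deployment of the SCCM client."""
import re

_CMTRACE = re.compile(r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!>", re.DOTALL)
_SWITCH = re.compile(r'(?:^|\s)/(\w+)(?::("[^"]*"|\S+))?')          # /name or /name:value
_PROP = re.compile(r'(?:^|\s)([A-Za-z][A-Za-z0-9]*)=("[^"]*"|\S+)')  # NAME=value

def cmtrace_messages(text):
    """Return the message body of every CMTrace-formatted line in text."""
    return [m.group("msg") for m in _CMTRACE.finditer(text)]

def parse_ccmsetup_cmdline(msg):
    """Split a 'Ccmsetup command line: ...' message into its switches and properties."""
    cmd = msg.partition("Ccmsetup command line:")[2]
    switches = {k.lower(): v.strip('"') for k, v in _SWITCH.findall(cmd)}
    props = {k: v.strip('"') for k, v in _PROP.findall(cmd)}
    return switches, props

def check_deployment(log_text):
    """Did content come from the IME cache (no CMG egress)? Was revocation checking
    disabled with /nocrlcheck? Do /mp and CCMHOSTNAME name the same CMG endpoint?"""
    findings = {"source_is_imecache": False, "crl_check_disabled": False, "cmg_endpoint_consistent": None}
    for msg in cmtrace_messages(log_text):
        if "Downloading file" in msg and "imecache" in msg.lower():
            findings["source_is_imecache"] = True
        if "Ccmsetup command line:" not in msg:
            continue
        switches, props = parse_ccmsetup_cmdline(msg)
        if "imecache" in switches.get("source", "").lower():
            findings["source_is_imecache"] = True
        findings["crl_check_disabled"] = "nocrlcheck" in switches
        mp, host = switches.get("mp", ""), props.get("CCMHOSTNAME", "")
        if mp and host:  # /mp carries the https:// scheme, CCMHOSTNAME does not
            findings["cmg_endpoint_consistent"] = (
                mp.split("://", 1)[-1].rstrip("/").lower() == host.rstrip("/").lower())
    return findings

SAMPLE_LOG = (  # constructed sample, modelled on the ccmsetup.log lines quoted in the post
    '<![LOG[Downloading file C:\\windows\\IMECache\\298c84d0-54c1-4db6-9d1d-0d49778cbd5f_1\\ccmsetup.exe'
    ' with source as IMECache]LOG]!><time="10:05:01.000+000" date="07-01-2019" component="ccmsetup">\n'
    '<![LOG[Ccmsetup command line: "C:\\windows\\ccmsetup\\ccmsetup.exe" /runservice'
    ' /source:"C:\\windows\\IMECache\\298c84d0-54c1-4db6-9d1d-0d49778cbd5f_1" /nocrlcheck'
    ' /mp:https://SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 CCMHTTPSSTATE=31'
    ' CCMHOSTNAME=SCCM.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057594037928694 SMSSiteCode=PS1'
    ' AADTENANTID=6007305e-2664-4e6b-b9a4-c4d5ccfd1524 AADRESOURCEURI=https://ConfigMgrService01"]LOG]!>'
    '<time="10:05:02.000+000" date="07-01-2019" component="ccmsetup">\n'
)
```

Run check_deployment over the real C:\Windows\ccmsetup\Logs\ccmsetup.log; a crl_check_disabled result of True is expected only where the CRL is not published on the internet, as the post notes.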
Once the client installation succeeds, the client sends a registration request to CMG, which is forwarded to the primary site to approve the request.
Since these devices are Azure AD joined, they will always appear as WORKGROUP in SCCM, but they get auto-approved (this is what I found in my testing) even though you have set 'Automatically approve computers in trusted domains' in the site hierarchy settings.
Once the client is auto-approved, you will see an entry like the one below: the domain is WORKGROUP and the client is approved.
If you have any issues getting the SCCM client installed, assigning the client to the SCCM site, or understanding the Azure AD authentication workflow, please read https://docs.microsoft.com/en-us/sccm/core/clients/manage/azure-ccmsetup. Common causes of failure include:
- Root CA not present
- CRL check enabled: publish the CRL on the internet, or use the /NoCRLcheck option in the command line
- WPJ certificate not found: client is registered with Azure AD, but not joined to Azure AD
How do you create a collection for all Azure AD joined devices?
You can either follow this blog post https://blog.hametbenoit.info/2017/09/05/sccm-identify-azure-ad-joined-device/#.XRyOqugzaUk or use the following method to create the collection.
This method doesn't require any custom hardware inventory; it just uses the information already available in SCCM for Azure AD joined devices.
Create a collection with the criteria TenantID = '6007305E-2664-4E6B-B9A4-C4C5CCFD1524' and Resource Domain or Workgroup = 'WORKGROUP'.
If the domain field in the system properties of these Azure AD joined devices has been changed to something other than the default value 'WORKGROUP', use that value in the query.
WQL Query: select * from SMS_R_System where SMS_R_System.AADTenantID = "6007305E-2664-4E6B-B9A4-C4C5CCFD1524" and SMS_R_System.ResourceDomainORWorkgroup = "WORKGROUP"
Overview of the Win32 app for the SCCM client:
Hope you will find this useful!