About a year ago (Sep 2018), Microsoft announced support for Win32 app management capabilities using Intune. Intune-only customers can now leverage management capabilities for their Win32 line-of-business (LOB) apps.
For more information about Intune Standalone - Win32 app management, read here.
Use the Microsoft Win32 Content Prep Tool to pre-process Windows Classic apps. The packaging tool converts application installation files into the .intunewin format. The packaging tool also detects the parameters required by Intune to determine the application installation state. After you use this tool on your apps, you will be able to upload and assign the apps in the Microsoft Intune console. For more information about the Win32 Content Prep Tool, please refer here.
The customer had SCCM+CMG, co-management and Autopilot set up. During Autopilot, one of the tasks is the installation of the SCCM client on these Azure AD joined devices through Intune, so that they can manage patching and app deployments through SCCM. It simply extends SCCM operations from on-prem to cloud-connected devices.
One thing that was noticed lately is that all these Azure AD joined devices have turned into co-managed devices, because they have the SCCM agent and are Intune enrolled. When devices are co-managed, the compliance policies are by default handed over to ConfigMgr unless you move the 'compliance policies' workload to Intune.
Device status for co-managed devices:
Co-management workloads:
At this point in time, compliance is always handled by SCCM and not by Intune device compliance policies, because of the workload settings.
If you have any conditional access policies where the grant control is set to require a compliant or hybrid Azure AD joined device, these devices will always be compliant unless you have compliance policies created in SCCM.
In order to fix this gap, we have two options:
1) Move the workload for compliance policies to Intune.
2) Create device compliance policies in ConfigMgr.
I tried the 2nd option, to create a device compliance policy in SCCM, however I cannot find all the compliance settings that are available in Intune. The most preferred method is to move the compliance policies to Intune.
Should we move the slider to Intune? Not at the moment for this customer, as co-management is still in the evaluation phase, hence the only option for us to move forward is to uninstall the ConfigMgr client on all Azure AD joined devices using Intune.
After the SCCM agent is removed from these AAD joined devices, Intune will manage them for all device management capabilities such as app deployment, compliance, device configuration, patching etc.
How to uninstall the SCCM agent on these Azure AD joined devices (ONLY) using Intune?
We all know that the SCCM client can be uninstalled with ccmsetup.exe /uninstall, so we will use the Win32 Content Prep Tool to prepare a package and deploy it using Intune.
1. Download IntuneWinAppUtil.exe from https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool
2. Copy ccmsetup.exe from your SCCM site, or from any Windows client that has the SCCM client installed, to your local drive (C:\temp\sccmclient). ccmsetup.exe is located in the C:\windows\ccmsetup folder on the device.
3. Open cmd and run the following command:
IntuneWinAppUtil -c "C:\Temp\SCCMclient" -s ccmsetup.exe -o "C:\Temp\Intune Packages\Win32_apps"
Once this is done, you will see the .intunewin file created in the destination directory "C:\Temp\Intune Packages\Win32_apps".
We will now use this file to create a Win32 app in Intune and deploy it to Azure AD joined devices only.
Log in to the Azure portal or Device Management and click on Apps: https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/1/selectedMenuItem/Overview
Choose Windows app (Win32).
Upload the .intunewin file that we generated.
Program:
Install command: ccmsetup.exe
Uninstall command: ccmsetup.exe /uninstall (we will use this to remove the agent)
Requirements: choose what is applicable to you.
Requirements:
Detection Rule:
I usually go with a registry key, as it is easier to identify the agent installation status that way instead of going with MSI or file/folder. You can also choose a script to detect whether the SMS Agent Host service is running or not.
Uninstall command will run only on devices that have the following registry key.
Rule type: Registry
Key Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client
Value Name: ProductVersion
Detection method: Value exists
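The script-based alternative mentioned above could look like the following. This is an added example, not part of the original post: it checks the same registry value as the rule above plus the SMS Agent Host service (service name CcmExec), and treating either one as "client present" is a choice made for this example. Intune treats a custom detection script as "detected" only when it exits with code 0 and writes a string to STDOUT.

```powershell
# Added example: Intune custom detection script for the ConfigMgr client.
# "Detected" = exit code 0 AND something written to STDOUT.

$keyPath   = 'SOFTWARE\Microsoft\SMS\Mobile Client'  # key from the registry rule above
$valueName = 'ProductVersion'
$svcName   = 'CcmExec'                               # service name of "SMS Agent Host"

# Open the 64-bit registry view explicitly, so the result is the same whether
# Intune launches the script as a 32-bit or a 64-bit process (a 32-bit process
# would otherwise be redirected to WOW6432Node and miss the key).
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]::Registry64)
$version = $null
try {
    $key = $hklm.OpenSubKey($keyPath)
    if ($key) {
        $version = $key.GetValue($valueName)
        $key.Close()
    }
}
finally {
    $hklm.Close()
}

# Returns $null (no error) when the service does not exist.
$service = Get-Service -Name $svcName -ErrorAction SilentlyContinue

# Assumption for this example: either the registry value or the service
# counts as "client still present", so the uninstall assignment applies.
if ($version -or $service) {
    Write-Output "ConfigMgr client present. ProductVersion='$version' ServiceStatus='$($service.Status)'"
    exit 0
}

# No STDOUT output plus a non-zero exit code = "not detected".
exit 1
```

When uploading the script, leave "Run script as 32-bit process on 64-bit clients" at its default; the explicit Registry64 view makes the registry check independent of that setting.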
Save, then click Add to create the app. It takes a few minutes to upload the content before it is ready to assign to groups.
Once the app is created, you need to create an Azure AD group that contains Azure AD joined devices only, and not any other devices, as per the request. Refer to this post to create the AAD group using PowerShell: http://eskonr.com/2019/10/use-powershell-to-create-azure-ad-dynamic-security-group-for-azure-ad-joined-aadj-devices-only/
Once the group is ready, we can target the SCCM uninstall app to this group.
Assignment type: Uninstall
Once the assignment is done, it takes a few hours, depending on the sync policy, before ccmsetup.exe starts uninstalling the client agent on the device.
End user experience/status:
At the next MDM policy sync, the device will receive this policy and uninstall the client. Read this article on how to force an MDM policy sync on Windows 10: https://oofhours.com/2019/09/28/forcing-an-mdm-sync-from-a-windows-10-client/
Troubleshooting Intune Win32 app installation issues: https://docs.microsoft.com/en-us/intune/apps/troubleshoot-app-install
On the device, ccmsetup.log, located at C:\windows\ccmsetup\logs, has the following information about the client uninstallation.
When the SCCM agent is removed from a device, you will see the device name with the status Not installed, which means the SCCM agent has been removed or the device does not currently have the SCCM agent.
Below snapshot shows the uninstall status (29 uninstalled).
Hope you find this useful!