    How to uninstall SCCM client using Intune Win32 app management

    By Eswar Koneti | October 11, 8:09 pm | Conditional Access

    About a year ago (Sep 2018), Microsoft announced support for Win32 app management capabilities in Intune. Intune-only customers can now leverage management capabilities for their Win32 line-of-business (LOB) apps.

    For more information about Intune Standalone Win32 app management, read here.

    Use the Microsoft Win32 Content Prep Tool to pre-process Windows Classic apps. The packaging tool converts application installation files into the .intunewin format. It also detects the parameters Intune requires to determine the application installation state. After you use this tool on your apps, you will be able to upload and assign the apps in the Microsoft Intune console. For more information about the Win32 Content Prep Tool, please refer here.

    The customer had SCCM+CMG, co-management and Autopilot set up. During Autopilot, one of the tasks is the installation of the SCCM client on these Azure AD joined devices through Intune, so that they can manage patching and app deployments through SCCM. This simply extends SCCM operations from on-prem to cloud-connected devices.

    One thing that was noticed later was that all these Azure AD joined devices had turned into co-managed devices, because they have the SCCM agent and are Intune enrolled. When devices are co-managed, compliance policies are by default handed over to ConfigMgr unless you move the 'compliance policies' workload to Intune.

    [Screenshot: device status for co-managed devices]

    [Screenshot: co-management workloads]

    At this point, compliance is always handled by SCCM and not by Intune device compliance policies, because of the workload settings.

    If you have any conditional access policies whose grant control is set to require a compliant or hybrid Azure AD joined device, these devices will always be compliant unless you have compliance policies created in SCCM. The conditional access requirement is therefore met without any real compliance evaluation.

    To fix this gap, we have two options:

    1) Move the compliance policies workload to Intune.

    2) Create device compliance policies in ConfigMgr.

    I tried the 2nd option, creating a device compliance policy in SCCM; however, I cannot find all the compliance settings that are available in Intune. The most preferred method is to move the compliance policies to Intune.

    Should we move the slider to Intune? Not at the moment for the customer, as co-management is still in the evaluation phase. Hence the only option for us to move forward is to uninstall the ConfigMgr client on all Azure AD joined devices using Intune.

    After the SCCM agent is removed from these AAD joined devices, Intune will manage them for all device management capabilities, such as app deployment, compliance, device configuration and patching.

    How to uninstall the SCCM agent on these Azure AD joined devices (ONLY) using Intune?

    We all know that the SCCM client can be uninstalled with ccmsetup.exe /uninstall. We will use the Win32 Content Prep Tool to prepare the package and deploy it using Intune.

    1. Download IntuneWinAppUtil.exe from https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool

    2. Copy ccmsetup.exe from your SCCM site, or from any Windows client that has the SCCM client installed, to your local drive (C:\temp\sccmclient). On a client device, ccmsetup.exe is located in the C:\windows\ccmsetup folder.

    3. Open cmd and run the following command:

    IntuneWinAppUtil -c "C:\Temp\SCCMclient" -s ccmsetup.exe -o "C:\Temp\Intune Packages\Win32_apps"

    Once this is done, you will see the .intunewin file created in the destination directory "C:\Temp\Intune Packages\Win32_apps".
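
Because the packaged ccmsetup.exe will run with SYSTEM rights on every targeted device, it is worth validating the source folder before running the packaging command above. The following PowerShell is an added example, not part of the original post; it assumes the paths used in the steps above and that IntuneWinAppUtil.exe is on the PATH.

```powershell
# Added example (not from the original post): validate the source folder, then package.
$source = 'C:\Temp\SCCMclient'
$output = 'C:\Temp\Intune Packages\Win32_apps'
$setup  = Join-Path $source 'ccmsetup.exe'

# 1. The binary may have been copied from "any Windows client", so confirm that its
#    Authenticode signature is intact and that the signer is Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid') {
    throw "ccmsetup.exe signature status is '$($sig.Status)'; do not package it."
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. IntuneWinAppUtil packages everything under the -c folder, so the folder should
#    hold ccmsetup.exe and nothing else (no stray scripts, logs or credential files).
$extra = Get-ChildItem -Path $source -Recurse -File |
    Where-Object { $_.FullName -ne $setup }
if ($extra) {
    throw "Unexpected files in ${source}: $($extra.Name -join ', ')"
}

# 3. Record the hash so the deployed binary can be traced back to this package.
$hash = (Get-FileHash -Path $setup -Algorithm SHA256).Hash
Write-Output "Packaging ccmsetup.exe SHA256=$hash"

# 4. Same packaging command as in the post.
& IntuneWinAppUtil.exe -c $source -s 'ccmsetup.exe' -o $output
```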

    We will now use this file to create a Win32 app in Intune and deploy it to Azure AD joined devices only.

    Log in to the Azure portal or Device Management and click on Apps: https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/1/selectedMenuItem/Overview

    Choose Windows app (Win32).

    Upload the .intunewin file that we generated.

    Program:

    Install command: ccmsetup.exe

    Uninstall command: ccmsetup.exe /uninstall (we will use this to remove the agent)

    Requirements: choose what is applicable to you.

    Detection rule:

    I usually go with a registry key, as it is easier to identify the agent installation status that way than with MSI or file/folder. You can also choose a script to detect whether the SMS Agent Host service is running.

    The uninstall command will run only on devices that have the following registry key.

    Rule type: Registry

    Key Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client

    Value Name: ProductVersion

    Detection method: Value exists
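
The script-based detection mentioned above could look like the following. This is an added example, not code from the original post; it checks the same registry value as the rule above plus the CcmExec service (the service name behind "SMS Agent Host"), and the either/or logic is an assumption chosen for the uninstall scenario.

```powershell
# Added example: custom detection script for the Win32 app (not from the original post).
# Intune reports the app as detected only when the script exits 0 AND writes to STDOUT.

# Open the 64-bit registry view explicitly. Intune can run detection scripts in a
# 32-bit PowerShell host, where HKLM\SOFTWARE is redirected to WOW6432Node.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry64)

$version = $null
$key = $hklm.OpenSubKey('SOFTWARE\Microsoft\SMS\Mobile Client')
if ($key) {
    $version = $key.GetValue('ProductVersion')   # same value the registry rule checks
    $key.Close()
}
$hklm.Close()

# CcmExec is the service name behind the "SMS Agent Host" display name.
$service = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue

# Assumption: treat the client as present if EITHER trace remains, so a partially
# removed client is still picked up by the Uninstall assignment.
if ($version -or $service) {
    $state = if ($service) { $service.Status } else { 'no service' }
    Write-Output "ConfigMgr client detected (ProductVersion=$version; CcmExec=$state)"
    exit 0
}

# No STDOUT plus a non-zero exit code means "not detected"; the device then
# reports the app as Not installed.
exit 1
```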

    Click Add to create the app. It takes a few minutes for the content to upload and for the app to be ready to assign to groups.

    Once the app is created, you need to create an Azure AD group that contains only Azure AD joined devices and no other devices, as per the request. Refer to this post to create the AAD group using PowerShell: http://eskonr.com/2019/10/use-powershell-to-create-azure-ad-dynamic-security-group-for-azure-ad-joined-aadj-devices-only/

    Once the group is ready, we can target the SCCM uninstall app to this group.

    Assignment type: Uninstall

    Once the assignment is done, it takes a few hours, depending on the sync policy, and then ccmsetup.exe will start uninstalling the client agent on the device.

    End user experience/status:

    At the next MDM policy sync, the device will receive this policy and uninstall the client. Read this article on how to force an MDM policy sync on Windows 10: https://oofhours.com/2019/09/28/forcing-an-mdm-sync-from-a-windows-10-client/

    Troubleshooting Intune Win32 app installation issues: https://docs.microsoft.com/en-us/intune/apps/troubleshoot-app-install

    On the device, ccmsetup.log, located at C:\windows\ccmsetup\logs, has the following information about the client uninstallation.

    [Screenshot: ccmsetup.log showing the client uninstallation]

    When the SCCM agent is removed from the device, you will see the device names with the status Not installed, which means the SCCM agent has been removed or these devices do not currently have the SCCM agent.

    The snapshot below shows the uninstall status (29 uninstalled).

    [Screenshot: app uninstall status]

    Hope you find this useful!
