This week is all about deploying the ConfigMgr client via Microsoft Intune. Like last week, this is also a nice addition in combination with Windows AutoPilot. The idea is to install the ConfigMgr client next to the MDM agent and to create a co-management scenario. The main use case to do something like this is when an organization is making the transition from traditional management to modern management. In that scenario the organization can use co-management to make a phased move to the cloud. For example, use ConfigMgr for patch management and use Microsoft Intune for configurations and compliance. In this post I’ll provide a short introduction to co-management, followed by the prerequisites for the ConfigMgr client installation and the end result.
Starting with Configuration Manager, version 1710, co-management enables organizations to concurrently manage Windows 10, version 1709, devices by using both Configuration Manager and Microsoft Intune. There are two main paths to reach to co-management:
- Configuration Manager provisioned co-management where Windows 10 devices managed by Configuration Manager and hybrid Azure AD joined get enrolled into Microsoft Intune;
- Microsoft Intune provisioned devices that are enrolled in Microsoft Intune and then installed the Configuration Manager client to reach a co-management state (focus of this post).
I can continue with a long story about co-management and the capabilities that it provides, or how co-management is the bridge between traditional management and modern management, but the following picture shows close to all of that.
Note: Picture is coming from this co-management overview article.
Now let’s start by having a look at the prerequisites that must be in place to enable the second path to co-management, which is deploying the ConfigMgr client to Microsoft Intune enrolled devices. The following technical prerequisites must be in place:
- MDM authority set to Microsoft Intune;
- Device is Azure AD joined;
- Windows 10, version 1709 or later;
- Configuration Manager, version 1710 or later;
- Cloud Management Gateway (CMG);
- Cloud Distribution Point (CDP);
- Co-management enabled;
- Management Point (MP) set to HTTPS;
- Synchronization of Azure AD users enabled;
Let’s continue by having a look a the configuration. I’ve divided the configuration in three steps. The first step is to get the required command line, the second step is to explain the command line (and add some additional parameters) and the third step is to actually deploy the ConfigMgr client.
Step 1: Get the command line
The first step is to get the required command line. The following three steps walk through the easiest method to get the required command line.
Step 2: Explain the parameters
The second step is to look at the command line and to explain the parameters that are used. The following parameters are used in the command line.
- /mp: The download source, which can be set to CMG, to bootstrap from internet;
- CCMHOSTNAME: The name of the Internet management point, which can be set to CMG;
- SMSSiteCode: The site code of the Configuration Manager site;
- SMSMP: The name of the lookup management point (can be on the intranet);
- AADTENANTID: The ID of the connected Azure AD tenant;
- AADCLIENTAPPID: The ID of the client app in Azure AD;
- AADRESOURCEURI: The URI of the server app in Azure AD;
- SMSPublicRootKey: Specifies the Configuration Manager trusted root key.
Note: As I’m using certificates from my internal PKI-environment, and I’ve not published my CRL on the Internet, I also needed to use the following parameters.
- /nocrlcheck: The client should not check the certificate revocation list;
- CCMHTTPSSTATE: Specify 31 to prevent certificate revocation list check.
Step 3: Deploy the ConfigMgr client
The third step is to actually deploy the ConfigMgr client via Microsoft Intune. Simply follow the next three steps and assign the created app to a group.
|Open the Azure portal and navigate to Intune > Mobile apps > Apps;
|On the Mobile apps – Apps blade, click Add to open the Add app blade;
On the Add app blade, provide the following information and click Add;
Note: ccmsetup.msi is available at %ProgramFiles%\Microsoft Configuration Manager\bin\i386 on the primary site server.
Note: As I’m using certificates from my internal PKI-environment, I also needed to deploy the root certificate of my environment to the Trusted Root Certification Authorities store of the devices. That could be easily achieved by using a Device configuration profile and using the Trusted certificate profile type option.
Now let’s end this post by looking at the end result. The first place to look, after the ConfigMgr client installation, is Microsoft Intune. Below is an overview of my Azure AD joined devices that are managed by MDM and ConfigMgr. By looking at the compliance state, it’s clear that my workload for compliance policies is set to Intune.
The second place to look, after the ConfigMgr client installation, is the Configuration Manager console. Below is an overview of the same devices from a ConfigMgr perspective. By looking at the device online information, it’s clear that those devices are connecting over the Internet via CMG.
For more information about deploying the ConfigMgr client via Microsoft Intune, please refer to the following articles.
- Plan for the cloud management gateway in Configuration Manager: https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-cloud-management-gateway
For more information about the installation of the prerequisites (CMG, CDP, Co-management) there are some nice step-by-step guides available, see