Deploy the SCCM Client using Microsoft Intune and the Cloud Management Gateway (CMG without PKI certificates)


Last week I blogged about how to get properly started with Windows AutoPilot. This week I’m continuing on the topic, and going into details on how you can deploy the SCCM (System Center Configuration Manager) client as a part of the Windows AutoPilot enrollment and thus achieve Co-management with SCCM and Microsoft Intune.

I have previously blogged a lot about Co-management. Focus here has been enrolling devices already managed by SCCM into Intune MDM.

This post is the opposite. This time we are deploying a device through Windows AutoPilot, enrolling it into Microsoft Intune and then deploying the SCCM client through the Cloud Management Gateway. Sounds interesting? Read on 🙂

  • Find all my Co-management posts here:
    • My post about setting up the Cloud Management Gateway without PKI certificates is especially of interest if pursuing Co-management

Installing the SCCM Client

Today and at the time of writing, we have two methods in Microsoft Intune that enables us to deploy the SCCM client. We have the ability to use the new Win32 app deployment capability as well as create a SCCM client boot strap using a line of business app. In this post I will walk through my preferred option and ultimately explain why this is my preferred option.

Win32 App Deployment

  • In order for you to deploy Win32 apps using Microsoft Intune, you will need to download the Intune App32 Packaging Tool:
  • Copy down the SCCM client locally (the entire folder from the SCCM site server: \\YourSiteServer\SMS_SiteCode\Client)
    • In my example, I copied the Client folder down locally to C:\Temp
  • Run the App32 Packaging Tool. See below two illustration of the exact process:

  • Take notice of the newly created file ccmsetup.intunewin
  • Open up your favorite browser and head into the Microsoft 365 Device Management portal:
  • Browse your way into Client apps -> Apps and Click Add

  • Select Windows app (Win32) preview from the drop down menu

  • Browse to the ccmsetup.intunewin created by the packaging tool earlier. See below.

  • Next, a quick peak into the SCCM console, where you will find the install command needed in the following step. In the Administration work space-> in the Cloud Services node and Co-management menu. Copy out the command line

  • On the Program blade, fill out the Install command and Uninstall command
  • Install command will be ccmsetup.exe followed by your command line from the Cloud Management Gateway (without CCMSETUPCMD=)
  • Uninstall command: ccmsetup.exe /uninstall

  • Configure the Detection rule. I went with the MSI product code for the SCCM client. Use whatever suit your needs.


For this scenario, I have a Dynamic group in Azure consisting of all my Windows AutoPilot devices. You can create similar group with following dynamic membership rule: (device.devicePhysicalIDs -any _ -contains “[ZTDId]”)

  • Assign it to the group. I’m going with a Required assignment, which will result in an automatic installation on all Windows AutoPilot devices

Final notes

To sum up: The order in how to eventually reach Co-management through Windows AutoPilot is essentially this: Windows AutoPilot -> Azure AD Join -> Intune MDM Enrollment -> SCCM Client installation from the Cloud Management Gateway.

Now, when having the Cloud Management Gateway (CMG) configured without PKI, the trust and authentication happens through Azure. This essentially means that assigning the SCCM client to the device and thus allow the SCCM client to potentially install before the user has logged on, might result in an initial failure. This happens because a part of the authentication lies in the logged on user being an Azure identity. To completely avoid this, the SCCM client installation can be assigned to the user instead.

The alternative to using the new preview feature Win32 application deployment, is to use ConfigMgr Client Setup Bootstrap as a line of business (LOB) app. If you choose to use a LOB, do note that the Enrollment Status Page might keep the user at the AutoPilot deployment screen, while the SCCM client tries to be installed in the background. For reasons mentioned above, this is not desirable in this scenario.

Enjoy 🙂

9 thoughts on “Deploy the SCCM Client using Microsoft Intune and the Cloud Management Gateway (CMG without PKI certificates)”

  1. Hi,

    When I try this method it always comes back as failed, even though the client eventually appears. Is this still the best way to deploy the ConfigMgr client?


  2. Hi Martin,

    Would you know if any update has been done on the ConfigMgr topic since you posted that article ?
    I am trying to have ConfigMgr Client installed during Autopilot and most of the time it will switch the workload to MECM and break the autopilot installation.

    Thanks , Maya

    • Hm, are you assigning the CM client to the device or user? I’ve seen a lot issues occurring when the assignment is done to the device.

    • Start-Transcript -Path “C:\Windows\Logs\CcmSetup.msi.ps1.log”
      Write-Host (Get-Date)
      #region Install
      Start-Process msiexec -Wait -ArgumentList ‘/i ccmsetup.msi /q CCMSETUPCMD=”CCMHOSTNAME=CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/ SMSSiteCode=P01 AADTENANTID=11111111-1111-1111-1111-111111111111 AADCLIENTAPPID=22222222-2222-2222-2222-222222222222 AADRESOURCEURI=https://ConfigMgr /nocrlcheck”‘

      Do {timeout 10} While ((Get-Service -Name ccmsetup -ErrorAction SilentlyContinue) -ne $null)
      Write-Host (Get-Date)
      timeout 10
      #endregion install

      #region Parselogs
      #Filter the log to get only exit entries
      $string = “CcmSetup is exiting with return code ”

      #Get the log content
      $log = get-content “C:\Windows\ccmsetup\Logs\ccmsetup.log” | select-string $string

      #Select last entry
      $exitlog = $log.Item(($log.Count)-1)

      #split to extract the exit code
      $split = (($exitlog -split “]”).Item(0)).split(” “)
      $ccmsetup_exitcode = $split.item(($split.Count)-1)
      #endregion parselogs

      #region stopccmexec
      # Stop CcmExec to prevent conflict between Intune and SCCM Deployments
      Write-Host (Get-Date)
      if (($ccmsetup_exitcode -eq “0”) -or ($ccmsetup_exitcode -eq “7”))
      stop-Service -Name CcmExec -Verbose
      #move workloads to Intune
      reg add HKLM\SOFTWARE\Microsoft\CCM /v CoManagementFlags /t REG_QWORD /f /d 255
      $ErrorActionPreference = “SilentlyContinue”
      $arguments = @(
      ‘Do {timeout 60} While ((Get-Process -Name WWAHost).Responding -eq $true) Start-Service -Name CcmExec -verbose; Timeout 240; Invoke-WMIMethod -ComputerName $env:computername -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule “{00000000-0000-0000-0000-000000000021}”; timeout 1200; reg add HKLM\SOFTWARE\Microsoft\CCM /v CoManagementFlags /t REG_QWORD /f /d 255 >> C:\Windows\Logs\CcmSetup.msi.ps1.log’)
      # Restart CCMExec Once the ESP has ended
      $ErrorActionPreference = “Continue”
      Start-Process -FilePath “c:\windows\sysnative\windowspowershell\v1.0\powershell.exe” -ArgumentList $arguments
      #endregion stopccmexec

      Write-Host $ccmsetup_exitcode
      Write-Host (Get-Date)

      exit $ccmsetup_exitcode

      this will help


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.