How to deploy CM Client to Windows 365 Cloud PC Entra ID Joined (no CMG) devices “without Cloud Management Gateway”?
If you’re here it means you’re tracking the main deck for Windows 365 Cloud PC Healthcare Series
This article is directly associated with Management Design options for Windows 365 Cloud PC (Intune & Co-Management) but solely focused on Windows 365 Cloud PC Architecture Design Provisioning OPTION 2 (Cloud PC Entra ID Joined + hosted in Customer Azure Network).
OPTION 2 covers the Windows 365 hosting design for Cloud PCs and the recommended way to manage the device, which is through Microsoft Intune, your single pane of glass for all your device management needs.
But what if your MCM (Microsoft Configuration Manager) "aka SCCM" PC management solution is well developed and there is a need to keep leveraging it to manage Entra ID Joined Cloud PCs?
Many of our HLS customers leverage Microsoft Configuration Manager as their PC management solution, with extensive investment in application delivery, device restrictions, PS scripts, reporting, etc. We often receive requests on "how can we manage Windows 365 Cloud PC Entra ID Joined with MCM servers, do we need a Cloud Management Gateway (CMG)?"
“Entra ID Joined devices are considered internet-based devices because they don’t have a direct connection to an on-premises environment. CMG is leveraged to deliver that PC management needs from MCM servers to manage the Entra ID Joined devices, this gives line-of-sight to MCM on-prem environment” … You can read here for more information.
Tutorial - Enable co-management for internet devices - Configuration Manager | Microsoft Docs
Luckily, OPTION 2 has its benefits!
You could deploy CM clients to Windows 365 Cloud PC Entra ID Joined by MCM servers “without a Cloud Management Gateway (CMG)” by leveraging the existing Windows 365 ANC connector (Azure Network Connection) that could be tailored to give line-of-sight to your on-premises MCM environment.
Let’s dive in!
Deploy CM Client to Windows 365 Cloud PC Entra ID Joined (no CMG)
In this scenario we will deploy the CM client to a Windows 365 Cloud PC Entra ID Joined, without a CMG (Cloud Management Gateway)
- CMG is typically required for Entra ID Joined Windows devices outside the network to push the CM client from SCCM
- “OPTION 2” (Cloud PC Entra ID Joined + hosted in Customer Azure Network) can leverage the ANC connector
- ANC connector can be tailored to give line-of-sight to the on-premises environment (including DCs and SCCM servers)
- With this option we can push the CM client from Intune without CMG
Available guidance!
Scoping the Entra ID Joined Cloud PCs through Microsoft Configuration Manager "aka SCCM" is not a simple task. If you're looking for documentation on how to achieve that, we have created this blog as technical guidance for our HLS customers with existing (MCM) environments to help Deploy Co-Management Collections for Windows 365 Cloud PC, enjoy!
Choose the Deployment Design
There are multiple ways to deploy the CM client to a Windows 365 Cloud PC. Following scenario OPTION 2, we'll focus on three options to deliver the application to the Cloud PC device.
CLOUD: Deploy the CM client with Cloud Co-Management policy
CLOUD delivers a simplified flow for the application
CLOUD deploys the CM client application directly from the cloud
CLOUD takes away the additional effort of building, maintaining and deploying a LOB or Win32 application
You can define the application installation using "command-line arguments"
If you want to learn more about this, click Cloud Co-Management Authority policy
LOB: Deploy the CM client as a LOB app
LOB delivers a standard flow for the application
LOB is limited to the number of controls it has over the application
You can define the application installation using "command-line arguments"
Win32: Deploy the CM client as a Win32 app
Win32 gives you more control of the application (install and uninstall)
You can add Return codes for a troubleshooting event
You can add Requirements for OS architecture
You can have Dependencies or Supersedence rules
You can have Detection Rules (custom or based on the MSI file)
Any of the three approaches is suitable; align the choice with your business use case (you only need to select one approach!).
Build the Cloud PC Subnet Boundaries
1. First, we need to capture the Cloud PC Subnet address
Azure Portal (https://portal.azure.com) > “Cloud PC” Virtual Network > “Cloud PC” Subnet
2. Now we go to MCM server to configure the Cloud PC subnet boundaries
Administration > Boundaries > Add the Cloud PC Subnet (e.g., in my lab it is 10.0.4.0)
Deploy the CM client with CLOUD
1. Intune Cloud Co-Management Authority policy
From Intune console https://intune.microsoft.com/ > Devices | Windows > Enrollment > Co-Management policy > Create
Let's briefly discuss the available parameters/switches within the policy, what they do and how you should configure them.
In Autopilot when you deploy the CM client a registry key gets added to the Autopilot computer:
“HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server”
Where the values represent the Source of MDM Authority of the device
Intune: 1
Configuration Manager: 2
With Cloud Co-Management policy you can deploy a CM client for a Windows 365 Cloud PC device and use these values to target the Source of MDM Authority:
If you leave the “Advanced” configuration to “NO” the value is set to 2.
If you move the “Advanced” configuration to “YES” the value never changes because it was already set to 1 by default.
Depending on your environment (whether or not you have a CMG) you'll have to define the installation "command-line arguments" parameters accordingly. Here's an example:
Without CMG (you need ANC connection for line-of-sight of MCM environment):
CCMSETUPCMD="/mp:mecm.contoso.com SMSSITECODE=MEC SMSMP=mecm.contoso.com DNSSUFFIX=contoso.com"
/mp <<<this is the FQDN of your SCCM management point (your SCCM server)>>>
SMSSITECODE <<<this is the SITE CODE of your SCCM site, it's 3 letters>>>
SMSMP <<<this is the FQDN of your SCCM management point (your SCCM server)>>>
DNSSUFFIX <<<this is your local DOMAIN name>>>
With CMG:
CCMSETUPCMD="CCMHOSTNAME=mecm.contoso.com/CCM_Proxy_MutualAuth72039348756593736448 SMSSITECODE=MEC"
Assign your device group (e.g., Cloud PCs that you want them to become Co-Managed) and Create policy.
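Because the no-CMG path depends entirely on the ANC giving the Cloud PC line-of-sight to the management point, it pays to verify that from a provisioned Cloud PC before assigning the Co-Management policy. The following PowerShell script is an added example (not from the original post) that checks DNS resolution of the MP, TCP reachability on 80/443, whether the Cloud PC's IP falls inside the boundary subnet and whether the DNS suffix is configured; it reuses the post's lab values (mecm.contoso.com, contoso.com, 10.0.4.0) and assumes the boundary subnet is a /24.

```powershell
# Added example: pre-flight line-of-sight check, run ON the Cloud PC before assigning
# the Co-Management policy. Not part of the original post; lab values from the post,
# the /24 prefix length is an assumption.
param(
    [string]$ManagementPoint = 'mecm.contoso.com',   # /mp and SMSMP from the post
    [string]$DnsSuffix       = 'contoso.com',        # DNSSUFFIX from the post
    [string]$BoundarySubnet  = '10.0.4.0',           # Cloud PC subnet from the post
    [int]   $PrefixLength    = 24                    # assumption: lab subnet is a /24
)

# Convert a dotted IPv4 string to a big-endian uint32 so we can mask it.
function ConvertTo-UInt32([string]$Ip) {
    $bytes = ([ipaddress]$Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

# True when $Ip is inside $Network/$Prefix (same masked network bits).
function Test-InSubnet([string]$Ip, [string]$Network, [int]$Prefix) {
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - $Prefix)) -band 0xFFFFFFFF)
    return (((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $Network) -band $mask))
}

$results = [ordered]@{}

# 1. Can the MP FQDN be resolved? The ANC must hand out DNS servers that know this zone.
$results['MpResolves'] = [bool](Resolve-DnsName -Name $ManagementPoint -ErrorAction SilentlyContinue)

# 2. Is the MP reachable on the client ports (policy/content over the ANC)? NSG or
#    firewall rules between the Cloud PC subnet and on-prem usually break this one.
foreach ($port in 80, 443) {
    $results["MpTcp$port"] = (Test-NetConnection -ComputerName $ManagementPoint -Port $port `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

# 3. Is this Cloud PC inside the boundary added under Administration > Boundaries?
#    If not, the client will not find a site assignment even when the MP is reachable.
$ip = (Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object { $_.IPAddress -notlike '127.*' -and $_.PrefixOrigin -ne 'WellKnown' } |
       Select-Object -First 1).IPAddress
$results['CloudPcIp']  = $ip
$results['InBoundary'] = Test-InSubnet -Ip $ip -Network $BoundarySubnet -Prefix $PrefixLength

# 4. Entra ID Joined devices have no domain suffix by default; DNSSUFFIX in the
#    command line covers the client, this shows whether the OS already has it too.
$results['SuffixInSearchList'] = ((Get-DnsClientGlobalSetting).SuffixSearchList -contains $DnsSuffix)

[pscustomobject]$results
```

Any False in the output (other than SuffixInSearchList, which the DNSSUFFIX property compensates for) should be fixed on the ANC, DNS or boundary side before the policy is assigned; otherwise ccmsetup will install but the client will never get a site assignment.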
Deploy the CM client as a LOB app
1. Intune LOB App
From Intune console https://intune.microsoft.com/ > Apps > Windows > Add a LOB app
Select the MSI file for CM client
App information named "Win10 - CM Client (MECM) LOB"
Command-line arguments
INSTALL command:
CCMSETUPCMD="/mp:mecm.contoso.com SMSSITECODE=MEC SMSMP=mecm.contoso.com DNSSUFFIX=contoso.com"
/mp <<<this is the FQDN of your SCCM management point (your SCCM server)>>>
SMSSITECODE <<<this is the SITE CODE of your SCCM site, it's 3 letters>>>
SMSMP <<<this is the FQDN of your SCCM management point (your SCCM server)>>>
DNSSUFFIX <<<this is your local DOMAIN name>>>
Assign and Create the LOB app to the Cloud PC device group where the CM client will be installed
Note: you should assign it AFTER the Cloud PC has completed provisioning
Deploy the CM client as a Win32 app
1. Intune WIM file
Create a directory where you will package the script as an Intune WIM file
DIRECTORY = "C:\Users\jsifuentes\Downloads\IntuneWIMApps\Apps\CM Client"
Create two folders Source and Target
SOURCE = "C:\Users\jsifuentes\Downloads\IntuneWIMApps\Apps\CM Client\Source"
TARGET = "C:\Users\jsifuentes\Downloads\IntuneWIMApps\Apps\CM Client\Target"
Copy the CM Client MSI application to the Source folder from the SCCM server
PATH "C:\Program Files\Microsoft Configuration Manager\bin\i386\ccmsetup.msi"
APPLICATION = "ccmsetup.msi"
Create a folder for the IntuneWinAppUtil tool
TOOLS = "C:\Users\jsifuentes\Downloads\IntuneWIMApps\Tools"
Download IntuneWinAppUtil and copy to the Tools folder
From the folder run Terminal and execute the IntuneWinAppUtil tool
Follow the prompts to copy the SOURCE, APPLICATION and TARGET
The new Intune WIM file will be created
2. Intune Win32 app
From Intune console https://intune.microsoft.com/ > Apps > Windows > Add a Win32 App
Select the WIM file we created
App information named "Win10 - CM Client (MECM)"
Program details
INSTALL command:
msiexec /i "ccmsetup.msi" /q CCMSETUPCMD="/mp:mecm.contoso.com SMSSITECODE=MEC SMSMP=mecm.contoso.com DNSSUFFIX=contoso.com"
UNINSTALL command:
msiexec /x "{CDF935DE-3234-4472-BE04-9CC468EC5E0D}" /q
/mp <<<this is the FQDN of your SCCM management point (your SCCM server)>>>
SMSSITECODE <<<this is the SITE CODE of your SCCM site, it's 3 letters>>>
SMSMP <<<this is the FQDN of your SCCM management point (your SCCM server)>>>
DNSSUFFIX <<<this is your local DOMAIN name>>>
Detection Rules
Option1:
Use the existing MSI rule that gets automatically populated from the MSI client package
MSI product code = {CDF935DE-3234-4472-BE04-9CC468EC5E0D}
Option2:
Create a detection PS script and save the file as "CMclientDetectionScript.ps1":
Get-WmiObject Win32_Product | Where-Object {$_.Name -eq "Configuration Manager Client"}
Save the PS script to the folder SOURCE
Upload the PS script to Intune Detection rule, keep the defaults
Option3:
Create a detection path to validate if the CM client was previously installed
PATH = C:\Windows\ccmsetup
FILE = ccmsetup.exe
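Intune counts a custom detection script as "installed" only when it exits 0 and writes something to STDOUT. The Option 2 script above does that, but enumerating Win32_Product is slow and triggers an MSI consistency check for every installed product on each evaluation. The following detection script is an added example (not from the original post) that checks the client's own WMI namespace and the CcmExec service instead, and also reports the ccmsetup.exe path used in Option 3; the root\ccm namespace, SMS_Client class and CcmExec service name are the real CM client objects, everything else is constructed for the example.

```powershell
# Added example: Intune Win32 custom detection script for the CM client
# (not part of the original post). Detected = exit 0 + output on STDOUT.
$installed = $false
$detail    = @()

# 1. Once installed, the CM client exposes root\ccm:SMS_Client with ClientVersion set.
try {
    $client = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction Stop
    if ($client.ClientVersion) {
        $installed = $true
        $detail   += "ClientVersion=$($client.ClientVersion)"
    }
} catch {
    $detail += 'root\ccm namespace not present'
}

# 2. The CcmExec service must exist; a namespace without the service means a broken
#    install, so treat that as not installed so Intune retries the deployment.
$svc = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
if ($svc) {
    $detail += "CcmExec=$($svc.Status)"
} else {
    $installed = $false
    $detail   += 'CcmExec service missing'
}

# 3. Bootstrapper path from the post's Option 3. Reported only: its presence proves
#    ccmsetup ran at some point, not that the client is healthy.
$bootstrap = Join-Path $env:SystemRoot 'ccmsetup\ccmsetup.exe'
$detail += "ccmsetup.exe=$(Test-Path $bootstrap)"

if ($installed) {
    # STDOUT + exit 0 tells Intune the app is present; the text lands in the Intune log.
    Write-Output ('Detected: ' + ($detail -join '; '))
    exit 0
}

# Nothing on STDOUT and a non-zero exit tells Intune the app is absent;
# keep the diagnostics on STDERR so the detection result is not affected.
[Console]::Error.WriteLine('Not detected: ' + ($detail -join '; '))
exit 1
```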
Assign and create the Win32 app to the Cloud PC device group where the CM client will be installed
Note: you should assign it AFTER the Cloud PC has completed provisioning
Logs
Important logs location under the Cloud PC device to help troubleshoot
C:\Windows\CCMsetup\Logs
C:\Windows\CCM\Logs\ClientLocation.log
C:\Windows\CCM\Logs\LocationServices.log
Discover CM Client manual installs
Regardless of the OPTION you choose to deploy the CM Client (e.g., Cloud, LOB, Win32), the MCM server won't automatically approve the CM client installation; you'll have to approve it manually (create a collection "Not Approved" to make the devices easier to find).
1. Create a Collection “Not Approved”
To help find the Entra ID Joined CPCs after you install the CM client
Assets and Compliance > Device Collections > create collection named "Not Approved" > Limit collection to "All Systems"
Create query for "Look up Not Approved clients" > Edit query > Show query language:
select SYSTEM.ResourceID, SYSTEM.ResourceType, SYSTEM.Name, SYSTEM.SMSUniqueIdentifier, SYSTEM.ResourceDomainORWorkgroup, SYSTEM.Client
from SMS_R_System as system
join SMS_FullCollectionMembership as collection on system.ResourceID = collection.ResourceID
where collection.IsApproved = 0
<<<collection.IsApproved = 0: the value 0 represents all computers where the CM client has not been approved yet>>>
Add columns "Approved" and "Domain" to help identify them
2. Approve the CM client
The CM client will be missing some of the MCM configuration actions until you approve the installation
After approval, the device will pick up the missing actions from the MCM server
From Microsoft Intune portal, the device will change from (Intune) to (Co-Managed)
Now you will notice the Co-Management workloads are enabled for the Co-Managed Entra ID Joined Cloud PC device
Resources
If you want to learn more about deploying the CM client based on different business scenarios to allow the MCM (Microsoft Configuration Manager) “aka SCCM” server to manage Entra ID Windows devices (Hybrid Domain Joined or Entra ID Joined), please see the articles below.
Cloud connecting with co-management - Configuration Manager | Microsoft Learn
Deploy clients to Windows - Configuration Manager | Microsoft Docs
Client installation parameters and properties - Configuration Manager | Microsoft Docs
Bookmark: Windows 365 Cloud PC Healthcare Series (aka.ms/W365HealthcareBlog)
Thank you for stopping by; Juan Sifuentes | CETS | Healthcare.