Blog Post

Healthcare and Life Sciences Blog
8 MIN READ

Deploy CM Client to Windows 365 Cloud PC Entra ID Joined (no CMG)

Juan_Sifuentes's avatar
Mar 15, 2022

How to deploy CM Client to Windows 365 Cloud PC Entra ID Joined (no CMG) devices “without Cloud Management Gateway”?

If you’re here it means you’re tracking the main deck for Windows 365 Cloud PC Healthcare Series

 

This article is directly associated with Management Design options for Windows 365 Cloud PC (Intune & Co-Management) but solely focused on Windows 365 Cloud PC Architecture Design Provisioning OPTION 2 (Cloud PC Entra ID Joined + hosted in Customer Azure Network).

OPTION 2 teach us about Windows 365 provisioning hosting design option for Cloud PCs and recommendations aligned for management of the device, primarily recommended to leverage Intune through Microsoft Intune, your single-pane-of-glass for all your device management needs.

But, what if your MCM (Microsoft Configuration Management) server “aka SCCM” PC management solution is well developed and there’s a need to continue to leverage the solution to manage Entra ID Joined Cloud PCs?

Many of our HLS customers leverage Microsoft Configuration Manager as a PC management solution, with wider development on application delivery, device restrictions, PS scripts, reporting, etc... We often receive requests on “how can we manage Windows 365 Cloud PC Entra ID Joined with MCM servers, do we need a Cloud Management Gateway (CMG)?

“Entra ID Joined devices are considered internet-based devices because they don’t have a direct connection to an on-premises environment. CMG is leveraged to deliver that PC management needs from MCM servers to manage the Entra ID Joined devices, this gives line-of-sight to MCM on-prem environment” … You can read here for more information.
Tutorial - Enable co-management for internet devices - Configuration Manager | Microsoft Docs

 

Luckily, OPTION 2 has it benefits!

You could deploy CM clients to Windows 365 Cloud PC Entra ID Joined by MCM servers “without a Cloud Management Gateway (CMG)” by leveraging the existing Windows 365 ANC connector (Azure Network Connection) that could be tailored to give line-of-sight to your on-premises MCM environment.

Let’s dive in!

 

Deploy CM Client to Windows 365 Cloud PC Entra ID Joined (no CMG)

In this scenario we will deploy the CM client to a Windows 365 Cloud PC Entra ID Joined, without a CMG (Cloud Management Gateway)

  • CMG is typically required for Entra ID Joined windows devices outside the network to push the CM client from SCCM
  • OPTION 2 (Cloud PC Entra ID Joined + hosted in Customer Azure Network) can leverage the ANC connector
  • ANC connector can be tailored to give line-of-sight to the on-premises environment (including DCs and SCCM servers)
  • With this option we can push the CM client from Intune without CMG

Available guidance!

Scoping the Entra ID Joined Cloud PCs through Microsoft Configuration Manager "aka SCCM" is not a simple task, if you’re looking for documentation on how to achieve that, we have created this blog as a technical guidance for our HLS customers with existing (MCM) environments to help Deploy Co-Management Collections for Windows 365 Cloud PC, enjoy!

 

Choose the Deployment Design

There are multiple ways to deploy the CM client to a Windows 365 Cloud PC, following scenario OPTION 2 we'll focus on three options to deliver the application to the Cloud PC device.

CLOUD: Deploy the CM client with Cloud Co-Management policy

CLOUD delivers a simplified flow for the application

CLOUD deploys the CM client application directly from the cloud

CLOUD takes away the additional effort of build, maintain and deploy a LOB or WIN32 application

You can define the application installation using "command-line arguments"

If you want to learn more about this, click Cloud Co-Management Authority policy

LOB: Deploy the CM client as a LOB app

LOB delivers a standard flow for the application

LOB is limited to the number of controls it has over the application

You can define the application installation using "command-line arguments"

Win32: Deploy the CM client as a Win32 app

Win32 gives you more control of the application (install and uninstall)

You can add Return codes for a troubleshooting event

You can add Requirements for OS architecture

You can have Dependencies or Supersedence rules

You can have Detection Rules (custom and based of the MSI file)

Either approach is very much suitable to be aligned within your business use case (you only need to select one approach!).

 

Build the Cloud PC Subnet Boundaries

1. First, we need to capture the Cloud PC Subnet address

Azure Portal (https://portal.azure.com) > “Cloud PC” Virtual Network > “Cloud PC” Subnet

 

2. Now we go to MCM server to configure the Cloud PC subnet boundaries

Administration > Boundaries > Add the Cloud PC Subnet (e.g., based on my lab is 10.0.4.0)

 

Deploy the CM client with CLOUD

1. Intune Cloud Co-Management Authority policy

From Intune console https://intune.microsoft.com/ > Devices | Windows > Enrollment > Co-Management policy > Create

Let’s briefly discuss the available parameters/switches within the policy on what they do and how you should configure.

In Autopilot when you deploy the CM client a registry key gets added to the Autopilot computer:

“HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server”

Where the values represent the Source of MDM Authority of the device

Intune: 1

Configuration Manager: 2

With Cloud Co-Management policy you can deploy a CM client for a Windows 365 Cloud PC device and use these values to target the Source of MDM Authority:

If you leave the “Advanced” configuration to “NO” the value is set to 2.

If you move the “Advanced” configuration to “YES” the value never changes because it was already set to 1 by default.

 

Depending on your environment (if you have or not a CMG) you’ll have to define the installation “command-line arguments” parameters accordantly. Here’s an example:

Without CMG (you need ANC connection for line-of-sight of MCM environment):

CCMSETUPCMD="/mp:mecm.contoso.com SMSSITECODE=MEC SMSMP=mecm.contoso.com DNSSUFFIX=contoso.com"

/mp <<<this is the FQDN of your SCCM server>>>

/SMSSITECODE <<<this is the SITE CODE of your SCCM server, it's 3 letters>>>

/SMSMP <<<this is the FQDN of your SCCM server>>>

/DNSSUFFIX <<<this is your local DOMAIN name>>>

 

With CMG:

CCMSETUPCMD="CCMHOSTNAME=mecm.contoso.com/CCM_Proxy_MutualAuth72039348756593736448 SMSSITECODE=MEC"

 

 

Assign your device group (e.g., Cloud PCs that you want them to become Co-Managed) and Create policy.

 

Deploy the CM client as a LOB app

1. Intune LOB App

From Intune console https://intune.microsoft.com/ > Apps > Windows > Add a LOB app

 

Select the MSI file for CM client

 

App information named "Win10 - CM Client (MECM) LOB"

 

Command-line arguments

INSTALL command: 

CCMSETUPCMD="/mp:mecm.contoso.com SMSSITECODE=MEC SMSMP=mecm.contoso.com DNSSUFFIX=contoso.com"

/mp <<<this is the FQDN of your SCCM server>>>

/SMSSITECODE <<<this is the SITE CODE of your SCCM server, it's 3 letters>>>

/SMSMP <<<this is the FQDN of your SCCM server>>>

/DNSSUFFIX <<<this is your local DOMAIN name>>>

 

Assign and Create the Win32 app to the Cloud PC device group where the CM client will be installed

Note: you should assign it AFTER the Cloud PC has completed provisioning

 

Deploy the CM client as a Win32 app

1. Intune WIM file

Create a directory where you will package the script as an Intune WIM file

DIRECTORY = "C:\Users\jsifuentes\Downloads\IntuneWIMApps\Apps\CM Client"

Create two folders Source and Target

SOURCE = "C:\Users\jsifuentes\Downloads\IntuneWIMApps\Apps\CM Client\Source"

TARGET = "C:\Users\jsifuentes\Downloads\IntuneWIMApps\Apps\CM Client\Target"

Copy the CM Client MSI application to the Source folder from the SCCM server

PATH "C:\Program Files\Microsoft Configuration Manager\bin\i386\ccmsetup.msi"

APPLICATION = "ccmsetup.msi"

Create a folder for the IntuneWinAppUtil tool

TOOLS = "C:\Users\jsifuentes\Downloads\IntuneWIMApps\Tools"

Download IntuneWinAppUtil and copy to the Tools folder

From the folder run Terminal and execute the IntuneWinAppUtil tool

Follow the prompts to copy the SOURCE, APPLICATION and TARGET

The new Intune WIM file will be created

 

2. Intune Win32 app

From Intune console https://intune.microsoft.com/ > Apps > Windows > Add a Win32 App

 

Select the WIM file we created

 

App information named "Win10 - CM Client (MECM)"

 

Program details

INSTALL command:

msiexec /i "ccmsetup.msi" /q CCMSETUPCMD="/mp:mecm.contoso.com SMSSITECODE=MEC SMSMP=mecm.contoso.com DNSSUFFIX=contoso.com"

 

UNINSTALL command:

msiexec /x "{CDF935DE-3234-4472-BE04-9CC468EC5E0D}" /q

/mp <<<this is the FQDN of your SCCM server>>>

/SMSSITECODE <<<this is the SITE CODE of your SCCM server, it's 3 letters>>>

/SMSMP <<<this is the FQDN of your SCCM server>>>

/DNSSUFFIX <<<this is your local DOMAIN name>>>

 

Detection Rules

Option1:

Use the existing MSI rule that gets automatically populated from the MSI client package

MSI product code = {CDF935DE-3234-4472-BE04-9CC468EC5E0D}

 

Option2:

Create a detection PS script and save the file as "CMclientDetectionScript.ps1":

Get-WmiObject Win32_Product | Where-Object {$_.Name -eq “Configuration Manager Client”}

 

Save the PS script to the folder SOURCE

 

Upload the PS script to Intune Detection rule, keep the defaults

 

Option3:

Create a detection path to validate if the CM client was previously installed

PATH = C:\Windows\ccmsetup

FILE = ccmsetup.exe

 

Assign and create the Win32 app to the Cloud PC device group where the CM client will be installed

Note: you should assign it AFTER the Cloud PC has completed provisioning

 

Logs

Important logs location under the Cloud PC device to help troubleshoot

C:\Windows\CCMsetup\Logs

C:\Windows\CCM\Logs\ClientLocation.log

C:\Windows\CCM\Logs\LocationServices.log

 

Discover CM Client manual installs

Regardless of the OPTION you choose to deploy the CM Client (e.g., Cloud, LOB, Win32) the MCM server won't automatically approve the CM client installation, you'll have to manually approve it (create a collection "Not Approved" to make it easier to find them)

1. Create a Collection “Not Approved”

To help find the Entra ID Joined CPCs after you install the CM client

Assets and Compliance > Device Collections > create collection named "Not Approved" > Limit collection to "All Systems"

 

Create query for "Look up Not Approved clients" > Edit query > Show query language:

select SYSTEM.ResourceID,SYSTEM.ResourceType,SYSTEM.Name,SYSTEM.SMSUniqueIdentifier,SYSTEM.ResourceDomainORWorkgroup,SYSTEM.Client from SMS_R_System as system join SMS_FullCollectionMembership as collection on system.ResourceID = collection.ResourceID where collection.IsApproved=0

<<<collection.IsApproved=0 = the value 0 represents all computers where the CM client has not been approved yet>>>

 

Add columns "Approved" and "Domain" to help identify them

 

2. Approve the CM client

The CM client will be missing some of the MCM configuration actions until you approve the installation

 

After Approve, the device will pick up the missing actions from MCM server

 

From Microsoft Intune portal, the device will change from (Intune) to (Co-Managed)

 

Now you will notice the Co-Management workloads are enabled for the Co-Managed Entra ID Joined Cloud PC device

 

Resources

If you want to learn more about deploying the CM client based on different business scenarios to allow the MCM (Microsoft Configuration Manager) “aka SCCM” server to manage Entra ID Windows devices (Hybrid Domain Joined or Entra ID Joined), please see the articles below.

Cloud connecting with co-management - Configuration Manager | Microsoft Learn

Deploy clients to Windows - Configuration Manager | Microsoft Docs

Client installation parameters and properties - Configuration Manager | Microsoft Docs

 

Bookmark: Windows 365 Cloud PC Healthcare Series (aka.ms/W365HealthcareBlog)

Thank you for stopping by; Juan Sifuentes | CETS | Healthcare.

 

 

 

Updated Jan 03, 2025
Version 16.0
No CommentsBe the first to comment