Microsoft recently announced the ability to deploy the Configuration Manager client through Intune without packaging the MSI yourself. You open the Co-management Settings tile under Devices -> Enroll Devices in Intune and configure the installation parameters there (all those CCMSETUP switches).
That’s nice enough, but what’s really cool is you can include a Task Sequence Deployment ID in the installation parameters, and the Enrollment Status Page will then monitor all tasks in that sequence and ensure they install before the user arrives at the desktop.
Unfortunately, there’s a massive limitation with this: devices can only be Azure AD joined. That’s right…no Hybrid join. Now, I don’t know about your environment, but I don’t know of anyone who has transitioned to AAD-only workstations and is still managing them in ConfigMgr. If they’ve done the work to get rid of Domain Join, they’ve fully transitioned to Intune.
But I do know folks who are co-managing their workstations, have transitioned the Software Updates workload, are still doing Domain Join, and want to stop dealing with drivers and patches by eliminating OSD. There are far too many apps being deployed for Autopilot alone to finish in an acceptable timeframe, so what’s the option?
Assuming you’ve already created your Autopilot Deployment Profile, Domain Join Configuration Profile and Enrollment Status Page, and packaged the Configuration Manager client in Intune, the following process integrates a Task Sequence that performs application installation and device configuration:
Step 1: In Configuration Manager, create an empty Custom Task Sequence. Call it Autopilot Apps.
Step 2: Take a copy of your production Task Sequence, right-click it and choose Edit. Move that editor to one side of your screen, then open the Autopilot Apps sequence for editing on the other side.
Step 3: Copy every application install and device setting step listed in the production copy and paste it into the Autopilot Apps sequence. Essentially, everything that isn’t related to applying the OS, updates, drivers, or MDT. If restarts are required to install an app, include the restarts in the sequence as well.
Step 4: Deploy the task sequence, as Required, to the built-in collection called All Provisioning Devices (you should see one generic device in that collection).
Step 5: On the Deployments tab of the Task Sequence, note the Deployment ID. If the column isn’t visible, right-click the column header and add the Deployment ID column.
Step 6: Launch Edge Chromium and log into https://intune.microsoft.com.
Step 7: Navigate to Apps -> Windows -> Configuration Manager Client (or whatever it’s called in your environment).
Step 8: Edit the Command Line in the App Information section and append the following, replacing PS12002E with your Deployment ID (there’s no hyphen or slash, just a space separating it from the preceding parameters): PROVISIONTS=PS12002E
Step 9: Click Save.
Using this, the Configuration Manager client gets installed while the Enrollment Status Page is still up. Remember, at this point there is no resource record in SCCM for the device, so there isn’t a co-management workload setting controlling where apps get installed. As soon as the client is fully installed, it initiates the task sequence. In my testing, this has consistently occurred within 5 minutes of the actual client installation, and it occurs whether or not a user has logged into the device after the ESP.
Anyone familiar with Configuration Manager client installs will know that this isn’t enough time for hardware inventory to be uploaded and processed, so any steps that rely on collection variables or on policy already being present on the client will have issues.
Either way, for a device that required a large number of software installs (over 25 GB in this case), this process halved the time to reach a usable desktop compared with Intune alone.
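As an added example (not code from the original post, and not Microsoft’s), here is a small PowerShell helper set for the steps above and for checking, on a provisioned device, the behaviour described in the last few paragraphs: one function looks up the Deployment ID instead of reading it off the console column, one appends the PROVISIONTS property to an install command line, and one verifies on the device that ccmsetup received the property and that the task sequence engine actually started. It assumes the ConfigurationManager console module is installed on the admin workstation, a site code of PS1, the task sequence and collection names used above, and the default ccmsetup and client log paths; the sample command line in the usage comments is constructed, not the real app’s.

```powershell
<#
  Added example, not from the original post. Assumptions: site code PS1,
  task sequence "Autopilot Apps", built-in collection "All Provisioning Devices",
  ConfigMgr console (and its PowerShell module) installed, default log paths.
#>

function Get-ProvisionTsDeploymentId {
    # Admin workstation: returns the Deployment ID that goes into PROVISIONTS=
    param(
        [string]$SiteCode = 'PS1',                       # assumption
        [string]$TaskSequenceName = 'Autopilot Apps',
        [string]$CollectionName = 'All Provisioning Devices'
    )
    # Standard module import from an installed ConfigMgr console
    Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
    Push-Location "$($SiteCode):"
    try {
        $dep = @(Get-CMTaskSequenceDeployment -Name $TaskSequenceName -CollectionName $CollectionName)
    } finally {
        Pop-Location
    }
    if ($dep.Count -ne 1) {
        throw "Expected exactly one deployment of '$TaskSequenceName' to '$CollectionName', found $($dep.Count)"
    }
    # Step 4 says Required: a required deployment has a mandatory (assigned) schedule
    if (-not $dep[0].AssignedScheduleEnabled) {
        Write-Warning "Deployment $($dep[0].AdvertisementID) is Available, not Required; the client will not start it on its own"
    }
    $id = $dep[0].AdvertisementID   # this is the Deployment ID column in the console
    if ($id -notmatch '^[A-Z0-9]{3}[0-9A-F]{5}$') { throw "Unexpected Deployment ID format: '$id'" }
    return $id
}

function Add-ProvisionTsToCommandLine {
    # Step 8: append the MSI property with a space, not a /switch or -switch
    param(
        [Parameter(Mandatory)][string]$CommandLine,   # the Intune app's current install command line
        [Parameter(Mandatory)][string]$DeploymentId
    )
    if ($CommandLine -match '(?i)\bPROVISIONTS=') {
        throw 'Command line already carries PROVISIONTS; edit that value rather than appending a second one'
    }
    return ($CommandLine.TrimEnd() + " PROVISIONTS=$DeploymentId")
}

function Test-ProvisionTs {
    # Run elevated on the provisioned device after the ESP completes
    param([Parameter(Mandatory)][string]$DeploymentId)

    $result = [ordered]@{ DeploymentId = $DeploymentId }

    # 1. Did ccmsetup receive the property? ccmsetup.log records the install parameters.
    $setupLog = "$env:windir\ccmsetup\Logs\ccmsetup.log"
    $result.CcmsetupSawProvisionTs = (Test-Path $setupLog) -and
        [bool](Select-String -Path $setupLog -Pattern "PROVISIONTS=$DeploymentId" -SimpleMatch -Quiet)

    # 2. Is the client service installed and running?
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $result.ClientRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # 3. While a task sequence runs, the client is in provisioning mode
    #    (HKLM\SOFTWARE\Microsoft\CCM\CcmExec\ProvisioningMode = "true"); it flips
    #    back to "false" when the sequence finishes.
    $ccm = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\CCM\CcmExec' -ErrorAction SilentlyContinue
    $result.ProvisioningMode = [string]$ccm.ProvisioningMode

    # 4. Did the task sequence engine start? smsts.log only appears once it has.
    $tsLog = "$env:windir\CCM\Logs\smsts.log"
    $result.TaskSequenceStarted = Test-Path $tsLog
    if ($result.TaskSequenceStarted) {
        $result.SmstsTail = (Get-Content $tsLog -Tail 5)
    }
    return [pscustomobject]$result
}

# Usage on the admin workstation (the command line below is a constructed sample;
# paste the real one from the Intune app's App Information blade):
#   $id = Get-ProvisionTsDeploymentId
#   Add-ProvisionTsToCommandLine -CommandLine 'ccmsetup.exe /mp:cmg.example.com SMSSITECODE=PS1' -DeploymentId $id
# Usage on the device under test:
#   Test-ProvisionTs -DeploymentId 'PS12002E'
```

The device-side check is the one worth running first when a sequence “never starts”: if ccmsetup.log doesn’t contain the PROVISIONTS value, the Intune command line wasn’t saved or wasn’t re-evaluated for that device, and no amount of waiting on smsts.log will help. If it does, and ProvisioningMode stays “false” with no smsts.log after the five-minute window the post mentions, look at the deployment itself (Required, targeted at All Provisioning Devices) before anything else.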
Hello,
Just like to add that using Co-Management Settings to install the Configuration Manager Client works even in a Hybrid Azure AD + Co-Management scenario. Just select the option to “Automatically install ConfigMgr Client” and set “Override all workloads to Intune” to No in order to correctly use the Task Sequence process. It works on the intranet or on the internet with a CMG configured, and also with Pre-Provisioned Deployment.
Hi,
Just to report that Hybrid Join with Co-Management Settings configured to auto-install Configuration Manager and set a PROVISIONTS works perfectly, but it’s not supported by Microsoft. I’m currently using it to install Hybrid Azure AD Joined devices with Autopilot from anywhere on the Internet (without VPN). The device is imported to Intune, the profile is applied, then the ConfigMgr agent is installed, and then apps and configs are applied with the provisioned task sequence. After that it receives one or more Intune-only apps (Company Portal, and others) and restarts (the User phase must be disabled in the Enrollment Status Page). After the restart it’s a fully domain-joined device, just waiting for a login on your corporate network, or through VPN.