Modern Management of Internet Clients

The release of ConfigMgr Tech Preview – 1705 introduced new cloud based client management capabilities like on-boarding Azure AD users and deploying ConfigMgr client over Internet.

Common scenarios like BYOD or Un-Managed/Workgroup devices in the field can now join Azure-AD which gets enrolled into Intune & automatically pushes the ConfigMgr agent for full management.

The coolest part is the Azure-AD joined devices won't even require a client auth. certificate for HTTPS communication.


Here's a step by step accomplishing the same –

  • Configure Azure Services in ConfigMgr Console
  • Prepare Azure for Device registration
  • Cloud Management Gateway
  • ConfigMgr Client Package


  1. Configure Azure Services in ConfigMgr Console

The first step is to associate Azure AD with ConfigMgr & discover the AAD users. This piece is critical because the information will be cross-verified when the clients from Internet try to register.

Run the wizard to create a Server App & Client App

The Application Name, HomePage & Identifier URLs can be anything.

Follow the same steps to create Client Application. You can re-use the same URL used above.

Enable Azure AD Discovery.

Click OK and finish the wizard.

You can verify the Server and Client Apps created in Azure and listed in ConfigMgr console.

From Azure console select Server App [CM-ServerApp in my case], click Grant Permissions and click Yes. Although the app is already configured for Read Directory Data, this step is still necessary to activate.

Repeat the above steps for Client App [CM-ClientApp in my case]CM-ClientApp. It's important to follow this order else the discovery will fail.

In case you are wondering where to look for this info. there is a new log file for this component named - SMS_AZUREAD_DISCOVERY_AGENT.log

    ERROR: Error occurred. StatusCode = Forbidden, reason = Forbidden    SMS_AZUREAD_DISCOVERY_AGENT    [Failed]

    Total AAD Users Found: 9. Total AAD User Record Created: 9    SMS_AZUREAD_DISCOVERY_AGENT        [Success]

    Full sync completed successfully at X:XX:XX    SMS_AZUREAD_DISCOVERY_AGENT

    Successfully published UDX for Azure Active Directory users.    SMS_AZUREAD_DISCOVERY_AGENT



  1. Prepare Azure for Device registration

Allow users to join their devices to Azure AD.

Make sure, MDM authority is set to Intune.

This will allow the machine to join to Azure AD and enroll to Intune.



  1. Cloud Management Gateway

In case you haven't already configured one before, follow the step by step blog post.

Since its possible to host CMG on a HTTP-MP, an important requirement in this scenario is to ensure the MP communicating with CMG is on HTTPS mode.

Additionally, install ASP.Net 4.5


  1. ConfigMgr Client Package

Finally, it's time to deploy the client over internet. You can leverage Intune to do this job.

Intune supports deploying .msi files, we will use ccmsetup.msi with command line parameters to install the ConfigMgr agent.

From Azure console, open Intune > Mobile Apps and Add app, choose Line of business app, browse to CCMSetup.msi

The App information has the name auto populated, you can modify and add additional information.

In the Command-line box enter info as the reference table below = CCMSETUPCMD="/NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=CONTOSOCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720575XXXX SMSSiteCode=TP1 AADTENANTID=a2950cba-b6a5-4273-93b8-98e4994f33bb AADCLIENTAPPID=3f5d8103-4dc6-4c84-8b1c-b842XXX AADRESOURCEURI= AADTENANTNAME=Contoso"

Table reference for the command line switches –


Once the app is ready, go to Assignments tab to deploy against a group. The app can be Available/Required


Testing & Validation

Login to an Azure-AD joined device with your Azure AD credentials. Based on the above configuration, the ConfigMgr client will either install automatically or will be available.

In my case I left it as available and logged on to to install.

You can review the CCMSetup.log for troubleshooting. If you don't see any log and wondering if Intune even kicked off the install, you can review the MDM Event logs - Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

Here's a screenshot post a successful client registration. The device will be listed in ConfigMgr console


Troubleshooting Tips –

  • Ensure you are logged in with AAD User ID
  • Check ADALOperationProvider.log – To validate successful association of the existing AAD User with ConfigMgr onboarded in Step1.
  • Check CCMMessaging.log – To validate successful connection to gateway.
  • If you didn't use public CA for CMG, you need to ensure the Client Root Cert is added to the Trusted Root CA on client machine.


With the installed client, possibilities are endless with more improvements coming in future releases.




Arnab Mitra

Comments (10)
  1. Raymond says:

    Hi Arnab, what about a current Intune Hybrid setup? I noticed in your blog you mentioned the MDM authority as Intune, but with the hybrid setup it obviously is not intune but ConfigMgr.

    1. Hi Ray, the statement for MDM Intune authority is for the reason i found machines cannot enroll to Intune without setting up an authority which is none for a fresh subscription.
      It shouldn’t matter for Hybrid scenario’s as long as the machine is able to enroll itself, but something i haven’t tried.

      1. Raymond says:

        Excellent news Arnab, we were actually aiming at designing what the preview feature is going to offer in hopefully the next ConfigMgr release (1708?).

        1. Very likely 1706 around July time frame.

  2. Alan Dooley says:

    So, the idea of this is to automatically enroll AAD clients into CM via Intune. After this would you still use any of the InTune functionality for these devices are manage purely by CM? With two different tools overlapping in capabilities I wonder what the best approach will be.

    1. Yes, once you have the ConfigMgr agent, its available for full management. I’d say use the best of both worlds!. I haven’t tested all scenarios 🙂

      1. Jimmy says:

        Hi Arnab,

        Once the ConfigMgr agent is installed via Intune, is the device automatically unenrolled from Intune? I’m trying to confirm if the best of both world scenario is valid? e.g. a device enrolled into Intune AND managed with ConfigMgr. I hear often that this isn’t possible.

        1. Hi Jimmy, its not possible to have both the Intune & ConfigMgr agent on the same machine. This scenario leverages the Windows 10 built-in MDM layer.

          You will hear more about the Modern Management scenarios & future enhancements/capabilities at Ignite. If you are attending, plan for this session –

          1. Jimmy says:

            Thanks for the reply Arnab. Sorry if I confused you! My query was about having a device enrolled into Intune (managed through built in mdm layer) on Azure AND having the ConfigMgr agent installed at the same time. I was not talking about the Intune agent.

            I was very interested to hear that this was possible.

          2. Yes, the agent does stay as a managed device in the Intune portal.

Comments are closed.

Skip to main content