This article describes how to silently remove the SCCM client and enroll the device in Intune.
Situation:
- Customer using SCCM for client management but going to hybrid-joined devices, Intune managed
Target:
- Silently (without bothering the end user) remove SCCM client from devices and enroll them in Intune – manual procedure
There are many ways to remove the SCCM client from devices. I’ll show you how I’ve done it at a client.
I didn’t want the end user to notice anything, but still be able to do everything myself, device per device, as a testing phase before going big bang.
This is what we’ll go through in this blog post:
- Make sure your end users have the correct licenses for enrolling devices in Intune (Microsoft 365 E5, Microsoft 365 E3, EMS E5, EMS E3, Microsoft 365 Business, Microsoft 365 F1, Microsoft 365 Education A5 or Microsoft 365 Education A3) – we’ll do this with an automatic licensing group
- Create a GPO for Intune enrollment
- Remove the SCCM client from the end user’s device (silently from the end user’s perspective)
- Enroll the device in Intune & follow up
1. Create an automatic licensing group
In our case we worked with more than one group as we used different licensing models for some end users.
You just create an assigned group (or several, if you use multiple license models) and assign your users to the correct group. On that group you can assign your license, so the end users in that exact group get the correct licenses automatically and you don’t have to assign them directly anymore.
You can use the ‘Reprocess’ button to speed up license assignment if you add more users.
In case you have an organisation where everyone has the same license, you can even go further and create a dynamic group, targeting all enabled users and assigning the correct licenses to that group. That way if a new user starts, he’ll be in that group automatically and get the right licenses. If a user exits or leaves the company, his user will be disabled or deleted and removed from the group automatically, this way freeing up licenses also.
2. Create a GPO for Intune enrollment
Requirements for the GPO to work:
- AD-joined PC running Windows 10, version 1709 or later
- The enterprise has configured a mobile device management (MDM) service
- The enterprise AD must be registered with Azure Active Directory (Azure AD)
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with error 0x80180026)
- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement.
Open the Group Policy Editor
In Local Computer Policy, click Administrative Templates > Windows Components > MDM
Double-click Enable Automatic MDM enrollment using default Azure AD credentials.
Click enable, choose ‘User Credential’, and click on ‘OK’.
In the end it will look like this:
3. Remove the SCCM client silently (without the need for interaction from the end user’s perspective)
Download the PSTools, we’ll be using PSExec to achieve this: https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
Download ccmclean.exe, be aware that removing/uninstalling SCCM clients with ccmclean is not supported by Microsoft! In my experience it’s the best tool to remove the client, as it also cleans out the registry, scheduled tasks, etc.
How can we achieve it?
- Navigate in cmd to your PSTools folder
- Use the following command: psexec.exe \\targetpc -c ‘ccmclean.exe path’
- You can do a check by verifying remotely (\\targetpc\c$) if the folders are cleaned up under C:\Windows\ccm, C:\Windows\ccmcache and C:\Windows\ccmsetup.
- The other thing you can check is in Task Scheduler, remotely connect to the target device
- The scheduled task under Microsoft – Configuration Manager should be empty
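The checks from the list above can also be scripted. This is an added example, not part of the original post; it assumes admin rights on the target, a reachable C$ share and WinRM enabled for the CIM session, and the function name and 'targetpc' are placeholders.

```powershell
# Added example: verify remotely that ccmclean removed the SCCM client.
function Test-SccmClientRemoved {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName   # placeholder, e.g. 'targetpc'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Folder check over the admin share: same three folders as in the list above.
    foreach ($dir in 'ccm', 'ccmcache', 'ccmsetup') {
        $unc = "\\$ComputerName\c`$\Windows\$dir"
        if ((Test-Path -LiteralPath $unc) -and
            (Get-ChildItem -LiteralPath $unc -Force | Select-Object -First 1)) {
            $findings.Add("Folder still has content: $unc")
        }
    }

    $cim = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        # 2. Task Scheduler: Microsoft > Configuration Manager should be empty.
        $tasks = Get-ScheduledTask -CimSession $cim `
            -TaskPath '\Microsoft\Configuration Manager\*' -ErrorAction SilentlyContinue
        foreach ($t in $tasks) {
            $findings.Add("Scheduled task left: $($t.TaskPath)$($t.TaskName)")
        }

        # 3. Extra check beyond the article: the agent service (CcmExec) should be gone.
        $svc = Get-CimInstance -CimSession $cim -ClassName Win32_Service `
            -Filter "Name='CcmExec'"
        if ($svc) { $findings.Add("Service CcmExec still registered (state: $($svc.State))") }
    }
    finally {
        Remove-CimSession -CimSession $cim
    }

    # One result object per device, so a test batch can be collected and exported.
    [pscustomobject]@{
        ComputerName = $ComputerName
        Clean        = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage (placeholder host name):
# Test-SccmClientRemoved -ComputerName 'targetpc' | Format-List
```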
4. Enroll the device in Intune and follow up
Move your device to the OU on which you enabled your GPO
To speed up the process you can use PSExec also to remotely open a cmd prompt on the target computer, this is the command: psexec.exe \\targetpc cmd
You can verify that the cmd prompt is on the target computer by typing ‘hostname’. Afterwards you can trigger a ‘gpupdate /force’ to make the GPO apply faster.
Now you can check in the Intune – devices blade if your device is enrolled correctly:
So this is how we remove the SCCM client and enroll the device in Intune.
In one of my next blog posts I’ll dive deeper into troubleshooting this whole scenario.
Happy testing!