Deploying InTune through SCCM Task Sequence

We’ve been consolidating systems at work and were faced with scrapping our asset management system in favour of our new case management system, Cherwell. Previously we used Alloy for inventory, and Alloy had no problem reporting hardware data during a task sequence, even for machines that aren’t going to be connected to our network. We’ve got a few so-called “Open-PCs” that won’t be on our network, aren’t connected to the domain and thus won’t be reporting any hardware inventory to SCCM. I spent a long time trying to force a hardware inventory within the task sequence, but it doesn’t seem to be possible. One method would be to create a script and a scheduled task to remove the machine from the domain some time after the image has been applied, but this would just be annoying on a day-to-day basis. And it wouldn’t be reliable.

Thus my eyes fell on InTune, which doesn’t require a domain connection and will deliver inventory details, which we can pull into our case system. (For insurance reasons.) I tried many different methods of accomplishing this, and kept getting stuck because the InTune and SCCM clients are inherently incompatible with one another. InTune will simply refuse to be installed where the SCCM client already exists.

I ended up creating a task sequence structure that accomplished what was required through scripts and SCCM PostAction.

  • Pre-requisites:
  • Create a package pointing to a directory where you’ll keep your source files. We’ll use this later. Throw your Intune .msi and certificate in this directory.
  • Create an Install-IntuneClient.ps1 file containing the following (thanks to Peter for most of the PowerShell script):

    #Define variables
    $NewPath = "C:\Temp"
    $CertificateName = "MicrosoftIntune.accountcert"
    $UninstallPath = "C:\Windows\ccmsetup"
    $UninstallerName = "ccmsetup.exe"
    $UninstallerArguments = "/Uninstall"
    $InstallerName = "Microsoft_Intune_X64.msi"
    $InstallerArguments = "/qb!"
    #SCCM Uninstall
    Start-Process -FilePath "$UninstallPath\$UninstallerName" -ArgumentList $UninstallerArguments -Wait -PassThru
    #Waiting time introduced to ensure that msiexec is ready.
    Start-Sleep -s 160
    #Uninstall of MS Policy Platform, since InTune will think this version will work, but it won’t. You will get the client but it’ll get policy errors if you don’t do this step.
    Start-Process -FilePath "C:\Windows\System32\msiexec.exe" -ArgumentList "/X{6549B04F-E826-4E0A-8C3F-388540F08541} /qn"
    Start-Sleep -s 160
    #Intune Install
    Start-Process -FilePath "$NewPath\$InstallerName" -ArgumentList $InstallerArguments -Wait -PassThru
    #Folder Cleanup.
    Remove-Item $NewPath -Force -Recurse
    #Giving InTune a few minutes to talk to the server.
    Start-Sleep -s 160
    #Optional step – shuts down computer after finishing. Uncomment if you want it.

  • Create .cmd file containing the following:

    @echo off

    md c:\Temp
    copy /Y "%~dp0Microsoft_Intune_X64.msi" c:\Temp
    copy /Y "%~dp0MicrosoftIntune.accountcert" c:\Temp
    copy /Y "%~dp0Install-IntuneClient.ps1" c:\Temp

  • Task Sequence Steps:
  • Run Command Line containing: cmd /c "yourfilenamehere.cmd"
    I chose to point this at the package to pull the file from the server. You can of course do this in other ways, but this is my personal preference.
  • Set Task Sequence Variable: SMSTSPostAction

    PowerShell.exe -ExecutionPolicy ByPass -File "C:\Temp\Install-IntuneClient.ps1"

And you’re done.
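
The PostAction above runs a script and an MSI from C:\Temp with the execution policy bypassed, and a folder created directly under C:\ typically inherits write access for Authenticated Users. As an added example (not part of the original post or Peter's script), the following PowerShell restricts the staging folder to SYSTEM and Administrators and refuses to continue unless the MSI carries a valid Authenticode signature. The function names are hypothetical, and it assumes the Intune MSI is signed by Microsoft Corporation.

```powershell
# Added example, not from the original post. Run elevated (SYSTEM or administrator).
$StagingPath   = 'C:\Temp'                    # staging folder used in the post
$InstallerName = 'Microsoft_Intune_X64.msi'   # installer name used in the post

function Protect-StagingFolder {              # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # Remove inherited ACEs and grant Full Control only to SYSTEM (S-1-5-18)
    # and BUILTIN\Administrators (S-1-5-32-544). Well-known SIDs keep this
    # working on non-English Windows installs.
    & icacls.exe $Path /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on '$Path' (exit code $LASTEXITCODE)" }
    # Reset files that were already staged so they carry only the ACL
    # inherited from the now-restricted folder.
    if (Get-ChildItem -LiteralPath $Path -Force) {
        & icacls.exe (Join-Path $Path '*') /reset /T /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed under '$Path' (exit code $LASTEXITCODE)" }
    }
}

function Test-InstallerSignature {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the certificate
    # chain builds to a root this machine trusts.
    if ($sig.Status -ne 'Valid') { return $false }
    # Assumption: the signer certificate subject names Microsoft Corporation.
    return ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# Lock the folder down first, then check the installer before anything runs it.
Protect-StagingFolder -Path $StagingPath
$msi = Join-Path $StagingPath $InstallerName
if (-not (Test-InstallerSignature -Path $msi)) {
    throw "Refusing to install '$msi' because its Authenticode signature is missing, invalid or not from Microsoft"
}
Write-Output "Signature check passed for '$msi'"
```

Protect-StagingFolder is most useful as its own task sequence step directly after the copy .cmd, while the signature check belongs just before the #Intune Install line of Install-IntuneClient.ps1.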

Deploying hotfixes during SCCM Task Sequence

It’s been a while since we built our initial Windows 10 image, and it’s fallen quite a bit behind the times. We didn’t want to spend time updating the image until we were ready to go into production, and WSUS seemed to have issues installing some of the updates, resulting in systems that wouldn’t update properly unless manual update packages were installed.

To fix this I deployed a package to the task sequence containing this script:

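    $scriptPath = Split-Path -Parent $MyInvocation.MyCommand.Definition
    $folder = $scriptPath
    # Count the .msu packages so the progress bar has a total
    $total = Get-ChildItem $folder *.msu | Measure-Object | Select-Object -ExpandProperty Count
    $i = 0
    Get-ChildItem $folder *.msu | ForEach-Object {
        $i++
        # Passing FullName as its own argument keeps paths with spaces intact
        wusa.exe $_.FullName /quiet /norestart
        Write-Progress -Activity "Installerer hotfixes" -Status "Installerer $_ .. $i af $total" -PercentComplete (($i / $total) * 100)
        # wusa returns immediately, so wait for it to exit before the next package
        Wait-Process -Name wusa
    }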

Credit to this fella for the source:

Essentially this will run within the package directory, installing all .msu’s found within. Currently it’s just throwing on kb3213522 – which enables WSUS to take over from there, but it could potentially save people who don’t have WSUS some serious hassle.

Add the package to the task sequence, point it at the PowerShell script, and you’re golden. Modify the text displayed within “ ” to your liking.