We have a special domain that is only used for contractors, and they have strict network rules, so I set up SCCM internet-only client by our CMG via Group Policy and Powershell.
You may think that just use a default group policy to install SCCM agent will be fine, right? It turned out that the parameter is so long that the default way of installation won’t work. So I have to use a scheduled task runs daily to install the SCCM internet-only client via Powershell.
Here is the Powershell Script to install SCCM internet-only client:
### SCCM CMG Client Install
### Rui Qiu
### 10/29/2020
### v1.1 added script to force client in always internet mode
### 08/31/2022
$result = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name "HttpsState"
$result = $result.HttpsState
$result2 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\Security' -Name "ClientAlwaysOnInternet"
$result2 = $result2.ClientAlwaysOnInternet
$source = "\\yourdomain.lan\sysvol\yourdomain.lan\scripts\sccm"
$path = "C:\Temp"
### Check if SCCM Client is installed
If($result -eq "31")
{
Write-Host "Sccm installed"
$MachinePolicyRetrievalEvaluation = "{00000000-0000-0000-0000-000000000021}"
### $SoftwareUpdatesScan = "{00000000-0000-0000-0000-000000000113}"
### $SoftwareUpdatesDeployment = "{00000000-0000-0000-0000-000000000108}"
}else
{
If(!(test-path $path))
{
New-Item -ItemType Directory -Force -Path $path
}
Copy-Item -Path $Source\ccmsetup.exe -Destination $path\ccmsetup.exe -Force
CD $path
.\ccmsetup.exe /nocrlcheck /UsePkiCert CCMHOSTNAME=HTTPS://yours.CLOUDAPP.NET/CCM_Proxy_MutualAuth/xxx SMSSiteCode=XXX CCMFIRSTCERT=1 /mp:HTTPS://yours.CLOUDAPP.NET/CCM_Proxy_MutualAuth/xxx CCMALWAYSINF=1 SMSMP=HTTPS://yours.CLOUDAPP.NET/CCM_Proxy_MutualAuth/xxx
}
### Check if Client is always on internet
If($result2 -eq "0")
{
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\CCM\Security -Name "ClientAlwaysOnInternet" -Value "1"
Restart-service -name CcmExec
}
What it does is first to check if the SCCM client has been installed or not. If it does, it will just run machine policy update and software update. If not, it will first copy the sccm installation files to client’s local C:\Temp, and then run the installation.
Here is the parameters that I found can make it work to do the SCCM internet-only client install, for your envrionment, you may have to tweet it a little bit.
ccmsetup.exe /nocrlcheck /UsePkiCert CCMHOSTNAME=HTTPS://yourdomain.CLOUDAPP.NET/CCM_Proxy_MutualAuth/yourID SMSSiteCode=AMH CCMFIRSTCERT=1 /mp:HTTPS://yourdomain.CLOUDAPP.NET/CCM_Proxy_MutualAuth/YourID CCMALWAYSINF=1 SMSMP=HTTPS://yourdomain.CLOUDAPP.NET/CCM_Proxy_MutualAuth/YourID
Since we own the special domain, so we are using the internal CA to issue a certificate to each machine, that’s why I use “/UsePkiCert” this parameter.
Here is the GPO I setup to do the SCCM client install.
The “Add arguments” is as follows:
-ExecutionPolicy Bypass -File "\\yourdomain\sysvol\yourdomain\scripts\sccm\q.ps1"