Silently remove the SCCM client and enroll the device in Intune

SCCM is a great tool for managing your Windows computers. However, if you’re using Intune to manage all your devices, removing the SCCM client and enrolling the device in Intune can be helpful. This article will show you how to silently remove the SCCM client and enroll a device in Intune in three steps:

1. CREATE AN AUTOMATIC LICENSING GROUP

• Create an automatic licensing group
• Set the license to “Auto assign.”

2. CREATE A GPO FOR INTUNE ENROLLMENT

• Create a GPO for enrollment.
• Create a GPO for non-enrollment.
• Please create a new group policy that allows you to enroll devices that have already been enrolled in Intune and then assign it to your users by Active Directory group membership.
• Please create a new group policy that does not allow you to enroll devices (use the same security settings as the one above), add this GPO through Group Policy Management Console (GPMC), and then assign it to your users by Active Directory group membership.

3. REMOVE THE SCCM CLIENT SILENTLY (WITHOUT THE NEED FOR INTERACTION FROM THE END USER’S PERSPECTIVE)

First, import the IntuneManagementShell module:

Import-Module -Name C:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\IntuneManagementShell.psd1

Use the Get-CMSoftwareUpdate cmdlet to retrieve the list of all software updates that need to be removed:

Get-CMSoftwareUpdate -Name “*Windows 10*” | Remove-CMSoftwareUpdate

4. ENROLL THE DEVICE IN INTUNE AND FOLLOW UP

Once you’ve removed the client, you’ll want to create a device collection and add the device to that collection. Once it is added, enroll it in Intune by running the following command:

Powershell Copy Copied $DeviceID = “New-MobileDeviceManagementClient -CollectionName “SCCM Client Removal” -EnrollmentType TurnOnAndEnroll -DeviceID $DevicelD -CommandsToExecuteOnCMDevice enumeratedOrder=0,1,2 -CommandTimeoutInSeconds 30 $DeviceID = “Set-CMClientSetting -Action InstallOrUninstall -CollectionName “SCCM Client Removal” ` -ProgramName MicrosoftDeploymentToolkit\Client\Deployment\MicrosoftDeploymentToolkit\Client\binaries\amd64 \msiexec.exe ` -Arguments “/qb!”` -DisableLogging ` -DisableFeedback ` -LogLevel 2 | Out-Null Start-CMClientOperationRestart –CollectionName “SCCM Client Removal” –ProgramName MicrosoftDeploymentToolkit\Client\Deployment\MicrosoftDeploymentToolkit\Client\) I ran into issues enabling logging on my device, so I edited it out of this script since I don’t need it for troubleshooting. Still, you can reenable that if needed by uncommending this line:

$ScriptBlock = {$ScriptBlock = {Start-Transcript; Enable-Transcript;}} You can also choose whether or not to enable feedback on your computer after running through this process, so uncommenting this line will enable feedback (this is useful if any errors occur):

$ScriptBlock = {$ScriptBlock = {Set-ItemProperty -Path ‘HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection’ -Name “AllowTelemetry” -value 1}}

Conclusion

When you have all the above in place, it’s time to enroll your devices. The easiest method is the Microsoft Intune service, which allows you to manage devices and users from a single console. Depending on your needs and preferences, you can also use other methods, such as Group Policy deployments or PowerShell scripts (which are more advanced).