ITSM Enrollment through Intune

Is it possible to use a PowerShell script to ‘enroll’ a device manually?

The reason I ask is that I am attempting to build an MS Intune profile for a new customer that, as part of their enrollment into the MDM element of Intune, automatically deploys the ITSM MSI from the bulk installation wizard. Given that Intune renames the MSI to a random name, removing the token, is it possible to configure the enrollment settings (Host, Port, Token) via a Windows script (CMD, PowerShell or Regedit) after the MSI has been deployed?

@curatrix_pl ,

We are going to forward your request to our Script Developers and provide you with a response based on their output. I believe there is already a previous request related to your query that is currently being worked on by the Development Team.

Thanks, this is different to my previous request of integrating C1 with Intune; this is purely about using the AutoPilot feature within Intune for deploying new machines. The process works as far as it installs the Comodo Agent, but unfortunately, it doesn’t enrol. If I can update the enrolment settings using PowerShell, then I can get this working through Intune with ease and minimise our efforts moving forward.

@curatrix_pl ,

We thank you for making the picture clearer. We can inform the Product Team and coordinate with their analysis from creating the feature, devising the functionality, staging tests until it reaches fruition. Rest assured, all details that you provided will be helpful.

Thanks @Jimmy

Whilst the product team look to implement this, is there a method for enrolling devices automatically, either via script or registry edit?

Hi @curatrix_pl ,

Thank you for bringing this to our attention. We will create a support ticket for this inquiry and we’ll get back to you as soon as possible through email.

Firstly, thanks to the C1 guys for their guidance in this. I’m sharing the process here for any others who wish to use Intune to deploy ITSM within their customers:

Install Process
The first step is to make the MSI available for distribution.

  • Go to ITSM > RMM and download the ITSM Communications Client for a client. The MSI is irrelevant at this stage as Intune renames the MSI when deploying.
  • Once downloaded, log in to Intune and go to Mobile Apps > Apps > Click Add
  • Select Line of Business App
  • Click App Package File > Upload the MSI > Click OK
  • Click on App Information
  • Make sure that the Name is 'COMODO Client - Communications'. It is important that this name is the same as what it would be if installed manually, as this is what Intune checks for initially to see if it is already installed. Fill in the description and publisher and click 'Yes' to ignore version. This ensures that COMODO can update the client communications when new versions are released. If you leave this as 'No', you will need to manually update the MSI here upon each update.
  • Click OK > Create
  • Wait for the MSI to finish uploading then go to the Assignments tab and add it as a required Application using the groups you desire.

Enrol Process
Now you have added the MSI, you need to enrol your device using a PowerShell script to create an INI file.

  • In Intune, go to Device Configuration > PowerShell Scripts
  • Click Add and enter a name and description. Then upload your PowerShell script (see below for basic contents).
  • Click Configure and make sure that the script is not running as the logged-in user and you are not checking the signature.
  • Click create
  • Click Assign and select the relevant security groups. I suggest that you use the same groups as for the MSI.
  • Click Save

Now, when users login on an Azure AD Joined and Intune MDM managed device, Comodo ITSM will be automagically deployed and enrolled.

Example content of the PowerShell script. Just update it with the correct host and token for each client you are deploying to.

# Enrollment settings for the Comodo ITSM client. Replace host and token per customer.
$INIText = @"
[General]
host = customername-mspname-msp.cmdm.comodo.com
port = 443
remove_third_party = false
suite = 4
token = a12354cfaf234b2b0ff2455d2d62
"@

# Write the config where the client installed by the Intune MSI expects it
New-Item "C:\Program Files (x86)\COMODO\Comodo ITSM\enrollment_config.ini" -type file -value $INIText

# Restart the client service so it picks up the new enrollment config
net stop itsmservice
net start itsmservice

UPDATE - I should point out on this, you need to update the Token every 90 days as you are not able to create persistent tokens on the ITSM platform.
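A more defensive version of the enrollment script above, written as an added example for this thread (not the original poster's or Comodo's code). It assumes the install path and service name used in the post, treats removal of enrollment_config.ini by the service as the enrollment indicator (as described later in this thread), and uses placeholder host/token values plus a constructed log path.

```powershell
# Added example: defensive Intune PowerShell script for ITSM enrollment.
# Assumptions: client installs to the path below, service is itsmservice, and the
# service deletes enrollment_config.ini once enrollment succeeds.
$Settings = [ordered]@{
    host               = 'customername-mspname-msp.cmdm.comodo.com'  # placeholder; use the host shown on the enrollment page
    port               = 443
    remove_third_party = 'false'
    suite              = 4
    token              = 'REPLACE_WITH_CURRENT_TOKEN'                # placeholder; tokens expire after 90 days
}
$InstallDir = 'C:\Program Files (x86)\COMODO\Comodo ITSM'
$IniPath    = Join-Path $InstallDir 'enrollment_config.ini'
$LogPath    = Join-Path $env:ProgramData 'ITSM-enroll.log'          # constructed log location

function Write-Log ($Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append -Encoding ascii
}

# The MSI and this script are assigned separately, so the client may not be
# installed yet when the script runs. Wait up to 10 minutes for the directory.
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path $InstallDir) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
}
if (-not (Test-Path $InstallDir)) {
    Write-Log "Client directory not found at $InstallDir; aborting"
    exit 1   # non-zero exit shows as a failed script in Intune reporting
}

# Build the INI from the ordered table so every key is spelled consistently.
$lines = @('[General]') + ($Settings.GetEnumerator() | ForEach-Object { "$($_.Key) = $($_.Value)" })
Set-Content -Path $IniPath -Value $lines -Encoding ascii -Force
Write-Log "Wrote $IniPath"   # the token itself is deliberately not logged

Restart-Service -Name itsmservice -Force
Write-Log 'Restarted itsmservice'

# Success indicator: the service removes the config file once enrollment completes.
$deadline = (Get-Date).AddMinutes(5)
while ((Test-Path $IniPath) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 10 }
if (Test-Path $IniPath) {
    Write-Log 'enrollment_config.ini still present; enrollment not confirmed'
    exit 1
}
Write-Log 'Enrollment config consumed; enrollment appears complete'
exit 0
```

Because the token is the only secret in the file, rotating it every 90 days means re-uploading the script in Intune with the new value; the log at the constructed path shows whether a stale token caused the config to remain unconsumed.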

Thank you for posting this @curatrix_pl; this code gives me a good point to work on for an enrollment procedure that I am working on.

I want to point out as well for anyone using this, US based hosts are on itsm-us1.comodo.com so the host would be customername-mspname-msp.itsm-us1.comodo.com. Alternatively, replace the host string with the host name from the manual section on the enrollment instructions page.

Intune deployment works without any issue if you deploy the MSI as a Win32 app in the new .intunewin format.

Guide: https://www.petervanderwoude.nl/post/deploy-customized-win32-apps-via-microsoft-intune/

Any updates on this? I noticed that the name of the enrolment file is enrollment_settings.ini and it only contains three entries. I have another question: when I was deploying the client using PDQ Deploy, I would only use the command-line arguments msiexec.exe /i "em_RdvmQG2I_installer.msi" ALLUSERS=1 /qn /norestart /log output.log, and those clients would auto-enroll.

And on my machine in which I deployed at the command line, that file is empty.

@carls ,

See an example of an enrollment config file:

[General]
host = subdomain.cmdm.comodo.com
port = 443
remove_third_party = false
suite = 4
token = a5d15fd0dd9d7640fbd830e3f1c40999

In msiexec.exe /i "em_RdvmQG2I_installer.msi", what was used here was a short token. It is resolved into the enrollment config during the installation. Once enrollment is done, ITSMService removes enrollment_config.

enrollment_settings.ini should be enrollment_config.ini

I used this method, and apparently it has been updated: all I had to do was re-package the MSI and use the command line when setting it up in Intune. I did not need to use the install.cmd file and include the command line; now you can just utilize the command line that is auto-generated. And it worked like a charm.

Keep in mind Microsoft notes this: “Any Win32 app deployed using Intune will not be automatically removed from the device when the device is retired. The app and the data it contains will remain on the device. If the app is not removed prior to retiring the device, the end user will need to take explicit action on the device to remove the app.”