
Test

In the quiet dawn of your co-managed fleet, let these scripts breathe new life into devices lost between SCCM’s twilight and Intune’s sunrise. Assign Detection.ps1 as your “snitch” and Remediation.ps1 as your “fighter” in Intune’s Remediations blade.

Detection.ps1

Returns exit code 1 if the SCCM client is present (non-compliant), or 0 if it’s absent (compliant). Intune will trigger remediation when it sees a non-zero exit.

# Detection.ps1
# Checks for the ConfigMgr (SCCM) client via its service and registry key

# 1. Service check
$svc = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue

# 2. Registry check
$reg = Get-Item 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue

if ($svc -or $reg) {
    Write-Output 'SCCM Client detected'
    Exit 1    # Non-compliant: remediation will run
}
else {
    Write-Output 'SCCM Client not found'
    Exit 0    # Compliant: nothing to do
}

This pattern (exit 0 for success, 1 for remediation) follows the guidance of community experts on Proactive Remediations.

Remediation.ps1

When SCCM is discovered, this script uninstalls the ConfigMgr client, wipes its remnants, and re-enrolls the device in Intune MDM.

# Remediation.ps1
# Remove SCCM completely and re-trigger Intune MDM auto-enrollment

function Uninstall-SCCM {
    # Use %WinDir% (as the rest of the script does) rather than assuming <SystemDrive>\Windows
    $path = "$Env:WinDir\ccmsetup\ccmsetup.exe"
    if (Test-Path $path) {
        Write-Output '→ Stopping SCCM services…'
        Get-Service CcmExec, ccmsetup -ErrorAction SilentlyContinue |
            Stop-Service -Force
        Write-Output '→ Running SCCM uninstaller…'
        Start-Process $path -ArgumentList '/uninstall' -Wait -NoNewWindow
        Write-Output '✓ SCCM uninstalled.'
    }
    else {
        Write-Output '→ No SCCM installer found; skipping graceful uninstall.'
    }
}

function Remove-SCCM {
    Write-Output '→ Forcing removal of leftover SCCM artifacts…'
    # Stop any lingering services
    Get-Service CcmExec, ccmsetup -ErrorAction SilentlyContinue |
        Stop-Service -Force -ErrorAction SilentlyContinue

    # Delete folders
    $folders = @(
        "$Env:WinDir\CCM",
        "$Env:WinDir\CCMSetup",
        "$Env:WinDir\CCMCache"
    )
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Remove-Item $f -Recurse -Force -ErrorAction SilentlyContinue
        }
    }

    # Remove registry keys
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\CCM',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\CCM',
        'HKLM:\SOFTWARE\Microsoft\SMS',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS',
        'HKLM:\SOFTWARE\Microsoft\CCMSetup',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\CCMSetup',
        'HKLM:\SYSTEM\CurrentControlSet\Services\CcmExec',
        'HKLM:\SYSTEM\CurrentControlSet\Services\ccmsetup'
    )
    foreach ($k in $keys) {
        Remove-Item $k -Recurse -Force -ErrorAction SilentlyContinue
    }

    # Drop WMI namespaces
    foreach ($ns in 'CCM','CCMVDI','SmsDm') {
        Get-CimInstance -Namespace root -Query "SELECT * FROM __Namespace WHERE Name='$ns'" -ErrorAction SilentlyContinue |
            Remove-CimInstance -Confirm:$false -ErrorAction SilentlyContinue
    }
    Get-CimInstance -Namespace root\cimv2 -Query "SELECT * FROM __Namespace WHERE Name='sms'" -ErrorAction SilentlyContinue |
        Remove-CimInstance -Confirm:$false -ErrorAction SilentlyContinue

    # Clean certificates and config file
    Remove-Item "$Env:WinDir\smscfg.ini" -Force -ErrorAction SilentlyContinue
    Remove-Item 'HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates\*' -Force -ErrorAction SilentlyContinue

    Write-Output '✓ All SCCM traces removed.'
}

function Reset-IntuneEnrollment {
    Write-Output '→ Clearing stale Intune tasks…'
    # -TaskPath must end in '\'; the '*' matches the per-enrollment subfolders where the tasks live
    $taskPath = '\Microsoft\Windows\EnterpriseMgmt\*'
    Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue |
        Unregister-ScheduledTask -Confirm:$false -ErrorAction SilentlyContinue

    Write-Output '→ Purging old enrollment registry keys…'
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Enrollments\*',
        'HKLM:\SOFTWARE\Microsoft\Enrollments\Status\*',
        'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\*',
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\*',
        'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\*',
        'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\*'
    )
    foreach ($p in $paths) {
        Remove-Item $p -Recurse -Force -ErrorAction SilentlyContinue
    }

    Write-Output '→ Removing old Intune MDM certificates…'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match 'Microsoft Intune MDM Device CA' } |
        Remove-Item -Force -ErrorAction SilentlyContinue

    Write-Output '→ Invoking deviceenroller.exe for auto-enroll…'
    Start-Process "$Env:Windir\System32\deviceenroller.exe" `
        -ArgumentList '/c','/AutoEnrollMDM' -Wait -NoNewWindow

    Write-Output '✓ Intune MDM re-enrollment triggered.'
}

# Execute in sequence
Uninstall-SCCM
Remove-SCCM
Reset-IntuneEnrollment
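
Reset-IntuneEnrollment deletes every subkey under each enrollment root with '\*', which also removes non-Intune entries. The following is an added example, not part of the original script, that limits the purge to Intune-owned enrollment GUIDs and supports a -WhatIf dry run. The function names and the ProviderID value 'MS DM Server' used to recognise Intune enrollments are assumptions of this example.

```powershell
# Added example, not from the original post: purge only Intune-owned enrollments.
# Assumption: Intune MDM enrollments carry ProviderID = 'MS DM Server'.
function Get-IntuneEnrollmentId {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('ProviderID') -eq 'MS DM Server' } |
        ForEach-Object { $_.PSChildName }
}

function Remove-IntuneEnrollment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EnrollmentId
    )
    begin {
        # Same registry roots that Reset-IntuneEnrollment clears with '\*'.
        $roots = @(
            'HKLM:\SOFTWARE\Microsoft\Enrollments',
            'HKLM:\SOFTWARE\Microsoft\Enrollments\Status',
            'HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked',
            'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers',
            'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts',
            'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions'
        )
    }
    process {
        # Refuse anything that is not a GUID so a bad value cannot widen the delete.
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($EnrollmentId, [ref]$parsed)) {
            Write-Warning "Skipping non-GUID enrollment id '$EnrollmentId'"
            return
        }
        foreach ($root in $roots) {
            $key = Join-Path $root $EnrollmentId
            if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
                Remove-Item $key -Recurse -Force
            }
        }
        # Scheduled tasks live in a folder named after the enrollment GUID.
        $taskPath = "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\"
        Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue |
            Where-Object { $PSCmdlet.ShouldProcess($_.TaskName, 'Unregister scheduled task') } |
            Unregister-ScheduledTask -Confirm:$false
    }
}

# Dry run first: -WhatIf lists what would be deleted without touching anything.
@(Get-IntuneEnrollmentId) | Remove-IntuneEnrollment -WhatIf
```

Drop -WhatIf only after the dry-run output lists exactly the enrollment GUIDs you expect.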

Usage in Intune:

  1. Go to Devices > Scripts & remediations > Create script package

  2. Upload Detection.ps1 and Remediation.ps1

  3. Assign to your device group and set the schedule (e.g. daily)

  4. Monitor results: non-compliant devices will flow through remediation until the SCCM client fades into history and Intune stands alone once more.

 
 
 
