Windows Desktop MFA - SCCM Silent Deployment

This guide describes how to deploy idemeum desktop client to a fleet of Windows workstations with Microsoft Configuration Manager (SCCM).

You can perform the following installation types with Microsoft Configuration Manager (SCCM):

  1. Base version install - use this installation type when you are deploying idemeum client for the first time to a set of Windows workstations. You will need to use the .exe file for this installation.
  2. Upgrade version install - use this installation type when you already have idemeum desktop client installed, and you need to upgrade the client to a newer version. You will need to use the .msi file for this installation.


Now you will create idemeum client id and client secret required for silent installation.

  • Navigate to your idemeum admin portal. Then click Settings -> Desktop MFA.
  • In the Desktop Installer section click GENERATE to generate client id and client secret for silent installation
  • Note down the client id and secret required for silent installation

Base version install

Follow the steps below to deploy the idemeum desktop client to new Windows workstations.

Download latest .exe client

  • Navigate to idemeum documentation portal and download the latest idemeum desktop client.
You will need to use .exe file for base version silent installation.

Create content package

The content package that you will be pushing to workstations consists of 3 files:

  1. idemeum desktop client, .exe file that you downloaded in the previous section
  2. Configuration file that will include all idemeum configuration parameters
  3. PowerShell installer script that will perform the deployment and installation on each workstation

Here is the configuration file template below. Please fill in the information for your idemeum tenant.

For example, here is how the configuration file looks for our testing idemeum tenant.

TENANT_DISPLAY_NAME="Healthcare Company"
  • TENANTURL - URL for your idemeum tenant, i.e
  • CORP_EMAIL - (optional) Enter the email of the admin for which the current app needs to be assigned at the time of installation. If not mentioned, please ensure the knob Share with all admins on creation (OWNER role) is enabled in Admin Portal -> Settings -> Desktop MFA.
  • CLIENT_ID and CLIENT_SECRET - enter the copied client id and secret from the previous step
  • AUTH_TYPE - it's either RFID or QRCODE based on the login mode that you want to enable
  • TENANT_DISPLAY_NAME - tenant display name (i.e. Healthcare Company)
  • MASTER_KEY - if you are using password applications and would like the extension to automatically log the user in when the badge is tapped, then you need to provide the encryption key that the desktop application will use to locally encrypt / decrypt passwords. You can generate the key by navigating to idemeum admin portal -> Settings -> Desktop MFA -> Desktop Master Key Settings

Here is the latest PowerShell script installer below.

Now you can combine these three files (idemeum exe desktop client, configuration file, and installer script) and distribute them to your SCCM distribution point content location. 
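
Because the configuration file carries CLIENT_SECRET and, optionally, MASTER_KEY, it is worth checking the package before copying it to the content location. The following is an added example, not idemeum's installer script or code from this guide; it assumes the configuration file uses KEY="value" lines as in the sample line above, and the function name and both paths are hypothetical.

```powershell
# Added example: pre-flight check of the idemeum content package.
# Assumptions: the config file holds KEY="value" lines; all paths are hypothetical.
function Test-IdemeumPackage {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [string] $ContentFolder
    )
    # CORP_EMAIL and MASTER_KEY are optional, so they are not listed here.
    $required = 'TENANTURL', 'CLIENT_ID', 'CLIENT_SECRET', 'AUTH_TYPE', 'TENANT_DISPLAY_NAME'
    $settings = @{}
    $problems = [System.Collections.Generic.List[string]]::new()

    $lineNumber = 0
    foreach ($line in Get-Content -LiteralPath $ConfigPath) {
        $lineNumber++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line -cmatch '^\s*([A-Z_]+)\s*=\s*"(.*)"\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        } else {
            # Report the line number only, so secret values never reach a log.
            $problems.Add(('Line {0} is not in KEY="value" form' -f $lineNumber))
        }
    }
    foreach ($key in $required) {
        if ([string]::IsNullOrWhiteSpace($settings[$key])) {
            $problems.Add("Required parameter $key is missing or empty")
        }
    }
    if ($settings['AUTH_TYPE'] -and $settings['AUTH_TYPE'] -notin 'RFID', 'QRCODE') {
        $problems.Add('AUTH_TYPE must be RFID or QRCODE')
    }

    # The folder holds CLIENT_SECRET and possibly MASTER_KEY, so flag NTFS
    # entries that grant access to broad groups (English group names assumed).
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in (Get-Acl -LiteralPath $ContentFolder).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -in $broad) {
            $problems.Add("$($ace.IdentityReference.Value) has access to $ContentFolder")
        }
    }
    return $problems
}

# Hypothetical usage; an empty result means no problems were found:
# Test-IdemeumPackage -ConfigPath 'D:\Source\idemeum\config.txt' -ContentFolder 'D:\Source\idemeum'
```

The ACL check covers NTFS permissions only; share permissions on the content location need a separate review.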

Create application in SCCM

  • Navigate to Microsoft Configuration Manager console -> Software library -> Application Management -> Applications
  • Right click on Applications and choose Create Application
  • Choose Manually specify the application information
  • Specify application name as well as additional metadata information
  • Since we are deploying silently we can skip the information entry on the Software Center section
  • Click Add in the deployment type section
  • Choose Script installer in the General information for deployment type
  • Specify name and any additional comments
  • For content location specify the folder location where you saved the content package (desktop client, config file, and installer script)
    - For installation program specify powershell.exe -ExecutionPolicy Bypass -File "installer.ps1"
    - For Uninstall program specify MsiExec.exe /x{71216D26-573B-402B-A3F5-A7CB9F950CFF} /qn
  • On the next section click Add Clause to specify the detection method for client installation
  • Choose the following values:
    - Registry for Setting Type
    - Specify the following key SOFTWARE\Idemeum Inc\Idemeum Desktop Client
    - Choose value InstallationState, and Data Type String
    - Now you can choose the option This registry setting must satisfy the following rule to indicate presence of this application and choose operator Equals and value of 1.
  • For the user experience choose Install for system, Whether or not a user is logged on, and set the installation time to 15 minutes
  • When you click next you can leave Installation requirements as default
  • Leave Dependencies as default
  • And then you can close the Deployment Type Wizard once the configuration is successful
  • Move to the next summary section, and click Next to complete application creation

Now we will need to specify some additional settings for deployment

  • Right click on your newly created application and choose Properties
  • Navigate to Deployment types, select your deployment type, and click Edit
  • In the Content section choose Download content from distribution point and run locally
  • Click Apply and Ok to save changes for deployment type

Distribute content in SCCM

Now you can distribute content in SCCM to make sure it is available in your distribution point.

  • Right click on your newly created application and click Distribute content
  • Complete the wizard by choosing your boundary group or distribution point

Deploy application in SCCM

Now we can deploy the application to target workstations or collections.

  • Right click on your newly created application and choose Deploy
  • Choose a collection of devices you would want to deploy the application to
  • Make sure you have your distribution points selected
  • For Action choose Install, and for Purpose choose Required to make sure application silently installs on workstations
  • Choose deployment schedule or leave defaults to deploy as soon as possible
  • You can leave all next sections with defaults. Click through the wizard to complete application deployment
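
To confirm on a workstation that the detection clause configured earlier will match, the same registry rule can be evaluated locally. This is an added example, not part of the idemeum guide or installer; it assumes the key lives under HKEY_LOCAL_MACHINE (the guide does not name the hive), and the function name is hypothetical.

```powershell
# Added example: evaluate the SCCM registry detection rule on a workstation.
# Assumption: the key is under HKEY_LOCAL_MACHINE; the guide does not name the hive.
function Get-IdemeumDetectionState {
    $subKey = 'SOFTWARE\Idemeum Inc\Idemeum Desktop Client'
    $views  = @([Microsoft.Win32.RegistryView]::Registry64,
                [Microsoft.Win32.RegistryView]::Registry32)
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key   = $base.OpenSubKey($subKey)   # read-only; $null when the key is absent
            $value = $null
            $kind  = $null
            if ($null -ne $key) {
                try {
                    $value = $key.GetValue('InstallationState')
                    if ($null -ne $value) { $kind = $key.GetValueKind('InstallationState') }
                } finally { $key.Dispose() }
            }
            [pscustomobject]@{
                View     = $view
                KeyFound = ($null -ne $key)
                Value    = $value
                Kind     = $kind
                # Same rule as the detection clause: String value equal to 1
                Detected = ($kind -eq [Microsoft.Win32.RegistryValueKind]::String -and $value -eq '1')
            }
        } finally { $base.Dispose() }
    }
}

# One row per registry view; run in an elevated or SYSTEM context to match SCCM.
Get-IdemeumDetectionState | Format-Table -AutoSize
```

If Detected is true only in the Registry32 view, the detection clause has to be set to treat the key as belonging to a 32-bit application on 64-bit systems, otherwise SCCM will report the install as failed even though the client is present.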

Upgrade version install

This installation type is used for desktop client upgrades. Once the base version is installed, you can use the steps below for all subsequent upgrades.

Download latest .msi client

  • Navigate to idemeum documentation portal and download the latest idemeum desktop client.
You will need to use .msi file for upgrade version silent installation.

Create application in SCCM

We will now create an .msi application in SCCM that will be used to update idemeum desktop client on target Windows workstations.

  • Navigate to Software library -> Applications and then right-click in the empty space to create a new application. Click Create application.
  • Specify your path to .msi idemeum client that you downloaded in the previous step
  • Click Next. Specify any additional information about idemeum application.
  • Click Next and complete the wizard to create the application.

Distribute application content

  • Right-click on your newly created application and choose Distribute content
  • Click through the wizard, and make sure you choose proper distribution group or distribution point

Import task sequence into SCCM

In this step we will create a task sequence that will perform necessary steps on target Windows workstations to perform idemeum desktop client upgrade.

  • Download pre-configured task sequence below that you can import into your SCCM instance. Make sure you place the sequence file into your content share from which you can import it into SCCM.
  • Navigate to Software library -> Task sequences, right-click in the empty space and choose Import task sequence
  • Now specify the path to downloaded task sequence .zip file
  • Click Next and choose action to Create new task sequence
  • Click Next and navigate through the wizard to complete task sequence creation

Edit task sequence parameters

  • Right-click on newly imported task sequence and choose Edit
  • Click on Install application step, then choose Options and make sure you uncheck Disable this step checkbox
  • Then return to the Properties section, and click the Edit button
  • Choose .msi application that you created in the previous step and click OK
The following step is optional and only applies if you are using admin-managed password applications, meaning you are leveraging the desktop client to capture credentials and encrypt them with your own private key. For this to work, you will need to provide your key as a configuration parameter. If you are not using admin-managed applications, you can skip this step.
  • Navigate to Client properties update and click Edit script
  • In the script section enter your master key as below
"masterKey=<your key here>"

// for example, our key is entered like this
  • Click OK, then Apply and save your task sequence

Deploy task sequence to target machines

Now when everything is set up you can deploy task sequence to your target machines to upgrade idemeum desktop client.

  • Right-click on your created task sequence and choose Deploy
  • Choose your required collection of devices
  • For deployment settings choose Required as installation type
  • Choose your desired deployment schedule or deploy As soon as possible
  • Click through the settings to finalize the deployment. You can keep the selections as default or edit as necessary.