A few months back, I shared a guide on deploying the Cisco Umbrella Roaming client using Intune. Recently, Cisco announced the end-of-life schedule for the Umbrella Roaming Client, with April 2, 2025, marking the end of servicing and support (End-of-Life Announcement for the Cisco Umbrella Roaming Client). The Cisco Secure Client with the Umbrella module is the recommended replacement (How do I install Cisco Secure Client with the Umbrella Module? – Cisco Umbrella). This post will guide you through installing all three recommended application components as a single Win32 app. If you are still using the Cisco Umbrella Roaming client, it’s time to switch to the Secure Client with the Umbrella module. Additionally, as mentioned in the Cisco documentation above, the Secure Client will automatically identify if the Roaming Client is present, migrate those settings to the Secure Client Umbrella Module, and uninstall the Roaming Client. Thus, this guide applies both to fresh installations and to environments transitioning from the Roaming Client to the Secure Client.

Step 1 – Deploy the Umbrella Root Cert
Using Intune to deploy the Umbrella Root Certificate is a straightforward process. Besides Intune, I have also created a script here that can be pushed through an RMM for devices not under Intune management. This script checks if the root cert exists on the device; if it’s absent, it downloads and installs the cert in the appropriate store. To deploy via Intune, follow these steps:
- Download the Umbrella Root Cert from this link – https://d36u8deuxga9bo.cloudfront.net/certificates/Cisco_Umbrella_Root_CA.cer
- In Intune, go to Devices > Windows > Configuration Profiles. Create a new profile for Windows 10 and later, choosing the Trusted Certificate Template under profile type.

- Assign a name to the profile and, under configuration settings, select the certificate downloaded in step 1, designating Computer Certificate store – Root as the destination store.

- Add your assignments and finalize the profile creation. Once the profile is deployed, the Umbrella certificate will automatically be added to the local machine’s trusted store.

That’s it! Now that the root certificate is installed on our machines, we can proceed to install the Secure Client apps with the Umbrella Module.
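For devices outside Intune, the check-then-install logic described at the start of Step 1 can look like the following. This is an added example, not the author's script: the thumbprint is a placeholder to be replaced with a value verified out of band, and the pinning check is an addition that the original description does not mention.

```powershell
# Added example (not the author's script): install the Umbrella root CA only
# when it is absent AND the downloaded file matches a pinned thumbprint.
# Run elevated or as SYSTEM, since it writes to the LocalMachine store.
$CertUrl   = 'https://d36u8deuxga9bo.cloudfront.net/certificates/Cisco_Umbrella_Root_CA.cer'
$StorePath = 'Cert:\LocalMachine\Root'
# PLACEHOLDER: set to the thumbprint you verified out of band (hex, no spaces).
$ExpectedThumbprint = '<THUMBPRINT-VERIFIED-OUT-OF-BAND>'

$ErrorActionPreference = 'Stop'
$exitCode = 1
$tmp = Join-Path $env:TEMP 'Cisco_Umbrella_Root_CA.cer'

try {
    $present = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    if ($present) {
        Write-Output 'Umbrella root CA already in LocalMachine\Root.'
        $exitCode = 0
    }
    else {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Invoke-WebRequest -Uri $CertUrl -OutFile $tmp -UseBasicParsing

        # Parse the download and compare before anything touches the trust store.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tmp
        if ($cert.Thumbprint -eq $ExpectedThumbprint) {
            Import-Certificate -FilePath $tmp -CertStoreLocation $StorePath | Out-Null
            Write-Output "Installed: $($cert.Subject)"
            $exitCode = 0
        }
        else {
            Write-Output "Thumbprint mismatch ($($cert.Thumbprint)); certificate NOT installed."
        }
    }
}
catch {
    Write-Output "Failed: $($_.Exception.Message)"
}
finally {
    Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
}
exit $exitCode
```

A root CA added to the machine store is trusted for every TLS connection on the device, so a mismatch should stop the install rather than be logged and ignored.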
Step 2 – Install the Secure Client Apps
Cisco recommends deploying three essential applications for Umbrella functionality (Umbrella Module for Cisco Secure Client – Command Line installation and RMM reference – Cisco Umbrella):
- core-vpn-predeploy-k9.msi
- umbrella-predeploy-k9.msi
- dart-predeploy-k9.msi
In addition to these three MSI files, we need to copy the OrgInfo.json file to the %ProgramData%\Cisco\Cisco Secure Client\Umbrella directory. This JSON file holds the tenant information for Umbrella, enabling the client to properly report to its designated tenant. All necessary files can be downloaded from the Umbrella tenant. The installation and detection scripts for Intune can be found on GitHub:
The installation script will install all three MSI applications, copy the JSON file to the required directory, and restart the Umbrella service. The detection script ensures that both the Umbrella and VPN services are installed, and that the OrgInfo.json file is located in the %ProgramData%\Cisco\Cisco Secure Client\Umbrella directory.
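The detection logic described above can be written as an Intune custom detection script along these lines. This is an added example, not the script from the author's GitHub repository: the service names and the OrgInfo.json key names are assumptions and should be checked against an installed client and your tenant's file. The JSON content check goes beyond the file-presence check the post describes.

```powershell
# Added example (not the author's detection.ps1).
# ASSUMPTION: Windows service names used by Cisco Secure Client 5.x.
$RequiredServices = @('csc_vpnagent', 'csc_umbrellaagent')
$OrgInfoPath = Join-Path $env:ProgramData 'Cisco\Cisco Secure Client\Umbrella\OrgInfo.json'
# ASSUMPTION: keys expected in the tenant's OrgInfo.json.
$RequiredKeys = @('organizationId', 'fingerprint', 'userId')

$problems = @()

# Both services must be registered on the device.
foreach ($name in $RequiredServices) {
    if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
        $problems += "service '$name' not installed"
    }
}

# The tenant file must exist, parse as JSON, and carry non-empty values.
if (-not (Test-Path -LiteralPath $OrgInfoPath -PathType Leaf)) {
    $problems += 'OrgInfo.json missing'
}
else {
    try {
        $org = Get-Content -LiteralPath $OrgInfoPath -Raw -ErrorAction Stop | ConvertFrom-Json
        foreach ($key in $RequiredKeys) {
            if ([string]::IsNullOrWhiteSpace([string]$org.$key)) {
                $problems += "OrgInfo.json has no value for '$key'"
            }
        }
    }
    catch {
        $problems += 'OrgInfo.json unreadable or not valid JSON'
    }
}

# Intune treats the app as detected only when the script exits 0 AND
# writes a string to STDOUT; a non-zero exit code means "not detected".
if ($problems.Count -eq 0) {
    Write-Output 'Cisco Secure Client with Umbrella module detected'
    exit 0
}
exit 1
```

Checking the file's contents as well as its presence catches a device that received an empty or truncated OrgInfo.json and would otherwise be reported as installed while never registering with the tenant.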
- First, we need to prepare the Intune package. Prior to building the installer, check that the MSI file names are properly reflected in the install.ps1 script. Open the install.ps1 script and modify the file names to match those of the downloaded MSI installers for coreVPN, Umbrella, and dart. Refer to the screenshot below for correct naming. Make any necessary changes and save the file.

- Place the install.ps1 script, the three MSI installers, and the OrgInfo.json file into a folder containing no other files. Open the Win32 Content Prep tool (if you don’t have it, download here). Specify the directory where your files are located. Choose install.ps1 as the setup file and designate an output file for the package (in this example, we’re using the same directory). When prompted about specifying a catalog, answer N. After a few moments, an “install.intunewin” file will be generated in the output directory.

- Log into Intune (https://intune.microsoft.com). Go to Apps > Windows and click the +Add button at the top to create a new app. Select the Windows app Win32 option.

- You’ll need to select an app package file. Click the link and choose the install.intunewin file we created in the previous step. Fill out the required fields for Name, Description, and Publisher. Click Next to continue.

- For the program configuration, select the settings shown in the screenshot. You can copy the install command from the string below. Click Next to proceed when done.
  Powershell.exe -executionpolicy bypass .\install.ps1

- Under requirements, specify 64-bit architecture, and set a Minimum version of Windows 10. Click Next to proceed.

- To set up the detection rule, choose to use a custom detection script. Browse for the detection.ps1 file downloaded earlier (which is also available here). Refer to the screenshot for guidance.

- Proceed through the remaining sections until you reach assignments. When you get to the assignments section, assign it to your desired group, which usually encompasses all devices. If these are going to existing devices, you might want to suppress user notifications by selecting “Hide all toast notifications.” Finally, click Save to finalize the app setup.

- After an hour or so, you should begin seeing successful installations, and those devices should properly check in with your Umbrella tenant.
