[ZT] WARP SCCM (cloudflare#22518)

ranbel · sdnts · commit c1b2c28434aa · 2025-07-24T16:06:02.000-04:00
* sccm

* feature description

* Update src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx
@@ -376,3 +376,97 @@ To turn on local network access in the WARP client:
 When `Enabled`, the operating system will register WARP's [local interface IP](#override-local-interface-ip) (CGNAT IP or `172.16.0.2`) with your on-premise DNS server when the DNS server is reachable.
 
 If you use on-premise DNS infrastructure (such as Active Directory), we recommend turning this setting on for remote [device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) and turning it off for [managed network](/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks/) device profiles. In this configuration, remote devices will register their WARP interface IP, while on-premise devices will only register their local DHCP address. This allows the on-premise DNS server to resolve device hostnames no matter where the device is located.
+
+### SCCM VPN boundary support <Badge text="Beta" variant="caution"/>
+
+<Details header="Feature availability">
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| <ul><li> Gateway with WARP</li><li> Secure Web Gateway without DNS filtering </li></ul>   | All plans                                                     |
+
+| System   | Availability | Minimum WARP version |
+| -------- | ------------ | -------------------- |
+| Windows  | ✅           |  2025.5.735.1        |
+| macOS    | ❌           |                      |
+| Linux    | ❌           |                      |
+| iOS      | ❌           |                      |
+| Android  | ❌           |                      |
+| ChromeOS | ❌           |                      |
+
+</Details>
+
+Microsoft's [System Center Configuration Manager](https://learn.microsoft.com/en-us/intune/configmgr/) (SCCM) is used to manage software on Windows devices based on the [boundary group](https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups), or network location, to which they belong. You can assign WARP clients to a SCCM boundary group based on their [managed network](/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks/) and other device profile attributes. When **SCCM VPN Boundary Support** is turned on, the WARP client will modify the description field on its [virtual network interface](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/warp-architecture/#ip-traffic). This allows you to define a VPN boundary group that matches on the network interface description.
+
+**Value:**
+
+- `Disabled`: (default) WARP network interface description is `Cloudflare WARP Interface Tunnel`.
+
+- `Enabled`: WARP network interface description is `(SCCM) Cloudflare WARP Interface Tunnel` for devices which have the [SCCM client](https://learn.microsoft.com/en-us/intune/configmgr/core/clients/deploy/deploy-clients-to-windows-computers) installed. Devices without the SCCM client will still use the default `Cloudflare WARP Interface Tunnel` description. WARP checks if the SCCM client is installed by looking for the SMS Agent Host (`ccmexec.exe`) Windows service.
+
+After setting the network interface description, WARP will restart the SMS Agent Host (`ccmexec.exe`) so that changes can propagate to the SCCM server in a timely manner.
+
+#### Example SCCM configuration
+
+Assume you want to push software updates from a cloud based [distribution point](https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/configure/boundary-groups-distribution-points) if the device is remote, but use on-prem servers if the device is on the office network. To set up these boundary groups:
+
+1. In Zero Trust:
+
+		a. Turn on **SCCM VPN Boundary Support** for remote [device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/).
+
+		b. Turn off **SCCM VPN Boundary Support** for [on-prem device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/managed-networks/#4-configure-device-profile).
+
+		c. (Optional) Verify device settings:
+
+	<Details header="Verify SCCM VPN Boundary Support">
+
+	To check if **SCCM VPN Boundary Support** is active on a device, run the following command:
+
+	```cmd
+	warp-cli settings | findstr "SCCM VPN Boundary"
+	```
+
+	```cmd output
+	(network policy) SCCM VPN Boundary Support: true
+	```
+
+	You can also verify network interface details for the `CloudflareWARP` adapter:
+
+	```cmd
+	ipconfig /all
+	```
+
+	```cmd output {8}
+	Windows IP Configuration
+
+	...
+
+	Unknown adapter CloudflareWARP:
+
+		Connection-specific DNS Suffix  . :
+		Description . . . . . . . . . . . : (SCCM) Cloudflare WARP Interface Tunnel
+		Physical Address. . . . . . . . . :
+		DHCP Enabled. . . . . . . . . . . : No
+		Autoconfiguration Enabled . . . . : Yes
+		IPv6 Address. . . . . . . . . . . : 2606:4700:110:8f79:145:f180:fc4:8106(Preferred)
+		Link-local IPv6 Address . . . . . : fe80::83b:d647:4bed:d388%49(Preferred)
+		IPv4 Address. . . . . . . . . . . : 172.16.0.2(Preferred)
+		Subnet Mask . . . . . . . . . . . : 255.255.255.255
+		Default Gateway . . . . . . . . . :
+		DNS Servers . . . . . . . . . . . : 127.0.2.2
+																				127.0.2.3
+		NetBIOS over Tcpip. . . . . . . . : Enabled
+	```
+
+	</Details>
+
+2. In Microsoft SCCM:
+
+		a. [Create a boundary](https://learn.microsoft.com/en-us/intune/configmgr/core/servers/deploy/configure/boundaries#create-a-boundary) with the following settings:
+			- **Description**: `Remote WARP clients`
+			- **Type**: _VPN_
+			- **Connection description**: `(SCCM) Cloudflare WARP Interface Tunnel`
+
+  	b. Assign this boundary to one or more boundary groups.
+
+When the device is remote, the WARP interface description changes to `(SCCM) Cloudflare WARP Interface Tunnel` and the SCCM server will determine that the device belongs to the VPN boundary group. The device can now download updates from the distribution point assigned to this boundary group. When a network change occurs and WARP detects a managed network, it will revert the interface description to `Cloudflare WARP Interface Tunnel` and the boundary condition will no longer be satisfied. The device will match your local IP range and be considered as on-prem.
