If something great ends, something greater begins

October 28, 2016 at 11:31 am in Uncategorized by nsienaert


Hi All,

This will be my last blog for the System Center User Group. Why?

Well it’s time for the next step in my career.

Since the beginning of my career, back in 2001, I started to work closely with Microsoft technology. During these years I have done different Microsoft-related jobs like Consultant, Architect, Business Development, Partner Manager,… This was a great period where I have learned a lot and I got really passionated about Microsoft technology.

I’ve got the opportunity to attend and speak on inter(national) Community events like MMS, TechEd, TechDays, SCU Europe, Expertslive, SCUG… and of course the dozens of events organized by Microsoft.

5 years ago I was rewarded as MVP Enterprise Mobility as the category is named today. I don’t have to tell you what a great honor and privilege that was.

But sometimes even more unique opportunities are passing by… and that is what is happening now.

As from now I will start to work for Microsoft Belgium as a Solution Sales Specialist Enterprise Mobility. I will be driving the Enterprise Mobility + Security business on the BeLux market.

Probably a lot of you I will meet again and of course I will stay active on the different social media informing you about the EMS ecosystem.

Take care and all the best!

Nico Sienaert

Azure AD Join: End-to-end User Experience

December 23, 2015 at 10:48 am in Uncategorized by nsienaert


Hi All,

Months ago I wrote a blog about Azure AD Join.

Let’s have a look what the user experience is.

I have a lot of questions why a company should do Azure AD Join. Azure AD Join is typically a solution in CYOD or road warrior scenarios where you want to give your users the best experience.

If you talk about Azure AD Join it’s all about Single Sign-On, let’s have a look.

The user logs in with his AD Password into the machine. As from then he has SSO to its resources that are powerd by Azure AD.

User logs in with his AD Password


The machine is still a WORKGROUP machine


User goes to “myapps.microsoft.com” without entering any password and can hit the titles to open the app of his choice, again without entering any password.


When opening the Store SSO kicks in again, his Company tab is visible and the user can see which Apps are available to him for installation.


Thanks to Azure AD Join the machine is automatically enrolled into Intune, so the machine is managed as a Mobile Device.


As this is a Hybrid Environment the PC is appearing into Configuration Manager.

OMA-DM is your key to do advanced MDM in case you cannot find specific settings in the UI. I think about Patch Management for instance through MDM Channel.

This was a big challenge for Windows 8.1 non-domain joined tablets for instance.

More info about OMA-DM in Windows 10 you can find here:



Other more general MDM Policies are coming in as well, for instance to set a PIN. (Multi-Factor Auth)


Azure AD Join is a solution for people that don’t get often in the office. These kind of users have typically issues regarding user experience and the administrator has challenges to manage these devices. With Azure AD Join and Intune you have an answer for these challanges.

Till next time!


Configuration Manager: Windows-as-a-Service, some stuff explained

December 10, 2015 at 6:04 pm in Uncategorized by nsienaert


Hi All,

Huge milestones are reached regarding Windows 10 and the new version of Configuration Manager.

CM will be THE tool to make sure you can adopt Windows-as-a-service. I receive quite some questions about this new technology and terminology.
So let’s explain some topics.


On the Net you can find already good explanations about the new Deployment Rings so I’m not gonna repeat that. But let me try to summarize them in two sentences each.

Current Branch (CB): 3-4 monthly Windows upgrade deployed to the Consumer landscape. To win some test time it’s advisable that you deploy this ring within your environment, considering it as pre-pilot.

Current Branch for Business (CBB): Typically 3-4 months released after CB, it’s CB made ready for the enterprise. You are allowed to skip one upgrade, if you skip more you will lose support. Taking into account CB test time you have 12 months to upgrade your CBBs.

Long Term Servicing Branch (LTSB): This is the ring you want for systems that you don’t want to upgrade on a cadence as described earlier. Typically Microsoft will release each 2-3 years an LTSB build which offers you 10 year support ( 5 mainstream + 5 extended support)

Moving between branches

You can in-place upgrade LTSB builds to CB or CBB using an upgrade Task Sequence.

If you are on CB\CBB and you want to go to LTSB, you need re-install the machine using typical Bare Metal \ Refresh Task Sequence scenarios.

Updates or Upgrades

This is important to understand well as this might be confusing.

Talking about Updates, we still talk about Security Updates that you deploy through WSUS, as you know if for years.

Upgrades are the 3-4 monthly upgrades that become available to upgrade Windows 10.

These are located in CM under the new Windows 10 Servicing node, notice that they still call it here Windows 10 Updates which can be confusing.

Microsoft has some reasons for that. To reduce confusion though MSFT created a new “Servicing node” and didn’t add these Servicing \ Upgrade under the “Software Updates” node.

In the right pane you can definitely see we are talking about upgrades.


Servicing Plans

Servicing Plans are actually Automatic Deployment Rules (ADRs) that we know from WSUS. Here you determine how your deployment rings will be deployed automatically to your devices. Typically, you will have several Servicing Plans within your environment.

The current situation of your Windows 10 landscape you can monitor through the Deployment Rings.

Important note #1:

Release Ready = Current Branch

Business Ready = Current Branch for Business



Important note #2:

If you want to skip an upgrade you have to set a GPO to Defer Upgrades for a certain period of time. In the future it will be possible to defer this out of the CM console.



Important note #3:

The info of the deployment rings is based on the Hardware Inventory, the Product Group will continue to invest into the visuals around your Windows 10 landscape. (remember CM has also a Servicing mechanism in-place to have these improvements much faster in the near future) In meantime it might be interesting that you also have some custom queries next the deployment rings to give you more insights.

OSBranch and Build are probably interesting properties you want to query. Currently these are not visible yet in the interface, so you cannot create an extra column in your viewing pane yet.


0 = CB, 1 = CBB, 2 = LTSB


e.g. “10.0.10240” or “10.0.10586”


select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.Client, SMS_R_System.OSBranch, SMS_G_System_OPERATING_SYSTEM.BuildNumber, SMS_G_System_OPERATING_SYSTEM.Version,from  SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_R_System.OperatingSystemNameandVersion like "%workstation%" and SMS_R_System.OperatingSystemNameandVersion like "%10%"



Task Sequences or Windows Servicing

Task Sequences are your preferred choice if you want to in-place upgrade existing Windows 7 and above machines to Windows 10.

You will continue to use Task Sequences for your typical Bare Metal, Refresh and Replace scenarios. Important change here is that you need to adapt your image process by replacing a new Windows 10 CBB Build so your new installed machines are at least on the latest ring.

Windows Servicing will be the engine (powered by WSUS) to keep your existing Windows 10 machines up-to-date.

The User Experience

The actual User Experience is more in the hands of the Windows team. Huge investments are done and will be done in the future to make sure that there will be less user impact. Today and also for the upcoming rings the User impact will be still there which means you need to plan your upgrades well by working for instance with Maintenance Windows. So yes, currently users will not able to work during the installation of the first rings that are planned and one or two reboots will be required. In the future it will be hopefully possible to upgrade the systems while users can continue to work and without reboots.

Windows Update for Business (WuFB)

WuFB is a SaaS solution that Microsoft offers for free. It’s leveraging Windows Update to upgrade your CBB systems automatically out of the cloud.

WuFB can aslo be used for your traditional deployment of updates.

You will have some configuration options like “Defer Upgrades”, “Pause upgrades”,… through GPOs and Windows 10 has some built-in peer-to-peer capabilities to make sure your systems are getting their upgrade packages on an economical way. This can also be fine-tuned through GPOs.


How does this cope with CM?

The integration with CM will be improved in the future but it’s clear that you can have both next to each other.

You might want to enable WuFB on satellite branches where CM has difficulties to reach because of lack of local DPs for instance.

Or their might be customers that prefer a lightweight mechanism for these upgrades.

I expect WuFB will be more used by customer that don’t have CM and want to keep their Windows 10 devices up-to-date.

Decent compliancy reporting is something that is not yet added to WuFB but that will be added in the future.

Hope that this was useful!


Till next time! (@nsienaert)

MVP Enterprise Mobility – Hackathon

November 9, 2015 at 3:31 pm in Uncategorized by nsienaert


Hi All,

Just back from the MVP Summit.

This was a blast for sure and unfortuantely not much to share because of the NDA rules.

But something I can talk about was the Hackathon we have did.

This was the first time the Hackathon got organized for us Enterprise Mobility MVPs and this was REALLY cool.

So what is this all about?

We could submit upfront some ideas and features that we wanted to see in Configuration Manager.

The Product Group shortlisted a couple of them and assigned some DEV people to each feature request.

We as MVPs could join a group and play to Product Manager during the week to discuss with the DEV people how these features should look like in detail.

This was such a great experience to understand how PMs and DEVs collaborate and how ideas get translated in real features!

At the end of the week, we had to present the first piece of the code and demonstrate the features.

List of Hackathon ideas:

Active Client Info

– Realtime Online \ Offline client activity

– Get insights to which MP \ SUP \ DP a client is connected

– Right mouse click capabilities using the fast Notificiation Channel


Custom Wizards

– Wouldn’t it be great to customize wizards, create a kind of wizard templates?

custom wizard

Server & Client Patching

– Find a way to exclude an update directly from the console

– Remove an update from the Deployment Groups, so the update will be removed automatically

exclude update

Alternate UPN

-Using an Alternate UPN for Intune is highly demanded, so let’s do this!

Better Intune troubleshooting

-Get better in-console troubleshooting logging regarding the Intune Connector and configuration

intune troubleshooting

Compliancy Management and Powershell

-create CMDLets that enable the definition of settings and rules

Online Admin User communication

– real-time, customizable, not-ignorable,… admin-user communication

custom notification

Support of Azure Remote App

-Create a deployment type for Azure Remote App


Nested Task Sequences

– One Instance the TS Engine can process different Task Sequences

nested ts


And the winners are!

1. Active Client info (very coincidently I was part of this :-) together with Garth Jones and Panu Saukko)

2. Online Admin User Communication

3. Support of Azure Remote App


Just to make sure, this does not mean that all these feature will appear in future releases. I was just a nice exercise on how new stuff can be developed.

It might be that some features appear in next releases, it might be that you see none of them.

Can you influence if you want them in the product? Yes you can,go to UserVoice and vote them up!


Hope you like it!

Till next time!

Configuration Manager \ Intune: “Could not enable extension”

September 25, 2015 at 1:52 pm in Uncategorized by nsienaert


Hi All,

As most of you have probably seen there is a new Extension available to offer iOS 9 support in ConfigMgr.


I noticed that I had some problems to enable this extension in one of my test environments.


Typical troubleshooting files regarding Extensions did not show much:

AdminUI.ExtensionInstaller.log: doesn’t say anything

FeatureExtensionInstaller.log: does not exist yet

SmsAdminUI.log: doesn’t say anything

When looking into the database about some details of the extensions thru this query:

select L.Name, F.FeatureID, F.StateID,S.FeatureStateName,F.Flag, F.Error from MDMCFDFeature F join CFDLocalizedMetaData L on F.FeatureID=L.FeatureID join CFDFeatureState S on F.StateID=S.FeatureStateID where L.LocaleID=1033

I noticed the following:


When clicking on the URL I saw that I was missing the latest CU in this environment… DEUH


So if you see a similar issue with Extensions make sure your environment is up-to-date.

Till next time!


Microsoft Intune: Wrapping Android Applications

July 24, 2015 at 3:27 pm in Uncategorized by nsienaert


Hi All,

In May Microsoft released the App Wrapping tool for Android ( https://www.microsoft.com/en-us/download/details.aspx?id=47267 ) which is another great milestone in the MAM capabilities of Microsoft Intune.

I saw already some blogs where the blogger just executes the Powershell Wrapper script to create a new wrapped APK file. So far so good but that’s not enough that will never work… you know why?

Android wrapped Apps need to be signed and that’s a requirement of Android.

If we talk about signing we need a private key that needs to be created. You can do this by executing the following keytool command, which is part of your Java Installer:

keytool -genkey -v -keystore my-release-key.keystore
-alias alias_name -keyalg RSA -keysize 2048 -validity 10000

More info can be found here: http://developer.android.com/tools/publishing/app-signing.html#signing-manually

Once you have generated the private key, it’s time to use the App Wrapper with the following command line:

PS C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool> invoke-appwrappingtool -inputpath <path>\Notepad.apk -outputpath <path>\notepad_wrappedv2.apk -keystorepath "C:\Program Files (x86)\Java\jre1.8.0_45\bin\<keystorename>.keystore" -keyalias <aliasname> –SigAlg SHA1withRSA

If you execute this you will be prompted for the KeyStorePassword and KeyPassword which you have generated during the procedure to create your private key.

If everything goes well you will see after a while (depending on the size of your app) that your app is wrapped successfully.


So now we have a wrapped APK file that we can distribute with Configuration Mananger (CM) or Intune. In this example I use the Hybrid.

You link a MAM policy to your deployment:


You install the App form the SSP and voilà:


Attentive people noticed probably a “strange” switch in the command line: –SigAlg SHA1withRSA

You need this switch if you wrap applications on Android versions earlier than 4.3 Jelly Bean as they do not support apps signed by SHA256 and the App Wrapper is attempting to use the keystore’s default signing which is “SHA256withRSA”.

If you use the parameter “–SigAlg SHA1withRSA” you will be unblocked.


Hope you liked it!

Till next time

Nico Sienaert (@nsienaert)

Azure AD Connection Health: Internal Server error 500

July 8, 2015 at 12:49 pm in Uncategorized by nsienaert


Hi All,

Very recenlty the Product Team announced that the new Azure AD Connection Health is GA.

In a mobility world AD FS plays a very important role regarding Identity and Single SignOn. Thanks to this new Azure AD Premium service you can keep control of your cloud and on-premise identity infrastructure.

The issue:

When installing the agent I saw the following error:


After investigating the install logs I found this self-explaining error: :-)

Looking into the install log file it’s an error 500, meaning that the server could be reached but is sending back an internal error :

System.Net.WebException: The remote server returned an error: (500) Internal Server Error.

   at System.Net.HttpWebRequest.GetResponse()

   at Microsoft.Identity.Health.Common.RestRequest.SendJsonData(HttpMethod httpMethod, String uri, String accessToken, Object content, X509Certificate2 clientCertificate)

   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.RegisterServiceIfNotExist(String serviceTypeName, String serviceSignature)

   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.RegisterADHealthAgent.ProcessRecord()

The solution:

After some trial and error the problem was the following.

As the agent is leveraging the Azure service you need to sign in into Azure service.

I used a Global Admin tenant account with @outlook.com. Despite of the fact the login was succesful I received the above error.

When logging in with a Global Admin account with domain suffix the installation finished successfully.




After some contact with the Product Team it appears indeed that @outlook.com, @hotmail.com,… are not supported. You need to authenticate with a domain account.

They promised to workout a more clear error description in the future.

In meantime you know what to do! :-)

Till next time,

Nico Sienaert (@nsienaert)

Application Black\White Listing with ConfigMgr

July 2, 2015 at 7:16 am in Uncategorized by nsienaert


Hi All,

Since the release of the latest Configuration Manager Service Pack (CM12SP2 or CM12R2SP1) it’s possible to black and white list applications (aka Compliant and non-Compliant applications) on Windows Phone by creating Compliancy Rules through Configuration items.

Before you could already do something similar through OMA-DM but now you have a nice interface within the Configuration Manager Console without the need of looking up and modifying XML code. But that is still supported of course. You can find more info in one of my earlier blogs.

In this blog I’m not gonna go in detail on how you create such application lists other people did that already for you but I will focus more on how they actually work.

My attention was caught since I saw following errors in the Configuration Manager console when deploying such Applications lists.


An important word in the previous sentence is “Lists”. It’s of course supported to create several Lists but it’s not supported to deploy more than one List to a device or user. That can result in such conflicts.

If you send two Lists to a device, the first one that arrives will apply but as soon the second comes into the picture you will see a conflict error as above.

So the best practice if you want to allow (deny) Applications create one list and add software titles to that list or remove titles from the list.


Some detailed behaviour:

1) Application Black List 1 applied –> Apps disabled

2) Application Black List 2 applied –> Apps of list 1 stay disabled but a conflict error appears

3) Remove Deployment Application Black List 1 –> Apps of list 1 become “allowed” again and Apps of list 2 are now “Denied”.

4) Add a new title to Application Black List 2 –> New title will be disabled, all other Apps stay disabled.


But what if you want to Allow certain Applications and Block certain Applications on a device? Can you send two lists to a device in that case? The answer is NO.

The reason behind that is the fact that White lists are more restrictive than black lists. If one device has a white list, all apps outside of that list are blocked. So the Black list becomes redundant.

That’s also the reason why you have a Radio Button choice and not Check Boxes for instance:


To conclude, for Android and iOS you have a similar configuration. The main difference is that today this is only a reporting feature. So the non-compliant apps will not be blocked on the device itself but you will have reporting information.


Hope you liked it! Till next time!

Nico Sienaert (@nsienaert)

Intune Service Notifications

July 1, 2015 at 10:27 pm in Uncategorized by nsienaert


Hi All,

Wouldn’t it be great if you stay up-to-date about the latest Intune Service Notifications directly in the console without “RSS Feeding” you favorite blogs to stay informed about the latest and the greatest? Well, you can!

The configuration described below works for both standalone and hybrid setups.

For Hybrid setups, it’s today not possible to port these Notifications into the Configuration Manager console so you have to go the Intune Cloud console to see the list of Notifications or read the notification mails of course.

So yes, today this goes a bit against the Single-Pane-of-Glass approach but that’s what it is today.

Let’s go through the necessary steps:

Open the Intune console and go to the Admin Section and select “Recipients”.
Add the mail addresses of your choice that should receive NEW alerts.


Then go to the “Notification Rules” under the Admin Section and create a new Rule.

Important is that you select “Notices”.


Select all Device Groups


Select the recipients that should receive the notifications through mail


That’s it! Now you have to wait till you receive NEW notifications.

If you want to consult older notifications go to the Alerts Section and select the name of your Notice Notification rule.


Teaser: One important notification that is coming up, is the official announcement as from when iOS 7.1 will be required for running the Company Portal for all users (i.e. if you’re running an older version, it will prevent you from using the Company Portal until you upgrade to iOS 7.1+)

Till next time!

Nico Sienaert (@nsienaert)

Azure RMS Client acting strange…?

May 26, 2015 at 6:59 pm in Uncategorized by nsienaert


Hi All,

I had a customer who was complaining about his Azure RMS client was not able anymore to share documents outside the company.

Also the Azure RMS client itself did not show the expected interface as some check boxes were missing.

Issue #1

Warning, that no documents can be shared outside the company. This message appears each time entering a UPN other than the one of the company.


Issue #2

Normally you are supposed to see 3 check boxes instead of only one.


So what is going on?

After some investigation it appeared that someone brought online the old AD RMS.

As you might know coexistance of Azure RMS and AD RMS are not supported.


This sounds logic as otherwise the Azure RMS client is getting confused not knowing which templates (Azure or non-Azure) it needs to choose.

Knowing this it explains the first issue.

The second issue was also related to the AD RMS. It’s interesting to see how the Azure RMS client adapts the interface as soon an OnPrem AD RMS is discovered. These two checkboxes are missing:

– “Email me when someone tries to open these documents”

– “Allow me to instantly revoke access to these documents”

Again logic as these features are not working with AD RMS OnPrem.

So if you see this behaviour… red alert! You have AD RMS around! :-)

Till next time.

Nico Sienaert

MVP Small