MDM with Configuration Manager \ Windows Intune: Troubleshooting

April 16, 2014 at 7:29 am in Uncategorized by nsienaert

Hi All,

This blog will explain you some tips and tricks to troubleshoot your MDM capability with ConfigMgr\Intune.

Configuration Manager has a few logs for you available once you have installed the Windows Intune Subscription and the Intune Connector server role.

Let’s have a look.

The Intune Connector establishes the connection between ConfigMgr and Intune related to that 2 log files (dmpuploader and dmpdownloader) might be useful.

dmpuploader.log

This uploads changes from the On-Prem DB to Intune, for instance a new application which looks like this:

Capture

Errors that I have seen:

ERROR 1: LSU cannot be reached… There was no endpoint listening

ROOT CAUSE: Network Connectivity, Proxy issues,…

ERROR 2: LSU cannot be reached…The HTTP was forbidden with Client Authentication

ROOT CAUSE: The certificate that the connector is using to talk to Intune is invalid

ERROR 3: GetMessages CommunicationException (the HTTP service located at https://…)

ROOT CAUSE: most probably there is an issue in the MSFT datacenter

dmpdownloader.log

Downloader retrieves registration, inventory, status messages from devices send to Intune and forwards them to the corresponding on premise components

Cloudusersync.log

Here you can see if the users that are allowed to enroll devices (part of the Collection that you have configured during the Intune Subscription) are synced correctly into Intune.

Here is how a normal message looks like once you have added a new user to the Collection.

Capture

It might happen that users are failed, mostly this is because the user not exists in Intune because of the DirSync has not happend yet.

This should solve itself automatically as DirSync is scheduled (default each 3 hours) and CloudUserSync will sync each 5 minutes.

Capture2

Another way to troubleshoot issues with users, is checking the CM database directly. More in particular the CloudUserID column of the USER_DISC table.

Capture

NULL: User is not licensed to enroll a device

GUID: User is licensed to enroll device

If you have 000000000-0000-0000-0000-000000000000000 it means that the user previously was licensed but is not a member of device management collection anymore.

 

Outgoingcontentmanager.log

If you distribute an Application that you want to target to Mobile Devices you need to select the Cloud DP in ConfigMgr (manage.microsoft.com)

If you experience problems to distribute your content to the cloud Outgoingcontentmanager.log might be an interesting log to check.

In Distrmgr.log you can see that the distribution gets prepared. (DMP)

Capture

In Outgoingcontentmanager.log you can see the actual progress to the cloud.

Capture3 

That’s all for now. Till next time!

Nico Sienaert (@nsienaert)

8637_Microsoft_MVP_logo imagesCAIOYXPP

Windows Intune and Windows Azure Multi Factor Authentication

February 20, 2014 at 10:06 am in Uncategorized by nsienaert

 

Hi All,

Microsoft acquired Phone Factor and added this service into Windows Azure.

This is a great feature to activate MFA on a quick and easy way. Mostly MFA is linked to certificates, smart cards,… which are for some companies a challenge to roll out. Well Windows Azure MFA can be an opportunity to accelerate MFA within these kind of environments.

Let’s have a high-level look on how this needs to be configured and how it can leverage Mobile Device Management.

First you need to create a Directory into Windows Azure and make sure it’s synced with your Windows Intune Tenant so these users are known in Azure.

capture

Configure a MFA provider

capture1.5

Enable the users that you need to have MFA enabled.

capture2

And actually…. that’s all!

Go now to your device that you want to enroll in Windows Intune. In this case it’s a Windows RT.

Once I have typed my Intune password, you will notice that I will receive a phone call. Azure MFA is calling me (=2nd authentication method)

I need to hit the pound button for authentication.

capture4

Once I have done that my devices will be enrolled in Intune.

Interesting to see \ hear was that the call was in Dutch. The system is intelligent enough based on your IE settings in which language you need to be called.

Also note, that you can customize these message by uploading WAV files into Azure.

capture5

During the setup of the MFA provider I need to choose how I need to be billed. You have the choice between “per user” or “per authentication”.

When I check my bill I can see now an extra entry which specifies my MFA cost.

capture3

Till next time!

Nico Sienaert (@nsienaert)

imagesCA18FG24 imagesCAIOYXPP

Configuration Manager: Windows Intune Console Extensions in action

February 8, 2014 at 9:26 am in Uncategorized by nsienaert

 

Hi All,

Recently Brad Anderson announced some important changes in Windows Intune and Configuration Manager.

As a cloud service Intune is able to provide quickly new features without the need of upgrading your environment.

Typically each 6 months Intune released some updates and new features. To even accelerate this pace the Product Team introduced Windows Intune Console Exentsions in Configuration Manager 2012 R2. Well this week the first Console Extensions arrived.

Let’s elaborate on the look and feel:

If you open your console you will see a message that new Console Extensions are available for you.

Capture

Now you can decide to enable them, also a short description is provided.

capture2

You accept the UELA

capture3

Close now your console and open the console again with “Run as Administrator”

ConfigMgr will inform you now that it will download the extensions that you have enabled.

capture4

A download progress bar is showed.

Capture5

Once the download is finished, the console will open and you can start to discover the new add-ins.

Ex.: Email Profiles

Capture6

Ex.: New iOS Settings

Capture7

This is such a great improvement to have quickly all these new and future settings available!

Happy Mobile Device Management!

Till next time!

Nico Sienaert

8637_Microsoft_MVP_logo imagesCAIOYXPP

System Center Configuration Manager Company Portal App

October 29, 2013 at 8:03 pm in Uncategorized by nsienaert

 

Hi All,

Recently Microsoft released a new Self-Service Portal for Windows 8 devices.

This new SSP App is the equivalent of the web-based Company Portal that was introduced with ConfigMgr 2012.

The biggest difference is that this new portal is a created to embrace touch.

Note that this is only supported with ConfigMgr 2012 R2 and on Windows 8 client devices.

The APPX file can be downloaded here.

If you read the instructions on the page you will notice that following Registry key is required on each client PC.
You can deploy this key for instance with GPO Preferences.

Key = [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\CCM]

Value Name = PortalPackageFamily

Type = REG_SZ

Value = Microsoft.CorporateAppCenter_8wekyb3d8bbwe

Typically with Windows 8 side-loading you need to make sure of course that the AllowAllTrusedApp reg key is existing as well. Also this can be pushed via GPOs.

Once the APPX is side-loaded to your client machines you will notice a new tile:

Portal 

It can take a few minutes before your portal is ready for first use.

This is how the portal looks like. Also notice the customizations like a Company Logo that can be added since the R2 release.

newportal

As matter of completeness, here you have once again the web-based Company Portal equivalent.

oldportal

Till next time!

imagesCA18FG24 imagesCAIOYXPP MVP Small meet_logo

Windows 8.1: A Closer Look

October 25, 2013 at 9:27 am in Uncategorized by nsienaert

 

Hi All,

A few weeks ago I have presented a TechNet Livemeeting about all the new features in Windows 8.1.

This webcast was a great success with + 150 attendees unfortunately there were some issues with the recording.

Therefore we have done a Take 2 and that one is now online!

Do you want to know:

– How you control the UX in an enterprise environment?

– What your options are to upgrade to Windows 8.1?

– What’s new about closing Applications?

– …

Do you want to see new-feature-demos like:

– Work Folders

– Workplace Join

-…

Long story short, a complete Windows 8.1 session. Enjoy!

 

Till next time!

 

Nico Sienaert

 

imagesCA18FG24 imagesCAIOYXPP 8637_Microsoft_MVP_logo meet_logo

Manage Work Folders with Configuration Manager 2012 R2

September 13, 2013 at 9:41 am in Uncategorized by nsienaert

 

Hi All,

 

You probably have seen already some information about Work Folders, one of the new BYOD features that are shipped with Windows Server 2012 R2.

So very short what are Work Folders? Work Folders is a new role for File Servers which offers you the possibility to sync your Business Folders along your different (personal) devices. So just to be clear, Work Folders is not a mechanism to share your data with colleagues, it’s a way to have your business data available on your different devices. (Windows 8.1, iOS, Android,…)

With Configuration Manager 2012 R2, which will be released soon, you will be able to control and configure these Work Folders.

Via Compliancy Settings you can push the configuration under the Mobile Devices Settings

capture1

You need to specify the URL to auto-discover Work Folders and decide if you want to enable auto-configuration.

By selecting this you prevent users not to use Work Folders and you avoid that they can manipulate the default local path which is %userprofile\Work Folders%

capture2 

Capture3

If you want to see Work Folders in action just register for the next TechNet LiveMeeting that I will present on What’s new in Windows 8.1.

Till next time!

8637_Microsoft_MVP_logo imagesCA18FG24 imagesCAIOYXPP meet_logo

Deleting Applications in ConfigMgr 2012 – a hard knock life

May 6, 2013 at 9:37 am in Uncategorized by nsienaert

 

Hi All,

If you have worked with the new App Model in ConfigMgr 2012 you might have noticed the following already.
It can be a pain to delete applications.

Long story short, you cannot delete any application as long that particular App has references to other Apps.

Capture

Typical a message you get when ConfigMgr is not able to delete an Application:

Capture2 

Sounds logic, but it might take some time before you figure out some stuff.

The required steps, that you need to take:

– Retire the App

– Delete involved Deployments

– Remove References to other Deployments

– Delete all its revisions

On top of this procedure (and you better respect the order) some tricky scenarios can pop-up.

The following I discovered recently:

IF you rename an application, the revision level of the application increases. If you try to delete later on an app that is depending on it, you will not see the new name of the app that you need to clean up the revision levels on, instead you will see the old name of the app. So pay some attention here.

The story becomes more complicated if there is also bug in the chain like with ConfigMgr SP1 CU1:

For instance,

If you create an App with 2 DT’s making DT1 depending on DT2.

Next you retire the App, Delete DT1 and delete all revisions besides the latest one

Reinstate the App and try to delete DT2, it will pop-up telling you that it refers to DT1 which does not exist anymore.
So currently there is no way to delete an Application in such scenario.

This is already reported so if you encounter this, please be patient.

Till next time!

Nico Sienaert

imagesCA18FG24 imagesCAIOYXPP

Windows RT in the Enterprise: Recording

March 26, 2013 at 1:02 pm in Uncategorized by nsienaert

 

Hi All,

During the last TechDays in Belgium I have presented a session around Windows RT and how you deal with these devices in an enterprise.

Here you can find the recording. When watching this video you will have a good idea about:

 

– Positioning of Windows RT between other Windows 8 tablets

– Technical specifics about Windows RT OS

– How do you manage these devices

– How you deploy Applications to these devices and how do you troubleshoot App Deployment

– a lot of tips, gotcha’s,…

 

After this session WIndows RT has no secrets anymore for you!

Don’t forget to watch the other great sessions as well!

http://technet.microsoft.com/en-US/video/ff832960?Category=TechDays%20Belgium%202013

 

Hope you like it!

 

imagesCA18FG24 imagesCAIOYXPP

TechDays 2013 Belgium: My personal top 5 session list

February 11, 2013 at 8:44 am in Uncategorized by nsienaert

 

techdays

Hi all,

5, 6 and 7 March another Techdays will be organized in Belgium, Antwerp.

If you ask me, each ambitious IT Pro \ Dev needs to attend this event. It’s an excellent opportunity to learn about the latest Microsoft technology, network with your peers, speakers, industry experts and MVPs. And last but not least having a good time of course!

To warm you up a bit up I have made a selection of my Top 5 “Must See” sessions. It was hard to make a selection, but hey, someone has to make it.

Windows Azure: where are we today?

Windows 8 Client Part 1 “The OS internals for IT-Pro’s”

Hyper-V Dynamic Memory in Depth

VDI in Windows Server 2012, with and without Citrix.

What’s new in Windows Server 2012 Active Directory?

Some members of our SCUG team will also host a session talking about System Center SP1.

What’s new and improved in Service Pack 1 for the System Center 2012 suite

I have the honor to host one of the closing session on Thursday evening. In this session I will talk about Windows RT

So if you haven’t done it yet, put your registration on number 1 of your TO DO list.

Register now! https://techdays.onetec.be/techdays/(S(r5ofsz45g2gcxq454qyq5amo))/en/registration.aspx

See you there!

imagesCA18FG24 imagesCAIOYXPP

Enroll and Deploy Apps to WP8 and Windows RT with ConfigMgr/Intune

January 31, 2013 at 3:31 pm in Uncategorized by nsienaert

 

 

Hi all,

In my previous blog I showed you the user experience regarding iOS management with ConfigMigr\Intune.

So what do you need to manage WP8 and RT?

You need a Subscription ID on the Windows Dev center. With that ID you can request a Mobile Device Signing Certificate a Symantec.

To Enroll WP8, you need to upload the Company Portal that you can download from the Microsoft website.

This Portal you need to sign with the certificate from Symantec and as from now you can upload the App into ConfigMgr.

BTW Signing tools are part of the Windows Phone SDK.

I added an WP8 App (*.XAP) and signed it as well with Cert from Symantec.

1

Once that is done you need to specify some Intune Settings in ConfigMgr.

2

As from now you can enroll your devices.

Go to your WP8 device, log on with your Intune or AD credentials (depending if you have AD FS enabled) and install the “Company Hub”.

As from now your device is enrolled and manageable.

image

When opening the portal the user can access his Apps.

image

Also, Settings are coming in. Configured Compliancy Settings in ConfigMgr (similar like iOS)

image

Now let me show the User Experience on Windows RT.

The way to configure is completely the same as with WP8. You need to link the Cert in ConfigMgr and you need to sign your Apps.

On the RT device, search after “Company Applications”, to enroll your device.

image

Once that’s done you will have your Company Portal installed

image

As from now you can access your Apps and also devices.

Note that I can see all my devices that are linked to my UserID (in this case iPhone, WP8 and Windows RT).

As from here for instance I can remote wipe a device in the event I lost one.

image

That’s all for now. Till next time!

 

Nico Sienaert

imagesCA18FG24 imagesCAIOYXPP