Deploying IE11 the right way with Enterprise mode & Site Discovery thru Configmgr 2012

January 22, 2015 at 10:37 am in CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, enterprise mode, IE11, internet explorer, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1 by Kenny Buntinx [MVP]

Deploy Internet Explorer 11 today: from January 2016 onwards only the latest version of IE will be supported on the currently supported OSs such as Windows 7, 8.1 and 10. You should really deploy IE11 today and start working on compatibility testing for your web applications.


To deploy IE11 you need a lot of prerequisites fulfilled, and you will need to do a lot of work to get it deployed successfully. More or less, you will need to do it in four steps:

1. Deploy about 9 prerequisites! You must deploy KB2834140, KB2670838, KB2639308, KB2533623, KB2731771, KB2729094, KB2786081, KB2888049, KB2882822 to be able to install IE11 without any issues. Make sure you download the latest updates!

2. Reboot

3. Deploy IE11 itself. If you need the Google search provider, the only way is to repackage IE11 with IEAK. To customize Internet Explorer 11, first things first: download the Internet Explorer Administration Kit 11 here.

4. Force a reboot here

5. If you want to use IE11 Enterprise Mode, you will need to deploy KB2929437 after the installation of IE11.

6. Reboot

7. Deploy all security updates thru CM12/WSUS

8. Reboot

Luckily for us we have ConfigMgr 2012 and the fantastic Application model to handle that.
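As an added example (not code from the original post), a PowerShell check for the prerequisite updates listed in step 1, plus KB2929437 for Enterprise Mode, that can serve as a ConfigMgr global condition or CI discovery script before the IE11 application is offered. It assumes Get-HotFix reports these updates, which holds for MSU-installed updates on Windows 7; the function names are my own.

```powershell
# Added example, not code from the original post. It checks which of the
# IE11 prerequisite updates listed in step 1 (and optionally KB2929437 for
# Enterprise Mode, step 5) are missing on the local computer, so the result
# can gate the IE11 application deployment in ConfigMgr.
# Assumption: Get-HotFix (Win32_QuickFixEngineering) reports these updates,
# which is the case for MSU-installed updates on Windows 7.

$IE11Prerequisites = @(
    'KB2834140', 'KB2670838', 'KB2639308', 'KB2533623', 'KB2731771',
    'KB2729094', 'KB2786081', 'KB2888049', 'KB2882822'
)
$EnterpriseModeUpdate = 'KB2929437'   # needed on top of IE11 for Enterprise Mode

function Get-IEVersion {
    # IE10 and later record the real version in svcVersion; older builds
    # only populate Version. Returns $null when IE is not registered at all.
    $reg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($reg -and $reg.svcVersion) { return [version]$reg.svcVersion }
    if ($reg -and $reg.Version)    { return [version]$reg.Version }
    return $null
}

function Get-IE11PrerequisiteState {
    param([switch]$IncludeEnterpriseMode)

    $wanted = @($IE11Prerequisites)
    if ($IncludeEnterpriseMode) { $wanted += $EnterpriseModeUpdate }

    # HotFixID values look like "KB2834140"; build the lookup once.
    $installed = @{}
    foreach ($fix in Get-HotFix) { $installed[$fix.HotFixID] = $fix.InstalledOn }

    foreach ($kb in $wanted) {
        New-Object PSObject -Property @{
            KB          = $kb
            Installed   = $installed.ContainsKey($kb)
            InstalledOn = $installed[$kb]
        }
    }
}

function Test-IE11Prerequisites {
    # Returns $true only when nothing is missing. Usable as the body of a
    # ConfigMgr global condition or CI discovery script.
    param([switch]$IncludeEnterpriseMode)

    $missing = @(Get-IE11PrerequisiteState -IncludeEnterpriseMode:$IncludeEnterpriseMode |
        Where-Object { -not $_.Installed })
    if ($missing.Count -gt 0) {
        Write-Warning ('Missing updates: ' + (($missing | ForEach-Object { $_.KB }) -join ', '))
        return $false
    }
    return $true
}

# Usage: show the per-update state, then the overall verdict.
Get-IE11PrerequisiteState -IncludeEnterpriseMode |
    Format-Table KB, Installed, InstalledOn -AutoSize
$ie = Get-IEVersion
if ($ie -and $ie.Major -ge 11) { "IE $ie already installed" }
elseif (Test-IE11Prerequisites) { 'All IE11 prerequisites present, ready to deploy IE11' }
```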

IE11 Enterprise Mode?

Enterprise Mode in IE11 is a compatibility mode that runs web apps in IE8 mode to make them work on IE11. Enterprise Mode is turned on by the IT pro using Group Policy settings for specific domains or pages. It’s much like the compatibility view settings, but provides Internet Explorer 8 compatibility. Web pages that work in Internet Explorer 8 work seamlessly in Enterprise Mode.

More on IE11 Enterprise Mode and Enterprise Mode Site List Manager.

Using the Internet Explorer Site Discovery Tool?

What do you say ??

Not so long ago Microsoft released a little tool that inventories all the web sites a user visits, to give you a grip on web app compatibility. The inventory can be collected from all clients or only from specific ones. The data is collected via WMI and inventoried with System Center Configuration Manager. Pre-made reports are included that can be imported and used in ConfigMgr.

You will find more information here on Enterprise Site Discovery Toolkit for Internet Explorer 11.


Collect data using Internet Explorer Site Discovery

Internet Explorer Site Discovery overview

You can use Internet Explorer to collect data on computers running Internet Explorer 11 on either Windows 8.1 or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your Internet Explorer deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.

By default, Internet Explorer doesn’t collect data; you have to turn this feature on if you want to use it. You must make sure that using this feature complies with all applicable local laws and regulatory requirements.

What data is collected?

Data is collected on the configuration characteristics of Internet Explorer and the sites it browses, as shown here.

Data point: Description

URL: URL of the browsed site, including any parameters included in the URL.

Domain: Top-level domain of the browsed site.

ActiveX GUID: The GUID of the ActiveX controls loaded by the site.

Document mode: Document mode used by Internet Explorer for a site, based on page characteristics.

Document mode reason: The reason why a document mode was set by Internet Explorer.

Browser state reason: Additional information about why the browser is in its current state. Also called browser mode.

Hang count: Number of visits to the URL when the browser hung.

Crash count: Number of visits to the URL when the browser crashed.

Most recent navigation failure (and count): Description of the most recent navigation failure (like a 404 bad request or 500 internal server error) and the number of times it happened.

Number of visits: The number of times a site has been visited.

Zone: Zone used by Internet Explorer to browse sites, based on browser settings.

Where is the data stored and how do I collect it?

The data is stored locally, in an industry-standard WMI class, Managed Object Format (.MOF) file. This file remains on the client computer until it’s collected. To collect the file from your client computers, we recommend using Microsoft System Center 2012 R2 Configuration Manager. However, if you don’t use System Center, you can collect the file using any agent that can read the contents of a WMI class on your computer.
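Because the data sits in a WMI class, any agent can read it locally. The following is an added example (not part of the original post or of Microsoft's toolkit) that reads the IEURLInfo class and summarises it per site, using the class and property names from the SMS_DEF.MOF text later in this post; it assumes the Zone value follows the standard URLZONE numbering, and the function names are my own.

```powershell
# Added example, not part of the original post or of Microsoft's toolkit:
# read the Site Discovery data directly from WMI on a client, as any agent
# could, and summarise it per site. Class and property names are those of
# the IEURLInfo / IESystemInfo classes from the SMS_DEF.MOF text in this post.
# Assumption: Zone uses the standard URLZONE numbering (0 local machine,
# 1 intranet, 2 trusted sites, 3 internet, 4 restricted sites).

$Namespace = 'root\cimv2\IETelemetry'
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Test-SiteDiscoveryPresent {
    # $true when the namespace/class exist, i.e. IETelemetrySetUp.ps1 has run.
    try {
        $null = Get-WmiObject -Namespace $Namespace -Class IESystemInfo -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-PropertySum {
    # Sums an integer property; a null value (property never set) counts as 0.
    param($Objects, [string]$Name)
    $total = 0
    foreach ($o in $Objects) { $total += [int]$o.$Name }
    return $total
}

function Get-SiteDiscoveryReport {
    # URL rows include the full query string, which can carry session tokens
    # or personal data, so -ByDomain is the safer view to circulate.
    param([switch]$ByDomain)

    $rows = @(Get-WmiObject -Namespace $Namespace -Class IEURLInfo)
    $groups = if ($ByDomain) { $rows | Group-Object Domain } else { $rows | Group-Object URL }

    foreach ($g in $groups) {
        $items = @($g.Group)
        $zones = @()
        foreach ($i in $items) {
            if ($i.Zone -eq $null) { $zones += 'Unknown'; continue }
            $z = [int]$i.Zone
            if ($ZoneNames.ContainsKey($z)) { $zones += $ZoneNames[$z] } else { $zones += "Zone$z" }
        }
        New-Object PSObject -Property @{
            Site        = $g.Name
            Visits      = Get-PropertySum $items 'NumberOfVisits'
            Crashes     = Get-PropertySum $items 'CrashCount'
            Hangs       = Get-PropertySum $items 'HangCount'
            NavFailures = Get-PropertySum $items 'NavigationFailureCount'
            # Distinct document modes seen: a site stuck on a legacy mode is an
            # Enterprise Mode / compatibility candidate.
            DocModes    = (($items | ForEach-Object { [int]$_.DocMode } | Sort-Object -Unique) -join ',')
            Zones       = (($zones | Sort-Object -Unique) -join ',')
            UsesActiveX = [bool]@($items | Where-Object { $_.ActiveXGUID })
        }
    }
}

# Usage: sites with the most crashes/hangs first, the ones to test on IE11 first.
if (Test-SiteDiscoveryPresent) {
    Get-SiteDiscoveryReport -ByDomain |
        Sort-Object Crashes, Hangs -Descending |
        Format-Table Site, Visits, Crashes, Hangs, NavFailures, DocModes, Zones, UsesActiveX -AutoSize
} else {
    Write-Warning "Namespace $Namespace not found; run IETelemetrySetUp.ps1 first."
}
```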


Before you start, you need to make sure you have the following:

Setup and configuration package, including:

    • Configuration-related PowerShell scripts
    • IETelemetry.mof file
    • Sample System Center 2012 report templates

Both the PowerShell script and .mof file need to be copied to the same location on the client computer, before you run the scripts.

Setting up your client computers for data collection

On your test computer, run the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file, update security privileges for the new WMI classes, and to set the registry key.

To set up your computers:

  1. Create a Package/Program in Configmgr 2012 that runs IETelemetrySetUp.ps1
  2. Restart your computer to start collecting your WMI data.

Using System Center 2012 R2 Configuration Manager to collect your data

After you’ve collected all of the data, you’ll need to get the local files off of your computers. To do this, use the hardware inventory process in System Center Configuration Manager, in one of the following ways.

Collect your hardware inventory using the MOF Editor while connecting to a computer

You can collect your hardware inventory using the MOF Editor, while you’re connected to your client computers.

To collect your inventory

1. In the System Center Configuration Manager console, click Administration, click Client Settings, double-click Default Client Settings, click Hardware Inventory, and then click Set Classes.


2. Click Add, click Connect, and connect to a computer that has completed the setup process and has already existing classes.

3. Change the WMI Namespace to root\cimv2\IETelemetry, and click Connect.


4. Select the check boxes next to the following classes, and then click OK:

· IESystemInfo
· IECountInfo

5. Click OK to close the default windows.

Your environment is now ready to collect your hardware inventory and review the sample reports.

Collect your hardware inventory using the MOF Editor with a MOF import file

You can collect your hardware inventory using the MOF Editor and a MOF import file.

To collect your inventory:

1. In the System Center Configuration Manager console, click Administration, click Client Settings, double-click Default Client Settings, click Hardware Inventory, and then click Set Classes.

2. Click Import, choose the MOF file from the downloaded package we provided, and click Open.

3. Pick the inventory items to install, and then click Import.

4. Click OK to close the default windows.

Your environment is now ready to collect your hardware inventory and review the sample reports.

Collect your hardware inventory using the SMS_DEF.MOF file

You can collect your hardware inventory using the Systems Management Server (SMS_DEF.MOF) file.

To collect your inventory:

1. Using a text editor like Notepad, open the SMS_DEF.MOF file, located in your <Config_Manager_install_location>\inboxes\clifiles.src\hinv directory.

2. Add this text to the end of the file:

[SMS_Report (TRUE), SMS_Group_Name ("IESystemInfo"), SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry") ]
Class IESystemInfo: SMS_Class_Template
{
    [SMS_Report (TRUE), Key ] String SystemKey;
    [SMS_Report (TRUE) ] String IEVer;
};

[SMS_Report (TRUE), SMS_Group_Name ("IEURLInfo"), SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry") ]
Class IEURLInfo: SMS_Class_Template
{
    [SMS_Report (TRUE), Key ] String URL;
    [SMS_Report (TRUE) ] String Domain;
    [SMS_Report (TRUE) ] UInt32 DocMode;
    [SMS_Report (TRUE) ] UInt32 DocModeReason;
    [SMS_Report (TRUE) ] UInt32 Zone;
    [SMS_Report (TRUE) ] UInt32 BrowserStateReason;
    [SMS_Report (TRUE) ] String ActiveXGUID[];
    [SMS_Report (TRUE) ] UInt32 CrashCount;
    [SMS_Report (TRUE) ] UInt32 HangCount;
    [SMS_Report (TRUE) ] UInt32 NavigationFailureCount;
    [SMS_Report (TRUE) ] UInt32 NumberOfVisits;
    [SMS_Report (TRUE) ] UInt32 MostRecentNavigationFailure;
};

[SMS_Report (TRUE), SMS_Group_Name ("IECountInfo"), SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry") ]
Class IECountInfo: SMS_Class_Template
{
    [SMS_Report (TRUE), Key ] String CountKey;
    [SMS_Report (TRUE) ] UInt32 CrashCount;
    [SMS_Report (TRUE) ] UInt32 HangCount;
    [SMS_Report (TRUE) ] UInt32 NavigationFailureCount;
};

3. Save the file to the same location and close it.

Your environment is now ready to collect your hardware inventory and review the sample reports.

Viewing the sample reports

The sample reports, SCCM Report Sample – ActiveX.rdl and SCCM Report Sample – Site Discovery.rdl, work with System Center 2012, so you can review your collected data.

SCCM Report Sample – ActiveX.rdl

Gives you a list of all of the ActiveX-related sites visited by the client computer.


SCCM Report Sample – Site Discovery.rdl

Gives you a list of all of the sites visited by the client computer.


Turning off data collection on your client computers

After you’ve collected all of your data, you’ll need to turn this functionality off.

To stop collecting data:

On your test computer, start PowerShell in elevated mode and run IETelemetrySetUp.ps1 using this command: powershell .\IETelemetrySetUp.ps1 -IEFeatureOff

Turning off data collection only disables the Internet Explorer Site Discovery feature – all data already written to WMI stays on the client computer.

Deleting already stored data from client computers

You can completely remove the data stored on your client computers.

To delete existing data:

On the client computer, start PowerShell in elevated mode (using admin privileges) and run these commands:

    1. Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo
    2. Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo
    3. Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo
    4. Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Swiss 09/02/2015: CMCE R2 Community Event Speaker

January 21, 2015 at 9:52 pm in CMCE, speak, speaking, Swiss by Kenny Buntinx [MVP]


I am proud to announce that I received an invitation to talk at a community event called CMCE in Zurich on the 9th of February 2015.


The magic duo on mobility, “Tim De keukelaere” and myself, will be delivering two sessions entitled “Armoring your mobile workforce for the 21st century”. The focus of both sessions will be Unified Device Management with Configuration Manager and Microsoft Intune. The first session will be a general overview, and during the second session we will deep-dive further into the technical details and demonstrate some more advanced scenarios around managing and deploying certificates, WIFI and VPN profiles and not-so-out-of-the-box technical solutions.

During this one day event we are joined by other top quality speakers who will be delivering multiple sessions on a wide range of topics.

More information and registration details can be found here.

Something to look forward to. Make sure to join us if you are around!

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Windows 7 Configmgr 2012 Balloon tips: Setting it to display for more than 5 sec.

January 20, 2015 at 7:06 am in CM12, CM12 R2, CM12 SP1, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, Portal, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, Software Center by Kenny Buntinx [MVP]


The balloon tip that System Center Configuration Manager 2012 SP1 / R2 shows when it wants to install your software is only displayed for a few seconds. Users often complain that they can’t read the balloon tip that fast, so we have to increase the display time of the balloon.


Right-click and choose New, Registry Item:

Key Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
Value name: Balloontip
Value type: REG_DWORD
Value Data (dec): 00000020

Click OK and you’re all set!

This changes the display time to 20 seconds.

You can handle this by creating a Configuration Item and deploying it thru a Configuration Baseline. Below you will find the steps:

1. Create a Configuration Item called “RegSetting BalloonTip”.



2. In the settings, create the registry key to check, as specified above in the first section of this blog post.


3. Create the compliance rule and enter the value you want. In this case it will be 20 seconds.


4. Save your Configuration Item. Create a Configuration Baseline that contains your Configuration Item and deploy it to your workstations. Make sure to select “Remediate noncompliant rules when supported” in your deployment.
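As an added example (not code from the original post), the same check and fix written as discovery and remediation script bodies for a script-based setting in the “RegSetting BalloonTip” Configuration Item, for environments that prefer scripts over the registry-value setting type. It assumes the CI runs its scripts with the logged-on user's credentials, since the value lives under HKCU; the function names are my own.

```powershell
# Added example, not code from the original post: discovery and remediation
# script bodies for the "RegSetting BalloonTip" Configuration Item, as an
# alternative to the registry-value setting type described above.
# Assumption: the CI is configured to run scripts with the logged-on user's
# credentials, because the value lives under HKCU (otherwise the System
# account's hive would be checked and changed instead of the user's).

$BalloonKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify'
$BalloonName  = 'Balloontip'
$BalloonValue = 20   # seconds; decimal 20, as in the post

function Get-BalloonTipSeconds {
    # Current DWORD, or $null when the key or value does not exist yet.
    $item = Get-ItemProperty -Path $BalloonKey -Name $BalloonName -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$BalloonName }
    return $null
}

function Test-BalloonTipCompliant {
    # Discovery script: ConfigMgr compares this output with the compliance
    # rule, e.g. "value returned must equal Compliant".
    if ((Get-BalloonTipSeconds) -eq $BalloonValue) { return 'Compliant' }
    return 'NonCompliant'
}

function Set-BalloonTipSeconds {
    # Remediation script: create the key if needed, write the DWORD, and
    # return the value that is now in place.
    param([int]$Seconds = $BalloonValue)
    if (-not (Test-Path $BalloonKey)) { New-Item -Path $BalloonKey -Force | Out-Null }
    New-ItemProperty -Path $BalloonKey -Name $BalloonName -Value $Seconds -PropertyType DWord -Force | Out-Null
    return Get-BalloonTipSeconds
}

# Usage outside ConfigMgr: check, fix when needed, check again.
"Before: $(Test-BalloonTipCompliant) ($(Get-BalloonTipSeconds))"
if ((Test-BalloonTipCompliant) -ne 'Compliant') { $null = Set-BalloonTipSeconds }
"After:  $(Test-BalloonTipCompliant) ($(Get-BalloonTipSeconds))"
```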


Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

The Enterprise Mobility Suite and the 10 reasons why your company needs it

January 14, 2015 at 10:58 am in azure, CM12, CM12 R2, ConfigMgr, EMS, hybrid, intune, Intune Standalone, RMS, sccm, sccm 2012 R2, System Center by Kenny Buntinx [MVP]


Together, Windows Server 2012 R2, System Center 2012 R2 Configuration Manager, Microsoft Azure AD Premium, Microsoft Azure RMS and Microsoft Intune, also called the Enterprise Mobility Suite (EMS), help organizations address the consumerization of IT. With Microsoft’s people-centric IT solution, organizations can empower their users, unify their environment, and protect their data, ultimately helping to embrace consumerization and a people-centric IT model, while maintaining corporate compliance.

What can the Microsoft Enterprise Mobility Suite (EMS) bring you?

· Enabling your end users to work on the device or devices they love and providing them with consistent and secure access to corporate resources from those devices. Part of the way we do that is by providing a hybrid identity solution, enabled by Azure Active Directory Premium.

· Delivering comprehensive application and mobile device management from both your existing on-premises infrastructure, including Microsoft System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure. This helps to unify your environment. EMS provides mobile device management, enabled by Windows Intune.

· Helping protect your data by protecting corporate information and managing risk. EMS provides data protection, enabled by the Azure Rights Management service.

Here are the 10 reasons why to consider EMS:

10. The ability to protect corporate information by selectively wiping apps and data. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can selectively and remotely wipe any device, including applications and sensitive company data, management policies and networking profiles.

9. Identification of compromised mobile devices. Jailbreak and root detection enables IT to determine which devices accessing corporate resources are at-risk, so that IT can choose to take appropriate action on those devices, including removing them from the management system and selectively wiping the devices.

8. Comprehensive settings management across platforms, including certificates, virtual private networks (VPNs), and wireless network and email profiles. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can provision certificates, VPNs, and wi-fi profiles on personal devices within a single administration console.

7. Access on-premises and in-the-cloud resources with a common identity. IT can better protect corporate information, manage and control resource access, and mitigate risk by managing a single identity for each user across both on-premises and cloud-based applications, and by restricting access to corporate resources based on user, device, and location.

6. Simplified, user-centric application management across devices. IT gains efficiency with a single management console, where policies and applications can be applied across groups (user and device types).

5. Enhance end-user productivity with self-service and Single-Sign-On (SSO) experiences. Help users be more productive by providing each with a single identity to use no matter what they access, whether they are working in the office, working remotely, or connecting to a cloud-based Software-as-a-Service (SaaS) application. Access company resources consistently across devices. Users can work from the device of their choice to access corporate resources regardless of location.

4. Protect information anywhere with Microsoft Azure RMS. Protecting information at rest and in transit requires authentication and preventing alteration, both key requirements for protecting sensitive corporate information.

Microsoft Azure Rights Management (RMS) can help enterprises transition from a device-centric to a people-centric, consumerized IT environment without compromising compliance on document protection.

3. Single Pane of Glass Mobile device management of on-premises and cloud-based mobile devices. IT can manage mobile devices completely through the cloud with Microsoft Intune or extend its System Center Configuration Manager infrastructure with Microsoft Intune to manage their devices (PCs, Macs, or servers) and publish corporate apps and services, regardless of whether they’re corporate-connected or cloud-based.

2. Simplified registration and enrollment for BYOD. Users can register their devices for access to corporate resources and enroll in the Microsoft Intune management service to manage their devices and install corporate apps through a consistent company portal.

And… Number 1 if you ask me for the Microsoft Enterprise Mobility Suite…

1. Enable users to work on the device of their choice and from where they want. Give your users access to applications, data and resources from any device from virtually everywhere, while ensuring documents are secured and your mobile devices are compliant.

Hope it Helps ,

Kenny Buntinx

Enterprise Mobility Suite: Steps to get to Azure AD Premium when already using your hybrid Configmgr 2012 R2 and Windows Intune infrastructure.

December 30, 2014 at 9:32 am in azure, CM12, CM12 R2, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, EMS, Enterprise Mobility Suite, intune, Intune Standalone, Mobility, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, WAAD, Windws Intune by Kenny Buntinx [MVP]


Enterprise Mobility Suite (EMS) is Microsoft’s new bundle that includes Azure Active Directory Premium, Windows Intune and Azure Rights Management. The Enterprise Mobility Suite is Microsoft’s answer to Mobile Device Management requirements.

For people who already have Configuration Manager 2012 R2, you can connect your Windows Intune subscription to get a single pane of glass for management. In the so-called hybrid mode you can manage all your assets from one single console.

While you can create a new WAAD (Windows Azure Active Directory) account directly from the Windows Azure Management Portal, the most common way that WAAD directories were created before EMS existed was through the Windows Intune sign-up process.

When setting up a Windows Intune subscription for the first time, you have to pick a tenant name (in our case ). When you create the tenant name, a Windows Azure Active Directory (WAAD) account is created behind the scenes to store your users and groups, using the domain “” (you can add your domain names to this WAAD account later, but you will always have the original domain associated with it).

Windows Intune creates the WAAD account, but doesn’t let you manage it out of the box. You can only attach custom domains and configure users, groups and global administrators from the Windows Intune account management portal.

Attention: The WAAD account is not the same as a Windows Azure Subscription. A Windows Azure Subscription does not get automatically created or associated with your Windows Intune or Office 365 subscription, or vice versa!

When you log in with your Windows Intune tenant account into the Windows Azure Management Portal ( you will see a message that there are no associated Azure Subscriptions.

Windows Azure, however, lets you manage all the advanced settings of WAAD accounts, including names, premium features, apps, SSO access, multi-factor authentication, etc. The Enterprise Mobility Suite (EMS) feature Windows Azure AD Premium can only be managed properly when you link your Windows Intune WAAD to your organizational Windows Azure Subscription.

Step 1: How to add your existing Windows Azure Active Directories to your Windows Azure Subscription?


The process to add a WAAD account to your Windows Azure subscription used to be pretty painful, but now you can easily do this by adding an “Existing WAAD account”. The process is as follows:

1. Login to Windows Azure Management Portal with your Microsoft Account.

2. Click on the Active Directory category on the left, and then click the New button.


3. Choose New > App Services > Active Directory > Directory > Custom Create.

4. On the Add Directory dialog, click the Directory dropdown, and choose Use Existing Directory.


5. The dialog will switch, and inform you that you will be signed out, and need to sign in with a Global Administrator for the existing WAAD account. Check the box and click Sign Out.


6. Login with a Global Administrator for the WAAD account.

7. Once you login, you’ll be asked to confirm the link. Linking will make the Microsoft Account a Global Administrator in the WAAD account. Proceed through this, and you will be asked to Sign Out.



8. After Signing Out, and signing back in with your Microsoft Account, you’ll now see the WAAD account in the list of Active Directory accounts in the Windows Azure Management Portal!



Step 2 : Activate Azure AD Premium  and assign licenses to your users


Now that the Windows Azure Active Directories previously created from Windows Intune are visible within our Azure subscription, we can add the Azure AD Premium features to them.

In the picture below, you will see a newly created WAAD called EMSExperts from the Azure portal. By default, Azure AD Premium can be found under the licenses tab. Now you can assign licenses to users.


In the other picture below, you will see the WAAD previously created from Windows Intune (added to the Azure subscription later) called MSCloudExperts. By default only the Windows Intune licenses can be found; Azure AD Premium cannot be found under the licenses tab.


To add the “Azure AD Premium” licenses, you must go to the bottom of the page and hit “Activate Trial” or “Purchase”.


Now you will see that there are 2 license plans added to your WAAD: one for Windows Intune and one for Azure AD Premium. Now you can assign licenses to your users accordingly.




Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Hybrid scenarios with System Center Configuration Manager 2012 R2 – Windows Intune – ADFS – WAP – NDES – Workplace Join: Hotfixes you really need in your environment.

December 29, 2014 at 8:26 pm in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, EMS, hybrid, intune, Intune Standalone, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, WAP by Kenny Buntinx [MVP]


To make the most out of your lab or production environment when implementing the several features that are combined when using System Center Configuration Manager 2012 R2 and Intune for mobile workforce deployment, I advise you to install the following hotfixes:

For your System Center Configuration manager 2012 R2 environment and Windows Intune connector:


1. Install CU3 (KB2994331). A lot of things are fixed in each CU, but not every fix is noted down in the release notes. It is therefore very important that you install the latest cumulative updates in general!

Why CUs matter (again!): pre-CU3 NDES templates need to be recreated. Re-targeting from device to user is not sufficient, as no proper migration happens when upgrading from CU1 or CU2!

2. Install KB article 2990658. This hotfix greatly reduces the time that’s required to execute a successful retire or wipe of an MDM device by using a notification to "push" these tasks. Without this hotfix, retire and wipe operations could require 24 hours to run successfully, because they relied on a "pull" mechanism of that frequency. This hotfix will probably be included when the next Cumulative Update is released.

3. Install KB article 3002291. This hotfix fixes an issue in which, when a user becomes a cloud-managed user in Microsoft System Center 2012 R2 Configuration Manager, a settings policy may not target the assignment for the user.

For your ADFS and WAP (Web Application Proxy) with Server 2012 R2 environment:


1. To fix the "Profile Installation Failed" error when an iOS device is workplace-joined by using DRS on a Windows Server 2012 R2-based server, look at Knowledge Base article 2970746 and make sure you deploy KB2967917 on your WAP server, which is the July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

2. To fix the “Large URI request in Web Application Proxy fails in Windows Server 2012 R2” issue when deploying an NDES server thru the Web Application Proxy (WAP), look at Knowledge Base article 3011135 (issue found and resolved by Pieter Wigleven) and make sure you deploy KB3013769 on your WAP server, which is the December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

For your CA (certificate Authority) infrastructure when you want to use NDES:


1. The issuing CA needs to be Windows Server 2008 R2 (with KB2483564) or, preferably, Windows Server 2012 R2.


Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Apple Volume Purchase Program (VPP) expands but changes nothing around supportability for side loading within Configmgr & Intune hybrid or standalone.

December 18, 2014 at 10:40 am in Apple, EMM, EMS, intune, Intune Standalone, scc, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, VPP by Kenny Buntinx [MVP]


Great news for our customers!

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario you can install apps and content locally with Apple Configurator or your MDM solutions such as Windows Intune.

More than half a year ago, when I wrote the following SCUG article, “CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file”, Apple’s Volume Purchase Program (VPP) was only available in limited countries such as Germany and the UK. That caused challenges for side loading applications thru your MDM solution such as Configmgr 2012 R2 and Intune in the hybrid model.

Now Apple has expanded the Volume Purchase Program (VPP) ( ) to many more countries, as shown below:

Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

This will make our life certainly much easier as we have a “Licensed way” of deploying volume licensed apps on IOS and OSX.

Distributing the app with your MDM solution such as ConfigMgr with Intune

To distribute an iOS application, you must have a valid .ipa package and a manifest (plist) file. The manifest file is an XML .plist file that is used to find, download and install any iOS applications that are located outside the App Store. The manifest file cannot exceed 10 KB. For more information, see the relevant Apple documentation.

· The .ipa package must be valid. This means that the package was signed by Apple and the expiration date indicated in the provisioning profile is still valid.

· For iOS applications, Windows Intune can distribute enterprise certificate iOS applications. Not all Apple developer certificate applications are supported.

· Your enterprise must be registered for the iOS Developer Enterprise Program.

· Make sure that your organization’s firewall allows access to the iOS provisioning and certification web sites.

I saw many people in the forums and on the internet having difficulty uploading and deploying IOS applications, mainly because they do not have access to a VPP program from Apple, but that is now more or less history. I managed to upload the IOS (*.ipa) application into Configuration Manager 2012 R2, and also managed to download and install the uploaded IOS application to the iPad from the Company Portal, however:

GOTCHA: Not all applications have a plist file; it also depends on the Mac OSX version (they have been changing the locations in 10.6 and again in 10.9.1). Check out this thread.

Currently Configuration Manager 2012 R2 with Intune hybrid is not supporting the whole VPP Program yet. Hopefully they will change that soon!

Hope it Helps,

Kenny Buntinx

Windows Phone 8.1 Self Service Portal (SSP) changes with Windows Intune’s November Release

November 20, 2014 at 6:20 am in company portal, hybrid, intune, Intune Standalone, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, SSP, System Center, Windows Intune, windows inune, Windows Phone 8.1, WP 8.1, WP8.1 by Kenny Buntinx [MVP]

Hi ,

As you already probably knew , new Windows Intune capabilities are added as we speak for Windows Intune standalone thru the so called “November Release” as discussed here : 

The Microsoft Intune Company Portal for Windows Phone app helps you search, browse and install apps made available to you by your company, through Microsoft Intune standalone or Hybrid (Configmgr and Windows Intune). Apps can be installed without requiring a connection to your corporate network. You can also enroll your personal computers and devices in the service and locate contact information for your IT team.

One additional change that was not clearly communicated is a change to how the Intune Company Portal or Self Service Portal (SSP) app for Windows Phone 8.1 is offered and installed.

Before, if you wanted to manage and deploy applications on your Windows Phone 8 and 8.1 devices, the Company Portal app was offered as a deployable download at Microsoft’s Download Center; you signed it with a Symantec code signing certificate and deployed it to the management system infrastructure to enable device enrollment for Windows Phone 8 and 8.1 devices. The download was infused with a Symantec certificate to ensure trustworthiness of the app and to help secure enrollments.

Microsoft has now updated the Windows Intune Company Portal app for Windows Phone 8.1. The Symantec certificate is no longer embedded and no longer required because the app is now only available through the Microsoft Store.

However , there are some things to take into account when doing hybrid or standalone implementations.

Starting this week, for Windows Intune standalone only, Microsoft removed the requirement that a company have an AET (Application Enrollment Token) and a signed Company Portal app before devices are allowed to enroll. Devices must still be enrolled for management before they can install sideloaded apps from the MDM, and they must also have the AET.

In short, this means that you no longer need the Symantec certificate to enroll and manage WP8.1 devices (not WP 8.0!), but you will still need the Symantec certificate to sideload any application that doesn’t come through the app store.

Anything else still requires both the certificate and the signed SSP.xap from the Download Center, and that is still the case for Hybrid implementations today.

My advice for now:

1. Admins who want to stay on the old-school ssp.xap for now (for hybrid deployments this is mandatory!!!)

    • Don’t tell users about store app
    • Add store app to blocked list, for extra insurance, so they can’t run it
    • Just keep doing what you’re doing

Hybrid users could still install the SSP from the store if you do not blacklist the application. However, if they do install the SSP from the store, they can’t enroll unless a certificate and a signed SSP have been uploaded, but they can use the portal in the “unenrolled” scenario.

2. Admins who want to move to the appx from the app store (Intune standalone only!!)

    • Create an app that uninstalls ssp.xap
    • Tell users to start by installing the store app and using the link in the app to enroll, just like Android or iOS


The only new thing you get with the App Store SSP version is the ability to show users “Terms and Conditions”. Period.

If companies want to sideload applications, there’s still no way around having the Symantec certificate.

The new App Store SSP takes the version to 4.1.2777.2 and can be found over here:


Hope it Helps,

Kenny Buntinx

MVP Enterprise Client Management

CM12 OSD : HP Zbook 17 is failing during OSD and is giving bluescreens all the way.

October 16, 2014 at 8:45 am in CM12, CM12 R2, CM12 SP1, OSD, wdf, Windows 7, Windows 7 SP1, Windows7 by Kenny Buntinx [MVP]


Today we had a failing HP Zbook 17 and we were not able to do OSD staging on it. It reminded me of a blog post from 6 months ago on an update called KB2685811, which updates the Kernel-Mode Driver Framework to v1.11.

What it is – The Windows Driver Frameworks (WDF) is a set of libraries that you can use to write device drivers that run on the Windows operating system. WDF defines a single driver model that is supported by two frameworks: the Kernel-Mode Driver Framework (KMDF) and the User-Mode Driver Framework (UMDF). KMDF\UMDF are provided by Microsoft so that component drivers can leverage the framework and minimize what needs to be included with the driver. This is great for the IT Professional until a driver is written against a specific version of KMDF\UMDF which your system may not currently support. This happened previously with Windows Vista and is now being seen on some Windows 7 systems that do not have version 1.11 of KMDF and version 1.11 of UMDF.

Why you need them – Without these there is a potential of experiencing a failure in your Windows 7 OS Deployment process, or of seeing devices in Device Manager that you know have drivers available to them but aren’t properly installed. To ensure this does not happen you should update your base image with KMDF 1.11 and UMDF 1.11 to make sure that current and future drivers will be installed properly. Dell – HP – Lenovo are delivering more and more drivers built on the latest WDF framework!

Now here is the “gotcha”: in order for this to work for OS Deployments, you have 2 options, based on Dustin Hedges’ blog post called

- Build a brand new WIM file and inject the hotfix (using DISM). Then import that WIM back into SCCM for deployment, test, retest, retest, deploy to production. Apply the update using DISM: cmd.exe /c X:\windows\system32\dism.exe /ScratchDir:%OSDisk%\Scratch /Image:%OSDisk%\ /Add-Package /PackagePath:%_SMSTSMDataPath%\Packages\\

- Package it up and inject it offline during your existing deployments, see the following blog post at
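For the first option, the following is an added example (not from the original post or from Dustin Hedges) that injects the KMDF/UMDF 1.11 hotfix into an existing Windows 7 WIM offline with the DISM PowerShell module and verifies that the package is present before committing. The WIM path, mount directory and the .msu file name are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original post: inject KB2685811 (KMDF/UMDF 1.11)
# into an existing Windows 7 WIM offline and verify it is present before saving.
# $WimPath, $MountDir and the .msu file name are assumptions for illustration.
# Requires the DISM PowerShell module and an elevated session.
$WimPath    = 'C:\Images\Win7SP1-x64.wim'                  # assumed path
$ImageIndex = 1
$MountDir   = 'C:\Mount\Win7'                              # assumed path
$HotfixPath = 'C:\Hotfixes\Windows6.1-KB2685811-x64.msu'   # assumed file name

Import-Module Dism
if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

# Mount the image read/write so the package can be added offline.
Mount-WindowsImage -ImagePath $WimPath -Index $ImageIndex -Path $MountDir | Out-Null
$saveChanges = $false
try {
    # Skip the injection if the image already carries the KB.
    $already = Get-WindowsPackage -Path $MountDir |
        Where-Object { $_.PackageName -like '*KB2685811*' }
    if ($already) {
        Write-Host "KB2685811 already present: $($already.PackageName)"
    } else {
        Add-WindowsPackage -Path $MountDir -PackagePath $HotfixPath | Out-Null
        # Re-read the package list to confirm the hotfix really landed.
        $check = Get-WindowsPackage -Path $MountDir |
            Where-Object { $_.PackageName -like '*KB2685811*' }
        if (-not $check) { throw 'KB2685811 not found in the image after Add-WindowsPackage.' }
        Write-Host "Injected: $($check.PackageName) (state: $($check.PackageState))"
    }
    $saveChanges = $true
}
finally {
    # Commit only on success; otherwise discard so the WIM is never left half-updated.
    if ($saveChanges) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else              { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

After the image is saved, re-import (or update) the WIM in ConfigMgr and test the deployment before releasing it to production, as the first option above describes.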

Hope it Helps,

Kenny Buntinx

MVP Enterprise Client management

IOS 8 support now available for System Center 2012 R2 Configuration Manager thru an extension for Windows Intune

September 30, 2014 at 4:18 am in ConfigMgr, configmgr 2012 R2, intune, MDM, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, System Center, UDM by Kenny Buntinx [MVP]


A new version of the iOS 7 Security Settings extension is now available for System Center 2012 R2 Configuration Manager environments that are configured with the Windows Intune connector. This updated extension adds support for iOS 8 devices. New features include: iOS 8 added to the supported platform list, configuration settings to manage and assess the compliance on iOS 8 devices, company resource access on iOS 8 devices and the ability to define an applicability rule for applications, allowing you to deploy applications to iOS 8 devices.

If you already have the iOS 7 Security Settings extension enabled, an updated extension called iOS 7 and iOS 8 Security Settings will appear as a new item in your Configuration Manager console in the Extensions for Windows Intune node. You will also be able to see other enabled extensions in this location.

To install the updated version, select the iOS 7 and iOS 8 Security Settings extension from the list and then click Enable. You do not need to disable the older version of the extension before you enable this updated version. As the updated version is installed, the configurations you previously made for the extension are retained. Once the installation is complete, only the most recent version of the extension will display in the console.

Read further at

Hope it Helps,

Kenny Buntinx

MVP Enterprise Client Management