MVP Award Renewal for 2015-2016: Enterprise Client Management

July 2, 2015 at 7:28 pm in MVP by Kenny Buntinx [MVP]


I’m very proud to inform you that my MVP award got renewed for the year 2015 – 2016 on Enterprise Client Management. This is certainly a great honor for me.

Thank you Microsoft, blog readers and all the community members that helped me out!

Thanks for the recognition. I am delighted.

Kenny Buntinx

Enterprise Client Management MVP


HCIDKIDT ever since CM12 R2 SP1 : Software update groups additional data available in the console

June 25, 2015 at 6:09 pm in 2012R2, CM12 R2, CM12 R2 SP1, CM12 SP2, SCCM 2012 R2, SCCM 2012 R2 SP1, Software updates by Kenny Buntinx [MVP]


Hello Folks ,

I didn’t realize that one of my personal wishes has been granted in CM12R2 sp1. I always wanted a quick overview at my software group on how much updates it contained , how many expired and to how many collection I deployed it too …and now it is reality . Good work PG !

Non R2 SP1 :


With R2 SP1 :



Hope it Helps ,

Kenny Buntinx

How to replace expired certificates on ADFS 3.0 the right way

June 4, 2015 at 1:44 pm in 2012R2, ADFS, ADFS 3.0, BYOD, certificates, Cloud, Enterprise Mobility Suite, Global Managed Service Account, IIS, Known Issue, Lab, Power Management, WAP, Web Application Proxy by Kenny Buntinx [MVP]


As with all IT equipment that is using certificates for enhanced security, there will be a time when the certificates expire and it will need to be replaced. Below you will find the procedure for ADFS 3.0 and the Web Application Proxy:

First step is to create a new CSR on one of you’re servers and request a renewal of the existing certificate ( in our case a * . After the request has been processed , download your certificate and import the certificate on the server where you created the CRS earlier. For ADFS / WAP it is very important you will have the private key exported with the certificate. You can only export the certificate with a private key on the sever where you previously created the CSR .Export with private keys to *.pfx and import on WAP + ADFS

If you do not do it as described above with and export of the private keys , you will face issues even if you did it exactly as described below as shown in the screenshot below :



Follow the procedure below , starting with the ADFS server:

  1. Log onto the ADFS server.
  2. Import the new (exported with private key) certificate to the server. Make sure this is added to the personal certificate store for the computer account.
  3. Find your thumbprint for the new certificate. Either use the GUI thru the MMC to see the details of the certificate or us powershell with Run Get-AdfsSslCertificate.. Take a copy of the thumbprint and ensure that the spaces are removed.
  4. Make sure that the service account that is running the ‘Active Directory Federation Services’ service is granted read access to the private key.
  5. Launch AD FS Management, expand ‘Service’ within the left pane and click ‘Certificates’ , then click ‘Set Service Communications Certificate



  1. Restart the ADFS services. However this is not enough. Changes made in  the GUI does not change the configuration based on the HTTP.sys. To complete the configuration change, run the following PowerShell command : Set-AdfsSslCertificate –Thumbprint <Thumbprintofyourcertificate>.
  2. Make sure to restart the server

Now you need to log onto the WAP server.

  1. Import the new (exported with private key) certificate to the server as in step 1. 
  2. Run the PowerShell commando for changing the certificate: Set-WebApplicationProxySslCedrtificate –Thumbprint <Thumbprintofyourcertificate>
  3. All of your publishing rules defined in the WAP need to be updated with the thumbprint of the new certificate. Use Powershell for  updating them with the new thumbprint. Run: Get-WebApplicationProxyApplication –Name “WebAppPublishingRuleName” | Set-WebApplicationProxyApplication –ExternalCertificateThumbprint “<Thumbprintofyourcertificate>”
  4. Restart the Web Application Proxy services to complete the configuration

Now you are done and you are a happy admin once more . Took me some time to figure it out .

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

ConfigMgr 2012 NDES Site Role not healthy anymore after R2 SP1 upgrade

June 2, 2015 at 8:06 am in configmgr 2012 R2, ConfigMgr 2012 R2 SP1, EMS, ndes, R2 SP1, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SP1, Windows Intune, windows inune by Kenny Buntinx [MVP]


A key feature of the mobile device management capabilities provided by System Center 2012 R2 Configuration Manager with Windows Intune is the ability to provision client certificates to managed devices.  Organizations that use an enterprise PKI for client authentication to resources like WiFi and VPN can use this feature to provision certificates to Windows, Windows Phone, iOS, and Android devices managed through Windows Intune.  This article provides an in-depth look at how this feature works, and where you can go to find out all of the information you need to get up and running.

For those customers that are using NDES and did an upgrade from System center Configuration Manager 2012 R2 to System center Configuration Manager 2012 R2 SP1  they will notice that their NDES Server hosting the NDES Site Server role will fail to reinstall as shown below in the screenshot :


Investigating the issue a little further and going to look at the logging (CRPSetup.log) on the NDES server hosting the NDES Site Server role , we got the error message “Enabling WCF 40 returned code 50. Please enable WCF HTTP Activation. “


The question is why it would complain now as it worked before . After investigation it turns out that System Center Configuration Manager 2012 R2 Sp1 supports now  the provisioning of  personal information exchange (.pfx) files to user’s devices including Windows 10, iOS, and Android devices. Devices can use PFX files to support encrypted data exchange.

In the Supported Configurations for Configuration Manager ( ) , we found out that now “Http activation is required”


After enabling the feature , the role started to reinstall itself .


Looking at the log file it seems that is is installed :


Looks like the role installed itself and thus problem solved.

Hope it helps ,

Kenny Buntinx

MVP Enterprise Client Management

Announcing the availability of System Center 2012 R2 Configuration Manager SP1 and System Center 2012 Configuration Manager SP2

May 14, 2015 at 4:11 pm in CM12, CM12 R2, CM12 R2 SP1, CM12 SP1, CM12 SP2, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1 by Kenny Buntinx [MVP]


Following the announcements made at the Microsoft Ignite conference last week, I am happy to let you know that System Center 2012 R2 Configuration Manager SP1 and System Center 2012 Configuration Manager SP2 are now generally available and can be downloaded on the Microsoft Evaluation Center. These service packs deliver full compatibility with existing features for Windows 10 deployment, upgrade, and management.

Also included in these service packs are new hybrid features for customers using System Center Configuration Manager integrated with Microsoft Intune to manage devices. Some of the hybrid features that you can expect to see are conditional access policy, mobile application management, and support for Apple Device Enrollment Program (DEP). You can view the full list of hybrid features included in these service packs here.

As a side note : To be absolutely sure that there will be no bear on the road during deployment for SP2 , please install CU5 first before upgrading to SP2 as there is one issue fixed in CU5 that could affect R2 SP1 installation:

– if you have over 10,000 deployments for legacy software distribution packages the R2 SP1 upgrade could stall. Installing CU5 beforehand will prevent this. This does not make CU5 an official pre-req though, as the given scenario should be rare but it doesn’t hurt to install CU5 first on the site servers , before upgrading to CM12 R2 SP1 or CM12 SP2 , without upgrading you’re clients.

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Ignite keynote summary from an ECM perspective

May 4, 2015 at 7:27 pm in ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr, EMS, Enterprise Mobility Suite, hybrid, Ignite, intune, Intune Standalone, SCCM 2012, sccm 2012 R2, SCCM v.Next, System Center, System Center 2016 by Kenny Buntinx [MVP]


For me this was the best keynote ever for all Microsoft’s events I’ve been at, virtually or physically. Wrapped up after three hours, I want to give you guys a heads up for what is happening in my area of expertise, Enterprise Client Management.

The conference is being held in Chicago and has over 20K people in the house. If you want you can watch a replay of this morning’s keynote on demand at

Most Important Ignite Keynote Announcements from an enterprise Client Management perspective

Windows Update for Business – This is an advanced version of what you already know today and it’s called WSUS. Together with Windows 10 it will allow you to control which machines get Windows Updates or even feature updates. Integration with your existing tools like System Center and the Enterprise Mobility Suite – so that these tools can continue to be that ‘single pane of glass’ for all of your systems management.

Office 2016 Public Preview – Available for Office 365 subscribers and those who want to run the full standalone install.  This version will really kick down the #EMS offering on IOS , Android or Windows. Office will be the key in the whole mobility story.

Windows Server 2016 – A second technical preview is now available for download and testing and will allow you to unlock some additional Hybrid functionallity , such as updates for Hyper-V ,ADFS , Workfolders , etc .

System Center 2016 – Has new provisioning, monitoring and automation abilities for your data center. A new preview will be available soon online

· New technical preview for ConfigMgr 2016 for Windows10 available for a trial at

New features in today’s Technical Preview includes:

          • Support for Windows 10 upgrade with OS deployment task sequence
          • Support for installing Configuration Manager on Azure Virtual Machines
          • Ability to manage Windows 10 mobile devices via MDM with on-premises Configuration Manager infrastructure

· New service packs for Configuration Manager 2012 and 2012 R2 (They will be released somewhere next week)

These will deliver full compatibility with existing features for Windows 10 deployment and management as well as several other features, including:

          • App-V publishing performance
          • Scalability improvements
          • Content distribution improvements
          • Native support for SQL Server 2014
          • Hybrid Parity (Intune) and new features

Microsoft Advanced Threat Analytics – Brings on premise Azure AD level security monitoring and threat detection.  This software/service is the result of Microsoft’s acquisition last November of Aorato and it’s a great add-on for EMS and AD premium. The preview is available now from here.


During Brad Anderson’s piece of the keynote, his team showed 11 different technologies on stage and here are links to all of those services and programs:

I hope that you are as thrilled and exited as myself and that we can show you all these cool things in our own lab and we hope that we can see you at one of our events.

Hope it helps,

Kenny Buntinx

MVP Enterprise Client Management MVP

CM12 R2 TS after upgrade: Failed to resume task sequence (0x800700EA) error

April 28, 2015 at 2:15 pm in 2012R2, bootimages, capture, CM12, CM12 R2, CM12 SP1, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, Cumulative Update, Deployment, OSD, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, Task Sequence by Kenny Buntinx [MVP]


I upgraded one of my customers site from SP1 to R2 on a Monday morning and have hit a number of hurdles. I have discovered that my customers OSD Task sequences were not functioning correctly. Everything seems to go fine, until it reaches the Setup Windows and ConfigMgr, and then once that step is complete, it reboots and I’m left on the ctrl+alt+del screen, with the computer joined to domain but no additional steps performed.

The TS does end with an error “Failed to resume task sequence (0x800700EA) error” , as if the new client gets installed and it just ends the TS!

**** Remember **** –> Support for Windows PE 3.1 boot images above of Windows ADK 8.1 is there as feature when upgraded to R2 !! **** Remember ****

I looked at my boot images and it looked good, but frankly the x64 boot image didn’t upgrade well and stayed to version 6.2.x instead of 6.3.x. I had a script to manually update it , but it didn’t like it so it failed again.

Created a new bootimage (x64) from scratch , updated my TaskSequence  to use the new bootimage and *BAM* , it worked again

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management  

Work Folders app for Iphone finally released

April 10, 2015 at 1:15 pm in EMS, intune, iOS, Iphone, IT-Dev Connections, IT/Dev Connections, ITDevconnections, Work Folders, Workplace Join by Kenny Buntinx [MVP]


We are happy to announce that an iPhone app for Work Folders has been released into the Apple AppStore® and is available as a free download.

( There also is a Work Folders app for iPad released a few months ago.)


Work Folders is a Windows Server feature that allows individual employees to access their files securely from inside and outside the corporate environment. This app connects to it and enables file access on an Apple iPhone and iPad. Work Folders enables this while allowing the organization’s IT department to fully secure that data.

This app for iOS features an intuitive UI, selective sync, end-to-end encryption, search and in-app file viewing.
It also integrates well with Windows Intune to fully complete the most important mobile device management scenarios around corporate data on mobile devices.

You will learn more about it on our session “Securely Delivering Traditional Windows File Server Home Folders to BYOD Devices’ at


Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Enterprise Mobility Suite: Steps to add your O365 infrastructure when already using your hybrid Configmgr 2012 R2 and Windows Intune infrastructure at your company.

April 9, 2015 at 1:03 pm in 0365, azure, configmgr 2012 R2, ECM, EMS, Enterprise Mobility Suite, intune, Intune Standalone, o365, office 365, SCCM 2012, sccm 2012 R2, WAAD, Windows Azure Active Directory by Kenny Buntinx [MVP]


Enterprise Mobility Suite (EMS) is Microsoft’s new bundle that includes Azure Active Directory Premium, Windows Intune and Azure Rights Management.The Enterprise Mobility Suite is Microsoft’s answer for Mobile Device Management requirements.

For people that have already Configuration Manager 2012 R2 , you can connect your Windows Intune subscription to get a single pane of glass for management. In the so called hybrid mode you can manage all your assets, from one single console.

Most customers starting with EMS will likely already have an Office 365 infrastructure in place . From that direction it is easy to add your EMS components to the existing o365 WAAD (Windows Azure Active Directory) 

The most common way that WAAD directories where created before any O365 components existed was through the Windows Intune Sign Up process.

When setting up an Windows Intune subscription for the first time, you have to pick a tenant name (In our case When you create the tenant name, a Windows Azure Active Directory (WAAD) account is created behind-the-scenes to store your users and groups, using the domain “” (you can add your domain names to this WAAD account later, but you will always have the original domain associated with it).

Windows Intune creates the WAAD accounts, but doesn’t let you manage it out of the box . You only can attach custom domains, configure users, groups & global administrators from the Windows Intune account management portal.

Attention: The WAAD account is not the same as a Windows Azure Subscription. A Windows Azure Subscription does not get automatically created or associated to your Windows Intune or Office 365 subscription or visa versa !

Scenario :

The customer has already the Windows Intune subscribtion in place and wants to add a fresh Office 365 tenant to it using the same ( name .

How ?:


1. Select “Free Trial”


2. Sign up for new account


3. <IMPORTANT> Login again with your account that you used for registering your previous Windows Intune account !!. <IMPORTANT>


4. Don’t forget to hit the try button :-)



5. When you click “Domains” (1) , you will see that your validated domain ( in our case is attached and validated (2) . Now the last step is to go thru the wizard “Complete Setup” (3) to complete it .

6. You’re done . Now you can start to assign O365 licenses to your users and play with “Conditional access” as explained in this nice blog post from our colleague MVP Peter Daalmans

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Speaker at IT/Dev Connections – September 14-17

April 9, 2015 at 8:55 am in Devconnections, meetthebelgians, speaking, vegas by Kenny Buntinx [MVP]




I am proud to announce that the magic duo on mobility “Tim De Keukelaere”  and myself, will be delivering two sessions entitled :

-  “Armoring your mobile workforce for the 21st century”.

– “Securely Delivering Traditional Windows File Server Home Folders to BYOD Devices”

Together with “Peter Daalmans” , I will deliver a session about managing Citrix with CM12 :

– “How to Extend the App Model to Support Your User-Centric XenDesktop in the Data Center”

During this event we are joined by other top quality speakers who will be delivering multiple sessions on a wide range of topics , but also be prepared to #meetthebelgians

More information and registration details can be found here.

Something to look forward to as it also is in the warm and sunny Vegas . Make sure to join us if you are around!

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management