You are browsing the archive for 2015 June.

HCIDKIDT ever since CM12 R2 SP1 : Software update groups additional data available in the console

6:09 pm in 2012R2, CM12 R2, CM12 R2 SP1, CM12 SP2, SCCM 2012 R2, SCCM 2012 R2 SP1, Software updates by Kenny Buntinx [MVP]

 

Hello Folks ,

I didn’t realize that one of my personal wishes has been granted in CM12R2 sp1. I always wanted a quick overview at my software group on how much updates it contained , how many expired and to how many collection I deployed it too …and now it is reality . Good work PG !

Non R2 SP1 :

image

With R2 SP1 :

image

 

Hope it Helps ,

Kenny Buntinx

How to replace expired certificates on ADFS 3.0 the right way

1:44 pm in 2012R2, ADFS, ADFS 3.0, BYOD, certificates, Cloud, Enterprise Mobility Suite, Global Managed Service Account, IIS, Known Issue, Lab, Power Management, WAP, Web Application Proxy by Kenny Buntinx [MVP]

 

As with all IT equipment that is using certificates for enhanced security, there will be a time when the certificates expire and it will need to be replaced. Below you will find the procedure for ADFS 3.0 and the Web Application Proxy:

First step is to create a new CSR on one of you’re servers and request a renewal of the existing certificate ( in our case a *.demolabs.be) . After the request has been processed , download your certificate and import the certificate on the server where you created the CRS earlier. For ADFS / WAP it is very important you will have the private key exported with the certificate. You can only export the certificate with a private key on the sever where you previously created the CSR .Export with private keys to *.pfx and import on WAP + ADFS

If you do not do it as described above with and export of the private keys , you will face issues even if you did it exactly as described below as shown in the screenshot below :

image

 

Follow the procedure below , starting with the ADFS server:

  1. Log onto the ADFS server.
  2. Import the new (exported with private key) certificate to the server. Make sure this is added to the personal certificate store for the computer account.
  3. Find your thumbprint for the new certificate. Either use the GUI thru the MMC to see the details of the certificate or us powershell with Run Get-AdfsSslCertificate.. Take a copy of the thumbprint and ensure that the spaces are removed.
  4. Make sure that the service account that is running the ‘Active Directory Federation Services’ service is granted read access to the private key.
  5. Launch AD FS Management, expand ‘Service’ within the left pane and click ‘Certificates’ , then click ‘Set Service Communications Certificate

image

 

  1. Restart the ADFS services. However this is not enough. Changes made in  the GUI does not change the configuration based on the HTTP.sys. To complete the configuration change, run the following PowerShell command : Set-AdfsSslCertificate –Thumbprint <Thumbprintofyourcertificate>.
  2. Make sure to restart the server

Now you need to log onto the WAP server.

  1. Import the new (exported with private key) certificate to the server as in step 1. 
  2. Run the PowerShell commando for changing the certificate: Set-WebApplicationProxySslCedrtificate –Thumbprint <Thumbprintofyourcertificate>
  3. All of your publishing rules defined in the WAP need to be updated with the thumbprint of the new certificate. Use Powershell for  updating them with the new thumbprint. Run: Get-WebApplicationProxyApplication –Name “WebAppPublishingRuleName” | Set-WebApplicationProxyApplication –ExternalCertificateThumbprint “<Thumbprintofyourcertificate>”
  4. Restart the Web Application Proxy services to complete the configuration

Now you are done and you are a happy admin once more . Took me some time to figure it out .

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

ConfigMgr 2012 NDES Site Role not healthy anymore after R2 SP1 upgrade

8:06 am in configmgr 2012 R2, ConfigMgr 2012 R2 SP1, EMS, ndes, R2 SP1, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SP1, Windows Intune, windows inune by Kenny Buntinx [MVP]

 

A key feature of the mobile device management capabilities provided by System Center 2012 R2 Configuration Manager with Windows Intune is the ability to provision client certificates to managed devices.  Organizations that use an enterprise PKI for client authentication to resources like WiFi and VPN can use this feature to provision certificates to Windows, Windows Phone, iOS, and Android devices managed through Windows Intune.  This article provides an in-depth look at how this feature works, and where you can go to find out all of the information you need to get up and running.

For those customers that are using NDES and did an upgrade from System center Configuration Manager 2012 R2 to System center Configuration Manager 2012 R2 SP1  they will notice that their NDES Server hosting the NDES Site Server role will fail to reinstall as shown below in the screenshot :

image

Investigating the issue a little further and going to look at the logging (CRPSetup.log) on the NDES server hosting the NDES Site Server role , we got the error message “Enabling WCF 40 returned code 50. Please enable WCF HTTP Activation. “

image

The question is why it would complain now as it worked before . After investigation it turns out that System Center Configuration Manager 2012 R2 Sp1 supports now  the provisioning of  personal information exchange (.pfx) files to user’s devices including Windows 10, iOS, and Android devices. Devices can use PFX files to support encrypted data exchange.

In the Supported Configurations for Configuration Manager ( https://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SiteSystemRolePrereqs ) , we found out that now “Http activation is required”

image

After enabling the feature , the role started to reinstall itself .

image

Looking at the log file it seems that is is installed :

image

Looks like the role installed itself and thus problem solved.

Hope it helps ,

Kenny Buntinx

MVP Enterprise Client Management