
CM12 OSD : HP Zbook 17 is failing during OSD and is giving bluescreens all the way.

8:45 am in CM12, CM12 R2, CM12 SP1, OSD, wdf, Windows 7, Windows 7 SP1, Windows7 by Kenny Buntinx [MVP]

 

Today we had a failing HP Zbook 17 and we were not able to do OSD staging on it. It reminded me of a blog post from 6 months ago on an update called KB2685811 (http://support.microsoft.com/kb/2685811) that updates the Kernel-Mode Driver Framework to v1.11.

What it is – The Windows Driver Frameworks (WDF) is a set of libraries that you can use to write device drivers that run on the Windows operating system. WDF defines a single driver model that is supported by two frameworks: the Kernel-Mode Driver Framework (KMDF) and the User-Mode Driver Framework (UMDF). KMDF and UMDF are provided by Microsoft so that drivers can leverage the framework and minimize what has to be shipped with the driver. This is great for the IT professional until a driver is written against a specific version of KMDF/UMDF which your system does not yet support. This happened previously with Windows Vista and is now being seen on some Windows 7 systems that do not have version 1.11 of KMDF and version 1.11 of UMDF.

Why you need them – Without these there is a potential of experiencing a failure in your Windows 7 OS deployment process, or of seeing devices in Device Manager that you know have drivers available but aren’t properly installed. To ensure this does not happen you should update your base image with KMDF 1.11 and UMDF 1.11 so that current and future drivers will be installed properly. Dell, HP and Lenovo are delivering more and more drivers built on the latest WDF framework!

Now here is the “gotcha”: for this to work for OS deployments you have two options, based on Dustin Hedges’ blog at http://deploymentramblings.wordpress.com:

– Build a brand new WIM file and inject the hotfix (using DISM). Then import that WIM back into SCCM for deployment, test, retest, retest, and deploy to production. Apply the update using DISM:

cmd.exe /c X:\windows\system32\dism.exe /ScratchDir:%OSDisk%\Scratch /Image:%OSDisk%\ /Add-Package /PackagePath:%_SMSTSMDataPath%\Packages\\Windows6.1-KB2685811-x64.cab

– Package it up and inject it offline during your existing deployments; see the following blog post at http://deploymentramblings.wordpress.com/2013/10/24/osd-injecting-the-windows-7-kernel-mode-driver-framework-kmdf/
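The first option above (service the WIM offline, then re-import it) as a worked example. This is an added example and not the post’s own script: it mounts the image with the DISM PowerShell module, checks whether KB2685811 is already present (and what KMDF runtime version the image carries), adds the .cab only when needed, and commits or discards accordingly. The image, mount and .cab paths are placeholders; the Wdf01000.sys version check is my own assumption about how to read the KMDF level off an offline image.

```powershell
# Added example (not from the original post): inject KB2685811 (KMDF/UMDF 1.11) into an
# offline Windows 7 WIM and verify the result before committing the image.
# Assumptions: DISM PowerShell module (Windows 8 / ADK 8.0 or later) is available and the
# script runs elevated; all paths below are placeholders for your environment.
Import-Module Dism

$ImagePath   = 'D:\Images\Win7SP1-x64.wim'              # placeholder
$ImageIndex  = 1
$MountPath   = 'D:\Mount'                               # placeholder, must be empty
$PackagePath = 'D:\Hotfix\Windows6.1-KB2685811-x64.cab' # the .cab extracted from the KB download

function Test-KmdfHotfixPresent {
    param([string]$Path)
    # Get-WindowsPackage lists the servicing packages in the mounted image; the hotfix
    # shows up as a package whose name contains the KB number.
    $pkgs = Get-WindowsPackage -Path $Path
    return [bool]($pkgs | Where-Object { $_.PackageName -like '*KB2685811*' })
}

function Get-OfflineWdfVersion {
    param([string]$Path)
    # Assumption: Wdf01000.sys is the KMDF runtime and its file version reflects the
    # framework level (1.11 ships as 1.11.9200.x). Returns $null if the file is missing.
    $sys = Join-Path $Path 'Windows\System32\drivers\Wdf01000.sys'
    if (Test-Path $sys) { return (Get-Item $sys).VersionInfo.FileVersion }
    return $null
}

New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
Mount-WindowsImage -ImagePath $ImagePath -Index $ImageIndex -Path $MountPath | Out-Null
$save = $false
try {
    Write-Host ("KMDF runtime in image before servicing: {0}" -f (Get-OfflineWdfVersion -Path $MountPath))
    if (Test-KmdfHotfixPresent -Path $MountPath) {
        Write-Host 'KB2685811 is already present, nothing to do.'
    } else {
        # Same operation as the dism.exe /Add-Package line in the post, against the mounted WIM.
        Add-WindowsPackage -Path $MountPath -PackagePath $PackagePath | Out-Null
        if (Test-KmdfHotfixPresent -Path $MountPath) {
            Write-Host 'KB2685811 added; image will be saved.'
            $save = $true
        } else {
            Write-Warning 'Package not listed after Add-WindowsPackage; image will be discarded.'
        }
    }
} finally {
    # Commit only when the package was actually added; otherwise leave the WIM untouched.
    if ($save) { Dismount-WindowsImage -Path $MountPath -Save }
    else       { Dismount-WindowsImage -Path $MountPath -Discard }
}
```

After the WIM is saved, re-import it (or update the existing image package) in ConfigMgr and run the test/retest cycle the post describes before it reaches production.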

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client management

ITDevconnections session wrap-up : System Center 2012 R2 Configuration Manager and Intune: Setup and Deployment Notes from the Field, with a Focus on Single Sign-On

1:24 pm in ADFS, ADFS 2.1, ADFS 3.0, CM12, CM12 R2, CM12 SP1, Devconnections, ECM, intune, ITDevconnections, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM by Kenny Buntinx [MVP]

 

A big thanks to all who attended the sessions that Tim De Keukelaere and I presented. Below are the links to the blog posts we made earlier and referenced during the session! Hope to see you all again next year!


All blog posts were written when we encountered challenges or when we wanted to spread information. Some can be outdated, like the ADFS 2.1 blogs, but not much has changed. I’ll start updating them as soon as I find time for it :-)

Find them here :

Conquering BYOD with Implementing ConfigMgr 2012 R2 and Windows Intune,“ADFS”, “WAP”, “Workplace Join” and “Work Folders”. Part I at http://scug.be/sccm/2014/01/09/conquering-byod-with-implementing-configmgr-2012-r2-and-windows-intuneadfs-wap-workplace-join-and-work-folders-part-i/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1 at http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2 at http://scug.be/sccm/2013/07/08/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved-part-2/

ADFS & Workplace Join & Intune : "Profile Installation Failed" error when iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server at http://scug.be/sccm/2014/08/21/adfs-workplace-join-intune-profile-installation-failed-error-when-ios-device-is-workplace-joined-by-using-drs-on-a-windows-server-2012-r2-based-server/

ADFS 2.1 in combo with windows Intune stops working with ‘Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘Domain\ADFS_srvc’, error code 0×5 at http://scug.be/sccm/2014/01/22/adfs-2-1-in-combo-with-windows-intune-stops-working-with-error-15404-state-19-could-not-obtain-information-about-windows-nt-groupuser-domainadfs_srvc-error-code-0x5/

ADFS 3.0 on Windows 2012 R2: adfssrv hangs in starting mode and makes you’re domain controller unusable after reboot at http://scug.be/sccm/2014/01/15/adfs-3-0-on-windows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusable-after-reboot/

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment at http://scug.be/sccm/2014/06/08/windows-intune-configmgr-2012-notes-from-the-field-around-compliance-settings-and-enrollment/

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue ! at http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Configmgr 2012 & Windows Intune SSO : Self- signed certificate for token signing is about to expire. Now What? at http://scug.be/sccm/2014/04/23/configmgr-2012-windows-intune-sso-self-signed-certificate-for-token-signing-is-about-to-expire-now-what/

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8” at http://scug.be/sccm/2013/07/19/windows-phone-8-not-enrolling-with-the-support-tool-for-windows-intune-trial-management-of-window-phone-8/

Windows Intune & Dirsync : Error message “stopped-server-down” (FIM Synchronization Service Manager) at http://scug.be/sccm/2013/07/18/windows-intune-dirsync-error-message-stopped-server-down-fim-synchronization-service-manager/

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ADFS & Workplace Join & Intune : "Profile Installation Failed" error when iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server

4:59 am in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, intune, MDM, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, UDM, Workplace Join by Kenny Buntinx [MVP]

Hi,

We’ve got our 2012 R2 Workplace Join environment up and running in our lab, with one Windows 8.1 client successfully browsing the claims app. When we tried to workplace join an iPad, it got as far as the Workplace Join screen.

If you want to know what ‘Workplace join’ is and how to manage it, please visit my earlier blog post at  http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Attempting to install the profile resulted in two different errors:

– On the iPad you see the profile installation fail. This assumes the Apple iOS device is configured using over-the-air enrollment and an Apple certificate for the iOS device has expired. In this situation you receive an error message that resembles the following: ‘Profile Installation Failed: the server certificate for federation server name/otaprofile/profile?operation=enroll is invalid.’

– On the ADFS WAP server, I see the following issue in the event viewer:

[Screenshot: event viewer entry on the ADFS WAP server]

There are two main places you can start when troubleshooting an iOS-specific issue. 

1) The DRS event logs on the AD FS server may shed some light on what is wrong.
2) The iOS device logs. You’ll need to download the iPhone Configuration Utility (works with iPads as well): http://support.apple.com/kb/DL1466

Microsoft has released a hotfix for this: http://support.microsoft.com/kb/2970746. Make sure to download and install it!
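The first troubleshooting step above (the DRS and AD FS event logs on the AD FS server), together with a check of the certificate the iOS error complains about, as an added example. This is not the post’s own script: it runs on the AD FS 2012 R2 server, discovers the AD FS and Device Registration Service admin channels by wildcard (the exact channel names are an assumption, which is why they are looked up rather than hard-coded), pulls the recent error and warning events, and lists the SSL certificates bound to the federation service with their expiry dates. The `Get-AdfsSslCertificate` output properties (`HostName`, `PortNumber`, `CertificateHash`) are assumed from the AD FS module.

```powershell
# Added example (not from the original post): collect recent DRS / AD FS error events and
# check the federation service SSL certificate bindings on an AD FS 2012 R2 server.
# Assumptions: run elevated on the AD FS server; the ADFS PowerShell module is present.

function Get-DrsErrorEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Discover the admin channels by wildcard so the script does not depend on exact names.
    $logs = Get-WinEvent -ListLog 'AD FS/Admin', '*Device Registration*' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty LogName
    foreach ($log in $logs) {
        # Level 2 = Error, 3 = Warning
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id,
                          @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

function Test-AdfsSslCertificate {
    # Each binding is a host name / port the federation service listens on and the
    # thumbprint of the certificate HTTP.sys presents there.
    foreach ($b in (Get-AdfsSslCertificate)) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $b.CertificateHash }
        [pscustomobject]@{
            HostName   = $b.HostName
            Port       = $b.PortNumber
            Thumbprint = $b.CertificateHash
            Subject    = if ($cert) { $cert.Subject } else { '(not found in LocalMachine\My)' }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Expired    = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        }
    }
}

Get-DrsErrorEvents -Hours 24 | Format-Table -AutoSize
Test-AdfsSslCertificate | Format-Table -AutoSize
```

An expired or mismatched certificate on the enrollment host name is what the iOS ‘server certificate … is invalid’ message points at; if the bindings look right and the events show DRS failures, the hotfix above is the next thing to apply.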

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment

4:00 pm in BYOD, Cloud, CM12, CM12 R2, configmgr 2012 R2, ConfigMgr 2012 SP1, ECM, email Profile, email Profiles, intune, iOS, ipa, Ipad, ITPROceed, MDM, OMA-DM, OMA-URI, personal, plist, policy, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM, windows 8.1, Windows Intune, Windows Intune Extensions, Windows Phone 8.1, Windws Intune, Work Folders, WP 8.1 by Kenny Buntinx [MVP]

 

Today there isn’t much hands-on information about managing mobile devices such as Windows Phone, iPhone or Android using the MDM solution with Windows Intune and System Center Configuration Manager 2012 R2. This blog post is intended to give you better knowledge and to consolidate the earlier blogs I have been writing.

Troubleshoot MDM in Intune / ConfigMgr

The big challenge is troubleshooting mobile device management in general, and in particular with ConfigMgr and Intune, because ConfigMgr on its own is a product known for its extensive logging.

With Windows Intune connected to System Center Configuration Manager 2012 R2, you have 6 log files on premise that you can look into:

  • ConnectorSetup.log (Records details of connector role installation)
  • FeatureExtensionInstaller.log (Records information about the installation and removal of individual extensions when they are enabled or disabled in the Configuration Manager console)
  • CertMgr.log (Records certificate and proxy account information)
  • Cloudusersync.log (Records license enablement for users)
  • DMPuploader.log (Records details for uploading database changes to Windows Intune)
  • DMPdownloader.log (Records details on downloads from Windows Intune)

1. Enrolling the mobile devices

  • OMA-DM and OMA-URI:

First of all, you need to know what OMA-DM is. OMA-DM is an open standard that Apple, Android and Microsoft use. All MDM solutions use the OMA-DM API to manage those devices. More information on OMA-DM can be found here.

Together with WP 8.1, Microsoft has released a comprehensive guide called ‘Windows Phone 8.1 MDM protocol documentation’. You will need this guide as a reference to find all the custom, not-so-out-of-the-box OMA-URIs. An OMA-URI can be seen as a registry setting or hive. You can download it here.

If enrollment does not work, verify that the right platform is selected in your “Windows Intune Subscription”, otherwise you will get errors like this:

ERROR: Service health log: User ‘******************************32ad82′ is not eligible to enroll a device of type ‘WindowsPhone’. Reason ‘DeviceTypeNotSupported’.


  • Enrollment for Windows Phone 8 or 8.1:

Enrollment for Windows Phone does not offer the same experience as iOS or Android. With Windows Phone 8 or 8.1 you will need to go to the settings page and search for either ‘company portal’ or ‘workplace join’. Don’t you love Microsoft’s consistency here?

  • Trouble enrolling your Windows Phone?

SSP portal software certificate signing:

Make sure that your SSP portal software is signed with either your own ‘Symantec certificate’, which you need to buy, or by using the “Support tool for Windows Intune”. Download the company portal at Windows Intune Company Portal for Windows Phone.

If the SSP portal is not signed correctly or the certificate has expired, your phones will stop enrolling and you’ll never get any error message. The phone just tells you it can’t find the server…

Be sure to read the release notes:

Read here: http://technet.microsoft.com/en-us/library/jj662694.aspx

Windows Phone 8.1 devices fail to enroll with Windows Intune when device authentication is enabled in AD FS 2012 R2 (aka 3.0) called ‘Workplace Join’.

Issue: When you enroll a Windows Phone 8.1 device, enrollment fails if the optional setting for device authentication is enabled as part of global authentication policy in Active Directory Federated Services (AD FS).

Workaround: Disable device authentication on the AD FS server by unchecking Enable device authentication in Edit Global Authentication Policy.

  • Your phone is enrolled and you want to protect it from un-enrollment?

You have corporate-owned Windows Phones and you want that, when the ‘device owner’ in CM12 R2 is set to “corporate”, a user can’t un-enroll that “corporate” device, unless you are the ConfigMgr 2012 MDM admin.

As this seemed logical to me, we couldn’t do it out of the box with Windows Phone 8 or 8.1 and Windows Intune; a missed opportunity, I would say. However, with the launch of Windows Phone 8.1 at the Build conference, a new set of OMA-DM management capabilities was added.

Read the complete blog post on how to do it here:

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1 at http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/

  • Enrollment for IOS or Android :

On an iOS device open the Apple App Store, search for Company Portal and select the Windows Intune Company Portal from the list of available apps. Once installed, open the application and tap Add Device. You will be presented with information about the portal; tap Add in the top right corner.

There are no specific requirements for enrolling Android devices except enrolling through the Self Service Portal.

2. Debugging on the mobile devices

There really is not that much you can see in terms of what is going on between the Intune tenant in the cloud and the mobile device itself. There is no real interface to push or pull stuff, so you are pretty much left in the dark many times.

However, most of the changes made in ConfigMgr are replicated up to the Intune cloud service every 5 minutes. Apart from that, you just have to wait for things to happen.

  • WP 8 / 8.1: Really nothing you can see on the device. No log file that you can find, retrieve or view. Microsoft should really do something about this.

  • iOS: Shake it, shake it hard! There is one log file, and it can be accessed from an iOS device by logging into the Company Portal app. After login, shake the iPhone or iPad and you will see options to send the log file via email for further analysis.

Funny note: the shake action can be disabled from the iOS Settings area. For a fun practical joke on a colleague you can disable the shake action and see how long they shake the device before giving up!

  • Android: No specific experiences, but honestly I don’t think Microsoft provides anything out of the box.

If you get the UserLicenseTypeInvalid error message when trying to enroll an iOS/Android device, most likely this is due to users not being synced, an issue with the ConfigMgr AD user discovery, or the ConfigMgr connector to the Intune service not syncing properly, as the users are then missing from the “Intune users” collection.

3. Targeting the mobile devices

Divide Mobile devices into different collections for Windows Phones, Windows RT, Android, iPads and iPhones if you for instance want to target different compliance settings to different sets of devices.

Create your collections based on the class “Mobile Device Computer System” where the “Device Model” is your key identifier.

  • The query to list all Windows Phone 8 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.0%"

  • The query to list all Windows Phone 8.1 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.1%"

  • The query to list all Windows RT devices in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like "Surface%"

  • The query to list all iPhones in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

  • The query to list all iPads in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

  • The query to list all Android in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "Android%"
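The six collection queries above, created in one go with the ConfigMgr 2012 R2 PowerShell cmdlets, as an added example (not the post’s own script). The WQL is the post’s, assembled from a shared SELECT clause; the site code, collection names and the limiting collection are placeholders, and the module is loaded from the console installation path via `$env:SMS_ADMIN_UI_PATH`.

```powershell
# Added example (not from the original post): create one device collection per mobile
# platform, each with the corresponding query membership rule from the post.
# Assumptions: the ConfigMgr 2012 R2 console (and its PowerShell module) is installed on
# this machine; site code 'P01' and limiting collection 'All Systems' are placeholders.
$SiteCode = 'P01'
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Shared SELECT clause and the three joins used by the queries in the post.
$select  = 'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
           'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client ' +
           'from SMS_R_System '
$joinOs  = 'inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId '
$joinDev = 'inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId '
$joinPc  = 'inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId '

# Collection name -> WQL (names are placeholders; the WHERE clauses are the post's).
$collections = [ordered]@{
    'MDM - Windows Phone 8'   = $select + $joinOs  + 'where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.0%"'
    'MDM - Windows Phone 8.1' = $select + $joinOs  + 'where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.1%"'
    'MDM - Windows RT'        = $select + $joinPc  + 'where SMS_G_System_COMPUTER_SYSTEM.Model like "Surface%"'
    'MDM - iPhone'            = $select + $joinDev + 'where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"'
    'MDM - iPad'              = $select + $joinDev + 'where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"'
    'MDM - Android'           = $select + $joinDev + 'where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "Android%"'
}

foreach ($name in $collections.Keys) {
    $existing = Get-CMDeviceCollection -Name $name
    if (-not $existing) {
        # Placeholder limiting collection; scope it to whatever holds your mobile devices.
        New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Systems' | Out-Null
        # Add the query rule only on first creation so re-running the script does not
        # stack duplicate rules on the same collection.
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName "$name rule" `
            -QueryExpression $collections[$name]
        Write-Host "Created collection '$name' with its query rule."
    } else {
        Write-Host "Collection '$name' already exists, skipped."
    }
}
```

Membership is evaluated on the collection’s schedule (or after a manual Update Membership), so newly enrolled devices show up once hardware inventory from the Intune connector has populated the DEVICE_* classes the queries rely on.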

4. Targeting Applications on the mobile devices

WP 8 / 8.1:

You first need to join the Windows Phone Dev Center before you can request a code-signing certificate from Symantec; your Windows Phone Dev Center account is required to obtain that certificate. If you are not in a hurry and want to do a POC, or want a trial certificate, see Support tool for Windows Phone trial management.

This Symantec certificate is needed to deploy the company portal app. Download the company portal at Windows Intune Company Portal for Windows Phone.

Windows Phone 8.1 can handle *.xap, *.appx and *.appxbundle, while Windows Phone 8.0 can only handle *.xap.

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. It will silently install the application.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. It will silently install the application.

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Windows RT devices :

The following post contains the steps which you, as an IT administrator, can perform to troubleshoot and investigate software distribution (download and install) issues on a Windows RT client:

http://blogs.technet.com/b/configmgrteam/archive/2013/03/13/troubleshooting-windows-rt-client-software-distribution-issues.aspx

IOS:

To sideload an application (*.ipa) you either need to have developed it in-house or bought it from a developer who allows you to sideload it, and you need a proper Apple developer account as well: https://developer.apple.com/programs/ios/

You cannot sideload an app that you have downloaded and paid for in iTunes, which would be wrong in terms of license agreements. For those applications you can create a link to the application in the App Store and distribute that link.

So if you want to sideload an application that you bought from the App Store, I suggest you contact that company/developer and see if they are interested in selling the application to you that way instead of through the App Store.

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario you can install apps and content locally with Apple Configurator or your MDM solutions such as Windows Intune.

When deploying an IPA you have three options:

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

I have written a blog post to clarify the support around CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file at http://scug.be/sccm/2014/03/18/cm12-and-intune-deploying-windows-ipa-ios-applications-requires-a-plist-file/

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Android:

As I have not deployed any software to android devices so far, I am going to exclude this section from any comment.

5. Providing Company Resource Access the mobile devices

When a user enrolls their device into Windows Intune, an organization’s certificates, Wi-Fi, VPN, and email profiles can automatically be configured on the device.   This will enable users to quickly access internal corporate resources with the appropriate security configurations set, without having to call the help desk.  Access to email and corporate data stored in OneDrive for Business can be automatically restricted if a user tries to access those resources on a device which is not enrolled for management.  Access can automatically be restricted if the device is de-enrolled from Windows Intune or falls out of the compliance policy set by the administrator.  For example, if someone jailbreaks their previously-enrolled iPad, access to Exchange and OneDrive for Business can be revoked until the problem is corrected.

As a cloud service, the ‘Extensions for Windows Intune’ feature provides frequent, dynamic feature updates to System Center 2012 R2 Configuration Manager, roughly every quarter, without any on-premises infrastructure update. The product team is currently rolling out those updates to ConfigMgr through the so-called “Windows Intune extensions” (or ‘W.E.A.V.E’) feature, which adds support for newly released Windows Intune features for Unified Device Management.

I have written a blog post that explains those so-called CM12 Intune extensions in detail:

CM12 Extensions for Windows Intune: Resources and gotcha’s at http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/

On the other hand we have:

Email Profiles:

Extensions like email profile provisioning make it very easy for end users to connect to corporate email from their mobile devices, while at the same time ensuring that administrators can protect corporate data by being able to selectively wipe email from lost or stolen mobile devices.

The ConfigMgr administrator can now configure email profiles that supply both email server information and related policies. However, sometimes the profile doesn’t come down, and therefore I have written the following blog post that explains this in detail:

Configmgr 2012 and Intune: Provisioning Email Profiles and the why the profile may not turn up on devices such as an Ipad at http://scug.be/sccm/2014/03/21/sysctr-configmgr-2012-and-intune-provisioning-email-profiles-and-the-why-the-profile-may-not-turn-up-on-devices-such-as-an-ipad/

TIP: Be aware that this profile can only be deployed to user-based collections.

Certificate Profiles:

Certificate profiles in System Center 2012 Configuration Manager work with Active Directory Certificate Services and the Network Device Enrollment Service (NDES) role to provision authentication certificates for managed devices so that users can seamlessly access company resources.

For example, you can create and deploy certificate profiles to provide the necessary certificates for users to initiate VPN and wireless connections.

Certificate profiles in Configuration Manager provide the following management capabilities:

  • Certificate enrollment and renewal from an enterprise certification authority (CA) for devices that run iOS, Windows 8.1, Windows RT 8.1, and Android. These certificates can then be used for Wi-Fi and VPN connections.
  • Deployment of trusted root CA certificates and intermediate CA certificates to configure a chain of trust on devices for VPN and Wi-Fi connections when server authentication is required.
  • Monitoring and reporting on the installed certificates.

TIP: Be aware that this profile can be deployed to user-based or device-based collections.

VPN Profiles:

VPN profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor VPN profiles. By deploying these settings, you reduce the end-user effort that is required to connect to resources on the company network.

When a VPN profile deployment is removed, the VPN profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to user-based collections.

Wi-Fi Profiles:

Wi-Fi profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor wireless network settings to devices in your organization. By deploying these settings, you minimize the effort that end users require to connect to corporate wireless networks.

When a Wi-Fi profile deployment is removed, the Wi-Fi profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to user-based collections.

6. Calling Microsoft (Intune) Support

Do not hesitate to contact Intune technical support whenever you encounter a problem. As you have no insight into Intune, contacting support is many times the only way to figure out what is or is not going on with your mobile device management. Support phone numbers for Intune specifically are listed at the Microsoft Support web site.

They will need the following information to help you solve the case swiftly; please collect it before calling Microsoft PSS/CSS.

Search criteria

  • LSU, MSU, account id, user id(last 6 digits)
  • email domain or other feature specific keyword
  • Time of incident (time zone)
  • Logs (DMPUploader.log, DMPDownloader.log, CloudUserSync.log)

Example

  • AccountId : 21c26ac1……29b40f
  • LsuId : LSUA01
  • MsuId : MSUA01
  • UserID : ……d7facc
  • Domain : contoso.onmicrosoft.com

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

Configuration Manager 2012 and the need of keeping your Driver database lean and clean !

8:03 pm in CM12, CM12 R2, CM12 SP1, Deployment, Drivers, OSD, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, sccm RTM, Task Sequence by Kenny Buntinx [MVP]

 

Hi ,

Lately we had an issue on a CM2012 R2 production environment when exporting a “task sequence” from our acceptance environment and importing that exported “task sequence” into production: the task sequence import would fail with an out-of-memory message.

The exact message was : “System.OutOfMemoryException , Exception of type ‘System.OutOfMemoryException’ was thrown” as shown in the picture below:

[Screenshot: System.OutOfMemoryException error shown during the task sequence import]

Several people recommended that I increase the WMI memory allocation as described here: http://anoopcnair.com/2011/05/06/configmgr-sccm-how-to-increase-wmi-default-memory-allocation/ . Anoop links to the “_providerhostquotaconfiguration” class in his article. Anoop’s advice is not uncommon; although the supportability of this is questionable without PSS/CSS support, it’s a common test/fix given on PSS/CSS calls related to slow or underperforming console issues.

My advice: DON’T DO THIS BLINDLY or without PSS/CSS support. You’d be crazy to do anything to WMI on a ConfigMgr production environment that you don’t understand the impact of. And if it’s a component as critical as WMI is to ConfigMgr, then you’d better do your homework before implementing it in production.

And this blog post explains what the impact is: http://blogs.technet.com/b/askperf/archive/2008/09/16/memory-and-handle-quotas-in-the-wmi-provider-service.aspx

We increased the WMI memory allocation, with PSS support, up to 8 GB (the server has 16 GB of physical memory), but no luck at all.

A little recap and issue definition:

  1. We created an OSD task sequence deployment in our acceptance environment.
  2. Once validated, we exported the TS without content (content is located on a shared UNC storage path) but with dependencies.
  3. We tried to import the exported TS into production; the import fails both through the GUI and via the PowerShell cmdlets. The import of the exported task sequence into production fails with an out-of-memory error as shown in the screenshot above.
  4. We tested both on the primary site server itself and via a remote console –> same result.
  5. We have sufficient memory available on the server. I saw that the PowerShell session on the primary site server used up to 1.5 GB of RAM during the import (memory was not maxed out, 74% used).

Further investigation led us to the size of the exported task sequence, which was about 235 MB (without content, go figure!). You would probably say: “What the hell did you put into that task sequence?????” Well, the customer needs to support 55 different hardware models because of the way they have to buy their hardware. Crazy, I know, and the fact is that they know that as well; however, they can’t change this purchase behavior.

That being said, they have 55 HW driver packs and around 4800 drivers imported in their CM12 driver DB.

After testing, we discovered that if the exported task sequence is more or less bigger than 135 MB in size, it will fail to import with the error displayed above. Once we lowered the number of drivers referenced in the driver packages, and therefore also in the CM12 driver database itself, so that the exported TS was below 135 MB in size, the import succeeded. However, we could never pinpoint the exact size at which the task sequence would fail, as this was somewhere between 135 and 145 MB.

What I recommend you to do:

  • One of the biggest mistakes customers make is to go to the manufacturer’s website and grab every driver with those so-called “enterprise driver packs” that contain drivers for multiple models…. Hell no; mostly the drivers are outdated and full of additional crap…
  • Use common sense and only import drivers that are applicable to machines in your environment. I do not recommend that drivers are blindly imported into ConfigMgr where there is no actual benefit. This will just cause the database to bloat and the task sequences to become unwieldy. I recommend that any unused drivers/driver packages are removed from ConfigMgr.
  • If you have a large number of manufacturers and models, or you run into conflicts, you can apply the driver package based on category or apply a specific package, especially when exporting/importing task sequences.
  • Typically graphics card, Intel vPro, sound card or custom “hotkey” drivers are “bad” drivers. Those should be installed as applications from the setup.exe or MSI.

To give you an idea, we went for a Lenovo C30 desktop model from ± 400 drivers to 22 drivers. Keep it clean and tight. It will cost you more energy in the beginning, but will save you a lot of time when you need to debug. That’s the message I am trying to give you!
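As an added example (not part of the original post), the following PowerShell puts numbers on the two things discussed above: how many drivers and driver packages the site database actually holds, and whether an export you already produced sits at or above the ~135 MB range where the import failed. It uses the standard ConfigMgr console cmdlets; the site code and the export path are placeholders to replace.

```powershell
# Added example, not from the original post. Assumes the ConfigMgr console
# (and therefore the ConfigurationManager module) is installed locally.
$SiteCode    = 'PS1'                     # placeholder site code
$ExportPath  = 'C:\Temp\TS-Export.zip'   # placeholder: file written by Export-CMTaskSequence
$ThresholdMB = 135                       # lowest failing export size observed in the post

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$SiteCode`:"

# How bloated is the driver database? These two cmdlets return every driver /
# driver package the site knows about.
$driverCount  = (Get-CMDriver | Measure-Object).Count
$packageCount = (Get-CMDriverPackage | Measure-Object).Count
Write-Host ("Drivers in site DB: {0}   Driver packages: {1}" -f $driverCount, $packageCount)

# Size check of an export produced without content but with dependencies.
if (Test-Path -LiteralPath $ExportPath) {
    $sizeMB = [math]::Round((Get-Item -LiteralPath $ExportPath).Length / 1MB, 1)
    if ($sizeMB -ge $ThresholdMB) {
        Write-Warning ("Export is {0} MB, at or above the {1} MB range where the import failed; trim the driver package references before importing." -f $sizeMB, $ThresholdMB)
    } else {
        Write-Host ("Export is {0} MB, below the {1} MB threshold." -f $sizeMB, $ThresholdMB)
    }
} else {
    Write-Warning "Export file not found: $ExportPath"
}
```

Run it on the source site after the export; a high driver count together with an export near the threshold is the signal to start removing unused drivers and packages, as recommended above.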

Hope it helps ,

Kenny Buntinx

MVP Enterprise Client Management

ConfigMgr 2012 SP1 R2 Intune: CloudUserSync – delta sync to cloud failed

5:14 am in CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, intune, MDM, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM, Windows Intune by Kenny Buntinx [MVP]


Hi,

After configuring a trial intune subscription I got a funny error in the CloudUserSync log:

ERROR: SetLicensedUsers exception The Dmp Connector cannot connect to Windows Intune. Verify that you are connected to the Internet,….
UserSync: Failed to perform delta sync. error = Unknown error 0x8013150C, 0x8013150C

further down in the log file :

ERROR: GetServiceAddresses – LSU cannot be reached: System.ServiceModel.ProtocolException: The content type text/html; charset=UTF-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly


If you search for this error you can see this happening with other services as well (Azure) and it is where the binding from your local server doesn’t match the endpoint (in this case intune/Azure)

It turned out that the customer had provided me with a demo lab environment and it was still sitting on System Center Configuration Manager R2 Preview.

#Notetomyself: Check all components for the correct versioning before you start. Never take it for granted.


Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Sysctr Configmgr 2012 and Intune: Provisioning Email Profiles and why the profile may not turn up on devices such as an iPad.

7:39 pm in CM12, CM12 R2, CM12 SP1, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, email Profile, email Profiles, intune by Kenny Buntinx [MVP]


Hi All,

The ‘Extensions for Windows Intune’ feature provides frequent, dynamic feature updates to System Center 2012 R2 Configuration Manager without any on-premises infrastructure update. New extensions like email profile provisioning make it very easy for end users to connect to corporate email from their mobile devices while at the same time, it ensures that administrators can protect corporate data by having the ability to selectively wipe email from lost or stolen mobile devices.

Now my colleague MVP Nico Sienaert (http://www.linkedin.com/profile/view?id=19113864&locale=en_US&trk=tyah&trkInfo=tas%3Anico%20%2Cidx%3A1-1-1) and some other MVP’s including myself had issues around the provisioning of email profiles. Sometimes they never showed up on an iPad.

Nico did some investigation with the product team back in Redmond and found some interesting details that can potentially block an email profile from being delivered to the device.

Problem description: Mail profile not being provisioned on iOS devices such as the iPad.

Problem solution: They discovered that my mail property in AD was empty. Apparently this is required for email profiles. Once that field in AD was filled in and we made sure this value was populated in the CM DB (User Discovery), the profile arrived almost immediately.

Anyway, lesson learned: make sure you ALWAYS have the mail property filled in on your AD user. Currently this is not documented yet, but it will be in the future.

When do you need the AD mail attribute?

  • IF you are using UPN for email addresses, then no AD attribute is needed. For Office 365, we already know the UPN and mail address, so not needed.
  • IF you are using SMTP, then you do need the mail attribute in AD.
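An added example (not from the original post) of the check I would run before deploying an SMTP-based email profile: list enabled AD users whose mail attribute is empty, since those are exactly the users the profile will not reach. It assumes the RSAT ActiveDirectory module is available; the OU and the sample identity in the comment are placeholders.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=corp,DC=example'   # placeholder OU to scope the query

# Enabled users with no value in the mail attribute.
$missing = Get-ADUser -Filter { Enabled -eq $true -and mail -notlike '*' } `
                      -SearchBase $SearchBase `
                      -Properties mail, UserPrincipalName |
           Select-Object SamAccountName, UserPrincipalName, mail

if ($missing) {
    Write-Warning ("{0} enabled user(s) have no mail attribute; SMTP email profiles will not be provisioned for them:" -f @($missing).Count)
    $missing | Format-Table -AutoSize
} else {
    Write-Host 'All enabled users in scope have a mail attribute.'
}

# To fix a single user after review (placeholder identity and address):
# Set-ADUser -Identity 'jdoe' -EmailAddress 'jdoe@corp.example'
# Then run (or wait for) Active Directory User Discovery so the value
# reaches the ConfigMgr database, as described in the post.
```

Note that the UPN-based case in the first bullet does not need this attribute, so scope the query to the users who will get an SMTP profile.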

Hope that Helps ,

Kenny Buntinx

Enterprise Client Management MVP

CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file

7:18 am in Apple, CM12, CM12 R2, CM12 SP1, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, deployment types, intune, iOS, ipa, Ipad, plist by Kenny Buntinx [MVP]


To side load an application (*.ipa) you need either to have developed it in-house or to have bought it from a developer who allows you to side load it, and you need a correct Apple developer account as well: https://developer.apple.com/programs/ios/

You cannot side load an app that you have downloaded and paid for in iTunes; that would be wrong in terms of license agreements. For those applications, you can create a link to the application in the App Store and distribute that link.

So if you want to side load an application that you bought from the App Store, I would suggest that you contact that company/developer and see if they are interested in selling the application to you that way instead of through the App Store.

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario you can install apps and content locally with Apple Configurator or your MDM solutions such as Windows Intune.

Volume Purchase Program

The Volume Purchase Program (VPP) allows businesses to purchase iOS apps and books in volume and distribute them to employees. You can also get custom B2B apps for iOS that are built uniquely for you by third-party developers and procured privately through the VPP store. MDM solutions integrate with VPP and can be used to assign apps and books to users. When apps are no longer needed, MDM can be used to revoke and reassign them to a different user. Each app is automatically available for download on all the user’s devices, with no additional effort or cost to you. Redemption codes can also be purchased through VPP for use with Apple Configurator, or in situations where MDM is not applicable. To learn more about the Volume Purchase Program, see http://www.apple.com/business/vpp


GOTCHA: The Volume Purchase Program (VPP) isn’t available in Belgium or Benelux. Up till now, European companies can only subscribe to the VPP program if they are resident in the UK or Germany. This isn’t really helping with our MDM solution, but later in this blog post we show you that we found an alternate solution (unfortunately NOT supported).

Enterprise in-house apps

Develop iOS apps for use by your company using the iOS Developer Enterprise Program. This program offers a complete and integrated process for developing, testing, and distributing your iOS apps to employees within your organization. Distributing in-house apps can be done either by hosting your app on a simple web server you create internally, or by using a third-party MDM or app management solution. The benefits of managing in-house apps with MDM include the ability to configure apps remotely, manage versions, configure single sign-on, set policies for network access such as per-app VPN, and control which apps can export documents.

Distributing the app with your MDM solution such as Intune

To distribute an iOS application, you must have a valid .ipa package and a manifest (plist) file. The manifest file is an XML .plist file that is used to find, download and install any iOS applications that are located outside the App Store. The manifest file cannot exceed 10 KB. For more information, see the relevant Apple documentation.

  • The .ipa package must be valid. This means that the package was signed by Apple and the expiration date indicated in the provisioning profile is still valid.
  • For iOS applications, Windows Intune can distribute enterprise certificate iOS applications. Not all Apple developer certificate applications are supported.
  • Your enterprise must be registered for the iOS Developer Enterprise Program.
  • Make sure that your organization’s firewall allows access to the iOS provisioning and certification web sites.

I saw many people in the forums and on the internet having difficulty uploading and deploying iOS applications, mainly because they do not have access to a VPP program from Apple. I managed to upload the iOS (*.ipa) application into Configuration Manager 2012 R2, and also managed to download and install the uploaded iOS application to the iPad from the Company Portal.


Creating a Manifest (plist) File from just an App File

All you need to do is find out the bundle-identifier and bundle-version for your app, then fill them in in the template below.

GOTCHA: Not all applications ship with a plist file; it also depends on the Mac OS X version (Apple changed the locations in 10.6 and again in 10.9.1 – check out this thread: http://hints.macworld.com/article.php?story=20121101064200135), and currently CM12 with Intune does not support that!

Getting the bundle-identifier and bundle-version from IPCU (iPhone Configuration Utility).

Unfortunately, the app’s bundle-identifier and bundle-version will not be directly readable because an .ipa file is usually signed. However, the data you need is made available through Apple’s iPhone Configuration Utility.

First, download and install the iPhone Configuration Utility (IPCU).


After opening IPCU, click the "Applications" library item, and drag your .ipa file into the list. You should see the following page. The "Identifier" and "Version" columns are the bundle-identifier and bundle-version values respectively.

Now you can create the manifest file. Just copy manifest file contents below and replace the three highlighted values in the metadata dictionary with your own.

1. Replace the bundle-identifier with your identifier.

2. Replace the bundle-version with your version.

3. Replace the app’s name with your custom display name. This will be displayed to the user in an alert asking for permission to install the app.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>items</key>
    <array>
        <dict>
            <key>assets</key>
            <array>
                <dict>
                    <key>kind</key>
                    <string>software-package</string>
                    <key>url</key>
                    <string>http://placeholder/url/for/app.ipa</string>
                </dict>
            </array>
            <key>metadata</key>
            <dict>
                <key>bundle-identifier</key>
                <string>com.citrix.RecieverIpad</string>
                <key>bundle-version</key>
                <string>166</string>
                <key>kind</key>
                <string>software</string>
                <key>title</key>
                <string>Citrix Reciever</string>
            </dict>
        </dict>
    </array>
</dict>
</plist>


Save the *.plist file with the same name as the *.ipa file in the same source folder, and you will be able to import your IPA DT (deployment type) without any errors. However, I am not taking any responsibility here and this post is AS-IS with no liability whatsoever.
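To avoid hand-editing the template for every app, here is an added PowerShell example (my own, not from the original post) that builds the manifest from the three values you read in IPCU plus the download URL, writes it next to the .ipa with the same base name, enforces the 10 KB manifest limit mentioned earlier, and checks the result parses as well-formed XML without fetching the Apple DTD from the network. The identifier, version, title and URL in the usage line are placeholders.

```powershell
# Added example, not from the original post.
function New-IpaManifest {
    param(
        [Parameter(Mandatory)] [string] $IpaPath,           # local path of the .ipa
        [Parameter(Mandatory)] [string] $BundleIdentifier,  # IPCU "Identifier" column
        [Parameter(Mandatory)] [string] $BundleVersion,     # IPCU "Version" column
        [Parameter(Mandatory)] [string] $Title,             # name shown in the install prompt
        [Parameter(Mandatory)] [string] $PackageUrl         # URL the device downloads the .ipa from
    )
    if (-not (Test-Path -LiteralPath $IpaPath)) { throw "IPA not found: $IpaPath" }

    # Escape every supplied value so a title such as "Tom & Jerry" cannot break the XML.
    function Escape-Xml([string] $s) { [System.Security.SecurityElement]::Escape($s) }

    $xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>items</key>
    <array>
        <dict>
            <key>assets</key>
            <array>
                <dict>
                    <key>kind</key>
                    <string>software-package</string>
                    <key>url</key>
                    <string>$(Escape-Xml $PackageUrl)</string>
                </dict>
            </array>
            <key>metadata</key>
            <dict>
                <key>bundle-identifier</key>
                <string>$(Escape-Xml $BundleIdentifier)</string>
                <key>bundle-version</key>
                <string>$(Escape-Xml $BundleVersion)</string>
                <key>kind</key>
                <string>software</string>
                <key>title</key>
                <string>$(Escape-Xml $Title)</string>
            </dict>
        </dict>
    </array>
</dict>
</plist>
"@

    # Same folder, same base name, .plist extension, as the post requires.
    $plistPath = [System.IO.Path]::ChangeExtension($IpaPath, '.plist')
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($plistPath, $xml, $utf8NoBom)

    # Intune rejects manifests over 10 KB.
    $size = (Get-Item -LiteralPath $plistPath).Length
    if ($size -gt 10KB) { throw "Manifest is $size bytes; the 10 KB limit is exceeded." }

    # Parse the file back to prove it is well-formed. DTD processing is ignored and
    # no resolver is set, so nothing is fetched from apple.com and no external
    # entities can be expanded.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Ignore
    $settings.XmlResolver   = $null
    $reader = [System.Xml.XmlReader]::Create($plistPath, $settings)
    try { while ($reader.Read()) { } } finally { $reader.Close() }

    return $plistPath
}

# Usage with placeholder values:
# New-IpaManifest -IpaPath 'C:\Source\MyApp\MyApp.ipa' -BundleIdentifier 'com.example.myapp' `
#                 -BundleVersion '1.0' -Title 'My App' -PackageUrl 'http://placeholder/url/for/app.ipa'
```

The function returns the path of the manifest it wrote, so you can feed it straight into whatever creates the deployment type source folder.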

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

CM12 Extensions for Windows Intune: Resources and gotcha’s

2:43 pm in CM12 R2, email Profiles, intune, SCCM 2012 R2, Windows Intune Extensions, Windws Intune by Kenny Buntinx [MVP]


Hi ,

Last week a feature of System Center 2012 R2 Configuration Manager called “Extensions for Windows Intune” was released. This capability enables new features in Windows Intune to be available within your Configuration Manager console alongside the existing features without any on premises upgrade.

Enabling Exchange ActiveSync email profiles for mobile devices

Nico Sienaert already wrote a blog post on that, which you can find over here: http://scug.be/nico/2014/02/08/configuration-manager-windows-intune-console-extensions-in-action/

Be careful when enabling “Intune Extensions”, as they will be installed automatically. As soon as you enable the Intune extension, the next time someone opens a console a message pops up telling you that you need to install the console extensions. Great idea, but not in every scenario, as:

– Local install: You will need local admin rights to update them (helpdesk resources aren’t always local admin).

– Citrix: All your users have a shared console open. This means that all users need to have the console closed, and when launching the console update the user needs to have administrator rights to perform the update. Otherwise you are in an indefinite loop. There is currently no supported way to push the console extensions via applications/SCUP or other methods.

*** Workaround and NOT supported – You are on your own here ***

You can automate the steps below; however, this is the manual process.

After enabling certain “Intune Extensions”, go to your primary site server, grab the following under downloads and copy it to your Citrix server or the local install where the admin has no rights:

Make sure your ConfigMgr consoles are closed and execute all extensions with the following syntax:

FeatureExtensionInstaller.exe with the following options: <Install> / <Uninstall> / <Validate> / <Repair>

Go to your primary site server, grab the following file from D:\Microsoft Configuration Manager\AdminConsole\XmlStorage\Other\ and save it to your Citrix server or the local install where the admin has no rights.

Your console will no longer complain about the extensions that need to be installed.

*** Workaround and NOT supported – You are on your own here ***

Using Exchange ActiveSync email profiles for mobile devices

One of the first features to be available as an extension for Windows Intune is the ability to provision Exchange ActiveSync email profiles to mobile devices. This feature allows enterprises to deploy email profiles and restrictions so that workers can access corporate email on their personal devices without any required setup.

This is a great feature for provisioning corporate mailboxes on corporate owned devices and I like it; however, Microsoft needs to catch up fast on the “company data – selective wipe” of resources including email, because when a user’s mobile device is lost or stolen, the administrator or the end user can initiate a ‘selective wipe’ of corporate data including their corporate email.

Be aware that this is currently supported by the iOS native email client app, but not the Windows Phone 8 EAS mail app. I hope that will be fixed soon with the upcoming free Enterprise Feature Pack for Windows Phone 8 sometime in 2014.

This update is due in the first half of 2014 and will add the following features to Windows Phone 8:

  • S/MIME to sign and encrypt email
  • Access to corporate resources behind the firewall with app aware, auto-triggered VPN
  • Enterprise Wi-Fi support with EAP-TLS
  • Enhanced MDM policies to lock down functionality on the phone for more enterprise control, in addition to richer application management such as allowing or denying installation of certain apps
  • Certificate management to enroll, update, and revoke certificates for user authentication

For more information on provisioning ActiveSync email profiles to mobile devices using System Center 2012 R2 Configuration Manager and Windows Intune, see this blog post or the resources below:

https://blogs.technet.com/b/configmgrteam/archive/2014/01/29/provision-activesync-email-profiles-to-mobile-devices-using-configmgr-and-windows-intune.aspx

Here are some updates and added TechNet information about email profiles:

Configuration Manager 2012

Planning to Use Extensions in Configuration Manager (http://technet.microsoft.com/en-us/library/dn574730.aspx)

Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554227.aspx )

Introduction to Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554226.aspx )

Planning for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554232.aspx )

Prerequisites for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554229.aspx )

Configuring Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554233.aspx )

Operations and Maintenance for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554231.aspx )

How to Create Exchange ActiveSync Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554236.aspx )

How to Deploy Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554228.aspx )

How to Monitor Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554225.aspx )

Security and Privacy for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554235.aspx )

Technical Reference for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554230.aspx )


Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

OSD Capture fails on a HP Gen8 Hyper-V cluster

12:12 pm in 2012R2, capture, CM12, CM12 R2, CM12 SP1, hyper-V, OSD, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1 by Kenny Buntinx [MVP]


I’ve seen lots of people saying to use VMs to create images, and my customer decided to do it using Hyper-V as they see the Hyper-V scenario as a possible replacement for VMware. We did it on Hyper-V 2012 R2.

However, I was having a problem capturing the image with the Build & Capture task sequence. I have the VM (running Windows 7 x64 Enterprise). The VM ran through Sysprep and rebooted into WinPE, but then the problem starts. I checked the Captures folder to see if it had started creating the WIM file: only 1 KB was written and then it fails with “Exiting with return code 0x80004005”. That’s right, 1 freaky KB.

I do have the Legacy Network adapter installed so I can perform PXE boots on the VMs that I have created.

This was the first time I’ve worked with Hyper-V 2012 R2, so I wasn’t sure what to expect, as I had experience with Hyper-V 2008 R2 and 2012. I’ve looked at all the threads that mention "Hyper-V" but none have said they are having any problems.

I have tried a few things to see what happens, and to figure out what was wrong here. Finally we found out the issue:

We immediately thought of networking issues and not of a share or permission issue, as we could write a file of 1 KB.

1. When the VM started in WinPE to start capturing the image, we checked for an IP (F8 command prompt). We saw the correct IP, but suddenly, 5 seconds later, it changed back to an auto-assigned IP, APIPA (Automatic Private IP Addressing) for short. That was weird and we blamed it on the networking team. (For once we thought we had a reason, as the DHCP server was a Linux box.)

2. After ruling out the network (giving it a fixed IP, MAC reservation), we started to search a little deeper. Maybe it was the Hyper-V cluster or the virtual switch?

3. To rule out any virtual switch issues, we created a VM on the Hyper-V host itself and BINGO! The creation of the WIM file succeeded.

4. To make sure it was the Hyper-V cluster, we created a VM on the cluster and tried it again. Same problem: the VM ran through Sysprep and rebooted into WinPE, but then the problem starts. I checked the Captures folder to see if it had started creating the WIM file: only 1 KB was written and then it fails with “Exiting with return code 0x80004005”. That’s right, 1 freaky KB.

The solution:

OK, the problem is related to the Hyper-V cluster. After a little investigation, we discovered that people had reported issues with networking drops on HP Generation 8 hardware. I had the answer to my connectivity issue.

Our case is the same as described on the Hyper-V.nu blog:

http://www.hyper-v.nu/archives/marcve/2013/11/vnics-and-vms-loose-connectivity-at-random-on-windows-server-2012-r2/

http://www.hyper-v.nu/archives/pnoorderijk/2013/11/the-story-continues-vnics-and-vms-loose-connectivity-at-random-on-windows-server-2012-r2/

As a workaround, disabling VMQ works. More info on what VMQ does: http://blogs.technet.com/b/networking/archive/2013/09/10/vmq-deep-dive-1-of-3.aspx

The issue has been reported to HP support. We are awaiting feedback. In the meanwhile we will try this hotfix: http://support.microsoft.com/kb/2913659. It seems that after patching our cluster nodes with the hotfix, we haven’t had a VM guest lose network connectivity for over 24 hours. It was happening quite regularly with several VMs that send/receive lots of network traffic. If you haven’t applied this hotfix and you are experiencing this issue and/or others with your virtual switches, do it before opening a case at HP.
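As an added example (not from the original post), this PowerShell checks each cluster node for the two things above: whether KB2913659 is installed, and which adapters still have VMQ enabled. The interim VMQ workaround is included as a commented command so it is only run deliberately; the node names are placeholders. It relies on the built-in Get-HotFix, Get-NetAdapterVmq and Disable-NetAdapterVmq cmdlets available on Windows Server 2012 R2.

```powershell
# Added example, not from the original post. Run from a management host with
# PowerShell remoting to the Hyper-V cluster nodes.
$Nodes = 'HV-NODE1', 'HV-NODE2'   # placeholder cluster node names

$report = foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -ScriptBlock {
        # Is the virtual switch hotfix from the post present on this node?
        $hotfix = Get-HotFix -Id 'KB2913659' -ErrorAction SilentlyContinue

        # Which physical adapters still have VMQ switched on?
        $vmqOn = Get-NetAdapterVmq |
                 Where-Object { $_.Enabled } |
                 Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Node             = $env:COMPUTERNAME
            KB2913659Present = [bool]$hotfix
            VmqEnabledOn     = ($vmqOn -join ', ')
        }
    }
}

$report | Format-Table Node, KB2913659Present, VmqEnabledOn -AutoSize

# Interim workaround from the post: disable VMQ on the adapters backing the
# virtual switch. VMQ offload matters for throughput, so re-enable it with
# Enable-NetAdapterVmq once the hotfix (or a vendor fix) is confirmed to hold.
# Invoke-Command -ComputerName 'HV-NODE1' -ScriptBlock {
#     Get-NetAdapterVmq | Where-Object { $_.Enabled } |
#         ForEach-Object { Disable-NetAdapterVmq -Name $_.Name -Confirm:$false }
# }
```

Keep the report from before and after the hotfix; a node that still drops VM connectivity with the hotfix installed and VMQ disabled is the evidence to attach to the HP case.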

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management