
Hybrid scenarios with System Center Configuration Manager 2012 R2 – Windows Intune – ADFS – WAP – NDES – Workplace Join: Hotfixes you really need in your environment.

8:26 pm in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, EMS, hybrid, intune, Intune Standalone, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, WAP by Kenny Buntinx [MVP]


To get the most out of your lab or production environment when implementing the combined features of System Center Configuration Manager 2012 R2 and Intune for mobile workforce deployment, I advise you to install the following hotfixes:

For your System Center Configuration manager 2012 R2 environment and Windows Intune connector:


1. Install CU3 (KB2994331). A lot of things are fixed in each CU, but not every fix is noted in the release notes. It is therefore very important that you install the latest cumulative updates in general!

Why CUs matter (again!): pre-CU3 NDES templates need to be recreated. Re-targeting from device to user is not sufficient, as no proper migration happens when upgrading from CU1 or CU2!

2. Install KB article 2990658. This hotfix greatly reduces the time required to execute a successful retire or wipe of an MDM device by using a notification to "push" these tasks. Without this hotfix, retire and wipe operations could take up to 24 hours to complete, because they relied on a "pull" mechanism of that frequency. This hotfix will probably be included in the next cumulative update.

3. Install KB article 3002291. This hotfix fixes an issue in Microsoft System Center 2012 R2 Configuration Manager where, after a user becomes a cloud-managed user, a settings policy may not target the assignment for that user.

For your ADFS and WAP (Web Application Proxy) with Server 2012 R2 environment:


1. To fix the "Profile Installation Failed" error when an iOS device is workplace-joined by using DRS on a Windows Server 2012 R2-based server, see Knowledge Base article 2970746 and make sure you deploy KB2967917 on your WAP server, which is the July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

2. To fix "Large URI request in Web Application Proxy fails in Windows Server 2012 R2" when deploying an NDES server through the Web Application Proxy (WAP), see Knowledge Base article 3011135 (issue found and resolved by Pieter Wigleven) and make sure you deploy KB3013769 on your WAP server, which is the December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

For your CA (Certificate Authority) infrastructure when you want to use NDES:


1. The issuing CA needs to be Windows Server 2008 R2 (with KB2483564) or, preferably, Windows Server 2012 R2.


Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ITDevconnections session wrap-up : Managing Your Hybrid Mobile Cloud Workforce with System Center 2012 R2 Configuration Manager

7:56 pm in ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, Devconnections, ECM, extensions, intune, profile, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM by Kenny Buntinx [MVP]


A big thanks to all who attended our sessions, which were delivered by Tim De Keukelaere and myself. Below are the links to the blog posts we wrote earlier and referenced during the session! Hope to see you all again next year!


All blog posts were written when we encountered challenges or when we wanted to spread information. Some may be outdated, but not much has changed. I’ll start updating them as soon as I find time for it :-) .

Find them here :

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment at

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1 at

CM12 Extensions for Windows Intune: Resources and gotcha’s at

Deny Windows Phone Apps with Configuration Manager \ Intune at

Sysctr Configmgr 2012 and Intune : Provisioning Email Profiles and why the profile may not turn up on devices such as an iPad at

How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager at

Collecting IMEI from devices enrolled in Windows Intune with System Center 2012 R2 Configuration Manager at

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue ! at

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8” at

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

SCCM 2012 : “Another Installation is already in Progress” when deploying Applications thru OSD deployment.

11:26 am in agent, Application Model, applications, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, OSD, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, Task Sequence by Kenny Buntinx [MVP]


At one of my current customers, I have been stuck for two days now because one or two randomly selected applications were failing. If we looked in the ‘Status Messages’ and dug a little deeper, we saw there that:

‘Another installation is already in progress.Complete that installation before proceeding with this install.’


Knowing this is a highly secured environment, my first guess would be policies. However, I overruled this line of thinking because during the OSD process GPOs aren’t applied. That is a fact, except for one scenario I already blogged about, as described here ‘’, but that was not the issue…

Back to the drawing board and digging deeper in the smsts.log file… Suddenly, when hitting the F8 button, a popup appeared saying that I needed a reboot to complete the “Kaspersky Antimalware Client”… WTF is that doing in my task sequence?

Apparently someone at the customer decided to set a policy on the Kaspersky management server to push/install a Kaspersky client whenever its network scan detects computers that do not have a Kaspersky management agent installed. That little process hijacked my task sequence installation and jumped in the middle to install the Kaspersky agent.

Case closed… My advice: before troubleshooting ConfigMgr, start by asking who changed other parts of the environment.

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Configmgr 2012 & Windows Intune SSO : Self-signed certificate for token signing is about to expire. Now what?

12:15 pm in ADFS, ADFS 2.1, ADFS 3.0, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, intune, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, sso, Windows Intune, Windows Intune Extensions, windows inune by Kenny Buntinx [MVP]


This morning at a customer, I received the following mail in my mailbox, saying that my ADFS token-signing certificate would expire.

By default, AD FS 2.0 and 2.1 (and most likely 3.0) generate a new self-signed token-signing certificate every year, 20 days before the current certificate expires. This automatic rollover (generating a new certificate when the existing one is about to expire and making it the primary certificate) applies only to self-signed certificates generated by AD FS 2.x. The token-signing certificate is essential for the stability of the Federation Service. If it changes, the change must be communicated to Windows Azure AD; otherwise, applications for cloud services such as my Windows Intune service fail.


When the token-signing certificate of your home AD FS organization expires, the federation metadata between AD FS and Office 365 falls out of sync. Equally, when changes are made on the Office 365 or Windows Intune side that require updating the metadata, a similar issue arises. The “Microsoft Office 365 Federation Metadata Update Automation Installation Tool” script provided by the AD FS team makes sure that the federation metadata is validated regularly and that any changes are replicated between the two federating parties.

You must download the Microsoft Federation Metadata Update Automation Installation Tool and configure it on your primary federation server (or another writable federation server) so that the Windows Azure AD federation metadata is checked and updated automatically on a regular basis; that way, changes to the token-signing certificate in the AD FS 2.1 Federation Service are copied automatically to Windows Azure AD.

You can download the script here :

The script is called : O365-Fed-MetaData-Update-Task-Installation.ps1

To execute this tool successfully:

  • You must make sure that you have installed the latest version of the Microsoft Online Services Module for Windows PowerShell 
  • You need to have a functioning AD FS 2.0 Federation Service (execute this on your primary ADFS server)
  • You need to have access to Global Administrator credentials for your Office 365 tenant
  • You need to have at least one verified domain in the Office 365 tenant that is of type ‘Federated’
  • This tool must be executed on a writable Federation Server
  • The currently logged on user must be a member of the local Administrators group
  • The Microsoft Online Services Module for Windows PowerShell must be installed. You can download the module from

When you run the tool with the above prerequisites in place, the following screen appears:


It’s worth bearing in mind that the password policy will render the script unusable in the event of a password change on either side: the Windows Intune side with the MSOL account you specify, or the domain side with the user account used to run the scheduled task. It is possible to create service accounts on both sides whose passwords do not expire. However, I’d consider the security consequences of such a change before doing so automatically. On the O365 side this can be done with a standard Office 365 account via the Set-MsolUser cmdlet.

For example: Set-MsolUser -UserPrincipalName <UPN of the account> -PasswordNeverExpires $true -StrongPasswordRequired $true

The account could also technically be a federated account, but I don’t believe that’s a good idea. In the event that the trust is broken, a federated account won’t be able to connect to MSOL to update the federated domain information, and you would be in trouble big time!

To verify that the scheduled task is executed correctly, open Task Scheduler and verify that the task is there:


That’s again an automated task, so you no longer have to worry that your infrastructure is in danger :-)
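The checks below are an added example and not part of the original post or the AD FS team’s script: they list the ADFS token-signing certificates with their remaining lifetime, compare the certificate ADFS uses against the one Azure AD has on file for a federated domain, and report the last result of the metadata update scheduled task. It assumes the ADFS PowerShell module (Windows Server 2012 R2) and the MSOnline module are installed, that Connect-MsolService has already been run, and that the property names on Get-MsolFederationProperty output (Source, TokenSigningCertificate) are as documented for the MSOnline module; the domain and task names are placeholders.

```powershell
# Added example (not from the original post): ADFS token-signing certificate and
# federation metadata health check. Placeholders: $FederatedDomain, $TaskName.
param(
    [string]$FederatedDomain = 'contoso.example',                                  # placeholder
    [string]$TaskName        = 'Microsoft Office 365 Federation Metadata Update'   # placeholder: name you gave the task
)

$rolloverWindowDays = 20   # ADFS generates the next self-signed certificate this many days before expiry

# 1. On-premises side: every token-signing certificate with its remaining lifetime
$signing = Get-AdfsCertificate -CertificateType Token-Signing
foreach ($cert in $signing) {
    $daysLeft = [int]($cert.Certificate.NotAfter - (Get-Date)).TotalDays
    $role = if ($cert.IsPrimary) { 'primary  ' } else { 'secondary' }
    '{0} {1} expires {2:yyyy-MM-dd} ({3} days left)' -f $role, $cert.Thumbprint, $cert.Certificate.NotAfter, $daysLeft
    if ($cert.IsPrimary -and $daysLeft -le $rolloverWindowDays) {
        Write-Warning "Primary token-signing certificate is inside the $rolloverWindowDays-day rollover window; a new one is about to become primary."
    }
}

# 2. Cloud side: does Azure AD still trust the certificate ADFS is using?
$fedProps = Get-MsolFederationProperty -DomainName $FederatedDomain
$onPrem   = ($fedProps | Where-Object { $_.Source -like '*ADFS*' }).TokenSigningCertificate
$cloud    = ($fedProps | Where-Object { $_.Source -like '*Office 365*' }).TokenSigningCertificate
if ($onPrem.Thumbprint -ne $cloud.Thumbprint) {
    Write-Warning "Token-signing certificate out of sync: ADFS=$($onPrem.Thumbprint) Azure AD=$($cloud.Thumbprint)."
    Write-Warning "Run Update-MsolFederatedDomain -DomainName $FederatedDomain, or let the metadata update task do it."
} else {
    "Azure AD trusts the current ADFS token-signing certificate ($($cloud.Thumbprint))."
}

# 3. The scheduled task the installation script created: present, and last run succeeded?
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) {
    Write-Warning "Scheduled task '$TaskName' not found on this server."
} else {
    $info = $task | Get-ScheduledTaskInfo
    'Task {0}: state={1} last run={2} result=0x{3:X}' -f $TaskName, $task.State, $info.LastRunTime, $info.LastTaskResult
}
```

Run it on the writable federation server where the task was installed; a non-zero LastTaskResult, or a thumbprint mismatch in step 2, is exactly the situation where Intune sign-in starts failing once the old certificate is gone.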

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Configuration Manager 2012 OSD : Only import the Intel chipset drivers you really need for your brand/model !

6:31 pm in ConfigMgr 2007 R2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, ConfigMgr SP2, configmgr2007, Deployment, Drivers, Operating System Deployment, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, sccm RTM, sccm2007 by Kenny Buntinx [MVP]


Yesterday I wrote a blog post about why you should keep your “Driver DB” and “driver packages” as clean as possible, and why you do not need to import all the junk provided in those so-called “enterprise driver packages” for multiple models.

As a first tip to help you accomplish that, this blog post shows how to limit the number of *.inf files you need to import from the Intel(R) Chipset Device Software. When you download and extract the Intel(R) Chipset Device Software package, you will see that originally there are about 98 INF files present:


Now reduce the number of INF files:

Two command-line switches for setup.exe from the Intel(R) Chipset Device Software help us reduce the *.inf files we need to import into our “Driver Package”:

-AONLY Extracts only the INF files needed to install on the current system. If the install has already been run once successfully, ‘-AONLY’ will not return any INFs. When used in conjunction with the ‘-OVERALL’ switch, all the needed INFs for the system will be extracted.

-P <Installation Path> Specifies the hard disk location to which the INF files are copied. If this flag is not specified at the command line, the default <Installation Path> is C:\Program Files\Intel\INFInst.

If this flag is used without the ‘-A’ option, only the Readme is copied to <Installation Path>. The directory name can include spaces, but then a pair of double quotes (") must enclose the directory name. There must not be any space between the switch ‘-P’ and the directory name. This flag works in either Silent Mode or Interactive Mode.

Let’s execute it on the local brand/model that contains an Intel chipset:

The result of running setup with those parameters:

After running the tool on your local brand/model, you will see that the number of *.inf files is reduced to five (5) items! Isn’t that great? Now copy those drivers into your regular driver import process and you have reduced the bloat in your ConfigMgr driver database by at least 80%!
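The script below is an added example, not part of the original post or of Intel’s package: it runs setup.exe with the two switches described above into an empty folder, then compares the INF count of the full package with what this model actually needs. The paths are placeholders, and the optional -Overall switch covers the edge case the switch description mentions (the chipset software was already installed on this machine once, so -AONLY alone returns nothing).

```powershell
# Added example (not from the original post): extract only the INFs this model needs.
# Placeholders: $SetupExe (extracted Intel package) and $OutputPath (target for -P).
param(
    [string]$SetupExe   = 'C:\Drivers\IntelChipset\Setup.exe',     # placeholder
    [string]$OutputPath = 'C:\Drivers\IntelChipset-ThisModel',     # placeholder
    [switch]$Overall    # add -OVERALL when the chipset software was already installed here once
)

$packageRoot = Split-Path -Parent $SetupExe
$fullCount   = (Get-ChildItem -Path $packageRoot -Filter *.inf -Recurse).Count

# Start from an empty target so leftovers from an earlier run are not counted
if (Test-Path $OutputPath) { Remove-Item -Path $OutputPath -Recurse -Force }
New-Item -ItemType Directory -Path $OutputPath | Out-Null

# -P must be followed immediately by the path (no space); quotes guard against spaces in the path
$arguments = @('-AONLY', ('-P"{0}"' -f $OutputPath))
if ($Overall) { $arguments += '-OVERALL' }

$proc = Start-Process -FilePath $SetupExe -ArgumentList $arguments -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Setup.exe exited with code $($proc.ExitCode)" }

# What came out, tagged with the brand/model it was extracted on
$needed = Get-ChildItem -Path $OutputPath -Filter *.inf -Recurse
$system = Get-WmiObject -Class Win32_ComputerSystem
'{0} {1}: full package has {2} INF files, this model needs {3}' -f $system.Manufacturer, $system.Model, $fullCount, $needed.Count
$needed | Select-Object -ExpandProperty Name | Sort-Object
```

The folder named in $OutputPath is what you then feed to your normal driver import; keeping the manufacturer and model in the output makes it easy to name the resulting driver package after the hardware it was trimmed for.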




Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

ConfigMgr 2012 SP1 R2 Intune: CloudUserSync – delta sync to cloud failed

5:14 am in CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, intune, MDM, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM, Windows Intune by Kenny Buntinx [MVP]



After configuring a trial Intune subscription I got a funny error in the CloudUserSync log:

ERROR: SetLicensedUsers exception The Dmp Connector cannot connect to Windows Intune. Verify that you are connected to the Internet,….
UserSync: Failed to perform delta sync. error = Unknown error 0x8013150C, 0x8013150C

Further down in the log file:

ERROR: GetServiceAddresses – LSU cannot be reached: System.ServiceModel.ProtocolException: The content type text/html; charset=UTF-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly


If you search for this error you will see it happening with other services as well (Azure); it occurs when the binding from your local server doesn’t match the endpoint (in this case Intune/Azure).

Turned out that the customer had provided me with a demo lab environment that was still running the System Center Configuration Manager R2 Preview.

#Notetomyself: check that all components are on the correct version before you start. Never take it for granted.


Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Sysctr Configmgr 2012 and Intune : Provisioning Email Profiles and why the profile may not turn up on devices such as an iPad.

7:39 pm in CM12, CM12 R2, CM12 SP1, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, email Profile, email Profiles, intune by Kenny Buntinx [MVP]


Hi All,

The ‘Extensions for Windows Intune’ feature provides frequent, dynamic feature updates to System Center 2012 R2 Configuration Manager without any on-premises infrastructure update. New extensions like email profile provisioning make it very easy for end users to connect to corporate email from their mobile devices while at the same time, it ensures that administrators can protect corporate data by having the ability to selectively wipe email from lost or stolen mobile devices.

Now my colleague MVP Nico Sienaert and some other MVPs, including myself, had issues around the provisioning of email profiles. Sometimes they never showed up on an iPad.

Nico did some investigation with the product team back in Redmond and found some interesting details that can potentially block an email profile from being delivered to the device.

Problem description: mail profile not being provisioned on iOS devices such as an iPad.

Problem solution: they discovered that my mail property in AD was empty. Apparently this is required for email profiles. Once that field was filled in in AD and the value had been populated in the CM database (via User Discovery), the profile arrived almost immediately.

Anyway, lesson learned: make sure you ALWAYS have the mail property filled in on your AD user. Currently this is not documented yet, but it will be in the future.

When do you need the AD mail attribute?

  • If you are using the UPN for email addresses, then no AD attribute is needed. For Office 365, the UPN and mail address are already known, so it is not needed.
  • If you are using SMTP addresses, then you do need the mail attribute in AD.
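The script below is an added example, not part of the original post: it finds enabled AD users whose mail attribute is empty (the condition that blocked the email profile above) and, for users whose UPN already is their email address, can fill the attribute from the UPN after a dry run. It assumes the ActiveDirectory RSAT module; the OU in $SearchBase and the function names are my own placeholders.

```powershell
# Added example (not from the original post): locate and fix AD users without a mail attribute.
Import-Module ActiveDirectory

function Get-UserWithoutMail {
    param([string]$SearchBase)   # placeholder OU, e.g. 'OU=Mobile Users,DC=contoso,DC=example'
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties mail |
        Where-Object { [string]::IsNullOrWhiteSpace($_.mail) }
}

function Set-MailFromUpn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)]$User)
    process {
        # Only use the UPN when it is shaped like an address; anything else is left for a human
        if ($User.UserPrincipalName -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            if ($PSCmdlet.ShouldProcess($User.SamAccountName, "set mail = $($User.UserPrincipalName)")) {
                Set-ADUser -Identity $User -EmailAddress $User.UserPrincipalName
            }
        } else {
            Write-Warning "$($User.SamAccountName): UPN '$($User.UserPrincipalName)' is not an email address; set mail manually."
        }
    }
}

# Usage (placeholder OU): list first, dry-run the fix, then drop -WhatIf to apply it
$missing = Get-UserWithoutMail -SearchBase 'OU=Mobile Users,DC=contoso,DC=example'
"$($missing.Count) enabled user(s) without a mail attribute"
$missing | Set-MailFromUpn -WhatIf
# Afterwards, run Active Directory User Discovery in ConfigMgr so the new value reaches the CM database.
```

Keep the -WhatIf pass: the warning branch tells you which accounts have a UPN that is not a mailbox address, and those are the ones where copying the UPN blindly would provision a profile pointing at a mailbox that does not exist.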

Hope that Helps ,

Kenny Buntinx

Enterprise Client Management MVP

CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file

7:18 am in Apple, CM12, CM12 R2, CM12 SP1, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, deployment types, intune, iOS, ipa, Ipad, plist by Kenny Buntinx [MVP]


To side-load an application (*.ipa) you need either to have developed it in-house or to have bought it from a developer who allows you to side-load it, and you need a valid Apple developer account as well.

You cannot side-load an app that you have downloaded and paid for in iTunes; that would violate the license agreement. For those applications, you can create a link to the application in the App Store and distribute that link.

So if you want to side-load an application that you bought from the App Store, I would suggest that you contact that company/developer and see if they are interested in selling the application to you that way instead of through the App Store.

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario, you can install apps and content locally with Apple Configurator or with your MDM solution, such as Windows Intune.

Volume Purchase Program

The Volume Purchase Program (VPP) allows businesses to purchase iOS apps and books in volume and distribute them to employees. You can also get custom B2B apps for iOS that are built uniquely for you by third-party developers and procured privately through the VPP store. MDM solutions integrate with VPP and can be used to assign apps and books to users. When apps are no longer needed, MDM can be used to revoke and reassign them to a different user. Each app is automatically available for download on all the user’s devices, with no additional effort or cost to you. Redemption codes can also be purchased through VPP for use with Apple Configurator, or in situations where MDM is not applicable. To learn more about the Volume Purchase Program at


GOTCHA: The Volume Purchase Program (VPP) isn’t available in Belgium or the Benelux. Up to now, European companies can only subscribe to the VPP if they are resident in the UK or Germany. This isn’t really helping our MDM solution, but later in this blog post we show you an alternative we found (unfortunately NOT supported).

Enterprise in-house apps

Develop iOS apps for use by your company using the iOS Developer Enterprise Program. This program offers a complete and integrated process for developing, testing, and distributing your iOS apps to employees within your organization. Distributing in-house apps can be done either by hosting your app on a simple web server you create internally, or by using a third-party MDM or app management solution. The benefits of managing in-house apps with MDM include the ability to configure apps remotely, manage versions, configure single sign-on, set policies for network access such as per-app VPN, and control which apps can export documents.

Distributing the app with your MDM solution such as Intune

To distribute an iOS application, you must have a valid .ipa package and a manifest (plist) file. The manifest file is an XML .plist file that is used to find, download and install any iOS applications that are located outside the App Store. The manifest file cannot exceed 10 KB. For more information, see the relevant Apple documentation.

· The .ipa package must be valid. This means that the package was signed by Apple and the expiration date indicated in the provisioning profile is still valid.

· For iOS applications, Windows Intune can distribute enterprise certificate iOS applications. Not all Apple developer certificate applications are supported.

· Your enterprise must be registered for the iOS Developer Enterprise Program.

· Make sure that your organization’s firewall allows access to the iOS provisioning and certification web sites.

I saw many people in the forums and on the internet having difficulty uploading and deploying iOS applications, mainly because they do not have access to Apple’s VPP. I managed to upload the iOS (*.ipa) application into Configuration Manager 2012 R2, and also to download and install the uploaded iOS application on the iPad from the Company Portal.


Creating a Manifest (plist) File from just an App File

All you need to do is find out the bundle-identifier and bundle-version for your app, then fill them in in the template below.

GOTCHA: Not all applications have a plist file; it also depends on the Mac OS X version (the locations changed in 10.6 and again in 10.9.1; check out this thread), and currently CM12 with Intune does not support that!

Getting the bundle-identifier and bundle-version from IPCU (iPhone Configuration Utility).

Unfortunately, the app’s bundle-identifier and bundle-version are not directly readable, because an .ipa file is usually signed. However, the data you need is made available through Apple’s iPhone Configuration Utility.

First, download and install the iPhone Configuration Utility (IPCU).


After opening IPCU, click the "Applications" library item and drag your .ipa file into the list. You should see the following page. The "Identifier" and "Version" columns are the bundle-identifier and bundle-version values respectively.

Now you can create the manifest file. Just copy the manifest file contents below and replace the three highlighted values in the metadata dictionary with your own.

1. Replace the bundle-identifier with your identifier.

2. Replace the bundle-version with your version.

3. Replace the app’s name with your custom display name. This will be displayed to the user in an alert asking for permission to install the app.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key>
          <string>software-package</string>
          <key>url</key>
          <string>https://YOUR-SERVER/path/to/YourApp.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key>
        <string>YOUR-BUNDLE-IDENTIFIER</string>
        <key>bundle-version</key>
        <string>YOUR-BUNDLE-VERSION</string>
        <key>kind</key>
        <string>software</string>
        <key>title</key>
        <string>Citrix Receiver</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
Save the *.plist file with the same name as the *.ipa file in the same source folder, and you will be able to import your IPA DT (deployment type) without any errors. However, I am not taking any responsibility here; this post is provided AS-IS with no liability whatsoever.
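The function below is an added example and not part of the original post: it builds the manifest from the three values you replace in the metadata dictionary plus the download URL, escapes them so a display name cannot break the XML, parses the result back without fetching the external DTD, enforces the 10 KB limit mentioned above, and saves the file beside the .ipa under the same name. The function name, the sample values and the URL are my own placeholders.

```powershell
# Added example (not from the original post): generate and validate the .ipa manifest plist.
function New-IpaManifest {
    param(
        [Parameter(Mandatory = $true)][string]$IpaPath,           # local path of the .ipa; manifest lands beside it
        [Parameter(Mandatory = $true)][string]$BundleIdentifier,  # "Identifier" column in IPCU
        [Parameter(Mandatory = $true)][string]$BundleVersion,     # "Version" column in IPCU
        [Parameter(Mandatory = $true)][string]$Title,             # display name shown in the install prompt
        [Parameter(Mandatory = $true)][string]$IpaUrl             # https URL the device downloads the .ipa from
    )
    # Escape <, >, & and quotes so the values cannot alter the document structure
    $e = { param($s) [System.Security.SecurityElement]::Escape($s) }

    $xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>$(& $e $IpaUrl)</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>$(& $e $BundleIdentifier)</string>
        <key>bundle-version</key><string>$(& $e $BundleVersion)</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>$(& $e $Title)</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"@

    # Parse it back with DTD processing off: catches malformed output and never reaches out to apple.com
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Ignore
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $xml), $settings)
    try { while ($reader.Read()) { } } finally { $reader.Close() }

    $bytes = [System.Text.Encoding]::UTF8.GetBytes($xml)   # UTF-8 without BOM
    if ($bytes.Length -gt 10KB) { throw "Manifest is $($bytes.Length) bytes; the limit is 10 KB" }

    # Same base name as the .ipa, same folder, .plist extension
    $manifestPath = [System.IO.Path]::ChangeExtension($IpaPath, '.plist')
    [System.IO.File]::WriteAllBytes($manifestPath, $bytes)
    return $manifestPath
}

# Usage with placeholder values (bundle values come from IPCU for your own app)
New-IpaManifest -IpaPath (Join-Path $env:TEMP 'CitrixReceiver.ipa') `
    -BundleIdentifier 'com.example.citrixreceiver' -BundleVersion '1.0.0' `
    -Title 'Citrix Receiver' -IpaUrl 'https://apps.example.internal/ios/CitrixReceiver.ipa'
```

The well-formedness check is deliberately done with a reader that ignores the DOCTYPE: it validates what you are about to hand to Intune without turning the build step into an outbound HTTP request, and it rejects a manifest whose title or URL smuggled in stray markup.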

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Multicast-enabled Distribution Points Stop Working after Upgrading to System Center 2012 R2 Configuration Manager

11:23 am in CM12, CM12 R2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, multicast, R2 by Kenny Buntinx [MVP]


If you upgrade your hierarchy to System Center 2012 R2 Configuration Manager and your distribution points that are enabled for multicast stop working, look for entries similar to the following in mcsexec.log: Error finding namespace: 0xc1210106

Before you upgrade the site or hierarchy, make sure that Cumulative Update 3 or later is installed.

However, if you have already upgraded the site to System Center 2012 R2 Configuration Manager and multicast is not working on distribution points, perform the following procedure on each distribution point that is enabled for multicast:

  1. Edit the properties of the distribution point, and click the Multicast tab.
  2. Clear the Enable multicast to simultaneously send data to multiple clients option, and click Apply.
  3. Wait for the multicast configuration to be removed from the distribution point. You can verify removal by checking the MCSSetup.log file.
  4. Select the Enable multicast to simultaneously send data to multiple clients option, and click OK.
  5. Wait for at least one hour to make sure that Hierarchy Manager has reinstalled the multicast server.

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Configuration Manager 2012 SP1 and R2 : Send Ctrl-Alt-Del remotely is randomly not working in Remote Tools

7:15 pm in CM12 R2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, Remote, Remote Tools, tools by Kenny Buntinx [MVP]


Earlier this week, a customer of mine was trying to use the Remote Tools feature. Fancy feature, except that when the helpdesk connected to a computer via Remote Tools and chose Ctrl-Alt-Del from the drop-down menu, nothing happened remotely. No problems on XP machines, but on some remote Windows 7 and Windows 8 machines it would work and on others it wouldn’t.

Before going deeper, I checked the following settings:

  • The workstation was in a “Logged Off” state.
  • Default Client policy is set to request permission to connect.
  • The user has the permission to use and take over the remote machines.

Again, this is a random occurrence. The worst that can happen: the logs look as green as a golf course.

Solution :

It took me a while to figure this out, but I finally found the root cause. It was a group policy preventing this kind of thing.

There is a group policy option for this simulation of keys. Look under Computer Configuration -> Administrative Templates -> Windows Components -> Windows Logon Options and set “Disable or enable software Secure Attention Sequence” to ‘Enabled’. You must then change “Set which software is allowed to generate the Secure Attention Sequence” to “Services and Ease of Access applications”.
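The function below is an added example, not part of the original post: it reads the registry value that policy writes (SoftwareSASGeneration under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) on one or more computers and reports which ones will ignore a remote Ctrl-Alt-Del, so the random failures can be explained before the helpdesk calls. Remote queries go over WinRM with Invoke-Command; the function name and the computer names are my own placeholders.

```powershell
# Added example (not from the original post): audit the software SAS policy across machines.
function Get-SoftwareSasPolicy {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Values of the SoftwareSASGeneration policy setting
    $meaning = @{
        0 = 'None'
        1 = 'Services'
        2 = 'Ease of Access applications'
        3 = 'Services and Ease of Access applications'
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $item = Get-ItemProperty -Path $key -Name SoftwareSASGeneration -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = [int]$item.SoftwareSASGeneration }
        [pscustomobject]@{ Value = $value }
    } | ForEach-Object {
        $v = $_.Value
        $setting = 'Not configured (policy absent; Windows default applies)'
        if ($null -ne $v) { $setting = $meaning[$v] }
        [pscustomobject]@{
            ComputerName = $_.PSComputerName
            SoftwareSAS  = $v
            Setting      = $setting
            # The fix in the post requires "Services and Ease of Access applications" (3)
            RemoteCadOk  = ($v -eq 3)
        }
    }
}

# Usage (placeholder names): the machines the helpdesk reported, offenders listed first
Get-SoftwareSasPolicy -ComputerName 'WS-0001', 'WS-0002' | Sort-Object RemoteCadOk | Format-Table -AutoSize
```

A machine that reports "Not configured" has never received the policy at all, which is the usual reason the symptom looks random: it depends on which OU, and therefore which GPO, the workstation landed in.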



Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management