
CM12 Extensions for Windows Intune: Resources and gotchas

2:43 pm in CM12 R2, email Profiles, intune, SCCM 2012 R2, Windows Intune Extensions, Windws Intune by Kenny Buntinx [MVP]


Hi,

Last week a feature of System Center 2012 R2 Configuration Manager called “Extensions for Windows Intune” was released. It makes new Windows Intune features available in your Configuration Manager console alongside the existing ones, without any on-premises upgrade.

Enabling Exchange ActiveSync email profiles for mobile devices

Nico Sienaert already wrote a blog post on that, which you can find here: http://scug.be/nico/2014/02/08/configuration-manager-windows-intune-console-extensions-in-action/

Be careful when enabling “Intune Extensions”, as they will be installed automatically. As soon as you enable an Intune extension, the next time someone opens a console a message pops up telling them that the console extensions need to be installed. Great idea, but not in every scenario:

– Local install: you need local admin rights to update them (helpdesk staff aren’t always local admins).

– Citrix: all your users share one console installation. This means every user must have the console closed, and the user who launches the console to trigger the update needs administrator rights to perform it. Otherwise you are stuck in an endless loop. There is currently no supported way to push the console extensions via applications, SCUP or other methods.

*** Workaround and NOT supported – You are on your own here ***

You can automate the steps below, but this is the manual process.

After enabling certain “Intune Extensions”, go to your primary site server, grab the following from the downloads folder and copy it to your Citrix server or local install where the console user has no admin rights:

[screenshot of the extension download folder]

Make sure your ConfigMgr consoles are closed and run every extension installer with the following syntax:

FeatureExtensionInstaller.exe <Install | Uninstall | Validate | Repair>

Go to your primary site server, grab the following file from D:\Microsoft Configuration Manager\AdminConsole\XmlStorage\Other\ and save it to your Citrix server or local install where the console user has no admin rights.

[screenshot of the XML file in XmlStorage\Other]

Your console will no longer complain about extensions that need to be installed.

*** Workaround and NOT supported – You are on your own here ***

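The workaround above, scripted as an added example (this is not code from the original post or from Microsoft). It assumes that the extension folders and the XML file have already been copied from the primary site server to the placeholder paths in the parameters, that each folder contains its own FeatureExtensionInstaller.exe, and that the installer takes the action word exactly as the post shows it (Install / Uninstall / Validate / Repair); the console install path is the default one and the XML file name is a placeholder.

```powershell
# Added example, not from the original post: scripts the unsupported manual
# workaround for a console that runs under a non-admin user (Citrix or local
# install). Assumptions, all labelled: the extension folders have already been
# copied from the primary site server to $ExtensionRoot, each folder holds a
# FeatureExtensionInstaller.exe, the installer takes the action word exactly as
# the post shows it (Install / Uninstall / Validate / Repair), and the XML file
# from XmlStorage\Other has been copied to $XmlFile. Run elevated, once, with
# every ConfigMgr console closed.
param(
    [string]$ExtensionRoot = 'C:\Temp\IntuneExtensions',                  # placeholder
    [string]$XmlFile       = 'C:\Temp\IntuneExtensions\extension.xml',    # placeholder name
    [string]$ConsoleRoot   = "${env:ProgramFiles(x86)}\Microsoft Configuration Manager\AdminConsole",
    [ValidateSet('Install', 'Uninstall', 'Validate', 'Repair')]
    [string]$Action = 'Install'
)

# The post's precondition: no console may be open, on this box or (Citrix) for
# any user. The console process is Microsoft.ConfigurationManagement.exe.
$consoles = Get-Process -Name 'Microsoft.ConfigurationManagement' -ErrorAction SilentlyContinue
if ($consoles) {
    throw "Close the ConfigMgr console first (PIDs: $($consoles.Id -join ', '))."
}

$installers = @(Get-ChildItem -Path $ExtensionRoot -Recurse -Filter 'FeatureExtensionInstaller.exe')
if ($installers.Count -eq 0) { throw "No FeatureExtensionInstaller.exe found under $ExtensionRoot" }

$failed = @()
foreach ($exe in $installers) {
    Write-Host "$Action : $($exe.Directory.Name)"
    # -Wait/-PassThru give us the exit code; treat anything non-zero as a failure
    # so a half-applied extension does not go unnoticed.
    $p = Start-Process -FilePath $exe.FullName -ArgumentList $Action -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { $failed += "$($exe.Directory.Name) (exit $($p.ExitCode))" }
}

# Second half of the workaround: the XML from the site server stops the console
# from prompting again. Only copy it when every installer succeeded.
if ($failed.Count -gt 0) {
    Write-Warning ("Failed installers: " + ($failed -join '; '))
} elseif ($Action -eq 'Install') {
    Copy-Item -Path $XmlFile -Destination (Join-Path $ConsoleRoot 'XmlStorage\Other') -Force
    Write-Host 'All extensions installed and XML copied.'
}
```

Run it with `-Action Validate` first to see which extensions the installer considers missing before touching anything; the exit-code check is what makes the loop safe to run again after a failed attempt.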
Using Exchange ActiveSync email profiles on mobile devices

One of the first features to be available as an extension for Windows Intune is the ability to provision Exchange ActiveSync email profiles to mobile devices. This feature allows enterprises to deploy email profiles and restrictions so that workers can access corporate email on their personal devices without any required setup.

This is a great feature for provisioning corporate mailboxes on corporate-owned devices and I like it. However, Microsoft needs to catch up fast on the “Company data – selective wipe” of resources including email, because when a user’s mobile device is lost or stolen, the administrator or the end user can initiate a ‘selective wipe’ of corporate data, including corporate email.

Be aware that this is currently supported by the iOS native email client, but not by the Windows Phone 8 EAS mail app. I hope that will be fixed soon with the upcoming free Enterprise Feature Pack for Windows Phone 8, due sometime in 2014.

This update is due in the first half of 2014 and will add the following features to Windows Phone 8:

  • S/MIME to sign and encrypt email
  • Access to corporate resources behind the firewall with app aware, auto-triggered VPN
  • Enterprise Wi-Fi support with EAP-TLS
  • Enhanced MDM policies to lock down functionality on the phone for more enterprise control, in addition to richer application management such as allowing or denying installation of certain apps
  • Certificate management to enroll, update, and revoke certificates for user authentication

For more information on provisioning ActiveSync email profiles to mobile devices using System Center 2012 R2 Configuration Manager and Windows Intune, see this blog post and the resources below:

https://blogs.technet.com/b/configmgrteam/archive/2014/01/29/provision-activesync-email-profiles-to-mobile-devices-using-configmgr-and-windows-intune.aspx

Here are some updates and added TechNet information about email profiles:

Configuration Manager 2012

Planning to Use Extensions in Configuration Manager (http://technet.microsoft.com/en-us/library/dn574730.aspx)

Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554227.aspx)

Introduction to Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554226.aspx)

Planning for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554232.aspx)

Prerequisites for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554229.aspx)

Configuring Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554233.aspx)

Operations and Maintenance for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554231.aspx)

How to Create Exchange ActiveSync Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554236.aspx)

How to Deploy Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554228.aspx)

How to Monitor Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554225.aspx)

Security and Privacy for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554235.aspx)

Technical Reference for Email Profiles in Configuration Manager (http://technet.microsoft.com/en-us/library/dn554230.aspx)


Hope it helps,

Kenny Buntinx

MVP Enterprise Client Management

ADFS 2.1 in combo with windows Intune stops working with ‘Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘Domain\ADFS_srvc’, error code 0x5

12:17 pm in ADFS, ADFS 2.1, CM12, CM12 R2, CM12 SP1, intune, sso by Kenny Buntinx [MVP]


One day my ADFS authentication for ConfigMgr 2012 R2 and Windows Intune suddenly stopped working. I came across the following error on the Active Directory Federation Services farm, which uses WID (Windows Internal Database) to store its configuration.

In words: An exception occurred while enqueueing a message in the target queue. Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘<Domain>\ADFS_srvc’, error code 0x5.

The solution is to give “Authenticated Users” “Read” permissions on the ADFS service account.

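The fix above, as an added example that is not part of the original post: a script that checks whether Authenticated Users actually holds Read on the service account object (which is what the WID lookup needs) and, with -Fix, adds it. The account name ADFS_srvc is taken from the post's error message; the script assumes the ActiveDirectory RSAT module and rights to modify the account's ACL.

```powershell
# Added example (not from the original post): verifies, and with -Fix restores,
# Read for "Authenticated Users" on the AD FS service account object. The account
# name is the one in the post's error message; adjust it for your farm.
param(
    [string]$ServiceAccount = 'ADFS_srvc',
    [switch]$Fix
)
Import-Module ActiveDirectory

$account = Get-ADUser -Identity $ServiceAccount
$adPath  = 'AD:\' + $account.DistinguishedName
$acl     = Get-Acl -Path $adPath

# Well-known SID S-1-5-11 = NT AUTHORITY\Authenticated Users. Comparing SIDs
# instead of display names keeps the check correct on localised servers.
$authUsers   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# GenericRead is a combination of bits (ReadProperty, ListChildren, ReadControl,
# ListObject); the ACE counts only if it carries all of them.
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers -and
    (($_.ActiveDirectoryRights -band $genericRead) -eq $genericRead)
}

if ($hasRead) {
    Write-Host "OK: Authenticated Users already has Read on $($account.DistinguishedName)"
}
elseif ($Fix) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $authUsers, $genericRead, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $adPath -AclObject $acl
    Write-Host "Added Read for Authenticated Users on $($account.DistinguishedName)"
}
else {
    Write-Warning "Authenticated Users lacks Read on $($account.DistinguishedName); rerun with -Fix"
}
```

Run it without -Fix first: if the check already passes and the 15404 error persists, the cause is something other than the ACE this post describes and adding another one will not help.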
Hope it helps,

Kenny Buntinx

Enterprise Client Management MVP

ADFS 3.0 on Windows 2012 R2: adfssrv hangs in starting mode and makes your domain controller unusable after reboot

8:48 pm in ADFS, ADFS 3.0, Global Managed Service Account, gmsa, intune, MDM, UDM, Windows Server 2012 R2, Windws Intune by Kenny Buntinx [MVP]


Background:

With the arrival of AD FS 3.0 in Windows Server 2012 R2, the use of IIS with AD FS has been dropped in favour of kernel-mode HTTP.SYS. The motive is to improve performance, provide more sign-in customization options and allow co-locating AD FS and AD Domain Services on the same server (IIS on a domain controller is a big no-no from a security perspective).

As federation services go mainstream in everyday use with Windows 8.1, Office 365, Intune, Azure and whatever cloud service comes next, this shift is understandable and an important design consideration. With the new kernel-mode approach, running AD FS on Server Core also becomes an option in the new release.

Problem:

In my lab, I installed and configured ADFS 3.0 on my domain controller with a global managed service account (gMSA), a feature introduced with AD DS 2012. After a server reboot, the ADFS service cannot start anymore and stays in the "starting" state, making your DC unusable.

This issue appears to be gMSA-related: when you install ADFS 3.0 on a 2012 R2 server running AD DS, then after the reboot (not always) the gMSA fails to authenticate on behalf of the ADFS service that is configured to run under it.

Solution:

After investigation, I found an unacceptable workaround, which is:

1. Reboot the AD DS/ADFS 3.0 server, log on and immediately set the ADFS service from Automatic (Delayed Start) to Manual.

2. Change the Microsoft Key Distribution Service (kdssvc) to Automatic (instead of Manual, trigger start) and restart the DC.

3. Log on and start the ADFS service (it starts successfully).

4. Set the ADFS service from Manual back to Automatic (Delayed Start).

5. Done.

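The five steps above as an added example script, not code from the original post: the reboot in step 2 splits the procedure into two phases, so the script takes a -Phase argument and you run it once before and once after the restart. Service names (adfssrv, kdssvc) are the ones the post names; everything else is standard service control.

```powershell
# Added example (not from the original post): the post's workaround as two phases
# separated by the reboot in step 2. Run elevated on the combined AD DS / AD FS 3.0
# server. Service names are the ones the post uses.
param(
    [Parameter(Mandatory)]
    [ValidateSet('BeforeReboot', 'AfterReboot')]
    [string]$Phase
)

function Invoke-AdfsGmsaWorkaround {
    param([string]$Phase)
    switch ($Phase) {
        'BeforeReboot' {
            # Step 1: Automatic (Delayed Start) -> Manual, so AD FS does not try to
            # start (and hang) during the next boot. 'demand' is sc.exe's word for Manual.
            sc.exe config adfssrv start= demand | Out-Null
            # Step 2: the Key Distribution Service, which gMSA password retrieval
            # depends on, goes from trigger start to plain Automatic, then reboot.
            Set-Service -Name kdssvc -StartupType Automatic
            Write-Host 'adfssrv=Manual, kdssvc=Automatic; rebooting the DC now.'
            Restart-Computer -Force
        }
        'AfterReboot' {
            # Step 3: kdssvc is already up, so AD FS can resolve the gMSA and start.
            Start-Service -Name adfssrv
            (Get-Service -Name adfssrv).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
            # Step 4: back to Automatic (Delayed Start). Set-Service cannot set the
            # delayed flag, hence sc.exe again.
            sc.exe config adfssrv start= delayed-auto | Out-Null
            Write-Host "adfssrv is $((Get-Service -Name adfssrv).Status); startup type restored."
        }
    }
}

Invoke-AdfsGmsaWorkaround -Phase $Phase
```

WaitForStatus throws a timeout exception if the service is still stuck in "starting" after two minutes, which is exactly the symptom of the post, so a failure there means the workaround did not take and step 4 has not been applied.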
Keep it coming. We’re all learning ADFS 3.0 for Windows Intune  :-)


Hope it helps,

Kenny Buntinx

MVP Enterprise Client Management

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8”

8:47 am in ADFS, Cloud, CM12, ConfigMgr 2012 SP1, intune, SCCM 2012 SP1, Windows Intune by Kenny Buntinx [MVP]


Are you at a customer integrating/managing Windows Phone 8 with Windows Intune and System Center Configuration Manager 2012 SP1, using the Support Tool for Windows Intune Trial Management of Window Phone 8 (download: http://www.microsoft.com/en-sg/download/details.aspx?id=39079)?

The Support Tool for Windows Intune Trial Management of Window Phone 8 lets Microsoft System Center 2012 Configuration Manager admins try out Windows Phone 8 software distribution scenarios during the trial period.

However, we couldn’t get our Windows Phone 8 enrolled. It always came back with the following error on the phone: “We weren’t able to set up this company account on your phone”.

Verify the following before going forward:

  • If you are using ADFS, check my previous blog post “Troubleshooting ADFS 2.1 Services for Windows Intune (WaveD)”.
  • Have you synced your AD accounts to Azure AD? Is DirSync working correctly? Check in Azure AD that you see your local AD users there.
  • Make sure the UPN is set correctly to your domain (SCUG.be instead of scug.onmicrosoft.com).
  • Set the CNAME record to manage.microsoft.com.
  • Reset the user’s password. Because the user must reset the password after the first logon, log on to e.g. portal.manage.microsoft.com with the user account before enrolling the device.
  • It is important that you first synchronize your AD users to Azure AD and only then add the user account to the user collection that is allowed to enroll devices. If you add the user to the collection first and the new user is not yet in Azure AD, you may need to wait up to 24 h. (Thanks to my fellow MVP Panu Sauko!)
  • If you still get the error message above, change the language and regional settings of your phone to en-US and try to enroll again. (Thanks to my fellow MVP Panu Sauko!)

Digging into the logs (which is, by the way, very difficult on a Windows Phone 8 or on the Windows Intune side), the only option was to look at the System Center Configuration Manager log files.

Looking in dmpdownloader.log, I found the following line every time I tried to enroll the WP8 device. Strange.

ERROR: Service health log: WP appStoreURI is missing for account 73dab792-979c-40be-947b-b7c8040e725b and userId ******************************33d16d

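An added example, not code from the original post, that runs the checklist above from the site server and scans dmpdownloader.log for the line just shown. It assumes the ActiveDirectory RSAT module, that the verified Intune domain is scug.be (the post's example), that the CNAME the post refers to is the standard enterpriseenrollment.<domain> record (the post does not name it, so this is an assumption), and that the log sits in the default ConfigMgr Logs folder (placeholder path).

```powershell
# Added example (not from the original post): pre-enrollment checks for Windows
# Phone 8 plus detection of the post's dmpdownloader.log symptom.
param(
    [string]$Domain  = 'scug.be',                                                  # post's example
    [string]$LogPath = 'D:\Microsoft Configuration Manager\Logs\dmpdownloader.log' # placeholder
)
Import-Module ActiveDirectory
$problems = @()

# 1. UPNs must carry the verified public suffix, not <tenant>.onmicrosoft.com (or none).
$badUpn = Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { -not $_.UserPrincipalName -or $_.UserPrincipalName -notlike "*@$Domain" }
if ($badUpn) {
    $problems += "Users without a @$Domain UPN: " + ($badUpn.SamAccountName -join ', ')
}

# 2. The enrollment CNAME (assumed to be enterpriseenrollment.<domain>) must point at
#    manage.microsoft.com. Resolve-DnsName needs Windows 8 / Server 2012 or later.
$cname = Resolve-DnsName -Name "enterpriseenrollment.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'CNAME' }
if (-not $cname -or $cname.NameHost -ne 'manage.microsoft.com') {
    $problems += "enterpriseenrollment.$Domain does not CNAME to manage.microsoft.com (got: $($cname.NameHost))"
}

# 3. The post's smoking gun in dmpdownloader.log: one hit per failed WP8 enrollment.
if (Test-Path -Path $LogPath) {
    $hits = @(Select-String -Path $LogPath -Pattern 'WP appStoreURI is missing for account' -SimpleMatch)
    if ($hits.Count -gt 0) {
        $problems += "$($hits.Count) 'WP appStoreURI is missing' entries in $LogPath; " +
                     "re-run ConfigureWP8Settings.vbs (company portal certificate problem, see below)"
    }
} else {
    $problems += "Log not found: $LogPath"
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No enrollment blockers found for $Domain" }
```

The UPN check deliberately flags accounts with no UPN at all: DirSync uses the UPN as the cloud sign-in name, so those users cannot enroll either, and they are easy to miss when you only look for the onmicrosoft.com suffix.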

Solution:

Apparently this message means we have certificate issues on the Company Portal. After re-running the registration steps below, it works. The steps had also executed successfully before and I thought everything was OK, but I was wrong. So if you get the error message “Service health log: WP appStoreURI is missing for account”, something is wrong with your company portal and its signed certificates.

Step 1: Disable Windows Phone 8 support on the Intune connector.

1. Create the “Company Portal” application that is included in the toolkit.

2. The first step to enable the management of Windows Phone 8 devices is to run the script that is included in the toolkit: cscript ConfigureWP8Settings.vbs <server> QuerySSPModelName. Note down the Scope_ID<GUID> information it returns, as it will be used in the next step.

3. Next we run the script again, this time in save mode with the SSP name, to populate the certificate information that enables Windows Phone 8 management. The command this time is: cscript ConfigureWP8Settings.vbs <server> SaveSettings <Company Portal name>, where <Company Portal name> is the Model Name output from the previous step.

4. After completing the steps above, you can verify that Windows Phone 8 device management is enabled.

Now you can enroll your Windows Phone 8 devices in your Windows Intune Unified Trial Account. It works like a charm now.

Hope it helps,

Kenny Buntinx

MVP enterprise Client Management

Windows Intune & Dirsync : Error message “stopped-server-down” (FIM Synchronization Service Manager)

11:24 am in ADFS, dirsync, FIM, intune by Kenny Buntinx [MVP]


In Windows Intune, you need DirSync to synchronize your users between on-premises AD and Azure AD. For a few days already we had been receiving a mail stating: “There was no AD synchronization with Azure AD”. Weird.

DirSync for Windows Intune (the same as for Office 365) is actually a special version of FIM 2010 (Forefront Identity Manager). When you install DirSync, by default it is set to synchronize your on-premises Active Directory with Azure Active Directory every 3 hours.

At first sight, DirSync looks like a big black box. Event Viewer is there, but doesn’t tell you much.

You won’t find any shortcut to the Synchronization Service Manager, but it is located at "C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe".

If you launch the Synchronization Service Manager, you will find the same information.

This error message doesn’t tell you much, but if you look closely, “TargetWebService” is the connection to Azure AD and, as you can see, its status is “stopped-server-down”.

Digging deeper into the event viewer, we found: “An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult: (0x80048831)”. Looking this up on the internet, this error message actually means that the service account you use to connect to Windows Intune has an expired password.

To fix this, open the “Windows Azure Active Directory Module for Windows PowerShell”, set a new password for the service account and, to avoid the problem in the future, add the -PasswordNeverExpires parameter:

# Set a new password; single quotes keep the $$ in the example password literal (in double quotes PowerShell would expand it)
Set-MsolUserPassword -UserPrincipalName dummy@intune.com -NewPassword 'pa$$word'

# Stop the service account password from expiring again
Set-MsolUser -UserPrincipalName dummy@intune.com -PasswordNeverExpires $true

Now go to the Management Agents tab in Synchronization Service Manager, right-click TargetWebService and click Properties. Enter your new password there.

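The whole diagnosis and fix above as one added example script (not code from the original post): it looks for the Sign-in Assistant error in the Application event log, shows the password state of the Azure AD service account, and with -Fix applies the post's two cmdlets. It assumes the MSOnline module (the Windows Azure AD Module for PowerShell the post names) and uses the post's dummy@intune.com as the service account name; the final step, entering the new password in the TargetWebService management agent, is still done in the Synchronization Service Manager GUI.

```powershell
# Added example (not from the original post): detect the expired-password cause
# of "stopped-server-down", inspect the account, and optionally remediate.
param(
    [string]$ServiceUpn = 'dummy@intune.com',   # post's example account
    [switch]$Fix
)

# 1. Detection: the Sign-in Assistant failure the post found (HRESULT 0x80048831).
$since  = (Get-Date).AddDays(-7)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80048831' -or $_.Message -match 'GetAuthState\(\) failed' })
if ($events.Count -gt 0) {
    Write-Warning "$($events.Count) Sign-in Assistant auth failures since $since (latest: $($events[0].TimeCreated))"
}

# 2. Password state of the service account in Azure AD.
Import-Module MSOnline
Connect-MsolService          # prompts for tenant administrator credentials
$user = Get-MsolUser -UserPrincipalName $ServiceUpn
"{0}: PasswordNeverExpires={1}, LastPasswordChange={2}" -f $ServiceUpn, $user.PasswordNeverExpires, $user.LastPasswordChangeTimestamp

# 3. Remediation: the post's two cmdlets. The password is generated rather than typed
#    so it never lands in the shell history; it is shown once so you can paste it
#    into the TargetWebService management agent properties afterwards.
if ($Fix -and -not $user.PasswordNeverExpires) {
    Add-Type -AssemblyName System.Web
    $newPassword = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    Set-MsolUserPassword -UserPrincipalName $ServiceUpn -NewPassword $newPassword -ForceChangePassword $false
    Set-MsolUser -UserPrincipalName $ServiceUpn -PasswordNeverExpires $true
    Write-Host "New password for $ServiceUpn (enter it in the TargetWebService MA properties, then run a sync): $newPassword"
}
```

-ForceChangePassword $false matters for a service account: without it the new password is flagged as temporary and the management agent would fail again at the next sign-in.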

Hope it helps,

Kenny Buntinx

MVP Enterprise Client Management

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2

12:09 pm in ADFS, Cloud, CM12, ConfigMgr 2012 SP1, intune, SCCM 2012 SP1, Server 2012, WaveD, windows inune by Kenny Buntinx [MVP]


In my previous blog post “Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1” I explained the general design and concept for setting up SSO with ADFS: http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/

This article walks step by step through initializing a new domain in Windows Intune WaveD, its verification, and its configuration for single sign-on. This guide shows how to perform these steps on Windows Server 2012 with AD FS 2.1.

Again, the design we are going to follow:

[design diagram]

Determine the ADFS Farm Name

We really need to get this information sorted first, because our certificate requests will be based on the FQDN of the farm name, and it isn’t possible to install ADFS services without a certificate.

We’ll use “Federation.scug.be”; this name will be used by the Windows Intune federation services. This certificate absolutely must be issued by a public CA.

Request a Certificate

Really quick overview of ADFS certificates: ADFS uses three certificates; one for server authentication and the remaining two for ADFS token signing and verification.

For best practice and supportability this certificate should NOT be a wildcard certificate. My wildcard certificates worked flawlessly, but if you go that way and something does not work later down the road, your support options may be limited.

Service Account for ADFS Federation Service

Next, we will create a service account for installing and running the ADFS Federation Service. This account will be used to perform the initial installation of the service as well as of the WID SQL databases. During this initial installation, the service creates certificate containers in Active Directory, as well as SPN records for the shared IIS pool identity. To perform these tasks, the service account must be at least a Domain Admin.

Install ADFS Service on the First Windows Server 2012 Server (FED1PRD.SCUG.BE)

Prerequisites:

  • Make sure that you installed the ADFS Services through “Add Roles and Features”.
  • Make sure you have copied your *.SCUG.be certificate to your ADFS servers.
  • Make sure the servers are joined to the domain.
  • Your Active Directory domain must be in Windows 2003 mixed or native mode.

1. Open the wizard and select “Create a new Federation Service” …

2. Provide your SSL certificate and Federation Service Name …

3. Provide your service account and password …

4. Click Next to continue after reviewing …

5. When everything is OK, click Close to close the wizard.

Install ADFS Service on the Second Windows Server 2012 Server (FED2PRD.SCUG.BE)

1. Open the wizard and select “Add a federation server to an existing Federation Service” …

2. Specify your primary federation server name and your ADFS service account.

3. Click Next to install and finish.

Important:

Create a hosts file entry on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE with the following line:

[screenshot of the hosts file entry]

Now your ADFS farm is installed and configured correctly. Next, let’s show how to introduce the AD FS proxy servers.

In addition to adding two federation server proxies, you must make sure that your perimeter network also provides access to a Domain Name System (DNS) server and to a second hardware Network Load Balancing host. The second NLB host must be configured with an NLB cluster that uses an Internet-accessible cluster IP address, and it must use the same cluster DNS name (federation.SCUG.be) as the NLB cluster you configured on the corporate network (Federation.scug.be). The federation server proxies should also be configured with Internet-accessible IP addresses.

Note: all server/client communication is established over port 443. Make sure port 443 is allowed between the internal AD FS host servers and the AD FS proxy servers, as well as from the Internet to the AD FS proxy servers.

Importing the Certificate on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE

After that, import your *.SCUG.BE certificate on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE into your website as described below.

After the certificate has been imported, verify it by going back to Server Certificates in IIS.

Next, add the certificate to the Default Web Site. With the Default Web Site selected, click Bindings.

Click Add.

Choose Type https, IP address All Unassigned, and Port 443. Then select the newly imported certificate and click OK.

The site bindings should now look like:

[screenshot of the https binding on port 443]

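An added example (not code from the original post) that checks on a farm server what the "Request a Certificate", hosts file and binding sections above set up by hand: a server-authentication certificate with private key that covers the farm name (with a warning when it is a wildcard, per the supportability note), the https binding on port 443 of the Default Web Site, and the hosts file entry. The farm FQDN is the post's federation.scug.be; the hosts file IP is a placeholder you must replace with the internal AD FS address the post's screenshot shows.

```powershell
# Added example (not from the original post): post-install checks for an AD FS 2.1
# farm server. Run elevated (the hosts file write needs it) on FED1PRD/FED2PRD.
param(
    [string]$FederationFqdn = 'federation.scug.be',   # post's farm name
    [string]$HostsIp        = '10.0.0.1'              # placeholder: internal AD FS IP to pin
)

function Get-CertificateDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject CN plus every "DNS Name=" entry of the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    return $names
}

function Test-NameMatch([string]$Name, [string]$Fqdn) {
    if ($Name -eq $Fqdn) { return $true }
    # A wildcard covers exactly one label: *.scug.be matches federation.scug.be but not a.b.scug.be.
    return ($Name.StartsWith('*.') -and ($Fqdn -like $Name) -and ($Fqdn.Split('.').Count -eq $Name.Split('.').Count))
}

# 1. Certificate in the machine store that covers the farm name and has its private key.
$matching = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $c.HasPrivateKey -and ((Get-CertificateDnsNames $c) | Where-Object { Test-NameMatch $_ $FederationFqdn })
})
if ($matching.Count -eq 0) { Write-Warning "No certificate with private key for $FederationFqdn in LocalMachine\My" }
foreach ($c in $matching) {
    $names = Get-CertificateDnsNames $c
    if ($names | Where-Object { $_.StartsWith('*.') }) {
        Write-Warning "$($c.Thumbprint) is a wildcard certificate: works, but support may be limited"
    }
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "$($c.Thumbprint) expires $($c.NotAfter)" }
    if (-not $c.Verify()) { Write-Warning "$($c.Thumbprint) does not chain to a trusted root on this server" }
    Write-Host "Certificate $($c.Thumbprint) covers $FederationFqdn (names: $($names -join ', '))"
}

# 2. The https binding on port 443 that the IIS steps create.
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Where-Object { $_.bindingInformation -like '*:443:*' }
if (-not $binding) { Write-Warning 'No https binding on port 443 for Default Web Site' }
else { Write-Host "https binding $($binding.bindingInformation) uses certificate $($binding.certificateHash)" }

# 3. The hosts file entry; added only if no line already resolves the farm name.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = '^\s*\S+\s+' + [regex]::Escape($FederationFqdn) + '\s*$'
if (Select-String -Path $hostsFile -Pattern $pattern -Quiet) {
    Write-Host "hosts already has an entry for $FederationFqdn"
} else {
    Add-Content -Path $hostsFile -Value "$HostsIp`t$FederationFqdn"
    Write-Host "Added '$HostsIp $FederationFqdn' to $hostsFile"
}
```

The certificate thumbprint printed in step 1 should equal the certificateHash printed in step 2; if they differ, the binding was created with another certificate (for example an older one with the same subject) and federation clients will see that one, not the one you just imported.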

Install ADFS Proxy Servers on Windows Server 2012 Server (ADFSPROXY01 – ADFSPROXY02)

1. Select “ADFS Federation Services Proxy” through “Add Roles and Features”.

2. Leave the defaults selected and click “Next”.

3. Click the “Install” button.

Important:

Create a hosts file entry on ADFSPROXY01 and ADFSPROXY02 with the following line:

[screenshot of the hosts file entry]

Note: all server/client communication is established over port 443. Make sure port 443 is allowed between the internal AD FS host servers and the AD FS proxy servers, as well as from the Internet to the AD FS proxy servers.

Importing the Certificate on ADFSPROXY01 and ADFSPROXY02

After that, import your *.SCUG.BE certificate on ADFSPROXY01 and ADFSPROXY02 into your website as described below.

After the certificate has been imported, verify it by going back to Server Certificates in IIS.

Next, add the certificate to the Default Web Site. With the Default Web Site selected, click Bindings.

Click Add.

Choose Type https, IP address All Unassigned, and Port 443. Then select the newly imported certificate and click OK.

The site bindings should now look like:

[screenshot of the https binding on port 443]

DNS Configuration

  • Configure internal DNS to point to the federation hosts cluster (NLB) IP.
  • Set up a host (A) record for the domain (federation.scug.be) on a public-facing DNS server, for external name resolution, pointing to the proxy servers cluster (NLB).

Optional: in case the proxy servers don’t have DNS connectivity to the internal DNS server, you can configure the hosts file (see above) on each server to resolve the AD FS host servers’ name.

The end

Now your ADFS Farm is completely installed and configured correctly.

This brings us to the end of this post. In the next few posts, we’ll cover additional configuration and troubleshooting steps and bring this Windows Intune SSO / ADFS 2.1 infrastructure on Windows Server 2012 to a usable state.

Stay Tuned !


Hope it helps,

Kenny Buntinx

Enterprise Client MVP

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1

1:42 pm in ADFS, best practices, con, ConfigMgr 2012 SP1, intune, scc, SCCM 2012 SP1, Windows Intune by Kenny Buntinx [MVP]


With the SP1 release of System Center 2012 Configuration Manager, we now have the ability to connect to Windows Intune to manage mobile devices via the Internet. This allows you to use the Configuration Manager console to provision mobile devices, apply policy, and target apps to mobile devices even when those devices are not connected to the corporate network.

To provide users with an integrated sign-on experience (and reduce the need for administrators to manage two passwords per user) it is highly recommended that you deploy ADFS. ADFS allows a cloud service to leverage on-premises Active Directory credentials.

To deploy and configure ADFS 2.1 (Server 2012), follow the steps outlined below. This blog will cover the configuration and deployment work needed so users can successfully connect their devices with corporate credentials. Before you install ADFS 2.1 on Windows Server 2012, you have to think through some of the requirements.

The benefits of implementing ADFS:

  • Improves user productivity by enabling true single sign-on to domain joined computers
  • Reduces usability issues by allowing users to use AD credentials to access all “Windows Intune” or “Office 365” services and not have to remember two identities and two passwords
  • Allows administrators the ability to enforce the organization’s password policies and account restrictions in both the on-premises and cloud-based organizations
  • Increases security of AD credentials since passwords are never synced to the cloud, all authentication happens on-premises
  • Reduces overall administration time and costs associated due to the above points

Based on a lot of TechNet articles, this was my design:

[design diagram]

  • Two ADFS farm servers (for redundancy)
  • Two ADFS proxy servers (for redundancy)
  • One DirSync server (separate VM for performance)
  • A hardware load balancer (Cisco, F5, Citrix NetScaler) instead of Microsoft multicast NLB (it doesn’t really work that well, or call it bad experiences) for both the ADFS farm and the ADFS proxy servers
  • Due to the size of the environment (fewer than 50,000), WID (Windows Internal Database) will be used
  • This WID SQL server will be running SQL Express edition.

In addition, we need to determine a few things upfront, as it will speed up the installation work. My personal experience is that you really need one of the customer’s internal network guys to make this happen. We as “ConfigMgr” guys are not familiar with how a customer’s network is organized and who is responsible for which part of it.

  • External IP address of the federation service (in my example 212.x.x.x)
  • DMZ IP address of the federation service, which will be assigned to the NLB as a shared virtual IP address (in my example 192.168.x.20)
  • DMZ server dedicated IP addresses (in my example 192.168.x.1 and 192.168.x.2); these servers are in a workgroup (not domain-joined)
  • Internal ADFS farm shared virtual IP address assigned to the ADFS farm NLB (in my example 10.x.x.20)
  • Internal ADFS server dedicated IP addresses (in my example 10.x.x.1 and 10.x.x.2)
  • Fully qualified DNS name of the federation service, or ADFS FQDN (in my example Federation.SCUG.be)
  • Service accounts used for various purposes in the setup
  • Public SSL certificate to secure traffic associated with ADFS; certificates are used for server authentication and token signing. Try to order a *.<yourdomainname> certificate, this will make your life much easier (in my example *.SCUG.be)
  • Necessary firewall ports are open from the Internet to the ADFS proxy servers (port 443)
  • Necessary firewall ports are open from the ADFS proxy servers to the internal ADFS servers (port 443)
  • Necessary firewall ports are open from the Internet to the DirSync server and vice versa (port 443)

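The three firewall rules at the end of the checklist, turned into a connectivity test as an added example (not code from the original post). Each row is one rule and is meant to be run from the source named in it. Target names are the post's federation FQDN and placeholder addresses for the internal NLB VIP and for the Azure AD endpoint DirSync talks to (the post does not name that endpoint, so it is an assumption to fill in). It uses a raw TcpClient on purpose: Test-NetConnection does not exist on Windows Server 2012, which is where ADFS 2.1 lives.

```powershell
# Added example (not from the original post): port-443 reachability for the three
# paths the design requires. Replace the placeholder targets with your own.
function Test-Tcp443 {
    param([string]$Target, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, 443, $null, $null)
        # No answer within the timeout usually means a firewall is dropping the SYN.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws on "connection refused" / unresolvable name
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One row per firewall rule in the checklist; run each row from the listed source.
$paths = @(
    @{ From = 'Internet';    To = 'federation.scug.be';            Why = 'clients to the AD FS proxy NLB (post''s FQDN)' },
    @{ From = 'ADFS proxy';  To = '10.0.0.20';                     Why = 'proxy to the internal AD FS farm NLB VIP (placeholder)' },
    @{ From = 'DirSync';     To = 'azure-ad-endpoint.placeholder'; Why = 'DirSync to Azure AD (endpoint not named in the post)' }
)

function Test-AdfsPaths([hashtable[]]$Paths) {
    foreach ($p in $Paths) {
        $state = if (Test-Tcp443 -Target $p.To) { 'OPEN' } else { 'BLOCKED' }
        '{0,-8} {1,-11} -> {2,-32} {3}' -f $state, $p.From, $p.To, $p.Why
    }
}

Test-AdfsPaths -Paths $paths
```

A BLOCKED result only tells you that a TCP handshake on 443 did not complete from this host; it does not distinguish a firewall drop from a DNS failure, so check name resolution (the hosts file from Part 2 for the proxies) before opening a ticket with the network team.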
This brings us to the end of this post. In the next few posts, we’ll cover additional configuration and installation steps and bring this Windows Intune SSO / ADFS 2.1 infrastructure on Windows Server 2012 to a usable state.

Stay Tuned !


Hope it helps,

Kenny Buntinx

Enterprise Client MVP