You are browsing the archive for System Center.

Upgrading from ConfigMgr 1702 to 1706 gives you “Microsoft SQL Server reported SQL message 2627, severity 14” in your status messages

7:58 am in 1702, 1706, ConfigMgr, ConfigMgr CB, Software updates, SQL, System Center by Kenny Buntinx [MVP]

If you upgraded your ConfigMgr 1702 or earlier environment to Configmgr 1706 and in the status messages after the upgrade you get :

Microsoft SQL Server reported SQL message 2627, severity 14: [23000][2627][Microsoft][SQL Server Native Client 11.0][SQL Server]Violation of PRIMARY KEY constraint ‘SUM_DriverUpdates_PK’. Cannot insert duplicate key in object ‘dbo.SUM_DriverUpdates’. The duplicate key value is (d8483f4f-0390-49db-b251-faf884dd8eaf

Be aware that the Product Group are aware of this issue and are on a working on a fix. The result of this problem is that admins cannot see new Surface driver updates.

Other than that, nothing else is impacted so it can be ignored.

Hope it helps ,

Kenny Buntinx

MVP Enterprise Mobility

Ignite keynote summary from an ECM perspective

7:27 pm in ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr, EMS, Enterprise Mobility Suite, hybrid, Ignite, intune, Intune Standalone, SCCM 2012, sccm 2012 R2, SCCM v.Next, System Center, System Center 2016 by Kenny Buntinx [MVP]


For me this was the best keynote ever for all Microsoft’s events I’ve been at, virtually or physically. Wrapped up after three hours, I want to give you guys a heads up for what is happening in my area of expertise, Enterprise Client Management.

The conference is being held in Chicago and has over 20K people in the house. If you want you can watch a replay of this morning’s keynote on demand at

Most Important Ignite Keynote Announcements from an enterprise Client Management perspective

Windows Update for Business – This is an advanced version of what you already know today and it’s called WSUS. Together with Windows 10 it will allow you to control which machines get Windows Updates or even feature updates. Integration with your existing tools like System Center and the Enterprise Mobility Suite – so that these tools can continue to be that ‘single pane of glass’ for all of your systems management.

Office 2016 Public Preview – Available for Office 365 subscribers and those who want to run the full standalone install.  This version will really kick down the #EMS offering on IOS , Android or Windows. Office will be the key in the whole mobility story.

Windows Server 2016 – A second technical preview is now available for download and testing and will allow you to unlock some additional Hybrid functionallity , such as updates for Hyper-V ,ADFS , Workfolders , etc .

System Center 2016 – Has new provisioning, monitoring and automation abilities for your data center. A new preview will be available soon online

· New technical preview for ConfigMgr 2016 for Windows10 available for a trial at

New features in today’s Technical Preview includes:

          • Support for Windows 10 upgrade with OS deployment task sequence
          • Support for installing Configuration Manager on Azure Virtual Machines
          • Ability to manage Windows 10 mobile devices via MDM with on-premises Configuration Manager infrastructure

· New service packs for Configuration Manager 2012 and 2012 R2 (They will be released somewhere next week)

These will deliver full compatibility with existing features for Windows 10 deployment and management as well as several other features, including:

          • App-V publishing performance
          • Scalability improvements
          • Content distribution improvements
          • Native support for SQL Server 2014
          • Hybrid Parity (Intune) and new features

Microsoft Advanced Threat Analytics – Brings on premise Azure AD level security monitoring and threat detection.  This software/service is the result of Microsoft’s acquisition last November of Aorato and it’s a great add-on for EMS and AD premium. The preview is available now from here.


During Brad Anderson’s piece of the keynote, his team showed 11 different technologies on stage and here are links to all of those services and programs:

I hope that you are as thrilled and exited as myself and that we can show you all these cool things in our own lab and we hope that we can see you at one of our events.

Hope it helps,

Kenny Buntinx

MVP Enterprise Client Management MVP

The Enterprise Mobility Suite and the 10 reasons why you’re company needs it

10:58 am in azure, CM12, CM12 R2, ConfigMgr, EMS, hybrid, intune, Intune Standalone, RMS, sccm, sccm 2012 R2, System Center by Kenny Buntinx [MVP]


Together, Windows Server 2012 R2, System Center 2012 R2 Configuration Manager, Microsoft Azure AD Premium , Microsoft Azure RMS and Microsoft Intune , also called the Enterprise Mobility Suite (EMS) help organizations address the consumerization of IT. With Microsoft’s people-centric IT solution, organizations can empower their users, unify their environment, and protect their data, ultimately helping to embrace consumerization and a people- centric IT model, while maintaining corporate compliance.

What can the Microsoft Enterprise Mobility Suite (EMS) bring for you :

· Enabling your end users to work on the device or devices they love and providing them with consistent and secure access to corporate resources from those devices. Part of the way we do that is by providing a hybrid identity solution, enabled by Azure Active Directory Premium.

· Delivering comprehensive application and mobile device management from both your existing on-premises infrastructure, including Microsoft System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure. This helps to unify your environment. EMS provides mobile device management, enabled by Windows Intune

· Helping protect your data by protecting corporate information and managing risk. EMS provides data protection, enabled by Azure Rights Management service

Here are the 10 reasons why to consider EMS:

10. The ability to protect corporate information by selectively wiping apps and data. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can selectively and remotely wipe any device, including applications and sensitive company data, management policies and networking profiles.

9. Identification of compromised mobile devices. Jailbreak and root detection enables IT to determine which devices accessing corporate resources are at-risk, so that IT can choose to take appropriate action on those devices, including removing them from the management system and selectively wiping the devices.

8. Comprehensive settings management across platforms, including certificates, virtual private networks (VPNs), and wireless network and email profiles. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can provision certificates, VPN’s, and wi-fi profiles on personal devices within a single administration console.

7. Access on-premises and in-the-cloud resources with common identity. IT can better protect corporate information, manage and control resource access, and mitigate risk by being able to manage a single identity for each user across both on-premises and cloud-based applications. IT can better protect corporate information and mitigate risk by being able to restrict access to corporate resources based on user, device, and location.

6. Simplified, user-centric application management across devices. IT gains efficiency with a single management console, where policies and applications can be applied across groups (user and device types).

5. Enhance end-user productivity with self-service and Single-Sign-On (SSO) experiences. Help users be more productive by providing each with a single identity to use no matter what they access, whether they are working in the office, working remotely, or connecting to a cloud-based Software-as-a-Service (SaaS) application. Access company resources consistently across devices. Users can work from the device of their choice to access corporate resources regardless of location.

4. Protect information anywhere with Microsoft Azure RMS. Protecting information at rest and in transit requires authentication and preventing alteration, both key requirements for protecting sensitive corporate information.

The Microsoft Azure Rights Management Solution (RMS) that can help enterprises transition from a device-centric to a people-centric, consumerized IT environment without compromising compliance on document protection.

3. Single Pane of Glass Mobile device management of on-premises and cloud-based mobile devices. IT can manage mobile devices completely through the cloud with Microsoft Intune or extend its System Center Configuration Manager infrastructure with Microsoft Intune to manage their devices (PCs, Macs, or servers) and publish corporate apps and services, regardless of whether they’re corporate-connected or cloud-based.

2. Simplified registration and enrollment for BYOD. Users can register their devices for access to corporate resources and enroll in the Microsoft Intune management service to manage their devices and install corporate apps through a consistent company portal.

And… Number 1 if you ask me for the Microsoft Enterprise Mobility Suite…

1. Enable users to work on the device of their choice and from where they want. Give your users access to applications, data and resources from any device from virtually everywhere, while ensuring documents are secured and your mobile devices are compliant.

Hope it Helps ,

Kenny Buntinx

Windows Phone 8.1 Self Service Portal (SSP) changes with Windows Intune’s November Release

6:20 am in company portal, hybrid, intune, Intune Standalone, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, SSP, System Center, Windows Intune, windows inune, Windows Phone 8.1, WP 8.1, WP8.1 by Kenny Buntinx [MVP]

Hi ,

As you already probably knew , new Windows Intune capabilities are added as we speak for Windows Intune standalone thru the so called “November Release” as discussed here : 

The Microsoft Intune Company Portal for Windows Phone app helps you search, browse and install apps made available to you by your company, through the Microsoft Intune standalone of Hybrid (Configmgr and Windows Intune). Apps can be installed without requiring a connection to your corporate network. You can also enroll your personal computers and devices in the service and locate contact information for your IT team.

One additional change that was not clearly communicated is a change to how the Intune Company Portal or Self Service Portal (SSP) app for Windows Phone 8.1 is offered and installed.

Before , If you wanted to manage and deploy applications on your Windows phone 8 and 8.1 , the Company Portal app was offered as a deployable download at Microsoft’s Download Center, sign it with a Symantec code signing Certificate and deploy it to the management system infrastructure to enable device enrollment for Windows Phone 8 and 8.1 devices. The download was infused with a Symantec certificate to ensure trustworthiness of the app and to help secure enrollments.

Microsoft has now updated the Windows Intune Company Portal app for Windows Phone 8.1. The Symantec certificate is no longer embedded and no longer required because the app is now only available through the Microsoft Store.

However , there are some things to take into account when doing hybrid or standalone implementations.

Starting this week for Windows Intune standalone only , Microsoft removed the requirement that a company have an AET (Application Enrollment Token) and signed Company Portal app before we let them enroll, but devices must be enrolled for management before they can install sideloaded apps from our MDM, and they must also have the AET.

In short this means that you do not longer need the Symantec certificate to enroll and manage WP8.1 devices ( not WP 8.0! ) , but you will still need the Symantec certificate to sideload any application that doesn’t come thru the app store .

Anything else still requires both cert and signed SSP.xap from download center –> so are Hybrid implementations still today.

My advise for now:

1. Admins who want to stay on the old school ssp.xap for now ( For hybrid deployment this is mandatory !!! )

    • Don’t tell users about store app
    • Add store app to blocked list, for extra insurance, so they can’t run it
    • Just keep doing what you’re doing

Hybrid users could still install the SSP from store if you do not blacklist the application. However , if the do install the SSP from the store , they can’t enroll unless a cert and signed ssp have been uploaded, but they can use the portal in the “unenrolled” scenario.

2. Admins who want to move to appx from app store ( Intune standalone only !! )

    • Create an app that uninstalls ssp.xap
    • Tell users to start by installing store app and using link in app to enroll just like android or IOS


The only new thing you get with the App Store SSP version is the ability to show users “Terms and Conditions” . Period.

If companies want to sideload applications, there’s still no way around having the Symantec cert

The new App Store SSP is taking the version to 4.1.2777.2 and can be found over here :


Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

IOS 8 support now available for System Center 2012 R2 Configuration Manager thru an extension for Windows Intune

4:18 am in ConfigMgr, configmgr 2012 R2, intune, MDM, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, System Center, UDM by Kenny Buntinx [MVP]


A new version of the iOS 7 Security Settings extension is now available for System Center 2012 R2 Configuration Manager environments that are configured with the Windows Intune connector. This updated extension adds support for iOS 8 devices. New features include: iOS 8 added to the supported platform list, configuration settings to manage and assess the compliance on iOS 8 devices, company resource access on iOS 8 devices and the ability to define an applicability rule for applications, allowing you to deploy applications to iOS 8 devices.

If you already have the iOS 7 Security Settings extension enabled, an updated extension called iOS 7 and iOS 8 Security Settings will appear as a new item in your Configuration Manager console in the Extensions for Windows Intune node. You will also be able to see other enabled extensions in this location.

To install the updated version, select the iOS 7 and iOS 8 Security Settings extension from the list and then click Enable. You do not need to disable the older version of the extension before you enable this updated version. As the updated version is installed, the configurations you previously made for the extension are retained. Once the installation is complete, only the most recent version of the extension will display in the console.

Read further at

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Configmgr SP1 : Windows 7 deployment is not supported anymore from the setup.exe

8:10 pm in CM12, ConfigMgr 2012, ConfigMgr 2012 SP1, Operating System Deployment, OSD, SCCM 2012, SCCM 2012 SP1, System Center by Kenny Buntinx [MVP]


Windows 7 Setup.exe install is not supported ( but also VISTA , Windows Server 2008 / 2008 R2 )on ConfigMgr 2012 SP1.  With SP1, you need to use a WIM installation unless you’re installing Windows 8.  It was mentioned here :

The build and capture task sequence was updated to apply an operating system image instead of running Setup.exe for installation. You can still run Setup.exe for Windows 8 deployments by editing the task sequence in the task sequence editor.

If you want to use the Windows 7 install.wim, find some instructions here to make sure the OS ends up on drive C:

When doing build and capture for Windows 7, you will need to first import the Windows 7 install.wim, which can be found in the sources folder on the Windows 7 installation media.


Once you have imported the install.wim as an available Operating System Image package, then you can update the build and capture task sequence to use the image instead of Setup (in my screenshot, I’m using the Windows 8 install.wim, but Windows 7 works the same way).


Now with Windows 7, there are some additional considerations required to ensure the installed/captured image ends up on drive C: (because the Windows 7 install.wim was captured using drive D: originally).  You must add a Set Task Sequence Variable step before the Apply Operating System step that sets OSDPreserveDriveLetter=False.


Finally, you need to make sure that any partitions that come before the Windows partition are configured to not assign a drive letter.


This will ensure the Windows partition is assigned the first drive letter (C:) when the OS is booted.  Once the image has been captured, it will already have the Windows partition captured as drive C:, so none of these additional steps are needed when actually deploying the image.

Hope it Helps ,

Kenny Buntinx

Intel HD Graphics driver and software for HP Models in OSD in the New Configmgr 2012 Application model

9:04 am in Application Model, ConfigMgr 2012, ConfigMgr 2012 SP1, Deployment, deployment types, Drivers, Global Conditions, query, Requirements, SCCM 2012, SCCM 2012 SP1, System Center by Kenny Buntinx [MVP]


System Center 2012 Configuration Manager has a great feature called the Application model that has many great built-in requirement rules that will help you to get the right deployment type installed on the right machine type even during OSD.

For most of the drivers you need to install during OSD , the driver alone isn’t enough. A great example here is the Intel HD graphics or IDT high definition Audio drivers.

In the old CM07 days you would build packages and programs , use them in your task sequence with a condition that uses a WMI query to apply that TS step on the right HW model. Well , forget about that and start using applications to install your “bad drivers” that need software as well. Let those global conditions figure out on what HW model hardware it is applicable.

For most of my applications the built-in rules can get the job done, but some times we need to create our own Global Conditions, to fit the requirement rules for an application/Deployment Type. In this particular case , we will use a global condition to detect the right PNP ID so we are able to detect the HW. We simply don’t care on what HW model we apply this step , as the global condition will figure it out for you . This will allow you to simplify things in your TS.

Let me give you an example on how to do it :

1. Create your Application : HP Graphics driver and Software and fill in your supported models. Note: When downloading the driver software from the HP website , in the .inf file you will find on what HW models this software is applicable.


2. Create your Deployment Type and specify the install / uninstall parameters . In this case : “Setup –s”


3. Create your “Detection Method” . In this case we will look in to the registry :

Hive: “HKLM”

Key : \Software\Wow6432Node\Intel\GFX”

Value :”Version”

Data Type : “String”

Equals version “”

Now you can detect if the app is already installed or not .


4. Create your custom Global condition under the “Global Condition” Node in the Console .


5. Create your custom Global condition called:”Video is Intel HD Graphics Compatible Adapter” and specify the following settings :

Name :”Video is Intel HD Graphics Compatible Adapter”

Device Type : “windows”

Condition Type : “Setting”

Setting Type : ”WQL query”

Data Type :”String”

Namespace : “Root\Cimv2”

Class: ”CIM_LogicalDevice”

Property : “PNPDeviceID”

WQL query where clause  :

“PNPDeviceID like ‘%VEN_8086&DEV_0166%’ or PNPDeviceID like ‘%VEN_8086&DEV_0106%’ or PNPDeviceID like ‘%VEN_8086&DEV_0102%’ or PNPDeviceID like ‘%VEN_8086&DEV_0116%’ or PNPDeviceID like ‘%VEN_8086&DEV_0112%’ or PNPDeviceID like ‘%VEN_8086&DEV_0126%’ or PNPDeviceID like ‘%VEN_8086&DEV_0122%’ or PNPDeviceID like ‘%VEN_8086&DEV_010A%’ or PNPDeviceID like ‘%VEN_8086&DEV_0162%’ or PNPDeviceID like ‘%VEN_8086&DEV_016A%’ or PNPDeviceID like ‘%VEN_8086&DEV_0152%’ or PNPDeviceID like ‘%VEN_8086&DEV_0156%’ or PNPDeviceID like ‘%VEN_8086&DEV_015A%’”


To find the above information , you must open the corresponding inf file of the specified driver


6. Attach your previous defined “Global Condition” as a requirement on your deployment type. Make your sure to select that your global condition must exist on the client device .


7. Add the application to your OSD task Sequence . You’re done.

I hope you see that the power of Applications can also be used in your OSD deployment scenarios .

Hope it Helps ,

Kenny Buntinx

Configmgr 2012 Reporting throws an error at you when trying to run a report

6:29 am in ConfigMgr, ConfigMgr 2012, ConfigMgr 2012 SP1, ConfigMgr Reporting, Report, Reporting, SCCM 2012, SCCM 2012 SP1, SQL Reporting services, System Center by Kenny Buntinx [MVP]


Did you ever configured reporting in Configmgr 2012 and specified a reporting service account like below ?


Did you get an error thrown at you like this when you try to run a report ?


If we look a little closer , we see the following line that is very interesting :”Logon failure: the user has not been granted the requested logon type at this computer “ as shown below in the log file


System.Web.Services.Protocols.SoapException: An error has occurred during report processing. —> Microsoft.ReportingServices.ReportProcessing.ProcessingAbortedException: An error has occurred during report processing. —> Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: Cannot impersonate user for data source ‘AutoGen__5C6358F2_4BB6_4a1b_A16E_8D96795D8602_’. —> Microsoft.ReportingServices.Diagnostics.Utilities.LogonFailedException: Log on failed. Ensure the user name and password are correct. —> System.ComponentModel.Win32Exception: Logon failure: the user has not been granted the requested logon type at this computer
   at Microsoft.ReportingServices.WebServer.ReportingService2005Impl.GetReportParameters(String Report, String HistoryID, Boolean ForRendering, ParameterValue[] Values, DataSourceCredentials[] Credentials, ReportParameter[]& Parameters)
   at Microsoft.ReportingServices.WebServer.ReportingService2005.GetReportParameters(String Report, String HistoryID, Boolean ForRendering, ParameterValue[] Values, DataSourceCredentials[] Credentials, ReportParameter[]& Parameters)


Solution :  When you request a service account , make sure that people creating this service account grant you the right "Allow log on locally" thru Local Policy or Group Policy. For more information about configuring this group policy on Windows Server 2003, see the Microsoft TechNet article, "Allow log on locally".  To solve this you will need to change the Local Security Policy of the server.

As a best practice , most service accounts don’t get per default the "Allow log on locally" for security best practices .However in this case it is needed to run the reports .

Hope it Helps ,

Kenny Buntinx

ConfigMgr 2012 SP1 Beta : Skipping Client prerequisites in the OSD “Setup windows and install Configmgr client” step.

6:22 pm in CM12, ConfigMgr 2012, ConfigMgr 2012 SP1, Operating System Deployment, OSD, SCCM 2012, SCCM 2012 SP1, System Center, WES, WES 2009, WES2009 by Kenny Buntinx [MVP]


Hi guys ,

Working for a customer on managing WES 2009 Clients with Configmgr 2012 sp1 in TAP. On of the requirements by the customer was not to install Silverlight 5.0 or .net 4.0 onto the WES2009 Device as they did not manage or support their core image.

The client prerequisites documentation can be found here on technet .

Silverlight is not required, Software Center and Software Catalog are the only things that need it.  You can specify a commandline switch on ccmsetup to not install Silverlight.  Example: CCMSetup.exe /skipprereq: silverlight.exe but that only works to client push or manual install in RTM

If my base image has .net 2.x installed and I don’t want install .net 3.0/3.5/4.0 because of lack of disk space – (image being build by another company and no possibility to adjust ) and app compatibility on the embedded, how can I use the */skipprereq* on the OSD “Setup windows and install Configmgr client” step ?

GOOD NEWS ! They fixed that in SP1 . Now you are able to pass that “/SKIPPREREQ” parameter in your  OSD “Setup windows and install Configmgr client” step .

Hope it Helps ,

Kenny Buntinx

Configmgr 2012 : Automate / Create User Collections from AD user Groups (based on Active Directory group discovery)

8:40 am in CM12, collection, ConfigMgr 2012, ConfigMgr 2012 SP1, query, SCCM 2012, SCCM 2012 SP1, System Center, users by Kenny Buntinx [MVP]


Did you ever wanted to automate the creation of “User Collections” based on your AD user Groups (which is based on User group discovery)

I have posted the script here ( ) and these are the steps to follow :

1) Create/Configure your AD group discovery to target your AD application groups.


2) Run this script from a site server machine and this will require appropriate RBAC rights for the user to create collections.

2) Open a command prompt and run the following cmd:

Cscript CreateCollectionForUserGroups.vbs


3) The script will create a user collection for each AD security group with the same name as the unique user group name retrieved from active directory. The appropriate AD group will be added as a direct member of that user collection. This will avoid the refresh that you would need if you would use a query method !



4) On subsequent reruns the script will check if a collection with the same name exists or not and if it does it will skip.

The only 2 things I would still add to the script and I am busy trying to figure it out is :

– Check for incremental updates ( in case you would add a user directly into it )

– Check the default collection update (7days)


Note : I have not written this script myself . I would like to thank the Configmgr Product group and in particular Bhaskar, as he created the script . However you should first try this script in a lab and see if it fits your needs . We’ll take no responsibility what so ever .


Hope it Helps ,

Kenny Buntinx