Intune: What’s New – RSS Feed

December 9, 2014 at 6:43 pm in Uncategorized by Valérie Siroux

Updates to Microsoft Intune used to be released on a quarterly basis.
But Microsoft is moving to a more agile method and releasing service updates more frequently.

After the updates in November, Microsoft is already releasing a service update this week.

New features that will be released to Intune standalone (cloud only) as part of this service update include:

  • Ability to restrict access to Exchange Online email based upon device enrollment and compliance policies
  • Management of Office mobile apps (Word, Excel, PowerPoint) for iOS devices, including ability to restrict actions such as copy, cut, and paste outside of the managed app ecosystem
  • Ability to extend application protection to existing line-of-business apps using the Intune App Wrapping Tool for iOS
  • Managed Browser app for Android devices that controls actions that users can perform, including allow/deny access to specific websites. Managed Browser app for iOS devices currently pending store approval
  • PDF Viewer, AV Player, and Image Viewer apps for Android devices that help users securely view corporate content
  • Bulk enrollment of iOS devices using Apple Configurator
  • Ability to create configuration files using Apple Configurator and import these files into Intune to set custom iOS policies
  • Lockdown of Windows Phone 8.1 devices with Assigned Access mode using OMA-URI settings
  • Ability to set additional policies on Windows Phone 8.1 devices using OMA-URI settings

And new Intune-managed Office mobile apps (Word, Excel, and PowerPoint) for Android devices are coming soon.

Faster updates are a good thing: we can use the new features sooner. But it makes it harder to keep up with the releases and new features.

You can follow this RSS feed to stay up-to-date on all of the exciting capabilities coming to Microsoft Intune. And of course there will be a lot of information on the SCUG blogs :).

Intune Extensions not installed in SCCM

December 9, 2014 at 9:03 am in Uncategorized by Valérie Siroux

Last week, I prepared the lab environment for a Mobile Device Management demo.

I created a Microsoft Intune evaluation subscription and created a connector on System Center Configuration Manager 2012 R2. I installed DirSync on my domain controller and synchronized users in a specific OU to Microsoft Intune. No Azure components were used. I configured Windows Phone enrollment using the support tools. iOS enrollment was enabled by creating the certificate.

All this was working fine. I was able to create a mobile device policy and application policy. All users were in the correct collections and appeared correctly in Intune.

But when I tried to deploy a Windows Phone or iOS device, I received an error.

In the dmpdownloader.log I saw the following errors repeatedly:

Error: GetMessages CommunicationException: [An error occurred while receiving the HTTP response to This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details)
Failed to call Download. error = No such interface supported

In eventviewer:
On 6/12/2014 14:29:28, component SMS_DMP_DOWNLOADER on computer <SCCM Server> reported: SMS Executive detected that this component stopped unexpectedly.

Possible cause: The component is experiencing a severe problem that caused it to stop unexpectedly.
Solution: Refer to your ConfigMgr Documentation or the Microsoft Knowledge Base for further troubleshooting information.

When checking in the SCCM console –> Administration > Cloud Services > Extensions for Windows Intune – I noticed there were no extensions. It can take up to 24 hours for the extensions to get installed. But a few days had already passed.

I validated all steps in Ronny de Jong’s blogpost: but everything was ok.

To ensure nothing was wrong with the SCCM install, I set up an additional new SCCM site to test the Intune connector. But this gave exactly the same error.

Eventually, I created a new Intune subscription, also an evaluation, and configured my connector in SCCM with this subscription. The dmpdownloader log didn’t give any errors anymore.


After a few hours, the Intune extensions were available in the SCCM console. After enabling them, I was able to enroll my devices.

I have no idea what went wrong with my first subscription; something must have gone wrong in the back-end when creating it. Creating a new subscription solved my issue.



DPM–Console Crashes when opening Recovery Tab

August 21, 2014 at 2:17 pm in DPM, SCDPM, System Center 2012 SP1, Uncategorized by Valérie Siroux

At one of my customers, we migrated the DPM 2012 SP1 server to newer hardware.
The DPM server got the same name, and the DPMDB was restored.

After the migration, all agents needed to be repointed to the new DPM server.
This was done by executing the command: setdpmserver.exe -dpmservername <Name>

For workgroup servers, that command didn’t work because the local accounts weren’t created on the new server.
After re-adding the workgroup servers to DPM, everything ran fine.

But after a small week, the customer wanted to do a restore and noticed the console crashed when trying to open the Recovery Tab.
Error in the application log:

The description for Event ID 999 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

An unexpected error caused a failure for process ‘mmc’.  Restart the DPM process ‘mmc’.

Problem Details:
<FatalServiceError><__System><ID>19</ID><Seq>0</Seq><TimeCreated>21-8-2014 11:59:26</TimeCreated><Source>DpmThreadPool.cs</Source><Line>163</Line><HasError>True</HasError></__System><ExceptionType>ArgumentException</ExceptionType><ExceptionMessage>An entry with the same key already exists.</ExceptionMessage><ExceptionDetails>System.ArgumentException: An entry with the same key already exists.
at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
at System.Collections.Generic.TreeSet`1.Add(T item)
at System.Collections.Generic.SortedDictionary`2.Add(TKey key, TValue value)
at Microsoft.Internal.EnterpriseStorage.Dls.UI.RecoveryPage.RecoveryBrowseTab.UpdateProductionServers(ICollection`1 productionServerList, TreeNode dataOnDiskAndTapeNode)
at Microsoft.Internal.EnterpriseStorage.Dls.UI.RecoveryPage.RecoveryBrowseTab.RenderTreeView(Boolean firstTime)
at Microsoft.Internal.EnterpriseStorage.Dls.UI.RecoveryPage.RecoveryBrowseTab.RenderView()
at Microsoft.Internal.EnterpriseStorage.Dls.UI.CommonControls.FireOnceTimer.OnTimerTick(Object sender, EventArgs e)
at System.Windows.Forms.Timer.OnTick(EventArgs e)
at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message&amp; m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)</ExceptionDetails></FatalServiceError>

the message resource is present but the message is not found in the string/message table

Because we had some problems attaching the workgroup servers, I executed the following SQL query on the DPMDB for all our servers.

use dpmdb
select *
from tbl_am_installedagent
where serverid in (select serverid from tbl_am_server where serverName = '<Workgroup Server Name>')

Some of the workgroup servers had double entries.
I stopped protection for all of the workgroup, but retained the recovery points.
For 1 server, I had multiple Inactive Protection Items. To be sure, I deleted the oldest items.
After this, the Recovery tab started working again.

To be sure, I removed the workgroup servers with the following command:
.\Remove-ProductionServer (make sure to enter the FQDN for the DPM Server).

I then re-added the servers by executing this command on the workgroup servers:
SetDpmServer.exe -dpmservername <DPMServer> -isnondomainserver -username <useraccount>

and attached them to the DPM server using the gui:


Note: make sure to enable the option: Password never expires on the account on both servers.

Problem Solved :)

DPM 2010: Sharepoint Full VM Backup Failed

April 11, 2013 at 1:29 pm in DPM by Valérie Siroux

All Full VM backups of the Sharepoint virtual machine failed with the following error:

DPM encountered a retryable VSS error. (ID 30112 Details: VssError: The writer experienced a transient error. If the backup process is retried, the error may not reoccur. (0x800423F3))

Running a synchronization job with consistency check gave the same error.
Backups of other VMs worked perfectly.


In the DPM log files on the Hyper-V host I only found the same error code as in the DPM alert.
In this case, the logs weren’t really helpful.

I logged on to the Sharepoint server, opened an elevated command prompt and ran:
vssadmin list writers

A lot of writers, both system and SharePoint writers, were in the state Waiting for Completion.
Rebooting the server made the writers Stable, until I retried the backup job.
All writers went to exactly the same state as before the reboot.
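
The writer check described above can be scripted so that every writer that is not Stable shows up in one list. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later and English vssadmin output, and the function name and sample text are made up for illustration.

```powershell
# Added example: turn `vssadmin list writers` text into objects and
# return every writer that is not Stable or that reports a last error.
function ConvertFrom-VssWriterList {
    param([string[]]$Lines)

    $writers = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Writer name:\s*''(?<name>.+)''\s*$') {
            # A new "Writer name" line closes the previous writer block.
            if ($current) { $writers += [pscustomobject]$current }
            $current = [ordered]@{
                Name      = $Matches.name
                StateCode = $null
                State     = $null
                LastError = $null
            }
        }
        elseif ($current -and $line -match '^\s*State:\s*\[(?<code>\d+)\]\s*(?<text>.+?)\s*$') {
            $current.StateCode = [int]$Matches.code
            $current.State     = $Matches.text
        }
        elseif ($current -and $line -match '^\s*Last error:\s*(?<err>.+?)\s*$') {
            $current.LastError = $Matches.err
        }
    }
    if ($current) { $writers += [pscustomobject]$current }
    $writers
}

# Constructed sample (trimmed, not captured from a real server).
$sample = @'
Writer name: 'System Writer'
   State: [5] Waiting for completion
   Last error: No error

Writer name: 'SharePoint Services Writer'
   State: [5] Waiting for completion
   Last error: No error

Writer name: 'WMI Writer'
   State: [1] Stable
   Last error: No error
'@ -split "\r?\n"

# Only the first two writers are returned; 'WMI Writer' is Stable.
ConvertFrom-VssWriterList -Lines $sample |
    Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' } |
    Format-Table -AutoSize

# On a live server, from an elevated prompt:
# ConvertFrom-VssWriterList -Lines (vssadmin list writers) |
#     Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
```

Running it before and after a backup attempt shows which writers change state because of the job.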

I opened event viewer and noticed a lot of SharePoint related errors.
One of the IT guys at the customer site had also told me the SharePoint search didn’t work.
Because SharePoint VSS writers were also in an error state I decided to look closer into the SharePoint issues.

Alerts in event viewer looked like this:
The mount operation for the gatherer application 5bfe200c-6fbe-4eef-811f-487d7b875766 has failed because the schema version of the search administration database is less than the minimum backwards compatibility schema version supported for this gatherer application. The database might not have been upgraded.

This led me to the following blog post about SP1:

SP1 installation requires two steps! Running the update executable, which updates the binaries, and running an additional command which updates the database etc!

By running the following command in an elevated SharePoint PowerShell prompt I noticed the upgrade wasn’t executed correctly.
(Get-SPServer $env:computername).NeedsUpgrade

I completed the upgrade with the following command:
PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures

Rebooted the server and retried my backup! It worked without any issues!

My Virtual Machine Backup failed because of an issue on Sharepoint application level!
Sharepoint issues were blocking VM backups. The sharepoint application backups were running fine the entire time.

I have said it before: it’s not always a DPM issue. A lot of people find it easy to blame DPM. 
But I have learned that most issues are caused by problems at the application level!

Make sure your application runs fine when troubleshooting backup failures!

SCSM–Custom Console Task: Change Status To In Progress

February 9, 2013 at 9:06 am in Service Manager, System Center 2012 SP1 by Valérie Siroux

Most of my customers create one or more custom statuses like In Progress.

In Service Manager 2012, changing the status to In Progress requires many clicks.
The console tasks used to change the status of an Incident are grouped in a parent task called "Change Incident Status". When you want to update the status to In Progress, there are too many steps required: Change Incident Status –> Other –> Select the correct status –> Click OK.


To motivate analysts to always keep the incident status up to date, we searched for a way to update statuses with one single click.
This means we need to create tasks at the root level.

There is already a custom management pack available in the TechNet Gallery to do this for the default statuses (Activate, Resolve, Close). Download & import this management pack.

Now, we only need to create console tasks for our custom status, in this case, In Progress.
First, we need to get the ElementId for this status.

Export & Open the Management Pack which contains your custom status (Default: Service Manager Incident Management Configuration Library).
Scroll down to the DisplayStrings section and search for the Display string with Name: In Progress.
Note down the value in ElementID, in this case InProgress.Enum (Note: when creating a status using the lists in Service Manager your elementID will look like enum.<GUID>, use this value)


Go to Library, Tasks and start the Create Task wizard.

Task Name: In Progress
Description: Change the incident status to In Progress
Target Class: Incident
Management Pack: I used the same management pack as the one from the Technet Galleries,  you can create a new MP or use an existing.

Categories: Where will the task be displayed. I selected Incident Management Folder Tasks.


Full path to Command: powershell.exe
Parameters: cd 'C:\Program Files\Microsoft System Center 2012\Service Manager\Powershell';Import-Module .\System.Center.Service.Manager.psd1; $IncidentClass = Get-SCClass -Name System.workitem.incident;$Incident = Get-SCClassInstance -Class $IncidentClass -Filter 'Id -eq $Context/Property[Type='CustomSystem_WorkItem_Library!System.WorkItem']/Id$';If ($Incident.count -gt 0) { $Incident | Foreach-Object {$_.Status = 'InProgress.Enum';Update-SCClassInstance -Instance $_}; };
Log in action log when this task is run: Enabled
Show output when this task is run: Enabled.

Note: Update the InProgress.Enum to the value you found in the previous step.

The In Progress task is displayed in the incident management folder, and should be working.

But we still need to do some fine tuning to the task: Add an image and only show the task when an incident is selected.
There is no way to do this using the SCSM GUI, so we need to change the management pack XML code.

Export the management pack and open it in an xml editor.

Scroll down to the DisplayStrings section and find the DisplayString with In Progress in the <Name> Tag. Copy/Note down the ElementID.

Search for the <Categories> tag, and look for the <category> with the ElementID from the previous step as target.


Update the Value from: SMIncident!ServiceManager.IncidentManagement.IncidentManagementFolderTasks to SMConsole!Microsoft.EnterpriseManagement.ServiceManager.UI.Console.MultiSelectTask

Your category should look like this now:    <Category ID="Category_7112A19A5D9C497D8BEB78A9D23B2D9B65D92CC1" Target="ConsoleTask.c5d9d01115684a04a6ddfc646dd77c8d" Value="SMConsole!Microsoft.EnterpriseManagement.ServiceManager.UI.Console.MultiSelectTask" />

Now, search for the <ImageReferences> tag. (You can create the tag if it doesn’t exist)
And add an image reference for the in progress status:

<ImageReference ElementID="ConsoleTask.c5d9d01115684a04a6ddfc646dd77c8d" ImageID="SMIncident!IncidentMgmt_IncidentStatusChange_16" />

Note: Update the ElementID to the ElementID you found in the previous step.



Update your Management Pack Version number and re-import the Management Pack.

The task is displayed correctly:


SCSM–Exchange Connector: Never Run

February 9, 2013 at 8:02 am in Service Manager, System Center 2012 SP1 by Valérie Siroux

After importing & configuring the Exchange Connector 3.0 RTM at a customer it remained in a “Never Run” state.


In the Operations Manager log in event viewer I noticed the following events:

Event ID 33880

A Windows Workflow Foundation workflow failed during execution.
Workflow Type: Microsoft.SystemCenter.ExchangeConnector.ProcessEmailsWorkflow
Workflow Identifier: 26a9e5a1-185f-60f7-e83f-4d6bb49dc686
Exception Type: Microsoft.EnterpriseManagement.Common.UnauthorizedAccessEnterpriseManagementException
Exception Message: The user Domain\WorkflowAccount does not have sufficient permission to perform the operation.

Event ID 26319

An exception was thrown while processing ProcessDiscoveryData for session ID uuid:f22483af-6795-4aed-8470-eab0b72e23f0;id=597.
Exception message: The user Domain\WorkflowAccount does not have sufficient permission to perform the operation.

The Workflow Account always needs to be a member of the Service Manager Administrator Role.
After adding the workflow account to the Administrator role, and waiting for a few minutes, the exchange connector started working.

SCSM–Assign incident to support group based on Office Location

December 20, 2012 at 2:09 pm in Service Manager, System Center 2012 by Valérie Siroux


One of my customers has multiple sites worldwide.
Some of these sites have their own Support Group. For these sites, support groups are created within Service Manager.

All users world wide can create requests on the portal.
But when a user in the US creates an Incident, the incident needs to be assigned to the US Support Group. The same needs to happen for users in Belgium, these users need to be added to the BE Support Group.

The support group only needs to be set automatically for Incidents created by the portal.
This is because an analyst in Belgium can solve a problem for a user in the USA.
We don’t want to update the support group to the USA when the analyst in Belgium created the problem using the console.

This blog post will explain how to do this using the SCSM Console.

To do this, we will use the “Office” AD property. Make sure the office is correctly filled in for each user in Active Directory.

You can check a user’s location by going to Configuration Items – Users: open the user’s properties and verify the Office field is set correctly.
In this example, the office is set to “Ferranti Houston”.

Create an Incident Template and only define the Support Group in the template.

Go to Administration – Workflows – Configuration – Incident Event Workflow Configuration
And create a new workflow.

Give the Workflow a Name, Description and select a Management Pack.
Set the parameter “Check for Events” to: When an object is created.

In the Event Criteria, select the Affected User class, and search for the Office property.
Add this property to the criteria, and set the criteria to contain your office name.
In this example the office name is “Ferranti Houston” so the property is set to Houston.

You can add multiple Offices to the criteria if you want to use the same support group for more offices.

Because we only want to apply this template for incidents created by the portal, we also need to add a criteria for this.
Select the Incident class, and add the source property to the criteria. Set the criteria to “equal Portal”.

In the Select Incident Template settings, apply the template created earlier.

You can send out a notification if you want to but it isn’t needed in this case.
Create the workflow. Follow the same steps for other regions.




DPM 2012 CU3 : Large DPMDB

November 20, 2012 at 9:25 pm in SCDPM, System Center by Valérie Siroux

One of my customers upgraded from DPM 2010 to DPM 2012.


The DPM worked without issues, but after a few weeks, they noticed the DPM database became really big.
In a few weeks the database had grown from 5 GB to more than 200 GB.

The database kept growing and growing.


I asked the customer to execute a query on the DPMDB, to see which items are causing the database to become this large.

declare @TableSpace table (TableName sysname, RowsK varchar(32), ReservedMB varchar(32), DataMB varchar(32), IndexSizeMB varchar(32), UnusedMB varchar(32))
insert @TableSpace
exec sp_MSforeachtable @command1="exec sp_spaceused '?';"
update @TableSpace set RowsK = CONVERT(varchar, 1+convert(int, RowsK)/1024)
update @TableSpace set ReservedMB = CONVERT(varchar, 1+convert(int,LEFT(ReservedMB, charindex(' K', ReservedMB,-1)))/1024)
update @TableSpace set DataMB = CONVERT(varchar, 1+convert(int,LEFT(DataMB, charindex(' K', DataMB,-1)))/1024)
update @TableSpace set IndexSizeMB = CONVERT(varchar, convert(int,LEFT(IndexSizeMB, charindex(' K', IndexSizeMB,-1)))/1024)
update @TableSpace set UnusedMB = CONVERT(varchar, convert(int,LEFT(UnusedMB, charindex(' K', UnusedMB,-1)))/1024)
select * from @TableSpace order by convert(int,ReservedMB) desc

The query output looked like this:


From this query, it was obvious Sharepoint was the problem.
We also noticed the database started growing really fast when the sharepoint catalog task was running.


The customer opened a case at Microsoft for this issue.
Microsoft identified this as a problem after the CU 3 installation.

The following steps are provided as a solution.
The line that is now commented out in the SQL query is what is causing the problem.


1. Back up the DPM database (dpmbackup -db) or use SQL to make a backup.

2. Paste the SQL query below and execute it. It will update the DPM stored procedure causing the problem.

/****** Object:  StoredProcedure [dbo].[prc_PRM_SharePointRecoverableObject_Update]    Script Date: 11/03/2012 01:36:08 ******/
ALTER PROCEDURE [dbo].[prc_PRM_SharePointRecoverableObject_Update]
    @Caption                        nvarchar(40),
    @ComponentType                  nvarchar(16),
    @RecoverableObjectId            BIGINT
AS
    DECLARE @error INT,
            @rowCount INT
    SET @error = 0

    -- Original statement, commented out as part of the fix:
    -- UPDATE tbl_RM_SharePointRecoverableObject SET Caption = @Caption
    UPDATE tbl_RM_SharePointRecoverableObject SET Caption = @Caption,
                ComponentType = @ComponentType
    WHERE RecoverableObjectId = @RecoverableObjectId

    SELECT @error = dbo.udf_DPS_CheckRowCount(1)

    RETURN @error



3.       Start a new SharePoint Catalog Task – it should run and not cause the DB growth issue.


A big thank you to Bart D. for sending me the solution from the Microsoft call!


Config Manager Software Updates: Download failed

November 20, 2012 at 8:37 pm in SCCM, System Center by Valérie Siroux

I created a basic Automatic Approval in Config Manager 2012.
This rule approves all critical and security alerts for windows client OS.

Running this rule gives an error with Error code 0x87020417.


When looking into the Application Event Log, the following event with id 8706 is displayed:

On 20/11/2012 16:57:00, component SMS_RULE_ENGINE on computer SCCMSERVER reported: Content download failed.
Message: failed to download one or more content files.
Source: SMS Rule Engine

When opening the ruleengine.log in the CMTrace utility, the following error was shown.

Failed to download the update from internet. Error=407
Failed to download ContentID 16778381 forr UpdateID 16779081. Error code = 407


This error is related to the proxy. But the SCCM server, which is also running the WSUS role, was excluded from the proxy.

I opened Internet Explorer with my user account, opened Internet Options > Connections > LAN Settings.
The option Automatically detect settings was enabled! I disabled this option but this didn’t change anything!



Config Manager was still using the proxy to download the updates.

But I realised config manager wasn’t using MY account to download the updates.
So, I decided to run Internet Explorer as Local System.

To do this, download the PSTools from SysInternals.
Open an administrative command prompt and browse to the PStools directory.

Execute the following command to open Internet Explorer as Local System:

psexec -i -s "C:\Program Files\Internet Explorer\iexplore.exe"


A new Internet Explorer window opens. Disable the auto detect settings in this Internet Explorer window.

Run the rule again, the updates should download now!
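
The point of the steps above is that the LAN settings are stored per account, so the Local System account has its own copy. The following added example (not part of the original post) reads that copy from the registry instead of through a browser window. It assumes the commonly described but undocumented layout of the DefaultConnectionSettings value, in which byte 8 is a bit field; the function names and the sample bytes are made up for illustration.

```powershell
# Added example: decode the connection flags of an account's LAN settings.
# Assumption: byte 8 of DefaultConnectionSettings is a bit field
#   0x02 = manual proxy, 0x04 = auto-config script, 0x08 = auto-detect.
function ConvertFrom-ConnectionSettingsBlob {
    param([byte[]]$Blob)

    if ($null -eq $Blob -or $Blob.Length -lt 9) {
        throw 'DefaultConnectionSettings is missing or shorter than 9 bytes.'
    }
    $flags = [int]$Blob[8]
    [pscustomobject]@{
        Flags            = '0x{0:X2}' -f $flags
        ManualProxy      = [bool]($flags -band 0x02)
        AutoConfigScript = [bool]($flags -band 0x04)
        AutoDetect       = [bool]($flags -band 0x08)
    }
}

# Reads the value for one account; S-1-5-18 is the Local System SID.
function Get-AccountProxyFlags {
    param([string]$Sid = 'S-1-5-18')

    $key  = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
    $blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction Stop).DefaultConnectionSettings
    ConvertFrom-ConnectionSettingsBlob -Blob $blob
}

# Constructed sample blob: flags byte 0x09 = direct connection + auto-detect.
$sample = [byte[]](0x46,0x00,0x00,0x00, 0x05,0x00,0x00,0x00, 0x09,0x00,0x00,0x00)
ConvertFrom-ConnectionSettingsBlob -Blob $sample   # AutoDetect is True

# On the site server, from an elevated prompt, compare both accounts:
# Get-AccountProxyFlags                    # Local System
# Get-AccountProxyFlags -Sid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
```

If AutoDetect is True for S-1-5-18 while it is False for your own account, the two accounts are using different LAN settings, which is the situation this post ran into.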





Windows Server and System Center trials

November 19, 2012 at 9:11 am in Campaign by Valérie Siroux

Try Windows Server 2012 and System Center 2012


Download a free trial version of Windows Server 2012

Download a free trial of System Center 2012



(*) Limited offer
Please read the full terms & conditions of this promotion.

Attend a free Windows Server 2012 IT Camp near you.