Blog series about how to integrate Microsoft Intune and ConfigMgr with Single Sign-On

by

A few weeks ago I did a blog post about How to configure a relying party trust between on-premises AD FS and Microsoft Azure AD for single sign-on in Microsoft Intune. Based on that blog post I’ve got a lot of feedback of people mentioning that it was a great post, but that they would like to see the complete picture. That made me decide to create a step-by-step guide for a basic lab setup of Microsoft Intune and ConfigMgr with single sign-on. Starting today the complete series is online on windows-noob. I’ve sliced this guide in to the following four pieces: How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 1: Introduction and prerequisites; This first …

Read more

How to troubleshoot Windows Phone 8.1 enrollment via Microsoft Intune

by

In this blog post I want to put a spotlight on the troubleshooting of Windows Phone 8.1 enrollment in Microsoft Intune (with or without ConfigMgr integration). The problem with Windows Phone enrollment was that there was little to no log information about the enrollment process, but that has changed with Windows Phone 8.1. Before Windows Phone 8.1 there were only some log files (like the dmpdownloader) when the integration with ConfigMgr was used, but in most occasions they wouldn’t show helpful information. Starting with Windows Phone 8.1 this has changed and there is the ability to get some logging of the mobile device. It’s not an easy process, and probably not an option in every situation,  but it will help to verify the health of …

Read more

How to configure a relying party trust between on-premises AD FS and Microsoft Azure AD for single sign-on in Microsoft Intune

by

One of the things that is often requested by customers is to configure single sign-on for Microsoft Intune (with or without ConfigMgr integration). The main reasons for that request are simple, it’s to make the user experience better and to prevent the user from having different accounts and passwords. In this blog post I will show how relatively easy it is to federate on-premises Active Directory Federation Services (AD FS) with the Microsoft Azure Active Directory (Micorosoft Azure AD). The best thing about this is that after this configuration is done, all Microsoft Intune authentication requests will redirect to the on-premises AD FS. Also, in this post I will skip a few important steps (see prerequisites). I assume that those steps are more common knowledge. …

Read more

How to configure a Software Update Point to use SSL for communicating with WSUS

by

This blog post will be about configuring a Software Update Point (SUP) to use SSL for communicating with Windows Server Update Services (WSUS). I know there are many guides out on the web detailing the standard installation of WSUS and a SUP, but not many of them are explaining (or even touching) the HTTPS/SSL configuration. Also, I’ve been getting some questions about this subject lately, so I thought it would be time to dedicate a blog post to this. Very high-level, this post will go through the configuration of WSUS to require SSL communication and the configuration of a SUP to use SSL communication. So, actually the title doesn’t cover the complete blog post. Prerequisites Before we go through the configuration steps of WSUS and …

Read more

Weird but true: Permissions required to use Edit Primary Users / Devices in ConfigMgr 2012

by

The idea of this blog post is identical to my blog post about the permissions required to use Resultant Client Settings that I did a couple of weeks ago. I’m also thinking about making this something recurring, as I noticed that the role based administration model sometimes reacts a bit different then, at least, I would expect. For those following me on Twitter, this blog post will be an extended version of a tweet I posted last week. This blog post will explain a bit more about the situation, as that was a  bit hard in a tweet of 140 characters. Also, this blog is a lot easier to find for future references. Introduction In this blog post I’ll explain what permissions are required to …

Read more

Set the allowed Management Points via a Configuration Item in ConfigMgr 2012

by

This blog post will be about a new functionality that got introduced in Cumulative Update 3. This is the ability to configure a Management Point (MP) affinity on a client. Justin Chalfant wrote a nice post about this functionality. That post describes the functionality in detail and also shows how it can be configured. The only thing left open is an automated method to configure the MP affinity. This post will fill that small gap by providing a Configuration Item (CI) that contains the scripts to configure the MP affinity. Configuration Item Now let’s start with the details about the CI. Personally I really like this CI, as it’s created in such a way that it doesn’t need any script modifications any more. The discovery …

Read more

What is CMHttpsReadiness.exe?

by

This time I’ve got a short post about another executable that I’ve found very useful. It’s CMHttpsReadiness.exe, which belongs to the Configuration Manager HTTPS Readiness Assessment Tool. This tool can be used to check the ConfigMgr clients if they are ready for a switch to HTTPS communication. Basically, it simply checks the certificate requirements on a ConfigMgr client device. To be honest this tool even already existed in ConfigMgr 2007, but in those times the executable was named SCCMNativeModeReadiness.exe. As this tool hasn’t been mentioned a lot, I thought it would be worth a short blog post. Usage This tool is installed during the ConfigMgr client installation and can also be found in the ConfigMgr client installation directory. It can simply be started via the …

Read more

Local Group Policies for WSUS and the Software Update Agent of ConfigMgr 2012

by

This blog post will describe a scenario that I ran into this week. Also, to be honest, I wasn’t aware of this exact behavior and, until this moment, I haven’t been able to find any documentation that describes this behavior. Scenario The scenario is that the customer wants to have the ConfigMgr client deployed on their server environment. This server environment is currently patched by using different methods and one of them is WSUS. So far, nothing weird, but the servers patched by WSUS are configured via local group policies. Behavior I think that by now everybody knows that the ConfigMgr client uses the local group policy Specify intranet Microsoft update service location to point to the WSUS server of the ConfigMgr environment, if, of …

Read more

Different methods to set the User Device Affinity for usage during and after a task sequence in ConfigMgr 2012

by

Last week I’ve got a question about setting the User Device Affinity (UDA) during the task sequence. Well, actually the question was more about the easiest way to do this. I didn’t have a direct answer, as it’s of course also a relative question. The easiest way can be different depending on the current configuration. In this post I will go through three methods that can be used to set the UDA, so it can be used during and after the task sequence. For usage during the task sequence, think about something like installing user-targeted applications during the task sequence and for usage after the task sequence, think about the pre-deploy software to the user’s primary device option. Before using the first, or the second …

Read more

Weird but true: Permissions required to use Resultant Client Settings in ConfigMgr 2012

by

For those following me on Twitter, this blog post will be an extended version of a tweet I posted last week. This blog post will explain a bit more about the situation, as that was a  bit hard in a tweet of 140 characters. Also, this blog is a lot easier to find for future references. Introduction In this blog post I’ll explain what permissions are required to use the Resultant Client Settings feature that’s new since ConfigMgr 2012 R2. This feature can be used to view the calculated resultant client settings. This can be really useful when multiple client settings have been deployed to the same device, user, or user group, as the prioritization and combination of settings can be complex. Keep in mind …

Read more