Wednesday, December 3, 2014

Windows 8.1 No Longer Requires a Symantec Certificate for Intune Enrollment

With the newly released Microsoft Intune, we no longer require a Symantec certificate to enroll Windows 8.1 devices. However, in the following scenarios you still require a Symantec certificate:

  • If you want to sign and deploy your own line of business (LOB) apps to Windows Phone 8.1 devices
  • If you need to enroll Windows Phone 8 devices, even if you don’t want to deploy LOB apps to these devices
  • If your Intune subscription is connected to System Center 2012 R2 Configuration Manager. Support for the “certificate-less” enrollment feature is planned for a future release of System Center Configuration Manager.
  • If your users cannot access the Microsoft Store, either because their access has been blocked by their IT admin or because they don’t have Microsoft accounts.
    Wednesday, November 19, 2014

    New Release of Microsoft Intune – Nov 2014

    New Intune standalone features that will be released as part of this service update include:

    • Enhanced user interface for Intune administration console
    • Ability to restrict access to Exchange on-premises email based upon device enrollment
    • Bulk enrollment of devices using a single service account
    • Lockdown of Supervised iOS devices and devices using Samsung KNOX with Kiosk mode
    • Targeting of policies and apps by device groups
    • Ability to report on and allow or block a specific set of applications
    • Enforcement of application install or uninstall
    • Deployment of certificates, email, VPN and WiFi profiles
    • Ability to push free store apps to iOS devices
    • More convenient access to internal corporate resources using per-app VPN configurations for iOS devices
    • Remote PIN reset for Windows Phone 8.1 devices
    • Multi-factor authentication at enrollment for Windows 8.1 and Windows Phone 8.1 devices
    • Ability to restrict administrator access to a specific set of user and device groups
    • Updated Company Portal apps to support customizable terms and conditions

    Please visit http://blogs.technet.com/b/microsoftintune/archive/2014/11/17/new-microsoft-intune-capabilities-coming-this-week.aspx for more information.

    Saturday, September 13, 2014

    Empty Inventoried Software under Asset Intelligence

    If you are getting nothing from Inventoried Software under Asset Intelligence, please check the Hardware Inventory Classes.


    Please make sure the below are checked:

    • Installed Executable – Asset Intelligence (SMS_InstalledExecutable)
    • Installed Software – Asset Intelligence (SMS_InstalledSoftware)


    After the SCCM client receives the machine policy and the hardware inventory has run, you should see entries in the Inventoried Software list under Asset Intelligence. To check whether the classes are being inventoried, search for SMS_InstalledSoftware in InventoryAgent.log on the client machine.

    Friday, September 5, 2014

    SCCM 2012 Distribution Point Prerequisites – Windows Server 2003

    Below are the prerequisites for setting up an SCCM 2012 DP.
    image

    I would like to highlight the Remote Differential Compression prerequisite on Windows Server 2003. Unlike the other prerequisites, Remote Differential Compression cannot be configured through Add/Remove Windows Components. If you miss this prerequisite, you will not be able to perform any content distribution; the operation will fail! Even if you have checked the option to install IIS automatically during the DP installation, it simply won’t install, because that is only available on Windows Server 2008 and above.

    You can manually install the Remote Differential Compression prerequisite. It is located in the client folder, \\SCCM12\SMS_PS1\Client\i386. Look for the installer named “msrdcoob.exe”. Run the installer manually on the Windows Server 2003 machine and you should then be able to distribute content to the DP.

    Thursday, July 3, 2014

    Failed to launch SCCM 2007 reports from remote console, "You do not have permission to view this directory or page."

    I was performing maintenance for an SCCM 2007 customer this morning. The customer complained that he couldn’t launch reports from his remote console, but had no problem launching them from the ConfigMgr console on the SCCM server.

    I went to verify the DCOM configuration, and the setting was correct. Check out the DCOM configuration guide here.

    Next, I checked the SMSReporting_XXX authentication configuration. I made sure only Windows Authentication was enabled. Somehow the “Enable Kernel-mode authentication” setting was checked under the Advanced Settings of Windows Authentication, which is not correct. I unchecked the setting, and it should look like the screen capture below.

    image 

    Lastly, I reconfigured the Providers settings of Windows Authentication, which look like the screen capture below. Only NTLM and Negotiate: Kerberos are enabled.

    image

    The user can now successfully launch the report from his remote console. Cheers!!

    Friday, June 13, 2014

    SCCM 2012 Limited Support on IPv6

    SCCM 2012 does not fully support IPv6 yet. Below are some of the features that are not IPv6 ready. I was working on OSD and randomly getting the error “Failed to download policy” with generic error code 0x80004005. I opened a case with Microsoft, and the engineer found out that SCCM 2012 is not fully ready for IPv6 yet. We disabled the IPv6 configuration on the server and the error seems to have gone away.

    image

    TechNet references:

    1. http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigIpv6
    2. http://technet.microsoft.com/en-us/network/hh994905.aspx

    Tuesday, June 10, 2014

    Moving, Changing, Migrating, Restoring of your SCCM 2012 SQL Database?

    Are you performing any of the actions above on your SCCM 2012 SQL database? Afterwards, please make sure that the new SQL Server configuration is correct, especially the Allow Snapshot Isolation, Is Read Committed Snapshot On, Trustworthy, Broker Enabled, and Honor Broker Priority settings. All of these settings need to be set to TRUE. If they are not configured correctly, you might end up getting the error “Microsoft SQL Server Reported SQL Message 50000, Severity 16: *** Unknown SQL Error!” from the SMS_POLICY_PROVIDER component, or this error. Please also ensure that the owner of the database is SA!!!

    image 

    To alter the settings above:

    -- CM_XXX is a placeholder; replace it with your site database name.

    -- Allow snapshot isolation on the site database
    ALTER DATABASE CM_XXX
    SET ALLOW_SNAPSHOT_ISOLATION ON;
    GO

    -- Turn on read committed snapshot on the site database
    ALTER DATABASE CM_XXX
    SET READ_COMMITTED_SNAPSHOT ON;
    GO

    -- Enable the SQL Broker on the site database
    USE master;
    GO
    ALTER DATABASE CM_XXX SET ENABLE_BROKER;
    GO

    -- Set the site database as trustworthy
    USE master;
    GO
    ALTER DATABASE CM_XXX SET TRUSTWORTHY ON;
    GO

    -- Set the database to honor broker priority
    USE master;
    GO
    ALTER DATABASE CM_XXX SET HONOR_BROKER_PRIORITY ON;
    GO

    To change the owner to “sa”, run this in the context of the site database:

    USE CM_XXX;
    EXEC sp_changedbowner 'sa';
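
    To confirm the result after a move or restore, the query below reads the same five settings and the database owner from sys.databases and marks each one OK or FIX. It is an added example, not part of the original post; CM_XXX is the post's placeholder for the site database name.

```sql
-- Added example: verify the site database settings described in this post.
-- CM_XXX is the post's placeholder; replace it with your site database name.
DECLARE @db sysname = N'CM_XXX';

SELECT v.setting,
       v.current_value,
       v.expected_value,
       CASE WHEN v.current_value = v.expected_value
            THEN 'OK' ELSE 'FIX' END AS status
FROM sys.databases AS d
CROSS APPLY (VALUES
    -- snapshot_isolation_state: 1 = ON; 0, 2 and 3 are OFF or in transition
    ('Allow Snapshot Isolation',
        CASE WHEN d.snapshot_isolation_state = 1 THEN 'ON' ELSE 'OFF' END,
        'ON'),
    ('Is Read Committed Snapshot On',
        CASE WHEN d.is_read_committed_snapshot_on = 1 THEN 'ON' ELSE 'OFF' END,
        'ON'),
    ('Trustworthy',
        CASE WHEN d.is_trustworthy_on = 1 THEN 'ON' ELSE 'OFF' END,
        'ON'),
    ('Broker Enabled',
        CASE WHEN d.is_broker_enabled = 1 THEN 'ON' ELSE 'OFF' END,
        'ON'),
    ('Honor Broker Priority',
        CASE WHEN d.is_honor_broker_priority_on = 1 THEN 'ON' ELSE 'OFF' END,
        'ON'),
    -- owner_sid resolves to the login name that owns the database
    ('Database owner',
        SUSER_SNAME(d.owner_sid),
        'sa')
) AS v (setting, current_value, expected_value)
WHERE d.name = @db;
```

    An empty result means the database name in @db does not exist on this instance. Because TRUSTWORTHY ON together with an sa-owned database extends sysadmin-level trust to code running in that database, keep db_owner membership on the site database to the accounts that need it.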

    Thanks for reading…

    References:

    1. http://blogs.technet.com/b/configurationmgr/archive/2013/04/02/how-to-move-the-configmgr-2012-site-database-to-a-new-sql-server.aspx
    2. http://support.microsoft.com/kb/2709082/en-us