Sunday 27 January 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring Windows RT Management

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

System Center 2012 SP1 Configuration Manager when linked with an Intune subscription has the ability to manage Windows RT devices such as the Microsoft Surface or Asus Vivo Tab RT.

First up Windows RT Management/Enrolment requires enabling within ConfigMgr.

  1. Navigate in the ConfigMgr console to Administration>Hierarchy Configuration>Windows Intune Subscriptions
  2. Click on the Windows Intune Subscription that you setup previously
  3. Click on Properties on the ribbon bar
  4. On the Windows Intune Subscription Properties screen that opens Click the Windows RT tab
  5. Tick the check box next to Enable Windows RT platform
  6. Leave the Code signing certificate bit for now and Click OK

N.B. These next steps assume you've followed the previous guides and have setup the required accounts in Intune using DirSync and have the Intune Subscription in ConfigMgr pointed at a collection containing the users that are allowed to enrol devices.

Next we need to enrol the Windows RT device and download the "Company Portal".

  • On your Windows RT device (Surface RT in my case) navigate back to the Start Screen
  • On the Start Screen start typing Company App  and then click on Settings

  • Click/Tap on Company Applications and accept the UAC elevation box that pops up
  • Enter your e-mail address and password for the account you synchronised to Intune
    (N.B. If you haven't setup ADFS then remember this will be a unique password for the Intune service.  You may need to go into the Intune account management portal and reset the password if you haven't already)
  • Click OK
  • If you haven't setup a DNS CNAME on your domain for enterpriseenrollment with the alias pointing to you will be presented with a screen asking you to Try Again or Enter more information.

  •  You could either:
  • I had to do the second option in my lab as my hosting provider for my domain moaned that the DNS alias was too long...
  • Click OK and wait while the device is registered with Intune/ConfigMgr
  • Once that's complete you'll be shown a screen informing you that before you can access company applications and resources that you will need to install a management application, a.k.a the Company Portal
  • Click the link shown on the screen to open Internet Explorer to show the Company Portal App Store information
  • Click the View in Windows Store button and when the Windows Store opens, Click Install
  •  Once the app downloads and installs it should appear on the very right hand side of the Start Screen, move the Company Portal to which ever position best suits you
  • Click/Tap the Company Portal app to open it
  • You'll then be asked to Sign in again.  Use the credentials you used to enrol the Windows RT device

  • Once signed into the application you should then see your company name that you specified in the properties of the Intune Subscription in the ConfigMgr console, any devices you have enrolled and any applications that have recently been made available to you.
  • Click/Tap on New Apps to see which applications have been recently made available to you, or All Apps to just show everything.
  • Click/Tap on the app you would like to install
  • In my example, the application is a link to an application within the Windows store rather than a LoB app that I have the .appx file for so I have a link to View in the Windows Store

  • Click/Tap on the View in Windows Store link and then click/tap Buy or Try 

 Following this guide will allow you to register a device with Intune/ConfigMgr, ready for deploying applications to it and setting policies, which will be explained in more detail in another blog post.

Another two settings can also be setup for the management of Windows RT Devices, if you require the ability to push out Line of Business apps that don't exist in the Windows Store.

To do this you must supply an Enterprise Sideloading key, which can be obtained from your Microsoft Volume Licensing Service Center portal or if you require another key, from your Licensing LAR.
  • Once you have your key, navigate in the ConfigMgr console to Software Library>Windows RT Sideloading Keys
  • Click on Create Sideloading Key
  • Fill out the information in the Specify Sideloading Key window

If your applications are only signed with an Internal PKI certificate and not one that is publically trusted then you will also need to add your certificate to Intune/ConfigMgr to enable trusting of your certificate that you sign apps with.
  • Navigate in the ConfigMgr console to Administration>Windows Intune Subscriptions
  • Click on the Windows Intune Subscription that you setup previously
  • Click on Properties on the ribbon bar
  • On the Windows Intune Subscription Properties screen that opens Click the Windows RT tab
  • Click Browse and navigate to your certificate, select it and Click OK
  • Click OK

Saturday 12 January 2013

SCVMM - Delete IP Pool

Quick PowerShell snippet for handy reference when I'm playing in the lab and need to delete an IP Pool:

##Display all IP's and the VM's they are assigned to:
$ippool = Get-SCStaticIPAddressPool "Internal Network"
Get-SCIPAddress -StaticIPAddressPool $ippool | ft -property Address,Description,State

##Return all the IP's for that pool ready to remove the pool
$ip = Get-SCIPAddress -StaticIPAddressPool $ippool
$ip | Revoke-SCIPAddress

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring and Installing Active Directory Synchronisation (DirSync)

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

This post will explain how to setup the DirSync tool that will synchronise your internal AD accounts across to the Windows Azure AD platform for usage by Intune and other online services such as Office 365.  It's important to note that if you already have this setup for an O365 subscription you don't need to do this again just for Intune and vice versa for a new O365 if you already have Intune.

Just as a bit of background, you may want to read this link to see just what is Windows Azure AD Tenant?

This link will give you some idea around what preparing for AD Sync

This link will allow you to download the DirSync Prep Tool which will perform a series of checks across your domain to find any potential problems.

  • Running the Prep Tool will start the analysis for Office 365, but 99% of the rules apply to Intune in terms of Directory Synchronisation.
  • When it's complete, review the report and correct anything that might cause a problem.

  • Once your happy that you're ready to go, Login to the Intune account portal at and Click on the Users link on the left under the Management grouping.
  • Look for the Active Directory synchronisation wording above the users and Click Setup
  • A 6 step guide page will open, Click the Activate button at step 3
  • On step 4, Choose the relevant OS platform, in this example I've chosen 64 bit as I'm installing it on Windows Server 2012
  • Click Download to get the DirSync tool 
  • Back on the main users page, the Setup link next to the Active Directory synchronisation text should now say Deactivate. If not it may still be setting up in the background.
  • To allow your users to logon to the Company Portal later on, they will need an account that matches the Universal Principal Name (UPN) of the accounts that ConfigMgr knows about.

    This requires you to add a domain to the Intune portal and then verify it to ensure that you do indeed own the domain name.
  • Click on the Domains link under the Management heading on the left hand side of the account management portal
  • Click Add a domain
  • Enter the name of your domain and Click Next
  • You'll then be presented with some methods of verifying your domain, usually by adding a TXT entry to the DNS records or by changing your MX record. 
  • Walk through the instructions to complete this and when ready click verify next to your domain name back on the Domain page

  • All things being good, you should then see your domain as verified.
  • However, sometimes things never go smoothly.  Certain domain registrars such as 1&1 don't accept the MX record method as it's not a registered TLD.  They also don't allow you to add TXT records to your DNS.

    Thankfully Todd Douglas across on the O365 forums posted an alternative method.
  • Using this method you basically you create a subdomain within the 1&1 control panel using the ID ringed as shown in the screenshot as the subdomain name.  You then add to this subdomain a CNAME that points to and when done, you can verify your domain fine.
  •  Once your domain is verified, it's time to install the DirSync tool.
  • This tool has some specific requirements for the account running it.
    • The account installing it must be a local admin on the server (obviously)
    • The account installing it must be in the Enterprise Admins group.

      The Enterprise Admins group membership is temporary only and is just used during setup to create a service account in AD to be used by the sync tool going forwards to read AD.
  • Another thing to watch out for is even if the account you are logged onto the server with has local admin rights, you may get told by the installer that it doesn't 
  • This is because you must right click the installer and choose Run as administrator.
  • Step through the installer, there's nothing really in the way of configuration options to worry about.

  • When the installer completes, either leave the option to Start Configuration Wizard now ticked or untick it and then find the Configuration Wizard on your Start Screen/Menu
  • Review the Welcome screen and then Click Next. 
  • Supply the credentials for an account in Intune that has permissions to create accounts.
    N.B. I would advise manually creating a dedicated account for this in the Intune accounts management portal.  Don't be tempted to use your account or the one created when you first setup the service.
  • If at this point you get a Configuration error message, check in the account management portal that AD Synchronisation has finished setting up and then retry. 

  • Supply the credentials for the account in your AD that has admin rights.  The documentation says it needs Enterprise admins rights, but you might get away with just domain admin rights.

  •  This step allows you to start setting up an Exchange hybrid deployment.  I'm only interested in getting Intune working at the moment, so I'll skip this bit.
  • Configuration doesn't take long, Click Next when it completes. 
  • Leave the option to Synchronise directories now ticked (unless you're aware of the advanced PowerShell options to scope the synchronisations down) and Click Next 

  • A message box will pop up with a link to some online information regarding verifying the sync is working. Click OK. 
  • To quickly check if the Sync Tool is working, browse in explorer to: C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
  • Find the miisclient.exe file and right click and Run as Administrator 
  • This will open a console (look familiar?) and you can easily check the status of the sync. 

  • After a little while, depending on the size of your AD, spec of the sync server and speed of your Internet connection, you should see some accounts start to appear. 

  • That should complete the setup of users within Intune.  Users that are allowed to enrol mobile devices is controlled within ConfigMgr by the properties of the Intune Subscription and selecting a collection.

Troubleshooting a lab environment scenario

One of the first problems I ran into when setting this up in a lab environment that I hadn't hit elsewhere, was the fact that my internal domain name didn't relate to anything externally verifiable.

So while I do own an external domain name, my lab is using trustlab.local as it's domain name which bears no relevance to my external name. This also mean my user accounts Universal Principal Names (UPNs) didn't match the accounts created in Windows Azure AD.

This meant that after setting up my Subscription and the DirSync, none of my test users could access the company portal on a mobile device (, just getting a message than an error had occurred.

Checking the cloudusersync.log file in the ConfigMgr logs directory showed this:

That's because my UPN's for those accounts don't match with the accounts within Intune.

Consider the account for Mark.Harrison
  • Without a verified domain in Intune, the DirSync tool will create this as
  • With a verified domain in intune, but no matching UPN, the dirsync tool will do the same as above.
They only way around this is to have added an additional UPN to the forest/domain and then change those accounts to use the new UPN BEFORE you setup the DirSync tool.

This would then create the account as

If you've already setup the sync tool, then you won't be able to delete the account from Intune and you will either need to deactivate the AD Sync and then manually remove the accounts from Intune and then re-activate the sync or delete the account in AD, let it sync and remove it, then re-add the account with the matching UPN.

In short, your domain UPN MUST match a verified domain that has been added to Intune.

Thanks must also go to Craig Morris at Microsoft for confirming my thought process on the UPN mismatch issue on this one.  Keep an eye out for some blog posts from him also coming soon on this subject.