Archive for April, 2012

Mobile Device Management in SCCM 2012 – Hands on (Part 2)

April 29, 2012

So, after connecting the SCCM 2012 server to Exchange and getting some info about devices through EAS, now it’s time to really get busy with Mobile Device Management.

In this posting I will show you how I set up Mobile Device Enrollment, and actually got my old Windows Mobile 6.5 phone enrolled. W00t!

The starting point for this is this 10-step program to get your mobile devices managed in SCCM 2012.

The basic steps are:

  • Set up a working Microsoft PKI infrastructure
  • Install and configure certificates to SCCM servers
  • Install Enrollment Point Roles
  • Publish the Enrollment point so devices can contact it
  • Allow users to enroll their device

The first step is a tricky one already. Setting up a single issuing Root CA in a test environment is no big deal. But setting up a PROPER PKI Infrastructure is a whole different ballgame.

Since this is way out of scope for this post, I'll just assume you've got a working PKI infrastructure already. (hehe)

So, onto configuring the required certificates then.

I created a couple of new certificate templates:

An important note when creating and enabling these certificate templates: use the "Windows Server 2003, Enterprise Edition" template version. That is the only version ConfigMgr supports.

Oh, and don't forget to configure a GPO for auto-enrollment of workstation certificates.
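As an added check that is not part of the original post: the template version ConfigMgr cares about is stored in Active Directory as the msPKI-Template-Schema-Version attribute (2 is the "Windows Server 2003, Enterprise Edition" version). The script below lists every published template with that version, flags the ones that are not version 2, and then looks at whether the auto-enrollment policy has reached the local machine. It assumes a domain-joined machine whose user can read the Configuration partition; the registry value it reads is the one the Group Policy editor writes for the auto-enrollment setting.

```powershell
# Added example, not code from the original post.
# Lists AD certificate templates with their schema version and flags those
# that are not the "Windows Server 2003, Enterprise Edition" (V2) version,
# which the post notes is the only version ConfigMgr 2012 supports.
# Assumption: run on a domain-joined machine as a user that can read the
# Configuration naming context.

$rootDse       = [ADSI]"LDAP://RootDSE"
$configNc      = $rootDse.configurationNamingContext
$templatesPath = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

# msPKI-Template-Schema-Version: 1 = Windows 2000, 2 = Server 2003 Enterprise,
# 3 = Server 2008 Enterprise, 4 = Server 2012. Only 2 passes the check here.
$supportedVersion = 2

$container = [ADSI]$templatesPath
$report = foreach ($template in $container.Children) {
    $name    = [string]$template.Properties["cn"].Value
    $version = [int]$template.Properties["msPKI-Template-Schema-Version"].Value
    [pscustomobject]@{
        Template       = $name
        SchemaVersion  = $version
        OkForConfigMgr = ($version -eq $supportedVersion)
    }
}

# Templates that would fail the ConfigMgr requirement are listed first.
$report | Sort-Object OkForConfigMgr, Template | Format-Table -AutoSize

# Has the auto-enrollment GPO from the post reached this machine yet?
# AEPolicy 7 = enroll certificates automatically, renew expired, update
# templates (the value the Group Policy editor writes; an assumption here).
$autoEnrollKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
if (Test-Path $autoEnrollKey) {
    $aePolicy = (Get-ItemProperty -Path $autoEnrollKey).AEPolicy
    "AutoEnrollment AEPolicy = $aePolicy" + $(if ($aePolicy -eq 7) { " (fully enabled)" } else { " (check the GPO)" })
} else {
    "No auto-enrollment policy applied to this machine yet; run gpupdate /force and check again."
}
```

Run it once on a workstation after the GPO has been linked; a template showing version 3 or 4 was created with a newer compatibility setting and needs to be recreated as a version 2 template before ConfigMgr will accept it.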

Well, after you get all the certificates created, enabled and installed, it’s time to configure them in ConfigMgr.

Yes, that’s step 5 of the 10 step program already 🙂

This involves first configuring the MP and DP to manage Mobile Devices, which basically means enabling https, allowing internet-based client access, and selecting certificates. And don’t forget to first configure the Site System on which these roles run, with an external FQDN.

Then the Distribution Point:

and finally the MP:

Then, onto step 6, installing the Enrollment Point Role, and the Enrollment Proxy Point Roles.

When adding these roles it is important to keep in mind that you must use the external FQDN that you will use for Device Enrollment.

After this, you can already access the website containing the Device Enrollment Agents:

This very basic page (what, not even a nice System Center logo??) contains two links, to the client agent installers for Windows Mobile (.cab format) and for Nokia Symbian Belle (.sisx format).

Now we fly to step 9, to configure the device settings for mobile devices.

Here you can set things like which user group you want to allow to enroll their devices.

This is done in the Mobile Device Enrollment Policy:

Now, that’s it. Now to get the old Windows Mobile device charged up, and see what we can do with it.

In the next posting that is.


Mobile Device Management in SCCM 2012 – Hands on (part 1)

April 28, 2012

In SCCM 2012 there is a completely revised version of the Mobile Device Management part.

Sure, this was already there in SCCM 2007, but hey, would YOU want to "manage" ancient Windows CE or Windows Mobile 5.0 devices? I didn't think so either. Also, in the SCCM 2007 era, Bring Your Own Device (BYOD) wasn't as hot as it is today, with everyone wanting to bring in and use their own tablets, smartphones and laptops.

Now with SCCM 2012, there is proper support for BYOD. Yeah! For a nice overview of this, see this video of Principal Program Manager Jeffrey Sutherland, talking about Mobile Device Management in SCCM 2012.


Light and Depth Management

We can define two types of device management in SCCM 2012:

-> Light Management <-

Working through Exchange ActiveSync, we leverage the existing Exchange device policies to do light management of the device (remote wipe, lockdown, etc.).

Why do we want this? It’s already in Exchange right?

Well, the Exchange admins might not be as concerned with specific end users' devices as they are with handling the mail flow, so this task may better fit with the desktop/end-user/device management team in your organization. They are the ones working with SCCM 2012, and they are the ones most interested in gathering information about, and managing, the devices. Also, SCCM provides some very nice reporting on these devices.

-> In-Depth Management <-

The other type is the in-depth management of mobile devices.

This does not work through EAS, but through two new SCCM Roles that have been introduced in SCCM 2012; the Enrollment Point and the Enrollment Proxy point.

In-depth management can be done in two ways:

– Enroll the mobile devices into SCCM by installing the Mobile Device Client on them. Only on supported mobile OSes (currently Windows Mobile 6.1, 6.5 and Nokia Symbian Belle). Offers the most features.

– Enroll the mobile devices into SCCM by installing the Legacy Mobile Device Client on them. Only on supported mobile OSes, which currently are the ancient Windows CE 5, 6 and 7, and Windows Mobile 6.0. Fewer features, but still way more options than with EAS.

For a good comparison of all features in all three scenarios (EAS, Mobile Device Client on the device, and Legacy Mobile Device Client), see this page on TechNet.

Note that both in-depth solutions require a PKI infrastructure, because of the certificates that are used on the devices!

So, more on the in-depth part later; let's first get EAS connected. (Yes, you can also choose hybrid solutions, i.e. managing both with EAS and through enrollment.)


Configuration of Mobile Device Management through Exchange

So, how do we set this up?

First the prereqs: an Exchange 2010 SP1 server (or Exchange Online (Office 365)), a working SCCM 2012 server (duh), and a network connection between them.

Then we have to establish a connection between the SCCM server and the Exchange (CAS) server.

We click Add Exchange Server and get the wizard:

Specify the name of the Exchange CAS server…

Hey, look at this screen. A precise listing of the Exchange permissions that the connector account requires. I'd say this calls for a new RBAC role in Exchange!

So, let's first create a service account for this connection and assign the proper Exchange permissions to it.

Now I am going to assign read-only rights to this service account, because I just want to get data from EAS about the devices, and not do any remote wiping. Which is, by the way, also how Microsoft IT did this (read here).
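One way to build that read-only RBAC role, as an added example that is not from the original post or from Microsoft: the script derives, from each built-in Exchange role that publishes one of the needed cmdlets, a custom role that keeps only the Get-* entries, and assigns those roles to the connector's service account. The cmdlet list below is an assumption; the authoritative list is the one the Add Exchange Server wizard shows, so replace it with the Get-* entries from that screen. The account name and role prefix are examples, and the script is meant to run in the Exchange Management Shell on the Exchange 2010 SP1 server as a member of Organization Management.

```powershell
# Added example, not code from the original post.
# Creates read-only RBAC roles for the ConfigMgr Exchange connector account
# (Get-* cmdlets only, so the connector can read EAS device data but never
# wipe or block a device) and assigns them to the service account.
# Assumptions: account name, role prefix and $requiredCmdlets are examples;
# take the real cmdlet list from the connector wizard's permissions screen.

$serviceAccount = "CONTOSO\sa_sccm_eas"      # example account, change to yours
$rolePrefix     = "CM EAS ReadOnly"          # kept short: role names max 64 chars

# Read-only cmdlets the connector uses for device discovery (assumption).
$requiredCmdlets = @(
    "Get-ActiveSyncDevice",
    "Get-ActiveSyncDeviceStatistics",
    "Get-ActiveSyncMailboxPolicy",
    "Get-ActiveSyncOrganizationSettings",
    "Get-CASMailbox",
    "Get-Recipient"
)

# A custom role has exactly one parent, so group the cmdlets by the built-in
# role that publishes each of them and derive one restricted role per parent.
$byParent = @{}
foreach ($cmdlet in $requiredCmdlets) {
    $entry = Get-ManagementRoleEntry "*\$cmdlet" | Select-Object -First 1
    if (-not $entry) { throw "No management role publishes $cmdlet" }
    $parent = [string]$entry.Role
    if (-not $byParent.ContainsKey($parent)) { $byParent[$parent] = @() }
    $byParent[$parent] += $cmdlet
}

$createdRoles = foreach ($parent in $byParent.Keys) {
    $derived = "$rolePrefix - $parent"
    New-ManagementRole -Name $derived -Parent $parent | Out-Null
    # Strip every inherited entry except the read-only cmdlets we want.
    Get-ManagementRoleEntry "$derived\*" |
        Where-Object { $byParent[$parent] -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
    $derived
}

foreach ($role in $createdRoles) {
    New-ManagementRoleAssignment -Name "$role - $serviceAccount" -Role $role -User $serviceAccount | Out-Null
}

# The connector talks to /powershell on the CAS, so the account must be
# allowed to use remote PowerShell (assumption: not set by the role itself).
Set-User -Identity $serviceAccount -RemotePowerShellEnabled $true

# Verify: everything the account can run should now start with Get-.
Get-ManagementRoleAssignment -RoleAssignee $serviceAccount |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Select-Object Role, Name |
    Sort-Object Role, Name
```

The verification step at the end is the part worth keeping around: if a Clear-ActiveSyncDevice or Remove-ActiveSyncDevice entry ever shows up in that list, someone has widened the connector account beyond the read-only scope you intended.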


Then continue through the wizard:

I just set this to Weekly Full discovery, and Delta discovery twice a day.

So, after this wizard, the connection has been established with the CAS server.


As you can see, the path /powershell has been added to the target path of the Exchange server, which makes sense, because all it really does is fire up PowerShell cmdlets against the CAS to get information from it.

So, do we see any devices now?

First, let's kick off a discovery cycle:

And behold:


Well that device has my name written all over it (tee-hee)

So, what can we do with it then?

Well, not an awful lot:

Wipe, Block, and.. hmm. well.

Let's have a look at those reports then:

Wow. That’s a lot of Reports Built-in. Very cool!


That's it for this part, then.

Time to get really busy, and fire up an old Windows Mobile 6.5 phone, and start doing some real managing.

In the Next post that is.


SCVMM 2012 error – You cannot access Virtual Machine Manager server localhost. Ensure that your account is a member of a valid user role, and then try the operation again. ID: 1604

April 27, 2012

When opening the SCVMM Console and trying to log on to it, I got the following error:

You cannot access Virtual Machine Manager server localhost.

Ensure that your account is a member of a valid user role, and then try the operation again.

ID: 1604

Weird. Last time I ran it, it worked fine.

Into the Eventlogs of the SCVMM server then. There i found this entry:

“Unable to connect to the VMM database because of a general database failure.
Ensure that the SQL Server is running and configured correctly, then try the operation again.”

Event ID 2605, Virtual Machine Manager

So, no connection to the SQL Server that holds the database? Onto the SQL Server then. There, in the Eventlog was this error:

Login failed for user ‘CONTOSO\sa_scvmm’. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <ip-address of scvvm server>]


Hey, that’s weird. After some googling, this error turns up related to UAC (User Account Control) issues on servers.

So I right-clicked the SCVMM Console and ran it with "Run as Administrator".

And behold, it worked!

Wait, wut? Does that mean I have to start the SCVMM Console as Administrator every time from now on?

So I closed the console, and re-opened it, now without "Run as Administrator".

Still worked fine. Hmmkay…. Some weird one-time error?

Server App-V 2012; error installing Server Application Virtualization PowerShell Cmdlets

April 23, 2012

When installing the Server Application Virtualization PowerShell Cmdlets, I got the following error:

Not very descriptive.
It tells me to look in the installer logfile.
So, where is that logfile then?
After looking around a bit, I opened the %temp% folder, which on this machine was located in C:\Users\\AppData\Local\Temp, and in there was a folder called “1” with in there… yes logfiles.
In the logfile the following error was shown:


Right, now what?
Ah, but wait, there are more logfiles in there:

Great, a clear message.
No problem, I'll just install .NET FW 3.5 then.

But why wasn't this mentioned somewhere before? Like, on the "How to install Server App-V Virtualization PowerShell Cmdlets" page?

Server App-V 2012 – A First look (really)

April 23, 2012

So, after trying to install the Server App-V sequencing client on Windows Server 2012 Beta (and failing), I switched back to good ol’ Windows Server 2008 R2 SP1 as the testclient.

At least now I'm following the Software Requirements for installing Server App-V.

I mounted the DVD/ISO of SCVMM 2012, browsed to the folder SAV\AMD64, and ran SeqSetup.exe, and behold:

And off we go!

Just another EULA to quickly skip through? Well, just note that this product is a part of SCVMM 2012, so no separate licensing for App-V here.


I’m installing this on a clean Windows Server 2008 R2 SP1 VM, and it appears it needs these two Visual C++ packages. Good thing they’re packed into the App-V installer 🙂

And we’re done. Now that was easy. Let’s see what we’ve got now:

The App-V Sequencer Client installed in Program Files (x86)… hey, didn't I choose the x64 installer of the client? Oh well…

Another thing, notice the Q:\ drive? If you're already familiar with the current (client) App-V you'll not be surprised to see this Q: mapping.

Well actually it’s a redirection to the local C:\ drive, as you can see in this picture:

So, client installed, no reboot asked… let’s start packaging then!

Well, in the next posting that is.




Server App-V 2012 – a (very short) testdrive on Server 2012 Beta.

April 23, 2012

With the System Center 2012 "cloud-based" approach, focusing on easily deploying multiple VMs (both servers and workstations), a new feature has been added that makes it even easier to get an application server quickly up and running:
Server Application Virtualization, or Server App-V, or SAV.
The latter not to be confused with Symantec Anti Virus 🙂
So in my testlab based on Server 2012 Beta, Hyper-V, and System Center 2012 SP1 CTP, I was ready to go and build me some packages.
First, we have to install the App-V Sequencing Agent on a clean server, to start packaging.
Of course, I did this on a freshly deployed Windows Server 2012 Beta VM.
Only to get this message:

Okay, I know that the prereqs page states that only Windows Server 2003, 2008, 2008 R2 are supported, but I was hoping that this was outdated, with the CTP of SP1 for SC2012.
So, no dice.
Ah well, let's fire up a good ol' Server 2008 R2 VM then. :p

File copying in Windows Server 8 beta rocks

April 18, 2012

Just wanted to share some experiences on File Copying in Windows Server 8 Beta.
I was copying two large ISO files to a local VM, but my harddisk didn’t really like this.

So I paused one copy action, so the other one went faster. Check this out:

After the first copy-action was done, I resumed the second one:

This looks pretty nice, doesn’t it?

What is NOT supported in the SCVMM 2012 SP1 CTP version?

April 16, 2012

After reading this 65-page documentation for the CTP of SP1 for SC2012, I was a little disappointed.

A lot of things are not supported in this release, amongst them:

– Installing the VMM Self-Service Portal.

Yep. I tried it, but got a LOT of funky errors, mainly to do with IIS not liking some multiple configuration settings in the web.config.

– VMM user roles: anything except the Administrator role is not supported.

– Perimeter network based hosts. All computers must be in the same AD.

Hmm, but this seemed to work quite well. Just remember that when you install the VMM agent software on the Hyper-V host, you should choose to have the SCVMM server contact the Hyper-V host BY NAME, and not by IP address. Otherwise you'll get nasty certificate-based errors when you want to connect to a VM on it.

Apparently the choice for a hostname- or IP-based connection is written to the Securityfile.txt, which is then used to import the host into SCVMM.

When you select IP based, the certificate used to connect to the console of the VM won't match the issuer. Bummer. When re-installing the SCVMM agent and choosing the hostname option, all works fine.

– ALL servers need to run Windows Server 8 Beta.

All? Well, the Hyper-V host, the guest VMs, the VMM library server, the VMM management server, even the VMM console must run on it. The only exception is the VMM database server, which can be a 2008 R2 server. No, Windows 8 Consumer Preview is also not supported.

Well, this makes this CTP really a "Windows Server 8-only" release.

To be continued.. 🙂

Setting up a Server 8 – System Center 2012 testenvironment… on a laptop – Part 3: Hyper-V

April 16, 2012

Now that we have WiFi working, let’s get our Hyper-V on 🙂

After making sure that Intel-VT is enabled on the BIOS, install the Hyper-V role.

Go to Server Manager, Manage, Add Roles and Features, and select the Hyper-V Role.

Do not choose any adapters to bind to while installing this Role, we’ll do that later.

After rebooting the Role is installed and we can start configuring it.

Now the goal here is to have multiple Virtual Switches, binding to different networks.

I want to be able to easily switch to another network in a running VM, without having to add or remove Network Adapters.

Also, I want to be able to share the WiFi connection of my parent OS (Windows 8 Server Beta) with the VMs.

As we can read in this article, it was a little tricky for the Server 8 / Hyper-V team to get this stuff working. But they managed, by using the ol' trusted network bridging technique, which people were already using to get WiFi connected to their Server 2008 R2 Hyper-V environments.

So, these are the networks and their Hyper-V virtual Switches I use:

– External Switch – Wifi

Connected to the Intel 6300 WiFi adapter. Provides internet access to the VMs.

– External Switch – Wired

Connected to the Intel 82579LM Gigabit wired adapter. Provides internet access to VMs.

– Internal Switch – SC2012 Demo

No external connections, just for internal InterVM communication.

Basically, all VMs in this environment will only be attached to the SC2012-Demo switch. This is an internal switch, allowing connections to and between VMs and the host.

I created this vSwitch with the checkbox on for "Allow management OS to use this connection", and after that I assigned the newly created NIC in the parent OS an IP address in the range I'm using for this environment.

This way I can include the parent OS of the laptop into the SC2012 environment. Hey, I need a Hyper-V host to manage, right?

So this is how it looks in Switch Manager in Hyper-V:

and this is how it looks in Networking Center in the parent OS:

As you can see a Network Bridge has been created that links the WiFi adapter to the Virtual Switch called External Virtual Switch – Wifi.

This will allow my VMs to access the internet when needed.
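The same three switches, built from PowerShell instead of Virtual Switch Manager, as an added example that is not part of the original post. It creates the two external switches (one per physical NIC), the internal SC2012 demo switch, and then gives the parent OS a static address on the demo network so the laptop itself can be the Hyper-V host that the SC2012 VMs manage. Assumptions: Windows Server 2012 Hyper-V and NetTCPIP cmdlet names, the adapter aliases "Ethernet" and "Wi-Fi", and the 192.0.2.0/24 documentation range; the post created the WiFi switch in the GUI, and creating it from PowerShell on a wireless NIC is an assumption here.

```powershell
# Added example, not code from the original post.
# Builds the three Hyper-V virtual switches described in the post and puts
# the management OS on the internal demo network.
# Assumptions: Server 2012 cmdlet names; adapter aliases and IP range are
# examples, check Get-NetAdapter for the real names on your laptop.

Import-Module Hyper-V

$wiredAdapter = "Ethernet"      # Intel 82579LM Gigabit in the post
$wifiAdapter  = "Wi-Fi"         # Intel 6300 WiFi in the post
$demoIp       = "192.0.2.10"    # example address on the SC2012 demo network
$demoPrefix   = 24

function New-SwitchIfMissing {
    # Creating a switch twice fails, so this makes the script re-runnable.
    param([string]$Name, [scriptblock]$Create)
    if (Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "Switch '$Name' already exists, skipping"
    } else {
        & $Create | Out-Null
        Write-Host "Created switch '$Name'"
    }
}

# External switches: each bound to one physical NIC. AllowManagementOS keeps
# the parent OS connected through the switch via a new vEthernet adapter.
New-SwitchIfMissing "External Switch - Wired" {
    New-VMSwitch -Name "External Switch - Wired" -NetAdapterName $wiredAdapter -AllowManagementOS $true
}
# On a wireless NIC, Hyper-V inserts the network bridge shown in the post.
New-SwitchIfMissing "External Switch - Wifi" {
    New-VMSwitch -Name "External Switch - Wifi" -NetAdapterName $wifiAdapter -AllowManagementOS $true
}

# Internal switch: VM-to-VM and VM-to-host only, no path to a physical NIC.
New-SwitchIfMissing "Internal Switch - SC2012 Demo" {
    New-VMSwitch -Name "Internal Switch - SC2012 Demo" -SwitchType Internal
}

# Static address for the parent OS on the demo network, so it is reachable
# from the SCCM/SCVMM VMs that only live on that switch.
$demoNic = "vEthernet (Internal Switch - SC2012 Demo)"
$existing = Get-NetIPAddress -InterfaceAlias $demoNic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -eq $demoIp }
if (-not $existing) {
    New-NetIPAddress -InterfaceAlias $demoNic -IPAddress $demoIp -PrefixLength $demoPrefix | Out-Null
    Write-Host "Assigned $demoIp/$demoPrefix to '$demoNic'"
}

# Review which switch every VM is connected to (read-only, touches no VM).
Get-VMNetworkAdapter -VMName * | Select-Object VMName, SwitchName, MacAddress | Format-Table -AutoSize
```

Because the demo switch is internal, the listing at the end is also a quick way to confirm that none of the lab VMs has accidentally been attached to one of the external switches and gained a path to the real network.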

Setting up a Server 8 – System Center 2012 testenvironment… on a laptop – Part 2- Configuring Server 8

April 16, 2012

Now for running Server 8 Beta on the laptop.

WiFi on Server 8 Beta

Firstly, as this is a mobile workstation, I want to be able to use WiFi in the test environment.

Luckily the drivers for the Intel Centrino Ultimate-N 6300 AGN WiFi NIC are already included in Server 8 Beta.

If they were not included, I'd try a Windows 7 x64 driver to see if that would work. This is what I did for the display driver, and it turned out fine.

This is however not enough to use WiFi connections. Being a server, the WiFi services are not enabled by default. Makes sense, right? So, let's enable this first.

So, go to Server Manager, click Manage, and choose Add Roles and Features.

Select “Role-based or Feature-based installation”, Select the local server and click Next.

We’re not going to install a Role now, so click Next to get to the Features list.

Scroll down to the “Wireless LAN Service” and select it.

Click Next and wait for the installation to finish.

This installs the Wireless Autoconfig Service, allowing connecting to WiFi networks.

Now I can connect to the internet, start running Windows Update to get the available updates for Server 8 Beta, and see if there are some drivers available for the hardware.

Display drivers

The next thing to do is install a display driver for the built-in Intel HD display, so I can get some more features, like using an external display for presentation mode. For this I use the Windows 7 x64 driver for Intel GMA HD provided by Dell.

The installer for these drivers requires the .NET Framework, and it doesn't accept the built-in 4.5 version of .NET FW that comes with Server 8.

So I installed the .NET FW 3.5 Feature, which also includes .NET FW 2.0.

Easy, just click the feature, let it install and done. Right?


.NET Hell

As it turns out, the source files for this feature are not installed in the local sxs folder, and it downloads its source files from Windows Update rather than from the local installation files.

So , when it cannot access the Windows Update site, for example when you do not yet have a working internet connection or are behind a corporate firewall, the installation of the feature fails!

That sucks, especially because you don’t get any feedback that an internet connection is required here….

So, off to DISM.exe then:

type “Dism /online /enable-feature /featurename:NetFx3 /All /Source:x:\sources\sxs /LimitAccess”

where x: maps to your Windows Server 8 Beta ISO/DVD and LimitAccess is for telling the installer that there is no internet connection available, so it shouldn’t even try it.
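The DISM step wrapped in a small script, as an added example that is not from the original post: it mounts the ISO, works out which drive letter it got (so the /Source path is never guessed), runs the exact dism.exe command above with /LimitAccess, and interprets the exit code, since 3010 means "installed, reboot required" rather than failure. Assumptions: the Windows 8 / Server 2012 Mount-DiskImage and Get-Volume cmdlets are available on the beta, and the ISO path is an example.

```powershell
# Added example, not code from the original post.
# Enables .NET Framework 3.5 (NetFx3) from the installation media only, never
# from Windows Update, using the dism.exe command line the post gives.
# Assumption: Windows 8 / Server 2012 storage cmdlets; ISO path is an example.

$isoPath = "D:\ISO\WindowsServer8Beta.iso"   # example path, change to yours

# Mount the ISO and find the drive letter it was given.
$image  = Mount-DiskImage -ImagePath $isoPath -PassThru
$letter = ($image | Get-Volume).DriveLetter
$source = "${letter}:\sources\sxs"
if (-not (Test-Path $source)) {
    Dismount-DiskImage -ImagePath $isoPath
    throw "No sources\sxs folder at $source, is this the right ISO?"
}

# Current state, so a second run shows clearly that nothing needed doing.
$before = (dism /online /get-featureinfo /featurename:NetFx3 | Select-String '^State :') -join ''
Write-Host "NetFx3 before: $before"

# /LimitAccess stops DISM from contacting Windows Update when a file is not
# found locally, which is exactly the silent failure the post describes.
dism /online /enable-feature /featurename:NetFx3 /All /Source:$source /LimitAccess
$exit = $LASTEXITCODE

Dismount-DiskImage -ImagePath $isoPath

switch ($exit) {
    0    { Write-Host "NetFx3 enabled" }
    3010 { Write-Host "NetFx3 enabled, reboot required" }
    default {
        # The DISM log is the place the post points to for the real reason.
        throw "DISM failed with exit code $exit, see $env:windir\Logs\DISM\dism.log"
    }
}
```

If the component store has already been damaged by the earlier failed attempt, as happened on the author's first installation, this command fails with a non-zero exit code as well, and the DISM log named in the error is where that shows up.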

Oh yeah, on my first installation this situation f*cked up the installer store, so this dism.exe method wouldn't even work anymore. So I reinstalled Server 8 completely. Yes, that sucked. 😦

Also, I want to use the Snipping Tool to do some screenshots now and then. For this we have to enable the Desktop Experience feature.

It's a little hidden, within the "User Interfaces and Infrastructure" item, so check this out:
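Both features this post adds through Server Manager, the Wireless LAN Service from the WiFi section and Desktop Experience from the Snipping Tool section, installed from PowerShell instead, as an added example that is not part of the original post. After installing, it makes sure the WLAN AutoConfig service (WlanSvc) is running and set to start automatically, and reports whether a reboot is pending. Assumptions: the Windows Server 2012 feature names Wireless-Networking and Desktop-Experience and the Install-WindowsFeature cmdlet; the beta may still use the older Add-WindowsFeature name.

```powershell
# Added example, not code from the original post.
# Installs the Wireless LAN Service and Desktop Experience features from
# PowerShell and checks that the WLAN AutoConfig service is up afterwards.
# Assumptions: Server 2012 feature names and cmdlet names (see lead-in).

Import-Module ServerManager

$features = "Wireless-Networking", "Desktop-Experience"

foreach ($feature in $features) {
    $info = Get-WindowsFeature -Name $feature
    if ($null -eq $info) { throw "Feature $feature not found on this build" }
    if ($info.Installed) {
        Write-Host "${feature}: already installed"
        continue
    }
    $result = Install-WindowsFeature -Name $feature
    Write-Host "${feature}: success=$($result.Success) restartNeeded=$($result.RestartNeeded)"
}

# Wireless LAN Service installs the WLAN AutoConfig service (WlanSvc); without
# it running, no WiFi networks or profiles show up at all.
$wlan = Get-Service -Name WlanSvc -ErrorAction SilentlyContinue
if ($wlan) {
    Set-Service -Name WlanSvc -StartupType Automatic
    if ($wlan.Status -ne "Running") { Start-Service -Name WlanSvc }
    Write-Host ("WlanSvc: " + (Get-Service -Name WlanSvc).Status)
} else {
    Write-Host "WlanSvc not present yet, a restart may be needed first"
}

# Desktop Experience only becomes usable (Snipping Tool included) after a reboot.
$pending = Get-WindowsFeature -Name $features | Where-Object { $_.InstallState -eq "InstallPending" }
if ($pending) {
    Write-Host ("Restart pending for: " + ($pending.Name -join ", ") + ". Run Restart-Computer when ready.")
}
```

Running it a second time is harmless: already installed features are skipped and only the service state is re-checked.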