• Force a refresh of Microsoft Intune policies on iOS

    When testing new policies or deploying applications it’s useful to force a policy refresh. In iOS you can force this when using the latest Company Portal.


    Follow these easy steps:

    1. Open the Company Portal
    2. Select your device in use
    3. Hit the Sync button


  • Hotfix: Large URI request in Web Application Proxy on Windows Server 2012 R2

    In one of the last posts we discussed the option to put a Web Application Proxy in the DMZ as a reverse proxy for NDES. Previously you had to request a hotfix via Microsoft Support to get this to work. The good news is that you no longer have to contact support; the fix is available in the December Windows Update:

    Large URI request in Web Application Proxy fails in Windows Server 2012 R2
    http://support.microsoft.com/kb/3011135

    Just install the latest Windows Update on your Windows Server 2012 R2 and you should be good to go:

    December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
    http://support.microsoft.com/kb/3013769

  • How to assign EMS licenses using the Azure Portal

    In this post I will show you how to assign EMS licenses using the Azure Portal.
    Open a browser. To prevent cookie issues, I recommend using InPrivate mode.


    Navigate to http://manage.windowsazure.com/ and sign in using the administrator account for your tenant (e.g. admin@mycompanyname.onmicrosoft.com).


    After successful logon, on the left side navigate to Active Directory. Select the desired directory.


    After selecting the directory, navigate to the License section.
    Select the EMS licenses that are bound to this tenant. In case your licenses don’t show up you will have to call support to have your licenses assigned.


    From this point you can either assign licenses to individual users or a group.


    After selecting a group or individual you can assign licenses by pressing the “assign” button at the bottom of the screen.


    In case this post helped you, please consider leaving a reply.

  • Configure certificate based authentication to Wi-Fi with ConfigMgr and Intune

    Once you have certificate deployment working, you can use it for several purposes. One example is certificate-based authentication against Exchange (on-prem), VPN or WiFi profiles. Certificate-based authentication for WiFi profiles is a common ask, so in this post I'll explain how to configure it in ConfigMgr 2012 R2.

    1. Create a new WiFi profile.

    2. Enter SSID details.

    3. Select your Security Type, Encryption and “Smart Card or other certificate” and select “Configure”.

    4. Configure as follows: “Use a certificate on this computer”, deselect “Verify the server’s identity…..”  and hit “Advanced”.

    5. Pressing the “Advanced” button will bring you to the “Configure Certificate Selection” dialog.
      Make sure you select your issuing CA and add the “Client Authentication” EKU at the AnyPurpose section.

    6. Hit OK until you return to “Add Wi-Fi Profile Security Configuration” wizard (shown at step 3).
      Select the appropriate Root Certificate.
      Select the appropriate Client Certificate.

    7. After selecting “Next” make sure you enable “Specify Authentication Mode” and select “User Authentication”.

    8. If a proxy is required, details can be provided in the next dialog.

    9. Select the platforms and deploy this profile to a user group.

    After deploying the profile, wait a few minutes and enroll a new user or enforce a policy refresh on Windows Phone 8.1. Your phone should connect to the WiFi automatically using the SCEP certificate.

    If this post helped you, consider leaving a reply.

  • NDES - Error 12186 in ndesplugin.log

    Are you trying to configure certificate deployment for mobile devices and run into the error 12186 in ndesplugin.log? This post might help you reach a solution.

    The exact error shown in ndesplugin.log is:

    Failed to send http request /CMCertificateRegistration/Certificate/VerifyRequest. Error 12186

    This error can occur when the account under which the NDES application pool runs does not have read permission on the client certificate's private key, which is used for the HTTPS connection to the Certificate Registration Point (CRP).

    In order to assign this permission connect to the NDES server and perform the next steps:

    1. Get the Unique Container Name of the NDES client certificate:
      certutil -VerifyStore My
      The container will be listed as something similar to this:
      Key Container = fc9b3ab746d7b0739ae8c6c0468e0eb5_6de86d88-a02c-4b33-91b0-43d27ebe455b

    2. Find the certificate's key file by matching the unique container name acquired at step 1 against the filenames. On Windows Server 2012 R2, check this location:
      %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys
      (these certs will be hidden, use ATTRIB or adjust Explorer to show hidden files.)

    3. Run the icacls.exe command line tool to grant R (Read) permission to the NDES user account (DOMAIN\User). Make sure you replace the filename starting with fc9b3…… with the container name you found in step 1.
      icacls.exe "%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys\fc9b3ab746d7b0739ae8c6c0468e0eb5_6de86d88-a02c-4b33-91b0-43d27ebe455b" /grant DOMAIN\User:R


    Restart the NDES server and you should not get the same error. Please consider leaving a reply in case this post helped you.
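
    The three steps above can be scripted so that the key file's existing ACL is reviewed before anything is granted. This is an added example, not part of the original post. It assumes Windows PowerShell running elevated on the NDES server, a CSP-backed RSA key, and a certificate thumbprint that you supply (the placeholder below is not a real value); DOMAIN\User is the same placeholder account used in step 3.

    ```powershell
    # Added example: locate the NDES client certificate's key file, review its ACL,
    # and grant Read to the NDES application pool account only if it is missing.
    $Thumbprint = '<THUMBPRINT-OF-NDES-CLIENT-CERT>'   # placeholder, supply your own
    $Account    = 'DOMAIN\User'                        # placeholder account from step 3

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this machine."
    }

    # Step 1 equivalent: read the unique key container name (CSP-backed keys only).
    try { $key = $cert.PrivateKey } catch { $key = $null }
    if ($null -eq $key -or $null -eq $key.CspKeyContainerInfo) {
        throw "Key is not CSP-backed; use 'certutil -VerifyStore My' to find the container."
    }
    $container = $key.CspKeyContainerInfo.UniqueKeyContainerName

    # Step 2 equivalent: map the container name to the file under MachineKeys.
    $keyFile = Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\RSA\MachineKeys\$container"
    if (-not [System.IO.File]::Exists($keyFile)) { throw "Key file not found: $keyFile" }

    # Review who can already reach the private key before changing anything.
    $acl = Get-Acl -LiteralPath $keyFile
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

    # Step 3 equivalent: grant Read (nothing broader) only when it is not present.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if ($hasRead) {
        Write-Output "$Account already has Read on $keyFile; no change made."
    } else {
        & icacls.exe $keyFile /grant "${Account}:R"
    }
    ```

    The ACL listing is worth keeping with your change record: any identity on that file can use the NDES client certificate's private key.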