In one of the last posts we discussed the option to put a Web Application Proxy in the DMZ as a reverse proxy for NDES. You could request a hotfix via Microsoft Support in order to get this to work. The good news is that you no longer have to contact support, it’s available in the in the December Windows Update:

Large URI request in Web Application Proxy fails in Windows Server 2012 R2
http://support.microsoft.com/kb/3011135

Just install the latest Windows Update on your Windows Server 2012 R2 and you should be good to go:

December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
http://support.microsoft.com/kb/3013769

When testing new policies or deploying applications it’s useful to force a policy refresh. In iOS you can force this when using the latest Company Portal.

Follow these easy steps:

1. Open the Company Portal
2. Select your device in use
3. Hit the Sync button

Once you have certificate deployment working, you can use it for several purposes. One example would be to use certificate based authentication against Exchange (on-prem), VPN or WiFi Profiles. Certificate based authentication against WiFi profiles is a common ask, in this post I'll explain how to configure this in ConfigMgr 2012 R2.

1. Create a new WiFi profile.
   
   
   
2. Enter SSID details.
   
   
   
3. Select your Security Type, Encryption and “Smart Card or other certificate” and select “Configure”.
   
   
   
4. Configure as follows: “Use a certificate on this computer”, deselect “Verify the server’s identity…..”  and hit “Advanced”.
   
   
   
5. Pressing the “Advanced” button will bring you to the “Configure Certificate Selection” dialog.
   Make sure you select your issuing CA and add the “Client Authentication” SKU at the AnyPurpose section. 
    
   
   
6. Hit OK until you return to “Add Wi-Fi Profile Security Configuration” wizard (shown at step 3).
   Select the appropriate Root Certificate.
   Select the appropriate Client Certificate.
   
   
   
7. After selecting “Next” make sure you enable “Specify Authentication Mode” and select “User Authentication”.
   
   
   
8. If a proxy is required, details can be provided in the next dialog.
   
   
   
9. Select the platforms and deploy this profile to a user group.
   

After deploying the profile, wait a few minutes and enroll a new user or enforce a policy refresh on Windows Phone 8.1. You phone should connect to the WiFi automatically using the SCEP Certificate.

If this post helped you, consider leaving a reply.

My role has previously primarily focused on Microsoft Intune, nowadays it’s more towards our whole Enterprise Mobility Suite. This includes Azure AD premium, Microsoft Intune and Azure Rights Management Service. Due to the change of focus (and name change of Microsoft Intune) I decided to create a new blog.
My previous blogs and content can be found here:

Tune in to Windows Intune:

Technical tips related to, mostly, Intune:

• Part 3 - Protecting NDES with Web Application Proxy (WAP) in the DMZ
• Hotfix available for faster remote retire or wipe via Intune
• Windows Phone 8.1 in Kiosk Mode (Assigned Access) using Intune and ConfigMgr
• Manual run a directory sync with Azure AD Sync
• AAD Sync: An unknown error occurred with the Microsoft Online Services Sign-in Assistant
• Cumulative Update 2 for System Center 2012 R2 Configuration Manager
• Black or Whitelist applications on Windows Phone 8.1 with Windows Intune
• How to build a modern UI App and deploy using Intune
• PART 2 - SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune
• How many Intune enabled users do I have?
• Company Portal not installed after enrolling on Windows Phone
• Windows Intune Mobile Device Inventory Information FAQ
• Errors in the ConfigMgr cloudusersync.log
• What happens to tenant data when my trial expires?
• Error: “Confirm you are using the correct sign-in info, and that your workplace uses this feature”
• SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune
• Troubleshoot ConfigMgr 2012 and Intune SCEP/NDES
• New Technet articles published
• How to check if Sideloading is enabled
• How to troubleshoot User Enrollment for ConfigMgr 2012 and Windows Intune
• Type mismatch: 'UBound' when using the Support Tool for Windows Intune Trial Management of Window Phone 8
• Sync failed. Error: (0x80c81000) Data in the stream is not in the proper format.
• Get Certificate thumbprint using PowerShell
• How to put a “Request Remote Assistance” icon on users desktop in Windows 8 or 8.1
• Android Company Portal for Windows Intune released

• After enabling AD Federation Service (ADFS) you are being refered to your internal domain
• Replace certificates on ADFS 3.0
• Test Workplace Join with a self-signed certificate
• Error when trying to install Windows Azure Active Directory Module for Windows PowerShell
• Upgrade System Center Configuration Manager SP1 to R2
• Using Workplace Join and a Web Application Proxy
• The connection to adfs.domain.com Active Directory Federation Services 2.0 server failed due to invalid credentials
• “Device Registration Service is not in a valid configuration state”
  

Home is where I lay my head

Technical stuff from my times as a Senior Premier Field Engineer:

• Reduce WinSxS folder size in Windows 8 or 8.1
• Enabling Secure Boot in Windows 8
• How to upgrade a Surface RT to Windows 8.1 Preview with language mismatch
• Windows 8.1 Preview Explorer.exe crashes
• Optimization Guidance for Windows 7
• Important Windows 7/2008 R2 Performance Rollup Package Is Available
• How to migrate your Microsoft Account (a.k.a. Live ID) to a different country
• Outlook: Mail stuck after editing in Outbox
• Upgrading Windows Server 2008 R2 to 2012 – via RDP
• Error: "We cant connect to xbox service right now”
• Windows 8 - Nothing happens when you initiate a shutdown or hangs at the “shutting down” donut.
• Windows 8 Interactive Services Detection “Error 1: Incorrect Function”
• How to install Windows 7 or 8 from USB using UEFI
• How to check in Windows if you are using UEFI
• How to install the Windows Performance Recorder for Windows 8

There are several ways to initiate a revocation of a certificate on a mobile device, in this post we will discuss the options and their behavior per platform. It’s important to note that we can only revoke certificates which are delivered via SCEP.

There are two types of removal:

1. Due to device wipe/retire or unenrollment.
2. Due to user leaving the targeted collection/group, deployment being deleted or profile/policy is being deleted.

From a server side perspective, the certificate will always be revoked on the CA.
From a client side perspective, the certificate will be removed from the device. This applies to all platforms we currently support: Windows, Windows Phone, Android and iOS with one exception (see below).

The only scenario is we are currently investigating is removal type 2 in combination with Windows Phone, in certain conditions the certificate is not removed from the device.