Microsoft Intune for Beginners

At first, learning about Microsoft's vision for MDM can be tricky: there are different considerations for personally owned and company-owned devices, and a different approach for the standalone MDM solution (Microsoft Intune) versus Unified Device Management (ConfigMgr + Intune). Below is a collection of resources for beginners starting the MDM journey.

When we plan a PKI infrastructure for customers, a big part of the work is defining security policies aligned with the business strategy. When we plan ITSM for companies, the first phase is to validate or define process management according to ITIL/MOF, aligned with the customer's business needs. BYOD has the same requirement: without a good BYOD policy the project may, and likely will, fail.

I recommend getting familiar with the technology-agnostic Microsoft guide:

Bring Your Own Device (BYOD) Design Considerations Guide

Different industries have different challenges with BYOD implementation. Microsoft published a good document based on experience with school environments:

BYOD Devices – A Deployment Guide for Education

Sooner or later we need to know the capabilities of Microsoft Intune standalone versus Unified Device Management:

Scenario | ConfigMgr 2012 R2 only | Intune only | ConfigMgr 2012 R2 + Intune
Microsoft Windows | Yes | Yes | Yes
Microsoft Windows Server | Yes | No | Yes
Windows Phone | No | Yes | Yes
Windows RT | No | Yes | Yes
iOS | No | Yes | Yes
Android | No | Yes | Yes
Mac OS X | Yes | No | Yes
Unix/Linux Servers | Yes | No | Yes
Extensible Windows PC Device Configuration Settings (e.g., WMI, Registry) | Yes | No | Yes
Extensible Mac OS X Configuration Settings | Yes | No | Yes
Mobile Device Configuration Settings | No | Yes | Yes
Application Deployment | Yes | Yes | Yes
Windows Operating System Deployment | Yes | No | Yes (no deployment over Intune)
Software Updates | Yes | Yes | Yes
Endpoint Protection | Yes | Yes | Yes
Software Metering | Yes | No | Yes
Hardware and Software Inventory | Yes | Yes | Yes
Custom hardware and software inventory | Yes | No | Yes
Role-based Administration and Reporting | Yes | No | Yes
Unified Reporting for Cloud- and Corporate-connected Devices | No | No | Yes
Cloud-based Reporting | No | Yes | No
Security Settings | Yes | Yes | Yes
Remote Wipe | Yes | Yes | Yes
Remote Lock | No | Yes | No
Passcode Reset | No | Yes | No

Suppose we are familiar with the document above and start the implementation. The first step to managing a device is enrolling it, and the "how to" differs per platform:

Windows Phone 8 and Windows Phone 8.1
  • Windows Phone 8: go to system settings > company apps, and sign in using your user ID.
  • Windows Phone 8.1: go to system settings > Workplace, and sign in using your user ID.
  • Note: you must select Install Company app or Hub to be able to get company apps.
  • If your Windows Intune account does not have a public domain and you are using a * account, you will need to type in the server address "" when you are prompted for it.

Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain
  1. Go to Settings > PC Settings > Network > Workplace.
  2. Enter the User ID and click Turn on.
  3. Check the Allow apps and services from IT admin dialog box, and click Turn on.
  If your account does not have a public domain and you are using a * account, you must add the following registry information to enroll your Windows 8.1 computer:
  1. Create the MDM registry key if it is not already present: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
  2. Under the MDM key create a new REG_SZ value called DiscoveryService with the value data "".

Windows RT
  • Click Start, type "System Configuration", and click the dialog box to open Company Apps.

iOS
  • Enroll iOS devices by using the iOS company portal app, Windows Intune Company Portal, available in the App Store. The company portal app can be installed on devices running iOS 6 or later.
  • On the iOS device, open the Windows Intune Company Portal and enter your credentials. When prompted, click Install on the Management Profile screen.

Android
  • Enroll Android devices by using the Android company portal app, Windows Intune Company Portal, available on Google Play. The company portal app can be installed on devices running Android 4 or later.
  • On the Android device, open the Windows Intune Company Portal and enter your credentials.

Company-owned devices (Unified Device Management feature) vs. personally owned devices (Intune standalone):

Platform | Personal-owned devices | Company-owned devices
Windows 8.1 (without the Configuration Manager client) | Only managed apps | Only managed apps
Windows Phone 8 | Only managed apps | Only managed apps
Windows RT | Only managed apps | Only managed apps
iOS | Only managed apps | All apps
Android | Only managed apps | All apps

Hardware Inventory details for supported platforms:

Hardware Inventory Class | WP 8 & WP 8.1 | Windows RT | iOS | Android (via the Android company portal app)
Name | Device_ComputerSystem.DeviceName | Device_ComputerSystem.DeviceName | Device_ComputerSystem.DeviceName | Not applicable
Unique Device ID | Device_ComputerSystem.DeviceClientID | Device_ComputerSystem.DeviceName | Device_ComputerSystem.UDID | Not applicable
Serial Number | Not applicable | Not applicable | Device_ComputerSystem.SerialNumber | Device_ComputerSystem.SerialNumber
Email Address | Device_Email.OwnerEmailAddress | Device_Email.OwnerEmailAddress | Device_Email.OwnerEmailAddress | Not applicable
Operating System Type | Device_OSInformation.Platform | CCM_OperatingSystem.SystemType | Not applicable | Device_OSInformation.Platform
Operating System Version | Device_ComputerSystem.SoftwareVersion | Win32_OperatingSystem.Version | Device_OSInformation.OSVersion | Device_OSInformation.Version
Build Version | Not applicable | Win32_OperatingSystem.BuildNumber | Not applicable | Not applicable
Service Pack Major Version | Not applicable | Win32_OperatingSystem.ServicePackMajorVersion | Not applicable | Not applicable
Service Pack Minor Version | Not applicable | Win32_OperatingSystem.ServicePackMinorVersion | Not applicable | Not applicable
Operating System Language | Device_OSInformation.Language | Not applicable | Not applicable | Not applicable
Total Storage Space | Not applicable | Win32_PhysicalMemory.Capacity | Device_Memory.DeviceCapacity | Device_Memory.StorageTotal
Free Storage Space | Not applicable | Win32_OperatingSystem.FreePhysicalMemory | Device_Memory.AvailableDeviceCapacity | Device_Memory.StorageFree
IMEI (International Mobile Equipment Identity) | Not applicable | Not applicable | Device_ComputerSystem.IMEI | Device_ComputerSystem.IMEI
MEID (Mobile Equipment Identifier) | Not applicable | Not applicable | Device_ComputerSystem.MEID | Not applicable
Manufacturer | Device_ComputerSystem.DeviceManufacturer | Win32_ComputerSystem.Manufacturer | Not applicable | Device_Info.Manufacturer
Model | Device_ComputerSystem.DeviceModel | Win32_ComputerSystem.Model | ModelName | Device_Info.Model
Phone Number | Not applicable | Not applicable | Device_ComputerSystem.PhoneNumber | Device_ComputerSystem.PhoneNumber
Subscriber Carrier | Not applicable | Not applicable | Device_ComputerSystem.SubscriberCarrierNetwork | Device_ComputerSystem.SubscriberCarrierNetwork
Cellular Technology | Not applicable | Not applicable | Device_ComputerSystem.CellularTechnology | Device_ComputerSystem.CellularTechnology
Wi-Fi MAC | Not applicable | Win32_NetworkAdapter.MACAddress | Device_WLAN.WiFiMAC | Device_WLAN.WiFiMAC

Information sent from Intune to Configuration Manager

The following table shows the customer information that is retrieved from Microsoft Intune. This information is deleted from Microsoft Intune after it has been successfully downloaded by Configuration Manager.

Information and data sent to Microsoft Intune Examples
To help the admin manage enrolled devices and deploy the company's software to users' devices
  • Compliance settings and values, such as requiring a minimum password length of 4 characters
  • E-mail profile information, such as email server name and time of day preferences
  • Information to generate certificates for VPN profiles (but not the certificate itself)
  • Software name, description, encrypted content, and icon for apps
  • Any setting needed to enroll devices
To manage their users’ experience
  • Settings applied to user’s devices
  • Whether the company portal has been installed
  • What software applications are displayed as available in the company portals
  • What software the user has requested and installed
  • User’s software request history
To help enrolled users use single sign-on
  • User Principal Name (UPN)
  • User Name
  • Email (if email profiles are enabled and deployed)
To quickly view relevant information about enrolled devices
  • Device name
  • Device friendly name
  • Device Type
  • Device OS
  • Device Action (Wipe/Retire/Connect) state
  • Certificate expiry date
  • Primary user
  • Last connection time
To distribute certs for Wi-Fi and VPN profiles
  • NDES server information
  • System Center Endpoint Protection challenge encryption certificate (public-key only)
  • Certificate provisioning information
  • Certificate assignment and status
To quickly assess current status and versions
  • Microsoft Intune Connector Installation status e.g. “Windows Phone 8.1 extension (V1) is installed”
  • Configuration Manager Version Information e.g. “Connector Build Version 5.0.7958.1000”
To connect authorized users remotely
  • RD Gateway Server Settings
  • Machine names and Microsoft Intune users for which this feature is enabled

Other information sent by Microsoft Intune to Configuration Manager

The following table shows information that is generated by Microsoft Intune and shared with Configuration Manager. This information is deleted from Microsoft Intune after it has been successfully downloaded by Configuration Manager.

Type of Information Examples
End-user initiated commands
  • Device Wipe/Retire action information
  • Application Request information
  • User-generated device commands (rename, wipe, retire, connect now)
Tenant, user, and device error messages
  • “Apple APNs Certificate Expired”
  • “Side-loading key could not be applied”

Customer commands temporarily stored in Microsoft Intune

Commands sent to and received from mobile devices are temporarily stored in the Microsoft Intune service while the device is actively connected to the service. This data is subsequently deleted after the device’s active session ends.

The best document I could find on security planning for Windows Phone is written by Paweł Pławiak and Marcin Ostrowski; you can find it here:

Przewodnik Zabezpieczeń dla Windows Phone 8.1 (Security Guide for Windows Phone 8.1)

For English readers there is also a great ebook which you might find useful:

Windows Phone 8.1 Field Guide


/Tomasz Gościmiński

Webinar: System Center 2012 R2 Configuration Manager – Free Support Tools

Hi All!

We promised to publish the links used in our last webinar:

System Center 2012 R2 Configuration Manager – Free Support Tools

Don’t forget to read our blog post:

Link to Webinar:

Hydration Kit
Powershell Deployment Toolkit
GUI for Powershell Deployment Toolkit
SQL Sizing Document
Prereq Tool
SQL Maintenance Solution
MDT 2013

App Management
Powershell Application Deployment Toolkit
Coretech Shutdown Tool
Coretech Application Approval workflow
Microsoft Application Approval Workflow
Configuration Manager Application Request
Application Importer
Automated Documentation Tool

Client Operations
Configuration Manager Support Center
Microsoft Security Compliance Manager
Client Center for Configuration Manager
Cireson Remote Manage App
Right Click Tools
ConfigMgr Inbox Monitor
Client push manager
PoshCAT aka SCCM Client Actions Tool
Jason Sandys Startup script
ConfigMgr Management Pack
ConfigMgr Integration Pack
Coretech Asset Intelligence 3rd party software utility
Status Generator (StatGen)
ConfigMgr Content Locator

Best regards

/Tomasz Gościmiński

Deploy Applications in Enterprise like a PRO

Hello, my name is Tomasz Gościmiński and I'm an Infrastructure Consultant at Predica. Today's post is about the value of the deployment tandem of System Center Configuration Manager and its smaller companion, the PowerShell App Deployment Toolkit. When both are integrated in your environment great things can happen, so let's start…

Business Problem: Recently, Contoso experienced a number of system outages in which the company's core business applications shut down unexpectedly. After several days of investigation, John Snow, Contoso infrastructure administrator, discovered that the outages were the result of a number of vulnerabilities in enterprise line-of-business applications and users' software. Since then, it is critical for Contoso to manage the lifecycle of applications:

  • initial creation and testing of application deployment;
  • updating the deployed application to a newer version;
  • update and removal of the application from computers on the production network.

To reduce unplanned downtime in the future, Contoso must find a way to ensure it is always up to date and to manage the application lifecycle in a controlled manner.

Business Solution: The company IT Director decided to invest in System Center 2012 R2 Configuration Manager to support the IT department staff. He wants to ensure:

  • compliance
  • unattended deployment
  • retiring apps
  • tracking
  • versioning
  • reporting

Business Case: Application Lifecycle – Adobe Reader example

Scenario: John is the Configuration Manager administrator at Contoso who must deploy the latest version of Adobe Reader 11 to 200 users, according to the requirements. So far the Contoso corporate standard is Adobe Reader 10, which has a few important security vulnerabilities found a few days ago. John decided to retire Adobe Reader 10 and replace it with Adobe Reader 11 in an automated manner. John needs to know whether the user is currently using Adobe Reader, so that it can be safely closed by the user or by Configuration Manager before installation. Requirements:

  • Unattended removal of Adobe Reader 10.0.14 and installation of Adobe Reader 11.0.09.
  • A mechanism that lets the user defer installation, so work can be saved first.
  • A mechanism to display custom messages to users.
  • The mechanism should check whether Adobe Reader or other specified apps are running before installation.

The following sections provide example steps for using Configuration Manager together with the PowerShell App Deployment Toolkit to create, deploy, and manage applications in your organization.

  • Download Adobe Reader 11.0.09 MSI
  • Extract Adobe Reader binaries
  • Download PowerShell App Deployment Toolkit
  • Prepare ConfigMgr Package Content
  • Modify the PS1 to fulfil the requirements
  • Prepare ConfigMgr 2012 Application
  • Prepare ConfigMgr Adobe Reader 11.0.09 Collection
  • Deployment
  • User Experience

Detailed Steps

  1. From site: download Adobe Reader 11.0.09 for the proper OS.
  2. After downloading the .exe, extract the installation files: open a command prompt, go to the Adobe Reader download folder and execute: AdbeRdr11009_en_US.exe -nos_o"C:\download\AR11.0.09" -nos_ne
    After a few seconds the extracted installation files are stored in the C:\download\AR11.0.09 folder. We will need them to deploy the app.
  3. From site: download and extract the PowerShell App Deployment Toolkit.
  4. From the extracted archive copy the Toolkit folder to the network share where ConfigMgr packages are stored. Rename the Toolkit folder according to your needs, for example: PS Adobe Reader 11009.
    The renamed PS Adobe Reader 11009 folder contains a Files folder. Copy the extracted Adobe Reader binaries into the Files folder so that everything is in one place, ready to distribute.
  5. Modify Deploy-Application.ps1 to fulfil the requirements. I recommend reading the PowerShell App Deployment Toolkit Administration Guide. In our example Deploy-Application.ps1 looks as follows:

    [code lang="powershell"]
    <#
    .SYNOPSIS
        This script performs the installation or uninstallation of an application(s).
    .DESCRIPTION
        The script is provided as a template to perform an install or uninstall of an application(s).
        The script either performs an "Install" deployment type or an "Uninstall" deployment type.
        The install deployment type is broken down in to 3 main sections/phases: Pre-Install, Install, and Post-Install.
        The script dot-sources the AppDeployToolkitMain.ps1 script which contains the logic and functions required to install or uninstall an application.
    .PARAMETER DeploymentType
        The type of deployment to perform. [Default is "Install"]
    .PARAMETER DeployMode
        Specifies whether the installation should be run in Interactive, Silent or NonInteractive mode.
        Interactive = Default mode
        Silent = No dialogs
        NonInteractive = Very silent, i.e. no blocking apps. Noninteractive mode is automatically set if an SCCM task sequence or session 0 is detected.
    .PARAMETER AllowRebootPassThru
        Allows the 3010 return code (requires restart) to be passed back to the parent process (e.g. SCCM) if detected from an installation.
        If 3010 is passed back to SCCM a reboot prompt will be triggered.
    .PARAMETER TerminalServerMode
        Changes to user install mode and back to user execute mode for installing/uninstalling applications on Remote Desktop Session Host/Citrix servers
    .EXAMPLE
        Deploy-Application.ps1 -DeployMode "Silent"
    .EXAMPLE
        Deploy-Application.ps1 -AllowRebootPassThru -AllowDefer
    .EXAMPLE
        Deploy-Application.ps1 -DeploymentType Uninstall
    .NOTES
        To access the help section, run: Get-Help .\Deploy-Application.ps1 -Full
    #>
    Param (
        [ValidateSet("Install","Uninstall")]
        [string] $DeploymentType = "Install",
        [ValidateSet("Interactive","Silent","NonInteractive")]
        [string] $DeployMode = "Interactive",
        [switch] $AllowRebootPassThru = $false,
        [switch] $TerminalServerMode = $false
    )

    Try {

        # Variables: Application
        $appVendor = "Adobe"
        $appName = "Reader"
        $appVersion = "11.0.09"
        $appArch = ""
        $appLang = "EN"
        $appRevision = "01"
        $appScriptVersion = "1.0.0"
        $appScriptDate = "03/11/2014"
        $appScriptAuthor = "Tomasz Gosciminski"

        # Variables: Script - Do not modify this section
        $deployAppScriptFriendlyName = "Deploy Application"
        $deployAppScriptVersion = [version]"3.2.0"
        $deployAppScriptDate = "09/01/2014"
        $deployAppScriptParameters = $psBoundParameters

        # Variables: Environment
        $scriptDirectory = Split-Path -Parent $MyInvocation.MyCommand.Definition
        # Dot source the App Deploy Toolkit functions (the toolkit ships them in the AppDeployToolkit subfolder)
        . "$scriptDirectory\AppDeployToolkit\AppDeployToolkitMain.ps1"
        # Handle ServiceUI invocation
        If ($serviceUIExitCode -ne $null) { Exit-Script $serviceUIExitCode }

        If ($deploymentType -ine "Uninstall") {

            $installPhase = "Pre-Installation"

            # Show Progress Message
            Show-InstallationProgress "Performing Pre-Install cleanup. This may take some time. Please wait..."

            # Show Welcome Message, close Internet Explorer and Adobe Reader if required, allow up to 3 deferrals,
            # verify there is enough disk space to complete the install and persist the prompt
            Show-InstallationWelcome -CloseApps "iexplore,acrord32" -AllowDefer -DeferTimes 3 -CheckDiskSpace -PersistPrompt

            # Remove the previous Adobe Reader release. -Name is matched as a wildcard against the registered
            # DisplayName, so a bare "Adobe" would also uninstall unrelated Adobe MSI products on the machine.
            Remove-MSIApplications -Name "Adobe Reader"

            $installPhase = "Installation"

            Show-InstallationProgress "Installing Adobe Reader 11.0.09. This may take some time. Please wait..."

            # Install the new release; AcroRead.msi is resolved from the toolkit's Files folder
            Execute-MSI -Action Install -Path "AcroRead.msi"

            $installPhase = "Post-Installation"

            # Perform post-installation tasks here

            # Optional message at the end of the install (leave commented out for unattended installations)
            # Show-InstallationPrompt -Message "You can customise text to appear at the end of an install." -ButtonRightText "Ok" -Icon Information -NoWait

        }
        ElseIf ($deploymentType -ieq "Uninstall") {

            $installPhase = "Pre-Uninstallation"

            # Show Welcome Message, close Internet Explorer and Adobe Reader if required with a 60 second countdown before automatically closing
            Show-InstallationWelcome -CloseApps "iexplore,acrord32" -CloseAppsCountdown 60

            $installPhase = "Uninstallation"

            # Uninstall by product code: the same GUID the ConfigMgr detection method checks for
            Execute-MSI -Action Uninstall -Path "{AC76BA86-7AD7-1033-7B44-AB0000000001}"

            $installPhase = "Post-Uninstallation"

            # Perform post-uninstallation tasks here

        }
    }
    Catch {
        # Catch any errors in this script
        $exceptionMessage = "$($_.Exception.Message) ($($_.ScriptStackTrace))"
        If (!($appDeployToolkitName)) {
            Throw "Failed to dot-source AppDeployToolkitMain.ps1 - please check if the file is present in the \AppDeployToolkit folder"
            Exit 1
        }
        Else {
            Write-Log "$exceptionMessage"
            Show-DialogBox -Text $exceptionMessage -Icon "Stop"
            Exit-Script -ExitCode 1
        }
    }

    # Otherwise call the Exit-Script function to perform final cleanup operations
    Exit-Script -ExitCode 0
    [/code]

  6. Now we are going to create the Adobe Reader application in the Application Model.
    1. Open the ConfigMgr Administrative Console and go to Software Library | Overview | Application Management.
    2. Right-click Applications and choose Create Application.
    3. Check Manually specify the application information. Click Next.
    4. On the General Information tab fill in the fields as below. Click Next.
    5. On the Application Catalog tab click Next.
    6. On the Deployment Types tab click Add.
    7. In the Create Deployment Type Wizard, on the General tab check Manually specify the deployment type information. Click Next.
    8. On the General Information tab fill in the fields as below. Click Next.
    9. On the Content tab ensure the fields are as follows:
      1. Content location: [network location of Adobe Reader package]
      2. Installation program: Deploy-Application.exe Install
      3. Uninstall program: Deploy-Application.exe Uninstall
    10. On the Detection Method tab click Add Clause and fill in as follows:
      1. Setting Type: Windows Installer
      2. Product code: {AC76BA86-7AD7-1033-7B44-AB0000000001}
      3. Note: the value is filled in automatically when you browse to AcroRead.msi in the Adobe Reader package location.
      4. Choose This MSI product code must exist on the target system to indicate presence of this application.
    11. On the User Experience tab fill in as follows:
      1. Installation behavior: Install for system
      2. Logon requirement: Only when a user is logged on
      3. Installation program visibility: Normal
      4. Check: Allow users to view and interact with the program installation
    12. Leave the remaining tabs with the default options.
    13. Distribute the Adobe Reader application to a Distribution Point according to the TechNet article:
  7. Create a collection according to the TechNet article:
  8. Create a deployment according to the TechNet article:
  9. A few screens from the user experience:
    1. There is an Adobe Reader 10 icon on the desktop, which will be replaced by 11.0.09. Adobe Reader and Internet Explorer are running to simulate daily user work.
    2. After the policy is retrieved, the App Deployment Toolkit checks the running processes and displays a message accordingly. The user can defer the installation until work is done and saved, or can let PSADT close the apps. The custom message is visible at the top.
    3. After a few dozen seconds Adobe Reader 11 is installed and ready to go.
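The deployment type above detects Adobe Reader by MSI product code only, which is fine for the install/replace flow but says nothing about the version actually present. As an added example (not code from the original post or from the toolkit), here is a script-style ConfigMgr detection for the same deployment that goes one step further: it looks up the product code from the Detection Method step and additionally enforces a minimum DisplayVersion, so a machine still on an older build of the same product family is reported as "not installed" and receives the upgrade. The version floor of 11.0.09 and the registry lookup are this example's assumptions.

```powershell
# Added example, not code from the original post: a script-style ConfigMgr detection for the
# Adobe Reader deployment above. The product code is the one from the Detection Method step;
# the minimum version is an assumption chosen to match the release being deployed.

$ProductCode    = '{AC76BA86-7AD7-1033-7B44-AB0000000001}'
$MinimumVersion = [version]'11.0.09'   # parses as 11.0.9; leading zeros carry no meaning in [version]

function Get-MsiUninstallEntry {
    param([Parameter(Mandatory)][string]$Code)
    # Per-machine MSI installs register under one of these two Uninstall keys (64-bit vs. 32-bit view).
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        $key = Join-Path -Path $root -ChildPath $Code
        if (Test-Path -LiteralPath $key) {
            return Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        }
    }
    return $null
}

function Test-AdobeReaderDetected {
    param(
        [string]  $Code    = $ProductCode,
        [version] $Minimum = $MinimumVersion
    )
    $entry = Get-MsiUninstallEntry -Code $Code
    if (-not $entry) { return $false }            # product code absent: not installed
    $installed = $null
    if (-not [version]::TryParse([string]$entry.DisplayVersion, [ref]$installed)) {
        return $false                             # unparseable version: treat as not detected
    }
    return ($installed -ge $Minimum)              # older build present: not detected, so it gets upgraded
}

# ConfigMgr script-detection contract: write something to STDOUT and exit 0 when the
# application is present; write nothing and exit 0 when it is absent.
if (Test-AdobeReaderDetected) {
    Write-Output "Adobe Reader $MinimumVersion or later is installed"
}
exit 0
```

To use it, switch the Detection Method clause from Windows Installer to a script (PowerShell) and paste the block in. Keep in mind that a version-aware detection changes the meaning of "installed": a box with 11.0.07 will now be evaluated as non-compliant and re-targeted, which is exactly what you want for a security-driven upgrade, but it also means a later in-place patch to a build above the floor is still reported as compliant.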

Summary: the PowerShell App Deployment Toolkit is a must-have for every ConfigMgr admin. It saves time and has a great number of features. And even more important… IT IS FREE! To learn more:

Thank you and happy deployment! Tomasz

Direct Access + Network Access Protection – part 4 – Potential issue with multiple CAs. Lessons learned.

Hi, Andrzej Kaźmierczak (KAZM) again, with the last article on DA + NAP integration. In my previous articles I successfully configured and tested Direct Access with NAP integration using a single enterprise issuing CA (DA + NAP part 3: Single CA work flows explanation).

There is a Microsoft MSDN article ( recommending the use of a dedicated standalone subordinate CA for NAP health certificates. So I did that in my LAB, to show that it isn't that simple with multiple CAs around. This is how my LAB changed compared to its original setup (DA + NAP part 2: LAB configuration and overview):

  1. I added a Standalone CA role on SRVNLS server that will be used only for issuing health certificates (CN=Standalone CA,C=PL):
  2. I have reconfigured Health Registration Authority to use Standalone CA and not to use enterprise certificate templates (which by the way can be used even with standalone CA):
  3. On the properties of the Standalone CA in the Security tab I gave the SRVNPS computer account full permissions. Also, in Policy Module tab I set Request Handling to “Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate” so that HRA request will not hit “Pending” state but will be automatically issued:

Everything is set up, so I start the client connected to the Internet (External) network and… hmm. From the client machine I am able to connect to SRVDC (Domain Controller) and to SRVNPS (NPS + HRA), which means that the infrastructure tunnel is working. Unfortunately I could only ping my internal server SRVFS, as seen in the figure below:


Let’s start troubleshooting:

  1. A quick look at the Direct Access server: everything looks green and good:
  2. What about the Remote Access Clients Status console? The user doesn't have the User Kerberos authentication method, which is used for accessing intranet resources. That confirms that the user cannot connect to SRVFS, but we have to look deeper to find the cause:
  3. On SRVNPS I can see that HRA has approved the request and enrolled a health certificate for the user. That means the user was able to send the Statement of Health (the infrastructure and management tunnels are working fine) and HRA can "talk" to the new standalone CA as well:
  4. I confirm on the Standalone CA that health certificates have been issued to SRVNPS (on behalf of the user):
  5. But has the user received the health certificate? Yes, he has:
  6. Let's have a look at the client's Windows Firewall: there is no User Kerberos, so no corp/intranet tunnel is created:
  7. In Event Viewer on the SERVER and the CLIENT there is NOTHING that points to the cause. On the client, IKE negotiation logs are not shown by default, but you can view the success or failure of IKE negotiations in the Event Viewer Security log with a little trick: enable success or failure auditing for the Audit logon events audit policy for your domain or local computer ( After doing this I could see more useful data:
    1. EVENT ID 4653 "An IPsec main mode negotiation failed" with Failure reason "No policy configured"
    2. EVENT ID 4984 "An IPsec extended mode negotiation failed" with Failure reason "SA establishment is not authorized"
  8. So everything seems to be OK: the client machine receives the health certificate, but still no corp/intranet tunnel is set up. This has to be something with the health certificate! The new Standalone CA certificate is trusted by the client computer (it is added to Trusted Root Certification Authorities). I verify the certificates for the Main Mode SA with "netsh adv mon show mmsa" and everything should be clear now:
  9. Although certificates issued by the Standalone CA are trusted by the client computer and operating system, they are not trusted by the service for setting up the IPsec Security Association ( Why? Well, let me remind you that the Standalone CA was not configured as trusted for Direct Access. Only TST Root CA (my issuing CA, which issued the certificate the workstation uses for the infrastructure and management tunnels) is set as trusted in the Direct Access configuration wizard:
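The audit trick in step 7 is the part most people miss, because the 4653/4984 events are not written until the IPsec subcategories are audited. As an added example (not code from the original post), the following script enables the two relevant Logon/Logoff audit subcategories on the DirectAccess client, pulls the recent 4653 and 4984 failures with the Failure Reason read from the event data fields, and finishes with the long form of the netsh command used in step 8. The subcategory names are the auditpol names for IPsec Main Mode and Extended Mode; the 30-minute lookback is this example's assumption, and it must be run elevated.

```powershell
# Added example, not code from the original post: enable IPsec negotiation auditing on the
# DirectAccess client, then list the 4653 / 4984 failures the post refers to. Run elevated.

# 1. Turn on success and failure auditing for the two IPsec subcategories that produce
#    4653 (main mode) and 4984 (extended mode). This is the per-subcategory form of the
#    "Audit logon events" policy mentioned in the post; it takes effect immediately.
foreach ($sub in 'IPsec Main Mode', 'IPsec Extended Mode') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Read the failures from the Security log. The failure reason is a named field in the
#    event XML, so take it from there rather than scraping the rendered message text.
function Get-IPsecNegotiationFailure {
    param([int]$Minutes = 30)   # lookback window; an assumption for this example
    $filter = @{
        LogName   = 'Security'
        Id        = 4653, 4984
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Id            = $_.Id
            LocalAddress  = $data['LocalAddress']
            RemoteAddress = $data['RemoteAddress']
            FailurePoint  = $data['FailurePoint']
            FailureReason = $data['FailureReason']
        }
    }
}

Get-IPsecNegotiationFailure | Sort-Object Time | Format-Table -AutoSize

# 3. Which certificates authenticated the Main Mode SAs that did come up
#    (long form of "netsh adv mon show mmsa").
netsh.exe advfirewall monitor show mmsa
```

Reading the output against the post's findings: a 4653 with "No policy configured" on the address of the internal resource, while the management-tunnel SAs in the netsh listing show a certificate from the wizard-configured root, is the signature of a health certificate chaining to a CA that DirectAccess does not trust. Turn the auditing off again once you are done; these subcategories are chatty on a busy client.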

But wait… what? So I'm using an enterprise CA to issue the computer certificate and a standalone CA to issue health certificates, and there's only one place in the DA configuration to set up a CA trust for that? How is that possible? The answer is very simple: in the DA configuration use a common Root CA for both the Enterprise and the Standalone CA!

Lessons learned:

  1. If you want to have only one issuing CA for both certificates, the computer (workstation) certificate and the health certificate, that's fine! You can even use a standalone CA for that, but then you have to issue all of them MANUALLY: SSL (even the Direct Access IP-HTTPS certificate) and computer certificates, because there is no autoenrollment with a standalone CA.
  2. If you want to use two issuing CAs, one for computer/workstation certificates and the second one for health certificates, you should have a common offline Root CA, and that is the CA you point to on the Remote Access Server Setup / Authentication page of the Direct Access configuration wizard. This is how my LAB environment should look:
  3. If you don't have a root and have two separate CAs, you should consider changing your PKI architecture to meet PKI best-practice design ( . Or you can take your current issuing CA and treat it as a root, so the standalone CA becomes a subordinate of your issuing CA, and DA is configured with your issuing CA certificate on the Remote Access Server page. This is not recommended, but will do the trick.
  4. When troubleshooting, ALWAYS read the Root/Issuing CA names carefully and confirm with the certificate thumbprint which certificate you are using for what. Sometimes Root and Issuing CA names are very similar and it is very easy to get confused about which one is which.

Direct Access + Network Access Protection – part 3 – Single CA work flows explanation

This is a follow-up to Andrzej Kaźmierczak's (KAZM) previous article, DA + NAP part 2: LAB configuration and overview, where I described the LAB settings used to explain how Microsoft Direct Access and Network Access Protection integration works on Windows Server 2012 R2. You can use the steps below as part of troubleshooting DA with NAP in your environment.

First of all, read this great TechNet article by The Cable Guy on NAP and DA integration:

Let's start! The user got the DA GPOs from the Domain Controller and has now switched to the Internet (External) network. This is how things should work:

  1. When the user was inside the corporate network, he received GPOs telling him to connect to the Direct Access server whenever he is not connected to the corporate network. To confirm being outside, the client should not be able to resolve https://nls.tst.lab . Now the client machine is aware that it is in the External (Internet) network. To confirm that, run “netsh dns show state”:
  2. The client machine tries different transition technologies to set up the Direct Access connection.
    I have disabled IPv6 on the client’s NIC, so 6to4 is not used. Also, in my LAB the client is connected directly to the same network where DA is located, so there is no NAT, which means no Teredo. The client will use the IPHTTPS transition technology, which, simply speaking, packages the data in an HTTPS tunnel. To achieve that, the client has been configured via GPO with the Direct Access IPHTTPS URL to connect to (its SSL certificate had to be issued by a Root/Issuing CA trusted by the client computer; in my case it had been issued by SRVPKI, CN=TST Root CA, which is a trusted Root CA on the client).
  3. Run “ipconfig /all” to see whether IPHTTPS has configured itself with an IPv6 address:
  4. The user should have set up the infrastructure tunnel using the “TST Workstation Authentication” certificate from the “TST Root CA, C=PL” Issuing CA, which had been issued to the workstation through autoenrolment, and the user should be able to access SRVDC (Domain Controller).
  5. In NAP’s GPOs I have set up the Health Registration and Trusted Server Group to point to https://srvnps.tst.lab/domainhra/hcsrvext.dll, so once the NAP client is started, the DA client connects to this URL, creating the management tunnel. With this tunnel, SRVNPS (NPS + HRA) is accessible because it has been added to Management Servers in the Direct Access configuration wizard. The management tunnel is created using the “TST Workstation Authentication” certificate from the “TST Root CA, C=PL” Issuing CA. At this point I am able to access both SRVDC and SRVNPS servers – if you try on your own, do not use the “ping” command, because every server (that has ICMP enabled) will respond – even without the corp/intranet tunnel enabled. Use a share or a website if the server has the IIS role installed.
  6. The user is connected to SRVNPS and sends an SoH (Statement of Health) to the HRA. The HRA sends it internally to the NPS health policy server (in my case it is one and the same server). NPS evaluates whether the client computer matches the System Health Validators. I have set up policies letting every computer in, so every computer is compliant. NPS sends the results to the HRA service. When the client computer is compliant, the HRA, on behalf of the user, enrols a health certificate using my “TST Root CA, C=PL” Issuing CA and the “DA HRA Certificate” health certificate template. The certificate is sent back to the user in the management tunnel. You can confirm this by going to the CA server, opening the CA console and investigating the Issued Certificates container. You can also verify this on the HRA server in the System Event Viewer. Event 22 “The Health Registration Authority has approved the request with the correlation-id-…. The Network Policy Server has indicated that the client should be given full network access” should be there. See figure below:
  7. Now, on the client computer I run the certificate snap-in for the Local Computer store and verify that the client possesses 2 certificates, both issued by “TST Root CA” – THIS IS IMPORTANT!:

    1. Workstation/Computer certificate that had been issued only once through autoenrolment and stays in the certificate store. This one gives the client the Infrastructure and Management tunnels.
    2. System Health Authentication certificate which the HRA enrolled after confirming that the client computer is compliant. This one gives us the Corp/intranet tunnel (to other internal resources, such as SRVFS).
  8. From the client machine I initiate a connection to one of my internal resources: \\srvfs.tst.lab . Access to such resources is possible because the 3rd tunnel – the corp/intranet tunnel – is set up using the health certificate issued through the HRA. There is a very good TechNet article on how to check tunnels on the client: To verify the tunnels I run the “netsh adv mon show mmsa” command, and in the output I can see the computer certificate and the health certificate that is used for UserKerb authentication (connection to \\srvfs.tst.lab) successfully. What is important is that those certificates are confirmed to be Health Certificates, see the figure below:
    The tunnels above can also be confirmed in Windows Firewall Monitoring / Security Associations / Main Mode:
  9. From the Direct Access Remote Client Status console I finally confirm that the client is connected and using User Kerberos as the Authentication Method:

Great! Everything’s working – what’s the problem then? Well, Microsoft in this MSDN article recommends that “(…) For optimal performance, a dedicated standalone subordinate CA should be used to issue health certificates.” The article also guides you on how to configure a Standalone CA, the wait time and the validity period, but there is not a single word on how the new CA should fit into Direct Access with NAP integration.

To my environment I added a standalone CA, and the very interesting results of what happened next are described in my last article: DA + NAP: Potential issue with multiple CAs. Lessons learned.

Direct Access + Network Access Protection – part 2 – LAB configuration and overview

This is the second part of my (Andrzej Kaźmierczak, KAZM) DA + NAP articles. You can read the overview in the first part: DA + NAP part 1: Introduction.

To get better overview and learn how to configure Direct Access with NAP follow those TechNet articles (even though some of them apply to Windows Server 2008 R2):

This is how my LAB is configured (only the main parts of the configuration are described):

To configure my LAB, first of all I installed Direct Access and confirmed that it was working fine without NAP. After that, I added the SRVNPS server and switched DA to integrate with the NAP server.


  • Internal network:
  • External (Internet) network:

Servers and Roles

  • SRVDC (Windows Server 2012 R2) – Domain Controller. FFL, DFL: 2008R2. Domain: tst.lab
  • SRVPKI (Windows Server 2012 R2) – Enterprise Root CA used for issuing certificates for client machines and health certificates. SRVPKI is also used for web enrollment and CDP/AIA paths publishing (*.crt/*.crl). CN=TST Root CA, C=PL. 2 NICs (Internal, External).
    TST Workstation Authentication certificate template for DA with EKU:
      • Client Authentication
      • Server Authentication
    DA HRA Certificate template for NPS statement of health with EKU:
      • Client Authentication
      • System Health Authentication
  • SRVNLS (Windows Server 2012 R2) – Simple HTTPS website acting as NLS: https://nls.tst.lab
  • SRVFS (Windows Server 2012 R2) – File share and HTTPS site used for testing the DA connection: \\srvfs.tst.lab and https://srvfs.tst.lab
  • SRVNPS (Windows Server 2012 R2) – NPS and HRA roles for Direct Access. System Health Validator: the default one, configured to allow any client computer (no firewall, no updates required, etc.). HRA detailed configuration: see below.
  • SRVDA (Windows Server 2012 R2) – Direct Access server, 2 NICs (Internal, External). See detailed configuration below.
  • Client (Windows 7 Enterprise) – Client computer. GPOs forced before switching to the external network. The client machine belongs to the DA_Clients domain group.

Direct Access server has been configured in the following way (if some setting is not mentioned, it has a default value):

  1. Remote Clients
    1. Deployment Scenario
      1. Deploy full Direct Access for client access and remote management – checked
    2. Select Groups
      1. Group: DA_Clients
      2. Enable Direct Access for mobile computers only – disabled (I could not test on client VM if this setting is enabled)
      3. Use force tunneling – enabled (my own requirement, could be disabled)
    3. Network Connectivity Assistant
      1. Allow Direct Access clients to use local name resolution – enabled
  2. Remote Access Setup
    1. Network Topology
      1. Network topology: Edge
      2. DA address:
    2. Network adapters
      1. IPHTTPS is not self-signed (issued by my SRVPKI), CN=
    3. Authentication
      1. As you can see, I have chosen to use TST Root CA and enabled the “Enforce corporate compliance for Direct Access clients with NAP” option, which simply enables NAP integration with DA.
      2. I didn’t choose “Use an intermediate certificate” because in this particular scenario I have a Root CA which issues certificates directly (try not to be confused). In any other well-designed PKI environment, one would use a Subordinate Certification Authority as the Issuing CA, NOT the Root CA itself (this was done here only for LAB purposes and is crucial to understand the issue I’m describing in that article). If you have an offline Root CA and a separate online Issuing CA, you would need to enable the “Use an intermediate certificate” option. Remember, if you do, the Browse button will show you only certificates that are stored in the “Intermediate Certification Authorities” Windows certificate store, not in the “Trusted Root Certification Authorities” store. I also have enabled Windows 7 computers, because this is the OS of my client machine:
  3. Infrastructure Servers
    1. Network Location Server
      1. The network location server is deployed on a remote web server: https://nls.tst.lab
    2. DNS
      1. Default suffixes
      2. Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) – enabled
    3. DNS Suffix Search List
      1. Default settings
    4. Management
      1. Management servers: srvnps.tst.lab (it has to be available in management tunnel for the client to issue a health certificate for the user that will let you access corp/intranet tunnel).
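The wizard settings listed above can be re-read from the server afterwards. The script below is an added example (it is not code from the original article) that compares a DirectAccess server’s effective settings with the lab design above, using the RemoteAccess module that ships with Windows Server 2012 R2. It assumes it is run on SRVDA in an elevated session; the expected values are the ones from the list above, and the property names it checks (ForceTunnel, OnlyRemoteComputers, Downlevel, HealthCheck, IPsecRootCertificate) are assumed to be those reported by Get-DAClient and Get-DAServer, while everything else is matched on the cmdlets’ text output so no further property names have to be guessed.

```powershell
# Added example, not from the original article: read-only comparison of the effective
# DirectAccess configuration with the design described above.
# Assumptions: run on the DA server (SRVDA) elevated; RemoteAccess module available;
# expected values taken from the wizard list above.
Import-Module RemoteAccess

$client = Get-DAClient
$server = Get-DAServer
$mgmt   = Get-DAMgmtServer -Type All | Out-String      # matched on text below
$nls    = Get-DANetworkLocationServer | Out-String     # matched on text below

function New-Check {
    # Returns one row: expected vs. actual, compared as strings
    param([string]$Setting, $Expected, $Actual)
    $status = if ("$Actual" -eq "$Expected") { 'OK' } else { 'MISMATCH' }
    New-Object PSObject -Property @{
        Setting  = $Setting
        Expected = $Expected
        Actual   = $Actual
        Status   = $status
    }
}

$checks = @(
    # Remote Clients / Select Groups (assumed Enabled/Disabled string properties)
    (New-Check 'Force tunneling'                'Enabled'  $client.ForceTunnel),
    (New-Check 'Mobile computers only'          'Disabled' $client.OnlyRemoteComputers),
    (New-Check 'Windows 7 (downlevel) clients'  'Enabled'  $client.Downlevel),
    # Remote Access Setup / Authentication (assumed HealthCheck value 'NAP')
    (New-Check 'NAP health check (compliance)'  'NAP'      $server.HealthCheck),
    (New-Check 'IPsec root CA subject'          'CN=TST Root CA, C=PL' $server.IPsecRootCertificate.Subject),
    # Infrastructure Servers: NPS/HRA reachable through the management tunnel, NLS URL
    (New-Check 'srvnps.tst.lab is a management server' $true ($mgmt -match 'srvnps\.tst\.lab')),
    (New-Check 'NLS URL'                        $true      ($nls  -match 'https://nls\.tst\.lab'))
)

$checks | Format-Table Setting, Expected, Actual, Status -AutoSize
```

A MISMATCH on the NAP health check or on the IPsec root CA subject is the first thing to look at when clients get the infrastructure tunnel but never the corp/intranet tunnel, because those two settings decide which certificate chain the server accepts.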

Health Registration Authority configuration:

  • Added TST Root CA,
  • Enabled to use DA HRA Certificate template (duplicated and configured manually on SRVPKI)

The setup is done (only the major parts of it are described above). You can now go to the next article: DA + NAP part 3: Single CA work flows explanation

Direct Access + Network Access Protection – part 1 – Introduction

Hi, Andrzej Kaźmierczak (KAZM) here. Recently I’ve been doing some deep-dive troubleshooting of two amazing technologies working together: Microsoft Direct Access and Network Access Protection. There is one thing I want to share about the design of Certification Authorities for such an implementation, and a little bit about how to troubleshoot the Direct Access client connection.

A few important words on those two technologies:

A really, really good overview of Direct Access can be found in Tim Warner’s YouTube CBT Nuggets

Let me share what this series of articles is all about. It is divided into 4 sections:

  1. DA + NAP part 1: Introduction
    This introduction.
  2. DA + NAP part 2: LAB configuration and overview
    I give a quick overview of my Direct Access and NAP settings and the general configuration of the LAB setup, which is the core for the further certificate issue investigation.
  3. DA + NAP part 3: Single CA work flows explanation
    In this section I guide you through the step-by-step process happening under the hood when a user gets access to internal resources using Direct Access with NAP policies. This scenario works fine as long as you use a single CA.
  4. DA + NAP part 4: Potential issue with multiple CAs. Lessons learned.
    The last section describes what the problem was when having different CAs and what the right design is for such scenarios.



TL;DR version: What happened was that the client didn’t show any error at all, had all required certificates (computer and health) issued, but couldn’t set up the corp/intranet tunnel to internal resources with the Direct Access client. There was no indication of any kind of error on the PKI, NPS/HRA, DA or client machine side. At the end of the day it turned out it’s always about certificates. You can’t have 2 separate CAs, one for issuing machine certificates (enterprise CA with auto enrollment) and a separate CA for Health certificates (standalone CA), UNLESS THEY SHARE A COMMON ROOT CA. If they both are subordinate CAs to the same Root CA – that’s fine, but if they are separate machines and have nothing in common, it is impossible to set up DA with NAP to utilize those two.
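Both the step-7 check in part 3 (two certificates from “TST Root CA”, one workstation and one System Health Authentication) and the TL;DR above (both must chain to a common root) can be verified on the client in one go. The script below is an added example, not code from the original articles; it assumes the issuer CN “TST Root CA” from the lab and an elevated PowerShell session on the DirectAccess client. The EKU object identifiers are the standard ones (Client Authentication 1.3.6.1.5.5.7.3.2, System Health Authentication 1.3.6.1.4.1.311.47.1.1), not lab-specific values.

```powershell
# Added example, not from the original articles: inspect the Local Computer store of a
# DirectAccess client, find the workstation and health certificates issued by the lab CA,
# and verify that every such certificate chains to the same root CA.
# Assumption: issuer CN 'TST Root CA' (lab value); run elevated on the DA client.

$IssuerCN = 'TST Root CA'

# Standard EKU OIDs (not lab-specific)
$OidClientAuth   = '1.3.6.1.5.5.7.3.2'
$OidSystemHealth = '1.3.6.1.4.1.311.47.1.1'

function Test-CertEku {
    # True when the certificate's EKU extension contains the given OID
    param($Cert, [string]$Oid)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $Oid) { return $true }
            }
        }
    }
    return $false
}

function Get-ChainRootThumbprint {
    # Builds the chain and returns the thumbprint of its root element (null if untrusted)
    param($Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # revocation is enforced by IPsec/HRA at run time; here only the chain shape matters
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) { return $null }
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

function Test-DaClientCertificates {
    param([string]$Issuer)
    $now = Get-Date
    # only currently valid certificates with a private key count for IPsec
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match "CN=$Issuer" -and $_.HasPrivateKey -and $_.NotAfter -gt $now })

    $workstation = @($candidates | Where-Object { (Test-CertEku $_ $OidClientAuth) -and -not (Test-CertEku $_ $OidSystemHealth) })
    $health      = @($candidates | Where-Object { Test-CertEku $_ $OidSystemHealth })

    foreach ($c in $candidates) {
        New-Object PSObject -Property @{
            Subject      = $c.Subject
            Thumbprint   = $c.Thumbprint
            NotAfter     = $c.NotAfter
            SystemHealth = (Test-CertEku $c $OidSystemHealth)
            ChainRoot    = (Get-ChainRootThumbprint $c)
        }
    }

    if ($workstation.Count -eq 0) { Write-Warning 'No valid workstation (Client Authentication) certificate: infrastructure and management tunnels will fail.' }
    if ($health.Count -eq 0)      { Write-Warning 'No valid System Health Authentication certificate: the corp/intranet tunnel will fail.' }

    $roots = @($candidates | ForEach-Object { Get-ChainRootThumbprint $_ } | Where-Object { $_ } | Sort-Object -Unique)
    if ($roots.Count -gt 1) {
        Write-Warning "Certificates chain to $($roots.Count) different root CAs; DA with NAP needs a common root."
    } elseif ($roots.Count -eq 1 -and $workstation.Count -gt 0 -and $health.Count -gt 0) {
        Write-Host 'OK: workstation and health certificates present and chained to the same root CA.'
    }
}

Test-DaClientCertificates -Issuer $IssuerCN | Format-Table Subject, SystemHealth, NotAfter, ChainRoot -AutoSize
```

Run it before and after the HRA has issued the health certificate: on a healthy client the table shows one row with SystemHealth False (the autoenrolled workstation certificate) and one with SystemHealth True, and both rows carry the same ChainRoot thumbprint. Two different ChainRoot values with no other error is exactly the silent failure described in the TL;DR.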

Security Issue – Yammer Account Details Unauthorized Change

Hi, Andrzej (KAZM) here.

While testing Yammer with DSync I found a security issue that let anyone change any other user’s Yammer account details in an unauthorized way, knowing only that user’s e-mail. In a few words: you could change the details of anyone’s Yammer account, including Name and GivenName, without authorization.

NOTE: Issue has already been fixed/patched and below I am demonstrating Proof of Concept of the way someone could exploit this security gap.

Products that were affected: Yammer Enterprise DSync.

Problem description

The scenario begins when I create a user in Active Directory with Name=New_Name, GivenName=New_GN, Description=My_new_description, Work phone=123456 and (IMPORTANT) with the E-mail attribute set to the email of a real user (who already has and uses a Yammer account). This email can be in any domain (e.g., let’s say I use my Predica email: akazmierczak [at]

During DSync synchronization, details such as Name, GivenName, Description and Work number of that real user (my account) are OVERWRITTEN in Yammer to reflect the details provided in the account created in Active Directory. I must mention here that I AM NOT an administrator of the Yammer Network and I do not need to know the user’s password.

After synchronization is complete, the user akazmierczak [at] receives a welcome email inviting him to join the Yammer Network, but his Yammer account details have already been changed to match the Active Directory user’s details. So instead of the “Andrzej Kaźmierczak” account, one can see “New_Name New_GN” on all my Yammer networks! Moreover, the details of my account will include the things configured in Active Directory (My_new_description, and Work Phone as “123456”).

It also means that the user’s account and all of his history of posts, comments, likes, etc. will suddenly be seen on all users’ Yammer networks as “New_Name New_GN”.

Environment details


  • Yammer Enterprise is enabled in Office365 tenant
  • Domains
    • (domain added and verified)
  • Accounts
    • is a global admin in O365 and also a Verified admin in Yammer. This account is also used by DSync

Domain Controller VM

  • OS: Windows Server 2012 R2
  • FFL, DFL: Windows 2008 R2

YammerSync VM

  • OS: Windows Server 2008 R2
  • Dsync Configuration
    • version: Yammer.DirSync_v3-0-8
    • Yammer Settings
      • Logged in as account in domain
    • Directory Settings
      • Only 1 Directory Connection to DC
      • Using dedicated yammerservice service account created in Active Directory
    • globalsettings.config.json File Settings
      • Queries Section left unchanged with attribute (“Filter”: “mail=*”, )
      • DirectoryAttributeMap Section left unchanged with default mapping settings
      • SyncSettings Section left unchanged with attributes (EnableAdds, EnableUpdates, EnableSuspends) set to “true”
      • AttributePreferences Section changed, so that all attributes (Prefer*) are set to “true”
      • Other settings left default/unchanged

All servers are patched up to 01.03.2014
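The root of the problem above is an AD object whose mail attribute points at somebody else’s mailbox, and the DSync query filter “mail=*” listed in the environment details is exactly the scope in which such an object gets picked up. The script below is an added example for the defender’s side, not code from the post or from the DSync tool: it audits the user objects that match that filter and reports mail values that are duplicated across accounts or that belong to a domain outside the organisation’s own domains. The allow-list `$OwnedDomains` is a constructed placeholder; the RSAT ActiveDirectory module is optional, and when it is absent the script runs on constructed sample objects so the logic can be exercised offline.

```powershell
# Added example, not from the original post: audit the AD user objects DSync selects with
# its default filter (mail=*) for duplicated or foreign-domain mail attributes.
# Assumptions: $OwnedDomains is a constructed allow-list (replace with your verified domains);
# the sample objects in the else-branch are constructed data, not real accounts.

$OwnedDomains = @('tst.lab')   # constructed placeholder, not from the post

function Get-MailDomain {
    # Domain part of an SMTP address, lower-cased; empty when there is no '@'
    param([string]$Mail)
    if ($Mail -notmatch '@') { return '' }
    return ($Mail.Split('@')[-1]).ToLowerInvariant()
}

function Find-SuspiciousMail {
    # $Accounts: objects with SamAccountName, mail and whenCreated (the Get-ADUser shape)
    param($Accounts, [string[]]$Owned)
    $findings = @()
    $byMail = @{}
    foreach ($a in $Accounts) {
        if (-not $a.mail) { continue }
        $key = $a.mail.ToLowerInvariant()
        if (-not $byMail.ContainsKey($key)) { $byMail[$key] = @() }
        $byMail[$key] += $a
    }
    foreach ($key in $byMail.Keys) {
        $group  = $byMail[$key]
        $domain = Get-MailDomain $key
        if ($Owned -notcontains $domain) {
            # a mail address in a domain the organisation does not own
            foreach ($a in $group) {
                $findings += New-Object PSObject -Property @{
                    Issue = 'ExternalDomain'; Account = $a.SamAccountName; Mail = $key; Created = $a.whenCreated }
            }
        }
        if ($group.Count -gt 1) {
            # the same mail on several accounts: report the most recently created one,
            # which is the one that would overwrite the established user's details
            $newest = $group | Sort-Object whenCreated -Descending | Select-Object -First 1
            $findings += New-Object PSObject -Property @{
                Issue = 'DuplicateMail'; Account = $newest.SamAccountName; Mail = $key; Created = $newest.whenCreated }
        }
    }
    return $findings
}

$accounts = if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    # same scope DSync uses: every user object that has a mail attribute
    Get-ADUser -LDAPFilter '(mail=*)' -Properties mail, whenCreated
} else {
    # constructed sample data so the check can be exercised without a domain
    $now = Get-Date
    @(
        (New-Object PSObject -Property @{ SamAccountName = 'akazm';    mail = 'akazm@tst.lab';   whenCreated = $now.AddYears(-2) }),
        (New-Object PSObject -Property @{ SamAccountName = 'new_user'; mail = 'akazm@tst.lab';   whenCreated = $now.AddDays(-1) }),
        (New-Object PSObject -Property @{ SamAccountName = 'svc_test'; mail = 'svc@example.org'; whenCreated = $now.AddDays(-3) })
    )
}

Find-SuspiciousMail -Accounts $accounts -Owned $OwnedDomains | Format-Table Issue, Account, Mail, Created -AutoSize
```

On the constructed sample this reports `new_user` as a DuplicateMail finding and `svc_test` as an ExternalDomain finding. Active Directory does not record who created an object, so to attribute a finding to a person, correlate the Created timestamp with Security event 4720 (“A user account was created”) on the domain controllers.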

Video with PoC

The issue has been reported to Microsoft:

  • 02.03.2014 Ticket #114030211227295 (Microsoft USA support)
  • 02.03.2014 Microsoft performed a call with me with a long discussion explaining the problem and the steps to reproduce. I was advised to send some screenshots, video or links, so Microsoft could further investigate the issue
  • 03.03.2014 The same video as above was uploaded to Microsoft DTM and informed Microsoft Support
  • 23.04.2014 Microsoft informed me that issue was fixed
  • 24.04.2014 Tried to reproduce bug but it is fixed now:


Directory Sync and Password Sync Cookbook – part 7 – Important FAQ

Hi, Andrzej (KAZM) again 😉 … with the 7th part of Directory Sync and Password Sync – YES, this is the final one! 😀

  1. Directory Sync and Password Sync Cookbook – part 1 – Overview and SSO Decisions
  2. Directory Sync and Password Sync Cookbook – part 2 – Preparation
  3. Directory Sync and Password Sync Cookbook – part 3 – UPN Sync Scenarios
  4. Directory Sync and Password Sync Cookbook – part 4 – Installation
  5. Directory Sync and Password Sync Cookbook – part 5 – Configuration and Operations
  6. Directory Sync and Password Sync Cookbook – part 6 – Troubleshooting
  7. Directory Sync and Password Sync Cookbook – part 7 – Important FAQ
  • In this article you use commands like “Set-MsolUserPrincipalName -UserPrincipalName oldUPN -NewUserPrincipalName newUPN” but it is not working for me. What is wrong?
    • To be able to run this and similar commands you need to connect to Windows Azure Active Directory through PowerShell:
      • Run PowerShell,
      • Execute Import-Module MSOnline,
      • Execute $AdminCredentials = Get-Credential,
      • Type in your O365 Administrator credentials,
      • Run Connect-MsolService -Credential $AdminCredentials (the variable name must match the one you assigned above),
      • And now you can run the required command.
  • How can I add Alternative UPN Suffixes to my AD?
  • Is there any way I can install DirSync using my own SQL servers (I have high availability for databases, less SQL limitations and other cool features)?
  • Which users will be synchronized with DirSync?
    • DirSync does not synchronize accounts with the “User must change password at next logon” option enabled,
    • DirSync will not sync passwords for users that are federated entities (their UPN has a public domain which is added and verified in O365 and converted to federated). Users can only be either SSO-enabled or Password Sync,
    • DirSync will sync all users from the domain (unless OU/attribute filtering is configured).
  • What is MSOL_AD_SYNC account?
    • This account has read and synchronization permissions to the Active Directory and is used for noticing password changes in your domain.
    • You should not change the password of that MSOL_AD_SYNC service account.
    • Important! If you force password changes (for example with a GPO) and MSOL_AD_SYNC account gets its password changed, you must run the Directory Sync Configuration Wizard again.
  • I have a different Password Complexity Policies in AD than in O365. Which one will be used?
    • Active Directory Password Complexity policy will override O365 password complexity policy.
  • After implementing DirSync what happens to current users that had been already created directly in the cloud?
    • Users created and managed in the cloud keep their cloud (not synchronized) password, are subject to the cloud password complexity policy and will not be synchronized.
  • What is the default time of synchronization?
    • DirSync synchronizes users every 3 hours, Password Sync synchronizes password hashes every 3 minutes.
  • After 90 days users stopped synchronizing. What happened?
    • The password of the Office 365 Global Administrator account you used for configuring the DirSync tool has expired. Please refer to the Preparation and then the Troubleshooting part of this article on how to fix this.
  • Start-OnlineCoexistenceSync command doesn’t return anything in the Powershell session. Is that normal, is my synchronization working?
    • Yes, this is normal. If you see no errors, then probably everything is fine and miisclient starts running Management Agents.
  • What happens if the user is blocked or deleted in AD?
    • When the user is blocked or deleted in AD, after DirSync sync he/she is also blocked or deleted in O365.
  • Users with expired passwords in AD may be able to still login to O365 with old (expired) password. Why is this happening?
    • After account is synced to O365, its password is set to “never expire” and is synchronized only when the user changes password in AD. So if password expires in AD, but user doesn’t change it, it is still valid in O365.
  • Can I change passwords manually for users in Office 365? How?
    • If the user/administrator changes his/her password in the cloud, it will NOT be overwritten after the next Password Sync run (3 minutes). The password will only be changed after you run a manual full password sync (Set-FullPasswordSync command and FIM Synchronization Service restart) or after the user changes the password in AD.
    • To change a password in Office 365 manually, run the PowerShell command Set-MsolUserPassword -UserPrincipalName <UserPrincipalName> -ForceChangePassword $false -NewPassword “NewSecurePasswordHere” (replace <UserPrincipalName> with the user’s UPN).
  • Is there any changelog or version release history for DirSync?
  • Is there any information on what attributes are synced by DirSync?

I hope you have enjoyed my cookbook :)

Best regards,

Andrzej (KAZM)

Directory Sync and Password Sync Cookbook – part 6 – Troubleshooting

Hi, Andrzej (KAZM) again 😉 … with the 6th part of Directory Sync and Password Sync.

  1. Directory Sync and Password Sync Cookbook – part 1 – Overview and SSO Decisions
  2. Directory Sync and Password Sync Cookbook – part 2 – Preparation
  3. Directory Sync and Password Sync Cookbook – part 3 – UPN Sync Scenarios
  4. Directory Sync and Password Sync Cookbook – part 4 – Installation
  5. Directory Sync and Password Sync Cookbook – part 5 – Configuration and Operations
  6. Directory Sync and Password Sync Cookbook – part 6 – Troubleshooting
  7. Directory Sync and Password Sync Cookbook – part 7 – Important FAQ
  • General advice
  • IdFix
    • When you run IdFix, “Format” is displayed in the Error column for many objects. Solution: This issue occurs if the email address of the object is not a valid, publicly routed email address. If you are not planning to change AD suffixes, you can ignore it.
  • DirSync/Password Sync
    • During installation
      • “Exception has been thrown by the target of an invocation”. Solution: add the MSOL_AD_SYNC domain account indicated in Event Viewer to the local Administrators group of the DirSync server and retry.
    • During synchronization
      • “Missing-partition-for-run-step” when OU filtering is used for DirSync. Solution: if you have many child domains in your forest and you don’t want to synchronize from some of them, so you just uncheck those domains, you will get this error. At least one OU in each domain must be checked for sync, so to avoid this error just create an empty OU in each domain and then, in the filtering options, select this OU only (no users will be synced),
      • “Stopped-extension-dll-exception” during the Windows Azure Active Directory Connector, Delta Import Delta Sync step in miisclient.exe. Solution: You have to change the password of the Office 365 account that was used to configure DirSync (it has expired). After changing that password in Office 365, set this account to have a never-expiring password (please refer to the Preparation part of my article), run the Directory Sync Configuration Wizard on the desktop of the DirSync server, provide the new credentials of the Administrator account and then restart the FIM Sync Service. With this error you can also get the following entries in Event Viewer:
        • Event ID 0. The user name or password is incorrect. Verify your user name, and then type your password again GetAuthState() failed with -214718668 state. HResult:0. C(0x80048821)
        • Event ID 109. Failure while importing entries from Windows Azure Active Directory. Exception: Microsoft.oOnline.Coexistence.ProvisionException: The user name or password is incorrect. Verify your user name, and then type your password again.
        • Event ID 6803. The management agent “Windows Azure Active Directory Connector” failed on run profile “Delta Import Delta Sync” because the server encountered errors.