UDM: Conditional Access – Saving of Access Rules to Exchange has failed (error: A2CE0100)

March 29, 2015

A few days ago we were working on extending our hybrid demo environment. We made some changes required to demonstrate conditional access with Exchange Online. Details on how we set things up will follow shortly in another post.

Once the basics were in place we implemented a policy that would block a user from accessing their mailbox when using an unmanaged device.

The policy was properly deployed to a collection which included my demo user, however I noticed my demo user could still sync his mail on an iPhone 5 which was not enrolled. Even after an hour or two this condition remained unchanged so something was wrong.

Initial investigation did not show anything out of the ordinary in the Configuration Manager console. However in the Intune console I noticed an entry in the Alerts node:

Saving of Access Rules to Exchange has failed


Microsoft Intune was unable to set the requested mobile device access rules or related settings in Exchange due to the following error: A2CE0100

Unfortunately the “View Troubleshooting Information” link is broken. So is the one on the top right in the console and the right-click one. As such it was hard to find any further details on this specific error.

I made a few attempts to get things working, including the following:
- Modifying the compliance policy (increasing the revision number)
- Removing and adding the user from and to the target collection
- Removing and recreating the deployment of the compliance policy

I can confirm none of the above resolves the issue. The policy still did not get applied.

In the end, to get things working again, what I had to do was delete the compliance policy, recreate it from scratch, and deploy it again.

When synching mail on the iPhone 5 a few minutes later, the policy kicked in.

Although the problem was solved and we now have a working demo scenario, in the end I have no idea what went wrong initially and how I could have troubleshot this in a more optimized way. Whatever it was, it does not seem to resolve itself. Also, the repeat count of the alert not increasing indicates the system itself does not do any retries.

I definitely see a few areas for improvement here:

  • Fixing the link to the troubleshooting information so the admin can troubleshoot properly and in the most optimized way.
  • Exposing Intune alerts to the Configuration Manager Console so the admin does not have to look in multiple locations.
  • Having the system retry the action “Saving of Access Rules” at least a few times. In case the alert repeat counter increases the admin can further look into a blocking issue. Otherwise there may have just been a glitch and the issue would have resolved itself.

If you are ever facing the same issue, I hope this article will save you some troubleshooting time!

Tim

Microsoft Intune: March updates quick overview

March 6, 2015

As announced previously Microsoft is planning to release updates to Intune on a monthly basis. The service update for March is ongoing as we speak and will include the following new features for Intune standalone:

  • Ability to streamline the enrollment of iOS devices purchased directly from Apple or an authorized reseller with the Device Enrollment Program (DEP)
  • Ability to restrict access to SharePoint Online and OneDrive for Business based upon device enrollment and compliance policies
  • Management of OneDrive apps for iOS and Android devices
  • Ability to deploy .appx files to Windows Phone 8.1 devices
  • Ability to restrict the number of devices a user can enroll in Intune

For hybrid customers (UDM) there is also a new feature:

  • The ability to create custom WiFi profiles with pre-shared keys (PSK) for Android devices

Unfortunately still a rather unfair balance for those working with a hybrid setup, although in the original announcement Microsoft is indicating that delivering new features for those hybrid customers remains a top priority as well.

More details on the Microsoft Intune blog.

Until next time.

Tim

UDM with ConfigMgr and Intune – why CU’s Matter

February 27, 2015

When delivering sessions on Unified Device Management (UDM) with Configuration Manager and Intune we have always stressed the fact that running on the latest CU level is really important. If you attended our most recent session in Zurich you may recall the following slide header:

A post that was published on the Configuration Manager Team Blog yesterday now gives a perfect overview on why those CU’s matter: as of CU2 there were a lot of fixes and improvements included related specifically to Mobile Device Management.

First there was CU2, which included fixes and improvements related to policies. CU3 included Simple Certificate Enrollment Protocol (SCEP) related fixes, and the latest CU4 addressed the following:

  • Attempts to enroll a device in a user collection containing security groups will fail with an access denied error.
  • Inventory data collected from mobile devices and the Windows Intune connector may be for the wrong device if two devices synchronize simultaneously.
  • Hotfix extends client notification in System Center 2012 R2 Configuration Manager to MDM devices http://support2.microsoft.com/kb/2990658
  • Mobile Device Management settings are not applied to cloud-managed users in System Center 2012 R2 Configuration Manager http://support2.microsoft.com/kb/3002291

For a full history and overview of what was included in which CU have a look at the original post. Remember that these updates are cumulative so installing CU4 is sufficient as it includes everything from previous releases.

So our recommendation remains: apply the latest available Cumulative Update to your Configuration Manager environment as soon as possible!

Until next time!

Tim

Microsoft Intune: February update introduces more new features

February 6, 2015

The February update for Microsoft Intune just got announced on the Microsoft Intune blog. It will be released between February 6th (today!) and February 11th. You can check the status page for more specific timeframes here.

This update will include the following new features for Intune standalone:

  • Management of Office mobile apps (Word, Excel, and PowerPoint) for Android devices, including ability to restrict actions such as copy, cut, and paste outside of the managed app ecosystem.
  • Management of the OneNote app for iOS devices.
  • Ability to browse and install apps on Windows Phone 8.1 devices using Intune Company Portal website.
  • Deployment of WiFi profiles for Windows devices using XML import and Windows Phone devices using OMA-URI.
  • Support for Cisco AnyConnect per-app VPN configurations for iOS devices.
  • Ability to require encryption on Windows 8.1 (x86) devices.
  • Ability to set minimum classification of platform updates to be installed automatically on Windows 8.1 (x86) devices.

As part of the announcement Microsoft is also mentioning a more frequent release cadence: in the future they will be releasing new features to Intune on a monthly basis.

Have a nice weekend!

Tim

Implementing Configuration Manager 2012 R2 Cumulative Update 4

February 4, 2015

Earlier on I installed the newly released Cumulative Update 4 for Configuration Manager 2012 R2 in my lab. This blog post outlines the steps done during this implementation and can be used as a step-by-step guide.

First step is to get the sources for the CU here. The KB article also gives a full overview of the fixes and improvements in this update. As the name indicates, this update also contains all elements fixed or added in one of the previously released CU’s.

Note that this update is only applicable to Configuration Manager 2012 R2 – if you are currently still running Configuration Manager 2012 SP1 the latest available cumulative update is CU5.

The CU is applicable directly to the following components:

  • CAS
  • Primary Sites (standalone or in a hierarchy)
  • Secondary Sites
  • SMS Provider(s)
  • Console(s)

Additionally it contains updates for the following components:

  • CAS
  • Primary Sites
  • Secondary Sites
  • SMS Provider(s)
  • Consoles
  • Clients

The lab we are upgrading does not contain all the components listed above: a CAS and Secondary Site(s) are not present.

Primary site

Cumulative Updates for Configuration Manager are implemented top-down so we start with the site server of the standalone primary site. Before running the installer with elevated privileges, ensure there are no more console connections.

The installation wizard kicks off.

On the welcome screen, click Next.

Accept the License Agreement and click Next.

Verify the prerequisite checks and click Next.

Leave the option to update the locally installed console.

Leave the option to update the site database and click Next.

During the setup process we can opt to create packages to support updating other components in the infrastructure. Leave the options to have these packages created and click Next.

Leave the default settings for the servers package and click Next.

Leave the default settings for the console package and click Next.

Leave the default settings for both the x86 and x64 client package and click Next.

Review the setup summary and click Install when ready.

Progress is shown for each action.

Install completed! Click Finish to close the wizard.

Notice the mention that a reboot is required.

If you are interested in the more technical details about the installation and would like to see what is happening behind the scenes, have a look at the log file cm12-r2cu4-kb3026739-x64-enu.log located in the %windir%\temp folder.

After the installation you can do a few verification checks to see if the CU got implemented.

First one is to look for the following entries in Programs & Features > View Installed Updates.

Second one would be to look in the registry in HKLM\Software\Microsoft\SMS\Setup

And lastly you can also check the version in the console (see About Configuration Manager):

As we opted to have some packages created to support implementing the CU in our environment these should now also be visible in the console. Go to the software library and select packages. Select the Configuration Manager Updates folder and then type CU4 in the search box to quickly locate those packages.

Important: Do not forget to distribute the content of these packages to your Distribution Points!

Important (2): Do not forget to update your boot images. This can be done by selecting a boot image, right-clicking it and then selecting the action to Update Distribution Points.

Secondary Sites

If there are any Secondary Sites in your environment the next step is to implement the CU on those sites. The server update package can be used to automate this. To target the site servers a collection can be built which is populated based on the following query:

    • select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
      SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "System Center 2012 R2 Configuration Manager Secondary Site Setup"

Consoles

As part of the implementation process on the site server the locally installed console was updated. Any remaining remote consoles in the environment can be updated using the console upgrade package.

To build a collection containing the machines with the console installed the following query could be used:

  • select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "System Center 2012 R2 Configuration Manager Console"

Clients

Last but not least we also need to get the CU installed on our clients. There are multiple approaches to accomplish this; one method could be to deploy the client update packages created automatically during the implementation process.

As there is a package per processor architecture we will also create matching collections to target our deployments. This is an example query for a collection containing all 64-bit clients with a client version not equal to CU4:

  • select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
    SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_R_System.ClientVersion != "5.00.7958.1501" and SMS_G_System_SYSTEM.SystemType = "X64-based PC"

The query for the collection with 32-bit clients is identical; just replace “X64-based PC” with “X86-based PC”.
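
The two client collections described above can also be created from a script. This is an added example, not part of the original post; it uses the ConfigurationManager PowerShell module that ships with the console, and the site code PS1, the collection and rule names, the limiting collection "All Systems" and the daily refresh schedule are assumptions.

```powershell
# Added example: one device collection per processor architecture for
# clients that are not on the CU4 client version.
# Assumptions: site code, collection/rule names, limiting collection, schedule.
$SiteCode   = 'PS1'               # assumed site code, replace with your own
$CU4Version = '5.00.7958.1501'    # CU4 client version from the query in the post

# Load the module installed with the console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "${SiteCode}:"

# WQL from the post; {0} = client version, {1} = SystemType value.
$QueryTemplate = @'
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM
on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_R_System.ClientVersion != "{0}"
and SMS_G_System_SYSTEM.SystemType = "{1}"
'@

# Re-evaluate membership once a day so updated clients drop out.
$Schedule = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1

foreach ($Arch in 'X64', 'X86') {
    $Name  = "CU4 - Clients to update ($Arch)"      # assumed naming
    $Query = $QueryTemplate -f $CU4Version, "$Arch-based PC"

    # Create the collection and its rule only once, so a second run
    # does not fail on an existing name or add a duplicate rule.
    if (-not (Get-CMDeviceCollection -Name $Name)) {
        New-CMDeviceCollection -Name $Name `
            -LimitingCollectionName 'All Systems' `
            -RefreshType Periodic -RefreshSchedule $Schedule | Out-Null

        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name `
            -RuleName "Client version not CU4 ($Arch)" `
            -QueryExpression $Query
    }
}
```

Because the query tests for inequality, clients on any later client version also match it, so these collections should be retired or updated once a newer cumulative update is deployed.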

A client with CU4 installed will display the following version in its properties:

Version numbers for some of the components are also updated:

As you can see the experience for implementing this CU is pretty straightforward and identical to the previously released CU’s.

Until next time!

Tim

Cumulative Update 4 for System Center 2012 R2 Configuration Manager released!

February 3, 2015

Microsoft has released Cumulative Update 4 for System Center 2012 R2 Configuration Manager.

This CU includes a large list of fixes for various issues. Details on those fixes and information on added functionality can be found in KB3026739.

PowerShell changes are documented in a separate KB article, KB3031717. Additionally the update includes performance optimizations for data replication, an Endpoint Protection platform update (KB2998627) and OS support for Mac OS X 10.10 and SUSE Linux Enterprise Server 12.

A few interesting reads about this CU which were published earlier today:

Until next time!

Tim

Outlook for iOS badge count not showing

February 2, 2015

Earlier this week Microsoft released the Outlook for iOS application. I have been using the application for the past few days and I personally find it a major improvement compared to the default mail application.

One thing I noticed straight away was that the badge counter indicating the number of unread emails did not display for the Outlook application. The counter did work fine for my old email app. As I am not using any other notifications (sound or display) for email I found this is a feature I quite heavily rely on when quickly checking for new mails. I needed to get this resolved.

The first step I took for troubleshooting was to check the settings menu in the application to see if anything was hinting toward this option. There is a badge count setting, but other than switching between the Focused and All inboxes there are no other options to set.

When digging further into this I found that the key to solve this problem is in the notification settings for the application (in the general phone settings). Here I had to enable the Allow Notifications option first to reveal further options. The badge app icon is the one that I needed to enable.

The immediate result:

Simple fix for a simple issue. Why the Allow Notifications setting was disabled by default remains an unanswered question. A few of my friends installed the application as well and for them the badge count was enabled immediately.

I hope this may help you save some troubleshooting time in case you are also missing the badge count on your Outlook for iOS application.

Until next time!

Tim
