#7 Troubleshoot: OpsMgr VBScript error event ID 21405

At the moment I’m working with OpsMgr 2007 R2 at a customer here in the Netherlands. It was time to troubleshoot the VBScript and PowerShell scripts error or exited codes 🙂  We are monitoring over 600 servers per environment(we got 4) (Windows and Linux) and so often I see some script errors from the Base OS management pack or SQL management pack.There is a view for these events. This view is located in the folder Operations Manager\PowerShell Scripts or Script and Executable Responses.

I had one server that couldn’t run VBscripts for monitoring free space and network bandwidth. I saw this event in the eventlog and in the view.

The process started at 8:55:01 failed to create System.PropertyBagData, no errors detected in the output. The process exited with 1

Command executed: “C:\Windows\system32\cscript.exe” /nologo “Microsoft.Windows.Server.FreeSpace.vbs” HOSTNAME false 500 10 300 5 2000 10 1000 5
Working Directory: D:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 33\136046\

One or more workflows were affected by this.

Workflow name: Microsoft.Windows.Server.2008.LogicalDisk.FreeSpace
Instance name: C:
Instance ID: {946C9D1C-AEAA-3B75-B442-D16701AC4B11}
Management group: MG1

This server has 3 logical disks, C:, D: and E: and for both I got this warning. So for these logical disks the monitoring doesn’t not work properly.

What I did to troubleshoot this warning was; First I copied the vbs file from the Health Service State in the root directory of the SCOM agent. Mostly in C:\Program Files\System Center Operations Manager 2007\Health Service State\ The best way is searching on the name of the vbs file in that directory After that I pasted the file into a temp directory and opened the command prompt.  I tried to run the vbs file and got this message.

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Input Error: There is no script engine for file extension “.vbs”.

Ok, this is odd, because there are more VBScripts that are running for monitoring, but I got especially from freespace en networkbandwidth. So, now I have to troubleshoot this warning because they are, of course, related 😉 I tried to associate the .vbs extension via assoc.vbs, but that didn’t help. I got still the same message after running the vbs file.  So, I had to search on Google and I found this blog; http://jamesmcdonald.id.au/it-tips/input-error-there-is-no-script-engine-for-file-extension-vbs

The problem was; the server was missing the registry key ScriptEngine. After adding the key and edit the default string, I ran the VBscript again. As result I didn’t get the same error message but another message that I’m not using the arguments correctly. This is good and means that the vbs is associated with the script engine again.. 🙂

The server must have these keys and strings in the registry to associate the .vbs extension.

Windows Registry Editor Version 5.00




That’s all folks.. Good luck!



#6 Troubleshoot: Workplace Join Discovery Failed – error: 0x80072F19

If you get this message when you tried to join the device into a Workplace.

The eventlog (Applications and Services\Microsoft\Windows\Workplace Join\Admin) has logged this message; event id 102 Workplace Join? You might be having problems with your certificate. There is a workaround for this problem.

Open Internet Explorer and go to Internet Settings. Open tab Advanced and scroll down until you see Security. Find Check for Server certificate revocation  and deselect his one.

NOTE: do not try this in a production environment. This is an import security option that must be on in a production environment.

Click Ok and close Internet Explorer. Try it again. Now you have joined the Workplace without an error.

Windows Intune – How to enroll a Windows Device and deploy a Windows App

It has been a long time that I have worked with Windows Intune. The most recently blog was about Windows Intune this year in January. I had a day off today. That means for me, it’s time for Intune! I was curious about Direct Management, Deploying Windows Apps to a Windows Device and how to register an Android mobile device via Company Portal. So, I begun with Windows Device enrollment, Windows App deploying and Direct Management.

First you have to know about sideloading and deploying Windows App to different versions of Windows 8.1. There are different ways to deploy or install a Windows app. You can use the Windows Store or, you can use a deployment tool like; ConfigMgr, MDT or Windows Intune. Apps which are available in the Windows App Store are automatically signed and validated as trusted by Microsoft and can be deployed by Windows Intune directly out the Windows Store to the devices. When you have to distribute a business-line(LOB) app directly to a user without using the Windows Store, you have to sideload the app. Sideloading means bypass the validation and signing requirements of the Windows Store and makes you responsible for validating and singing them. You cannot sideload an app that has been downloaded from the Windows Store. Due the corporate policy it’s duly that the company doesn’t want to make there LOB apps available in the Windows Store. For them is sideloading the only option to deploy Windows Store apps. Also, they will be responsible for app updates to users. For sideloading you have to use sideload keys. They are available at Microsoft Volume Licensing. More information about sideloading, check this url: http://technet.microsoft.com/en-us/library/dn613831.aspx

Which versions must be sideloading the apps?

NOTE: Unfortunately, I can’t test sideloading. I don’t have the keys for sideloading. Because of that, I could test only a Windows 8.1 Enterprise Update 1 domain joined.

NOTE: Follow this blog if you don’t have a Windows Store App. https://albertneef.wordpress.com/2014/05/07/create-a-windows-store-app/

UPDATE: Microsoft has changed its Sideloading process for all Windows 8.1 devices.  For Windows Phone 8.1 you can download the .XAP from the Windows Store and put it on your external disk of your mobile device. From the external memory/disk you can install the app. This is also available(via PowerShell, SCCM or Windows Intune) if your Windows 8.1 Pro and Enterprise are domain joined. For devices which are not domain joined (like Windows RT) you have to use Sideloading activation keys. Obtain a Sideloading activation key, see the this site Windows 8 Volume Licensing Guide.  Read more about this process at Technet: http://technet.microsoft.com/en-us/library/dn613831.aspx How to use Sideloading Product Activation Key, see this website: http://technet.microsoft.com/en-us/library/dn613835.aspx


Let’s begin with a group policy. We have to enable Allow all trusted app to install in Computer Configuration -> Administrative Templates -> Windows Components -> App Package Deployment or you can change this registry HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1.


  • Enterprise PKI server
  • Certificate for ADFS
  • Active directory
  • AD Federation Service
  • Windows Intune subscription
  • Windows 8.1 update 1

Direct Management Setup:

Step 1 ) https://albertneef.wordpress.com/2014/05/05/installing-and-configuring-an-enterprise-pkiadcs-environment/

Step 2 ) https://albertneef.wordpress.com/2014/05/07/installing-and-configuring-adfsdirsync-for-windows-intune/

Step 3 ) From Technet:

Users download the Windows Intune Company Portal app that is available in the Windows Store. The following steps describe the enrollment process.

  1. Go to Settings > PC Settings > Network > Workplace.
  2. Enter the User ID and click Turn on.
  3. Check the Allow apps and services from IT admin dialog box, and click Turn on.

Enable Direct Management on the client:

Go to Change PC Settings

Go to Network

Go to Workplace and click Join. If the device is joined the Workplace successfully, click on the Turn On button. The user needs Local Administrator permission to turn on device management.

You can verify the eventvwr for errors or warnings. Go to Applications and Services\Microsoft\Windows\Workplace Join\Admin. You will see few events.

After few minutes the device is added in Windows Intune, ready to be managed.

Ok, now we have to upload a Windows app. If you don’t have an app yet. Follow this blog to make a simple test app without content. https://albertneef.wordpress.com/2014/05/07/create-a-windows-store-app/

Go to Software -> Overview –> Step 1: Add Software

Click Add Software in the menu.

If you get this message, click Run.

You will get this window. Follow the screenshots/figures


Right click on the app -> Manage deployment…

I don’t have any groups, so I have to select All Users. Click Next.

Select Available Install. Click Finish.

Check the app again. Deployed is changed to Yes

We have to import the app certificate into Windows Intune. Go to Administration -> Mobile Device Management and click/select Windows. Click Modify Code-Signing Certificates

Go to the AppPackages directory, where you got the appx (app file) and select the *.cer.


Verify the imported certificate.

It’s time to deploy the app to a Windows Device.

Download the Company portal from the Windows Store.

The device is ready. You can install your test app from the Company Portal.

That’s all folks. You have a device that is being direct managed by Windows Intune and it is ready to deploy Windows Store apps.  If you have any questions or comments about this configuration or about deploying, don’t hesitate to leave a message!

Create a Windows Store App

Create a test app for testing Windows Store app deployment for SCCM 2012 R2 or Windows Intune. More information about this process: http://technet.microsoft.com/nl-nl/windows/jj874388.aspx

First you need Visual Studio 2012 Express from http://www.microsoft.com/en-us/download/details.aspx?id=30664

Click I Agree to download and install the developers license (expiring in 30 days)

  1. Open Visual Studie Express. On the File menu, click New Project.
  2. In Templates\Javascript, click Blank App
  3. In the Name box, type a name for your app (Zipapp in my examples)
  4. Click Ok.

This App is blank and show only ‘Content goes here’ on screen.

  1. On the Project menu, click Store and click Create App Packages.
  2. On the Create Your Packages page for the Create App Packages wizard, click No and click Next. This allows you to create a Windows Store app without registering to submit it to the store.
  3. On the Select and Configure Packages page, click Next.
  4. Click Ok

Add the app into Windows Intune or create an application in Configmgr.


Installing and configuring ADFS/DirSync for Windows Intune

This blogpost is all about Active Directory Federation Services (ADFS) and DirSync. To activate Single Sign On in Microsoft Azure, an on-premise ADFS in combination with DirSync are required. DirSync is to sync your on-premise Active Directory with the Microsoft Azure Active Directory. ADFS will be used for handling the on-premise log in credentials to activated SSO.

ADFS is also required to register your (mobile) device for management. This feature is available in Windows RT/8 and is called Workplace.

In this blogpost I describe the installation and the configuration of ADFS and DirSync. I’m telling you about Device registration and how to prepare the ADFS for Windows Intune.

You will need for this blog one server based on Windows Server 2012 R2 Update 1.

NOTE: I have used an Enterprise PKI to create a certificate for ADFS. Read this blog for installing and configuring an Enterprise PKI environment.  

NOTE: This ADFS environment is only accessible inside the network. If you want to use this outside your internal network, you have to change the FQDN into your public domain name while making a new certificate. Don’t forget  to add the necessary DNS records and configure the firewall(s).

Good luck!

Create a group Managed Service Account (GMSA) . Run this on the domain controller.

  • Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10)
  • New-ADServiceAccount FsGmsa -DNSHostName w12r2adfs001.systemcenter.local -ServicePrincipalNames http/w12r2adfs001.systemcenter.local

Request a certificate from the PKI server.

MMC -> certificate – Local Computer

Click on the link More Information is required to enroll for this certificate….


  • Common Name: FQDN of your ADFS server, like: w12r2adfs001.systemcenter.local
  • DNS: FQDN of your adfs server
  • DNS: enterpriseregistration.systemcenter.local

Click Ok.

Click Enroll

Verify if listed in the Certificates(local computer) MMC:

Installing ADFS Role:

Configure the ADFS role:

NOTE: Ignore the last warning. You will get this warning if you have installed an ADFS on another server before. I have reinstalled ADFS on a fresh clean Windows Server 2012 R2 server 😉

Enable Device Registration in ADFS:


When prompted for a service account, type <domain>\fsgmsa$


Via Server Manager open ADFS management console.

Enable Device Authentication

Install the Windows PowerShell for single sign-on with AD FS

It’s time to configure the synchronization between on-premise with Microsoft Azure/Windows Intune.


Windows Azure AD Module:


Set up a trust between AD FS and Azure AD

  • Connect-MsolService –Credential $cred.
  • Set-MsolAdfscontext -Computer <AD FS primary server> if you run this on the primary ADFS server, you don’t need to run this command.
  • New-MsolFederatedDomain –DomainName <domain> or
  • Convert-MsolDomainToFederated –DomainName <domain>
  • To verify: Get-MsolFederationProperty –DomainName <domain> 

Add UPN for DirSync:


Installing DirSync:

DirSync needs Framework 3.5 or 4.0

To check the sync status, you can open Synchronization Service Manager tool located in: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miiclient.exe

And check the Azure admin webconsole: You will see the on-premise users in the webconsole.

The only thing what you have to do is to change the account  to your newly created UPN suffix.

Also in the account webconsole you have to edit the synchronized on-premise accounts. You need to give them access to Windows Intune, otherwise they can’t register a device or installing an app from the Company Portal.


Add a record in DNS:

an A record for the hostname (if not exists) <your adfs hostname> to an IP address

a CNAME record for enterpriseregistration:

If your environment has multiple UPN suffixes, you must create multiple CNAME records, one for each of those UPN suffixes in DNS.

Also one for enterpriseenrollment. This one is target to: manage.microsoft.com


You can test if SSO is working. Go to http://manage.microsoft.com or http://portal.manage.microsoft.com and use your on-premise username with the UPN suffix. The website checks and sees your UPN suffix. Now you will be automatically forwarded to the on-premise ADFS website for log in. After that you will be automatically logged in on Windows Intune. You are in the console right now.

That’s all folks. If you have any questions or comments about this blog, please don’t hesitate to leave a message or send me a mail.

Installing and configuring an Enterprise PKI(ADCS) environment.

In this blogpost I describe the installation and configuration of Active Directory Certificate Service (ADCS) role. This is based on an Enterprise PKI. Enterprise PKI is an environment with a RootCA and a Subordinate CA. With this configuration the RootCA goes offline for security propose and goes online when issuing a subordinate CA certificate. Just follow the screenshots and you have in no time an Enterprise PKI in place. The servers are based on Windows Server 2012 R2 update 1 and you will need 2 servers (I assume you have the domain controller in place). This environment can be used for ADFS, Microsoft Azure, Windows Server 2012 R2 Workplace or for SCCM/SCOM 2012 R2 client communications.

Note: the RootCA is a standalone CA and the subordinate is an Enterprise CA. The RootCA is not domain joined.

INFO: http://technet.microsoft.com/en-us/library/hh831348.aspx

Let’s begin!

If asked: Add all features. Next..



Click on the link for configuring the ADCS.

You have configured the ADCS into a RootCA. You have to change some settings for the subordinate CA. In Server Manager go to Tools – Certification Authority (CA). Right click on the your CA server/name and choose for Properties. Open the tab Extensions.

Add this url (http://<YOUR SUBCA FQDN>/certdata/<CaName><CRLNameSuffix><DeltaCRLAllowed.crl>.crt) in CDP.

Select Include in CRLs. Clients use this to find Delta CRL locations. and Include in the CDP extension of issued certificates. See the example above.

Add this url in AIA (by select extension)

http://<YOUR SUBCA FQDN>/certdata/<ServerDNSName><CaName><CertificateName>.crt

Select Include in the AIA extension of issued certificates. Click on Ok and restart the service.

Now, we have to publish the revocation list.

Export certificate without a private key for the subordinate CA server.

MMC and add the certificate snapin for local computer. Create also a share for the content. This will be used for later if we are configuring the subordinate CA server.

Copy the content of c:\windows\system32\certsrv\certenroll to your shared folder.

RootCA is in place and we go further with the subordinate CA server. This process is the same with different options. So I have only made a screenshots of the different choices, especially for the subordinate CA.


Add all features

Add all features


Now we have to install the certificate into the subordinate CA server. Go to your share and right click on the exported certificate for installing the certificate into the local machine’s trusted root CA.

Copy the request file on the root of C: to your shared folder.

Go to your root CA and submit a new request.

We have to issue the new request.

We need to export the certificate into a p7b.

Open the exported file to verify it.

Go back to the subordinate CA server and stop the CA service.

After that install the p7b certificate.

Final step before we have the subordinate CA in place.. Open GPO and import the RootCA certificate for distributing at domain level.


Deploying Certificate Templates:

Go to your subordinate CA and right click on Certificate Templates -> Manage

Right click on Web Server and choose Duplicate Template

Open the tab General. Change the name and select Publish certificate in Active Directory

Open the tab Request handling and select Allow private key to be exported:

Edit the security for the computer. If you know the hostname add this name in the security list. The computer does need Read, Enroll and Autoenroll.


Click apply. You see your templates in the list:

The next is to publish the created template for issuing certificates. Go back to your CA console and right click on Certificate Templates -> New -> Certificate Template to Issue

At this time the newly created templates are published. You could test this templates via IIS to request a web server certificate.


This certificate is working and ready to bind with a port for SSL.

You are finished. The RootCA and a Subordinate CA are in place.