Windows Intune – How to enroll a Windows Device and deploy a Windows App

It has been a long time that I have worked with Windows Intune. The most recently blog was about Windows Intune this year in January. I had a day off today. That means for me, it’s time for Intune! I was curious about Direct Management, Deploying Windows Apps to a Windows Device and how to register an Android mobile device via Company Portal. So, I begun with Windows Device enrollment, Windows App deploying and Direct Management.

First you have to know about sideloading and deploying Windows App to different versions of Windows 8.1. There are different ways to deploy or install a Windows app. You can use the Windows Store or, you can use a deployment tool like; ConfigMgr, MDT or Windows Intune. Apps which are available in the Windows App Store are automatically signed and validated as trusted by Microsoft and can be deployed by Windows Intune directly out the Windows Store to the devices. When you have to distribute a business-line(LOB) app directly to a user without using the Windows Store, you have to sideload the app. Sideloading means bypass the validation and signing requirements of the Windows Store and makes you responsible for validating and singing them. You cannot sideload an app that has been downloaded from the Windows Store. Due the corporate policy it’s duly that the company doesn’t want to make there LOB apps available in the Windows Store. For them is sideloading the only option to deploy Windows Store apps. Also, they will be responsible for app updates to users. For sideloading you have to use sideload keys. They are available at Microsoft Volume Licensing. More information about sideloading, check this url:

Which versions must be sideloading the apps?

NOTE: Unfortunately, I can’t test sideloading. I don’t have the keys for sideloading. Because of that, I could test only a Windows 8.1 Enterprise Update 1 domain joined.

NOTE: Follow this blog if you don’t have a Windows Store App.

UPDATE: Microsoft has changed its Sideloading process for all Windows 8.1 devices.  For Windows Phone 8.1 you can download the .XAP from the Windows Store and put it on your external disk of your mobile device. From the external memory/disk you can install the app. This is also available(via PowerShell, SCCM or Windows Intune) if your Windows 8.1 Pro and Enterprise are domain joined. For devices which are not domain joined (like Windows RT) you have to use Sideloading activation keys. Obtain a Sideloading activation key, see the this site Windows 8 Volume Licensing Guide.  Read more about this process at Technet: How to use Sideloading Product Activation Key, see this website:


Let’s begin with a group policy. We have to enable Allow all trusted app to install in Computer Configuration -> Administrative Templates -> Windows Components -> App Package Deployment or you can change this registry HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1.


  • Enterprise PKI server
  • Certificate for ADFS
  • Active directory
  • AD Federation Service
  • Windows Intune subscription
  • Windows 8.1 update 1

Direct Management Setup:

Step 1 )

Step 2 )

Step 3 ) From Technet:

Users download the Windows Intune Company Portal app that is available in the Windows Store. The following steps describe the enrollment process.

  1. Go to Settings > PC Settings > Network > Workplace.
  2. Enter the User ID and click Turn on.
  3. Check the Allow apps and services from IT admin dialog box, and click Turn on.

Enable Direct Management on the client:

Go to Change PC Settings

Go to Network

Go to Workplace and click Join. If the device is joined the Workplace successfully, click on the Turn On button. The user needs Local Administrator permission to turn on device management.

You can verify the eventvwr for errors or warnings. Go to Applications and Services\Microsoft\Windows\Workplace Join\Admin. You will see few events.

After few minutes the device is added in Windows Intune, ready to be managed.

Ok, now we have to upload a Windows app. If you don’t have an app yet. Follow this blog to make a simple test app without content.

Go to Software -> Overview –> Step 1: Add Software

Click Add Software in the menu.

If you get this message, click Run.

You will get this window. Follow the screenshots/figures


Right click on the app -> Manage deployment…

I don’t have any groups, so I have to select All Users. Click Next.

Select Available Install. Click Finish.

Check the app again. Deployed is changed to Yes

We have to import the app certificate into Windows Intune. Go to Administration -> Mobile Device Management and click/select Windows. Click Modify Code-Signing Certificates

Go to the AppPackages directory, where you got the appx (app file) and select the *.cer.


Verify the imported certificate.

It’s time to deploy the app to a Windows Device.

Download the Company portal from the Windows Store.

The device is ready. You can install your test app from the Company Portal.

That’s all folks. You have a device that is being direct managed by Windows Intune and it is ready to deploy Windows Store apps.  If you have any questions or comments about this configuration or about deploying, don’t hesitate to leave a message!


Create a Windows Store App

Create a test app for testing Windows Store app deployment for SCCM 2012 R2 or Windows Intune. More information about this process:

First you need Visual Studio 2012 Express from

Click I Agree to download and install the developers license (expiring in 30 days)

  1. Open Visual Studie Express. On the File menu, click New Project.
  2. In Templates\Javascript, click Blank App
  3. In the Name box, type a name for your app (Zipapp in my examples)
  4. Click Ok.

This App is blank and show only ‘Content goes here’ on screen.

  1. On the Project menu, click Store and click Create App Packages.
  2. On the Create Your Packages page for the Create App Packages wizard, click No and click Next. This allows you to create a Windows Store app without registering to submit it to the store.
  3. On the Select and Configure Packages page, click Next.
  4. Click Ok

Add the app into Windows Intune or create an application in Configmgr.


Installing and configuring ADFS/DirSync for Windows Intune

This blogpost is all about Active Directory Federation Services (ADFS) and DirSync. To activate Single Sign On in Microsoft Azure, an on-premise ADFS in combination with DirSync are required. DirSync is to sync your on-premise Active Directory with the Microsoft Azure Active Directory. ADFS will be used for handling the on-premise log in credentials to activated SSO.

ADFS is also required to register your (mobile) device for management. This feature is available in Windows RT/8 and is called Workplace.

In this blogpost I describe the installation and the configuration of ADFS and DirSync. I’m telling you about Device registration and how to prepare the ADFS for Windows Intune.

You will need for this blog one server based on Windows Server 2012 R2 Update 1.

NOTE: I have used an Enterprise PKI to create a certificate for ADFS. Read this blog for installing and configuring an Enterprise PKI environment.  

NOTE: This ADFS environment is only accessible inside the network. If you want to use this outside your internal network, you have to change the FQDN into your public domain name while making a new certificate. Don’t forget  to add the necessary DNS records and configure the firewall(s).

Good luck!

Create a group Managed Service Account (GMSA) . Run this on the domain controller.

  • Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10)
  • New-ADServiceAccount FsGmsa -DNSHostName w12r2adfs001.systemcenter.local -ServicePrincipalNames http/w12r2adfs001.systemcenter.local

Request a certificate from the PKI server.

MMC -> certificate – Local Computer

Click on the link More Information is required to enroll for this certificate….


  • Common Name: FQDN of your ADFS server, like: w12r2adfs001.systemcenter.local
  • DNS: FQDN of your adfs server
  • DNS: enterpriseregistration.systemcenter.local

Click Ok.

Click Enroll

Verify if listed in the Certificates(local computer) MMC:

Installing ADFS Role:

Configure the ADFS role:

NOTE: Ignore the last warning. You will get this warning if you have installed an ADFS on another server before. I have reinstalled ADFS on a fresh clean Windows Server 2012 R2 server 😉

Enable Device Registration in ADFS:


When prompted for a service account, type <domain>\fsgmsa$


Via Server Manager open ADFS management console.

Enable Device Authentication

Install the Windows PowerShell for single sign-on with AD FS

It’s time to configure the synchronization between on-premise with Microsoft Azure/Windows Intune.


Windows Azure AD Module:

Set up a trust between AD FS and Azure AD

  • Connect-MsolService –Credential $cred.
  • Set-MsolAdfscontext -Computer <AD FS primary server> if you run this on the primary ADFS server, you don’t need to run this command.
  • New-MsolFederatedDomain –DomainName <domain> or
  • Convert-MsolDomainToFederated –DomainName <domain>
  • To verify: Get-MsolFederationProperty –DomainName <domain> 

Add UPN for DirSync:


Installing DirSync:

DirSync needs Framework 3.5 or 4.0

To check the sync status, you can open Synchronization Service Manager tool located in: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miiclient.exe

And check the Azure admin webconsole: You will see the on-premise users in the webconsole.

The only thing what you have to do is to change the account  to your newly created UPN suffix.

Also in the account webconsole you have to edit the synchronized on-premise accounts. You need to give them access to Windows Intune, otherwise they can’t register a device or installing an app from the Company Portal.


Add a record in DNS:

an A record for the hostname (if not exists) <your adfs hostname> to an IP address

a CNAME record for enterpriseregistration:

If your environment has multiple UPN suffixes, you must create multiple CNAME records, one for each of those UPN suffixes in DNS.

Also one for enterpriseenrollment. This one is target to:


You can test if SSO is working. Go to or and use your on-premise username with the UPN suffix. The website checks and sees your UPN suffix. Now you will be automatically forwarded to the on-premise ADFS website for log in. After that you will be automatically logged in on Windows Intune. You are in the console right now.

That’s all folks. If you have any questions or comments about this blog, please don’t hesitate to leave a message or send me a mail.

Installing and configuring an Enterprise PKI(ADCS) environment.

In this blogpost I describe the installation and configuration of Active Directory Certificate Service (ADCS) role. This is based on an Enterprise PKI. Enterprise PKI is an environment with a RootCA and a Subordinate CA. With this configuration the RootCA goes offline for security propose and goes online when issuing a subordinate CA certificate. Just follow the screenshots and you have in no time an Enterprise PKI in place. The servers are based on Windows Server 2012 R2 update 1 and you will need 2 servers (I assume you have the domain controller in place). This environment can be used for ADFS, Microsoft Azure, Windows Server 2012 R2 Workplace or for SCCM/SCOM 2012 R2 client communications.

Note: the RootCA is a standalone CA and the subordinate is an Enterprise CA. The RootCA is not domain joined.


Let’s begin!

If asked: Add all features. Next..



Click on the link for configuring the ADCS.

You have configured the ADCS into a RootCA. You have to change some settings for the subordinate CA. In Server Manager go to Tools – Certification Authority (CA). Right click on the your CA server/name and choose for Properties. Open the tab Extensions.

Add this url (http://<YOUR SUBCA FQDN>/certdata/<CaName><CRLNameSuffix><DeltaCRLAllowed.crl>.crt) in CDP.

Select Include in CRLs. Clients use this to find Delta CRL locations. and Include in the CDP extension of issued certificates. See the example above.

Add this url in AIA (by select extension)

http://<YOUR SUBCA FQDN>/certdata/<ServerDNSName><CaName><CertificateName>.crt

Select Include in the AIA extension of issued certificates. Click on Ok and restart the service.

Now, we have to publish the revocation list.

Export certificate without a private key for the subordinate CA server.

MMC and add the certificate snapin for local computer. Create also a share for the content. This will be used for later if we are configuring the subordinate CA server.

Copy the content of c:\windows\system32\certsrv\certenroll to your shared folder.

RootCA is in place and we go further with the subordinate CA server. This process is the same with different options. So I have only made a screenshots of the different choices, especially for the subordinate CA.


Add all features

Add all features


Now we have to install the certificate into the subordinate CA server. Go to your share and right click on the exported certificate for installing the certificate into the local machine’s trusted root CA.

Copy the request file on the root of C: to your shared folder.

Go to your root CA and submit a new request.

We have to issue the new request.

We need to export the certificate into a p7b.

Open the exported file to verify it.

Go back to the subordinate CA server and stop the CA service.

After that install the p7b certificate.

Final step before we have the subordinate CA in place.. Open GPO and import the RootCA certificate for distributing at domain level.


Deploying Certificate Templates:

Go to your subordinate CA and right click on Certificate Templates -> Manage

Right click on Web Server and choose Duplicate Template

Open the tab General. Change the name and select Publish certificate in Active Directory

Open the tab Request handling and select Allow private key to be exported:

Edit the security for the computer. If you know the hostname add this name in the security list. The computer does need Read, Enroll and Autoenroll.


Click apply. You see your templates in the list:

The next is to publish the created template for issuing certificates. Go back to your CA console and right click on Certificate Templates -> New -> Certificate Template to Issue

At this time the newly created templates are published. You could test this templates via IIS to request a web server certificate.


This certificate is working and ready to bind with a port for SSL.

You are finished. The RootCA and a Subordinate CA are in place.





Opsmgr 2007 / Powershell: Change command line parameters in the Notification Channel

I have found a PowerShell commands to change the command line parameters in the notification channel. This one works only for SCOM 2007.  This is the only way to change or update the subscription.

NOTE: this one works only on channel type: Command.

#Get the channel by name
$channel = Get-NotificationAction | Where-Object {$_.DisplayName -imatch “%NAME OF THE CHANNEL%”}

#The change for the command line parameters.
$channel.CommandLine = “-command C:\TEST\test.ps1 ‘$Data/Context/DataItem/ManagedEntityPath$\$Data/Context/DataItem/ManagedEntityDisplayName$’ -a ‘$Data/Context/DataItem/AlertName$’”

#Update the channel in SCOM


Good luck! 🙂

Update Rollup 2 for System Center 2012 R2 Operations Manager

Today Microsoft has released a new update rollup for System Center 2012 R2.  In this blog I describe only the update for Operations Manager 2012 R2.

Description from :

Issues that are fixed in this update rollup

Operations Manager

Issue 1

This update rollup makes the stored procedure performance aggregate more robust against out-of-range values.

Issue 2

Adding multiple regular expressions (RegEx) to a group definition causes an SQL exception when the group is added or run.

Issue 3

Web applications fail when they are monitored by the System Center Operations Manager 2012 R2 APM agent.

Issue 4

Service Level Objectives (SLO) dashboards sometimes load in several seconds and sometimes take minutes to load. Additionally, the dashboard is empty after it loads in some cases.

Issue 5

Operations Manager Console crashes when you try to override the scope in the Authoring pane.

Issue 6

The System Center Operations Manager console is slow to load views if you are a member of a custom Operator role.

Issue 7

This update rollup includes a fix for the dashboard issue that was introduced in Update Rollup 1.

Issue 8

SQL Time Out Exceptions for State data (31552 events) occur when you create Data Warehouse workflows.

Issue 9

This update rollup includes a fix for the Event Data source.

Operations Manager – UNIX and Linux Monitoring (Management Pack Update)

Issue 1

All IBM WebSphere application servers that run on Linux or AIX computers are not automatically discovered by the Management Pack for Java Enterprise Edition (JEE) if multiple application servers are defined in a single WebSphere profile.


You could download and install it manually or, you could use Windows Update. Link:

Windows Intune update, Q2/Q3 2014

How you doing, how you been? It’s a long time that I wrote a blog on my blogsite. I have been very busy at work and also at home. With 2 little children it’s a little bit messy at home, haha. But, this will change today. My blogsite has got a higher priority for the few coming months. I have (must) to blog more about Windows Intune en System Center, especially the integration Windows Intune with SCCM 2012 R2 (MDM/UDM feature). Beneath that I’m working on a corporate image for a company where I work with. A blog about this experience, with DaRt and MDT 2013 integrated, will coming soon.

This blog is not really that great, but I have to start with something 😉

Windows Intune update, Q2/Q3 2014 

Microsoft has introduce the new update policy for Windows Intune. The old one what Microsoft  managed was releasing a big update of Windows Intune once or twice a year, mostly in Q1 or Q4. The new one is splitting up the update into months, to speed up the release of the features.

The new features what’s coming in Q2/Q3 2014 are:

Flexible Deployment: 

  • Full MDM parity in Windows Intune standalone
  • Email/Wi-Fi Profiles, VPN and Certificates
  • Bulk IT enrollment of devices and devices targeting
  • Cloud-only scalability

Device Configuration Management: 

  • Windows Phone Enterprise Feature Pack support
  • Application Whitelist/Blacklist
  • Customizable IT  Terms of Use
  • Start Screen in Windows 8.1
  • Microsoft Azure AD Premium integration in Company Portal

Email Configuration and Protection: 

  • Access to email only if device is managed


  • Family Safety in Windows 8.1
  • URL Filtering

 Device Data Protection:

  • Application restriction policies for iOS
  • Enterprise Wipe of Email (iOS) and access controls via certs
  • TPM cert enrollment
  • MFA support Intune enrollment.

I got this information from Henk’s blog. Thanks to Henk Hoogendoorn: