SCOM - Watching a log file for changes w/ PowerShell

February 19, 2016 FoxDeploy

Dunno what it is, but a lot of SCOM information STILL persists on the web in VB Script and refering to SCOM 2007, when 2012 R2 has been out for YEARS now! In this blog post, I'll walk you through monitoring a log file for changes, and throwing an alert if the log file hasn't changed.  And we'll do it in PowerShell, as the good saint Snover intended. Continue Reading...

SCCM 1511 - All prerequisites, in PowerShell

January 22, 2016 FoxDeploy

A quickie to help you install the prereqs of SCCM 1511 with PowerShell Continue Reading...

SCCM - Controlling Application Supersedence

January 21, 2016 FoxDeploy

You might be wondering how to control supercendence in your SCCM 2012 R2 SP1 (or ConfigMgr SP2, pretty much the same thing) deployments. I've finally been able (with the help of my friend and future ConfigMgr MVP nominee, Eric Anderson) to track down precisely what is going on in the confusing world of applications and supersedence in SCCM. Continue Reading...

SCCM - Updating all drivers after a migration

January 20, 2016 FoxDeploy

Every time you migrate from one SCCM instance to another, or if you have to move your drivers around (for instance: you originally had your drivers placed on the c:\ and want to mover them to another drive), you'll need to update the location not only of DriverPackages, but also of all drivers as well. This post provides a powershell script to make this easy! Continue Reading...

Conditional Access with SCCM and InTune

January 15, 2016 FoxDeploy

How does InTune Conditional Access Policy affect devices in the field?  (e.g. Bob's phone already has a manually configured mail profile.  What happens to Bob's e-mail when I enforce Conditional Access (i.e. saying a user must have InTune to receive e-mail?)) Continue Reading...

Solved: iOS Devices can connect via InTune, but not Android

December 10, 2015 FoxDeploy

We had a big issue at a client recently, which was quite a bear to solve.  They used ADFS with On-premise SSO (meaning that they didn’t use DirSync to push passwords into Azure AD/Office 365), so when clients come to authenticate over the web via the Company Portal App, they were referred to our on-prem ADFS for authentication.

This worked fine for our iOS and Windows Devices, no issues at all!  But then when we tried to use Android devices, they would be presented with the following error message:

The Symptom

Could not sign in. You will need to sign in again. If you see this message again, please contact your IT Admin.

Don’t you love those messages that tell you to contact yourself?

From the InTune app, you can obtain logs by clicking on the ‘…’ hamburger menu.  Opening the log, we see the following errors.

Authentication failed. Current state: FailedToAcquireTokens Failed to acquire Graph token from AAD. SignInService.access$900( SignInService$AadFailureAction.exec( SignInService$AadFailureAction.exec( GraphAccess$GraphTokenFailureDelegate.exec( GraphAccess$GraphTokenFailureDelegate.exec( AdalContext$AdalAuthenticationRetryCallback.onError(

Code:-11 primary error: 3 certificate: Issued to:,OU=E-Commerce,O=Company,L=Somewhere,ST=Georgia,C=US; Issued by: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US on URL:\[...\]

The Reason

The error occurs when the Company Portal app checks our certificates on ADFS to see if we are trustworthy.

The issue is that Android handles cert chaining in a way somewhat differently from iOS and Windows Phone. In short, Android needs all of our certs to be present on our ADFS Servers, where iOS would intelligently lookup the Cert Signer for us.

The Fix

Import the certs up the chain into the intermediate store on the ADFS Proxies themselves.

So, launch the MMC and add the Certificates Snapin for the Local Computer on your ADFS Server.  Find the cert your ADFS Service is using (likely issued to, and view it’s parent certificate.

Move a copy of the ‘parent’ cert, (in my case, Symantec) into the Computer\Intermediate Certification Authorities\Certificates store. This part is CRUCIAL!

Next, move copies of your ADFS, ADFS Decrypting, and ADFS Signing Certs into the Personal Store for the ADFS Service.

Finally, restart the ADFS servers, because restarting the service alone is not enough.

With all of this finished, I’m finally able to enroll Android devices into InTune.


Continue Reading...

Microsoft MVP

Five time Microsoft MVP, and now I work for the mothership

Need Help?

Get help much faster on our new dedicated Subreddit!

depicts a crowd of people in a night club with colored lights and says 'join the foxdeploy subrreddit today'

Blog Series
series_sml_PowerShellGUI series_sml_IntroToRaspberryPi Programming series_sml_IntroToWindows Remote Management Series The Logo for System Center Configuration Manager is displayed here Depicts a road sign saying 'Learning PowerShell Autocomplete'

Blog Stats