Dunno what it is, but a lot of SCOM information STILL persists on the web in VBScript and referring to SCOM 2007, when 2012 R2 has been out for YEARS now! In this blog post, I'll walk you through monitoring a log file for changes, and throwing an alert if the log file hasn't changed. And we'll do it in PowerShell, as the good saint Snover intended.
A quickie to help you install the prerequisites of SCCM 1511 with PowerShell.
You might be wondering how to control supersedence in your SCCM 2012 R2 SP1 (or ConfigMgr SP2, pretty much the same thing) deployments. I've finally been able (with the help of my friend and future ConfigMgr MVP nominee, Eric Anderson) to track down precisely what is going on in the confusing world of applications and supersedence in SCCM.
Every time you migrate from one SCCM instance to another, or if you have to move your drivers around (for instance: you originally had your drivers placed on the C:\ drive and want to move them to another drive), you'll need to update the location not only of the driver packages, but of every driver as well. This post provides a PowerShell script to make this easy!
How does an Intune Conditional Access policy affect devices in the field? For example: Bob's phone already has a manually configured mail profile. What happens to Bob's e-mail when I enforce Conditional Access (i.e. require a device to be enrolled in Intune to receive e-mail)?
We had a big issue at a client recently, which was quite a bear to solve. They used ADFS with on-premises SSO (meaning that they didn't use DirSync to push password hashes into Azure AD/Office 365), so when clients came to authenticate over the web via the Company Portal app, they were redirected to our on-prem ADFS for authentication.
This worked fine for our iOS and Windows devices, no issues at all! But when we tried to use Android devices, they were presented with the following error message:
Could not sign in. You will need to sign in again. If you see this message again, please contact your IT Admin.
Don’t you love those messages that tell you to contact yourself?
From the Intune Company Portal app, you can obtain logs by tapping the '...' hamburger menu. Opening the log, we see the following errors:
Authentication failed. Current state: FailedToAcquireTokens
Failed to acquire Graph token from AAD.
SignInService.access$900(SignInService.java:44)
SignInService$AadFailureAction.exec(SignInService.java:464)
SignInService$AadFailureAction.exec(SignInService.java:444)
GraphAccess$GraphTokenFailureDelegate.exec(GraphAccess.java:190)
GraphAccess$GraphTokenFailureDelegate.exec(GraphAccess.java:174)
AdalContext$AdalAuthenticationRetryCallback.onError(AdalContext.java:228)
com.microsoft.aad.adal.AuthenticationContext.waitingRequestOnError(AuthenticationContext.java:899)
com.microsoft.aad.adal.AuthenticationContext.onActivityResult(AuthenticationContext.java:758)
com.microsoft.windowsintune.companyportal.authentication.aad.AdalContext.onActivityResult(AdalContext.java:150)
com.microsoft.windowsintune.companyportal.views.AadAuthenticationActivity.onActivityResult(AadAuthenticationActivity.java:57)
Code:-11 primary error: 3 certificate: Issued to: CN=adfs.company.com,OU=E-Commerce,O=Company,L=Somewhere,ST=Georgia,C=US; Issued by: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US on URL: https://adfs.company.com/adfs/ls/?wfresh=[...]
The error occurs when the Company Portal app validates the certificate our ADFS endpoint presents, to decide whether it is trustworthy.
The issue is that Android handles certificate chaining somewhat differently from iOS and Windows Phone. In short, Android expects the server to send the whole chain, so every intermediate certificate has to be present on our ADFS servers; iOS and Windows will go and look up the missing issuer for us, so they never notice the gap.
The fix: import the certificates up the chain into the Intermediate Certification Authorities store on the ADFS proxies themselves.
So, launch the MMC and add the Certificates snap-in for the Local Computer on your ADFS server. Find the certificate your ADFS service is using (likely issued to adfs.yourcompany.com) and view its parent certificate.
Move a copy of the 'parent' certificate (in my case, the Symantec intermediate) into the Computer\Intermediate Certification Authorities\Certificates store. This part is CRUCIAL!
Next, move copies of your ADFS service communications, ADFS token-decrypting, and ADFS token-signing certificates into the Personal store for the ADFS service.
Finally, restart the ADFS servers, because restarting the service alone is not enough.
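The same check and import, scripted. This is an added example, not a script from the original post; it assumes the ADFS SSL certificate lives in the Local Computer Personal store and is issued to adfs.company.com (a placeholder, adjust $AdfsHost). It finds every intermediate in the certificate's chain and copies any that is not already in the Intermediate Certification Authorities store.

```powershell
# Added example (not from the original post). Run elevated on each ADFS server / proxy.
# Assumption: the ADFS SSL certificate is in Cert:\LocalMachine\My with this subject.
$AdfsHost = 'adfs.company.com'   # placeholder host name

$svcCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$AdfsHost*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $svcCert) { throw "No certificate for $AdfsHost found in LocalMachine\My" }

# Build the chain as Windows sees it. Windows may fetch the issuer over the network
# while building it; Android will not, which is exactly why the intermediate has to
# be sitting in the local store so ADFS can send it to the client.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($svcCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain status: $($_.Status) - $($_.StatusInformation)" }
}

$caStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$caStore.Open('ReadWrite')
$intermediates = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    # Skip the leaf (the ADFS cert) and the self-signed root; only intermediates belong in CA.
    if ($cert.Thumbprint -eq $svcCert.Thumbprint -or $cert.Subject -eq $cert.Issuer) { continue }
    $intermediates++
    $present = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($present) {
        Write-Host "Present in Intermediate CA store: $($cert.Subject)"
    } else {
        Write-Host "MISSING from Intermediate CA store, importing: $($cert.Subject)"
        $caStore.Add($cert)
    }
}
$caStore.Close()

if ($intermediates -eq 0) {
    # Windows could not locate the issuer either: obtain it from the CA and import it by hand.
    Write-Warning "No intermediate found in the chain. Import the issuer ($($svcCert.Issuer)) into Cert:\LocalMachine\CA manually."
}
```

After the script reports the intermediate as present, restart the server as described above so ADFS picks up the completed chain.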
With all of this finished, I'm finally able to enroll Android devices into Intune.