Monthly Archives: November 2016

Intune Conditional Access with Exchange Online for Windows PCs – User Experience

This post will show the end user experience when Conditional Access is configured to prevent non-domain joined Windows 7 and Windows 10 PCs from accessing Exchange Online, either from the Outlook client or from OWA web mail. If you would like more information on how to configure Conditional Access for different scenarios, see Use conditional access with Intune and Configuration Manager.

In a ConfigMgr Current Branch 1610 Intune Hybrid environment, I have configured Conditional Access in the ConfigMgr console, which then opens the Intune admin console.


I have enabled the conditional access policy.


Now, on a non-domain joined Windows 7 machine, when trying to access OWA the user is presented with the “You can’t get there from here” screen below.


And on the same Windows 7 machine, if a user tries to configure their Exchange Online account in the Outlook application, they will get the same “You can’t get there from here” screen.


This looks the same on Windows 10.


The same screen appears when accessing OWA on a Windows 10 machine.


What happens if a machine had Outlook configured and working before the Conditional Access policies were put in place? In my testing, when opening the Outlook app, the same screen was displayed when it tried to connect to Exchange Online.


Adding an Intune subscription to ConfigMgr for Hybrid MDM

This post will show you how to add an Intune subscription to ConfigMgr for Hybrid MDM and enable enrollment for iOS devices.

To see the benefits of using Intune with ConfigMgr rather than standalone, Microsoft has a good post: Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager.

My current on-prem environment looks like this:

  • ConfigMgr Current Branch version 1606.
  • User collection created with the users whose devices can be enrolled.
  • Custom domain added and verified in the Office 365 admin portal.
  • Azure AD Connect set up to synchronize my user accounts to Azure AD. Steps to set this up are here.
  • Intune subscription (you can get a 30 day trial subscription here).

The first step to add the Intune subscription is to go into Cloud Services, then right click Microsoft Intune Subscriptions and select Add Microsoft Intune Subscription.


Have a read of the Getting Started and click Next.


Sign in with your Intune account.


Have a read and if you agree, click the checkbox. Note that you can’t change this back unless you contact Microsoft Support.


Enter your Intune username and password.


Once you’re signed in, click Next.


Select the user collection with the users whose devices can be enrolled. You can configure your company name and any other settings you like, then click Next.


Fill in any other information you would like and click Next.


Specify a company logo if you like and click Next.


Select the user that you would like to be the Device Enrollment Manager. You can see more info here.


If you would like to use MFA, select the enable checkbox and click Next.


Confirm your settings and click Next.


Once it’s finished, click Close. You can view Cloudusersync.log to make sure the role was set up successfully and look out for any errors.


Next we will create an APNs certificate. The Apple Push Notification service (APNs) certificate is used to establish a trust relationship between the management service, Intune, and enrolled iOS mobile devices.


Next we will log in to the APNs certificate portal with an Apple ID. The link is here.


Click on Create Certificate.


Click Accept if you accept the terms and conditions.


Upload the certificate you created earlier.


Now download the certificate.


Now we will configure the iOS platform.


Click Enable, browse to the certificate you downloaded before, and click OK.


ConfigMgr CB 1610 – Cloud Management Gateway

One of the features in the newly released 1610 update for ConfigMgr Current Branch is the pre-release Cloud Management Gateway. This is similar to the Azure Cloud Proxy feature released in the Technical Preview 1606. I wrote a post on this here.

One thing to note that seems to be different from the TP is that the on-prem distribution point isn’t supported for cloud management gateway traffic. You will need to set up an Azure cloud-based distribution point for clients to download content (applications etc.). However, you can enable the Management Point and Software Update Point to receive cloud management gateway traffic.

You can see the limitations of the Cloud Management Gateway here.

This post will show you how I set up the Cloud Management Gateway in a lab. I won’t dive into the certificates part but information can be found at Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 Certification Authority and

A bit of info about my setup:

  • Azure subscription (you can get a trial here).
  • ConfigMgr Current Branch 1610 environment.
  • Azure Management certificate uploaded to
  • Cloud management gateway certificate for <name>. Info for that can be found here. Note: this name needs to be unique and cannot already exist in Azure.
  • Workstation certificate installed on clients, and its root certificate exported.
  • Management Point and SUP configured for HTTPS.
  • Windows 10 client with a Workstation Certificate enrolled, to test with.

As this is a pre-release feature, I enabled it when installing the 1610 update.


Now you will see the Cloud Management Gateway under the Cloud Services section. Click Create.


Enter your Azure Subscription ID, which can be found from or and select the Management Certificate (which needs to already be uploaded to Azure).


When the cloud service PKI certificate is selected from the Browse button, the service name and FQDN will automatically be filled in (this is the common name from when the certificate was requested). Make sure a unique name was chosen earlier for the certificate, as it will create a cloud service in Azure with <name>.

Also specify the client certificate root. You can see instructions here. Make sure this is done properly, as otherwise the client will get certificate errors when trying to connect to the Management Point.


You have the ability to set thresholds that raise alerts about outbound traffic, as Azure charges you based on outbound traffic.



You can watch the provisioning status. Or, even better, examine CloudMgr.log so you can see exactly what is going on and look out for any issues or errors.


Enable the site to use PKI certificates. The workstations that communicate with the Cloud Management Gateway need a Workstation certificate enrolled. Workstation certificates are covered here.


Next the Cloud Management Gateway connection point role will be added.


The information is filled in automatically.


Once the role has been added, the Management Point and Software Update Point need to be set to allow Cloud Management Gateway traffic. Make sure the Web Server certificate for the MP/WSUS is configured in IIS. There is a guide on that here.


On the client, while it still has a connection to the internal network, restart the SMS Agent Host service so it picks up the new Internet management point.

Once that was done on my client, I gave the machine Internet access only, with no internal network access. After restarting SMS Agent Host again, you can see in LocationServices.log that it is using the Cloud Management Gateway and that the ConfigMgr client connection type is set to Internet.


If you’re curious about what it looks like in Azure, go to and then to Cloud Services (classic); you can see it created a ProxyService role, which is meant to be running on an A2 VM.


ConfigMgr Intune enrolled device – Send Sync Request

One of the new features of the recently released 1610 update for ConfigMgr Current Branch is the ability for an admin to initiate a policy sync from the ConfigMgr console for an Intune enrolled device. Previously this had to be done from the Company Portal on the device.

This can be done by right clicking on the device (in my example an enrolled iPhone), clicking Remote Device Actions, then Send Sync Request.


ConfigMgr CB 1610 Software updates dashboard

One of the nice new enhancements that came with the recently released 1610 update for ConfigMgr Current Branch is the Software Updates Dashboard. This dashboard is available in the Monitoring > Overview > Security section of the ConfigMgr console.

If you haven’t installed update 1610 yet, here is what the dashboard looks like:


Update 1610 available for ConfigMgr Current Branch

Update 1610 is available for ConfigMgr Current Branch. The update will be rolled out globally over the next few weeks. You can run a script to enable the fast ring and get the update now: ConfigMgr 1610: Enable Early Update Ring.

Some of the new features include:

Windows 10 Upgrade Analytics integration allows you to assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades.

Office 365 Servicing Dashboard and app deployment to clients features help you to deploy Office 365 apps to clients as well as track Office 365 usage and update deployments.

Software Updates Compliance Dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.

Cloud Management Gateway provides a simpler way to manage Configuration Manager clients on the Internet. You can use the ConfigMgr console to deploy the service in Microsoft Azure and configure the supported roles to allow cloud management gateway traffic.

Client Peer Cache is a new built-in solution in Configuration Manager that allows clients to share content with other clients directly from their local cache with monitoring and troubleshooting capabilities.

Enhancements in Software Center including customizable branding in more dialogs, notifications of new software, improvements to the notification experience for high-impact task sequence deployments, and ability for users to request applications and view request history directly in Software Center.

New remote control features including performance optimization for remote control sessions and keyboard translation.

This release also includes new features for customers using Configuration Manager connected with Microsoft Intune. Some of the new features include:

New configuration item settings and improvements now only show settings that apply to the selected platform. We also added lots of new settings for Android (23), iOS (4), Mac (4), Windows 10 desktop and mobile (37), Windows 10 Team (7), Windows 8.1 (11), and Windows Phone 8.1 (3).

Lookout integration allows you to check a device’s compliance status based on its compliance with Lookout rules.

Request a sync from the admin console improvement allows you to request a policy sync on an enrolled mobile device from the Configuration Manager console.

Support for paid apps in Windows Store for Business allows you to add and deploy online-licensed paid apps in addition to the free apps in Windows Store for Business.

For more info see What’s new in version 1610 of System Center Configuration Manager.



GetDPLocations failed with error 0x80072ee2

Recently I was helping an old colleague set up an SCCM Current Branch 1606 site. When installing the SCCM client via client push, ccmsetup.log on the client showed the errors “GetDPLocations failed with error 0x80072ee2” and “Failed to get DP locations as the expected version from MP ‘’. Error 0x80072ee2”.

The error 0x80072ee2 translates to “The operation timed out Source: Winhttp”. I checked from the client whether I could ping the site server, which I could not, which is why it was failing. Doing an nslookup revealed that the site server name was resolving to an incorrect IP; the site had some DNS issues. Once the DNS record was corrected, the clients could connect to the MP, download the ccmsetup files and install fine.
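As an added example (not part of the original post), the following PowerShell script reproduces the checks above on a client: it pulls GetDPLocations error codes out of ccmsetup.log, decodes the Win32 code inside the HRESULT, and then verifies that the management point name resolves to the address you expect and answers on its web port. The log path, MP FQDN, expected IP and port are assumed placeholders; substitute your own.

```powershell
# Added example: diagnose "GetDPLocations failed with error 0x80072ee2" on a ConfigMgr client.
# All names and addresses below are placeholders (assumptions), not values from the post.
param(
    [string]$LogPath    = "$env:windir\ccmsetup\Logs\ccmsetup.log",
    [string]$MpFqdn     = 'mp01.corp.example',   # placeholder: MP / site server FQDN
    [string]$ExpectedIp = '10.0.0.10',           # placeholder: IP the MP should resolve to
    [int]$MpPort        = 80                     # use 443 for an HTTPS management point
)

# 1. Find the GetDPLocations error codes in ccmsetup.log (case-insensitive match).
$codes = Select-String -Path $LogPath -Pattern 'GetDPLocations failed with error 0x([0-9a-f]{8})' -AllMatches |
         ForEach-Object { $_.Matches } |
         ForEach-Object { $_.Groups[1].Value.ToLower() } |
         Sort-Object -Unique

foreach ($hex in $codes) {
    # An 0x8007xxxx HRESULT carries a Win32 error in its low 16 bits: 0x80072ee2 -> 12002 (WinHTTP timeout).
    $win32 = [Convert]::ToInt32($hex, 16) -band 0xFFFF
    # Win32Exception never throws; for codes missing from the system message table it reports "Unknown error".
    $text  = (New-Object System.ComponentModel.Win32Exception($win32)).Message
    Write-Host ("ccmsetup.log: GetDPLocations failed with 0x{0} (Win32 {1}: {2})" -f $hex, $win32, $text)
}

# 2. Does the MP name resolve, and to the address the site expects? (This was the fault in the post.)
$resolved = Resolve-DnsName -Name $MpFqdn -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
if (-not $resolved) {
    Write-Warning "$MpFqdn does not resolve at all"
} elseif ($resolved -notcontains $ExpectedIp) {
    Write-Warning "$MpFqdn resolves to $($resolved -join ', ') but the MP is expected at $ExpectedIp (stale DNS record?)"
} else {
    Write-Host "$MpFqdn resolves to $ExpectedIp as expected"
}

# 3. Can the client actually open a TCP connection to the MP's web port?
$tcp = Test-NetConnection -ComputerName $MpFqdn -Port $MpPort -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Host "TCP $MpPort to $MpFqdn ($($tcp.RemoteAddress)) OK"
} else {
    Write-Warning "No TCP connection to $MpFqdn on port $MpPort; consistent with a WinHTTP timeout (0x80072ee2)"
}
```

Run it on the failing client after client push; a name that resolves to the wrong address or a failed TCP test points at DNS or network reachability rather than at the site itself.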