Workplace join

I'm trying to join tablets running Windows 8.1 to another server (AirWatch), so I can manage apps in a school environment.  When I try the workplace join, some of the devices have the option to add the user I.D. and the server address, which is what I want, but some of them only allow me to add the user I.D. information and not the server info.  I don't know why this is, or what to look for to change it so I can add the server info.  Is it a service or an app?  Any and all help will be greatly appreciated.

Hi,
Users who join their devices to a corporate network via Workplace Join are also automatically prompted to enter specific (and customizable) data to complete their device enrollment with AirWatch as part of the Workplace Join process.
Since you use an OMA-DM API agent to allow management of Windows 8.1 devices with AirWatch instead of Windows Server, I recommend you contact AirWatch support for help.
http://www.air-watch.com/
Karen Hu
TechNet Community Support

Similar Messages

  • Trying to install KB3035025 to allow Non-workplace join machines use the UpdatePassword ADFS end point Error the update is not applicable to your computer

    I put the hotfix on our ADFS Server (2012 R2) and tried to install it and received this:
    I made sure all the prerequisites were installed - they are.
    Any ideas?

    I did some digging and the version of Microsoft.IdentityServer.Service.dll is version 6.3.9600.17720 
    This is higher than what is in this hot fix and I guess is related to this update: https://support.microsoft.com/en-us/kb/3045711
    In ADFS, when I try to change the password for a non-workplace join computer, I get a complexity error, but I know for sure the password meets the domain complexity requirements.
    Thanks in advance!
    Jon

  • Unable to workplace join IOS - Windows 8.1 ok

    I have 2012R2 up and WAP/ADFS all working nicely. I can WPJ my 8.1 client no problem, but any iOS device just won't install the profile, saying unable to connect to server. Here are the logs from the device.
    All URLs are reachable fine from the devices, and it's a trusted public cert with enterpriseregistration on for the UPN also. Any ideas?
    Jul 16 10:06:52 Martins-iPhone profiled[39] <Notice>: (Note ) MC: Enrolling in OTA Profile service...
    Jul 16 10:06:52 Martins-iPhone profiled[39] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
    Desc   : A connection to the server could not be established.
    US Desc: A connection to the server could not be established.
    Domain : MCHTTPTransactionErrorDomain
    Code   : 23001
    Type   : MCFatalError
    Params : (
    "https://sts.domain.com/EnrollmentServer/otaprofile/profile?operation=enroll",
    400
    Jul 16 10:06:52 Martins-iPhone profiled[39] <Notice>: (Error) MC: Installation failed. Error: NSError:
    Desc   : Profile Installation Failed
    Sugg   : A connection to the server could not be established.
    US Desc: Profile Installation Failed
    US Sugg: A connection to the server could not be established.
    Domain : MCInstallationErrorDomain
    Code   : 4001

    Can you paste the config file please, so I can set up the same tracing? I have enabled it, but getting nothing logged?
    Hi Martin,
    Sorry for the delay, here is my Microsoft.DeviceRegistration.ServiceHost.exe.config.  I specified C:\Windows\Temp\drsTrace.xml for the trace file.  Just make sure that your DRS service account has write access to it.
    You can see where I have added the new entry for CertificateExpiryExemptForiOSProfileService.
    Mark.
    <?xml version="1.0"?>
    <configuration>
      <uri>
        <idn enabled="All" />
        <iriParsing enabled="true" />
      </uri>
      <appSettings>
        <add key="CertificateExpiryExemptForiOSProfileService" value="true"/>
      </appSettings>
      <system.serviceModel>
        <diagnostics>
          <messageLogging maxMessagesToLog="30000" logEntireMessage="true" logMessagesAtServiceLevel="true" logMalformedMessages="true" logMessagesAtTransportLevel="true">
          </messageLogging>
        </diagnostics>
      </system.serviceModel>
      <system.diagnostics>
        <!-- To enable DRS tracing, change the switchValue below to desired trace level - Verbose, Information, Warning, Error, Critical, All -->
        <!-- Uncomment sources below to enable tracing -->
        <!-- Set initializeData to a complete path to a file that the Device Registration Service has write access to in order to generate traces -->
        <!-- NOTE THAT THE CHANGES TO THIS SECTION REQUIRE SERVICE RESTART TO TAKE EFFECT -->
        <sources>
          <source name="System.ServiceModel" switchValue="Verbose, ActivityTracing" propagateActivity="true">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="System.ServiceModel.MessageLogging" switchValue="Verbose">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="Microsoft.DeviceRegistration.ServiceHost" switchValue="Verbose, All">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="Microsoft.DeviceRegistration.DiscoveryService" switchValue="Verbose, All">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="Microsoft.DeviceRegistration.HttpDiscoveryService" switchValue="Verbose, All">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="Microsoft.DeviceRegistration.HttpCloudDiscoveryService" switchValue="Verbose, All">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="Microsoft.DeviceRegistration.Utilities" switchValue="Verbose, All">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="Microsoft.DeviceRegistration.WindowsDeviceEnrollmentService" switchValue="Verbose, All">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="Microsoft.DeviceRegistration.iOSDeviceEnrollmentService" switchValue="Verbose, All">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
          <source name="Microsoft.DeviceRegistration.Utilitities.DRSyncSourceDomain" switchValue="Verbose, All">
            <listeners>
              <add name="xml"/>
            </listeners>
          </source>
        </sources>
        <sharedListeners>
          <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="C:\Windows\Temp\drsTrace.xml"/>
        </sharedListeners>
        <trace autoflush="true"/>
      </system.diagnostics>
      <!-- By default the service will load the on-premise configuration
           The following optional attributes on to the 'startup' element
           can be used to modify this behavior.
           isCloudDeployment="true" and isOnPremiseDeployment="true"
           These settings should not both be set to true in production
           deployment.
           Example: <startup isCloudDeployment="true"... OR
           <startup isOnPremiseDeployment="true"
      -->
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
      </startup>
    </configuration>
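
A check for the tracing settings in the config posted above, as an added example that is not part of the original thread or of Microsoft's tooling: it reports which trace sources are switched on, whether full message bodies are being written, and where the trace file lives, so tracing enabled for troubleshooting is not left on afterwards. The function names, finding codes and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample: trimmed to the elements the audit reads, in the shape of
# the Microsoft.DeviceRegistration.ServiceHost.exe.config posted above.
TRACING_ON = r"""<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="CertificateExpiryExemptForiOSProfileService" value="true"/>
  </appSettings>
  <system.serviceModel>
    <diagnostics>
      <messageLogging maxMessagesToLog="30000" logEntireMessage="true"
                      logMessagesAtTransportLevel="true"/>
    </diagnostics>
  </system.serviceModel>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel.MessageLogging" switchValue="Verbose">
        <listeners><add name="xml"/></listeners>
      </source>
      <source name="Microsoft.DeviceRegistration.iOSDeviceEnrollmentService" switchValue="Verbose, All">
        <listeners><add name="xml"/></listeners>
      </source>
    </sources>
    <sharedListeners>
      <add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="C:\Windows\Temp\drsTrace.xml"/>
    </sharedListeners>
    <trace autoflush="true"/>
  </system.diagnostics>
</configuration>
"""

# Constructed sample: the sources are commented out, which is the state the
# config's own comments describe before tracing is enabled.
TRACING_OFF = r"""<?xml version="1.0"?>
<configuration>
  <system.diagnostics>
    <sources>
      <!--
      <source name="Microsoft.DeviceRegistration.ServiceHost" switchValue="Verbose, All">
        <listeners><add name="xml"/></listeners>
      </source>
      -->
    </sources>
    <sharedListeners>
      <add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="C:\Windows\Temp\drsTrace.xml"/>
    </sharedListeners>
  </system.diagnostics>
</configuration>
"""


def _is_true(value):
    return (value or "").strip().lower() == "true"


def active_trace_sources(root):
    """Names of sources that have a listener and a switchValue other than Off."""
    active = []
    for src in root.findall("system.diagnostics/sources/source"):
        levels = {p.strip().lower() for p in src.get("switchValue", "").split(",")} - {""}
        if levels and levels != {"off"} and src.find("listeners/add") is not None:
            active.append(src.get("name"))
    return active


def audit_drs_config(xml_text):
    """Return (code, detail) findings for troubleshooting settings left in place."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    findings = []
    sources = active_trace_sources(root)
    if sources:
        findings.append(("tracing-enabled", ", ".join(sources)))
        # Message bodies reach the trace file only when the message-logging
        # source is active and logEntireMessage is set.
        ml = root.find("system.serviceModel/diagnostics/messageLogging")
        if (ml is not None and _is_true(ml.get("logEntireMessage"))
                and "System.ServiceModel.MessageLogging" in sources):
            findings.append(("full-message-logging", "logEntireMessage=true"))
        # Heuristic (an assumption of this example): a trace file under a Temp
        # directory is worth an ACL review while tracing is active.
        for listener in root.findall("system.diagnostics/sharedListeners/add"):
            path = listener.get("initializeData", "")
            if any(part.lower() == "temp" for part in PureWindowsPath(path).parts):
                findings.append(("trace-file-in-temp", path))
    # Boolean appSettings switched on, such as the entry added in the post above.
    for setting in root.findall("appSettings/add"):
        if _is_true(setting.get("value")):
            findings.append(("appsetting-enabled", setting.get("key")))
    return findings


if __name__ == "__main__":
    for code, detail in audit_drs_config(TRACING_ON):
        print(f"{code}: {detail}")
```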

  • AD synced with Windows Intune, workspace join required??

    Is workplace join required for managing devices? I'm not getting around this question. 
    When I install the Windows Intune client software, the workspace join is not required. However, when I enroll from the company portal it seems the workspace join is required. 
    How is this designed actually?

    No, workplace join is about single sign-on and access control to internal resources. It has nothing to do with managing devices other than providing some limited visibility of them.
    Intune requires Azure Active Directory.
    Jason | http://blog.configmgrftw.com

  • Authentication - multiple domains with multiple accounts

    Dear All,
    Consider an environment where a user, Joe Bloggs, has an account on two Windows domains:  DOMA and DOMB.  DOMA is a domain that all users in the organisation are members of.  DOMB is a domain used by a smaller subset of users.  The user's machine is part of the DOMB domain.
    I'd like to deploy SharePoint 2013 on DOMA and have the user, logged on to their DOMB machine, seamlessly authenticate (through IWA) with SharePoint 2013.  
    So far, I've thought of the following solutions:
    1.  Build a trust between the two domains.  Possible, but the AD information in DOMA is more up-to-date than that in DOMB and I'd like to use that to populate SharePoint user profiles.  Also, DOMB is likely to be deprecated in the future.
    2.  Use WorkPlace Join.  Unfortunately, devices are running Windows 7 and WorkPlace Join only works for devices running Windows 8.
    I've wondered whether it's possible to map two accounts on separate domains together so that a user on DOMB can effectively masquerade as their corresponding user on DOMA when authenticating with SharePoint, but haven't come across a way of doing this, yet.
    Any ideas?  Or, am I completely mad?!
    Thanks in advance.

    1) Is your only option for seamless logon with IWA. It is not possible to map accounts "together" so-to-speak. SharePoint stores a reference to the user's SID, which must match the user making the request.
    An ADFS trust might be another option, although that increases your deployment footprint and complexity.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Client Certificate Authentication

    Hi guys
    I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our users' mobile devices, so they just log into a website, type their credentials and the user certificate gets pushed.
    We have implemented Workplace Join. This allows us to use the certificate pushed by ADFS to log into a webapp only once; then for some reason (still under investigation) it doesn't work anymore.
    I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
    Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
    any help would be truly appreciated
    Jesus

    If IIS is used for certificate distribution (and access to CRLs), I think this could be done with Active Directory Certificate Services.
    Users could go to the website of the issuing certificate authorities and make a request.
    I've only done this for real with Group Policy triggering the request behind the scenes for *domain members* and approval based on membership in a particular group.
    So I'm not 100% sure how you would configure automatic issuance of the cert based on entry of a correct password. Usually, the "certificate managers" have to approve per company policy.
    I'll look further though (interested in this myself).
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

  • Web Application Proxy and Safari

    Morning, all.
    I've installed and configured the new Windows Server 2012 R2 AD FS and Web Application Proxy, and I've run into some strange problems. I had some initial problems getting it to work, the documentation is a bit thin, but I now have SharePoint and Webmail published to the Internet.
    I'm using x.509 Certificate Authentication for Extranet.
    In IE on a Windows 8.1 Surface Pro everything works. I can log in using either a softcert or a SmartCard.
    On my OS X Mac I can log in using Chrome, but Safari won't work.
    Same thing on my iPad running iOS 7.0.4, Safari won't work. Interestingly enough, on my 7.0.4 iPhone it DOES work. Even more interestingly, I CAN Workplace Join the iPad using the URL https://<adfs fqdn>/enrollmentserver/otaprofile but I can't authenticate using the URL https://<adfs fqdn>/adfs/ls/IdpInitiatedSignon.aspx.
    I get to select my certificate, but after that I'm getting this error message: "Safari cannot open the page because too many redirects occurred." In the Event log on the AD FS server I'm getting this:
    Encountered error during federation passive request. 
    Additional Data 
    Protocol Name: 
    Saml 
    Relying Party: 
    http://<adfs fqdn>/adfs/services/trust 
    Exception details: 
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '0' seconds. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    Since it does work on an iPhone running the same browser, and Workplace Join does work on the iPad even if nothing else does, I'm thinking there's some UserAgent voodoo going on in parts of the Web Application Proxy. It's no big deal that Safari in OS X doesn't work, we can always run Chrome, but the iPad is a major problem and a total deal breaker if I can't fix it.
    I would appreciate some good advice.

    Hi,
    As both IE and Chrome work, I think it's more a client side issue.
    Maybe you need to clear your browser cache and cookies.
    This is also worth a try:
    http://stackoverflow.com/questions/2640030/adfs-v2-0-error-msis7042-the-same-client-browser-session-has-made-6-request
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Hope this helps.

  • Not able to sign in to Company Portal app installed from Windows Store

    Not able to sign in to Company Portal app installed from Windows Store. I'm using a Workplace joined (Intune + SCCM 2012 R2) Windows 10 laptop.
    Following is the error which I got while trying to sign in with my Intune trial account.
    Any idea much appreciated :)
    --- Exception Details ---
    System.Exception: Authentication failed because response data could not be parsed.
    Stack Trace:
       at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.IntuneAuthenticationService.<UpdateContextFromAuthenticationResponseAsync>d__c.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.IntuneAuthenticationService.<AuthenticateAsync>d__0.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Management.Services.SelfServicePortal.ViewModels.ServiceLoginPageViewModel.<AuthenticateAsync>d__b.MoveNext()
    2014-10-30T17:44:27.6437234Z
    VERB MethodEnter
    Common          1800
    c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 Microsoft.Management.Services.SelfServicePortal.ViewModels.Common.ApplicationStatusMonitor - CheckMonitoringCapable() Enter
    2014-10-30T17:44:27.6437234Z
    INFO Event
    None         0
    User is not authenticated, monitoring is not capable.
    2014-10-30T17:44:27.6437234Z
    VERB MethodLeave
    Common          1801
    c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 Microsoft.Management.Services.SelfServicePortal.ViewModels.Common.ApplicationStatusMonitor - CheckMonitoringCapable() Leave
    2014-10-30T17:44:27.6437234Z
    VERB MethodEnter
    Common          1800
    c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 Microsoft.Management.Services.SelfServicePortal.ViewModels.Common.ApplicationStatusMonitor - DelayPolling() Enter
    2014-10-30T17:44:27.6437234Z
    INFO Event
    None         0
    Attempting to delay polling task for '30' seconds.
    2014-10-30T17:44:45.9431915Z
    INFO Event
    Application       611
    c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 WebAuthenticationBroker AuthenticateAsync to url: https://go.microsoft.com/fwlink/?LinkID=314087&&appru=ms-app://s-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113/&api-version=1.1
    returned result:Success
    2014-10-30T17:44:45.9431915Z
    INFO Event
    Application       611
    c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 WebAuthenticationBroker returned result:Success
    2014-10-30T17:44:45.9744572Z
    INFO Event
    Application       208
    c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 Authentication failed because response data could not be parsed.
    Exception:
    System.ArgumentException: User agent string ("Mozilla/5.0 (Windows NT 6.4; Win64; x64; Trident/7.0; MSAuthHost/1.0; rv:11.0) like Gecko") does not contain match for Windows version regex pattern ("Windows NT (?<Version>6\.2|6\.3)").
    Parameter name: userAgent
      at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.AuthenticationResponseData.GetWindowsVersion(String userAgent)
      at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.AuthenticationResponseData..ctor(String responseData)
      at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.IntuneAuthenticationService.<UpdateContextFromAuthenticationResponseAsync>d__c.MoveNext()
    Response Data:
    2014-10-30T17:44:45.9744572Z
    VERB MethodLeave
    Common          1801
    c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.IntuneAuthenticationService - AuthenticateAsync() Leave
    2014-10-30T17:44:45.9744572Z
    ERR_ Event
    ViewModel        2202
    c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 System.Exception: Authentication failed because response data could not be parsed. ---> System.ArgumentException: User agent string ("Mozilla/5.0 (Windows NT 6.4; Win64; x64; Trident/7.0; MSAuthHost/1.0; rv:11.0) like Gecko") does not contain match for Windows version regex pattern ("Windows NT (?<Version>6\.2|6\.3)").
    Parameter name: userAgent
      at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.AuthenticationResponseData.GetWindowsVersion(String userAgent)
      at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.AuthenticationResponseData..ctor(String responseData)
      at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.IntuneAuthenticationService.<UpdateContextFromAuthenticationResponseAsync>d__c.MoveNext()
      --- End of inner exception stack trace ---
      at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.IntuneAuthenticationService.<UpdateContextFromAuthenticationResponseAsync>d__c.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
      at Microsoft.Management.Services.SelfServicePortal.DataAccess.Service.IntuneAuthenticationService.<AuthenticateAsync>d__0.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
      at Microsoft.Management.Services.SelfServicePortal.ViewModels.ServiceLoginPageViewModel.<AuthenticateAsync>d__b.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
      at Microsoft.Management.Services.SelfServicePortal.ViewModels.ServiceLoginPageViewModel.<AuthenticateWithExceptionHandlingAsync>d__6.MoveNext()
    ==========================================================
    2014-10-30T17:44:57.6486693Z VERB
    MethodLeave Common    
         1801 c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 Microsoft.Management.Services.SelfServicePortal.ViewModels.Common.ApplicationStatusMonitor - DelayPolling() Leave
    2014-10-30T17:44:57.6486693Z VERB
    MethodEnter Common    
         1800 c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 Microsoft.Management.Services.SelfServicePortal.ViewModels.Common.ApplicationStatusMonitor - CheckMonitoringCapable() Enter
    2014-10-30T17:44:57.6486693Z INFO
    Event None
            0 'Microsoft.Management.Services.SelfServicePortal.Common.Portable.DataAccess.IApplicationsRepository' is not registered, monitoring is not capable.
    2014-10-30T17:44:57.6486693Z VERB
    MethodLeave Common    
         1801 c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 Microsoft.Management.Services.SelfServicePortal.ViewModels.Common.ApplicationStatusMonitor - CheckMonitoringCapable() Leave
    2014-10-30T17:44:57.6486693Z VERB
    MethodEnter Common    
         1800 c199f6f0-1d13-415a-be16-3ec1a41dcda6
    3-0-0 Microsoft.Management.Services.SelfServicePortal.ViewModels.Common.ApplicationStatusMonitor - DelayPolling() Enter
    2014-10-30T17:44:57.6486693Z INFO
    Event None
            0 Attempting to delay polling task for '30' seconds.
    ==========================================================
    Anoop C Nair (My Blog www.AnoopCNair.com)
    - Twitter @anoopmannur -
    FaceBook Forum For SCCM

    I just noticed the same. Looking at the following error message it seems to do a version check and based on the results of that check I would think that it's not supported yet.
    System.ArgumentException: User agent string ("Mozilla/5.0 (Windows NT 6.4; Win64; x64; Trident/7.0; MSAuthHost/1.0; rv:11.0) like Gecko") does not contain match for Windows version regex pattern ("Windows NT (?<Version>6\.2|6\.3)").
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude
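
The version check behind the exception quoted above, reproduced as an added example (not code from the Company Portal app): the strict pattern from the log accepts only Windows NT 6.2 and 6.3, so the 6.4 user agent is rejected outright. The tolerant parser, the minimum version and the sample response data (token values replaced by placeholders) are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Pattern quoted in the exception; .NET's (?<Version>...) is (?P<Version>...) in Python.
STRICT = re.compile(r"Windows NT (?P<Version>6\.2|6\.3)")

# Assumption for illustration: read any major.minor and compare it to a floor,
# so a newer Windows release is not rejected just for being unknown.
TOLERANT = re.compile(r"Windows NT (?P<major>\d+)\.(?P<minor>\d+)")
MIN_SUPPORTED = (6, 2)

# Constructed sample in the shape of the logged response data. The token fields
# hold placeholders; only tokenExpiry and userAgent carry values from the log.
SAMPLE_RESPONSE = (
    "wresult=TOKEN-PLACEHOLDER&tokenCookie=TOKEN-PLACEHOLDER&tokenExpiry=1196"
    "&userAgent=Mozilla%2F5.0+%28Windows+NT+6.4%3B+Win64%3B+x64%3B+Trident%2F7.0"
    "%3B+MSAuthHost%2F1.0%3B+rv%3A11.0%29+like+Gecko"
)


def user_agent_from_response(response_data):
    """URL-decode the form-encoded response data and return its userAgent field."""
    values = parse_qs(response_data).get("userAgent")
    if not values:
        raise ValueError("response data has no userAgent field")
    return values[0]


def strict_version(user_agent):
    """Version string if the allow-list pattern from the log matches, else None."""
    match = STRICT.search(user_agent)
    return match.group("Version") if match else None


def tolerant_version(user_agent):
    """(major, minor) if the user agent reports at least MIN_SUPPORTED, else None."""
    match = TOLERANT.search(user_agent)
    if match is None:
        return None
    version = (int(match.group("major")), int(match.group("minor")))
    return version if version >= MIN_SUPPORTED else None


def compare(user_agents):
    """Map each user agent to (strict result, tolerant result)."""
    return {ua: (strict_version(ua), tolerant_version(ua)) for ua in user_agents}


if __name__ == "__main__":
    logged = user_agent_from_response(SAMPLE_RESPONSE)
    # Constructed user agents for the versions the strict pattern does accept.
    others = [
        "Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
        "Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
    ]
    for ua, result in compare([logged] + others).items():
        print(result, ua)
```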

  • How do you set up the update password page in ADFS 3.0

    Hello,
    We have recently migrated to ADFS 3.0.  Everything is working except the update password feature.  In the KB article http://technet.microsoft.com/en-us/library/dn280950.aspx the section under Update Password says that I need to enable the ADFS endpoint /adfs/portal/updatepassword/ and restart the ADFS service.
    This has been done, but when I go to https://sts.domain.com/adfs/portal/updatepassword, all I get is a page that says "An error occurred.  contact your administrator."
    What I am trying to accomplish is this. 
    http://technet.microsoft.com/en-us/library/dn280950.aspx
    Any help would be greatly appreciated.
    Thanks
    Cheston

    It does not work on domain joined machines! Yes, I know. You are not the first one trying. It should also support domain joined machines, but unfortunately it only supports workplace joined machines.
    <QUOTE>
    The update password page is only available for Workplace Joined devices
    </QUOTE>
    On the domain joined machine you can just use ctrl+alt+del to change the password.
    Cheers,
    Jorge de Almeida Pinto
    Principal Consultant | MVP Directory Services | IAM Technologies
    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

  • AD FS 3.0 MFA Question

    We are in the process of planning for the implementation of ADFS 3.0 (2012 R2). The primary question that I am trying to answer is: Can we prevent an authorized user from being authenticated if they are trying to access the service from an unmanaged device (a device that is either not domain joined or not managed using our MDM solution)?
    I have read some information regarding the Device Registration Service, but that does not seem like a good option because it seems that any authorized user can "workplace join" a device then, regardless of the type of device, OS version, password protection, screen timeout settings, etc. The option that I am seeing is to authenticate based on a certificate that the device might have (either laptop or MDM mobile device).
    From what I have read of this type of configuration, I am not entirely sure how that feature can be customized to look for certain items within a certificate. Does anyone have any experience with a similar configuration or approach?

    Hi Alex,
    How about using smart card authentication?
    More information for you:
    Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
    http://technet.microsoft.com/en-us/library/dn280949.aspx
    In addition, if this method is not useful to you, please refer to this dedicated ADFS forum below to get more efficient support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Best Regards,
    Amy

  • ADFS Device Registration

    I have one application proxy and one adfs server. Right now normal sso works (utilizing Office 365 services). I am trying to configure two-factor using device registration. I was able to join an internal computer using Workplace join.
    I am trying to install an iPhone that's connected to the public internet. I can get to the otaprofile fine, but when I click install I get an error saying "A connection to the server could not be established." I ran the update command on my proxy
    server. Backend servers are enabled and initialized.
    In my certificate, I added enterpriseregistration as a SAN. My common name is sts.companyname.com. Public dns is CName from enterpriseregistration to sts. STS is A-record points to proxy server. Proxy server is using hosts file to get internal servers.
    Any thoughts? Am I missing something?
    -- Michael

    Hello,
    please see
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/195399e6-b5dd-46cf-a351-228bd62b24d8/adfs-specific-question-post-on-the-adfs-forum?forum=winserverDS
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Enrolling Windows 8.1 to Intune

    Hi!
    Let me start by saying that I'm really new to Intune and created a trial account a few days ago. I've been browsing through Technet but haven't really found a solution to the problem I'm facing, so here it goes.
    I have a "cloud-only" setup and I have configured MDM authority to Intune. I do not have DirSync in place yet and I have one test account manually created from the Intune web console.
    I want to enroll Windows 8.1 device. I'm trying to do the enrollment by following the general guideline:
    https://technet.microsoft.com/library/dn858086.aspx
    I installed Company Portal from the Microsoft Store but when I go to Settings -> PC Settings -> Network -> Workplace and enter my Intune Account and credentials again when prompted, I do not get the "Allow apps and services from IT admin" that I could turn on. It just says that "This Device has joined your workplace network".
    My Windows 8.1 machine does not show up in the Intune console and I cannot access the Company Portal.
    If I access https://portal.manage.microsoft.com from a web browser, I can log in to the portal but it doesn't show (or give me a possibility to add) devices.
    If I install the Intune Client, everything works without even doing the workplace join that is instructed in the general guide.
    Is it even possible to enroll a Windows 8.1 laptop to Intune without installing the Intune Client? According to the general guide I get the impression that it is. The fact that I don't get to choose that "Allow apps and services from IT admin" during workplace join might be the reason this isn't working for me, but I can't seem to find the configuration error that explains why it isn't displayed.
    -klaus

    Asked from Microsoft support that the process of downloading Company Portal from Microsoft Store and doing the enrollment by following the instructions (and doing Workplace Join) only applies to tablet scenario. For every PC scenario, Intune Client is required.

  • EAP-TLS and PEAP/MSCHAPv2 on non-domain equipment

    I'm not entirely sure this is the correct forum so I apologize. I'm merely having trouble finding the Network Policy Services forum. In short, I could use some answers to the following questions:
    Is it possible to do EAP-TLS Machine authentication with non-domain machines? Would this require 8.1's "Workplace Join" scenario?
    Can I do EAP-TLS User Authentication on non-domain machines?
    Is it possible to use a different RADIUS realm name than the internal domain structure? Something easier for the users to type and remember? Can I do that with NPS configured in Proxy mode?

    Hi,
    Based on my experience,
    EAP-TLS is only available for members of a domain.
    For non-domain member computers, the certificate must be manually imported into the certificate store or obtained by using the Web enrollment tool.
    You can specify a realm name and user name syntax in the Connection Manager profile so that the user only has to specify the user account name when typing their credentials during network connection attempts.
    In addition, you can also deploy NPS as a RADIUS proxy on your network.
    For more detailed information, please refer to the following links:
    EAP
    http://technet.microsoft.com/en-us/library/cc757996(v=WS.10).aspx
    Certificates and NPS
    http://technet.microsoft.com/en-us/library/cc772401(v=ws.10).aspx
    Realm names
    http://technet.microsoft.com/en-us/library/cc731342(v=WS.10).aspx
    Planning NPS as a RADIUS proxy
    http://technet.microsoft.com/en-us/library/dd197525(v=WS.10).aspx
    Best regards,
    Susie Long

  • ADFS, Office 365 + Exchange 2012

    Need information on How to configure the ADFS, Office 365 + Exchange 2012 on IOS device.

    Hi,
    Based on my research, we can join iOS devices to a workplace with Windows Server 2012 R2:
    Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications
    http://technet.microsoft.com/en-us/library/dn280945.aspx
    Walkthrough Guide: Workplace Join with an iOS Device
    http://technet.microsoft.com/en-us/library/dn280933.aspx
    Best Regards,
    Amy

  • Intune Company Portal application wants to install certificate during Android Enrollment

    I just tried to enroll an Android device into Intune. When I login into the Intune Company Portal application for the first time it prompts me to install a certificate and choose VPN or Wifi as Credential Use.
    Why is the Intune Portal application trying to install a certificate for VPN or Wifi use when I haven't setup or deployed any policies regarding VPN or Wifi certificates?

    This is our workplace join certificate that shows up on Non-Knox platforms.  The name and cert use info is not controlled by us.  You can ignore the VPN or WIFI information, it's just how Android categorizes their certs.
    Thanks,
    Jon L. - MSFT - This posting is provided "AS IS" with no warranties and confers no rights.
