Monthly Archives: February 2013

Citrix XenMobile

When Citrix bought ZenPrise, they bought one of the leading MDM companies on the market, and Citrix themself had some MDM functionality in their own products but nothing to what ZenPrise had, this was in December. Now in February Citrix has managed to release XenMobile (Which is a part of the bigger package called Mobile Solutions Bundle, which also includes CloudGateway)

So it is going to be interesting to see how well Citrix has managed to integrate the product into their own.
You can read more about XenMobile here à

XenMobile consists of multiple packages.

you have the Device Manager which is the main component of the MDM solution, where you create policies and enroll the devices.
Secure Mobile Gateway is the gateway in for mobiles, for instance they can block mobile devices based on their status.
You also have the Remote Support component and Multi-tenant Console I will come back to those in a later post.

Now XenMobile Device Manager Component requires a couple of things before you install it.
Java SE (For the OS you are going to install it on)

Or you will get this error message during install

It also requires PostgreSQL (But the installer is included and will pop up during installation)

(Citrix should also fix so we support for MSSQL soon)
Now after you click Next and choose install it will start with the PostgreSQL installation

The Service Configuration creates a local user and runs as a service so remember to choose a password that complies with the password complexity policy.
(And don’t choose a user which already exists)

Next we get to the real database setup, we create a superuser which we can user to connect to the database server and the databases.

Now after this it should continue on with the install.
Now we first have to choose if we have a Crystal Reports keykode

Next we enter a license code for the product

Then we create the database on the PostgreSQL server

Remember the user that you created earlier! J
Next we create a bunch of connectors for the mobile devices.

Next we need to either create self-signed or import a chain of certificates.
We require the root-CA certificate, Intermediate-CA certificate for servers and the Intermediate-CA certificate for devices.

Next we create a user we can use to access the webconsole

Next we create a certificate for the web service

Phuh, done!

Now after that is done you can access the XenMobile Console at

And login with the user you created in the last step (This install was done on a WS2012 and it worked fine!)

Looks quite the same as before J

But for previous ZenPrise customers it will only be a logo change.

Looking forward to try this product in more detail, and the synergy effect with for instance Cloudgateway and the whole Mobile solution bundle.

AppController 2.5 setup

Quick post, when setting up AppController 2.5 using the Wizard you are required to enter alot of information:

  • Administrator password and email address
  • AppController host name, IP address, subnet mask, and default gateway

    Note: You can also configure an IP address for AppController if you want a different IP address than what you configured by using the command-line console.

  • Active Directory settings
  •  Network Time Protocol (NTP) server
  • DNS server settings
  • Workflow email settings

Make sure that the Administrator which you use to connect to Active Directory has the following attributes in AD populated
Firstname, Lastname and e-mail address or you are going to get an error message when connecting. (Please make sure that the user has en e-mail address in Active Directory)

ASUS Padpone 2 First-impressions

As a part of the ASUS PadFone 2 Test Pilot project. Asus have given me the opportunity to test-drive the new Asus PadPone 2.
In addition, what is the PadPone 2? The name implies it; it is a phone and a Pad.


As you can see you have the phone which is running Android Jelly Bean, and you have a dockable pad where you slide the phone down and you have a fully functional Pad (Now the System is running in the phone so you can’t use them separately ) But they have their each separate battery, so when you dock the phone in the pad and start charging the pad you charge them both.
And! If you are running low on batteries on the phone, you can connect it to the pad and start charging it.

I have only been testing it a couple of days, and I like what I see so far I will come back with a more detailed review when I have explored most of the features.
So far the phone is light and of solid build, same goes for the pad and have tested the battery to it full extent yet since I have used the phone In docking mode sometimes and charged it there so going for 4 days straight.


PowerShell one-liners for Configuration Manager 2012

With Service Pack 1 you now have the option to use PowerShell against Configuration Manager. It comes with almost 500 cmdlets, which you can use.
And I planned that this post would be a live post where I am going to post all of my PowerShell one-liners for various tasks within Configuration Manager.
Now first of we need to import the module in order to get access to the cmdlets.

Import-module C:Program files (x86)Microsoft Configuration ManagerAdminConsoleBinConfigurationManager.psd1

after that we need to change context to the site name. In my case the site is called TST therefore I type
cd c:TST

NOTE: If you get any error messages here change to x86 PowerShell J
After you have done this you should look something like this.

Now a couple of commands first.
(Note that you can show all the cmdlets available either in PowerShell ISE or run the command

get-command –module ConfigurationManager

Install client on a device name.
Install-cmclient -AlwaysInstallClient $true -Devicename configmgr -IncludeDomainController $false -sitecode TST

You can also specify it by deviceID.
Install-CMClient -AlwaysInstallClient $True -DeviceId 16777220 -IncludeDomainController $False -SiteCode TST

If you want to fetch the deviceID or get more information regarding the device.
Get-CMDevice -Name configmgr

Get information regarding a device collection
get-cmdevicecollection -Name “all systems”

If you want to export out the XML definition of a baseline

Get-CMBaselineXMLDefinition -name laptop | out-file C:testkonge2.xml

Wish to export an application
Export-CMApplication -name intune -path

If you wish to import an application
Import-CMApplication –path

Create a new client policy
New-CMClientSetting -name konge

And if you wish to add settings to that new policy
Set-CMClientSetting -Name konge -EnableEndpointProtection $True

Add a software metering rule
New-CMSoftwareMeteringRule -productname “Notepad” -path c:windowssystem32notepad.exe -SiteCode TST

Get software requests

There are a lot more to come, with this cmdlets it makes it a lot easier to automate deployment.

Windows Server Core

With Windows Server 2012, the default option when installing is Server Core.
Server Core is not a new function it was also included in Windows Server 2008 R2 but if you installed Server Core there you had no option to upgrade to “full GUI” if you wanted to change.
In 2012, you have full options to upgrade / downgrade as you choose.

So why choose Server Core and why does it matter?

Server Core strips a server of its GUI, and all of the unnecessary components (Including Internet Explorer) and It reduces how many patches you would need to install on the server (and thus reducing the needed downtime for patching)
and since it removes Internet Explorer and the GUI it also reduces the attack surface on that server.

Does it improve the performance on the server?
Yes, it does, you do not have the CPU wasting cpu cycles on the GUI and you also get more memory available. Here is the difference between Server 2012 GUI and Core.

In 2008 R2 you had limited options to manage it remotely you would need some good tool or use WS-MAN / PowerShell.
Since WS2012 includes a fully multiserver management tool with Server Manager, it makes it easy to manage servers with Server Core.

So what options do you have for managing a server core?
Server Manager
Command Prompt

when you are finished with installing a server core setup you only get this window

(NOTE: If you manage to close the command prompt, press CTRL + ALT + DEL to open task manager and eventually start cmd.exe from there again.

From here we can start for instance sconfig or we can use PowerShell, if we use sconfig we get a command based interface to change the regular settings that appear in server manager.

Or we can use Server Manager, from here we can manage multiple servers (either via the GUI itself, or launch RDP or PowerShell

So from here I can also chose to install Roles and Features as well, I can also choose to shutdown computers as well.
And if you wish to upgrade from Core to GUI you can run the command

install-windowsfeature Server-Gui-Shell, Server-Gui-Mgmt-Infra in PowerShell.

And append a –restart on the end of the PowerShell command.

Veeam Cloud Edition

Veeam has recently (as of yesterday 11.02.2013) released a new product called Backup and replication Cloud Edition.
This product allows you to setup backup to a public cloud provider.

For instance, you can now setup a backup plan to store your backups on a blob in Windows Azure. Veeam will can also define how much backup it can done before it costs too much to store (I’ll show you in a bit how to set it up)
But this opens up a new world for it-departments that doesn’t have a secure (Veeam can encrypt file names and data with AES-128bits encryption) way to take data securely off-site to a remote destination for DR purposes.

Veeam Cloud Edition can be downloaded for testing purposes from here à

After you have installed it you can just start it from the start menu.

So we just start the backup wizard, then we are presented a lot of choices

Here we are going to choose what Cloud provider we use for our purpose. In my case I have a Azure account which I am going to setup for this purpose.
You can either setup an account here or you can go back to the main console and press the file button there.

And as you can see we have a lot of options here, so Veeam have done their homework regarding choices.
So when I choose Azure I choose add a new account, and from here I need to enter my information (Regarding endpoint in azure and my primary key)

And I choose a container (If you are unsure where to get this information you can logon the Azure portal and go into the storage pane and get the first url part of the Blob storage.
So you need this part of the blob url and down below you choose the “Manage Keys” and you get out the Primary key from there and enter it into the Veeam console.

Now we can also specify a cost of the backup, (In case the backup exceeds the cost, Veeam will not continue the backup

And we can also get Veeam to present the azure share as a local folder on the server (This requires installation of the virtual driver and also a restart)

So for instance you can get Veeam to present this share to your users as a network share and Veeam will handle the traffic from the endpoints to Azure.
After we have setup all the account information we can create a backup plan.

So choose the account you enter previously and click next à
As I mentioned before Veeam has the option to encrypt all of your data stored in the Cloud (This is not a default option)

We are going to choose Advanced mode which supports encryption and continue on from there à

Next we choose what folder to backup

Next we choose encryption algorithm and enter a password, and if we want it to encrypt the file names as well.
(ill show you later how they appear in Azure)

Then we create a purge option (how long and how many versions should we store in Azure)

And if we should run any commands and notifications after the job is complete

And after you are done with this you can run a backup.

After that Is done you can see in the Azure storage portal that the filename as encrypted

And that the data is compressed. Pretty neat ? 😉
If you go back to the server where you installed the Veeam console (And you have the virtual driver installed)
You can on the local folder there see that the data is not encrypted and that Veeam is decrypting the data in real-time.

This is the first release from Veeam which contains the functionality to store data in the cloud.
I am impressed with the amount of vendors that are supported in this release, and I am looking forward to what we can expect from them later.

Content Validation in Configuration Manager

If you have a large infrastructure with Configuration Manager, you have a lot of power at your disposable. Deploying software to maybe 100.000 computers spreading over different sites and geographical areas.
However, in many cases you will not be alone with that responsibility and everyone once in a while you always have someone that is there to make your work even harder J
And let us presume for one min that someone manages to swipe a software packages on a DP or change it in some way.
It is not easy to check that a file has been altered except if you have audit policies in place but then again you would have to monitor the access.
Also you need some form for compliance to see that the packages are the same on all the DP’s and didn’t suffer from a corruption and are deploying not working packages/applications

This is where Content Validation comes in; Content validation is a feature to check the status of content that has already been distributed on a distribution point.
It will compare the content on the disitribution point is the same as the content in the source of the application or package. If the content is not valid, then it will be reported in the content status node in the monitoring node.

So how to activate Content Validation?
This is done on Distribution Point level under Administration à Servers and Site System Roles à Distribution Point

When you activate this you can watch the smsdpmon.log (To check if any packages report back non-compliant) and if you go into the monitoring pane à Distribution Status à Distribution Point Configurations Status à

In case it is non-compliance you will end up with a log file like this.

Now if you get a non-compliant package, Configuration Manager cannot auto remediate the package, you would have to redistribute the package to the distribution point again.

Configuration Manager 2012 Toolkit

Seeing that many are goggling on this site for how to troubleshoot Configuration Manager deployment in one or many forms, I decided to write a post of the common toolkit that you can download which can be used in many cases (and make it easier) to troubleshoot within Configuration Manager. Now in many cases there is a log file, which in many cases will tell you what the problem is if you have any, but looking through all the text files is not always as easy.
But always remember that on the Configuration Manager media you have CMtrace. Under SMSSETUP à Tools.

This will be your best friend when troubleshooting in log files (Both on the client and the server)

It updates in real-time therefore it is easy to follow what activities happen on the server. When you choose open log file it will automatically open a network destination to the Configmgr server and the log file.
And it will highlight error and warnings that appear.

In addition, with using filter abilities you can find the data you are looking for, and have multiple log files open at the same time.
However, let us head back to the Toolkit I actually spoke of (Which is a separate download from Microsoft, which can be downloaded here à )

It Contains multiple tools.

System Center 2012 Configuration Manager Toolkit The Microsoft System Center 2012 Configuration Manager Toolkit contains nine downloadable tools to help you manage and troubleshoot Microsoft System Center 2012 Configuration Manager. The following list provides specific information about each tool in the toolkit.

  • Client Spy – A tool that helps you troubleshoot issues related to software distribution, inventory, and software metering on System Center 2012 Configuration Manager clients.
  • Policy Spy – A policy viewer that helps you review and troubleshoot the policy system on System Center 2012 Configuration Manager clients.
  • Security Configuration Wizard Template for Microsoft System Center 2012 Configuration Manager – The Security Configuration Wizard (SCW) is an attack-surface reduction tool for the Microsoft Windows Server 2008 R2 operating system. Security Configuration Wizard determines the minimum functionality required for a server’s role or roles, and disables functionality that is not required.
  • Send Schedule Tool – A tool used to trigger a schedule on a client or trigger the evaluation of a specified DCM Baseline. You can trigger a schedule either locally or remotely.
  • Power Viewer Tool – A tool to view the status of power management feature on System Center 2012 Configuration Manager clients.
  • Deployment Monitoring Tool – The Deployment Monitoring Tool is a graphical user interface designed help troubleshoot Applications, Updates, and Baseline deployments on System Center 2012 Configuration Manager clients.
  • Run Metering Summarization Tool – The purpose of this tool is to run the metering summarization task to analyze raw metering data
  • Role-based Administration Modeling and Auditing Tool – This tool helps administrators to model and audit RBA configurations.
  • License Tracking PowerShell Cmdlets – The PowerShell cmdlet “Get-ConfigMgrAccessLicense” is used to get license usage information for all the servers and clients within scope of System Center 2012 Configuration Manager. The cmdlet returns a list of licensable features and a list of unique users and devices per unique licensable feature.
    • So let’s take a look.
      Client Spy is a tool to check what Software distribution, inventory and metering is running on the client. It will get information from the registry and the local folders on the disk.
      (So remember that Remote Registry service needs to run in order for it to function.

      For instance, here I can see what Software Metering rules are running on the client. If we click Tools, we can choose from Distribution, Metering or Inventory.

      Policy Spy, allows you to see what policies (agent settings) which have been deployed to the client. For instance, we can see what Endpoint protection policies the client currently has.
      And we can also see Software Metering rules here as well ( since that is a policy rule )

      The Security Configuration Template is for SCW which is a role that is designed to reduce the attack surface on a Windows Server OS. The template is installed in the installation path you choose when installing.

      Note that this template does not work in WS2012 yet.

      Send Schedule Tool allows to trigger for a specific baseline (DCM on a client) it is run in a cmd window.

      Power Viewer Tool allows you to see Power policies on the client.

      Deployment Monitoring Tool is another tool to monitor deployments on the clients.

      And it shows all the options for the deployment.

      Run Metering Summarization is just a command line tool to run summarization task to analyze raw metering data.

      And the Role Based Administration Modeling and authoring tool is a pretty cool one, it allows you to enumerate what access a user can get in the console.

      And last but not least the PowerShell cmdlets, which allows to get license usage for the Configirmgr site (servers and clients)

      First we have to import the module, then run the get-configmgraccesslicense command.

      In addition, we have other third party tools (Right Click tools) is a popular release (which was recently updated) Which is a add-on that is installed as an add-on on the Console.


CAS and WSUS syncing

A Quick post
With System Center 2012 the CAS role was introduced ( Look at my previous post à )
Since this is the role sits on top of the hierarchy it needed to sync its SUP/WSUS point directly with Microsoft Update.
In many cases, the CAS role might not even be connected to the internet or have limited connectivity, and with this came the challenge.
You had little or few options that you could use to connect your CAS server to Microsoft update, one of those options could be to use a proxy server between the CAS and Microsoft update. Another one would be to allow the CAS to only talk directly to the internet, but this is not always the best way to go.

But! With Service Pack 1 of System Center 2012 you now have the option to synchronize your CAS with an on-premise WSUS server, (this is one of the many changes in the hierarchy structure in SP1 refer to more of these articles on TechNet à

Starting in Configuration Manager SP1, you can install multiple software update points at a primary site. The first software update point that you install is configured as the synchronization source. This synchronizes from Microsoft Update or a WSUS server not in your Configuration Manager hierarchy. The other software update points at the site use the first software update point as the synchronization source.

Starting in Configuration Manager SP1, at the top-level site, you can specify as the synchronization source instead of Microsoft Update an existing WSUS server that is not in the Configuration Manager hierarchy.

Starting in Configuration Manager SP1, You can select from two built-in software update deployment templates from the Automatic Deployment Rule Wizard. The Definition Updates template provides common settings to use when you deploy definition software updates. The Patch Tuesday template provides common settings to use when you deploy software updates on a monthly cycle.

Install images and servicing

After installing Windows 7 and Windows 8 a couple of times you get tired of running Microsoft update for the hundred time to run through a bunch of security updates (Which in many cases will leave your clients in a vulnerable state until they are finished patch) and OS bug fixes. Since your deployment (install.wim) only contains the latest patch until it was releases you have to manually patch the image file in order to get the latest patches.

This is where Image servicing comes in. With Image servicing you can update your install image files directly from Configuration Manager (This requires that you have configured your Configuration Manager site with a SUP point) and with it you can create a schedule that automatically updates your images.
One thing about this function that it can only apply Component Based Updates (CBS) (You can read more about CBS here à
so when you run the wizard you will most likely not see all updates that are available for the OS. In that, there are other ways to update your image.
Either you can use the Task Sequence activity or you can create a new master image, which contains the latest updates.
If you wish to inject a new driver into the image, you can use DISM.

IF you have installed and configured SUP you can open Software Library à Operating Systems à Operating System Images à Right click on the selected Image you wish to update and choose “Schedule updates” à

(Here you will be presented with a list of patches, which meet the following criteria:

* They are CBS updates
* The updates have been deployed to your environment (this is so you can easier use patches that you have already tested and you know it works)

The updates will show according to what architecture you choose à

And from here I can choose to update the image with the patches, so when I choose update the site server will move the updates and the install.wim file to a temp file, mount the wim file via DISM and inject the updates.
Then it will move the wim file back to the original folder.
After the update is complete, you can see under “installed updates” to see which updates are installed.