Monthly archives "February 2015"

EMS for Everyone!

Joe Kuster

Microsoft announced that the licensing model around the Enterprise Mobility Suite is going to be changed on March the first, until now EMS is part of the Enterprise Agreement, but individual components could be purchased ala-carte.

Starting next week, EMS will be part of open license model.

Additionally, Microsoft Action Pack subscribers, along with Silver and Gold competency partners, will receive access to EMS and Azure AD Basic as part of their Internal Use Rights benefits.

More at:

Streamline Clients Upgrades via System Center 2012 Configuration Manager Servicing Extension

Joe Kuster

The Servicing Extension is a free add-on to Microsoft System Center 2012 R2 Configuration Manager. One of it’s most useful features in my opinion is automatically creating queries for every version of ConfigMgr agent that you need. This helps target client updates turning it into a trivial exercise since it writes the collection query for you.

First, download it here: 

After re-opening the console, you will now have a new Site Servicing module under the Administration Workspace.


To create targeted client collections, simply click on Client Targeting to view your options. Click Create Query for the version older than your most current update.


Choose that version and below, then Create Query.


Now that you have a reusable query, simply make a new Collection and import that query.



Create a deployment for your ConfigMgr update to the newly created collection.



This extension highlights also new updates and releases, helping you keep ahead of newly released updates.



Happy Patching!

3rd Party Love for gSyncit – Integrate Exchange data with Non-MS Friendly Tools

Joe Kuster

Today I decided to give some love to one of the cross platform sync apps that makes my life better. I’m passionate about how awesome Office 365 has become and I’m never switching back, but I also love making my live better through automation and delegation. There are tons of great services out there that use that tap into my calendar, contacts or tasks but they aren’t all natively compatible with Exchange or Exchange Online.

To list a few:

FancyHands – A virtual concierge service, from waiting on hold with Comcast for me, scheduling doctors appointments, to buying flowers at an out of state boutique to be delivered to my Mother’s place of work. They create appointments for me, but only use Google calendars. They also scan my upcoming appointments and emails for recommendations on things they can either automate or help me with.

IFTTT (If This Then That) – Synchronization engine to monitor triggers and initiate events via a large list of web APIs. This allows me to do things like text message me the evening before it snows, turn on my AC as I’m driving home, automatically post my blog summary to Twitter, add intelligence to my SmartThings home automation, automatically log all of my vehicle mileage in a spreadsheet for work and so on.

Zapier – Similar to IFTTT with different APIs that it can sync with and trigger from.

All of these services are firmly planted at synchronizing with Google and have no integration into Exchange delegation or sharing, so what’s a Microsoft entrenched fan boy to do?

Why, leverage a dummy Google Account for all of those services to talk to and just use gSyncit of course! I can set up one direction sync, customize privacy settings, visibility of details, only sync certain categories of data or anything else I need to do to keep my corporate data safe while making the most of the 3rd party services. Sure, the data is being mined, but in my circumstances, it doesn’t matter. I use Azure RMS on sensitive data, limit my sync details to protect my contacts and since it’s a dummy account I’ll will never log in to see the ads.


Installation and configuration takes a little less than 5 minutes, and once complete gSyncit will be running in the background while Outlook is open, silently synchronizing all of your Exchange data with Google and any other services like Evernote that you’d like it to do so. Once in place, simply target all of your 3rd party tools to this dummy Google account. As a heads up Outlook often doesn’t like to shut down gracefully while gSyncit is running even with the shutdown agent helper, so I’ve set mine up in a VM with auto login and auto start of Outlook so it’s up 24×7 so I don’t have to install the software anywhere else to keep my data up to date.

As a awesome perk, you can go from Exchange to Google to another Exchange account, allowing for seamless synchronization of Exchange data for folks like me who have a personal Office 365 account in addition to a work Exchange account and even includes a duplicate entry tool. It makes transferring contacts or meeting invites a thing of the past. That alone was well worth the $20.

Happy Automating!

CopyAccountCert: failed hr 0x80070005 During Intune Install

Joe Kuster


Very recently my colleague Nick Moseley over at encountered the following error during the installation of Intune on a Windows 7 workstation.

Process: C:\Users\<username>\Desktop\Microsoft_Intune_Setup.exe
CopyAccountCertificate(): Attempting to copy account certificate from C:\Users\<username>\Desktop\MicrosoftIntune.AccountCert
FATAL: CopyAccountCert: failed hr 0x80070005

We weren’t able to find many leads on the error for Intune, but I was able to find a related error related to Windows Updates We were logged in as an Administrator, so we could nix that issue. While not directly applicable to Intune, it did point us in the direction of checking the Access Control Lists (ACL). During our testing, were able to confirm that creating a new users on the system and installing from that account resolved the issue.

Root cause: Windows ACLs were corrupted

Fix: Rebuild user account or if you cannot do that, use the following the steps:

  1. Download the SubInACL tool and install it in the %windir%\system32 folder. The %windir% placeholder represents the Windows operating system folder. For example, C:\Windows.
  2. Start Notepad, and then copy and paste the following commands:

  3. Save the file as Reset.cmd.
  4. Right-click the Reset.cmd file in File Explorer (in Windows 8.1 and Windows 8) or Windows Explorer (in Windows 7 and Windows Vista), and then click Run as administrator. In Windows XP, double-click the file in Windows Explorer.
  5. Wait until the execution finishes, and then try to install the update again.

Note If you receive errors when you run SubInAcl, see the following Microsoft blog: Notes about a couple of possible issues while using the SubInAcl tool.

I Live Streamed My Microsoft Password to 5,000 Viewers–And I’m Not Scared

Joe Kuster

Scared KidDuring System Center Universe, I got to speak about Enterprise Mobility Suite. One of those nifty features in EMS is Multi-Factor Authentication (AKA Two-Factor Authentication). During my presentation, I intentionally fat fingered my password into my username field, why? To set up a scenario that would prove MFA’s value of course!

What did I expect? That at least some of you out there in viewer land would start hammering that account, and you didn’t disappoint! It took about thirty seconds during my presentation and my phone started vibrating like mad as the more devious among you tried to put in / Password123. But since you were all connecting from an unknown device, it needed that additional factor for authentication.

When you configure your MFA options, you have the choice to use the typical SMS, phone call or app key, but you also have the option to configure the Microsoft Account App to dynamically prompt. Here is what that looks like:

Multifactor Authentication via Interactive Prompt

While you all were hammering on my phone, this screen popped up. In one click, I could have reported the fraudulent attempts, warned my Administrator about your IP, the misuse of my account and immediately forced a reset on my password. Cool stuff right?

All I had to do is hit verify when I logged in, and continue my live presentation and ignore the rest. I left it on for the rest of the day and only had a couple dozen hits on the account. I did eventually reset the password, but it was great to see this in action.

If you choose the other options, instead you’d get something like this:

Multifactor Authentication via App



Multifactor Authentication via Phone Call


So, this is great an all for my presentations, but the real world application is probably closer to to your users, specifically the probable Post-It Note with passwords. During my IT career I’ve found hundreds if not thousands of these in places ranging from HR departments, government to banks.

Post-It notes, losing your passwords since 1978


password taped under monitor

password taped under phone

password taped under mouse


Securing your password doesn't mean using tape

Issues Running the Intune Managed Browser? See Requirements Below.

Joe Kuster

The new Intune Managed Browser allows some cool new capabilities such as whitelist/blacklist and remote wiping of browser caches. Right now it’s only available on Android, however word is that the iOS version has been submitted and is only awaiting Apple approval. If you want to give it a test run, as a word of caution, you cannot simply download it and run it, even if you have a compliant Intune Managed device. Go ahead an uninstall the browser for now and instead take the following steps:

  1. Create a Managed Browser Policy under Policy > Configuration Policies > Add
  2. Expand Software > Mobile Browser Policy (Android 4 and later) and select Create a Custom Policy
  3. Provide a Policy Name, add any whitelist/blacklist pages and hit Save Policy
  4. Under Software > Managed Software choose Add Software
  5. Sign into the Software Management wizard
  6. Choose Add Software and click Next
  7. Choose External Link and paste in 
  8. Fill out the Application Details. I have added the Intune Managed Browser logo below, simply save as and use it.
    2015-02-06 20_46_10-Intune Managed Browser - Android Apps on Google Play


  9. Click Next and Upload
  10. Back in the Intune Portal, Navigate to Software > Managed Software. Highlight the Intune Managed Browser and select Manage Deployment.
  11. Deploy to your users or devices, select your Android MAM policy if required (highly recommended, see MAM post for how to) and under Managed Browser select the policy you created on step.
  12. Enjoy your new Managed Web Browser Smile

2015-02-07 04.01.03

How to Look Up When Your Intune Tenant Will be Updated

Joe Kuster

Looks like February Intune update will hit North American on 2/9/15. How do I know? Easy, check out the Microsoft Intune Status Page and look for planned maintenance dates Smile


This month’s update will include:

  • Management of Word, Excel and PowerPoint in Android to include copy/paste restrictions
  • OneNote for iOS management, same as above
  • Windows Phone 8.1 app install via Company Portal website
  • Enhanced Wi-Fi profile deployment
  • Cisco AnyConnect per-app VPN for iOS
  • Encryption of Windows 8.1 x86
  • Configuration of minimum platform updates to install automatically on Windows 8.1 x86