CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

One thing that many of my customers both Servicedesk staff, Support staff and administrators complain about with Configuration Manager 2012 Remote Tools is that the client service is set to Automatic (Delayed Start) when installed per default.

When remote controlling a user’s machine and a reboot is necessary, the service doesn’t start immediately and it feels like it takes forever for them to able to remote control the computer again.

Changing the startup to Automatic instead of Automatic (Delayed Start) can be done using a Group Policy and a Group Policy Preference setting. Under Services add the SCCM Remote Control Service and change the startup to “Automatic”



When the Group policy preference is applied, the service startup is changed. Have run it as Automatic for more than a year now, works great.


Next question would be:
“Doesn’t the sccm client remediation task that runs on the clients change it back to “Automatic (Delayed Start)?”
No it doesn’t, actually it will however change it back to “Automatic” if you set it to “Automatic” before setting it to “Disabled” and then run the CCMEval task, so it will work just fine.

Next Question: “Is it supported?”
I guess that could be debated ;-)

I had a scenario at a customer where I needed to set and iOS device in Kiosk Mode with the only allowed app, the Safari browser. Currently in Microsoft Intune Standalone when you select Kiosk Mode you have to select either a Managed App or a Store App when you select the Kiosk Mode option.

Let’s start with the background. To be able to set an iOS device in Kiosk Mode you need to configure it to “supervised mode” which have to be done with the Apple Configurator on an computer running OS X. When the device is in supervised mode enroll it in Intune as you normally would with any device, then we can configure Kiosk mode using Intune.

Create an iOS Configuration Policy with the following settings.

1. Create a new “iOS Configuration Policy”

2.  Enable the “Select a managed app that will be allowed to run when the device is in Kiosk mode:” if you browse you have to select either an application in the App Store or a managed app that you have deployed (.ipa). Instead of browsing simply type “”, then Safari is the app that will be allowed to run in Kiosk mode and no one else. You can also turn off/control if you want to allow screen rotation and so on in the options below.
iOS_Safari13. Save the policy and deploy it to a group, in my scenario a group called “kiosk”



4. As soon as the policy is applied Safari will be launched on the iPad and you cannot close it or do anything else than browse the web using Safari.

If you want it out of Kiosk mode you can do any of these things:

  • Choose to Retire it using the Intune console, it will be removed from Intune if you choose this option.
  • Delete the deployment of the policy that has set it in Kiosk mode
  • Delete it from the group where the policy is applied.

I have a new favorite feature in standalone Intune, custom iOS Policy. This lets you basically deploy a XML file with the supported configuration information you want to set on an iOS device even if it isn’t available in the Intune console, like deploying a Wi-Fi network with WPA2 and a Password.

The easiest way to create a profile file is to use the Apple Configurator, it is only available for OSX so you need a machine running OS X. Notepad can of course also be used ;-) Apple Configurator is available in the App store on OS X. In this example I will create a custom policy using Apple Configurator which configures a Wi-Fi WPA2 SSID with a password and then deploy it using Intune.

  1. Launch Apple Configurator and create a new policy.Apple_conf1
  2. Give the policy a Name and enter your Organization name.Apple_conf2
  3. Select Wi-Fi and click configure.Apple_conf3
  4. Enter the information about the Wi-Fi network, here you can select WPA2 Personal and supply the password which isn’t possible in Microsoft Intune for now at least. Then select Save Apple_conf4
  5. When the policy is created, select it and select Export Profile.Apple_conf5
  6. Save it somewhere where you can access it later and upload it to Intune, I save it to my Onedrive.Apple_conf6

The XML file will get an extensions of .Mobileconfig and it looks like this:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">

<plist version="1.0">
















<string>Configures Wi-Fi settings</string>

































More information about valid syntax and settings can be found here:

To deploy the newly created custom iOS policy file do the following:

  1. Login to the Intune console at using a supported browser and platform = Windows Client.
  2. Under Policy and Configuration Policy, select AddPolicy1
  3. Select Create and Deploy a Custom Policy and Create Policy.Policy2
  4. Enter a Name, Name displayed to the user and import the wifi4.mobileconfig file created before. Then select Save Policy.Policy3
  5. A dialog appears that asks you if you want to deploy the policy.Policy4
  6. We then select a group to deploy the policy to, in my case TechX demoPolicy5
  7. On the iOS device, in my case an IPad Mini I can now see that the policy is applied under the Management Profile (yes it is in Swedish)Profile1

The Custom iOS policy is a really powerful tool, wish for it to be available in Hybrid scenarios as well!

As I wrote here before there were some issues with the update of the System Center Endpoint protection client that caused all downloads in Internet Explorer, Firefox, Chrome and so on was blocked with a message that they contained a virus.

A new updated version is now released, where this issue is fixed. It is available through Windows Update and WSUS. The KB that describes the revised System Center Endpoint Protection Client can be found here:


A couple of weeks ago TechX Azure 2015 Sweden took place in Stockholm. I had the great honor to present on how to manage Android and iOS devices using Microsoft Intune. The recording is now available here (in Swedish):…

As Enterprise Mobility Suite is a really hot topic right now here are two great sessions on Azure RMS and Azure AD Premium as well also in Swedish.

Happy EMS weekend!

On patch Tuesday this month, February 2015, a new version of the System Center Endpoint Protection client was released, which replaces the one released in October. The same way as the latest versions of the Endpoint protection client they are released on Microsoft Update / WSUS and can be deployed as an update to your clients. The scpeinstall.exe file on the Configuration Manager 2012 servers are updated with the Cumulative Updates as it has been before as well. So when you deploy a new System Center Endpoint Protection client it will require this update as well.

New in this release from the KB article,
The KB article was updated 13/2 with this new content.

Update 20150220:

The Update is now pulled back from Windows Update and expired in WSUS, if you are experiencing the issues with downloads being blocked with a message that they contain virus, you should downgrade those effected systems. More details can be found here: Team Blog

Update 20150302

A new version  is released with the issue resolved:

“The revised update to address the Internet Explorer download issue is now available on Microsoft Update and Windows Software Update Services as KB3041687. This release is version″.

  • Improvements to registry and file system protection to counter tampering from malware.
  • Sub-mount points can be automatically excluded, and volumes can be fully excluded in Real time protection (RTP).
  • This update also includes the deprecation of the DisableGenericReports subkey in the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Reporting

    Note Unless this key is edited directly in the registry, this update should not have any effect on telemetry behavior.

    After you apply this update, to disable telemetry that’s sent by Endpoint Protection through Microsoft Active Protection Service (MAPS), open the Endpoint Protection UI, click the Settings tab, select the MAPS section, and then click I don’t want to join MAPS.


    • Administrators can manage the MAPS configuration options through Windows Management Infrastructure (WMI), Windows PowerShell, and Group Policy.
    • Endpoint Protection may request file samples to be sent to Microsoft for further analysis. By default, Endpoint Protection will always prompt before it sends such samples. There is an option available to send samples automatically. To opt in to automatic sample submission, open the Endpoint Protection UI, click the Settings tab, select the Advanced section, and then click Send file samples automatically when further analysis is required.
    • Administrators can manage automatic sample submission with additional configuration options through WMI, PowerShell, and Group Policy by using the following registry subkeys:
      • MAPS Configuration Registry location:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Reporting

        DWORD name: SpyNetReporting
        DWORD values:

        • 0 – Off
        • 1 – Basic Membership
        • 2 – Advanced Membership
      • Sample Submission Registry location:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Reporting

        DWORD name: SubmitSamplesConsent
        DWORD values:

        • 0 (default) – Automatic sample submission disabled. End-users will always be prompted for samples.
        • 1 – Most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
        • 2 – All sample submission disabled. Samples will never be sent and end-users will never be prompted.
        • 3 – All samples will be sent automatically. All files determined to require further analysis will be sent automatically without prompting.

The new version is which can be seen in the UI under help.

SCEP4.7.250.0I have seen some issues being reported on the forums and from customers.

  • WMI related errors in the event logs and SCCM Client Health reports back a faulty WMI, a reboot solves this issue.
  • The next issue with the update is that registry keys needs to be configured as the KB articles states above, to stop the Submit sample consent dialog from being displayed and to be able to configure MAPS membership.
  • There has also been reports about all downloads in IE being blocked as they contains virus, no real solution to that one yet.

I thought I would share how I demo Microsoft Intune and management of devices as it hard to display some devices in a Lync call or in a conference room, and it is heavy to carry all that hardware with you ;-)

Android, for testing Android I use Genymotion which is a Android Emulator that is free for personal use. It uses VirtualBox seamless in the background and runs Andorid virtual on top of Virtualbox. You can download Android images for Samsung Galaxy S4 with Andorid 4.4, Nexus and a lot more.
Genymotion1 To be able to enroll it Google Play must be working on the virtual Android device, here is a blog post on how to enable it

After that you can just fire up you Android device and enroll it in Intune.

iOS, For iOS I have used iTools before but it doesn’t work that well with iOS 8.2 anymore so I reverted back to using the Reflector application instead which makes you PC a Airplay device so you can simply use Airplay on you iOS device and select to mirror the screen of your PC. Works really well.
One note though, if you are using guest wireless network it is not always that they allow peer-to-peer connections so I use a small 4G wifi pocket router so I know it works.

Windows Phone, Windows Phone is somewhat easier as in Visual Studio Express 2013 with Update or later you can choose to install the Windows Phone 8.1 emulator as well. . The Windows Phone 8.1 emulators uses Client-Hyper-V in the background so it cannot run on the same machine as Virtual box and Genymotion, here is one solution that can be used from Scott Hanselman to add a boot option to your Windows 8.1 and choose Hyper-V or VirtualBox.

Happy Intune testing!!

In the January 2015 Patch Tuesday update the .Net Framework 4.5.2 is included as an update to all supported platforms. Category: Feature Packs.


If you haven’t tested .NET Framework 4.5.2 with your applications already and you are building your images and pulling the updates for those images from Windows Update Directly you need to exclude the .NET Framework 4.5.2.

I wrote a post on this a while ago so just replace the KB article with the one for .NET framework 4.5.2 in this post.

Some more information about .NET Framework 4.5.2:

What’s new in .NET Framework 4.5.2
nown issues with .NET Framework 4.5.2