Author Archive

Note-to-self: Strengthen your Intune/SCEP with ADCS

Fri 25 Sep 2015

Recently I got a question from a customer about SCEP.
SCEP as in “Simple Certificate Enrollment Protocol”, not “System Center Endpoint protection”.

Pretty important difference, although SC (System Center as in SCCM) is involved in this case.

The customer is investigating the integration of ADCS (Active Directory Certificate Services) with Intune.

The customer found an interesting article: “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests”.

In short, the article mentions (quote):

“SCEP was designed for use “…in a closed environment” and is not well suited for MDM and “bring your own device” (BYOD) applications where untrusted users and devices are in use.

When a user or a device requests a certificate, the SCEP implementation may require a challenge password. It may be possible for a user or device to take their legitimately acquired SCEP challenge password and use it to obtain a certificate that represents a different user with a higher level of access such as a network administrator, or to obtain a different type of certificate than what was intended.”

In Windows Server 2012 R2 Active Directory Certificate Services (AD CS), NDES supports a policy module that provides additional security for SCEP.

Windows Server 2012 R2 AD CS NDES does not ship with a policy module. You must create it yourself or obtain it as part of a software solution from an MDM vendor.

Microsoft Intune DOES HAVE that module.

But how do you integrate your ADCS with Intune?
Well, here’s the interesting stuff, there is a bunch of interesting reading and even step-by-step guides available from one of our Microsoft colleagues.
Just to be clear: all credits go to the original authors of ALL these articles I point you to.

But I think the links below belong in your favorites collection.

The technical background info you can find on TechNet was updated recently:

If you really want to dive into it, with practical hands-on, please check this out (credits to Pieter Wigleven)

Pieter has put quite some effort to document the procedures step-by-step with very interesting screenshots.
Enjoy and share!

Using PowerShell to generate Event Viewer statistics and event exports

Thu 17 Sep 2015

During FIM health checks we need to have a good overview of the event viewer on the FIM Servers.
In almost any case the event viewer is a good measure of the server’s health.

The more red and yellow you see, the more errors and warnings, the more work you’ll have to get your server in a healthy state.

First goal is to have a general temperature of the health.
Second goal is to have the details to fix the issues.

I’ve created a PowerShell script to analyse the event viewer logs.

Instead of posting the PowerShell script in this blog, I’ve published it on TechNet Gallery, over here:

There is a companion Wiki article with some guidance and configuration manual.

In short, the PowerShell script is a modular script that offers the following functions:

  • display the event log properties
  • analyse number of events per category
  • analyse number of events per severity
  • overview of error events with source, severity and sample message
  • detailed list of last event per eventID

You can configure the script:

  • choice of event logs
  • history length (period of events to report on)
  • enable/disable logging
  • enable/disable result export to file


Before you start

  • validate your script execution policy
  • copy the script to a separate folder where you can execute the script
  • validate the script parameters

Script configuration parameters

  • $enableLogging
    • $TRUE = create a transcript of the script during run (does not work in ISE)
    • $FALSE = do not create a verbose log
  • $ExportEnabled
    • $FALSE = do not export the result to file
    • $TRUE = export the results, statistics and event details to file
  • $EventLogList
    • Default: 'System','Application','Setup','Forefront Identity Manager','Forefront Identity Manager Management Agent'
  • $startdate
    • Defines from which point in time the event logs must be analysed
    • HINT: on a system with a large size of event logs, it’s advised to limit the history to x days or x weeks. A large volume event log will impact the usage of script memory.

I’m more than happy if you would test the script and provide me feedback to improve the script.
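To show what the severity statistics and the "last event per event ID" listing look like in practice, here is a compact sketch added for illustration. It is not the script published on TechNet Gallery; the variable names mirror the parameters described above, and the 7-day window and the export folder are assumptions.

```powershell
# Added example, not the TechNet Gallery script. Requires PowerShell 3.0 or later.
# The 7-day history and the export folder are assumptions; adjust to your health check.
$EventLogList  = 'System','Application','Setup','Forefront Identity Manager',
                 'Forefront Identity Manager Management Agent'
$startdate     = (Get-Date).AddDays(-7)
$ExportEnabled = $false
$exportFolder  = Join-Path $env:TEMP 'EventLogReport'   # hypothetical location

function Get-EventLogSummary {
    param([Parameter(Mandatory)][string]$LogName,
          [Parameter(Mandatory)][datetime]$StartTime)

    $log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    if (-not $log) { Write-Warning "Log '$LogName' not found, skipping"; return }

    # Filtering in the query (not with Where-Object) limits memory use on large logs.
    $filter = @{ LogName = $LogName; StartTime = $StartTime }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        LogName    = $LogName
        SizeMB     = [math]::Round($log.FileSize / 1MB, 1)
        Total      = $events.Count
        BySeverity = $events | Group-Object LevelDisplayName | Select-Object Name, Count
        # Most recent event per source and event ID, errors and warnings only (Level 1-3).
        LastPerId  = $events | Where-Object { $_.Level -in 1, 2, 3 } |
            Group-Object ProviderName, Id |
            ForEach-Object { $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1 } |
            Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
                @{ n = 'Sample'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

$report = foreach ($name in $EventLogList) { Get-EventLogSummary -LogName $name -StartTime $startdate }
$report | Format-Table LogName, SizeMB, Total -AutoSize | Out-String
$report | ForEach-Object { "== $($_.LogName)"; $_.BySeverity | Format-Table -AutoSize | Out-String }

if ($ExportEnabled) {
    New-Item -ItemType Directory -Path $exportFolder -Force | Out-Null
    foreach ($r in $report) {
        $file = Join-Path $exportFolder ('{0}-errors.csv' -f ($r.LogName -replace '\s', '_'))
        $r.LastPerId | Export-Csv -Path $file -NoTypeInformation
    }
}
```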


Note-to-self: quickly checking which #FIM2010 Sync Security groups used

Tue 15 Sep 2015

Although it’s best practice to use AD-based security groups to set up your FIM/MIM, this is not always the case in practice.
So, how do you quickly verify which groups have been used to secure your FIM Sync configuration?

On the FIM Synchronization server, open the component services

(samples are taken from a Windows Server 2012, but this also applies to Windows 2008 …)

First, look up and open Component services

1. find component services

Within the Component Services navigate to “Computers > My Computer”, open DCOM Config

2. open DCOM config

It’s very likely that you get the icon view, switch it to detailed view.

3. change view to details

Then look up the Forefront Identity Synchronization Manager configuration item.

4. open FIMSync Service Props

Right click on it, click properties

5. open Security tab - launch and activation

Click the security tab.

And on the “Launch and Activation Permissions” section, click the edit button.

In case the sections are greyed out, you need to set registry permissions to allow access.

Side note

In the Component services console, you might encounter that the security options are greyed out…

Here’s the solution to fix this quickly:

6. Launch and activation permissions

Now you should see the FIM Sync Security groups configured.

The info will show you (based on the group names) if local or AD groups have been used.

End note on this topic: you can’t change these groups manually.
You need to run the FIM Sync installation wizard in repair mode to fix or change these groups.

The wizard will change the component services, DCOM config, registry and local NTFS permissions to match the groups.

If you would like to do it in a more scripted way, you can use the DCOMPerm code sample, which is included with the Microsoft Windows SDK for Windows 7 and .NET Framework 4.

Sample command:

dcomperm -aa {835BEE60-8731-4159-8BFF-941301D76D05} list


Access permission list for AppID {835BEE60-8731-4159-8BFF-941301D76D05}:

Remote and Local access permitted to CONTOSO\FIMSyncAdmins.
Remote and Local access permitted to CONTOSO\FIMSyncOperators.
Remote and Local access permitted to CONTOSO\FIMSyncJoiners.
Remote and Local access permitted to NT AUTHORITY\SYSTEM.
Remote and Local access permitted to CONTOSO\svcfimsync.
Remote and Local access permitted to CONTOSO\FIMSyncBrowse.
Remote and Local access permitted to CONTOSO\FIMSyncPasswordSet.
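
If the Windows SDK sample is not at hand, the same check can be done with WMI. The following is an added example, not part of the original post: it reads the Launch and Activation permissions (the ones shown in the GUI steps above) for the AppID used in the sample command and flags whether each trustee is a local or a domain principal. It assumes Windows PowerShell 3.0 or later in an elevated session on the FIM Synchronization server.

```powershell
# Added example; not from the original post. Run elevated in Windows PowerShell.
# The AppID is the one used in the dcomperm sample command above.
$appId = '{835BEE60-8731-4159-8BFF-941301D76D05}'

# COM access-right bits as defined in the Windows SDK (COM_RIGHTS_*).
$comRights = @{
    1  = 'Execute'
    2  = 'ExecuteLocal'
    4  = 'ExecuteRemote'
    8  = 'ActivateLocal'
    16 = 'ActivateRemote'
}

function Get-DcomLaunchAce {
    param([Parameter(Mandatory)][string]$AppId)

    $app = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter "AppID='$AppId'" -EnableAllPrivileges
    if (-not $app) { throw "No DCOM application registered with AppID $AppId" }

    $result = $app.GetLaunchSecurityDescriptor()
    if ($result.ReturnValue -ne 0) { throw "GetLaunchSecurityDescriptor failed: $($result.ReturnValue)" }
    if (-not $result.Descriptor) { Write-Warning 'No explicit launch permissions; machine defaults apply'; return }

    foreach ($ace in $result.Descriptor.DACL) {
        $domain = $ace.Trustee.Domain
        # A trustee domain equal to the computer name (or BUILTIN) is a local principal.
        if (-not $domain -or $domain -eq 'NT AUTHORITY') { $scope = 'WellKnown' }
        elseif ($domain -in $env:COMPUTERNAME, 'BUILTIN') { $scope = 'Local' }
        else { $scope = 'Domain' }

        [pscustomobject]@{
            Trustee = '{0}\{1}' -f $domain, $ace.Trustee.Name
            Scope   = $scope
            Type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Rights  = ($comRights.Keys | Sort-Object |
                       Where-Object { $ace.AccessMask -band $_ } |
                       ForEach-Object { $comRights[$_] }) -join ', '
        }
    }
}

Get-DcomLaunchAce -AppId $appId | Sort-Object Scope, Trustee | Format-Table -AutoSize
```

Rows with Scope "Local" indicate that local groups, not AD groups, were chosen during the FIM Sync installation.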

Note-to-self: #FIM2010 Virtualisation support

Tue 15 Sep 2015

Nowadays it’s no longer a hot topic but rather common practice to run your FIM / MIM environment in a virtualized setup.
Still once in a while we do get questions about virtualization support for FIM/MIM.

Bookmark the sources below, as it might be useful to retrieve the answer quickly.

First, the more general place to check is the Windows Server Catalog.
On that catalog page you find the link to the Server Virtualization Validation Program site:

“Please visit the Server Virtualization Validation Program site for more information on validated solutions and available support.” 

That page mentions:

“Information on Microsoft’s support policy for Hyper-V and Azure can be found at:


“The information provided by the Microsoft Application Support Policy is for guidance purposes only. Please visit the Products listing to review the latest information available ”

Microsoft Server Software and Supported Virtualization Environments points to this KB article :

It explicitly refers to Forefront Identity Manager as:

“Microsoft Forefront Identity Manager 2010
Microsoft Forefront Identity Manager 2010 and later versions are supported.”

Just as a side step, the Products Listing page has the latest updates on Windows Server 2012 and later…

In the left side menu bar you’ll find OS Compatibility and Processor architecture:

OS compatibility

Supports Windows Server 2012 R2
Supports Windows Server 2012
Supports Windows Server 2008 R2
Supports Windows Server 2008

Processor architecture

Windows Server 2012 R2 (x64)
Windows Server 2012 (x64)
Windows Server 2008 R2 (x64)
Windows Server 2008 (x64)
Windows Server 2008 (x86)

Another side note, for support lifecycle the KB article refers to
But, for FIM 2010 / MIM 2016 there is an easier short cut you should use :

FIM 2010:

MIM 2016 (also include FIM2010 info):

For future use, this info has also been published on TNWIki, you can use this short URL and


Note-to-self: Windows 10 Device Guard white paper just shipped

Tue 15 Sep 2015

The Device Guard white paper just shipped to Technet. Enjoy!


Note-to-self: Installing the Microsoft Identity Manager 2016 (4.3.1935.0) Service and Portal – Upgrade from FIM 2010 R2

Fri 7 Aug 2015

#MIM2016 product page updated with eval download

Fri 7 Aug 2015

MIM 2016 Product page is

With the new announcement of GA, also the “Try Now” link to the eval center has been correctly set to : ;)
