System Center Mobile Device Manager Forum

How does MDM Device Inventory work? | Problem: slow device after policy update

Fri, 18 Sep 2009 14:04:19 Z

Hello,

i noticed something problematic in our MDM Installation.

Whats happening:
You startup a PDA, everything is going fine, VPN connects, ActiveSync Synchronizes, all fine.
Now you wait for some time ( maybe 8 hours ) or one just start "MDM Connect Now" -> "Connect Now".
After this manual or automatic policy update we notice the following behaviour on all our Handheld devices.

If you switch of the display (with a short tip at on/off) wait 5 minutes and switch it on again.
The device starts to hang at the logon screen.
You can see the pin mask, sometimes you can even type numbers but always it takes about 1 - 2 minutes to click "unlock".
After this you get to "today" the time is outdated (showing the time when you switch off the display) it takes another minute for everything to "settle".
So after 3 minutes the device is suddenly usable, you can open your calendar, the time is correct and so on.

What i found out:
So much for our problem, now to the interesting part.
The following was noted by accident.
If i disable the ability to reach the DeviceMgmt Server (due to a misleading host setting for example, or proxy config, or .. ).
Everything is working really fast and without any problem (except for policy updates, which is quite logical).

So what is my problem?
My Problem is that i don't understand what Management feature is slowing down all our devices.
We even got problems on accepting phone calls as the phone UI takes to long to show up.
I tried to track down this issue using jshell ( provided by the MS support ) and taskmanager, both showed nothing out of the ordinary.

All log files are clean, the only thing i noticed was a conflicting GPO setting ( 2 GPO saying opposite things ) which i corrected.
The problem occours on all Windows Mobile 6.1.x releases on nearly 100 devices distributed around 4 device generations ( HTC Diamond, HTC Diamond II, HTC Diamond HD, HTC Diamond Pro, ..).

--- About MDM Inventory ---

As i checked the entire configuration i haven't found any obvious error so i started looking for things which could cause this slow down.
One thing i am quite unsure about is the influence of the "MDM Inventory" does have on the device.
I looked up the Technet but haven't found an answer on how often (interval) and how much data is collected by the inventory.
There is only a way to disable and enable it globally and see the fetched data.

Is it problematic to disable it globally?
Could it cause this Slow down?
How often is the inventory renewed?

I would be really glad if someone even could me with just one of my above asked questions :-)
As i am quite familiar with MDM and all topics related to it you can give me any technical details or food for thoughts.

with best regards,

Robert

can SCDM support the mobile devices which are using Windows XP or Windows 7?

Thu, 15 Oct 2009 16:02:21 Z

Would like to know if SCDM can only manage Windows mobile 6.1 or it can also manage the windows XP and Window 7 devices? is there any specific hardware requirement on the managed devices?

Displaying Device Keyboard

Tue, 24 Nov 2009 14:30:26 Z

I am developing a mobile app on a Windows Mobile 6.1 device. I have a textbox. I want the user to be able to enter text. However, I can't display the keyboard. How can I?

Gateway Vs Device

Wed, 18 Nov 2009 15:37:22 Z

I have 2 Gateway servers, 1 DM server and 1 Enrollment server in my environment.

My question is, will the enrolled device stored any one of the Gateway server IP as default for communication after the enrollment?

If yes, any way to find out which Gateway server IP address has been stored by the device?

Thank.
KC

Adding a Gateway Server

Mon, 23 Nov 2009 11:41:41 Z

Hi,

Currently we have 1 Gatway Server and 1 Management/Enrollment Server that we were using for testing. Now we would like to go Live with the system how easy would it be to add an additional Gatway server for redundacny purposes?

Do we simply need to add 2 A Name dns records to point to the 2 ip address and then send the updated Gateway address over Group Policy? Or do we need to configure things like Microsoft NLB on the gatway servers?

Thanks,
Chris

Unable to keep Focus on TextBox

Tue, 24 Nov 2009 16:04:20 Z

I have an app I'm developing for WM6.1. I have a Textbox and a ListBox. Everytime set the DataSource of the ListBox, I lose focus of my TextBox and can't get it back. Without the ListBox, it's fine.

What's the deal? Any solutions?

Microsoft System Center Mobile Device Manager 2008 vs other software

Tue, 24 Nov 2009 19:59:28 Z

We were looking for software to manage our mobile work force and we came across Trust Digital. However, that was before we set our standards to windows mobile 6.1 phones. How does Mobile Device Manager compare to Trust Digitals software? Does anyone know?

Also, what can exchange 2010 do that device manager can or cannot do?

SCCM v.Next!

Fri, 13 Nov 2009 14:43:06 Z

I have seen from some Blog’s from Tech-Ed Berlin that MDM will merge into SCCM. To my horror I also see that the VPN access solution will be removed from this version. Is this correct?

Espen

Version Verification

Fri, 20 Nov 2009 09:31:43 Z

How/where to verify for my SCMDM version install? I like to check if it been patch to SCMDM 2008 SP1 but no clue where to check for it?

I had checked on Add/Remove program, it only show 1.0.4050

Thanks again.

Cheers,
KC

Issue with initiating VPN connection across GPRS, wireless 802.1x works fine though

Fri, 20 Nov 2009 11:07:19 Z

Hi all,

I’m having an issue with two recent customers deployments of System Center Mobile Device Manager 2008 SP1 (MDM).

Basically, from all my test Windows Mobile 6.1+ devices, I can connect to the MDM Gateway server across two different wireless 802.1X connections and get a VPN IP address via a VPN tunnel and the solution works 100%.

However, I cannot get the Windows Mobile devices to initiate the VPN tunnel using a GPRS connection. One customer has a Vodafone (UK) connection and we’ve had discussions about using various different APNs without success. The other customer has an O2 connection (UK) and we’ve only just engaged with them. Both customers have their own MDM Gateway servers with two different public DNS names.

Also, another curious issue, is that if you initiate the VPN tunnel across a 802.1X connection, then disable the wireless network – the VPN tunnel then switches to the GPRS connection and continues fine! Also the MDM port infiltration tests work fine across GPRS as well. So it appears the issue is limited to initiating the VPN tunnel only across one of the IPSEC ports.

The MDM VPN testing tool logging, just gives me the following error:

LOG-N:11-20.11:03:44- IPsecVPNPM: Using default connections.

LOG-I:11-20.11:03:47- IPsecVPNPM: STATE: [StateDNSResolve].

LOG-I:11-20.11:03:49- IPsecVPNPM: STATE: [StateTunnelSetup].

LOG-I:11-20.11:03:49- IKE SA Lifetime: 26280 seconds.

LOG-I:11-20.11:03:49- IPSec SA Lifetime: 21600 seconds.

LOG-I:11-20.11:03:49- IPsecVPNPM: commit succeeded.

LOG-I:11-20.11:03:49- IPsecVPNPM: STATE: [StateWaitForTunnel].

LOG-E:11-20.11:04:02- IPsecVPNPM: ActiveSync notification.

LOG-I:11-20.11:04:06- BASE CONNECTION DOWN: Marking tunnel local IPs changed, static IP disappeared

LOG-I:11-20.11:04:19-

LOG-I:11-20.11:04:19- IKEv2 SA [Initiator] negotiation failed:

LOG-I:11-20.11:04:19-

LOG-I:11-20.11:04:19- Local IKE peer x.x.x.x:4500 ID (null)

LOG-I:11-20.11:04:19- Remote IKE peer x.x.x.x:4500 ID (null)

LOG-I:11-20.11:04:19-

LOG-I:11-20.11:04:19- Message: Invalid argument (65538)

LOG-I:11-20.11:04:19- IKE SA negotiations: 4 done, 0 successful, 4 failed

LOG-I:11-20.11:04:19-

LOG-I:11-20.11:04:19- IPsec SA [Initiator] negotiation failed:

LOG-I:11-20.11:04:19-

LOG-I:11-20.11:04:19- Local IKE peer x.x.x.x:4500 ID (null)

LOG-I:11-20.11:04:19- Remote IKE peer x.x.x.x:4500 ID (null)

LOG-I:11-20.11:04:19-

LOG-I:11-20.11:04:19- Message: Invalid argument (65538)

LOG-I:11-20.11:04:19- IPsec SA negotiations: 4 done, 0 successful, 4 failed

LOG-I:11-20.11:04:19- Phase-I negotiation failed

LOG-I:11-20.11:04:19- Message: Invalid argument (65538)

LOG-I:11-20.11:04:19- IPsecVPNPM: Tunnel down: Mobike was not operational

LOG-I:11-20.11:04:19- IPsecVPNPM: STATE: [StatePurgeRules].

LOG-I:11-20.11:04:19- IPsecVPNPM: Deleting the Tunnel

LOG-I:11-20.11:04:19- IPsecVPNPM: commit succeeded.

LOG-I:11-20.11:04:19- IPsecVPNPM: STATE: [StateDefaultPolicy].

LOG-I:11-20.11:04:19- IPsecVPNPM: STATE: [StateDefaultRun].

LOG-I:11-20.11:04:19- IPSEC VPN TUNNEL RETRY DELAY: 119 seconds.

LOG-I:11-20.11:04:19- IPsecVPNPM: Set the CESetUserNotification

LOG-I:11-20.11:04:19- IPsecVPNPM: out of UnAttended Mode.

A person in the Netherlands seems like he’s had the exact same issue on the Microsoft TechNet forums, however his resolution in dealing with his Telco appeared to resolve the problem:

http://social.technet.microsoft.com/Forums/en/SCMDM/thread/b1936e3f-bf4c-45a3-96ba-0343ef6725b2

We’re currently investigating trialling a dedicated Vodafone tunnel straight through to the router where the MDM gateway server sits, however I don't know if this will solve the issue.

Has anyone seem this problem before and/or could steer me in the right direction? I haven’t been able to use a GPRS enabled SIM with a correct APN setting to test this connection once successfully, so I cannot work out whether it’s device, APN, or something wrong with the MDM Gateway server dealing with GPRS connections.

Cheers if anyone can help

Michael

mpearn@gmail.com

MDM Stopped Working

Thu, 19 Nov 2009 15:09:13 Z

Hello,

We have a very strange problem. Up until a couple days ago our MDM setup was working perfectly. Enrollment, Management, Software Distribution were all working as expected. We then needed to reboot our Gateway server and since then none of our Devices have been able to connect!

The VPN doesn't show any problems with no errors on the device or server. The Gateway Server shows an up to date state in the Management Console and our devices are still able to access other network resources such as email through Active Sync.

So the problem seems to be the connection to the management server right? I can browse to https://dm.<domain>:8443/mdm/tee/handler.ashx from a machine on the network but not from a device. Looking at our internal firewall logs I can see traffic reaching the Management server but its like it doesn't know where to send the reply.

Device logs show the following error -

2009-11-19 08:24:58 omadmclient.exe: Failed sending an HTTP request to the server (0x80072ee2).
2009-11-19 08:24:58 omadmclient.exe: [PID = 0xab054fc2] - Transmitting package data FAILED (hr = 0x80072ee2)
2009-11-19 08:24:58 omadmclient.exe: Data transmission attempt 1/6 failed (0x80072ee2).
2009-11-19 08:24:58 omadmclient.exe: Data transmission failure is retriable.
2009-11-19 08:24:58 omadmclient.exe: Backing off for 30000 milliseconds.
2009-11-19 08:25:28 omadmclient.exe: [PID = 0xab054fc2] + Transmitting package data
2009-11-19 08:25:28 omadmclient.exe: [PID = 0xab054fc2] + Initializing wininet
2009-11-19 08:25:28 omadmclient.exe: [PID = 0xab054fc2] - Initializing wininet
2009-11-19 08:25:28 omadmclient.exe: Additional headers sent to server = "Content-Type: application/vnd.syncml.dm+wbxml

Anyone have any ideas?

Server Resource Kit Tools

Wed, 18 Nov 2009 15:49:29 Z

Anyone has successfully use of the tools:

1. Device Enrollment Cleanup Tool
2. Device Records Synchronization Tool
3. Blocked Device Cleanup Tool

I have tried but never success for any one of it.

The device still showing on the DM console, All Managed Device and Blocked Device list.

Anyone can share if you have any info about the tools?

Thanks.
KC

GCM service cannot find a valid certificate

Fri, 13 Nov 2009 10:56:03 Z

I get errors:
"5257: Gateway Central Management service cannot find a valid certificate to authenticate with the Gateways. The service can automatically detect a valid installed certificate issued with the Gateway Central Management template. Install a valid certificate and then restart the service."
and
"5258: Gateway Central Management service did not connect to any Gateway Server. Make sure that all Gateway Servers are running and are reachable from this computer, and that this computer can resolve the DNS names of the Gateway Servers."
I have seen there few times here on the technet forums, but I can not get my GCM to connect to the GW with those answers.

This is what I tried:
1) In the MDM console I see: Service Configuration State: Running and Sync State: Unreachable.
2) With the MDM ResKit:
> MDMCert.exe /install /mdminstance:iiii /ca:"bbb\CA ccc"
> MDMCert.exe /validate /mdminstance:iiii /ca:"bbb\CA ccc" /endpoint:gcm
The following is a filtered list of Gateway Central Management (GCM) certificates and validity statuses:
<Subject> <Issued Date> <Issued By> <Expiration Date> <Valid/Invalid>
CN=aaaaa 13-11-2009 bbbl\CA ccc 13-11-2011 Valid
Log file is created at: C:\Program Files\MDMResourceKit\MDMServerTools\MDMCertificate\MDMCert[2009_11_13][11_05_08].log
So this tells me the certificate is valid and the ACL for the NETWORK SERVICE is correct
3) Using a browser on the MDM/GCM I can connect to https://fqdn.of.the.gw/Vpn/applyconfig.ashx and is asking me for a client certificate (which of course does not exist im my current-user store)

So the certificate is correct and the GW is reachable by its fqdn.
Where to go next?

Thanks in advance.
Arnold

Antivirus Exclusions on SCMDM Servers

Wed, 11 Nov 2009 04:49:57 Z

Hi there Guys,

Is there any document or article on the internet outlining what to exclude when installing 3rd paty antivirus software on SCMDM servers? Including SCMDM gaateway server as well as enrollment and device management server?

Best Regards,

Ras

big problem

Thu, 19 Nov 2009 07:58:11 Z

i cant read any arabic texts on my htc hd2 6.5 windows version is thereany way to install software or update thnx

System Center Mobile Device Manager : Resolving Software Distribution 8041 warnings

Mon, 02 Nov 2009 16:05:12 Z

Here’s a problem which we’ve seen a couple of times which can be caused by bad packages in software distribution. This problem can arise when Software Distribution is being used, and you notice that devices don’t seem to be getting packages, nor getting updated in the Software Distribution console. As well as this, the following message is logged in the MDM event log on the Device Management Server:

Event Type:        Warning
Event Source:    Device Manager
Event ID:              8041
Description:
Software Distribution service received insufficient query results from device {DeviceSID}.
Missing LocUri ./Vendor/MSFT/SwMgmt/Download?list=StructData.

Steps for resolving this issue are at http://blogs.technet.com/mdm/archive/2009/11/02/software-distribution-8041-warning.aspx

J.C. Hornbeck | Microsoft

SQL role on Windows Server 2008

Wed, 18 Nov 2009 11:56:52 Z

Hello all. Although I suspect the answer, I want to know if SQL role in SCMDM 2008 SP1 can be configured on Windows Server 2008. Customer says he already has a SQL Server 2005 running on Windows Server 2008 and he would like to use that one.

Thanks,

Guillermo

Enrollment Autodiscovery

Mon, 09 Nov 2009 14:51:44 Z

Hi,
We have MDM up and running almost perfectly. Our only problem is that during the enrollement process the devices never seem to be able to auto discover the enrollement server.
The server is publish using ISA as mobileenroll.<domain.co.uk> and the devices can resolve this ok as it works when we manually input the server name.
I think the problem could be that our domain name and our email address are not the same, but does anyone know of any way around this?
Thanks

SCMDM 2008 SP1 - Device removal procedure?

Fri, 23 Oct 2009 00:13:27 Z

How do i go about to removing a device from the scmdm console? I managed to run removedevice powershell cmdlet it successfully removes the device from the domain and adds it to block list i then run clean up of blocked devices powershell cmdlet but the device still appears in the all devices section. Is there a way of removing them from the console completely?

I read on these forums that we might need to update TEE.db? If so how can that be done ?

Cheers

Ras

Active Directory Objects and Attributes used by SCMDM

Thu, 05 Nov 2009 06:52:58 Z

Hello,

Can you guys tell me wich AD object and attributes are used by SCMDM to create an AD account for a mobile device? Are these computer objects in Active Directory?

Thanks and regards

mat

SCMDM Gateway server WAN connection

Wed, 28 Oct 2009 08:56:21 Z

Hi there guys ,

I really hope this is something you can help me with. I have got a requirement that the public IP of the SCMDM gateway server will need to sit behind a firewall.

From the reading I have done so far NAT for the public interface is not supported!(well at least you wont get full functionality out of it). I have got a Cisco ASA firewall and have bunch of public ips available.

My SCMDM gateway is sitting in the DMZ nic 1 has a DMZ ip address assigned to it and nic 2 to has a public ip. Is there a way of setting this up so that the public interface sits behind the firewall as well? As at the moment some traffic is bypassing the Firewall and this raises some security concerns.

I would like to find out how everyone else is handling their public ip interfaces on the gateway server.

I intend to configure the server to be accessible from the internet is it sufficient to configure static NAT with 1:1 mapping of official to public IP or PAT. Does SCMDM Gateway support this option?

Cheers

Ras

Error with CA then do pre-deployment steps

Wed, 04 Nov 2009 15:57:32 Z

Hello!
I have problem with deployment Mobile Device Manager.
I have offline root CA based on Windows Server 2003 and clustered subordinate CA based on Windows Server 2008 Enterprise.

When i prepare my infrastructure for MDM and do command adconfig /enabletemplates i see error:

[11/04/2009-21:41:20] DEBUG : Invoking RunDll with arguments "C:\MDM\adconfig\CertificateAuthorityPermissions_x64.dll",InstallCASecurity vcngsubca.vcng.ru vcngsubca01 S-1-5-21-676356331-940865192-3957312832-1127 S-1-5-21-676356331-940865192-3957312832-1128 S-1-5-21-676356331-940865192-3957312832-1122
[11/04/2009-21:41:21] DEBUG : Rundll exited with error code -2147024891
[11/04/2009-21:41:21] ERROR : Failed to add security on the vcngsubca.vcng.ru\\vcngsubca01 certification authority using trustee security identifier [S-1-5-21-676356331-940865192-3957312832-1127], and subject security identifier [S-1-5-21-676356331-940865192-3957312832-1128]. Error: Access is denied.
[11/04/2009-21:41:21] DEBUG : Failed to add security on the vcngsubca.vcng.ru\\vcngsubca01 certification authority using trustee security identifier [S-1-5-21-676356331-940865192-3957312832-1127], and subject security identifier [S-1-5-21-676356331-940865192-3957312832-1128]. Error: System.ComponentModel.Win32Exception: Access is denied
at Microsoft.MobileDeviceManager.InstanceManager.CertificateAuthoritySecurity.CallExportedNativeMethod(String nativedll, String methodName, String args, Boolean bReturnExitCode)
at Microsoft.MobileDeviceManager.InstanceManager.CertificateAuthoritySecurity.AddSecurity(String certificationAuthority, IMDMProductInstance mdmInstance).
[11/04/2009-21:41:21] ERROR : Errors occurred while configuring security on vcngsubca.vcng.ru\vcngsubca01 certification authority for MDM instance VCNGMobile.

I check this KB: http://support.microsoft.com/kb/927066/ and it not help me.

But then in log i see:

[11/04/2009-21:41:21] INFO : Using BindRoot LDAP://rootDSE
[11/04/2009-21:41:21] DEBUG : Created directory entry for [DN=LDAP://rootDSE].
[11/04/2009-21:41:21] DEBUG : Created directory entry for [DN=LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=vcng,DC=ru].
[11/04/2009-21:41:21] DEBUG : Considering CA VCNGSubCA.vcng.ru\VCNGSubCA01. Check if CommonName is matching vcngsubca01
[11/04/2009-21:41:21] DEBUG : Found CA vcngsubca.vcng.ru\vcngsubca01.
[11/04/2009-21:41:21] DEBUG : Considering CA VCNGSubCA.vcng.ru\VCNGSubCA01.
[11/04/2009-21:41:21] DEBUG : Found CA vcngsubca.vcng.ru\vcngsubca01.
[11/04/2009-21:41:21] DEBUG : The vcngsubca.vcng.ru\vcngsubca01 certification authority has dNSHostName = VCNGSubCA.vcng.ru.
[11/04/2009-21:41:21] DEBUG : Attempting to find the CERTSVC_DCOM_ACCESS group in the vcng.ru domain.
[11/04/2009-21:41:21] INFO : Using BindRoot LDAP://vcng.ru/rootDSE
[11/04/2009-21:41:21] DEBUG : Created directory entry for [DN=LDAP://vcng.ru/rootDSE].
[11/04/2009-21:41:21] DEBUG : Created directory entry for [DN=LDAP://DC=vcng,DC=ru].
[11/04/2009-21:41:21] DEBUG : Searching for well-known group using search filter [(&(samAccountName=CERTSVC_DCOM_ACCESS)(objectCategory=group))] and search root [LDAP://DC=vcng,DC=ru].
[11/04/2009-21:41:21] INFO : Found no groups using search filter [(&(samAccountName=CERTSVC_DCOM_ACCESS)(objectCategory=group))] and search root [LDAP://DC=vcng,DC=ru].
[11/04/2009-21:41:21] DEBUG : Did not find the CERTSVC_DCOM_ACCESS group in the vcng.ru domain.
[11/04/2009-21:41:21] INFO : The CERTSVC_DCOM_ACCESS group does not exist in the domain for the vcngsubca.vcng.ru\vcngsubca01 certification authority.
[11/04/2009-21:41:21] INFO : Result of AD Configuration Operation: Success

And i dont undestand: preconfiguration step normal or not.

Benq Mobile Registry Access Denied

Sun, 08 Nov 2009 11:28:10 Z

I currenlty have a Benq e72 mobile phone running windows mobile 6.1 and in order to see who was calling I downloaded a mobile registry editor to modify the CallerID from 8 to 7.

However, I needed to do a master reset on the phone and now when I am trying to redo the edit, I am getting Access Denied

SCMDM activesync policies to block email from sync-ing to device

Wed, 04 Nov 2009 07:33:39 Z

Hi,
I used SCMDM user policies to apply to my test user using the WM6.1 professional emulator. The policies for this user are supposed to:

1) Set maximum attachment allowed = 0 (Block all attachments)

2) Set maximum size limit for plain text e-mail = Header Only

3) Set maximum size limit for HTML text e-mail = Header Only.

These policies are effective on the enrolled user as shown by the Windows Mobile Group Policy Results.

I proceeded to setup the Activesync account for the user to access the Exchange 2007 server. I was expecting that the user's calendar data gets downloaded but emails and attachments are not supposed to be downloaded (should just see headers in Outlook Mobile) as they are set by the policies.

I realised that when they are first sync, indeed only the headers are downloaded (0/XXk is shown). But when I access the email, I can still click to download the emails and the entire message. Are the policies supposed to work like this or did I configure wrongly? I was expecting no email body and attachments could be downloaded to the device.

Thanks.

Policies for 6.5

Fri, 06 Nov 2009 15:39:10 Z

Hi,

Are there any differences between 6.1 and 6.5 when it comes to policies? I can't seem to find an updated list, just the classic http://technet.microsoft.com/en-us/library/dd261953.aspx and it says nothing about 6.5 changes, additions or any new ADM file.

Thanks,

- jorge

Automatic FixIt: You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version

Thu, 05 Nov 2009 21:25:37 Z

I asked the FixIt team for this a while back and they have delivered. Now if you ever run into the symptoms below the chances are good we can automatically fix it with just a few clicks of the mouse:

The Symptoms: When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:

HTTP 401.1 – Unauthorized: Logon Failed

Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.

Additionally, an event message that resembles the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number

The Cause: This issue occurs when the web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

http://blogs.technet.com/mdm/archive/2009/11/05/automatic-fixit-you-receive-error-401-1-when-you-browse-a-web-site-that-uses-integrated-authentication-and-is-hosted-on-iis-5-1-or-a-later-version.aspx

J.C. Hornbeck | Microsoft

Device Status/Software Distribution

Tue, 06 Oct 2009 10:12:59 Z

I am trying to push new software down to few device but these are reporting 'the device has not reported status in 19 or more days'. These devices are not receving the new software. When checking the Device Report the following appears

No events are available. This may be because the client has not yet sent the event or the events have been purged from the server. Refer to %WINDIR%\WindowsUpdate.log on Device2.domain.local for details.

Where is the windowsupdate.log on the device or server?

Previously I was advised to enable alert logger in Status viewer but i can not see this option. I can only see the Menu, Managed programs and managed objects viewer. The connection in Status viewer/MDM connect now is successful.

Deploying SCMDM (Enrollment Server) on SBS 2008

Thu, 05 Nov 2009 14:06:12 Z

This might be a non-starter from the outset, but here's what I am trying to do. I want to install SCMDM on a Small Business Server (SBS2008). I am having trouble once I get to the point where I install the Enrollment Server, but here are the steps I have taken using this page as a reference http://technet.microsoft.com/en-us/library/dd261786.aspx :

I followed steps 1a, 1b, and 1d (1c was optional and I believe was done while configuring the AD) to configure the Active Directory. The only error I encountered was in step 1a, #6 (/enablegpsecurity), but this step appears to be optional, so I ignored the error and proceeded the rest of the way error-free.
When it comes time to install the Enrollment Server, I get the following Prerequisite error: "The TCP/IP port 443 is in use by another application. The Enrollment Server requires the TCP/IP port 443 for communication with clients. Stop the application currently using this port and restart the Setup wizard." This makes sense considering SBS 2008 has so many roles installed by default, and I use Outlook Web Access, which I believe also uses port 443.

So what do I do?

Can the Enrollment Server coexist on port 443?
Can I temporarily shut down any applications using port 443, install Enrollment Server, change its default port, and restart the other applications?
Can I even continue installation of Enrollment Server on the SBS machine? or am I wasting my time?
Other options?

A few other items to note:

I use Windows Server 2008 R2 as my host, and I have SBS2008 running on a Hyper-V VM.
SBS2008 is set up as the "heart and soul" of my network; it is the primary file server, AD controller, DHCP, DNS, Exchange 2007, etc...it is a typical SBS 2008 setup.
I am behind a dynamic IP. My local domain is mydomain.local, and my internet domain which I use for OWA is mydomain.dyndns.org. When completing step 1 from the deployment guide (the AD configuration), I used mydomain.local as my FQDN.
I've got OWA working fine, my mobile device synchronize quite nicely with Exchange, so on and so forth. I seem to have a solid, stable setup.

Any insight?

Thanks

Email Filtering Feature For SCMDM

Wed, 28 Oct 2009 08:50:59 Z

Hi,

Is there any way to filter "encrytped" email messages from MDM server before it send to the mobile device user?

Thanks.
KC

Cmdlet Get-DeviceManagementConfig

Tue, 08 Sep 2009 13:26:58 Z

Hi,

I can't seem to find an answer to this question so I'll post to the group. I have been looking at the MDM Powershell cmdlet called Get-DeviceManagementConfig. In particular I'm looking at parameters:

PurgeInterval and EnablePurge.

By default Microsoft have set these to:

PurgeInterval = 373 days and EnablePurge = True.

Now looking at the technet info, this has me confused - as follows:

EnablePurge
Specifies whether PurgeInterval is enabled. If set to $true, then a device is removed from the Device Registration database after a period of time defined by the PurgeInterval value. If set to $false, then devices are not automatically removed from the Device Registration database. The default value is $true.

PurgeInterval
Specifies the length of time after which devices that are no longer enrolled are completely removed from the Device Registration database. The value may range from one day to 3660 days. The default value is 373 days. If the value contains a space or other special characters, enclose the string in quotation marks.

My question is, does this only apply to blocked / wiped devices or all working devices aswell? Does this mean a device will be removed from the registration database (or expire) after 373 days, even if there is nothing wrong with it?

Sorry if I've missed the obvious or if I'm being a bit thick!

Neil.

importing personal certificate

Sun, 01 Nov 2009 14:22:42 Z

Hello,

can I import a personal certificate to a Windows Mobile device in a way that the private key will be marked as "non exportable"? Otherwise, if the device gets lost, any unauthorized person can export the private key then.

there are flags CRYPT_EXPORTABLE and CRYPT_USER_PROTECTED http://msdn.microsoft.com/en-us/library/aa924245.aspx
If someone knows if these flags in PFXImportCertStore are set or not that would help me a lot
Unfortunately the Windows Mobile UI does not offer to set these flags during the certificate import process

Martin

MDM support of CNG and keylength

Thu, 29 Oct 2009 13:32:28 Z

Does the latest version of MDM support CNG provider (using WS08 R2 PKI) and what is the maximum key length it supports?

problems connecting after enrollment

Tue, 06 Oct 2009 12:23:01 Z

in our org we are running MDMSP1 and have recently enrolled a large number of devices - the majority of which appear to be working fine.
however there are some that have successfully enrolled OK but then are unable to connect.
using the VPN diagnostic tool on the device it comes up with the reason as 'Root certificate does not exist'
i'm happy the connection works OK as its the same connection settings as other devices and i've tried re-adding those but to no avail.

anyone have any ideas what would cause this?

different activesync policies for different devices belonging to same user

Wed, 28 Oct 2009 02:19:38 Z

Hi,
Using SCMDM, I can specified whether a user can download emails and/or attachments to his mobile device. This is done by applying a user (not device) policy to that user.

I have a requirement such that a user has 2 mobile devices. PDA A is self-owned while PDA B is company-issued. The user is only supposed to sync calendar events and not emails to PDA A. But he can sync all emails, task, calendar to PDA B.

Given that the a user would have only 1 MS Exchange mailbox and the activesync policy is applied on the user and not device, how can I achieve this? Pls advise.

Thanks.

Regards.

MDM Enrollment server

Thu, 30 Jul 2009 15:58:13 Z

Hi

I have installed enrollment server.After successful installation i got only help file in my start program files ? How do i start accessing the enrollment server.

Also if i go to IIS webpage i am getting HTTP Error 403.4 - Forbidden: SSL is required to view this resource

Please let me know how do i proceed on this ?

Regards
Loganathan.b

BPA Error

Thu, 06 Aug 2009 10:11:52 Z

Hi,

I am getting below error when i am running BPA for scmdm 2008 ?

I am able to access the site and i am getting certificate warnings etc ? what could be a problem ?
Unable to connect to MDM Device Management Administration Web site.
Make sure that the certificate for the newly created Device Management Administration Web site for MDM Device Management Server is valid and the Web site is running. Obtain certificates for the site if it is necessary. See Deployment Guide for System Center Mobile Device Manager 2008 .

Unable to connect to MDM Device Management Web site.
Make sure that the certificate for the newly created Device Management Administration Web site for MDM Device Management Server is valid and the website is running. Obtain certificates for the site if it is necessary. See Deployment Guide for System Center Mobile Device Manager 2008 .

Mobile Device Factory Wipe on a single failed password

Fri, 09 Oct 2009 10:25:47 Z

We have had a situation reported where a device has performed a factory wipe on a single failed password or not at all. This has been reported on two different devices HTC Touch Pro2 and an HTC Diamond 2 running 6.1.4 (latest production release). Normally I would say the user was mistaken however I have just watched exactly the same this happen in front of me on an HTC Mega Mobile 6.5.
The group policy appplied for passwords is Simple Password, 4 characters, 10 attempts prior to wipe, "SCMDM 2007" prompt on attempt 7.

What has just happened is the HTC Mega was on my table and not connecting to the 3G network due to a SIM issue - ie no phone, no wifi, no 3g. The device was attempting to connect regularly then all of the sudden the screen becomes active and the you have one more attempt to logon prior to a wipe appears. To be clear there have been no logon attempts and no failed logons at all since enrollment on this device.

I then entered the password incorrectly and the factory wipe proceeded.

So this thing has wiped on a single incorrect password even though the group policy was for 10 attempts. The word prompt did not occur. The user was simply presented with the 1 logon left message without attempting to logon...

This is a disaster. Has anyone else seen this? I'm going to try and replicate on 6.1 , 6.5 devices but would be interested if anyone has seen this occur.

The only common thing I see at the moment is that the devices may not have had network coverage and be retrying prior to this occuring.

This is a real pain to debug as a factory wipe is performed so any local logs are toast as encryption is on so even cards are unless due to encryption. I'll have to try without encryption on. Any suggestions as to how to debug this one?

Cheers

Matthew

HP touchpad issues, again

Tue, 27 Oct 2009 18:32:01 Z

I have a factory Pavillion DV4-1220us, and am unable to get the touchpad to work. As usual, HP support said to do a full recovery, and that is really not an option here. I have done a sys. restore, and have reinstalled the driver for it(I think it was the right one). I could care less about the volume controls, but I cannot turn on my wireless without it. Any body got a sollution or some advice?

ISA Server and SSL reverse proxy for mobile enrollement

Mon, 26 Oct 2009 03:57:00 Z

Hi there Guys,

We have got an existing ISA 2006 server with single IP address (DMZ subnet), is it possible to utilisie reverse proxy capabilities of this box for enrollment. Please bear in mind that This server is also used as a proxy for internal clients. If so what would be the best way to go about it ?

I.e can i get the external firewall to forward SSL traffic to ISA and configure the publising rule and open 443 from isa to mdm enrollment server?

What i am trying to get to is whether or not we need dual nics on the ISA server?

Best Regards,

Ras

ISA Server and SSL Confogiration

Mon, 29 Sep 2008 17:24:09 Z

Hi, my company is the process of configuring our MDM which uses ISA server to publish the mobileenroll.domain.com.

The question I have is, do we terminate the SSL connection at the ISA Server, and pass non-SSL traffic to the Enrollment Server, or do we set the ISA Server to pass-through mode and put the SSL certificate on the Enrollment Server?

Thanks, Julie