ConfigMgr – NDES Certificate Deployment fails due to Network Device Enrollment Service failure

I was struggling a little bit within my LAB trying to get the Network Device Enrollment Service (NDES) up and running again for the Simple Certificate Enrollment Protocol (SCEP), which is, I believe, not that simple, but anyway. I was really unsure what I had changed (because I changed a lot in the last month within my LAB) that would have stopped the functionality of the certificates to my devices, but I had a starting point: the event log of the NDES server told me the following:
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.


Windows and Local Administrator permission delegation

In this post, I would like to explain what my experiences with and solutions for the delegation of local Administrator permissions are. In a client deployment scenario, you will often be asked for a solution to provide IT professionals and maybe also end users with local Administrator permissions. I will point out the most useful solutions, which I prefer.

  1. Local Administrator Account
  2. Permanent Local Administrator permissions for IT Professional
  3. Microsoft Local Administrator Password Solution for spontaneous permission
  4. Local Administrator delegation based on group per client


ConfigMgr 1602 – All devices are part of the same server cluster

Hi folks,

we are on the way, it will finally happen: we will be able to serve clusters with System Center Configuration Manager and its update functionality. With the newly released current branch 1602, a new feature called server cluster maintenance coordination was added to ConfigMgr; it comes close to a cluster-aware updating solution. You will find it on the General tab of a collection, named “All devices are part of the same server cluster”:

SCCM 2012 R2 SP1 – New Intune Features: Block Apps natively and deploy an iOS custom profile

Hi there,
finally I got time to check which new features were brought to us System Center 2012 Configuration Manager guys with the R2 SP1 update. My interests were in the iOS and Windows management. And for both of them, some nice features were added.

Blocking Apps
Blocking apps is now supported through the normal configuration, rather than using OMA-URIs as before (https://blog.hosebei.ch/2014/11/10/sccm-2012-r2-windows-phone-8-1-black-listing-apps-and-vendors/). You can create a Configuration Item with the specific settings:

SCCM 2012 – Client Installation properties

In System Center Configuration Manager 2007, it was sometimes a challenge to find the correct installation properties; most of the problems came with the patch files. But in 2012 we don’t have to install msp-files yet. But even then, a friend of mine considered a problem with the new application model in SCCM 2012. When you use applications and create deployments on collections, there isn’t an option to tell “Run from Distribution Point”, as there still is on deployments of the 2007-style packages. So if your SCCM Application Deployment Type, which should run on the client, is larger than the default SCCM client cache size of 5120MB, the download and installation will fail.

So I use for my client installation the following Installation properties (Client Push):
SMSSITECODE=H05 SMSCACHEFLAGS=PERCENTDISKSPACE;NTFSONLY SMSCACHESIZE=10 SMSMP=FQDN-MP FSP=FQDN-FSP