Unleash your Azure CSP subscription for Cloud Management Gateway deployments

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet ‘without’ additional (on-premise) infrastructure.


Create & deploy cloud services with an associated Azure subscription.

However, there is a limitation when deploying a CMG using an Azure CSP subscription.

This capability does not enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP does not support. For more information, see available Azure services in Azure CSP.

As the CSP model is becoming more and more popular as an Azure subscription, this scenario is a potential blocker for many customers with a CSP subscription who want to deploy a CMG. The Microsoft product teams are aware of this situation and I’m sure they will solve this sooner or later.

Converting your CSP subscription to an eligible Azure subscription is not an option here (it is managed by the CSP partner). Therefore I would like to show you how to deploy a CMG while you’re on a CSP subscription. Yes, it’s possible! In this blog I’ll describe what it takes to achieve this.

Windows Defender ATP updates including BitLocker & Firewall security controls

Alongside the announcement of down-level support for Windows 7 and Windows 8.1, there is more exciting news with regard to Windows Defender ATP. As of today, Windows Defender ATP Security Analytics is extended with two new security controls: BitLocker and Firewall.

Windows Defender ATP Security Controls: BitLocker & Firewall


MBSA 2.3 Preview Release is available for download!

MBSA 2.3 Preview has been released on the Client Management Connect site to the ConfigMgr Open Beta community.


MBSA 2.3 release adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 2000 will no longer be supported with this release. The final release of MBSA 2.3 is expected to be available in Fall 2013.

You can download MBSA 2.3 Preview here.

Windows Intune: required Firewall & Proxy Configuration



For most of us, implementing Windows Intune might be easy because it uses common standards like HTTP and HTTPS. Nevertheless, in organizations where internet access is controlled using firewall(s) and proxy servers this might be a challenge.

Specific services or websites have to be opened up to work properly. The same applies to Windows Intune. For those who have to implement it in environments where internet access is limited, the overview below outlines the required domains and ports in order to let Windows Intune work like a charm.

Required domains for documentation, online Help, and support

| Domain | Ports |
| --- | --- |
| *.livemeeting.com | 80 and 443 |
| *.microsoftonline.com | 80 and 443 |
| onlinehelp.microsoft.com | 80 |
| *.social.technet.microsoft.com | 80 |
| blogs.technet.com | 80 |
| go.microsoft.com | 80 |
| http://www.microsoft.com | 80 |



Rollup 1 for Forefront Unified Access Gateway (UAG) 2010 Service Pack 3

In February this year Microsoft released Service Pack 3 for Forefront UAG 2010. Today the Microsoft Forefront Unified Access Gateway (UAG) product team released Rollup 1 for Forefront UAG 2010 Service Pack 3.

Issues that are fixed in Rollup 1

The issues that are fixed in Rollup 1 are listed in the following articles. To view the issues, click the article number to view the article in the Microsoft Knowledge Base.

  • 2810229 FIX: You cannot redirect local computer resources in an RDS session after you disable the client endpoint components in Forefront Unified Access Gateway 2010
  • 2831570 FIX: "The URL you requested cannot be accessed" error message may be returned when a client sends an HTTP POST request to a portal in Forefront Unified Access Gateway 2010
  • 2831573 FIX: Traffic is not forwarded or you receive an error message about ADVAPI32.dll when you use a Windows XP client to start an application from a Forefront Unified Access Gateway 2010 Service Pack 3 portal
  • 2831865 FIX: The endpoint policy expression "Any Personal Firewall (Windows)" is incorrect for Windows 7 and Windows 8 in Service Pack 3 for Forefront Unified Access Gateway (UAG) 2010
  • 2831868 FIX: Endpoint policies for existing trunks are not updated after you install Forefront Unified Access Gateway 2010 Service Pack 3
  • 2832679 FIX: You receive a 500 Internal Server error when you run the File Access application from the Forefront Unified Access Gateway 2010 Service Pack 3 portal trunk
  • 2832681 FIX: You receive a script error that prevents file access configuration in the Management Console in Forefront Unified Access Gateway 2010
  • 2832685 FIX: The Forefront Unified Access Gateway 2010 portal may intermittently become unresponsive to clients after Service Pack 2 is installed

Rollup 1 for Forefront UAG 2010 Service Pack 3 can be requested here

Forefront UAG 2010 Service Pack 3 is available for download from the Microsoft Download Center, as an upgrade from UAG 2010 Service Pack 2.


Offline Servicing: Failed to install update with error code 5 #sysctr

In general, and more specifically for Configuration Manager, there are antivirus exclusion lists available that let Configuration Manager function optimally while keeping a thorough security level from an anti-malware and antivirus perspective.

During a Configuration Manager implementation I ran into an issue with Offline Servicing. Scheduled Offline Servicing ended up with unpredictable results, such as not all Windows Updates being applied (randomly) or even images becoming corrupted.



Windows 7 and Windows Server 2008 R2 KMS hosts to support Windows 8, Windows Server 2012 and Office 2013 (KB2691586)

This update extends the Key Management Service (KMS) for Windows 7 and Windows Server 2008 R2 to allow enterprise licensing of Windows 8 and of Windows Server 2012. KMS provides support for the following KMS activations:

  • Windows Server 2008 R2 and Windows Server 2008 R2 Service Pack 1 (SP1)
  • Windows Server 2008 and Windows Server 2008 Service Pack 2 (SP2)
  • Windows 8
  • Windows Server 2012
  • Windows 7 and Windows 7 Service Pack 1 (SP1)
  • Windows Vista and Windows Vista Service Pack 2 (SP2)
  • Office 2013 (Preview)

DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server

This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason both the Infrastructure and Intranet tunnels were not established. When walking through the Advanced Firewall configuration I noticed that Internet Protocol security (IPsec) tunnel mode security associations (SAs) were not initiated. After some searching I found a post on the Forefront forum which describes more or less the same behavior.

Thanks to Jason Jones I found my issue. I verified the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state and noticed that Direct Access Settings was misconfigured. The NRPT is configured using the DirectAccess Setup wizard. You can also configure the rules directly yourself, but take into account that these settings are overridden when running the DirectAccess wizard!


Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 released

Microsoft® Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2) introduces new functionality to Forefront TMG 2010 Standard and Enterprise Editions.

The service pack includes the following new functionality and feature improvements:

New Reports
• The new Site Activity report displays a report showing the data transfer between users and specific websites for any user.

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

To read the release notes, see the Forefront TMG Release Notes (SP2). Before installing this service pack, it is highly recommended that you read the TechNet article Installing Forefront TMG Service Packs. Installing the service pack on Forefront TMG computers in an order other than as described in this article is unsupported.

Microsoft Forefront UAG SP2 can be downloaded here

Windows 7 Deployment Options for Small and Midsize Businesses

Download a printable overview of Windows 7 deployment options for small and midsize organizations that includes the advantages and limitations of each option.

Explore the different options for deploying Windows 7 in a small or midsize organization. This print-ready poster from the Springboard Series for Windows 7 features an overview of each method, details on advantages and limitations, basic requirements, and helpful links to additional tools and guidance. You’ll also find a helpful step-by-step overview of the Windows 7 deployment process.

Download the handy overview in PDF, XPS or VSD here