Allow ActiveSync for Android through Microsoft’s Web Application Proxy

While moving to Web Application Proxy for our reverse proxy, which is replacing TMG 2010 servers, we had an issue with Android devices connecting to Exchange.

After much playing around I discovered the issue was due to Server Name Indication (SNI). According to Wikipedia:

Server Name Indication (SNI) is an extension to the TLS protocol[1] that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 virtual hosting for HTTPS.

My understanding is that Android supports this, but for some reason it wasn’t working. This was tested with a few devices, i.e. Samsung Galaxy Note (Cyanogen and stock), Samsung Galaxy S3 and S4, and HTC One.

I found this article that explains how to resolve this issue. You simply need to add a binding by running this command:

netsh http add sslcert ipport=<IP address>:<port> certhash=<your certificate's hash> appid={f955c070-e044-456c-ac00-e9e4275b3f04}

This acts as a legacy non-SNI binding. Once this is done you should be able to use Android devices through WAP.
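To confirm the result, the bindings can be listed with netsh http show sslcert and checked for an IP:port (non-SNI) entry next to the Hostname:port (SNI) entry of the published host. The following is an added PowerShell example, not from the original post or the linked article. It parses constructed sample output in the English-locale layout; the host name, the 0.0.0.0:443 endpoint, the hashes and the function names are assumptions.

```powershell
# Constructed sample of `netsh http show sslcert` output; names and hashes are placeholders.
$sample = @'
SSL Certificate bindings:
-------------------------
    Hostname:port                : mail.example.test:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {f955c070-e044-456c-ac00-e9e4275b3f04}

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {f955c070-e044-456c-ac00-e9e4275b3f04}
'@ -split '\r?\n'

# Hypothetical helper: turn the text into one object per binding.
function Get-SslBinding {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $current }            # emit the previous binding
            $current = [pscustomobject]@{
                Sni      = ($Matches[1] -eq 'Hostname:port')
                Endpoint = $Matches[2]
                Port     = ($Matches[2] -split ':')[-1]
                CertHash = $null
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)\s*$') {
            $current.CertHash = $Matches[1].ToLower()
        }
    }
    if ($current) { $current }
}

# Hypothetical helper: does the host have an SNI binding and a non-SNI fallback on its port?
function Test-NonSniFallback {
    param([string[]]$Lines, [string]$HostName, [int]$Port = 443)
    $all      = @(Get-SslBinding -Lines $Lines)
    $sni      = $all | Where-Object { $_.Sni -and $_.Endpoint -eq "${HostName}:$Port" }
    $fallback = $all | Where-Object { -not $_.Sni -and $_.Port -eq $Port }
    [pscustomobject]@{
        HostName        = $HostName
        SniBinding      = [bool]$sni
        FallbackBinding = [bool]$fallback
        # Non-SNI clients are served the fallback certificate; check it is the one the SNI binding uses.
        SameCertificate = [bool]($sni -and $fallback -and ($fallback.CertHash -contains $sni.CertHash))
    }
}

Test-NonSniFallback -Lines $sample -HostName 'mail.example.test'
```

On a live server, pass the output of netsh http show sslcert as -Lines instead of the sample.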


Deploy Image from Stand-Alone USB on SCCM 2012 R2


This deploy will be done via USB and connect to a domain through a WPA2-Personal wireless connection. It then needs to connect to the WPA2-Enterprise connection once completed. The reason we needed to do this was because we were deploying to devices with no LAN port, only WLAN. We could have purchased a bunch of USB-to-LAN adapters but that required manufacturer-only adapters and it would have been more expensive than USB drives.

Adding an action to run a script after Task Sequence is completed

Early in the sequence (anywhere after “Restart in Windows PE”) you need to set a Task Sequence Variable for SMSTSPostAction. This allows you to run a command or script once the Task Sequence is completed. I have set this up with a script to run gpupdate and delete our hidden wireless network profile. Because I have used a script I have had to use DISM to add the script into C:\Temp on the image. Here are instructions on how to modify the image. The type is a Set Task Sequence Variable. In the Task Sequence Variable name you set it as SMSTSPostAction and the Value to C:\Temp\<script name>. My batch script is simple and looks like this:

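REM Wait before touching the wireless profiles
timeout 60
timeout 60
REM Remove the hidden WPA2-Personal profile from the device
netsh wlan delete profile name=<profilename>
REM Connect to the WPA2-Enterprise network (netsh wlan connect requires the profile name)
netsh wlan connect name=<enterprise profile name> ssid=<SSID>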

Naming the computer automatically

The next step is to do with naming. I have a Run Command Line sequence to set the computer’s name. This is a simple command that calls a script that I have added to a package. The script is as follows:

' Task sequence environment, used to set OSD variables
Set env = CreateObject("Microsoft.SMS.TSEnvironment")
Set ProgressUI = CreateObject("Microsoft.SMS.TsProgressUI")
' Query the local machine's BIOS through WMI
strComputer = "."
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer, "root\CIMV2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_BIOS",,48)

' Use the BIOS serial number as the computer name
For Each objItem in colItems
    env("OSDComputername") = objItem.SerialNumber
Next

Connecting to hidden wireless network

The next part was connecting to the domain over wireless. We had to create an extra SSID, which we hid, and protected with WPA2-Personal security. This required creating a connection to this network on another machine and then exporting the profile for that connection.

Exporting the XML after creating the connection is simple. In a command prompt you run

netsh wlan export profile key=clear

This will save it to the directory your command prompt is running from. Note that this saves your wireless network with the passphrase in clear text. With this I created a new Package in SCCM which contained the XML (which I renamed domainjoin.xml) and a batch script. In the batch script I had the following:

netsh wlan add profile filename=domainjoin.xml user=all
netsh wlan connect name=<SSID>
timeout 60

The timeout is required; I haven’t tested for a shorter time than 60 seconds.
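Because key=clear writes the WPA2-Personal passphrase into the exported XML as plain keyMaterial, it is worth checking which profile files in a package are in that state. The following is an added PowerShell example, not from the original post. The profile content, SSID and passphrase are constructed placeholders, and Get-WlanProfileKeyExposure is a hypothetical helper name.

```powershell
# Constructed sample in the layout of a profile exported with key=clear.
$sampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>EXAMPLE-JOIN</name>
  <SSIDConfig><SSID><name>EXAMPLE-JOIN</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>constructed-passphrase</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
'@

# Hypothetical helper: report whether a WLAN profile carries its pre-shared key unprotected.
function Get-WlanProfileKeyExposure {
    param([Parameter(Mandatory)][string]$ProfileXml)
    $doc = [xml]$ProfileXml
    # The profile elements live in a default namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $sec = $doc.SelectSingleNode('/w:WLANProfile/w:MSM/w:security', $ns)
    $key = $sec.SelectSingleNode('w:sharedKey', $ns)
    [pscustomobject]@{
        Profile        = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
        Authentication = $sec.SelectSingleNode('w:authEncryption/w:authentication', $ns).InnerText
        HasSharedKey   = [bool]$key
        # protected=false means keyMaterial is the passphrase itself, readable by anyone with the file.
        ClearTextKey   = [bool]($key -and $key.SelectSingleNode('w:protected', $ns).InnerText -eq 'false')
    }
}

Get-WlanProfileKeyExposure -ProfileXml $sampleProfile
```

For a real file, pass (Get-Content domainjoin.xml -Raw) as -ProfileXml.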

Task sequence completion

After that a domain join is completed, followed by a restart.
Once the Task Sequence completes, the script set with SMSTSPostAction will run. Sometimes it takes a few minutes before it connects to the wireless, but I have yet to have one fail.

SCCM 2012 Backup Configuration

I set up a quick backup system that archives a week of SCCM backups. If you have not configured your backup you will need to go to ConfigMgr Console > Administration > Site Configuration > Sites > Site Name > Site Maintenance.

[Screenshot: SCCM Site Maintenance]

Once your backup task is set up and working, you can then create the AfterBackup.bat which automatically runs as part of the backup maintenance task. I used these instructions to make the archived backups with the name of the day it was created.

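REM @echo off
setlocal enabledelayedexpansion
REM Archive folder named after the first three characters of %date% (depends on the regional date format)
set target=\\SCCM01\ConfigMgr$\Backup\Archive\%date:~0,3%
REM Remove the previous archive for this day, if there is one
If not exist %target% goto datacopy
RD %target% /s /q
:datacopy
xcopy "\\SCCM01\ConfigMgr$\Backup\WCMBackup\*" "%target%\" /E /-Y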

I did a test with this and all worked perfectly. I now have a week of backups.

Upgrade SCCM 2012 SP1 to SCCM 2012 R2

First thing is to make sure you have a good backup and the backup is working correctly.

Problems: Had to manually reinstall the console from Install location > Tools > AdminConsole.msi

Had to disable then re-enable PXE on the Migration Point

Should have uninstalled client on the SCCM server before install.

Had to update Client Installation Settings on the site.