The document provides an overview of the latest features in Configuration Manager current branch. It discusses new capabilities for tenant attach, management insight rules, client log collection, Edge management, task sequences, software updates orchestration groups, servicing stack updates, Power BI reports, and other areas. The document includes demos of several new features.
1. Latest and greatest in the world of Configuration Manager
TIM DE KEUKELAERE
JUNE 2020
2. About me
Tim De Keukelaere
Freelance Consultant
Tim.De.Keukelaere@IT-Essence.be
@Tim_DK
http://be.linkedin.com/in/timdekeukelaere/
http://www.dekeukelaere.com
Timdk_itpro
6. Tenant Attach
Tenant attach != co-management
Manage devices from the Microsoft Endpoint Manager admin center
The "Managed by" column identifies the devices that have been uploaded
7. Tenant Attach
Actions available from the device details page:
◦ Sync Machine Policy
◦ Sync User Policy
◦ App Evaluation Cycle
8. Tenant Attach – Requirements
Azure public cloud environment
Global Administrator account
◦ Onboarding creates a third-party app and a first-party service principal in Azure AD
Prerequisites for user accounts triggering device actions:
◦ Discovered with both Azure Active Directory user discovery and Active Directory user discovery
◦ This means the user account needs to be a synced user object in Azure AD
◦ "Initiate Configuration Manager action" permission under Remote tasks in the Microsoft Endpoint Manager admin center
9. Tenant Attach – Implementation Paths
Already on co-management:
◦ Enable through the co-management properties
◦ Enable upload for all managed devices, or limit it to a device collection
No co-management yet:
◦ Enable using the co-management setup wizard
◦ Disable co-management if you don't need it!
12. CAS Removal Support
For hierarchies with a CAS and a single child primary site
Pre-release feature
◦ Disabled by default
◦ Available through Microsoft Premier (request an advisory case through your TAM)
Do not forget to review and adjust your hierarchy design first!
13. Additional Management Insight Rules
Configuration Manager Assessment – 9 new rules
◦ Active Directory Security Group Discovery is configured to run too frequently
◦ Active Directory System Discovery is configured to run too frequently
◦ Active Directory User Discovery is configured to run too frequently
◦ Collections limited to All Systems or All Users
◦ Heartbeat Discovery is disabled
◦ Long running collection queries enabled for incremental updates
◦ Reduce the number of applications and packages on distribution points
◦ Secondary site installation issues
◦ Update all sites to the same version
Cloud Services – 2 additional rules
◦ Sites that don't have proper HTTPS configuration
◦ Devices not uploaded to Azure AD
15. Administration Service Improvements
REST API for the SMS Provider
Now automatically uses the site's self-signed certificate
◦ Even if Enhanced HTTP is not configured
No longer needed to:
◦ Enable Enhanced HTTP for the entire site
◦ Manually bind a PKI-based certificate to IIS on the server that hosts the SMS Provider role
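Because the Administration Service now presents the site's self-signed certificate, an admin workstation does not trust it by default. The following is an added example (not from the deck) that checks the certificate the SMS Provider presents against a thumbprint obtained out of band before calling the REST API. The server name and thumbprint are placeholders; it needs PowerShell 7+ for `-SkipCertificateCheck`.

```powershell
# Added example, not from the deck: call the Administration Service over HTTPS while
# verifying that the SMS Provider presents the expected self-signed site certificate.
# Placeholders: $Provider is the SMS Provider FQDN; $PinnedThumbprint is the SHA-1
# thumbprint of the site's self-signed certificate, read out of band (for example from
# the certificate store on the SMS Provider), never from this same connection.
$Provider         = 'cm01.contoso.local'
$PinnedThumbprint = '0000000000000000000000000000000000000000'

function Get-ProviderCertificateThumbprint {
    param([string]$HostName, [int]$Port = 443)
    # Open a TLS session only to capture the leaf certificate; the callback accepts
    # anything here because the thumbprint comparison is done explicitly below.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return $leaf.Thumbprint
    } finally {
        $tcp.Dispose()
    }
}

$actual = Get-ProviderCertificateThumbprint -HostName $Provider
if ($actual -ne $PinnedThumbprint) {
    throw "Certificate mismatch for $Provider (got $actual); refusing to call the Administration Service."
}

# The self-signed certificate does not chain to a trusted root, so the built-in chain
# check is skipped for this call only, after the pin above was satisfied. The durable
# alternative is to import the verified certificate into the Trusted Root store.
$uri   = "https://$Provider/AdminService/wmi/SMS_Site"
$sites = Invoke-RestMethod -Uri $uri -UseDefaultCredentials -SkipCertificateCheck
$sites.value | Select-Object SiteCode, ServerName, Version
```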
16. Proxy Support for Azure AD Discovery and Group Sync
The site system proxy and authentication settings are now also used by:
◦ Azure Active Directory (Azure AD) user discovery
◦ Azure AD user group discovery
◦ Synchronizing collection membership results to Azure Active Directory groups
17. CMG Token-Based Authentication
More simplification – relieve the burden of PKI certificates
Methods:
◦ Register on the internal network for a unique token
◦ Create a bulk registration token for internet-based devices and install the client using the /regtoken installation parameter
18. Desktop Analytics Connection Health Dashboard – Client Connection Issues
Improved client connectivity monitoring in the DA Connection Health dashboard
Identify client proxy configuration issues
◦ Endpoint connectivity checks: if clients can't reach a required endpoint, you see a configuration alert in the dashboard.
◦ Connectivity status: if your clients use a proxy server to access the Desktop Analytics cloud service, Configuration Manager now displays proxy authentication issues from clients.
Drill down to the client level to get a list of devices to troubleshoot
19. CMPivot Improvements
Search CMPivot entities
New icons make it easy to differentiate the entities and the entity object type
20. Boundary group option to only use peers within the same subnet
The content location list from the management point only includes peers in the same subnet and boundary group as the client
Exclude certain subnets from peer content download
21. Proxy Support for Microsoft Connected Cache
The Connected Cache application can now use an unauthenticated proxy server for internet access
22. Client Log Collection
Collect client logs through console client diagnostics
Logs are sent to the MP using the channel for software inventory file collection
Accessed using Resource Explorer
Opened in Support Center
Logging:
◦ Diagnostics.log (client)
◦ MP_SinvCollFile.log (MP)
◦ sinvproc.log (site server)
26. Microsoft Edge – Manage Updates
1910: the installation script turns off automatic updates
2002: option to enable automatic updating during app creation
27. Task Sequence as App Deployment Type
PRE RELEASE
For installing complex applications using the application model
Works for both install and uninstall
The app task sequence is displayed with an icon in Software Center
Important!
◦ Cannot be deployed to a user collection
◦ Do not use Install Application steps in the TS; use Install Package steps instead.
28. Bootstrap TS immediately after client registration
Issue:
◦ It is sometimes difficult to determine when a newly installed client runs a targeted TS
Solution:
◦ Start a task sequence on a client after it successfully registers with the site
◦ Using the PROVISIONTS=%TS Deployment ID% client installation property
Example scenario for a co-managed device:
◦ Provision a new Windows 10 device with Windows Autopilot
◦ Auto-enroll it to Microsoft Intune
◦ Then install the Configuration Manager client for co-management
◦ With this new option the newly provisioned client immediately runs a task sequence (allows further configuration and/or installing additional apps and updates)
29. Improvements to the Check Readiness TS step
More device properties to check that prerequisites are met:
◦ Architecture of current OS
◦ Minimum OS version
◦ Maximum OS version
◦ Minimum client version
◦ Language of current OS
◦ AC power plugged in
◦ Network adapter is connected and not wireless
30. Improvements to task sequence progress
Enable the option to show the current step number, total number of steps, and percent completion
◦ TSProgressInfoLevel variable
  ◦ 1: Include the current step and total steps in the progress text. For example, 2 of 10.
  ◦ 2: Include the current step, total steps, and percentage completed. For example, 2 of 10 (20% complete).
  ◦ 3: Include the percentage completed. For example, (20% complete).
Increased window width = more space to show the organization name on a single line
31. TS Improvements
New TS variables:
◦ _TSSecureBoot holds the state of Secure Boot on a UEFI device:
  ◦ NA – device doesn't support Secure Boot (registry value doesn't exist)
  ◦ Enabled
  ◦ Disabled
TS variables to configure the user context for Run Command Line and Run PowerShell Script steps:
◦ SMSTSRunCommandLineAsUser
◦ SMSTSRunPowerShellAsUser
◦ Set the PowerShell Script step's Parameters property to a variable
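As an added example (not from the deck) that ties the progress and Secure Boot variables from the two slides above together: a script for a Run PowerShell Script step that switches on the detailed progress text and records the _TSSecureBoot state in a custom variable that later steps can use in a condition. The variable name SecureBootOK is our own choice; it assumes the script runs inside a task sequence and exits cleanly when it does not.

```powershell
# Added example, not from the deck: Run PowerShell Script step that uses the
# TSProgressInfoLevel and _TSSecureBoot task sequence variables (ConfigMgr 2002).
# SecureBootOK is a custom variable chosen for this example; later steps can use
# the condition "SecureBootOK equals True" to gate, for instance, a BitLocker step.
function Get-TSEnvironment {
    # The COM object only exists while a task sequence is running.
    try { New-Object -ComObject Microsoft.SMS.TSEnvironment }
    catch { return $null }
}

$tsenv = Get-TSEnvironment
if (-not $tsenv) {
    Write-Warning 'Not running inside a task sequence; nothing to do.'
    exit 0
}

# From here on show "step x of y (n% complete)" in the progress dialog.
$tsenv.Value('TSProgressInfoLevel') = '2'

# _TSSecureBoot is read-only and holds NA, Enabled or Disabled.
$state = $tsenv.Value('_TSSecureBoot')
switch ($state) {
    'Enabled' {
        $tsenv.Value('SecureBootOK') = 'True'
    }
    'Disabled' {
        $tsenv.Value('SecureBootOK') = 'False'
        Write-Output 'Secure Boot is supported but disabled; enable it in firmware before relying on it.'
    }
    default {
        $tsenv.Value('SecureBootOK') = 'False'
        Write-Output "Secure Boot is not supported on this device (_TSSecureBoot=$state)."
    }
}
# Output of the step ends up in smsts.log, which makes the decision auditable.
Write-Output "Secure Boot state: $state; SecureBootOK=$($tsenv.Value('SecureBootOK'))"
exit 0
```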
32. Orchestration Groups
PRE RELEASE
For better control over software update deployments
Update devices based on a percentage, a specific number, or an explicit order
Run PowerShell scripts pre- and post-
Control the patching order
Important:
◦ A device can only be a member of one orchestration group
◦ Maximum of 1000 devices per orchestration group
◦ Client version should be at least 2002
◦ If software updates are installed from Software Center, orchestration groups are bypassed
33. Servicing Stack Updates
SSUs are installed first!
Evaluate software updates runs immediately after a servicing stack update
◦ Fewer restarts
◦ Software updates installed in the correct order
SSUs are installed first only for non-user-initiated installs
34. Office 365 updates for disconnected software update points
Pre-2002:
◦ When you exported and imported metadata for software updates in disconnected environments, you were unable to deploy Office 365 updates.
◦ Office 365 updates require additional metadata downloaded from an Office API and the Office CDN
New tool in the /tools/OfflineUpdateExporter directory
Import Office 365 updates from an internet-connected WSUS server into a disconnected Configuration Manager environment
35. BitLocker Management
Additional settings available in policy
Certificate requirements simplified
◦ HTTPS requirement for the IIS website that hosts the recovery service – not for the entire MP
36. Power BI Report Server Integration
Integrate Power BI Report Server with Configuration Manager reporting
◦ Modern visualization
◦ Better performance
Requires reinstalling the reporting services point role
Prerequisites:
◦ Licensing
  ◦ Power BI Premium
  ◦ SQL Server Enterprise Edition with Software Assurance
◦ Power BI Report Server 2019
◦ Power BI Desktop – optimized for Power BI Report Server
Sample reports:
https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/powerbi-sample-reports
37. Show boundary groups for devices
In the Devices node, or when viewing the members of a device collection
Add the new Boundary Group(s) column to the list view
38. Send a Smile improvements
Status messages are created when sending a Smile or Frown
Provides a record of:
◦ When the feedback was submitted
◦ Who submitted the feedback
◦ The feedback ID
◦ Whether the feedback submission was successful or not
Types:
◦ Status message ID 53900 = success
◦ Status message ID 53901 = failure
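An added example (not from the deck) of turning these two status message IDs into an audit trail: it pulls messages 53900 and 53901 from the site database together with their insertion strings (which carry the submitter, timestamp and feedback ID) through the standard v_StatusMessage and v_StatMsgInsStrings reporting views. It assumes the SqlServer module, read access to the site database, and placeholder server and database names.

```powershell
# Added example, not from the deck: list Send a Smile / Send a Frown submissions
# recorded as status messages 53900 (success) and 53901 (failure).
# Placeholders: $SqlServer and $Database point at the site database.
$SqlServer = 'cmsql01.contoso.local'
$Database  = 'CM_PS1'

# v_StatusMessage holds one row per message; v_StatMsgInsStrings holds its
# insertion strings (the values substituted into the message text).
$query = @"
SELECT sm.RecordID, sm.MessageID, sm.Time, sm.MachineName, sm.Component,
       ins.InsStrIndex, ins.InsStrValue
FROM   v_StatusMessage sm
LEFT JOIN v_StatMsgInsStrings ins ON ins.RecordID = sm.RecordID
WHERE  sm.MessageID IN (53900, 53901)
ORDER BY sm.Time DESC, sm.RecordID, ins.InsStrIndex
"@

$rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query

# Collapse the join back to one object per status message, keeping the
# insertion strings in order so the submitter and feedback ID stay readable.
$feedback = $rows | Group-Object RecordID | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Time      = $first.Time
        Result    = if ($first.MessageID -eq 53900) { 'Success' } else { 'Failure' }
        Component = $first.Component
        Machine   = $first.MachineName
        Details   = ($_.Group | Where-Object InsStrValue | Sort-Object InsStrIndex |
                     ForEach-Object InsStrValue) -join ' | '
    }
}

# Failures first: a burst of 53901 usually means the site cannot reach the feedback endpoint.
$feedback | Sort-Object Result, Time -Descending | Format-Table -AutoSize
```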
41. OneTrace – Log Groups
The OneTrace tool now supports customizable log groups, similar to the feature in Support Center
Allows grouping log files per specific scenario
Currently included:
◦ Application management
◦ Compliance settings
◦ Software updates