Configuration Manager 2002 current branch.
Microsoft Endpoint Manager tenant attach
Device sync and device actions
Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center. Starting in this release you can upload your Configuration Manager devices to the cloud service and take actions from the Devices blade in the admin center.
Desktop Analytics
- Connection Health dashboard shows client connection issues – Use the Desktop Analytics Connection Health dashboard in Configuration Manager to monitor the clients’ connectivity health. It now helps you to more easily identify client proxy configuration issues in two areas:
- Endpoint connectivity checks
- Connectivity status
Site infrastructure
Remove a central administration site
If your hierarchy consists of a central administration site (CAS) and a single child primary site, you can now remove the CAS. This action simplifies your Configuration Manager infrastructure to a single, standalone primary site.
New management insight rules
This release includes the following management insight rules:
- Nine rules in the Configuration Manager Assessment group courtesy of Microsoft Premier Field Engineering. These rules are a sample of the many more checks that Microsoft Premier provides in the Services Hub.
- Active Directory Security Group Discovery is configured to run too frequently
- Active Directory System Discovery is configured to run too frequently
- Active Directory User Discovery is configured to run too frequently
- Collections limited to All Systems or All Users
- Heartbeat Discovery is disabled
- Long running collection queries enabled for incremental updates
- Reduce the number of applications and packages on distribution points
- Secondary site installation issues
- Update all sites to the same version
- Two additional rules in the Cloud Services group to help you configure your site for adding secure HTTPS communication:
- Sites that don’t have proper HTTPS configuration
- Devices not uploaded to Azure AD
Improvements to administration service
The administration service is a REST API for the SMS Provider. Previously, you had to implement one of the following dependencies:
- Enable Enhanced HTTP for the entire site
- Manually bind a PKI-based certificate to IIS on the server that hosts the SMS Provider role
Starting in this release, the administration service automatically uses the site’s self-signed certificate. This change helps reduce the friction for easier use of the administration service. The site always generates this certificate. The Enhanced HTTP site setting to Use Configuration Manager-generated certificates for HTTP site systems only controls whether site systems use it or not. Now the administration service ignores this site setting, as it always uses the site’s certificate even if no other site system is using Enhanced HTTP. You can still use a PKI-based server authentication certificate.
Proxy support for Azure Active Directory discovery and group sync
The site system’s proxy settings, including authentication, are now used by:
- Azure Active Directory (Azure AD) user discovery
- Azure AD user group discovery
- Synchronizing collection membership results to Azure Active Directory groups
Cloud-attached management
Critical status message shows server connection errors to required endpoints
If the Configuration Manager site server fails to connect to required endpoints for a cloud service, it raises a critical status message ID 11488. When the site server can’t connect to the service, the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed status in the Component Status node of the Configuration Manager console.
Token-based authentication for cloud management gateway
The cloud management gateway (CMG) supports many types of clients, but even with Enhanced HTTP, these clients require a client authentication certificate. This certificate requirement can be challenging to provision on internet-based clients that don’t often connect to the internal network, aren’t able to join Azure Active Directory (Azure AD), and don’t have a method to install a PKI-issued certificate.
Configuration Manager extends its device support with the following methods:
- Register on the internal network for a unique token
- Create a bulk registration token for internet-based devices
Microsoft Endpoint Configuration Manager cloud features
When new cloud-based features are available in the Microsoft Endpoint Manager admin center, or other attached cloud services for your on-premises Configuration Manager installation, you can now opt in to these new features in the Configuration Manager console.
Desktop Analytics
Connection Health dashboard shows client connection issues
Use the Desktop Analytics Connection Health dashboard in Configuration Manager to monitor the clients’ connectivity health. It now helps you to more easily identify client proxy configuration issues in two areas:
- Endpoint connectivity checks: If clients can’t reach a required endpoint, you see a configuration alert in the dashboard. Drill down to see the endpoints to which clients can’t connect because of proxy configuration issues.
- Connectivity status: If your clients use a proxy server to access the Desktop Analytics cloud service, Configuration Manager now displays proxy authentication issues from clients. Drill down to see clients that are unable to enroll because of proxy authentication.
Real-time management
Improvements to CMPivot
We’ve made it easier to navigate CMPivot entities. You can now search CMPivot entities. New icons have also been added to easily differentiate the entities and the entity object types.
Content management
Exclude certain subnets for peer content download
Boundary groups include the following option for peer downloads: During peer downloads, only use peers within the same subnet. If you enable this option, the content location list from the management point only includes peer sources that are in the same subnet and boundary group as the client. Depending on the configuration of your network, you can now exclude certain subnets for matching.
Proxy support for Microsoft Connected Cache
If your environment uses an unauthenticated proxy server for internet access, now when you enable a Configuration Manager distribution point for Microsoft Connected Cache, it can communicate through the proxy.
Client management
Client log collection
You can now trigger a client device to upload its client logs to the site server by sending a client notification action from the Configuration Manager console.
Wake up a device from the central administration site
From the central administration site (CAS), in the Devices or Device Collections node, you can now use the client notification action to Wake Up devices.
Improvements to support for ARM64 devices
The All Windows 10 (ARM64) platform is available in the list of supported OS versions on objects with requirement rules or applicability lists.
Track remediation history when supported
You can now Track remediation history when supported on your configuration item compliance rules. When this option is enabled, any remediation that occurs on the client for the configuration item generates a state message.
Application management
Microsoft Edge management dashboard
The Microsoft Edge management dashboard provides you insights on the usage of Microsoft Edge and other browsers. In this dashboard, you can:
- See how many of your devices have Microsoft Edge installed
- See how many clients have different versions of Microsoft Edge installed
- Have a view of the installed browsers across devices
- Have a view of preferred browser by device
From the Software Library workspace, click Microsoft Edge Management to see the dashboard. Change the collection for the graph data by clicking Browse and choosing another collection. By default your five largest collections are in the drop-down list. When you select a collection that isn’t in the list, the newly selected collection takes the bottom spot on your drop-down list.
Improvements to Microsoft Edge management
You can now create a Microsoft Edge application that’s set up to receive automatic updates rather than having automatic updates disabled. This change allows you to choose to manage updates for Microsoft Edge with Configuration Manager or allow Microsoft Edge to automatically update.
Task sequence as an app model deployment type
You can now install complex applications using task sequences via the application model. Add a deployment type to an app that’s a task sequence, either to install or uninstall the app.
Operating System Deployment
Bootstrap a task sequence immediately after client registration
When you install and register a new Configuration Manager client, and also deploy a task sequence to it, it’s difficult to determine how soon after registration it will run the task sequence. This release introduces a new client setup property that you can use to start a task sequence on a client after it successfully registers with the site.
Improvements to Check Readiness task sequence step
You can now verify more device properties in the Check Readiness task sequence step. Use this step in a task sequence to verify the target computer meets your prerequisite conditions.
- Architecture of current OS
- Minimum OS version
- Maximum OS version
- Minimum client version
- Language of current OS
- AC power plugged in
- Network adapter is connected and not wireless
Improvements to task sequence progress
The task sequence progress window now includes the following improvements:
- You can enable it to show the current step number, total number of steps, and percent completion
- Increased the width of the window to give you more space to better show the organization name in a single line
Improvements to OS deployment
This release includes the following improvements to OS deployment:
- The task sequence environment includes a new read-only variable, _TSSecureBoot. Use this variable to determine the state of secure boot on a UEFI-enabled device.
- Set task sequence variables to configure the user context for the Run Command Line and Run PowerShell Script steps.
- On the Run PowerShell Script step, you can now set the Parameters property to a variable.
- The Configuration Manager PXE responder now sends status messages to the site server. This change makes it easier to troubleshoot OS deployments that use this service.
Protection
Expand Microsoft Defender Advanced Threat Protection (ATP) onboarding
Configuration Manager has expanded its support for onboarding devices to Microsoft Defender ATP.
Improvements to BitLocker management
- The BitLocker management policy now includes additional settings, including policies for fixed and removable drives.
- Starting in this version, the HTTPS requirement is for the IIS website that hosts the recovery service, not the entire management point role. This change relaxes the certificate requirements, and still encrypts the recovery keys in transit.
Software updates
Orchestration groups
Orchestration Groups are the evolution of the “Server Groups” feature. Create an orchestration group to better control the deployment of software updates to devices. An orchestration group gives you the flexibility to update devices based on a percentage, a specific number, or an explicit order. You can also run a PowerShell script before and after the devices run the update deployment.
Evaluate software updates after a servicing stack update
Configuration Manager now detects if a servicing stack update (SSU) is part of an installation for multiple updates. When an SSU is detected, it’s installed first. After install of the SSU, a software update evaluation cycle runs to install the remaining updates. This change allows a dependent cumulative update to be installed after the servicing stack update
Office 365 updates for disconnected software update points
You can use a new tool to import Office 365 updates from an internet-connected WSUS server into a disconnected Configuration Manager environment.
Reporting
Integrate with Power BI Report Server
You can now integrate Power BI Report Server with Configuration Manager reporting. This integration gives you modern visualization and better performance. It adds console support for Power BI reports similar to what already exists with SQL Server Reporting Services.
Configuration Manager Console
Show boundary groups for devices
To help you better troubleshoot device behaviors with boundary groups, you can now view the boundary groups for specific devices. In the Devices node or when you show the members of a Device Collection, add the new Boundary Group(s) column to the list view.
When you Send a smile or Send a frown, a status message is created when the feedback is submitted. This improvement provides a record of:
- When the feedback was submitted
- Who submitted the feedback
- The feedback ID
- If the feedback submission was successful or not
A status message with an ID of 53900 is a successful submission and 53901 is a failed submission.
Search all subfolders for configuration items and configuration baselines
Similar to improvements in previous releases, you can now use the All Subfolders search option from the Configuration Items and Configuration Baselines nodes.
Tools
OneTrace log groups
OneTrace now supports customizable log groups, similar to the feature in Support Center. Log groups allow you to open all log files for a single scenario. OneTrace currently includes groups for the following scenarios:
- Application management
- Compliance settings (also referred to as Desired Configuration Management)
- Software updates
Improvements to extend and migrate on-premises site to Microsoft Azure
The extend and migrate on-premises site to Microsoft Azure tool now supports provisioning multiple site system roles on a single Azure virtual machine. You can add site system roles after the initial Azure virtual machine deployment has completed.
