Configuration Manager Technical Preview Branch Update 1710.
This month’s new preview features include:
- Check compliance for co-managed devices from Software Center when conditional access is managed by Intune – Users can now use Software Center to check the compliance of their co-managed Windows 10 devices when conditional access is managed by Intune.
- Limit Windows 10 enhanced telemetry to only send data relevant to Windows Analytics Device Health – You can now set the Windows 10 telemetry data collection level to Enhanced (Limited). This setting enables you to gain actionable insight about devices in your environment without devices reporting all of the data in the Enhanced telemetry level with Windows 10 version 1709 or later.
- Configure and deploy Windows Defender Application Guard policies – You can now create and deploy Windows Defender Application Guard policies to Windows 10 clients that help protect your users by opening untrusted web sites in a virtualized browser (Edge and Internet Explorer).
- Authorize software that is trusted by the Intelligent Security Graph as part of Windows Defender Application Control – Device Guard policies in Configuration manager are now renamed to Windows Defender Application Control policies. This better reflects the scope of their functionality. On devices that run Windows 10 version 1709, software that is trusted by the Microsoft Intelligent Security Graph (ISG) can now be automatically authorized. The trustworthiness of the software is defined by reputation data from Windows Defender SmartScreen, Windows Defender Antivirus, and more.
- Configure Windows Defender Exploit Guard – Windows Defender Exploit Guard provides intrusion prevention rules and policies that make vulnerabilities more difficult to exploit in Windows 10. All Exploit Guard components are now configurable with Configuration Manager.
- Improved descriptions for pending computer restarts – The reason for a pending computer restart is posted.
- Run Scripts – We’ve added the ability to configure security scopes for the Run Scripts feature. We’ve also integrated an additional improved monitoring experience as part of the Run Scripts wizard.
This release also includes the following improvements based on your feedback from UserVoice:
- Allow up to 512×512 pixel icons for application in Software Center – You can now deploy apps with up to 512×512 pixels icon to display in Software Center. This was earlier capped at 250×250 pixels and anything larger showed up blurry on Software Center. We have now changed this after receiving feedback from our customers.
- Support for Cryptography: Next Generation certificates – We’ve added limited support for Cryptography: Next Generation (CNG) certificates. For more information about the supported scenarios please read Introducing support for Cryptography: Next Generation (CNG) certificates in Configuration Manager.
Supported in 1710 Technical Preview
Beginning with the 1710 Technical Preview you can use certificates created using CNG certificate templates for client-specific scenarios. The following scenarios are supported:
- Client registration and communication with a HTTPS management point
- Software distribution and application deployment with a HTTPS distribution point
- Operating system deployment
- Cloud Management Gateway configuration
- Client messaging SDK (with a soon to be released update) and ISV Proxy
Note: CNG is backward compatible with Crypto API (CAPI). CAPI certificates will continue to be supported even when CNG support is enabled on the client
Not supported for 1710 Technical Preview
- Application Catalog Web service, Application Catalog website, Enrollment point, and Enrollment proxy point roles will not be operational when installed in HTTPS mode with CNG certificate bound to the web site in Internet Information Services (IIS). Software Center will not display applications and packages deployed to user or user group collection as available .
- State Migration Point will not be operational when installed in HTTPS mode with a CNG certificate bound to the web site in IIS.
- Using CNG certificates to create a Cloud Distribution Point is not supported.
- NDES Policy Module to Certificate Registration Point (CRP) communication will fail if the NDES Policy Module is using a CNG certificate for client authentication certificate.
Creating CNG certificate templates
You will need to create CNG certificate templates from the Certificate Authority (CA) and the enrolling certificate on the target machines (clients or servers) depending on the purpose and scenario you are testing e.g. client authentication, server authentication, etc.
Required certificate template properties (Windows CA):
- Under the Compatibility tab, “Certification Authority” must be at least “Windows Server 2008” (recommended “Windows Server 2012”)
- Under the Compatibility tab, “Certificate recipient” must be at least “Windows Vista/Server 2008” (recommended “Windows 8/Windows Server 2012”)
- Under the Cryptography tab, make sure the “Provider Category” is “Key Storage Provider”
Note: The requirements for your environment or organization may be different. Please consult with your PKI expert. The important points to consider are a certificate template must use a Key Storage Provider to be able to take advantage of CNG.