Configuration Manager Technical Preview 2010.2.
Tenant attach: Troubleshooting portal lists a user’s devices based on usage
The troubleshooting portal in Microsoft Endpoint Manager admin center allows you to search for a user and view their associated devices. Starting in this release, tenant-attached devices that are assigned user device affinity automatically based on usage will now be returned when searching for a user.
Prerequisites
- An environment that’s tenant attached with uploaded devices
- Install the latest version of the Configuration Manager client.
- Target clients with User and Device Affinity client settings to automatically create the affinities.
Tenant attach: Create and deploy firewall policies
You can now configure and deploy settings for Windows Defender Firewall with Advanced Security to tenant-attached Windows 10 devices.
Prerequisites
- An environment that’s tenant attached with uploaded devices
- Ramen 10 or later clients
Enhancements to applications in Microsoft Endpoint Manager admin center
We’ve made improvements to applications for tenant-attached devices. Administrators can now do the following actions for applications in the Microsoft Endpoint Manager admin center:
- Verwijderen an application
- Repair installation of an application
- Re-evaluate the application installation status
- Reinstall an application that has replaced Retry installation
Prerequisites for applications:
- All the prerequisites for applications for tenant-attached devices
- Install the latest version of the Configuration Manager client
- Targeted clients need to be online
- To uninstall an application:
- The application must have at least one deployment type with the uninstall command defined
- Required deployments of the application can’t be targeted to the client
- The application must currently be installed on the device
- To repair an application:
- The application must have at least one deployment type with the repair command defined
- The application must currently be installed on the device
Permissions needed:
- Read permission on Collection
- Apply the permission to both targeted device collections and targeted user collections
- Read on the Application
- Approve on the Application
Known issues with apps in Microsoft Endpoint Manager admin center
In this technical preview, if you see an error notification when you install, uninstall, reevaluate, or repair an app, use the following workaround. Open SQL Server Management Studio, select the primary site database, and run the following SQL script: Sql
DECLARE @view nvarchar(max) = OBJECT_DEFINITION(OBJECT_ID('[dbo].[vSMS_CombinedDeviceResources]'));
IF (@view IS NULL) print 'Object not found, select primary site database and re-run script'
ELSE BEGIN
SET @view = REPLACE(REPLACE(@view, 'ck.ApprovalStatus as IsApproved', '(CASE WHEN ck.ApprovalStatus = 2 OR ck.ApprovalStatus = 3 THEN 1 ELSE ck.ApprovalStatus END) as IsApproved'), 'CREATE VIEW', 'ALTER VIEW')
EXEC sp_executesql @view
END
Improvements to BitLocker management
Based on your UserVoice feedback, you can now manage BitLocker policies and escrow recovery keys over a cloud management gateway (CMG). This change also provides support for BitLocker management via internet-based client management (IBCM) and when you configure the site for enhanced HTTP. There’s no change to the setup process for BitLocker management. For more information, see Deploy BitLocker management.
If you have either the Helpdesk or Self-Service portals set up, use these portals to validate that clients escrow their keys directly to a management point. For more information, see Set up BitLocker portals. Continue to use BitLockerManagementHandler.log to help troubleshoot client communication.
Known issue with BitLocker management
When the client can’t communicate with an on-premises management point, there’s an issue with the client’s BitLocker configuration for key recovery. As a temporary workaround for this preview release:
- Set the following registry key on the client:
HKLM\SOFTWARE\Microsoft\CCM\BLM, "UseKeyRecoveryService"=dword:00000001 - Restart the SMS Agent Host (ccmexec) dienst.
This value resets each time the client evaluates the BitLocker management policy, which is seven days by default.
Improvements to deploy an OS over CMG using boot media
Technical preview branch version 2009 included support for using boot media to reimage internet-based devices that connect through a cloud management gateway (CMG).
This release streamlines the administrative workflow in the Configuration Manager console. On the Media Management page of the Create Task Sequence Media Wizard, de Internet-based media option no longer exists. Selecteer de Site-based media optie. Then still select the CMG for the management point on the Boot Image page.
Desktop Analytics support for new Windows 10 data levels
Microsoft is increasing transparency by categorizing the data that Windows 10 collects:
- Basic diagnostic data is recategorized as Required diagnostic data
- Full is recategorized as Optional
Starting in Configuration Manager current branch version 2006, de Diagnostic Data tab of the Desktop Analytics service in the Configuration Manager console already uses these new labels.
If you previously configured devices for Limited of Limited (Enhanced), in an upcoming release of Windows 10, they’ll use the Required level. This change may impact the functionality of Desktop Analytics.
Immediate distribution point fallback for clients downloading software update delta content
There’s a new client setting for software updates. If delta content is unavailable from distribution points in the current boundary group, you can allow immediate fallback to a neighbor or the site default boundary group distribution points. This setting is useful when using delta content for software updates since the timeout setting per download job is 5 minutes.
Disable Azure AD authentication for onboarded tenants
You can now disable Azure Active Directory (Azure AD) authentication for tenants not associated with users and devices. When you onboard Configuration Manager to Azure AD, it allows the site and clients to use modern authentication. Currently, Azure AD device authentication is enabled for all onboarded tenants, whether or not it has devices. Bijvoorbeeld, you have a separate tenant with a subscription that you use for compute resources to support a cloud management gateway. If there aren’t users or devices associated with the tenant, disable Azure AD authentication.
Additional options when creating app registrations in Azure Active Directory
You can now specify Never for the expiration of a secret key when creating Azure Active Directory app registrations. For more information about creating app registrations, see Configure Azure Services.
Choosing Never as an option for secret key expiry carries security risk since a secret that’s compromised and never expires can become a point of entry into your environment.
Validate internet access for the service connection point
If you use Desktop Analytics or tenant attach, the service connection point now checks important internet endpoints. These checks help make sure that the cloud-connected services are available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem.
For more details, review the EndpointConnectivityCheckWorker.log file on the service connection point.
A failure isn’t always determined by the HTTP status code, but if there’s network connectivity to an endpoint. The following scenarios can cause a check to fail:
- Network connection timeout
- SSL/TLS failure
- Unexpected status code: Таблиця 1 Status code Description Possible reason 407 Proxy authentication required May indicate a proxy issue 408 Request timeout May indicate a proxy issue 426 Upgrade required May indicate a TLS misconfiguration 451 Unavailable for legal reasons May indicate a proxy issue 502 Bad gateway May indicate a proxy issue 511 Network authentication required May indicate a proxy issue 598 Network read timeout error Not RFC compliant, but used by some proxy servers to indicate a network timeout 599 Network connection timeout error Not RFC compliant, but used by some proxy servers to indicate a network timeout
There are also the following status messages for the SMS_SERVICE_CONNECTOR component:
| Message ID | Severity | Notes |
|---|---|---|
| 11410 | Informational | All checks are successful |
| 11411 | Waarschuwing | One or more non-critical failures occurred |
| 11412 | Fout | One or more critical failures occurred |
For more information on required internet endpoints, see Internet access requirements.
Improvements to the administration service
The Configuration Manager REST API, the administration service, requires a secure HTTPS connection. With the previous methods to enable HTTPS, enabling IIS on the SMS Provider was a prerequisite.
Starting in this release, you no longer need to enable IIS on the SMS Provider for the administration service. When you enable the site for enhanced HTTP, it creates a self-signed certificate for the SMS Provider, and automatically binds it without requiring IIS.
If you previously had IIS installed on the SMS Provider, you can remove it. Then restart the SMS_REST_PROVIDER component.
