SCCM 1906 current branch.
Version 1906 client requires SHA-2 code signing support
Because of weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft now only signs Configuration Manager binaries using the more secure SHA-2 algorithm. The following Windows OS versions require an update for SHA-2 code signing support:
- Windows 7 SP1
- Windows Server 2008 R2 SP1
- Windows Server 2008 SP2
Use Desktop Analytics with Configuration Manager to:
- Create an inventory of apps running in your organization.
- Assess app compatibility with the latest Windows 10 feature updates.
- Identify compatibility issues and receive mitigation suggestions based on cloud-enabled data insights.
- Create pilot groups that represent the entire application and driver estate across a minimal set of devices.
- Deploy Windows 10 to pilot and production-managed devices using Configuration Manager.
- Minimize deployment risks by monitoring the health state of your devices during and after the deployment.
- Ensure your devices are still supported with security and feature updates status.
Management insights rule for NTLM fallback
Management insights include a new rule that detects if you enabled the less secure NTLM authentication fallback method for the site. The rule is named "NTLM fallback is enabled".
Improvements to support for SQL Always On
- Add a new synchronous replica from setup: You can now add a new secondary replica node to an existing SQL Always On availability group. Instead of a manual process, use the Configuration Manager setup to make this change.
- Multi-subnet failover: You can now enable the MultiSubnetFailover connection string keyword in SQL Server. You also need to manually configure the site server.
- Support for distributed views: The site database can be hosted on a SQL Server Always On availability group, and you can enable database replication links to use distributed views. This change doesn’t apply to SQL Server clusters.
- Site recovery can recreate the database on a SQL Always On group. This process works with both manual and automatic seeding.
- New setup prerequisite checks:
This release also includes:
Cloud Value
- Multiple pilot groups for co-management workloads – You can now configure different pilot collections for each of the co-management workloads. Using different pilot collections allows you to take a more granular approach when shifting workloads.
- Improvements to co-management auto-enrollment – A new co-managed device now automatically enrolls to the Microsoft Intune service based on its Azure Active Directory (Azure AD) device token.
- Azure Active Directory user group discovery – You can now discover user groups and members of those groups from Azure Active Directory (Azure AD).
- Synchronize collection membership results to Azure Active Directory groups (Pre-release) – You can now enable the synchronization of collection memberships to an Azure Active Directory (Azure AD) group.
- Support for Windows Virtual Desktop – Windows Virtual Desktop is a preview feature of Microsoft Azure and Microsoft 365. You can now use Configuration Manager to manage these virtual devices running Windows in Azure.
Customer Voice
Site infrastructure
- Site server maintenance task improvements – Site server maintenance tasks can now be viewed and edited from their own tab on the details view of a site server. The new Maintenance Tasks tab gives you information such as:
  - If the task is enabled
  - The task schedule
  - Last start time
  - Last completion time
  - If the task completed successfully
- Configuration Manager update database upgrade monitoring – Improved progress monitoring in the installation status window and information about blocking tasks. When applying a Configuration Manager update, you can now see the state of the Upgrade ConfigMgr database task in the installation status window.
  - If the database upgrade is blocked, then you’ll be given the warning "In progress, needs attention".
  - When the database upgrade is no longer blocked, the status will be reset to In Progress or Complete.
  - When the database upgrade is blocked, a check is done every 5 minutes to see if it’s still blocked.
Application management
- Application groups (Pre-release) – Create a group of applications that you can send to a user or device collection as a single deployment.
- Filter applications deployed to devices – User categories for device-targeted application deployments now show as filters in Software Center.
This release includes the following infrastructure improvements to Software Center:
- Software Center now communicates with a management point for apps targeted to users as available. It doesn’t use the application catalog anymore. This change makes it easier for you to remove the application catalog from the site.
- Previously, Software Center picked the first management point from the list of available servers. Starting in this release, it uses the same management point that the client uses. This change allows Software Center to use the same management point from the assigned primary site as the client.
These iterative improvements to Software Center and the management point are to retire the application catalog roles.
- The Silverlight user experience isn’t supported as of the current branch version 1806.
- Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can’t install new application catalog roles.
- In the first current branch release after October 31, 2019, support will end for the application catalog roles.
Operating System Deployment
- Task sequence debugger (Pre-release) – The task sequence debugger is a new troubleshooting tool. You deploy a task sequence in debug mode to a collection of one device.
- Multiple improvements based on UserVoice feedback – This includes the ability to clear app content from the client cache, reclaim SEDO lock for task sequences, pre-cache driver packages and OS images, and more.
Improvements to OS deployment
This release includes the following improvements to OS deployment:
- Use the following two PowerShell cmdlets to create and edit the Run Task Sequence step:
  - New-CMTSStepRunTaskSequence
  - Set-CMTSStepRunTaskSequence
- It’s now easier to edit variables when you run a task sequence. After you select a task sequence in the Task Sequence Wizard window, the page to edit task sequence variables includes an Edit button.
- The Disable BitLocker task sequence step has a new restart counter. Use this option to specify the number of restarts to keep BitLocker disabled. This change helps you simplify your task sequence. You can use a single step, instead of adding multiple instances of this step.
- Use the new task sequence variable SMSTSRebootDelayNext with the existing SMSTSRebootDelay variable. If you want any later reboots to happen with a different timeout than the first, set this new variable to a different value in seconds.
- The task sequence sets a new read-only variable _SMSTSLastContentDownloadLocation. This variable contains the last location where the task sequence downloaded or attempted to download content. Inspect this variable instead of parsing the client logs.
Software updates
- Additional options for WSUS maintenance – You now have additional WSUS maintenance tasks that Configuration Manager can run to maintain healthy software update points.
Configuration Manager Console
- Role-based access for folders – You can now set security scopes on folders. If you have access to an object in the folder, but don’t have access to the folder, you’ll be unable to see the object.
- Multiple improvements based on UserVoice feedback – This includes adding a collections tab in the devices node, adding a task sequences tab in the applications node, and improving multi-select support.
Real-time management
- Add joins, additional operators, and aggregators in CMPivot – For CMPivot, you now have additional arithmetic operators, aggregators, and the ability to add query joins such as using Registry and File together.
- CMPivot standalone (Pre-release) – You can now use CMPivot as a standalone app outside of the Administrative Console. This enables you to share the power of CMPivot with other personas, such as helpdesk or security admins, who don’t have the console installed on their computer.
Added permissions to the Security Administrator role
The following permissions have been added to Configuration Manager’s built-in Security Administrator role:
- Read on SMS Script
- Run CMPivot on Collection
- Read on Inventory Report
Office 365 ProPlus upgrade readiness dashboard
To help you determine which devices are ready to upgrade to Office 365 ProPlus, there’s a new readiness dashboard. It includes the Office 365 ProPlus upgrade readiness tile that was released in Configuration Manager current branch version 1902. In the Configuration Manager console, go to the Software Library workspace, expand Office 365 Client Management, and select the Office 365 ProPlus Upgrade Readiness node.
Protection
Windows Defender Application Guard file trust criteria
There’s a new policy setting that enables users to trust files that normally open in Windows Defender Application Guard (WDAG). Upon successful completion, the files will open on the host device instead of in WDAG.
Deprecated features and operating systems
Version 1906 drops support for the following features:
- Classic service deployment to Azure for cloud management gateway and cloud distribution point.
- You can’t install new application catalog roles. Updated clients automatically use the management point for user-available application deployments.
Version 1906 deprecates support for the following products:
- Windows CE 7.0
- Windows 10 Mobile
- Windows 10 Mobile Enterprise
Support Center OneTrace (Preview)
OneTrace is a new log viewer with Support Center. It works similarly to CMTrace, with the following improvements:
- A tabbed view
- Dockable windows
- Improved search capabilities
- Ability to enable filters without leaving the log view
- Scrollbar hints to quickly identify clusters of errors
- Fast log opening for large files
Note: As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you’ll be notified when it’s ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, use the PowerShell script to ensure that you are in the first wave of customers getting the update. By running this script, you’ll see the update available in your console right away.