SCCM 2009 Technical Preview

Published: February 18, 2024

Contents
  • Cloud management gateway with virtual machine scale set
  • Preview limitations for CMG with virtual machine scale sets
  • Improvements to remote control
  • Deploy an OS over CMG using boot media
  • Prerequisites for boot media via CMG
  • View collection relationships
  • Wake machine at deployment deadline using peer clients on the same remote subnet
  • Improvements to in-console notifications
  • Notifications for devices no longer receiving updates
  • Improved Windows Server restart experience for non-administrator accounts
  • Improvements to OS deployment

Cloud management gateway with virtual machine scale set

Based on your UserVoice feedback, cloud management gateway (CMG) deployments now use virtual machine scale sets in Azure. This change introduces support for Azure Cloud Solution Provider (CSP) subscriptions.

Except for the following aspects, the configuration, operation, and functionality of the CMG remains the same:

  • A new prerequisite is to register the following resource providers in your Azure subscription:
    • Microsoft.KeyVault
    • Microsoft.Storage
    • Microsoft.Network
    • Microsoft.Compute
    For more information, see Azure resource providers and types.
  • When you create a CMG in the Configuration Manager console, the default option to deploy the cloud service is as a Virtual machine scale set. If necessary, you can still select Cloud service (classic) to use the existing Azure Resource Manager deployment.
  • For a CMG deployment to a virtual machine scale set, the service name is different. This name is from the CMG server authentication certificate.
    • With the previous Azure Resource Manager deployment option, the service name is in the cloudapp.net domain. For example, GraniteFalls.CloudApp.Net.
    • With a virtual machine scale set, the service name uses the cloudapp.azure.com domain along with the region. For example, GraniteFalls.EastUS.CloudApp.Azure.Com for a deployment in the East US Azure region.
  • The CMG connection point only communicates with the virtual machine scale set in Azure over HTTPS. It doesn’t require TCP-TLS ports 10140-10155 to build the CMG communication channel.

If you already have an existing CMG deployment using Azure Resource Manager, you don’t have to redeploy the service. This new deployment method is primarily to support CSP customers to use the CMG. If you do redeploy the service to leverage the new architecture, since the service name changes, you’ll need to make configuration changes:

  • If you issue the CMG server authentication certificate for your own domain name, update the CNAME record in DNS. For example, the certificate uses GraniteFalls.Contoso.Com. First deploy the new service with the same certificate. When you’re ready to switch, change the CNAME to point to the virtual machine scale set. For example, change the CNAME mapping for GraniteFalls.Contoso.Com to GraniteFalls.EastUS.CloudApp.Azure.Com.
  • If you’re using a CMG server authentication certificate from a third-party provider, they issued the certificate in the cloudapp.net domain. You need to get a new certificate for the new service domain. For example, GraniteFalls.EastUS.CloudApp.Azure.Com. Create the new service with the new certificate, and add a second CMG connection point. Then wait at least one day before you delete the old CMG and remove the original CMG connection point. If clients are turned off or without an internet connection, you may need to wait longer.
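
The redeployment cases above can be worked through per certificate before touching Azure or DNS. The following is an added example, not part of the original page or Microsoft's tooling; the function name and output fields are hypothetical, and it assumes the deployment name is the first label of the certificate name, as in the GraniteFalls examples.

```powershell
# Added example, not Microsoft tooling. Certificate names below are the page's examples.
function Get-CmgScaleSetPlan {
    param(
        [Parameter(Mandatory)][string]$CertificateDnsName,  # name in the CMG server authentication certificate
        [Parameter(Mandatory)][string]$AzureRegion          # display name, for example 'East US'
    )
    $name   = $CertificateDnsName.Trim().TrimEnd('.').ToLowerInvariant()
    $region = ($AzureRegion -replace '\s', '').ToLowerInvariant()
    # Assumption: the deployment name is the first label of the certificate name.
    $deployment = $name.Split('.')[0]
    $newService = "$deployment.$region.cloudapp.azure.com"

    if ($name -eq $newService) {
        $cert = 'Keep current certificate'
        $dns  = 'No change'
    } elseif ($name -match '\.cloudapp\.(net|azure\.com)$') {
        # The certificate name is in an Azure service domain, and the service name
        # changes with the new deployment, so the certificate must match the new name.
        $cert = "Get a new certificate for $newService"
        $dns  = 'No change'
    } else {
        # Own domain: same certificate, switch the CNAME once the new service is up.
        $cert = 'Keep current certificate'
        $dns  = "Change CNAME for $name to $newService"
    }
    [pscustomobject]@{
        CertificateName = $name
        ScaleSetService = $newService
        Certificate     = $cert
        Dns             = $dns
        ConnectionPoint = 'HTTPS only; TCP 10140-10155 not required'
    }
}

'GraniteFalls.CloudApp.Net', 'GraniteFalls.Contoso.Com' |
    ForEach-Object { Get-CmgScaleSetPlan -CertificateDnsName $_ -AzureRegion 'East US' } |
    Format-List
```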

For more general information on the cloud management gateway, see Plan for the CMG.

Preview limitations for CMG with virtual machine scale sets

The following CMG configurations are currently not supported in this release:

  • Azure US Government Cloud
  • Enforce TLS 1.2

Improvements to remote control

This release continues to improve the functionality of remote control as first introduced in technical preview version 1906. You can now connect to any Configuration Manager client with an online status.

The following prerequisites now apply:

  • In the Remote Tools group of client settings:
    • Enable remote control
    • Add the user as a permitted viewer for remote control.
    For more information, see About client settings – Remote Tools.
  • Configuration Manager client requirements:
    • Update the client to the latest version.
    • The client status needs to be online.
    • If the client is internet-based, use a cloud management gateway (CMG).
    Note: Remote control now supports all available client authentication methods. For example, internet-based clients might authenticate using one of the following methods:
    • A valid PKI client certificate
    • Azure Active Directory (Azure AD)
    • Token-based authentication
    These requirements aren’t unique to remote control. If you properly configure clients to communicate with a CMG, HTTPS management points, or sites with enhanced HTTP, then they already use a supported authentication method.

For more information on how to use remote control, see the instructions from version 1906.

  1. When you start a remote control session, select the option to Connect via CMG or HTTPS MP for any of the following scenarios:
    • CMG
    • HTTPS management point
    • Enhanced HTTP site
  2. Enter the fully qualified domain name (FQDN) of the applicable service. For example:
    • CMG: granitefalls.cloudapp.net
    • HTTPS management point: mp1.contoso.com

If you specify a CMG, the permitted viewer and the target client device need a connection to the internet. This connection is required even if they’re on the internal network.

Deploy an OS over CMG using boot media

Starting in current branch version 2006, the cloud management gateway (CMG) supports running a task sequence with a boot image when you start it from Software Center. With this release, you can now use boot media to reimage internet-based devices that connect through a CMG. This scenario helps you better support remote workers. If Windows won’t start so that the user can access Software Center, you can now send them a USB drive to reinstall Windows.

Prerequisites for boot media via CMG

  • Set up a CMG
  • For all content referenced in the task sequence, distribute it to a content-enabled CMG or a cloud distribution point. For more information, see Distribute content.
  • Enable the following client settings in the Cloud services group:
    • Allow access to cloud distribution point
    • Enable clients to use a cloud management gateway
  • Configure the Apply Network Settings task sequence step to join a workgroup. During the task sequence, the device can’t join the on-premises Active Directory domain. It doesn’t have connectivity to a domain controller to join the domain.
  • When you deploy the task sequence to a collection, configure the following settings:
    • User experience page: Allow task sequence to run for client on the internet
    • Deployment settings page: Make available to an option that includes media.
    • Distribution points page, deployment options: Download content locally when needed by the running task sequence. For more information, see Deployment options.
  • Make sure the device has a constant internet connection while the task sequence runs. Windows PE doesn’t support wireless networks, so the device needs a wired network connection.

View collection relationships

Based on your UserVoice feedback, you can now view dependency relationships between collections in a graphical format. It shows limiting, include, and exclude relationships.

If you want to change or delete collections, view the relationships to understand the impact of the proposed change. Before you create a deployment, look at the potential target collection for any include or exclude relationships that might affect the deployment.

Wake machine at deployment deadline using peer clients on the same remote subnet

Wake on LAN (WoL) has always posed a problem in complex, subnetted networks. Good networking practice reduces the size of broadcast domains to mitigate the risk of broadcast traffic adversely affecting the network. The most common way to limit network broadcasts is to not allow broadcast packets to be routed between subnets. Another option is to enable subnet-directed broadcasts, but most organizations don’t allow the magic packet to traverse internal routers.

In version 1810, the introduction of peer wake up allowed an administrator to wake a device or collection of devices on demand using the client notification channel, overcoming the need for the server to be in the same broadcast domain as the client.

This latest improvement allows the Configuration Manager site to wake devices at the deadline of a deployment, using that same client notification channel. Instead of the site server issuing the magic packet directly, the site uses the client notification channel to find an online machine in the last known subnet of the target device(s) and instructs the online client to issue the WoL packet for the target device.
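
The peer wake-up flow described above, sketched as an added example (not Configuration Manager's own code and not from the original page): pick an online client in the target's last known subnet and build the WoL magic packet that peer would broadcast locally. The inventory objects, property names and function names are hypothetical, and the sketch handles IPv4 only.

```powershell
# Added example: IPv4 only; all names, addresses and MACs are constructed sample data.
function Get-SubnetId {
    param([string]$IPAddress, [string]$SubnetMask)
    $ip   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    $net  = for ($i = 0; $i -lt 4; $i++) { $ip[$i] -band $mask[$i] }
    $net -join '.'
}

function New-MagicPacket {
    param([string]$MacAddress)
    $hex = $MacAddress -replace '[:.-]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { throw "Invalid MAC address: $MacAddress" }
    $mac = [byte[]]::new(6)
    for ($i = 0; $i -lt 6; $i++) { $mac[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16) }
    # Magic packet: 6 bytes of 0xFF, then the target MAC repeated 16 times (102 bytes).
    $packet = [byte[]](@(0xFF) * 6 + $mac * 16)
    return , $packet
}

function Select-WakePeer {
    param($Target, [object[]]$Clients)
    # The packet is a local broadcast, so the sender must share the target's subnet.
    $subnet = Get-SubnetId $Target.LastIP $Target.Mask
    $Clients |
        Where-Object { $_.Online -and $_.Name -ne $Target.Name -and
                       (Get-SubnetId $_.IP $_.Mask) -eq $subnet } |
        Select-Object -First 1
}

$clients = @(
    [pscustomobject]@{ Name = 'PC-HQ-01'; IP = '10.10.1.15';  Mask = '255.255.255.0'; Online = $true  }
    [pscustomobject]@{ Name = 'PC-BR-07'; IP = '10.20.30.41'; Mask = '255.255.255.0'; Online = $false }
    [pscustomobject]@{ Name = 'PC-BR-09'; IP = '10.20.30.77'; Mask = '255.255.255.0'; Online = $true  }
)
$target = [pscustomobject]@{ Name = 'PC-BR-12'; LastIP = '10.20.30.52'
                             Mask = '255.255.255.0'; MAC = '00-11-22-33-44-55' }

$peer = Select-WakePeer -Target $target -Clients $clients
if ($peer) {
    $packet = New-MagicPacket $target.MAC
    '{0} sends a {1}-byte magic packet for {2}' -f $peer.Name, $packet.Length, $target.Name
} else {
    "No online peer in the last known subnet of $($target.Name); it cannot be woken this way."
}
```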

Improvements to in-console notifications

You now have an updated look and feel for in-console notifications. Notifications are more readable and the action link is easier to find. Additionally, the age of the notification is displayed to help you find the latest information. If you dismiss or snooze a notification, that action is now persistent for your user across consoles.

Right-click or select ... on the notification to take one of the following actions:

  • Translate text: Launches Bing Translator for the text.
  • Copy text: Copies the notification text to the clipboard.
  • Snooze: Snoozes the notification for the specified duration:
    • One hour
    • One day
    • One week
    • One month
  • Dismiss: Dismisses the notification.

To see these improvements for notifications, update the Configuration Manager console to the latest version.

Notifications for devices no longer receiving updates

To help you manage security risk in your environment, you’ll be notified in-console about devices with operating systems that are past the end of support date and that are no longer eligible to receive security updates. Additionally, a new Management Insights rule was added to detect Windows 7, Windows Server 2008, and Windows Server 2008 R2 without Extended Security Updates (ESU).

Environments with the following operating systems installed on client devices receive a notification:

  • Windows 7, Windows Server 2008 (non-Azure), and Windows Server 2008 R2 (non-Azure) without ESU.
  • Versions of Windows 10 Semi-Annual Channel that are past the end-of-support date.
    • Enterprise and Education
    • Home and Pro

Selecting More info on either of these notifications takes you to All Insights in Management Insights. Choose from the following options for review:

  • For Windows 10 clients, review the Update clients to a supported Windows 10 version rule in the Simplified Management group. The rule shows clients running Windows 10 versions that are no longer supported or will reach end of service within the next three months.
  • For Windows 7, Windows Server 2008, and Windows Server 2008 R2 without Extended Security Updates (ESU), review the new rule, Update clients running Windows 7 and Windows Server 2008 in the Security group. The rule shows clients running Windows 7, Windows Server 2008, and Windows Server 2008 R2 that are no longer receiving security updates.

Improved Windows Server restart experience for non-administrator accounts

By default, a low-rights user on a device that runs Windows Server isn’t assigned the user rights to restart Windows. When you target a deployment to this device, this user can’t manually restart. For example, they can’t restart Windows to install software updates.

Starting in this release, you can control this behavior as needed. In the Computer Restart group of client settings, enable the following setting: When a deployment requires a restart, allow low-rights users to restart a device running Windows Server.

Improvements to OS deployment

This release includes the following improvements to OS deployment:

  • After you update the site to version 2009, the Configuration Manager console shows the size in KB for all existing task sequences. Previously, the console showed a size of 0 for existing task sequences, which only updated when you modified the task sequence.
  • It resolves a bug with boot image metadata on PXE-enabled distribution points that have multiple content library drives. This bug could cause the client to fail to download the boot image over TFTP.