This blog will periodically release a series of articles dedicated to the new features introduced in the new builds of Microsoft Endpoint Configuration Manager.
The goal is to provide a comprehensive overview of the main news, in order to stay up to date on these topics and have the necessary references to conduct further studies.
Given the situation created by COVID-19, in this latest release Microsoft focused its efforts on flexibility and on improving remote work: for example, clients can now be upgraded over metered networks, and content can be downloaded from the cloud instead of over the VPN connection.
Microsoft Endpoint Manager tenant attach
App Installation from the Admin Center portal
It is possible to start, from the Microsoft Endpoint Manager Admin Center portal, the installation of an application in real time on a device connected in the tenant attach mode (for more information about Tenant Attach, a dedicated article is available here).
Starting with version 2006 of Configuration Manager, the list of available applications also includes applications deployed to the user currently signed in on the device.
Import of an Azure AD application previously created during onboarding
During a new onboarding, an administrator can specify an application created previously during the onboarding of the tenant attach.
Endpoint Analytics data collection active by default
Endpoint Analytics allows you to identify policies or hardware problems that could slow down the devices and make the appropriate changes proactively without interrupting the work of the end user.
The Enable Endpoint Analytics data collection option, defined in Client Settings in the Configuration Manager console, is enabled by default. However, no data is sent to the Admin Center portal until the option to upload the collected data is enabled.
If you upgrade from version 2002 to version 2006, the values of the Custom Client Settings will be maintained. The default value on CM 2002 for the Enable Endpoint Analytics data collection setting is No.
If you upgrade from version 1910 or earlier, the setting will be set to the new default value (Yes).
VPN Boundary type
To simplify the management of remote clients, it is now possible to create a new type of boundary for VPNs. In previous releases, it was necessary to create boundaries based on an IP range or on a subnet. Now, when a client sends a location request, it includes more information about its network configuration. Based on this information, the Configuration Manager server determines whether the client is using a VPN connection.
Improvement to Windows Virtual Desktop support
Windows 10 Enterprise multi-session is available in the supported operating systems list in the requirements rules and applicability lists.
CMG Software Update Point for non-internet devices
From this build, intranet clients can use a Cloud Management Gateway that hosts the Software Update Point role, provided the CMG is assigned to their boundary group.
Notifications for Secret Key expiration
If the infrastructure is configured for cloud attach, the Configuration Manager console shows notifications when:
- One or more secret keys for an Azure AD application are about to expire;
- One or more secret keys for an Azure AD application have expired.
Improvement to CMPivot feature
CMPivot is a utility in the Configuration Manager console that gives you real-time access to information on connected devices: it immediately queries all currently connected devices and returns the results. If a device is not connected, its inventory data is returned instead.
Below are the main improvements introduced in this release:
- It is possible to run CMPivot on one or more devices without necessarily having to select or create a collection;
- Based on the results returned by a CMPivot query, it is possible to select one or more devices in order to launch an additional instance of CMPivot based on the selection made;
- Standalone CMPivot and CMPivot launched from the administration console have been unified;
Installation and upgrade on metered connection
In previous versions, if a device was connected to a metered network, the installation or update of the CM client was not possible; for systems that roam frequently, this left them unmanaged or running obsolete client versions. From this build, the Configuration Manager client can be installed or upgraded even when client communication with the Primary Site over metered connections has been limited.
Improvements to managing device restart
Starting with version 2006, it is possible to instruct the CM client to inhibit automatic restart of the device when requested by the deployment.
This setting applies to applications, software updates and package deployments that require a reboot.
To take full advantage of the new Configuration Manager features, after updating the site, it is necessary to update the CM client to the latest version.
Improvements to available apps via CMG
In this release, if a client joined to Azure AD and connected to the local network uses a Cloud Management Gateway (CMG), the Azure AD credentials are used to check the availability of apps at the user level.
In previous versions, Software Center used Windows authentication, which generated errors and failures while retrieving the list of applications available at the user level.
Microsoft 365 Apps for enterprise
As of April 2020, Office 365 ProPlus has been renamed to Microsoft 365 Apps for enterprise. Accordingly, all the relevant sections of the console have been updated to the new naming, and a special banner notifies you of any Automatic Deployment Rule that still uses the obsolete name.
For more information, on the new naming convention introduced by Microsoft you can refer to the following link.
Cloud-based content support on Task Sequence media
One of the most important features introduced in this release is certainly the ability to download content directly from the cloud through Task Sequence media (PXE, USB sticks, etc.); this new functionality can be useful for standardizing the device fleet in branch offices.
By shipping a prepared USB key or using an on-site PXE server, it is possible to provision an image directly from the cloud without saturating the connection to the main office.
Improvements to BitLocker task sequence steps
Through the Enable BitLocker and Pre-provision BitLocker steps, it is possible to define the encryption method to be used. In addition, a new setting has been added to the Enable BitLocker step (Skip this step for computers that do not have a TPM or when TPM is not enabled) to handle cases in which the device has no TPM or the TPM is not correctly initialized.
Improvements to OS deployment
In the 2006 version, the following improvements were introduced within the OS Deployment functionality:
- It is possible to use a variable as the target of the Format and Partition Disk step; this allows disk formatting to be managed dynamically in complex scenarios.
- The Check Readiness step includes a check to determine whether the system is using UEFI; the _TS_CRUEFI variable is automatically populated with the result of this check.
- If the detailed progress bar is enabled, the steps included in a disabled group are no longer counted; in previous releases, even disabled steps were included in the count.
- During a Windows 10 upgrade via Task Sequence, the two command prompt windows related to the SetupCompleteTemplate.cmd and SetupRollbackTemplate.cmd scripts are no longer displayed.
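The following PowerShell script is an added example, not code from the original post or from Microsoft: it shows how a "Run PowerShell Script" step placed after Check Readiness can combine the two items above, reading _TS_CRUEFI and then choosing the target disk dynamically for a Format and Partition Disk step that is configured to take its disk number from a variable. The Microsoft.SMS.TSEnvironment COM object and its Value() accessor are the documented task sequence API; the variable name OSDTargetDiskIndex, the assumption that _TS_CRUEFI reads "true" or "1" in UEFI mode, and the disk-selection rule are assumptions made for this example.

```powershell
# Added example: select the OS target disk inside a task sequence.
# Assumes it runs in WinPE with the Storage module (Get-Disk) available.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# _TS_CRUEFI is set by the Check Readiness step (version 2006+).
# Assumption: the value is "true" or "1" when the device booted in UEFI mode.
$crUefi = $tsenv.Value('_TS_CRUEFI')
$isUefi = $crUefi -in @('true', 'True', 'TRUE', '1')

# Candidate disks: fixed (non-USB) disks, excluding the boot media,
# ordered by disk number so the choice is deterministic.
$candidates = Get-Disk |
    Where-Object { $_.BusType -ne 'USB' -and -not $_.IsBoot } |
    Sort-Object Number

if (-not $candidates) {
    Write-Error 'No suitable target disk found; aborting the task sequence step.'
    exit 1
}

# Prefer an NVMe disk when present, otherwise the lowest-numbered disk.
$target = $candidates | Where-Object { $_.BusType -eq 'NVMe' } | Select-Object -First 1
if (-not $target) { $target = $candidates | Select-Object -First 1 }

# OSDTargetDiskIndex is an assumed custom variable name: point the
# Format and Partition Disk step's "disk number" at this variable.
$tsenv.Value('OSDTargetDiskIndex') = [string]$target.Number

# Record the firmware mode as well, so later steps (for example a GPT vs. MBR
# partition layout) can be conditioned on it without re-running the check.
$tsenv.Value('OSDFirmwareMode') = if ($isUefi) { 'UEFI' } else { 'BIOS' }

Write-Output ("Firmware: {0}; target disk: {1} ({2}, {3} GB)" -f `
    $tsenv.Value('OSDFirmwareMode'), $target.Number, $target.BusType,
    [math]::Round($target.Size / 1GB))
```

Because the step fails (non-zero exit code) when no candidate disk exists, the task sequence stops before Format and Partition Disk can wipe an unexpected device such as the USB media itself; selecting the disk in a script rather than hard-coding a number is what the variable-target option in 2006 makes possible.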
CMG support for endpoint protection policies
Starting with this release, clients that communicate via Cloud Management Gateway are able to apply Endpoint Protection policies without the need for communication with the Active Directory infrastructure.
It is possible to install the administrative and self-service portals related to BitLocker on a CAS (central administration site) system.
Community hub and GitHub
Through Community Hub, it is possible to share and find content (such as scripts) to speed up the work of IT administrators. For this first release, the content available within the Community Hub will only be uploaded by Microsoft.
Notifications from Microsoft
It is possible to receive notifications from Microsoft directly within the Configuration Manager console. These notifications keep you informed about new features, updates and changes to Configuration Manager; in addition, they report problems that require action by the IT administrator to be resolved.