On April 6, Microsoft Endpoint Configuration Manager version 2103 was released. In this version Microsoft has tried to optimize, and make more "user friendly", the upgrade and distribution procedures for the Windows 10 operating system. The goal of this article is to give an overall overview of the main innovations introduced in the 2103 release, so that you have the references needed to better manage your infrastructure.
At the time of writing, the update is available through the Early update ring channel; to add your infrastructure to this ring, you need to run the PowerShell script available at the following link.
One of the main innovations introduced in this version is the ability to upgrade Windows 10 systems by calling the Feature Update directly during Task Sequence execution. With this new feature, the update process becomes much less onerous in terms of size, because it is no longer necessary to manage the entire Windows 10 WIM image (the file distributed in .esd format is significantly smaller). A further advantage of this integration is the ability to fully exploit the optimization features natively present in the operating system (such as Dynamic Update and Delivery Optimization), combined with the flexibility that a Task Sequence offers.
Also starting from this release, HTTP client communication is categorized as deprecated; during the installation of this update, a warning is displayed if this type of communication is still in use.
As reported by the official Microsoft documentation (see link), support on this type of communication will be removed starting with the first release available after November 2022.
Microsoft Endpoint Manager tenant attach
View all applications available through the Microsoft Endpoint Manager admin center portal
Once a device has been selected in the admin center portal, the Applications section now shows all the applications deployed to that device. The following applications are included:
- Deployed to the device.
- Deployed to the user signed in to the device, to the primary user, and those previously installed for the user.
With the introduction of this feature, the option An administrator must approve a request for this application on the device (set when configuring the deployment on the Configuration Manager side) no longer needs to be enabled.
Merge between exclusions defined on antivirus policies
From this version, when multiple configuration policies for the antivirus component are deployed, the Tenant Attach client merges the exclusions defined in each of them; this allows more granular management of antivirus exclusions.
Simplify user discovery in Hybrid mode
To allow the discovery of user objects in Hybrid mode, it is now sufficient that they are correctly identified by one of these two discovery types:
- Azure Active Directory user discovery
- Active Directory user discovery
New prerequisite checks
During the 2103 update procedure, the following new prerequisite checks may produce warnings or errors:
- Enable the site for HTTPS-only or enhanced HTTP: as noted above, this warning is shown if the site has neither Enhanced HTTP nor HTTPS-only communication enabled.
- Deprecated Azure Monitor connector: if the Log Analytics connector for Azure Monitor is present, the upgrade procedure is blocked and an error status is reported.
- SQL Server Express version: if a secondary site uses a SQL Server Express edition earlier than 2016 SP2, a warning is reported.
Exclusion of specific OUs from Active Directory User Discovery
It is now possible to exclude certain OUs during the Active Directory User Discovery procedure.
Improvements when viewing relationship collections
The 2010 release introduced the possibility of viewing the dependencies between collections (collection relationships) in a dedicated view; starting from this version, some improvements have been made to that interface to allow faster visualization of the relationships between collections.
In particular, parent-child relationships between collections can now be viewed in a single chart, on which it is also possible to drill down.
Improvements in query preview and collection evaluation view
Within the collection query preview feature, the following improvements have been introduced to make it more usable:
- Limit the number of rows returned: the limit can be set between 1 and 10,000 rows; the default value is 5,000 rows.
- Omit duplicate rows from the result set: duplicate entries are automatically omitted from the result set if the Omit duplicate rows option is selected.
- Review statistics: it is now possible to view the total number of rows that the entered query would return and the corresponding query execution time.
In addition, improvements have been made to the collection evaluation view: this feature, introduced in the 2010 release, allows IT admins to view and analyze issues related to the collection evaluation process. For more details on this process, refer to the following link.
Improvements in User Experience
Starting from 2103, the font color used in Software Center (white) can be changed for better accessibility and a more usable interface; furthermore, also with a view to greater usability and increased security, all web apps and links made available through Software Center are automatically opened with Microsoft Edge.
Disable application deployments
As is already possible for other deployment types (e.g. software update deployments, task sequences, etc.), it is now possible to disable deployments of applications.
When the device refreshes its machine policy, the Configuration Manager infrastructure immediately notifies the client that the object has been disabled.
Changes to the Windows 10 Servicing dashboard
In this release, the Windows 10 Servicing dashboard has been revised to make it more relevant; it now shows the following charts:
- Quality Update Versions: displays the top 5 quality update versions present on your Windows 10 devices;
- Latest Feature Update: displays the number of devices that appear to have installed the latest build available;
- Feature Update Versions: displays the distribution of the main releases of Windows 10;
Notifications during the Check Readiness
When the Check Readiness step (a validation of the system state) is enabled within the Task Sequence and the system does not meet the minimum requirements set, the user is notified (through a specific pop-up) of the causes of the system's non-compliance.
This improvement dramatically simplifies the identification of issues during operating system deployment or update workflows.
Improvements in the OS Deployment procedure
Within this release, some improvements dedicated to the OS Deployment procedure have been introduced:
- Task sequence conditions now include a not like operator;
- The Check Readiness step verifies the free space on disks that have no partitions;
- The following PowerShell cmdlets now have an Index parameter:
- The following new cmdlets are available to get the list of existing hardware IDs in the site database:
Improvements to BitLocker management
A great feature introduced in version 2010 was the ability to escrow (save) the recovery key through the Cloud Management Gateway (CMG); with this feature, systems connected directly to the internet can save their recovery key without having to be connected to the company network.
Starting with this release, the following features are supported:
- Recovery key saving also for removable disks via CMG;
- TPM password hash, otherwise known as TPM owner authorization;
- Enhanced HTTP support;
- Recovery service on management point that uses replica databases;
Use of approved scripts on Orchestration Group
During the creation of a new Orchestration Group, a new section called Script Picker is available, in which you can select, from the list of already approved scripts, those to use as pre- and post-scripts during the update procedure.
Change default maximum run time
In this release, Configuration Manager sets the following values for the maximum update run time:
- Feature updates for Windows: 120 min
- Non-feature updates for Windows: 60 min
- Updates for Microsoft 365 Apps (Office 365 updates): 60 min
Increased security in HTTPS scans
The security of HTTPS scans against WSUS has been further increased by applying certificate pinning; to enable this configuration, the following is required:
- Verify that all Software Update Points are configured to use TLS/SSL;
- Add your WSUS certificate to the WindowsServerUpdateServices store on your clients;
- Check that the option Enforce TLS certificate pinning for Windows Update client for detecting updates, in the Software Updates section of the Client Settings, is set to Yes (the default value);
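As an added example (not part of the original article nor of Microsoft's own tooling), the following PowerShell script, run elevated on a client, stages the WSUS server certificate into the WindowsServerUpdateServices store and then checks the two client-side conditions from the list above: that the configured WSUS location is an HTTPS URL and that the store holds a certificate with the expected thumbprint. The certificate file path and the expected thumbprint are placeholders you replace with your own values; the Enforce TLS certificate pinning client setting is not readable here and still has to be confirmed in the console.

```powershell
# Added example: stage the WSUS certificate for Windows Update client pinning
# and verify the client-side prerequisites. $CertPath and $ExpectedThumbprint
# are placeholders for your own exported WSUS server certificate and its thumbprint.
param(
    [string]$CertPath = 'C:\Temp\wsus-server.cer',               # placeholder (public cert only)
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-YOUR-WSUS-CERT>'  # placeholder
)

$storeName = 'WindowsServerUpdateServices'
$expected  = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

# 1. Load the certificate file and refuse to import anything but the expected one,
#    so a wrong or swapped file cannot end up in the pinning store.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
if ($cert.Thumbprint -ne $expected) {
    throw "Certificate in $CertPath has thumbprint $($cert.Thumbprint); expected $expected. Not importing."
}

# 2. Import into LocalMachine\WindowsServerUpdateServices. Opening the store
#    ReadWrite creates it if it does not exist yet on this client.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
$store.Open('ReadWrite')
if (-not ($store.Certificates | Where-Object Thumbprint -eq $expected)) {
    $store.Add($cert)
    Write-Host "Imported '$($cert.Subject)' into LocalMachine\$storeName"
}
$store.Close()

# 3. Verify the client points at an HTTPS software update point. The ConfigMgr
#    client writes the WSUS location as local policy under this key.
$wuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).WUServer
$pinned   = Get-ChildItem "Cert:\LocalMachine\$storeName" -ErrorAction SilentlyContinue |
            Where-Object Thumbprint -eq $expected

$checks = [ordered]@{
    "WUServer is HTTPS ($wuServer)" = [bool]($wuServer -and $wuServer -match '^https://')
    'Pinned certificate present'    = [bool]$pinned
    'Pinned certificate not expired' = ($cert.NotAfter -gt (Get-Date))
}

$failed = 0
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'PASS' } else { $failed++; 'FAIL' }
    Write-Host ("[{0}] {1}" -f $status, $name)
}
exit $failed   # non-zero when any prerequisite is not met
```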
Improvements in Community hub
In this release, some improvements have been introduced in the Community Hub, including the ability to download Power BI templates, configuration items and configuration baselines.
It is also possible to view the most commonly used shared CMPivot queries in the list of those available on-premises.
Improvements in the Configuration Manager console
In this release too, some improvements have been introduced in the Configuration Manager console; one of them is support for a new style of console extension, which offers the following advantages:
- Centralized extension management, instead of having to manually place binary files on individual consoles;
- Greater control by IT Admins over the extensions that are loaded and used;
- Possibility to configure the use of the new style only;
- Clear separation of extensions by provider;
For more information on this new style, please refer to the following link.
Another console-related improvement is the ability to mark a report as a favorite so that it is easily reachable on later visits.
Improvements to Support Center
This Support Center update splits the tool into two parts:
- Support Center Client Data Collector: collects data from a device to view in the Support Center Viewer. This separate tool encompasses the existing Support Center action to Collect selected data.
- Support Center Client Tools: the other Support Center troubleshooting functionality, except for Collect selected data.