What’s new in version 2103 of Microsoft Endpoint Configuration Manager

On April 6, Microsoft Endpoint Configuration Manager version 2103 was published. In this version, Microsoft has tried to optimize the Windows 10 upgrade and distribution procedures and make them more “user friendly”; the goal of this article is to give an overall overview of the main innovations introduced in the 2103 release, so that you have the references needed to better manage your infrastructure.

At the time of writing this article, the update appears to be available through the Early update ring channel; in order to add your infrastructure to this channel, you need to run the PowerShell script available at the following link.

One of the main innovations introduced in this version is the ability to upgrade your Windows 10 systems by directly calling the Feature Update during the Task Sequence execution. With the introduction of this new feature, the update process will be much less onerous in terms of size, as it will no longer be necessary to manage the entire Windows 10 WIM image (the file distributed in esd format is significantly smaller); a further advantage that this integration brings is the ability to fully exploit the optimization features natively present in the operating system (such as Dynamic Update and Delivery Optimization) together with the flexibility that the use of a Task Sequence brings.

Figure 1 – Upgrade OS with Feature Update during Task Sequence

Also starting from this release, HTTP communication has been categorized as deprecated; therefore, during the installation of this update, a warning will be displayed if this type of communication is still in use.
As reported by the official Microsoft documentation (see link), support for this type of communication will be removed starting with the first release available after November 2022.

Microsoft Endpoint Manager tenant attach

View all applications available through the Microsoft Endpoint Manager admin center portal

Once the device has been selected, in the Applications section on the admin center portal, it is now possible to view all the applications distributed on the device. The following applications are included:

  • Distributed to the device.
  • Distributed to the user connected to the device, to the primary user, and those previously installed for the user.

With the introduction of this feature, the deployment option An administrator must approve a request for this application on the device (set when configuring the deployment on the Configuration Manager side) no longer needs to be set.

Merge between exclusions defined on antivirus policies

From this version, if multiple configuration policies for the antivirus component are distributed, the Tenant Attach client merges the exclusions defined in each of them; this allows more granular management of antivirus exclusions.

Simplify user discovery in Hybrid mode

To allow the discovery of user objects in Hybrid mode, it is sufficient that they are correctly identified by one of these two types of discovery:

  • Azure Active Directory user discovery
  • Active Directory user discovery

Infrastructure

New prerequisite checks

During the 2103 update procedure, new warning checks may be displayed:

  • Enable the site for HTTPS-only or enhanced HTTP: as reported above, this warning is shown when neither the Enhanced HTTP functionality nor HTTPS communication has been enabled.
  • Deprecated Azure Monitor connector: if the Log Analytics for Azure Monitor connector is present, the upgrade procedure will be blocked and an error status will be reported.
  • SQL Server Express version: in the presence of a Secondary Site with a SQL Express edition, a warning will be reported if the version is lower than 2016 SP2.

Exclusion of specific OUs from Active Directory User Discovery

It is now possible to exclude certain OUs during the Active Directory User Discovery procedure.

Collection

Improvements when viewing relationship collections

The 2010 release introduced the possibility of viewing the dependencies between collections (collection relationships) through a dedicated view; starting from this version, some improvements have been made to this interface to allow faster visualization of the relationships between collections.
In detail, the “parent-child” relationships between collections can now be viewed within a single chart, on which it is also possible to drill down.

Improvements in query preview and collection evaluation view

Within the collection query preview feature, the following improvements have been introduced to make this feature more usable:

  • Limit the number of rows returned: the limit can be between 1 and 10,000 rows; the default value is 5,000 rows.
  • Omit duplicate rows from the result set: duplicate entries are automatically omitted from the result if the Omit duplicate rows option is selected.
  • Review statistics: it is now possible to view the total number of rows that would be returned for the entered query and the corresponding query execution time.

Figure 2 – Collection Query Preview

In addition, improvements have been made to the collection evaluation view: this feature, introduced starting with the 2010 release, allows IT admins to view and analyze issues related to the collection evaluation process. For more details on this process, you can refer to the following link.

Software Center

Improvements in User Experience

Starting from 2103, it is possible to change the font color used in Software Center (white) for better accessibility and to make the interface more usable; furthermore, again with a view to greater usability and increased security, all web apps and links made available through Software Center are now opened automatically with Microsoft Edge.

Application

Disable application deployments

As is already possible for other types of deployments (e.g. software update deployments, task sequences, etc.), it is now possible to disable deployments related to applications.
When the device refreshes its machine policy, the Configuration Manager infrastructure immediately notifies the client that the object has been disabled.

OS Deployment

Changes to the Windows 10 Servicing dashboard

In this release, the Windows 10 Servicing dashboard has been revised to make it more relevant; the charts shown are the following:

  • Quality Update Versions: displays the top 5 quality update versions present on your Windows 10 devices;
  • Latest Feature Update: displays the number of devices that appear to have installed the latest available build;
  • Feature Update Versions: displays the distribution of the main Windows 10 releases;

Notifications during the Check Readiness

When the Check Readiness step (a validation check on the system status) is enabled within the Task Sequence, if the system does not meet the minimum requirements set, the user is notified (through a specific pop-up) of the causes of the system's non-compliance.
This improvement dramatically simplifies the identification of issues during operating system deployment or upgrade workflows.

Figure 3 – Check Readiness Failure

Improvements in the OS Deployment procedure

Within this release, some improvements dedicated to the OS Deployment procedure have been introduced:

  • Task sequence conditions now include a not like operator;
  • The Check Readiness step verifies the free space on disks without partitions;
  • The following PowerShell cmdlets now have an Index parameter:
    • New-CMOperatingSystemImage
    • New-CMOperatingSystemInstaller
  • The following new cmdlets are available to get the list of existing hardware IDs in the site database:
    • Get-CMDuplicateHardwareIdGuid
    • Get-CMDuplicateHardwareIdMacAddress
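The cmdlet changes listed above, as an added example (not code from the article or from Microsoft): the script loads the Configuration Manager console module, connects to the site drive, registers a single index of a WIM file through the new Index parameter, and enumerates the duplicate hardware IDs recorded in the site database. The site code, the UNC path, the image name and the index number are placeholders to be replaced with your own values.

```powershell
# Added example, not from the article. Site code, UNC path, image name and
# WIM index are placeholders for your own environment.
$SiteCode = "PS1"   # placeholder site code

# The console installs the module next to the admin UI binaries
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# Register only index 3 of the WIM (e.g. the Enterprise edition) using the new -Index parameter;
# before 2103 every index in the file had to be imported
$image = New-CMOperatingSystemImage -Name "Windows 10 Enterprise (index 3)" `
    -Path "\\fileserver\Sources\OS\Win10\install.wim" `
    -Index 3
"Created OS image object: $($image.Name)"

# Duplicate SMBIOS GUIDs and MAC addresses cause clients to be confused with each other
# during PXE boot and client registration; list them so they can be cleaned up
$dupGuids = Get-CMDuplicateHardwareIdGuid
$dupMacs  = Get-CMDuplicateHardwareIdMacAddress

"Duplicate SMBIOS GUIDs recorded: $(@($dupGuids).Count)"
$dupGuids | Format-Table -AutoSize
"Duplicate MAC addresses recorded: $(@($dupMacs).Count)"
$dupMacs  | Format-Table -AutoSize
```

Run the script from a 64-bit PowerShell session on a machine with the console installed and an account that has the Operating System Deployment Manager and Read permissions on the site; the two Get-CMDuplicate* cmdlets only list the entries, and any cleanup of the duplicate list is still done from the console.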

Protection

Improvements to BitLocker management

A great feature introduced by the 2010 version was the ability to escrow (save) the recovery key through the Cloud Management Gateway (CMG); with this feature, systems connected directly to the internet are able to save their recovery key without needing to be connected to the company network.

Starting with this release, the following features are supported:

  • Recovery key saving also for removable disks via CMG;
  • TPM password hash, otherwise known as TPM owner authorization;
  • Enhanced HTTP support;
  • Recovery service on management point that uses replica databases;

Software Update

Use of approved scripts on Orchestration Group

During the creation of a new Orchestration Group, a new section called Script Picker has been made available, in which it is possible to select, from the list of already approved scripts, those to be used as pre and post scripts during the update procedure.

Change default maximum run time

In this release, Configuration Manager sets the following values for the maximum update run time:

  • Feature updates for Windows: 120 min
  • Non-feature updates for Windows: 60 min
  • Updates for Microsoft 365 Apps (Office 365 updates): 60 min

Increased security in HTTPS scans

The security of HTTPS scans against WSUS has been further increased by applying certificate pinning; to enable this configuration, it is necessary to:

  • Verify that all Software Update Points are configured to use TLS/SSL;
  • Add your WSUS certificate to the WindowsServerUpdateServices store on your clients;
  • Check that the Enforce TLS certificate pinning for Windows Update client for detecting updates option, in the Software Updates section of the Client Settings, is set to Yes (the default value);
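The second step above, as an added example (not code from the article or from Microsoft): the script places the WSUS server certificate in the LocalMachine\WindowsServerUpdateServices store, creating the store if it does not exist yet, and then verifies that the expected thumbprint is present. The certificate file path is a placeholder; the store name is the one named in the article.

```powershell
# Added example, not from the article. $CertPath is a placeholder for the exported
# WSUS server certificate (.cer) distributed to the client.
$CertPath = "C:\Temp\wsus-server.cer"

function Add-WsusPinnedCertificate {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Opening the store ReadWrite creates it when it does not exist yet
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        "WindowsServerUpdateServices", "LocalMachine")
    $store.Open("ReadWrite")
    try {
        $already = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $already) {
            $store.Add($cert)
        }
    } finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

function Test-WsusPinnedCertificate {
    param([string]$ExpectedThumbprint)
    # With pinning enforced, a scan only succeeds if the server certificate
    # is found in this store, so check the thumbprint rather than just the store
    $found = Get-ChildItem Cert:\LocalMachine\WindowsServerUpdateServices -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    return [bool]$found
}

$thumbprint = Add-WsusPinnedCertificate -Path $CertPath
if (Test-WsusPinnedCertificate -ExpectedThumbprint $thumbprint) {
    "WSUS certificate $thumbprint is pinned in LocalMachine\WindowsServerUpdateServices"
} else {
    Write-Error "Certificate $thumbprint was not found in the WindowsServerUpdateServices store"
}
```

Run it elevated, since the LocalMachine store is being modified. The script only pins the certificate; the first and third steps (TLS/SSL on every Software Update Point and the Enforce TLS certificate pinning client setting) are still configured from the console, and with pinning enforced a client whose store lacks the current WSUS certificate will fail its scan, so renewals of the WSUS certificate must be pushed to clients before the old one expires.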

Console

Improvements in Community hub

In this release, some improvements have been introduced in the Community Hub, including the ability to download Power BI templates, configuration items and configuration baselines.
It is also possible to view the most commonly used shared CMPivot queries within the list of those available on-premises.

Improvements in the Configuration Manager console

Also in this release, some improvements have been introduced in the Configuration Manager console; one of them is support for a new style of console extension, which offers the following advantages:

  • Centralized extension management instead of the need to manually place binary files on individual consoles;
  • Greater control by IT Admins over the extensions that are loaded and used;
  • Possibility to configure the use of the new style only;
  • Clear separation of extensions by provider;

For more information on this new style, please refer to the following link.

Another console-related improvement is the ability to mark a report as a favorite, so that it is easily accessible in subsequent sessions.

Support Center

Improvements to Support Center

This Support Center update splits the tool into two parts:

  • Support Center Client Data Collector: collects data from a device to view in the Support Center Viewer. This separate tool encompasses the existing Support Center action to Collect selected data.
  • Support Center Client Tools: the other Support Center troubleshooting functionality, except for Collect selected data.
