Microsoft Endpoint Configuration Manager version 2107 was released this week; in this new release, Microsoft has introduced a series of very useful new features, both on the infrastructure side (e.g. interaction with external sources) and in securing the product itself.
The goal of this article is to give an overview of the main new features introduced in this latest release so that you can better manage your Configuration Manager infrastructure.
The update is available directly in the console on environments running version 2002 or later releases.
At the time of writing this article, the update appears to be available through the Early update ring channel; in order to add your infrastructure to this channel, you need to run the PowerShell script available at the following link.
CMG conversion in Virtual Machine scale set mode
Since version 2010, it has been possible to create a new Cloud Management Gateway in Virtual Machine scale set mode, which also makes it possible to deploy this solution on CSP subscriptions.
Starting from this release, a CMG created in classic mode can be converted to the new mode, which is also the mode recommended by Microsoft.
CMG VM size selection
During the deployment of a new CMG, it is now possible to select the following sizes dedicated to the new Virtual Machine that will be created:
- Lab (B2s);
- Standard (A2_v2) – default size;
- Large (A4_v2);
In this way, you will have the ability to create VMs based on your needs, thus also reducing any costs related to the solution.
Naming review for the Co-Management service
To better express the cloud services provided through Configuration Manager, the naming relating to the Co-Management node has been changed: the various settings/wizards have been renamed with the suffix Cloud Attach.
Windows diagnostic data processor configuration support
The new Windows diagnostic data processor configuration is now supported on Desktop Analytics: through Windows diagnostic data processor configuration, companies are able to better manage the diagnostic data collected by Microsoft.
Support for Windows Server 2022 and Windows 11
Starting with release 2107, support for Windows Server 2022 was introduced as a platform for installing the Site System role; in addition, it is possible to install the Windows ADK for Windows 11/Windows Server 2022.
In this release, Configuration Manager requires the installation of the .NET Framework version 4.6.2 as a requirement for some components; for this reason, before proceeding with the upgrade process, it is necessary to update the version of this component and proceed with the required restart. Where possible, Microsoft recommends installing version 4.8.
Also starting with this release, the installation process checks for the Microsoft Visual C++ Redistributable 2015-2019 component and installs it automatically if it is missing. The presence of SQL Server 2012 will also be flagged by a specific warning, as support for this version ends on 12 July 2022.
If it is not possible to download version 2107, make sure that the Service Connection Point is able to correctly reach the endpoint configmgrbits.azureedge.net.
One of the most interesting innovations introduced in this latest release is certainly the ability to send notifications related to Configuration Manager to external systems/applications. This feature allows you to automate actions not natively available in Configuration Manager in response to a specific event (e.g. status message filter rules).
Various improvements have been introduced in the CMPivot functionality, such as:
- Added a new entity called RegistryKey which returns all registry keys that match the indicated expression;
- Added maxif and minif aggregators to be used during summarize operations;
- Improvements in the auto-completion of queries;
- Revised security permissions:
  - CMPivot no longer requires the read permission on the SMS Scripts object;
  - CMPivot no longer requires the default scope permission;
Custom properties for devices
As previously reported, in this latest release Microsoft has introduced interesting innovations related to the interaction between Configuration Manager and external sources. On this topic, a new feature introduced in this build is the possibility to set custom properties on devices that come from other data sources; these properties and their values are saved in a new class called Device Custom Properties in the Configuration Manager database and can then be used to create queries, collections and reports.
More details on this interesting feature are available at the following link.
Improvements in communication security
Configuration Manager uses self-signed certificates to encrypt communication between the client and the site system. Once the infrastructure and the agent have been updated to version 2107, this certificate will be stored in a non-exportable way in the TPM (Trusted Platform Module). Furthermore, if the Use encryption option is enabled, the client will use the AES-256 algorithm to encrypt the status messages and inventory data sent to the Management Point.
Also in this release, if Enhanced HTTP is used, both Software Center and Company Portal will use HTTPS communication to obtain the applications available to users from the Management Point.
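As an added example (not from the original article or from Microsoft), the following PowerShell snippet, run as administrator on a 2107 client, lists the client's self-signed certificates and reports which key provider holds their private key and whether that key is exportable. It assumes the client keeps these certificates in the LocalMachine\SMS store and that a TPM-backed key reports the "Microsoft Platform Crypto Provider" provider.

```powershell
# Added example: check that Configuration Manager client certificates are TPM-backed
# and non-exportable. Assumption: the client certificates live in Cert:\LocalMachine\SMS
# and TPM-held keys report the "Microsoft Platform Crypto Provider" CNG provider.
$storePath = 'Cert:\LocalMachine\SMS'

Get-ChildItem -Path $storePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_
    # GetRSAPrivateKey returns RSACng for keys held by a CNG/KSP provider (including the TPM)
    # and RSACryptoServiceProvider for legacy CAPI keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $provider = $null
    $exportPolicy = $null
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $provider     = $rsa.Key.Provider.Provider   # e.g. "Microsoft Platform Crypto Provider"
        $exportPolicy = $rsa.Key.ExportPolicy        # "None" means the key cannot be exported
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $provider     = $rsa.CspKeyContainerInfo.ProviderName
        $exportPolicy = if ($rsa.CspKeyContainerInfo.Exportable) { 'Exportable' } else { 'None' }
    }
    [pscustomobject]@{
        FriendlyName = $cert.FriendlyName
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        Provider     = $provider
        ExportPolicy = $exportPolicy
        TpmBacked    = ($provider -eq 'Microsoft Platform Crypto Provider')
    }
} | Format-Table -AutoSize
```

A client that has not yet been upgraded, or a machine without a usable TPM, will show a software provider instead of the Platform Crypto Provider; that is the case worth following up on.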
Hardware inventory for client log settings
It is now possible to activate the inventory of configurations related to the logs generated by the client such as, for example, level and size; this configuration is useful if you want to trace any changes that have occurred through the activation actions of verbose logging. This new inventory class isn’t enabled by default.
Support for macOS Big Sur
Starting from this release, it is possible to manage devices running the new Apple macOS Big Sur operating system through Configuration Manager.
Implicit uninstall of application
Another interesting new feature in Configuration Manager 2107 is the ability to implicitly uninstall an application, thus reducing the proliferation of collections.
When creating the installation deployment of a specific application, it is possible to enable the option Uninstall this application if the targeted object falls out of the collection, which starts the removal of the application when the device is removed from the collection.
This setting is only available for device-based deployments.
Audit Mode option for potentially unwanted applications (PUA)
With a view to increasing endpoint protection, Microsoft Defender allows you to block the execution of potentially unwanted applications that could compromise the operation of the operating system; to avoid generating false positives and thus blocking trusted applications, it is now possible, through an Antimalware policy, to enable this type of protection in Audit Mode.
Run software updates evaluation from deployment status
Among the improvements introduced in the console, it is worth mentioning the possibility of running a Software Update evaluation cycle directly from the Deployment Status panel in the Monitoring section.
List of third party catalogs
Within the Third-Party Software Update Catalogs section, you can select the More Catalogs option which will allow you to access the documentation containing the list of third-party catalogs that can be used on Configuration Manager.
Community hub improvements
In this release, new features have been introduced in the Community Hub including the ability to upload CMPivot queries directly from the relevant window but, above all, the ability to download extensions that can then be applied to all consoles present.
Improvements in the Configuration Manager console
In release 2107, Microsoft has tried to further improve the user experience of the product by introducing some improvements in the console; the most important updates are:
- Editing of scripts through the appropriate editor;
- Possibility to send any error directly from the error message received through the Report error to Microsoft link;
- Authorization of console extensions that are not digitally signed;
- Ability to access the collections that automatically populate other collections through the View Collection option;
- Added the Maintenance window column in the Devices section;
- Ability to perform recursive search also within the Boot Images, Operating System Upgrade Packages and Operating System Images sections.