What’s new in version 2207 of Microsoft Endpoint Configuration Manager

Last month, Microsoft Endpoint Configuration Manager version 2207 was released; in this new release, Microsoft has introduced a series of innovations aimed at optimizing and improving the current features present in the product.

The goal of this article is to provide an overview of the main innovations introduced in this latest release, so that you can better manage your Configuration Manager infrastructure.

The update is available directly in the console on environments running version 2103 or later releases.

At the time of writing this article, the update appears to be available through the Early update ring channel; in order to add your infrastructure to this channel, you need to run the PowerShell script available at the following link.

One of the most interesting innovations introduced by this latest release (currently in preview) is the Distribution point content migration feature: through the PowerShell cmdlet Start-CMDistributionPointMigration it is possible to migrate content from one Distribution Point to another; for example, this functionality can be used to migrate content from a classic Cloud Management Gateway or from a Cloud Distribution Point (end of support 2024) to another Distribution Point.

The following sections cover the other main new features in the 2207 release.

Cloud-Attach

Segmentation of privileges for access to Configuration Manager administration services

With the introduction of the latest release, it is now possible to segment administrative privileges between a management point and the admin service; the introduction of this new cloud app allows the Cloud Management Gateway (CMG) to limit access to the Configuration Manager administration services, so administrators can apply granular permissions for user access to these services (possibly also requiring Multi-Factor Authentication).

Simplified app approval process

Version 2207 allows Configuration Manager infrastructure administrators to approve or deny an app distribution request simply by using a public URL included in the request email. This feature requires that the URL of the CMG be added to the Azure Active Directory app as a single-page application redirect URI.

Use of a CMG as the primary source for the Default Boundary Groups

Until version 2203 of Configuration Manager, it was not possible to designate a cloud management point for Default Boundary Groups. When a new site is installed, a Default Boundary Group is automatically created and all clients use it by default until they are assigned to a specific Boundary Group.

This latest version lets you specify, with the following PowerShell command, a CMG as the preferred management point for all clients that fall into the Default Boundary Group:

Set-CMDefaultBoundaryGroup -IncludeCloudBasedSources $true -PreferCloudBasedSources $true

Client Management

Timeout configuration for compliance script execution

It is now possible to define a timeout value (between 60 and 600 seconds) for the execution of compliance scripts; the Script Execution Timeout (seconds) option, available in the Client Settings, allows greater flexibility for Configuration Items whose scripts need to run longer than the default 60 seconds.

Software Updates

ADR organization in folders

Starting with release 2207, Automatic Deployment Rules can be grouped within folders in order to better categorize and organize them within your Configuration Manager infrastructure.

Figure 1 – ADR organization

Improved control over monthly maintenance windows

In this release, the product team has added the ability to define an offset so that maintenance windows line up with the release of updates; for example, setting an offset of 2 days after the second Tuesday of each month automatically places the maintenance window on the following Thursday.
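As an added example (not code from the original post), the Patch Tuesday offset described above expressed in PowerShell. It assumes the Configuration Manager console module is loaded in a site-drive session, that New-CMSchedule accepts an -OffsetDays parameter in 2207 as the text describes (assumed parameter name), and uses a placeholder collection ID.

```powershell
# Added example, not from the original post.
# Assumptions: ConfigMgr console PowerShell module loaded, session located in the
# site drive (e.g. PS1:\), New-CMSchedule supports -OffsetDays in 2207 (assumed
# parameter name), and "PS100042" is a placeholder collection ID.

# Monthly schedule: second Tuesday (Patch Tuesday), shifted by 2 days -> Thursday,
# starting at 22:00 and lasting 4 hours.
$schedule = New-CMSchedule -Start (Get-Date '2022-09-01 22:00') `
    -DayOfWeek Tuesday -WeekOrder Second -OffsetDays 2 -RecurCount 1 `
    -DurationInterval Hours -DurationCount 4

# Restrict the window to software updates so task sequences cannot run in it.
New-CMMaintenanceWindow -CollectionId 'PS100042' `
    -Name 'Patch Tuesday +2 days (software updates only)' `
    -Schedule $schedule -ApplyTo SoftwareUpdatesOnly

# Local sanity check (no site connection needed): on which date will the window
# open for a given month?  Computes the second Tuesday and applies the offset.
function Get-OffsetMaintenanceDate {
    param([int]$Year, [int]$Month, [int]$OffsetDays = 2)
    $first = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first Tuesday of the month (0 if the 1st is a Tuesday).
    $daysUntilTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $secondTuesday = $first.AddDays($daysUntilTuesday + 7)
    return $secondTuesday.AddDays($OffsetDays)
}

# August 2022: Patch Tuesday was 9 August, so the window opens Thursday 11 August.
Get-OffsetMaintenanceDate -Year 2022 -Month 8
```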

Endpoint Protection

Improved onboarding of Windows Server 2012 R2/2016 systems on Microsoft Defender for Endpoint

Through the Client Settings, Windows Server 2012 R2 and Windows Server 2016 systems can now be onboarded to Microsoft Defender for Endpoint using the modern MDE agent instead of the Microsoft Monitoring Agent.

Figure 2 – MDE onboarding

Improvements in the Application Guard section

In this latest release, Microsoft has introduced some new features related to the Application Guard section, such as:

  • The section has been renamed to Microsoft Defender Application Guard.
  • Within the General section of Microsoft Defender Application Guard, you can create policies that protect systems by leveraging Microsoft Edge and isolated environments.
  • The Application Behavior section allows you to enable or disable the camera and microphone, and to define the certificate thumbprints to match with the isolated environment.
  • Removal of the following settings:
    • Enterprise sites can load non-enterprise content, such as third-party plug-ins (Host interaction section).
    • File trust criteria policy (File Management section).

More details on the Microsoft Defender Application Guard feature are available at the following link.

Console

Improvements in the Configuration Manager console

In release 2207, Microsoft has tried to further improve the user experience of the product by introducing some improvements to the console; the most important updates are:

  • When you perform a search on any node in the console, the subfolders are now automatically included in the search (the Path criterion is displayed in the search bar).
  • Dark mode has also been extended to buttons, context menus and links (dark mode is currently in pre-release, so it must be enabled from the Administration section).

Figure 3 – Path criteria

Conclusions

Microsoft Endpoint Configuration Manager version 2207 introduces a number of useful features and settings that help IT admins manage their infrastructure more easily.
