Last month, Microsoft Endpoint Configuration Manager version 2207 was released; in this new release, Microsoft has introduced a series of innovations aimed at optimizing and improving the current features present in the product.
The goal of this article is to give an overview of the main innovations introduced in this latest release so that you can better manage your Configuration Manager infrastructure.
The update is available directly in the console on environments running version 2103 or later releases.
At the time of writing this article, the update appears to be available through the Early update ring channel; in order to add your infrastructure to this channel, you need to run the PowerShell script available at the following link.
One of the most interesting innovations introduced by this latest release (currently in preview) is the Distribution point content migration feature: through the PowerShell Start-CMDistributionPointMigration cmdlet it is possible to migrate content from one Distribution Point to another. For example, this functionality can be used to migrate content from a classic Cloud Management Gateway or from a Cloud Distribution Point (end of support 2024) to another Distribution Point.
In the next chapters we will report the other main new features in the 2207 release.
Cloud-Attach
Segmentation of privileges for access to Configuration Manager administration services
With the introduction of the latest release, it is now possible to segment administrative privileges between a management point and the admin service. The introduction of this new cloud app allows the Cloud Management Gateway (CMG) to limit access to the Configuration Manager administration services, so that administrators can apply granular permissions for user access to these services (possibly also requiring Multi-Factor Authentication).
Simplified app approval process
Version 2207 allows Configuration Manager infrastructure administrators to approve or deny an app distribution request simply by using a public URL present in the request email. This feature requires that the URL of the CMG be added in the Azure Active Directory app as a single page application redirect URI.
Use of a CMG as the primary source for the Default Boundary Groups
Until version 2203 of Configuration Manager, it was not possible to designate a cloud management point for Default Boundary Groups. When a new site is installed, a Default Boundary Group is automatically created and all clients use it by default until they are assigned to a specific Boundary Group.
This latest version allows you, through the following PowerShell syntax, to specify a CMG as the preferred management point for all clients that are assigned to the Default Boundary Group:
Set-CMDefaultBoundaryGroup -IncludeCloudBasedSources $true -PreferCloudBasedSources $true
Client Management
Timeout configuration for compliance script execution
It is now possible to define a timeout value (between 60 and 600 seconds) for the execution of compliance scripts; the Script Execution Timeout (seconds) option, available in the Client Settings, allows for greater flexibility on the Configuration Items in case you need to run scripts that exceed the default time of 60 seconds.
Software Updates
ADR organization in folders
Starting with release 2207, the ability to group Automatic Deployment Rules within folders has been introduced in order to better categorize and organize them within your Configuration Manager infrastructure.
Improved control over monthly maintenance windows
In this release, the product team has included the ability to define an offset to align deployments with the release of updates; for example, setting an offset of 2 days after the second Tuesday of each month will automatically define the maintenance window on the following Thursday.
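The offset rule described above can be checked before it is applied. The following helper is an added example and is not part of the original article or of Configuration Manager itself: it computes, for a given month, the second Tuesday (the usual update release day) plus an offset in days, and the offset needed to land on a chosen weekday.

```python
from datetime import date, timedelta
import calendar

# date.weekday(): Monday == 0 ... Sunday == 6
TUESDAY = 1
THURSDAY = 3


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Return the n-th occurrence of `weekday` in the given month.

    Raises ValueError when the month has fewer than n such weekdays.
    """
    first = date(year, month, 1)
    days_to_first = (weekday - first.weekday()) % 7
    day = 1 + days_to_first + 7 * (n - 1)
    if day > calendar.monthrange(year, month)[1]:
        raise ValueError(f"no occurrence #{n} of weekday {weekday} in {year}-{month:02d}")
    return date(year, month, day)


def maintenance_window_start(year: int, month: int, offset_days: int,
                             release_weekday: int = TUESDAY,
                             release_occurrence: int = 2) -> date:
    """Release day (second Tuesday by default) shifted by the configured offset."""
    if offset_days < 0:
        raise ValueError("offset must be zero or positive")
    release = nth_weekday(year, month, release_weekday, release_occurrence)
    return release + timedelta(days=offset_days)


def offset_for_weekday(target_weekday: int, release_weekday: int = TUESDAY) -> int:
    """Smallest offset in days that moves the release day onto `target_weekday`."""
    return (target_weekday - release_weekday) % 7


def year_schedule(year: int, offset_days: int) -> list[date]:
    """Maintenance window start dates for all twelve months of `year`."""
    return [maintenance_window_start(year, m, offset_days) for m in range(1, 13)]


if __name__ == "__main__":
    # Example from the article: 2 days after the second Tuesday lands on a Thursday.
    for d in year_schedule(2022, offset_for_weekday(THURSDAY)):
        print(d.isoformat(), calendar.day_name[d.weekday()])
```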
Endpoint Protection
Improved onboarding of Windows Server 2012 R2/2016 systems on Microsoft Defender for Endpoint
Through the Client Settings, for Windows Server 2012 R2 and Windows Server 2016 systems, it is possible to onboard systems to Microsoft Defender for Endpoint using the modern MDE agent instead of the Microsoft Monitoring Agent.
Improvements in the Application Guard section
In this latest release, Microsoft has introduced some new features related to the Application Guard section, such as:
- Section renamed to Microsoft Defender Application Guard.
- Within the General section of Microsoft Defender Application Guard, you can create policies in order to protect systems by leveraging Microsoft Edge and isolated environments.
- The Application Behavior section allows you to enable or disable the camera and microphone, and to specify the certificate thumbprints to be matched and shared with the isolated environment.
- Removal of the following settings:
  - Enterprise sites can load non-enterprise content, such as third-party plug-ins (Host interaction section).
  - File trust criteria policy (File Management section).
More details on the Microsoft Defender Application Guard feature are available at the following link.
Console
Improvements in the Configuration Manager console
In release 2207, Microsoft has tried to further improve the user experience of the product by introducing some improvements to the console; the most important updates are:
- When you perform a search on any node in the console, the subfolders will also be automatically included in the search process (the Path criterion will be displayed in the search bar).
- Dark mode has also been extended to buttons, contextual menus and links (dark mode is currently in pre-release, therefore it is necessary to activate it from the Administration section).
Conclusions
Microsoft Endpoint Configuration Manager version 2207 introduces a number of exciting features and settings to support IT admins in easier infrastructure management.