Wednesday, October 12, 2016

New ConfigMgr Current Branch features from 1511 till now! (part 1)

Since December 8, 2015 ConfigMgr Current Branch is Generally Available. This based on version 1511, which stands for November 2015 (MMYY). Since this release (and even before that too), there are monthly features added in Technical Preview, which are merged in public release (1602, 1606). Let's have a look at new features so far. When available this blogpost will be updated with new releases.

Really love the speed on new (Windows and ConfigMgr) builds and update experience. Remember: When you want to go fast with Windows, you need to go fast with ConfigMgr too! :-)

Microsoft did an amazing job on new ConfigMgr features for both standalone and hybrid environments. Let's have a look at new features (in production) so far:

Cloud Proxy Service:
The Cloud Proxy Service provides a simple way to manage ConfigMgr clients on the Internet. The service, which is deployed to Microsoft Azure and requires an Azure subscription, connects to your on-premises ConfigMgr infrastructure using a new role called the cloud proxy connector point. You use the ConfigMgr console to deploy the service and configure the supported roles to allow cloud proxy traffic. Cloud Proxy Service currently only supports the management point, distribution point, and software update point roles.
Device Categories:
You can create device categories, which can be used to automatically place devices in device collections when used in hybrid environments. Users are then required to choose a device category when they enroll a device in Intune.
Device Guard: ConfigMgr as a managed installer with manual client configuration:
Administrators can use the new Managed Installer AppLocker rules to configure clients so that ConfigMgr-deployed software is automatically trusted, but software from other sources is not. You cannot currently configure this functionality from the ConfigMgr console. Use the instructions at this blog post to manually configure client computers to use this functionality.
End users on a Windows 10 desktop managed by on-premises MDM can install an app from the Intune Company Portal:
You can deploy an app as Available Install to a user collection and the users on a Windows 10 PC managed by on-premises MDM can use the Intune Company Portal to browse, download, and install this app.
Enforcement grace period for application and software update deployments:
Give users a grace period to install required application or software updates beyond any deadlines you configured after their computers are offline for an extended period of time.
Multiple device management points available for enrolled Windows 10 Anniversary Edition devices:
On-premises Mobile Device Management (MDM) supports a new capability in Windows 10 Anniversary Edition (Redstone 1) that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fallback to another device management point when the one it was using is not available.
You can deploy offline-licensed applications to a Windows 10 desktop PC managed by on-premises MDM:
You can deploy an app with an offline license from the Windows Store for Business to a Windows 10 PC managed by on-premises MDM.

Auto-Connect App List in Windows 10 VPN Profiles:
Admins can specify desktop and universal applications in Windows 10 VPN profiles that automatically establish a connection with the VPN when launched on the client. Admins can decide whether or not to limit VPN traffic to the apps in the list.
End users on a Windows 10 desktop managed by on-premises MDM can install an app from the Intune Company Portal:
You can deploy an app as Available Install to a user collection and the users on a Windows 10 PC managed by on-premises MDM can use the Intune Company Portal to browse, download, and install this app.
Improvements to the Install Software Updates task sequence step:
This release includes improvements to smsts.log to help you troubleshoot, and a new task sequence variable, SMSTSSoftwareUpdateScanTimeout, to control the timeout on the software updates scan during the Install Software Updates task sequence step.
New tabs for Updates and Operating Systems in Software Center:
Software Updates and Operating Systems now have their own respective tabs in Software Center, rather than being accessible via the categories dropdown in the Applications tab.
On-premises Health Attestation Service integration:
Collect Health Attestation information via on-premises Health Attestation Service with a few critical bug fixes from 1604 Technical Preview.
Pre-Declare Corporate Owned Devices:
You can now identify corporate-owned devices by importing their international station mobile equipment identity (IMEI) numbers. You can upload a comma-separated values (.csv) file containing device IMEI numbers or you can manually enter device information. You can also import serial numbers for iOS devices. Imported information will set ownership of the devices that enroll as “Corporate”. An Intune license is still required for each user that accesses the service. View a video walkthrough of the Pre-declare Corporate Owned Devices feature.
Remote Device Actions Experience Update:
The admin experience for wiping, resetting the passcode, remote locking, and bypassing iOS Activation Lock on mobile devices has been adjusted. The states of these actions are now part of the devices' details and properties.
Remote Full Wipe for Windows 10 desktop devices:
Support for remotely wiping and resetting Windows 10 desktop devices to factory settings.
Server groups:
Control settings for software updates in server groups, including the order and percentage of devices that can be updated at any one time. These capabilities introduce some enhancements over our pre-release "Servicing a cluster aware collection" feature, including the ability to control the order and better monitoring.
Windows 10 Enterprise Data Protection policies:
Enterprise data protection (EDP) policy settings - with this technical preview, you can create and deploy EDP policies for Windows devices running Windows 10 Insider Preview and Windows 10 Mobile Preview builds, including specifying apps, defining network boundaries, choosing the restriction modes and other EDP settings.
Windows Defender Advanced Threat Protection:
Manage Windows Defender Advanced Threat Protection policies for onboarding and offboarding Windows 10 clients to the cloud service, and view agent health in the monitoring dashboard. (Requires a Windows Defender ATP tenant in Azure.)
Windows Store for Business Integration:
ConfigMgr can manage and deploy applications purchased through the Windows Store for Business portal for both online and offline licensed apps. The 1605 Technical Preview adds the ability to create both online and offline apps with the ability to deploy offline apps to Intune and ConfigrMgr managed devices. View video walkthroughs of how to set up and deploy Windows Store for Business apps.

Client cache size:
We added a new item to Client Settings called "Client Cache Settings". Use this to configure the client cache size as a percentage of overall disk space and megabytes.
Client Peer Cache:
A built-in ConfigMgr solution for clients to share content with other clients, directly from their local Cache with monitoring and troubleshooting capabilities.
Passport for Work:
Administrators can now deploy Passport for Work policies to domain-joined Windows 10 devices managed by the ConfigMgr client.
Policy Setting to Disable Smart Lock and other Trust Agents:
Hybrid administrators can now deploy a policy in the ConfigMgr console that disables Smart Lock and other trust agents from being used to circumvent passcode policy on devices running Android 5.0 or higher.
Software Updates Compliance Dashboard:
The Software Updates Dashboard continues our commitment to helping you keep your devices up to date with the latest security updates and Windows features. The dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.
Switch Software Update Point:
Administrators will be able to switch Software Update Points for clients when there are multiple SUPs available on a primary site. Administrators should use this option when clients are failing SUM scenarios due to SUP/WSUS issues on their assigned SUP. When administrators switch SUPs for a collection of clients, the selected clients will look for another SUP at the next scan interval. To try out this change go to the Asset and Compliance tab -> Device Collections -> and in the context menu of a device collection click on "Switch to Next Software Update Point".
VPN for Windows 10:
You can use 3rd party VPN providers for computers with the ConfigMgr client. These include Pulse Secure, F5 Edge, Dell SonicWall and Checkpoint.

List View for Applications in Software Center:
In the Software Center Applications tab, users now have the option to switch between the default tile view and a new list view by clicking on the view selection icons underneath the search bar.
Install Selected Updates in Software Center:
In the new Updates tab in Software Center, click on the select mode button at the top left of the list of updates. In select mode, multiple updates may be selected and then simultaneously installed using the Install Selected button.
Content Status links in the Admin Console:
The Content Status links for objects like applications, packages, task sequences or software updates, now go directly to the related Content Status object node.
PXE Provider TFTP Window Size:
The administrator can now configure the TFTP window size (RamDiskTFTPWindowSize) via a registry setting on the PXE-enabled distribution point.
Limit access to the Clipboard in Remote Control Sessions:
You can now enable the remote tools client setting "Prompt user for shared clipboard file transfer permission" to limit access to the shared clipboard in a remote control session. When enabled, the end-user who is sharing a remote session must grant permissions to the viewer of that session before they can transfer files from the shared clipboard.

Support for in-place upgrade of ConfigMgr Site Server's operating system:
In-place upgrade of the ConfigMgr's Site Server's operating system from Windows Server 2008 R2 to Windows Server 2012 R2 is now supported.
Sync Policy button in Software Center:
The new Sync Policy button helps you keep machine and user policies in sync. The button is available through the Software Center options tab, under Computer Maintenance.
Automatic creation of Microsoft Office mobile apps for iOS and Android:
Microsoft Office mobile apps for iOS and Android are pre-created for users using ConfigMgr integrated with Microsoft Intune.
iOS Activation Lock management:
iOS Activation Lock management capabilities include: enabling, querying for the status, retrieving bypass codes, and performing an Activation Lock bypass on corporate-owned iOS devices.

Windows 10 Team configuration settings:
New configuration settings added and supported for Windows 10 Team when using either Intune managed (hybrid) devices, or ConfigMgr full client devices.
Windows 10 Microsoft Edge configuration settings:
Specify Windows 10 Edge settings and assign them to users or devices in their organization.
Windows 10 Conditional Access new compliance checks:
Set 3 new compliance checks: require a password to unlock an idle device, time until the device is locked, and require automatic updates with minimum classification. These policy rules are evaluated as part of overall device compliance.
Windows 10 Conditional Access with Health Attestation service:
For Intune managed devices, Windows 10 Health Attestation data can be used as part of device compliance when used with Conditional Access.
Device Compliance report:
Device Compliance report provides you the number and percentage of devices and their compliance state for each compliance policy.
Windows 10 Health Attestation service reports:
Users can view reports on Windows 10 Health Attestation data collected by Intune. Windows 10 device Health Attestation helps evaluate the vulnerability of Windows 10 desktop and mobile devices.
Kiosk mode for Samsung KNOX devices:
ConfigMgr kiosk mode allows you to lock a managed mobile device only to allow certain features. For example, you can allow a device only to run a specific managed app, or you can disable the device's volume buttons.
Client Online Status:
View the online status of devices in Assets and Compliance. New icons indicate the status of a device as online or offline.
Conditional Access for ConfigMgr Managed PCs:
To help secure Office 365 access and other services on PCs enrolled with ConfigMgr, use Conditional Access. Conditions that can be used to control access include: Workplace Join, BitLocker, Antimalware, and Software Updates.
On-Premises Exchange Default Rule Override:
Set a default on-premises Exchange rule to block mobile devices from accessing email. You can allow Intune-enrolled and compliant mobile devices to access mail. You can also choose to override the default Exchange rule to allow Intune-enrolled and compliant devices to access email, even when the default rule is set to Block or Quarantine.
iOS App Configuration:
Create and deploy iOS app configuration policies to dynamically change settings such as server name or port for iOS applications that support configuration.
Apple Volume Purchase Program:
ConfigMgr can manage and deploy applications purchased through the Apple Volume Purchase Program for Business portal.

New antimalware policy settings:
Added settings for protection against Potentially Unwanted Applications, user control of automatic sample submission, and scanning of network drives during a full scan.
Device Health Attestation:
Users are able to view the status of Windows 10 Device Health Attestation in the ConfigMgr console, to ensure that client computers have trustworthy BIOS, TPM, and boot software.
User acceptance of Terms and Conditions:
Users who use ConfigMgr integrated with Intune (hybrid) can view which users have accepted the Terms and Conditions configured by IT and which users have not, right from the ConfigMgr console.

Will be continued in a next blogpost!

No comments:

Post a Comment