News

Microsoft Releases Next SCCM Technical Preview Update

• By Kurt Mackie
• June 24, 2016

Microsoft recently released technical preview 1606 of its System Center Configuration Manager (SCCM) product.

The technical preview is just for testing purposes as it doesn't have full production environment management capabilities. While Microsoft commercially released the SCCM product last year, it now gets regularly updated via a service model that's analogous to Windows 10 servicing. For instance, SCCM gets monthly updates, along with major product updates arriving approximately every four months.

Also, like Windows 10 servicing, Microsoft now regularly issues test releases of SCCM. Microsoft calls them "technical preview" updates to SCCM, which let IT pros try out the new capabilities before product rollout. The last such release was technical preview update 1605 for SCCM, which appeared in May.

Getting the Tech Previews
Getting a technical preview is done from within the SCCM product itself. It seems that IT pros must have a lab version of SCCM set up to use these previews. Here's how Yvette OMeally of Microsoft's team explained it, per Microsoft's announcement of technical preview 1606:

TP1606 is available as an in-console update only. So to get it you must first have a baseline version of the technical preview installed. If you don't already a version of the technical preview installed then technical preview 5 is a baseline version that you can use to install a new site from scratch.

The SCCM previews will automatically arrive once a baseline is set up in the test environment. However, some people already have reported failures in trying to use update 1606. OMeally said Microsoft is working on fixing it.

New Managed Installer Capability
SCCM technical preview 1606 is notable for introducing a so-called "managed installer" security capability. It's an emerging whitelisting approach for applications that currently can be tested with AppLocker at the prototype stage. AppLocker is Microsoft's security solution that lets organizations set rules for running applications and executable files.

Dune Desormeaux, a SCCM program manager at Microsoft, explained in a blog post this week that this managed installer approach will simplify the application white-listing process, which can be unwieldy for organizations maintaining large software catalogs. Here's how the managed installer approach helps out, according to Desormeaux:

Any applications or other software (executables and .dll's) that are installed by that specified installation authority will be automatically trusted by AppLocker and allowed to run without needing to create any other rules. Applications and software that are installed using any other mechanism will not pass the Managed Installer rule and will only run if explicitly allowed by another AppLocker rule. This will drastically reduce the overhead required to maintain whitelisting policy when deploying applications and software to systems protected by Windows AppLocker.

This capability is just designed to work with the Windows 10 Enterprise edition anniversary update, according to Desormeaux. Microsoft is expected to release the Windows 10 anniversary update sometime this summer, but it's currently available as a preview for Windows Insider testers. The managed installer AppLocker capability can be tested with Windows 10 Enterprise "build 14367 or later" using the SCCM technical preview 1606 release.

This managed installer approach will be extended beyond AppLocker. It'll work with Windows 10's Device Guard, too, according to Desormeaux. Device Guard is a Windows 10 Enterprise edition hardware and software security feature that compels devices to run only signed and trusted code. Currently, it's not possible to test the managed installer capability with Device Guard. That capability will be arriving with a future release, Desormeaux indicated.

Other New Capabilities
SCCM technical preview 1606 has a few other perks for IT pros to try. It lights up "a new role called the cloud proxy connector point," which will simplify managing SCCM clients remotely. It requires having an Azure subscription to the "Cloud Proxy Service" to use it, though.

It's not exactly clear what the Cloud Proxy Service is but perhaps it's something like the old "Cloud-Based Distribution Points in Microsoft Azure" feature, which supports SCCM client management scenarios for spread-out organizations. Here's how OMeally described it:

"The Cloud Proxy Service uses the same functionality as the Cloud DP. So you can use the guidance here."

Apparently, Microsoft just made it simpler to use its cloud service to update spread-out SCCM clients, or something like that.

Lastly, Microsoft added a couple of mobile device management perks with SCCM technical preview 1606. IT pros can configure more than one device management point, typically for fallback purposes. IT pros using Microsoft Intune can create device categories, compelling users to choose a device category when they enroll their devices under Intune management.

Microsoft no doubt will clear up some matters in its Reddit Q&A session scheduled for Wednesday, June 29, when the SCCM team will field questions.