Microsoft Gives SCCM Management Boost with Update
By Kurt Mackie
August 01, 2017
Microsoft recently released the new "current branch" version of System Center Configuration Manager (SCCM).
Now ready for use in production environments, update 1706 of SCCM adds new management capabilities. Microsoft also released update 1707 last week, but as a "technical preview branch," meaning that it's just for testing purposes.
Microsoft's SCCM lingo hasn't changed much, even though the company recently swapped out its "branches" nomenclature for "channels" for Windows 10 and Windows Server 2016, as well as Office 365 ProPlus releases. For those products, a current branch release is for testing purposes. For SCCM, a current branch is a production-quality release, and no subsequent "current branch for business" release will follow. Microsoft's SCCM team outlined this odd naming scheme for SCCM about a year ago, and they seem to be sticking with it.
Update 1706 will just show up in the "Updates and Servicing" node of SCCM when it's available. Microsoft now counts "more than 40,000 organizations managing more than 84 million devices using the Current Branch of Configuration Manager," according to the update 1706 announcement.
For SCCM users stuck on a previous update, there's a new Configuration Manager Update Reset Tool. It will "reset and restart in-console updates when they have problems downloading or replicating," Microsoft's update 1706 announcement indicated. The reset tool "worked like a charm," according to Kent Agerlund, a principal consultant for CT Global, who described its use in a blog post.
Organizations still using SCCM version 1702 now have access to a hotfix, Microsoft noted last week. The hotfix addresses "software update download failures from Microsoft Update," along with content distribution problems that can occur with client or SMS Agent Host restarts.
Here are a few SCCM update 1706 highlights. Many more details are listed in Microsoft's "What's New" for update 1706 document. Microsoft also removed some features, as described in this "Removed and Deprecated" document, but they were mostly gone with earlier SCCM releases, such as update 1511.
Update 1706 enables SCCM users to deploy PowerShell scripts to clients "using packages and programs." Users can import PowerShell scripts to SCCM, edit them, mark them as "approved" or "denied" for security purposes and then run them on Windows-based PCs. It requires PowerShell 3.0 or higher. Microsoft added a bunch of new PowerShell cmdlets that will work with SCCM update 1706, and removed two cmdlets, as listed in this document.
This release permits organizations to configure the deferral policies in Windows Update for Business for the "feature updates" or "quality updates" that arrive each month for Windows 10. Feature updates can be deferred for 180 days, and devices can be paused from receiving feature updates for "up to 60 days." Quality updates can be deferred for 180 days, but they can be paused for "up to 35 days."
For organizations maintaining Windows 10 and Office 365, SCCM update 1706 brings peer cache support for Express Updates installs. In March, Michael Niehaus, director of Windows Commercial, had suggested that the use of Microsoft's Express Updates technology with Windows 10 would reduce the size of monthly quality updates to about 100MB per month. Microsoft was still working to integrate the technology with SCCM and Windows Server Update Services back then, Niehaus had indicated.
Another client management addition with update 1706 is the ability to manage Microsoft Surface driver updates. One caveat is that "all software update points must run Windows Server 2016," according to Microsoft's "What's New" document.
Microsoft improved the Office 365 click-to-run update install experience for end users. They now get "pop-up and in-app notifications, and a countdown experience."
SCCM can more easily work with Device Guard, a Windows 10 application white-listing security feature. Update 1706 permits SCCM to add trust for "specific files and folder paths." It permits trust for line-of-business apps and apps included with an operating system image, for instance.
The update also permits SCCM to inventory device hardware to check whether it has Trusted Platform Module properties enabled, and whether Secure Boot is enabled.
SCCM update 1706 adds some integration improvements with Azure Active Directory. For instance, it permits data synchronization with the Operations Management Suite (OMS). SCCM users can synchronize with the Log Analytics feature of OMS. They can also connect with Upgrade Readiness OMS data.
SCCM with update 1706 has three new mobile application management policies. One of them will block screen captures by Android devices. Another prevents applications from saving data to the Contacts app on a device. The third addition disables the ability of an application to print data.
Microsoft added a lot of mobile device management improvements that come with the combination of SCCM version 1607 with Microsoft Intune, which is Microsoft's mobile management service. The improvements include checking for device conditional access compliance, support for Entrust as a Certificate Authority, the addition of some Android for Work features and a lot more. The mobile improvements are nicely highlighted in this blog post by Peter Daalmans, a Microsoft MVP with CT Global.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.