Introduction
Another month has passed by and on June 23rd, we finally get to play with the latest Technical Preview release of System Center Configuration Manager from Microsoft. I didn’t blog it immediately (like I normally do) because my computer was sitting in a car rental office over the weekend, so I had no access to my lab. However, I got my computer back on Monday and updated the lab remotely.
There are two main versions (of Configuration Manager) available:
- System Center Configuration Manager (Current Branch)
- System Center Configuration Manager (Technical Preview)
System Center Configuration Manager (Current Branch) is designed for use in production, for managing anything from small to very large enterprises, whereas System Center Configuration Manager (Technical Preview) is for lab environments only and is limited to 10 clients. The Technical Preview releases are released monthly and contain the latest and greatest features being trialed in the product. These new features are usually the result of feedback from UserVoice.
Current Branch releases on the other hand are released only a few times per year and contain stable, tested features that are mature enough to release into production environments.
System Center Configuration Manager Technical Preview 1706 is now available. This release offers the following new features:
Client
- Include trust for specific file paths in Device Guard policies – Optionally, include trust for a specific local file or folder path on clients running a Device Guard policy. Any binaries at the locations specified in the policy can run on targeted clients when enforcement is enabled in the policy.
- Register Windows 10 devices with Azure Active Directory – A new client setting (in Cloud Services group) is enabled by default to automatically register new Windows 10 domain joined devices with Azure AD.
Application Lifecycle and Content
- Specify a different install content location and uninstall content location for a deployment type – You can now specify a different install content location and uninstall content location for a deployment type. Additionally, you can also leave the uninstall content location empty.
- Improvements for Software Update Points in Boundary Groups – Boundary groups now support configuring the time for fallback for software update points.
Operating System Deployment
- PXE network boot support for IPv6 – In an IPv6-only network, boot a device via PXE to start a task sequence OS deployment.
- Hide task sequence progress – Easily toggle when the task sequence progress is or is not displayed to the end user, on a granular step-by-step basis.
Conditional Access
- Device Health Attestation assessment for compliance policies for conditional access – Use Device Health Attestation status as a compliance policy rule for conditional access to company resources.
Software Updates
- Manage Microsoft Surface driver updates – You can now use Configuration Manager to manage Microsoft Surface driver updates.
- Windows Update for Business policy setting configuration – Use configuration items to configure deferral settings for Windows Update for Business.
Core Infrastructure
- Site Server Role High Availability – You can now add a primary site server in ‘passive mode’ to your standalone site to increase availability.
- Create and run scripts – Create and run scripts from Configuration Manager.
- Upgrade Readiness added to Azure Services Wizard – You can now use Azure Services Wizard to connect ConfigMgr to Upgrade Readiness in Windows Analytics to synchronize data to assess device compatibility with Windows 10.
- Accessibility improvements in the Configuration Manager console – This preview introduces several improvements to the accessibility features in the Configuration Manager console.
This release also includes the following improvement for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:
- Android and iOS Enrollment Restrictions – Admins can now specify that users cannot enroll personal Android or iOS devices in their hybrid environment, limiting enrollment to predeclared company-owned devices or DEP-enrolled devices only.
- New options for compliance policies – You can now configure new options for compliance policies that were previously only available in Intune standalone.
- New compliance policy actions – You can now configure actions for compliance policies. These actions include setting a grace period for devices that are noncompliant before they lose access to company resources, and creating emails to be sent to users with noncompliant devices.
- New settings for Windows configuration items – You can now configure new Windows configuration item settings that were previously only available in Intune standalone.
- Cisco (IPsec) support for iOS VPN Profiles – Admins can now use Cisco (IPsec) as a connection type for VPN profiles for iOS.
- App Protection settings to block printing and contact sync – Additional settings have been added to block printing and contact sync on Intune-enlightened applications.
- PFX certificate creation and distribution and S/MIME support – Admins can create and deploy PFX certificates to users utilizing an Entrust certification authority. These certificates can then be used for S/MIME encryption, decryption, and authentication by devices that the user has enrolled.
Installing this release
So how do you get Technical Preview installed? There are two methods:
- Upgrade from a previous installation of Technical Preview (as shown in this guide).
- Do a clean install of Technical Preview 1703 (the latest TP baseline) by using the following guide and replace the base version in that guide with the TP1703 release and then upgrade.
Upgrading to this release
Once you have a Technical Preview release installed, in the Configuration Manager console browse to Administration, Overview, Updates and Servicing as shown below and click on Check for Updates (in the ribbon), followed by clicking on the OK button.
As instructed, read the DMPDownloader.log available in <drvletter>:\Program Files\Microsoft Configuration Manager\Logs. You can use CMTrace to do so.
Refresh the console by clicking on the Refresh icon in the ribbon. You should see that the update pack is available to download, so right click it and choose Download, then refresh the console again. The state should change to Downloading.
Once downloaded, it will be listed with a state of Ready to Install.
Right click the update pack and choose Install Update Pack.
A wizard appears. Click Next.
The features included in the update pack will be listed.
Select your client update settings and click Next.
Accept the EULA and configure the software assurance expiration date.
Click through to the summary.
Monitoring the Upgrade
At this point you should monitor the CMUpdate.log available in <drvletter>:\Program Files\Microsoft Configuration Manager\Logs. You can use CMTrace to do so. This log will detail the installation of the update pack. You should also pay attention to the following log files present in the root of C:\.
- CompMgrProv.Log
- ConfigMgrPrereq.log
- ConfigMgrSetup.log
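To follow CMUpdate.log from a PowerShell session instead of CMTrace, the added example below (not part of the original post or of Configuration Manager) parses each line's trailer and emits only lines whose message mentions an error, failure or warning. It assumes the site-server trailer format shown in the first comment; `Get-CMLogProblem` is a hypothetical helper name and the sample lines are constructed.

```powershell
# Assumed trailer on each site-server log line:
#   <message>  $$<COMPONENT><M-d-yyyy H:mm:ss.fff+bias><thread=N (0xN)>
$CMTrailer = '^(?<msg>.*?)\s*\$\$<(?<component>[^>]*)>' +
             '<(?<stamp>\d{1,2}-\d{1,2}-\d{4} \d{1,2}:\d{2}:\d{2})[^>]*><thread=(?<thread>\d+)'

function Get-CMLogProblem {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line,
        # Keyword heuristic for the lines worth reading first
        [string]$Pattern = '\b(error|fail(ed|ure)?|warning)\b'
    )
    process {
        if ($Line -notmatch $CMTrailer) { return }   # no trailer: continuation line or other format
        $m = $Matches                                # keep the groups before the next match replaces them
        if ($m.msg -notmatch $Pattern) { return }    # informational line, skip
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($m.stamp, 'M-d-yyyy H:mm:ss',
                            [cultureinfo]::InvariantCulture)
            Component = $m.component
            Thread    = [int]$m.thread
            Message   = $m.msg
        }
    }
}

# Constructed sample lines (not taken from a real site server)
$sample = @'
INFO: Starting prerequisite check.  $$<CONFIGURATION_MANAGER_UPDATE><06-26-2017 10:15:14.435-120><thread=3260 (0xCBC)>
ERROR: Failed to copy a file to the staging folder.  $$<CONFIGURATION_MANAGER_UPDATE><06-26-2017 10:16:02.101-120><thread=3260 (0xCBC)>
INFO: Successfully reported update status.  $$<CONFIGURATION_MANAGER_UPDATE><06-26-2017 10:16:05.220-120><thread=3260 (0xCBC)>
'@ -split "`r?`n"

$sample | Get-CMLogProblem | Format-Table -AutoSize

# On the site server, follow the live log (substitute the install drive letter):
# Get-Content '<drvletter>:\Program Files\Microsoft Configuration Manager\Logs\CMUpdate.log' -Wait |
#     Get-CMLogProblem
```

The keyword match is only a triage filter, so read the surrounding lines in the full log before acting on a hit.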
After refreshing the console, the state of the update pack will change to Installing.
Clicking on Show Status will give you detailed info about the state the installation is in. It is broken down into 5 distinct phases in the top pane:
- Download
- Replication
- Prerequisite Check
- Installation
- Post Installation
Selecting the phase will highlight what state the update is in, including what (if any) problems it has.
After some time it will have moved on. Click on the Refresh button to update the status, until finally it’s all complete and you are notified that a new console version is available.
After it’s installed, the new console appears.
This release also contains some new features such as the ability to run scripts (right click in the console) which has been documented excellently by Ryan here.
Also in this release you can get around the Windows 7 driver bugs by using the DISM workaround shown here (thanks Aaron).