<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" > <channel> <title>Enterprise Mobility and Security Blog &#187; Products &#187; System Center Configuration Manager</title> <atom:link href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=system-center-configuration-manager" rel="self" type="application/rss+xml" /> <link>https://blogs.technet.microsoft.com/enterprisemobility</link> <description>The most recent news and updates about Microsoft’s Enterprise Mobility offerings and events for enterprise technology professionals and developers.</description> <lastBuildDate>Fri, 08 Jul 2016 16:00:13 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=4.3.4</generator> <item> <title>FAQ: System Center Configuration Manager (Current Branch)</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/24/faq-system-center-configuration-manager-current-branch/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/24/faq-system-center-configuration-manager-current-branch/#comments</comments> <pubDate>Fri, 24 Jun 2016 21:00:21 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[Application Compatibility]]></category> <category><![CDATA[Cumulative Updates]]></category> <category><![CDATA[Public Preview]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[Windows Server]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=20265</guid> <description><![CDATA[In December 2015, we made some major changes to System Center Configuration Manager (ConfigMgr) when we introduced our current branch model. This new model transformed the way we deliver ConfigMgr, moving from longer release cycles to regular updates designed to support the faster pace of updates for Windows 10 and Microsoft Intune. We’re flattered by <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/06/24/faq-system-center-configuration-manager-current-branch/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>In December 2015, we made <a href="https://blogs.technet.microsoft.com/enterprisemobility/2015/10/27/system-center-configuration-manager-support-for-windows-10-and-microsoft-intune/"><u>some major changes</u></a> to System Center Configuration Manager (ConfigMgr) when we introduced our current branch model. This new model transformed the way we deliver ConfigMgr, moving from longer release cycles to regular updates designed to support the faster pace of updates for Windows 10 and Microsoft Intune.</p> <p>We’re flattered by the overwhelmingly positive response from our community of users and proud to share that today more than 25 million devices are being managed in our current branch model.</p> <p>With all this change and momentum, we’ve received a number of questions from across our customer base about the current branch model and how we work with the new Windows 10 servicing model. Here are answers to the most frequently asked questions about ConfigMgr.</p> <p>&nbsp;</p> <h1>Product Roadmap</h1> <h2>How does the ConfigMgr release cadence align with current Microsoft Intune and Windows 10 Current Branch release cadences?</h2> <p>ConfigMgr is designed to support the faster pace of updates for Windows 10 and Microsoft Intune. It allows quick and easy delivery of updates, so you can always have the latest Windows management features available. All Windows branches are supported on the ConfigMgr Current Branch, including CB, CBB and LTSB. See the “Application Compatibility” section of this FAQ for support provided on the various Windows builds in each branch.</p> <h2>I’m not managing Windows 10 Current Branch or Current Branch for Business. Do I still need to stay current with Configuration Manager?</h2> <p>Yes, the updates for ConfigMgr Current Branch contain critical non-security and security fixes plus new or improved management features. Many of these fixes and features are unrelated to Windows 10 management. Also, the latest ConfigMgr update version is required to receive critical non-security fixes.</p> <h2>Is there a ConfigMgr Current Branch and Current Branch for Business?</h2> <p>No, there is no “Current Branch for Business” for ConfigMgr, which . is by nature all “for business.” Updates to its current branch are released after having been stabilized through internal validation, escrow builds, technical previews, and Technology Adoption Program.</p> <h2>What’s the story with technical previews?</h2> <p>Technical previews are distinct from the current release of ConfigMgr. They are intended for early validation in a lab environment, and allow you to validate new features before they are available on current branch. Technical previews are also a way for us to get early feedback before we release a feature to the current branch. You can think of technical previews as parallel branches to the ConfigMgr current branch. There is no way to switch between the two; i.e., you cannot “upgrade” a technical preview to a current branch, or “downgrade” a current branch deployment to the technical preview branch.</p> <p>To use technical previews, first install a <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview"><u>baseline version</u></a> of the technical preview build. You can then use in-console updates to bring your installation up to date with the most recent preview version. Typically, new versions of the technical preview are available each month. In the admin console, new versions appear as “Configuration Manager Technical Preview YYMM.”</p> <p><img class="alignnone size-full wp-image-20285" src="https://msdnshared.blob.core.windows.net/media/2016/06/ConfigMgrFAQ1.jpg" alt="ConfigMgrFAQ1" width="378" height="100" /></p> <p>Learn more about technical previews in this <a href="https://technet.microsoft.com/library/mt595861.aspx?f=255&amp;MSPPError=-2147217396#bkmk_install"><u>article</u></a>.</p> <h2>Will Microsoft release a ConfigMgr product update in alignment with System Center 2016?</h2> <p>Yes, there will be a release of ConfigMgr that aligns with the release of Windows Server 2016 and System Center 2016. We’ll share more details on this release in the near future.</p> <p>&nbsp;</p> <h1>Incremental Update Versions</h1> <h2>How often will updates be released for ConfigMgr?</h2> <p>We plan to release updates for the current branch about three times a year. The first release of the current branch was 1511 in December 2015, followed by 1602 in March 2016. There may be cases when we need to release a critical update urgently, like the <a href="https://support.microsoft.com/en-us/kb/3155482"><u>1602 update rollup</u></a>. Some updates on the current branch will be available as full media, allowing a clean installation so that new deployments won’t always have to start from 1511 and then be updated.</p> <h2>How long is each update version supported?</h2> <p>Each update version is supported for 12 months from its general availability release date. Technical support and security updates are provided for the entire 12 months. However, the latest update version is required to receive critical non-security fixes.</p> <h2>Is extended interop or mixed version hierarchies recommended or supported?</h2> <p>Running in interop mode or a mixed version hierarchy for a prolonged period is not recommended. The results can be unpredictable. Please see <a href="https://technet.microsoft.com/en-us/library/mt622773.aspx"><u>Interoperability between different versions of System Center Configuration Manager</u></a> and <a href="https://technet.microsoft.com/en-us/library/mt613175.aspx"><u>Planning for operating system deployment interoperability in System Center Configuration Manager</u></a> for general information on interop.</p> <h2>What’s the difference between current branch’s incremental update versions and cumulative updates released with System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager?</h2> <p>The only difference is that incremental update versions can include new features. Otherwise, they are very similar, where the current branch’s incremental updates can be more easily distributed and deployed through the “Updates and Servicing” channel, leveraging in-console updating.</p> <p>&nbsp;</p> <h1>Application Compatibility (AppCompat)</h1> <h2>Will previous update versions support newer builds of Windows 10?</h2> <p>The current update version (N) of ConfigMgr will provide AppCompat support for a newly released Windows 10 Current Branch build. This means that existing client management features (hardware inventory, software inventory, software updates, etc.) should work with the new Windows 10 Current Branch build. Any known issues or caveats will be documented.</p> <p>The next update version (N+1) of ConfigMgr will provide full support (including management support of new Windows 10 features) of the new Windows 10 Current Branch for Business build and LTSB, if released. This approach gives you the ability to deploy and manage new Windows 10 CB builds on day 1 with AppCompat support and without requiring a new ConfigMgr update version. You can benefit from full support of the declared business ready build (CBB) once your ConfigMgr infrastructure is updated to the next update version. Older update versions (N-1 and older) may not receive any AppCompat support for newer Windows 10 builds. For example:</p> <p><img class="alignnone size-full wp-image-20295" src="https://msdnshared.blob.core.windows.net/media/2016/06/ConfigMgrFAQ2new.jpg" alt="ConfigMgrFAQ2new" width="396" height="179" /></p> <p>*Future update versions are shown for illustration purposes only. The exact release dates are TBD.</p> <p><strong>NOTE: There may be rare occurrences when the engineering required to support a new Windows 10 feature takes more than one update version to implement. </strong></p> <h2>What can I expect in regard to support for Windows Server 2016? Which update version will add support?</h2> <p>This will depend on release timing. We’ll provide exact support details in the near future.</p> <h2>Which update versions will add support for updates or upgrades to product dependencies (like SQL or .Net)?</h2> <p>Typically, the ConfigMgr update version released after the product dependency update or upgrade will add support. For example, if SQL 2014 Service Pack 2 is released after update version 1602 but before update version 1606, 1606 would add the necessary support.</p> <p>&nbsp;</p> <p>&#8212;<strong>Michael Cureton</strong>, Principal Group Engineering Manager, Enterprise Client and Mobility<br /> &#8212;<strong>Maayan Bar-Niv</strong>, Principal Program Manager, Enterprise Client and Mobility</p> <p>&nbsp;</p> <h5> <strong>Additional resources:</strong></h5> <ul> <li><a href="https://technet.microsoft.com/library/mt622084.aspx"><u><span style="color: #0066cc">What’s New in System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt608540.aspx"><u><span style="color: #0066cc">Get Ready for System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt608544.aspx"><u><span style="color: #0066cc">Start Using System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt627853.aspx"><u><span style="color: #0066cc">Upgrade to System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt346023.aspx"><u><span style="color: #0066cc">Technical Documentation for System Center Configuration Manager</span></u></a></li> <li><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB"><u><span style="color: #0066cc">System Center Configuration Manager Forums</span></u></a></li> <li><a href="http://support.microsoft.com/oas/default.aspx?prid=15983"><u><span style="color: #0066cc">System Center Configuration Manager Support</span></u></a></li> </ul> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/24/faq-system-center-configuration-manager-current-branch/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item> <title>Live Q&#038;A with ConfigMgr</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/23/live-qa-with-configmgr/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/23/live-qa-with-configmgr/#comments</comments> <pubDate>Thu, 23 Jun 2016 19:00:56 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=19995</guid> <description><![CDATA[When: June 29, 2016, 1:00 &#8211; 5:00 PM PST Where: www.reddit.com/r/sccm Did you know the Configuration Manager team boasts one of the most active and dedicated user communities within Microsoft? Our community consistently inspires us to deliver the best PC management experience available. We’re always looking for new ways to interact with you, which is <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/06/23/live-qa-with-configmgr/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p><span style="color: #000000;font-family: Calibri;font-size: medium">When: June 29, 2016, 1:00 &#8211; 5:00 PM PST</span></p> <p><span style="color: #000000;font-family: Calibri;font-size: medium">Where: </span><a href="http://www.reddit.com/r/sccm"><u><span style="color: #0563c1;font-family: Calibri;font-size: medium">www.reddit.com/r/sccm</span></u></a></p> <p><span style="color: #000000;font-family: Calibri;font-size: medium">Did you know the Configuration Manager team boasts one of the most active and dedicated user communities within Microsoft? Our community consistently inspires us to deliver the best PC management experience available. We’re always looking for new ways to interact with you, which is why we’re excited to announce a live Ask Me Anything event that we’ll be hosting on </span><a href="https://www.reddit.com/r/sccm"><u><span style="color: #0563c1;font-family: Calibri;font-size: medium">reddit.com/r/sccm</span></u></a><span style="color: #000000;font-family: Calibri;font-size: medium"> on June 29, from 1:00 &#8211; 5:00 PM PST.  </span></p> <p><span style="font-family: Calibri"><span style="font-size: medium"><span style="color: #000000">An Ask Me Anything event is a live Q&amp;A forum, where the<b> </b></span></span><span style="color: #000000;font-size: medium">entire Configuration Manager engineering team will be available to answer your questions about features new and old. That’s four hours of live chat time with the ConfigMgr team! And when we say ask us </span><i><span style="color: #000000;font-size: medium">anything</span></i><span style="color: #000000;font-size: medium">, we mean it. We’ll chat about everything from the upcoming 1606 release to the esoteric SMS 4.0. Bring ‘em on!</span></span></p> <p><span style="color: #000000;font-family: Calibri;font-size: medium">All team responses will be from “TheConfigMgrTeam.” </span></p> <p><span style="color: #000000;font-family: Calibri;font-size: medium">Spread the word! If we have a strong turnout and we like this format, we’re confident we can convince </span><a href="https://twitter.com/djammmer"><u><span style="color: #0563c1;font-family: Calibri;font-size: medium">@djammmer</span></u></a><span style="color: #000000;font-family: Calibri;font-size: medium"> to host a live Q&amp;A for every release. If you can’t make it, we’d still love to hear from you. Post your question in the Comments section, and check back for responses. </span><span style="color: #000000;font-family: Calibri;font-size: medium"> </span></p> <p><span style="color: #000000;font-family: Calibri;font-size: medium">Mark your calendars. We’re looking forward to a great discussion!</span></p> <p>&nbsp;</p> <p><strong>Additional resources:</strong></p> <ul> <li><a href="https://technet.microsoft.com/library/mt622084.aspx"><u><span style="color: #0066cc">What’s New in System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt608540.aspx"><u><span style="color: #0066cc">Get Ready for System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt608544.aspx"><u><span style="color: #0066cc">Start Using System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt627853.aspx"><u><span style="color: #0066cc">Upgrade to System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt346023.aspx"><u><span style="color: #0066cc">Technical Documentation for System Center Configuration Manager</span></u></a></li> <li><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB"><u><span style="color: #0066cc">System Center Configuration Manager Forums</span></u></a></li> <li><a href="http://support.microsoft.com/oas/default.aspx?prid=15983"><u><span style="color: #0066cc">System Center Configuration Manager Support</span></u></a></li> </ul> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/23/live-qa-with-configmgr/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Update 1606 for Configuration Manager Technical Preview – Available Now!</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/update-1606-for-configuration-manager-technical-preview-available-now/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/update-1606-for-configuration-manager-technical-preview-available-now/#comments</comments> <pubDate>Mon, 20 Jun 2016 21:40:47 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[Public Preview]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=19515</guid> <description><![CDATA[Hello everyone! Update 1606 for Configuration Manager Technical Preview has been released. New and improved features in this update include: ConfigMgr as a managed installer for easier application whitelisting on Windows10: You can now configure clients so that ConfigMgr-deployed software is automatically trusted, but software from other sources is not. Read more in this blog <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/update-1606-for-configuration-manager-technical-preview-available-now/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Hello everyone! Update 1606 for Configuration Manager Technical Preview has been released. New and improved features in this update include:</p> <ul> <li><i><strong>ConfigMgr as a managed installer for easier application whitelisting on Windows10:</strong> </i>You can now configure clients so that ConfigMgr-deployed software is automatically trusted, but software from other sources is not. Read more in <a href="http://go.microsoft.com/fwlink/?LinkId=808432"><u>this blog post</u></a>.</li> <li><strong>Cloud Proxy Service:</strong> This technical preview provides a simple way to manage ConfigMgr clients on the Internet. The Cloud Proxy Service, which is deployed to Microsoft Azure and requires an Azure subscription, connects to your on-premises ConfigMgr infrastructure using a new role called the cloud proxy connector point. You can use the ConfigMgr console to deploy the service to Azure and configure the supported roles to allow cloud proxy traffic.</li> <li><strong>Grace period for application and software update deployments:</strong> You are now able to give users a grace period to install required applications or software updates beyond any deadlines you configured. This can be useful for when a computer has been turned off for an extended period of time like when an end user has just returned from vacation.</li> <li><strong>Multiple device management points for Windows 10 Anniversary Edition devices: </strong>On-premises Mobile Device Management (MDM) supports a new capability in Windows 10 Anniversary Edition that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fall back to another device management point when the one it was using is not available.</li> </ul> <p>This release also includes the following new feature for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:</p> <ul> <li><strong>Device categories: </strong>You can create device categories, which can be used to automatically place devices in device collections when used in hybrid environments. Users are then required to choose a device category when they enroll a device in Intune.</li> </ul> <p>Update 1606 for Technical Preview is available directly in the Configuration Manager console. If you want to install Configuration Manager Technical Preview for the first time, the installation bits (currently based on Technical Preview 1603) are <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview"><u>available on TechNet Evaluation Center</u></a>.</p> <p><span style="color: #ff0000"><strong>Note:</strong> </span>There is a known issue updating to Update 1606 after sequentially updating from Update 1604 and Update 1605 for Configuration Manager Technical Preview. Please view the workaround in the <a href="https://technet.microsoft.com/en-us/library/mt732696.aspx">Known Issues in this Technical Preview</a> section on TechNet.</p> <p>We would love to get your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use <a href="https://connect.microsoft.com/ConfigurationManagervnext/Feedback"><u>Connect</u></a>. If there’s a new feature or enhancement you want us to consider including in future updates, please use the <a href="http://configurationmanager.uservoice.com/"><u>Configuration Manager UserVoice site</u></a>.</p> <p>Thanks,</p> <p>The System Center Configuration Manager team</p> <p><strong>Configuration Manager Resources:</strong></p> <p><a href="https://technet.microsoft.com/en-US/library/mt595861(TechNet.10).aspx"><u>Documentation for System Center Configuration Manager Technical Previews </u></a><br /> <a href="https://technet.microsoft.com/en-us/library/mt346023.aspx"><u>Documentation for System Center Configuration Manager </u></a><br /> <a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB"><u>System Center Configuration Manager Forums </u></a><br /> <a href="http://support.microsoft.com/oas/default.aspx?prid=15983"><u>System Center Configuration Manager Support</u></a><br /> <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview"><u>System Center Configuration Manager Technical Preview 5</u></a> (v1603)</p> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/update-1606-for-configuration-manager-technical-preview-available-now/feed/</wfw:commentRss> <slash:comments>19</slash:comments> </item> <item> <title>Simplify application whitelisting with Configuration Manager and Windows 10</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/#comments</comments> <pubDate>Mon, 20 Jun 2016 21:40:46 +0000</pubDate> <dc:creator><![CDATA[Dune Desormeaux (ConfigMgr PM)]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=19525</guid> <description><![CDATA[Updated 6/28/2016 Introduction Windows 10 introduced a new set of features called Device Guard that helps enterprises protect their business critical machines against malware and other unwanted software. Key amongst these is a new application and software whitelisting technology known as configurable code integrity that, together with AppLocker, enables enterprises to strongly control what is <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p><span style="color: #ff0000"><strong>Updated 6/28/2016</strong></span></p> <h2><strong>Introduction</strong></h2> <p>Windows 10 introduced a new set of features called Device Guard that helps enterprises protect their business critical machines against malware and other unwanted software. Key amongst these is a new application and software whitelisting technology known as configurable code integrity that, together with AppLocker, enables enterprises to strongly control what is allowed to run in their environment.</p> <p>Like all whitelisting solutions, configurable code integrity and AppLocker policies can be complex to set up and difficult to maintain, particularly for enterprises whose software catalogs are large, ever-changing, and include applications from a variety of internal and 3^rd-party software developers. Enter the concept of the Managed Installer.</p> <p>As of Windows 10 Enterprise Anniversary Edition, administrators can configure a new type of AppLocker rule that identifies a specific trusted installation authority, or Managed Installer. Any applications or other software (executables and .dll’s) that are installed by that specified installation authority will be automatically trusted by AppLocker and allowed to run without needing to create any other rules. Applications and software that are installed using any other mechanism will not pass the Managed Installer rule and will only run if explicitly allowed by another AppLocker rule. This will drastically reduce the overhead required to maintain whitelisting policy when deploying applications and software to systems protected by Windows AppLocker.</p> <p>Managed Installer functionality is still in a prototype phase at the moment and does not yet have any associated user interface screens within Windows. However, thanks to collaboration between the ConfigMgr and Windows engineering teams it can be set up today and tested in any environment on machines with the<a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/update-1606-for-configuration-manager-technical-preview-available-now/"> ConfigMgr 1606 Technical Preview </a>client that are running Windows 10 Enterprise with Windows Insider Program build 14367 or later with some caveats explained below. The Windows version and ConfigMgr client version are the only two prerequisites for this functionality. As noted, Managed Installer functionality currently only applies to AppLocker, but the Windows engineering team intends to integrate the functionality with Device Guard’s configurable code integrity feature in a later release. The remainder of this blog will provide detailed instructions on how clients can leverage this new functionality.</p> <p>For additional reading about Device Guard and AppLocker, please consult the following resources:</p> <p><a href="https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-certification-and-compliance"><u>Device Guard Documentation</u></a></p> <p><a href="https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide"><u>Device Guard Deployment Guide</u></a></p> <p><a href="https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview"><u>AppLocker Documentation</u></a></p> <p><a href="https://blogs.technet.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/"><u>Blog: Managing Device Guard Configurable Code Integrity with existing ConfigMgr functionality</u></a></p> <h2><strong>Creating the Custom AppLocker Policy </strong></h2> <p>Creating an AppLocker Policy that contains a Managed Installer is most easily done in the Local Security Policy snap-in in Microsoft Management Console (MMC), then moving to the XML editor of your choice. This can be done with similar workflows on any recent version of Windows, but in this example a Windows 10 client is used.</p> <ol> <li>From the Windows Start menu, type “secpol.msc” and then press enter to launch the Local Security Policy MMC snap-in. Once the console opens, navigate to <strong>Application Control Policies &gt; AppLocker &gt; Executable Rules</strong>.<br /> <img class=" size-full wp-image-19535 alignnone" src="https://msdnshared.blob.core.windows.net/media/2016/06/SCCM_DeviceGuard1.jpg" alt="SCCM_DeviceGuard1" width="911" height="574" /></li> <li>Right click <strong>Executable Rules</strong> and create a new rule that allows “Everyone” to run CCMExec.exe based on a condition of your choice. For this example, a File Path condition has been selected (this is the least secure option but it should allow readers to copy the policy used here for basic testing).<br /> <img class="alignnone size-full wp-image-19625" src="https://msdnshared.blob.core.windows.net/media/2016/06/SCCM_DeviceGuard2.jpg" alt="SCCM_DeviceGuard2" width="774" height="654" /></li> <li>Once the rule has been created it will appear in the console. Now, export the policy XML for editing. Right-click <strong>Applocker</strong> in the navigation pane and select <strong>Export Policy…</strong> highlighted below.<br /> <img class="size-full wp-image-19615 alignnone" src="https://msdnshared.blob.core.windows.net/media/2016/06/SCCM_DeviceGuard3.jpg" alt="SCCM_DeviceGuard3" width="752" height="574" /><br /> The exported policy XML will look similar to the example below. The new file rule for CCMExec.exe is highlighted in yellow.<img class="alignnone size-large wp-image-19605" src="https://msdnshared.blob.core.windows.net/media/2016/06/SCCM_DeviceGuard4-1024x367.jpg" alt="SCCM_DeviceGuard4" width="1024" height="367" /></li> <li>Next, duplicate the entire EXE rule collection via copy-paste, and then remove all rules other than the new file path rule in the duplicate version. The original CCMExec.exe file path rule in the EXE rule collection can also be deleted at this point. Change the value of the <strong>Type</strong> attribute on the new rule collection to “ManagedInstaller”. What remains is a new Rule Collection of type “ManagedInstaller” and an EXE rule collection that contains only the original (in this case default) rules.<br /> <img class="alignnone size-large wp-image-19595" src="https://msdnshared.blob.core.windows.net/media/2016/06/SCCM_DeviceGuard5-1024x392.jpg" alt="SCCM_DeviceGuard5" width="1024" height="392" /></li> <li>Now that the Managed Installer rule collection has been created, the Services Enforcement extension that was introduced in the first release of Windows 10 must be added. To add the extension, that allows for the enforcement of AppLocker policies against Windows Services, paste the below into your policy inside the EXE rule collection. You can see the result highlighted in green in the below.Insert this text: <pre><em><em>        &lt;RuleCollectionExtensions&gt;             &lt;ThresholdExtensions&gt;                 &lt;Services EnforcementMode="Enabled" /&gt;             &lt;/ThresholdExtensions&gt;         &lt;/RuleCollectionExtensions&gt; </em></em></pre> <p><img class="alignnone size-large wp-image-19585" src="https://msdnshared.blob.core.windows.net/media/2016/06/SCCM_DeviceGuard6-1024x457.jpg" alt="SCCM_DeviceGuard6" width="1024" height="457" /></li> <li>Finally, select the Enforcement mode for the EXE and Managed Installer rule collections. The possible options are “Notconfigured”, “AuditOnly”, or “Enabled”. They have the following significance: <ul> <li><strong>NotConfigured </strong>– No enforcement or auditing occurs.</li> <li><strong>AuditOnly </strong>– Applications and executables are not blocked from running by AppLocker, but logging occurs in the client event logs (visible in <strong>Event Viewer</strong> under <em>Applications and Services Logs &gt; Microsoft &gt; Windows &gt; AppLocker</em>) whenever an application or executable is allowed to run or would have been blocked if enforcement mode had been enabled. <p><strong>Note</strong>: Logging for Managed Installer rules is shared with the logging for EXE rules. Logging for both can be found in Event Viewer under <em>Applocker &gt; EXE and DLL. </em>In the client event logs, there will be two new events for each executable that is run in addition to the existing EXE rule events.</p> <p>The first event is the Managed Installer rule that will show that it would block any software other than the designated Managed Installer itself. Software is never blocked simply for not being the Managed Installer so this shouldn&#8217;t be cause for concern.</p> <p>The second new event will have Event ID 8030 that has information about the status of AppID verification. This is the relevant event for determining whether software would be blocked based on Managed Installer behavior. The status displayed at the end of the event text in the <strong>General</strong> tab in Event Viewer will show &#8220;STATUS SUCCESS&#8221; if the executable passes the verification and show &#8220;The object was not found&#8230;&#8221; for software that would be blocked by the Managed Installer functionality.</li> <li><strong>Enabled</strong> – Applications and executables in violation of the AppLocker policies are blocked from running. <p><strong>Note</strong>: The Managed Installer rule will only be enforced for software that is not allowed by existing EXE rules and that was not already present on the device when the Application Identity service was started (see Configuring Client Devices, below). </li> </ul> <p>The recommended way of configuring AppLocker is to set up your policy and first set the enforcement mode to <strong>AuditOnly </strong>and then examine the event logs on the client machine to assess whether the policy is working correctly. Once the correctness of the policy has been adequately verified, then enforcement mode can be changed to <strong>enabled</strong>. Extreme care should be taken when auditing AppLocker policies because if they are configured incorrectly it can cause severe instability on affected machines.</p> <p>To complete this example, the policy enforcement mode will be changed to <strong>AuditOnly</strong> in this case. The change is highlighted in blue.</p> <p>With this final change the policy is ready to be saved and subsequently deployed. Once the policy has been validated and client event logs appear to be exhibiting the desired behavior, then the values of <strong>EnforcementMode </strong>highlighted below in blue can be changed to <strong>Enabled</strong> to enforce the new AppLocker policy (the policy must also be redeployed for the changes to take effect).<br /> <img class="alignnone size-large wp-image-19575" src="https://msdnshared.blob.core.windows.net/media/2016/06/SCCM_DeviceGuard7-1024x458.jpg" alt="SCCM_DeviceGuard7" width="1024" height="458" /></li> </ol> <h2><strong>Configuring Client Devices</strong></h2> <p>Four steps are required to configure clients to treat ConfigMgr as a Managed Installer. These can be accomplished with via Group Policy or using ConfigMgr’s configuration Items, programs, or task sequences, and PowerShell. In this example a short PowerShell script is used and can be deployed in a package containing both the script and the <a href="https://gallery.technet.microsoft.com/Technical-preview-1606-7485ff82" target="_blank">AppLocker policy XML file</a>. The script must be run with Administrative privileges to have the desired result. Note that these commands can be run from any folder except for the step to set the AppLocker policy, which needs to be run from the folder where the policy XML file is located.</p> <ol> <li><strong>Start Windows Application Identity services </strong><br /> The PowerShell command to accomplish this is as follows:</p> <pre>PS C:\WINDOWS\system32&gt; AppIdtel start -mionly</pre> <p>Once this command is run, all software that is already on the device will automatically be trusted, regardless of whether or not that software would be allowed by existing AppLocker EXE rules. This means that the policy used could be much shorter than the simple on provided for this example, though one arbitrary EXE rule is required for Managed Installer functionality to take effect. Software that is new to the device will be subject to existing AppLocker rules and if it is not allowed by the existing EXE rules then it will be allowed to run only if it was installed by a Managed Installer.</p> <p><strong>Note:</strong> Managed Installer Functionality will never override an explicitly &#8220;Deny&#8221; AppLocker rule, meaning that if these rules exist the specified software will still not be allowed to run.</li> <li><strong>Create a custom DWORD in the client registry</strong><br /> To configure the ConfigMgr client to behave as a Managed Installer, the following registry DWORD must be added with a value of “1”.</p> <pre><em>HKLM\SOFTWARE\Microsoft\CCM\EnableManagedInstaller</em></pre> <p>This mechanism for changing the client behavior is subject to change in subsequent releases once this functionality has its own Configuration Manager Console user interface screen. This can be accomplished using reg.exe that can be executed from PowerShell as follows:</p> <pre>PS C:\WINDOWS\system32&gt; reg.exe add HKLM\SOFTWARE\Microsoft\CCM /v EnableManagedInstaller /t REG_DWORD /d "1" /f</pre> </li> <li><strong>Deploy the custom AppLocker policy that was created above</strong><br /> AppLocker policies are often deployed via Group Policy, but in this example the policy will be applied using one of the AppLocker PowerShell cmdlets to apply policy from the policy XML file distributed in the same package as the script. The PowerShell command for this is:</p> <pre>PS C:\WINDOWS\system32&gt; set-ApplockerPolicy -XmlPolicy AuditPolicy.xml</pre> </li> <li><strong>Restart the client SMS Host Agent service (CCMExec), or restart the device</strong><br /> The final step to configure clients is to restart the CCMExec service that can be accomplished by executing the net.exe command from PowerShell as follows:</p> <pre>PS C:\WINDOWS\system32&gt; net stop ccmexec PS C:\WINDOWS\system32&gt; net start ccmexec</pre> </li> </ol> <p>These four sets of commands can be combined into a simple PowerShell script by copying the lines from above into a text file and naming the file with a .ps1 file extension. The resulting script looks like the below.</p> <pre>AppIdtel start -mionly reg.exe add HKLM\SOFTWARE\Microsoft\CCM /v EnableManagedInstaller /t REG_DWORD /d "1" /f set-ApplockerPolicy -XmlPolicy AuditPolicy.xml net stop ccmexec net start ccmexec</pre> <p>The above should be saved to a .ps1 PowerShell script file and that file can then be distributed along with the policy XML file created above to be run on clients using a required package and program. Clients that have run the script will treat ConfigMgr as a Managed Installer. At time of writing, when using Windows Insider Preview build 14367, packages and programs deployed from ConfigMgr 1606 Technical Preview with programs set to run with administrative privileges will be trusted automatically. All other deployments from the same ConfigMgr version will be automatically trusted by clients running an upcoming Windows Insider Program Fast Ring build. This blog will be updated to reflect this upon the release of that build of Windows. To validate the policy once it has been deployed, normal application, update, and package deployments should be made to the clients (taking the aforementioned caveats into consideration) and then the local client event logs should be examined to ensure that no trusted software is in violation of both the EXE and Managed Installer AppLocker rules. Software that is allowed by at least one of these rules will be allowed to run. Once the policy has been validated, the AppLocker policy should be edited so that <strong>EnforcementMode</strong> is set to “Enabled”, and then the AppLocker policy deployment step (and only this step) should be re-run to update the policy on the client.</p> <p>Once this is complete then the original goal has been accomplished! The client has been locked down and only existing software and new software deployed from ConfigMgr will be allowed to run on the client device.</p> <p>Let us know what you think about the Managed Installer functionally with Configuration Manager Technical Preview. To provide feedback or report any issues with the functionality included in this Technical Preview, please use <a href="https://connect.microsoft.com/ConfigurationManagervnext/Feedback"><u>Connect</u></a>. If there’s a new feature or enhancement you want us to consider including in future updates, please use the <a href="http://configurationmanager.uservoice.com/"><u>Configuration Manager UserVoice site</u></a>.</p> <p>Thanks,</p> <p>Dune Desormeaux, Program Manager, Enterprise Client and Mobility<br /> Jeffrey Sutherland, Principal Lead Program Manager OS Enterprise and Security</p> <p><strong><br /> Configuration Manager Resources:</strong></p> <p><a href="https://technet.microsoft.com/en-US/library/mt595861(TechNet.10).aspx"><u>Documentation for System Center Configuration Manager Technical Previews </u></a><br /> <a href="https://technet.microsoft.com/en-us/library/mt346023.aspx"><u>Documentation for System Center Configuration Manager </u></a><br /> <a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB"><u>System Center Configuration Manager Forums </u></a><br /> <a href="http://support.microsoft.com/oas/default.aspx?prid=15983"><u>System Center Configuration Manager Support</u></a><br /> <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview"><u>System Center Configuration Manager Technical Preview 5</u></a> (v1603)</p> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item> <title>Refresh of the 1604 Update to the Configuration Manager Cmdlet Library</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/09/refresh-of-the-1604-update-to-the-configuration-manager-cmdlet-library/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/09/refresh-of-the-1604-update-to-the-configuration-manager-cmdlet-library/#comments</comments> <pubDate>Thu, 09 Jun 2016 21:06:06 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[Powershell]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=19265</guid> <description><![CDATA[We wanted to let you know that we have refreshed the 1604 release of the Configuration Manager Cmdlet Library previously announced here. This updated version (5.0.8373.1189) replaces the previous version (5.0.8373.1182) and you may download it here. Additional fixes in this release include: Add/Set-CMGooglePlayDeploymentType and Add/SetCMIosDeploymentType not adding MAM details on Configuration Manager current branch v1511 <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/06/09/refresh-of-the-1604-update-to-the-configuration-manager-cmdlet-library/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>We wanted to let you know that we have refreshed the 1604 release of the Configuration Manager Cmdlet Library previously announced <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/05/17/the-1604-update-to-the-configuration-manager-cmdlet-library-is-now-available/">here</a>. This updated version (5.0.8373.1189) replaces the previous version (5.0.8373.1182) and you may download it <a href="https://www.microsoft.com/download/details.aspx?id=46681">here</a>.</p> <p>Additional fixes in this release include:</p> <ul> <li>Add/Set-CMGooglePlayDeploymentType and Add/SetCMIosDeploymentType not adding MAM details on Configuration Manager current branch v1511 and above</li> <li>Add/Set-CMMsiDeploymentType not having option to configure InstallationBehaviorType</li> <li>Add-CMCollectionToAdministrativeUser UserId parameter not recognized</li> <li>Get/New/Remove/Set-CMDeviceVariable not working with pipelined objects</li> <li>Move-CMObject and New/Set-CMSoftwareUpdateAutoDeploymentRule fixes</li> <li>New-CMWindowsServicingPlan unable to set AvailableTime or SuccessPercentage</li> <li>Remove-CMAutoDeploymentRuleDeployment missing Force parameter</li> <li>Remove-CMIntuneSubscription not working</li> <li>Set-CMConditionalAccessPolicy not recognizing Add/RemoveExcludedCollectionName/Id</li> <li>Set-CMIntuneSubscriptionAppleMdmProperty and Set-CMIntuneSubscriptionWindowsPhoneProperty NullReferenceException failures</li> </ul> <p>You will find information about the new cmdlets and other enhancements in the Cmdlet Library for the 1604 update in the Release notes <a href="https://www.microsoft.com/download/details.aspx?id=46681">here</a>. For additional information about the Cmdlet Library, please refer to the <a href="https://technet.microsoft.com/en-us/library/dn958404"><u><span style="color: #0066cc">Configuration Manager Cmdlet Library Documentation</span></u></a> and the <a href="https://technet.microsoft.com/en-us/library/jj821831.aspx"><u><span style="color: #0066cc">Configuration Manager Cmdlet Help Reference</span></u></a>.</p> <p>Please keep the feedback coming. You can provide product requests for the Cmdlet Library on the UserVoice site for Configuration Manager: <a href="https://configurationmanager.uservoice.com/"><u><span style="color: #0066cc">https://configurationmanager.uservoice.com/</span></u></a>. You may report issues on the Connect site for Configuration Manager: <a href="https://connect.microsoft.com/ConfigurationManagervnext"><u><span style="color: #0066cc">https://connect.microsoft.com/ConfigurationManagervnext</span></u></a>.</p> <p>-Yvette O&#8217;Meally</p> <p><strong><br /> Additional resources:</strong></p> <ul> <li><a href="https://technet.microsoft.com/library/mt622084.aspx"><u><span style="color: #0066cc">What’s New in System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt608540.aspx"><u><span style="color: #0066cc">Get Ready for System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt608544.aspx"><u><span style="color: #0066cc">Start Using System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt627853.aspx"><u><span style="color: #0066cc">Upgrade to System Center Configuration Manager</span></u></a></li> <li><a href="https://technet.microsoft.com/library/mt346023.aspx"><u><span style="color: #0066cc">Technical Documentation for System Center Configuration Manager</span></u></a></li> <li><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB"><u><span style="color: #0066cc">System Center Configuration Manager Forums</span></u></a></li> <li><a href="http://support.microsoft.com/oas/default.aspx?prid=15983"><u><span style="color: #0066cc">System Center Configuration Manager Support</span></u></a></li> </ul> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/06/09/refresh-of-the-1604-update-to-the-configuration-manager-cmdlet-library/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Important changes to Microsoft Active Protection Service (MAPS) endpoint</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/#comments</comments> <pubDate>Tue, 31 May 2016 16:00:12 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/configmgrteam/?p=9206</guid> <description><![CDATA[Background Windows Defender, System Center Endpoint Protection and our other realtime protection products can offer better user protection by enabling the Microsoft Active Protection Service (MAPS) service. In order to successfully connect, enterprise or advanced users with managed networks may need to allow specific domain names so that connectivity to MAPS functions properly. Who does <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<h4><strong>Background</strong></h4> <p>Windows Defender, System Center Endpoint Protection and our other realtime protection products can offer better user protection by enabling the Microsoft Active Protection Service (MAPS) service. In order to successfully connect, enterprise or advanced users with managed networks may need to allow specific domain names so that connectivity to MAPS functions properly.</p> <h4><strong>Who does this affect?</strong></h4> <p>Typically, these changes affect our enterprise customers and advanced users.</p> <h4><strong>Why are you blogging?</strong></h4> <p>We are slowly rolling out a service endpoint name change for the MAPS service over the next two months, with a complete switch planned by July 30 2016.</p> <p>The change is automatically configured by the product via normal definition updates, there is no need for the user or administrator to take any direct action in the product.</p> <p>The new endpoint URI domains begin with “<a href="https://wdcp.microsoft.com/">https://wdcp.microsoft.com</a>” and &#8220;<a href="https://wdcpalt.microsoft.com">https://wdcpalt.microsoft.com</a>&#8220;, so any filtering by domain name that omits these from an allow list will break connectivity to MAPS.</p> <p>Breaking connectivity to MAPS can result in loss of protection delivered by our real-time signature delivery service that uses this channel.</p> <h4><strong>Recommendation</strong></h4> <p>Allow <a href="https://wdcp.microsoft.com/*">https://wdcp.microsoft.com/*</a> and <a href="https://wdcpalt.microsoft.com/*">https://wdcpalt.microsoft.com/*</a> if there are any firewall or network filtering rules in place that would otherwise deny connectivity to MAPS.</p> <p>&#8211;Microsoft Malware Protection Center</p> <p><strong><br /> Additional resources:</strong></p> <ul> <li><a href="https://technet.microsoft.com/library/mt622084.aspx">What’s New in System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt608540.aspx">Get Ready for System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt608544.aspx">Start Using System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt627853.aspx">Upgrade to System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt346023.aspx">Technical Documentation for System Center Configuration Manager</a></li> <li><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB">System Center Configuration Manager Forums</a></li> <li><a href="http://support.microsoft.com/oas/default.aspx?prid=15983">System Center Configuration Manager Support</a></li> <li><a href="https://connect.microsoft.com/ConfigurationManagervnext">Report an issue</a></li> <li><a href="https://configurationmanager.uservoice.com/">Provide suggestions</a></li> </ul> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>1605 Update to the SCAP Extensions for Configuration Manager</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/19/1605-update-to-the-scap-extensions-for-configuration-manager/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/19/1605-update-to-the-scap-extensions-for-configuration-manager/#comments</comments> <pubDate>Thu, 19 May 2016 21:47:59 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <guid isPermaLink="false">https://blogs.technet.microsoft.com/configmgrteam/?p=9195</guid> <description><![CDATA[We have released an updated version of the SCAP Extensions 3.0 for System Center Configuration Manager which improves performance in large domains. You can download this update from the Microsoft Download Center here. We fixed the following issues: Some OVAL tests such as user_test, user_sid_test, user_sid_55_test, sid_test, group_test, access_token_test will take a long time to <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/05/19/1605-update-to-the-scap-extensions-for-configuration-manager/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>We have released an updated version of the SCAP Extensions 3.0 for System Center Configuration Manager which improves performance in large domains. You can download this update from the Microsoft Download Center <a href="https://www.microsoft.com/en-us/download/details.aspx?id=48741">here</a>.</p> <p>We fixed the following issues:</p> <ul> <li>Some OVAL tests such as user_test, user_sid_test, user_sid_55_test, sid_test, group_test, access_token_test will take a long time to complete in environments with large domains.</li> <li>During conversion of content containing a regex_capture function within a local_variable OVAL object, SCAPToDCM throws a null reference exception.</li> <li>The PowerShell script might throw an arithmetic exception in the access_token_test on a 64-bit operating system.</li> </ul> <p>We have also updated the supported platforms to include the current branch of System Center Configuration Manager.</p> <p>For more information about the SCAP Extensions for System Center Configuration Manager, please see the <a href="https://technet.microsoft.com/en-US/library/mt228311(TechNet.10).aspx">user guide</a> on TechNet.</p> <p>We welcome your feedback about the SCAP Extensions. You can provide product requests for the SCAP Extensions on the UserVoice site for Configuration Manager: <a href="https://configurationmanager.uservoice.com/">https://configurationmanager.uservoice.com/</a>. You may report issues on the Connect site for Configuration Manager: <a href="https://connect.microsoft.com/ConfigurationManagervnext">https://connect.microsoft.com/ConfigurationManagervnext</a>.</p> <p>–Yvette O’Meally</p> <p>&nbsp;</p> <p><strong>Additional resources:</strong></p> <ul> <li><a href="https://technet.microsoft.com/library/mt622084.aspx">What’s New in System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt608540.aspx">Get Ready for System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt608544.aspx">Start Using System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt627853.aspx">Upgrade to System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt346023.aspx">Technical Documentation for System Center Configuration Manager</a></li> <li><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB">System Center Configuration Manager Forums</a></li> <li><a href="http://support.microsoft.com/oas/default.aspx?prid=15983">System Center Configuration Manager Support</a></li> </ul> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/19/1605-update-to-the-scap-extensions-for-configuration-manager/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>The 1604 Update to the Configuration Manager Cmdlet Library is now available.</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/17/the-1604-update-to-the-configuration-manager-cmdlet-library-is-now-available/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/17/the-1604-update-to-the-configuration-manager-cmdlet-library-is-now-available/#comments</comments> <pubDate>Tue, 17 May 2016 20:17:00 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <category><![CDATA[Powershell]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/configmgrteam/?p=9185</guid> <description><![CDATA[The Configuration Manager Sustained Engineering team is pleased to release the 1604 update to the System Center Configuration Manager Cmdlet Library. It can be downloaded on the Microsoft Download Center here. In addition to fixes and enhancements to specific cmdlets, this update includes the following important changes. General Changes Detection and error reporting when passing an <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/05/17/the-1604-update-to-the-configuration-manager-cmdlet-library-is-now-available/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>The Configuration Manager Sustained Engineering team is pleased to release the 1604 update to the System Center Configuration Manager Cmdlet Library. It can be downloaded on the Microsoft Download Center <a href="https://www.microsoft.com/en-us/download/details.aspx?id=46681">here</a>. In addition to fixes and enhancements to specific cmdlets, this update includes the following important changes.</p> <h3>General Changes</h3> <ul> <li>Detection and error reporting when passing an IResultObject value into a string parameter</li> <li>Improved error reporting for permissions-related failures</li> <li>Support for “Fast” mode for some Get cmdlets</li> <li>Changes to the Update Check logic</li> </ul> <h3>New Cmdlets for:</h3> <ul> <li>multiple auto deployment rule deployments</li> <li>configuring a certificate registration point site role</li> <li>working with collections and collection members</li> <li>configuring conditional access policies for on-premises Exchange</li> <li>configuring a service connection point</li> <li>importing a wireless profile, e-mail profile creation, certificate profile creation, user client certificate private key import</li> <li>simplifying performing ad-hoc functions against the SMS Provider from the CMSite drive</li> <li>new cmdlets for creating task sequence media</li> <li>configuring a Windows servicing plan</li> </ul> <h3>New Hybrid management cmdlets for:</h3> <ul> <li>remote lock and PIN reset</li> <li>configuring an Intune subscription</li> <li>configuring device support for an Intune subscription</li> <li>configuring device management enrollment managers</li> <li>Apple device management key generation</li> </ul> <h3>Changes to specific cmdlets:</h3> <ul> <li>Improved performance for collection member cmdlets and Driver related cmdlets.</li> <li>Several cmdlets that worked with lockable objects (applications, software updates) were updated to ensure proper locking and reporting. This includes the following cmdlet families: CMApplication, CMSoftwareUpdate, CMBaseline, CMDriver, CMPackage, and CMTaskSequence</li> </ul> <h3>General issues fixed:</h3> <ul> <li>Site role cmdlets may not validate that a specified connection account user is valid and present in the site.</li> <li>Some Application and Certificate cmdlets may silently fail if no matching results are found (regression from Fall 2015 release).</li> </ul> <p><strong>Note:</strong> Some of these changes apply only to the current branch of System Center Configuration Manager.</p> <p>You will find more details in the release notes on the Microsoft Download Center <a href="https://www.microsoft.com/en-us/download/details.aspx?id=46681">here</a>.</p> <p>As a heads up we would like to let you know that starting with the next update, the Cmdlet Library will be released with the current branch of System Center Configuration Manager instead of as a standalone package. This will allow us to take advantage of the current branch shipping cadence and update channel, to keep you up to date with new cmdlets.</p> <p>For additional information about the Cmdlet Library, please refer to the <a href="https://technet.microsoft.com/en-us/library/dn958404">Configuration Manager Cmdlet Library Documentation</a> and the <a href="https://technet.microsoft.com/en-us/library/jj821831.aspx">Configuration Manager Cmdlet Help Reference</a>.</p> <p>Let us know what you think about this latest update to the Cmdlet Library. You can provide product feedback for the Cmdlet Library on the UserVoice site for Configuration Manager: <a href="https://configurationmanager.uservoice.com/">https://configurationmanager.uservoice.com/</a>. You may report issues on the Connect site for Configuration Manager: <a href="https://connect.microsoft.com/ConfigurationManagervnext">https://connect.microsoft.com/ConfigurationManagervnext</a>.</p> <p>–Yvette O’Meally</p> <p>&nbsp;</p> <p><strong>Additional resources:</strong></p> <ul> <li><a href="https://technet.microsoft.com/library/mt622084.aspx">What’s New in System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt608540.aspx">Get Ready for System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt608544.aspx">Start Using System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt627853.aspx">Upgrade to System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt346023.aspx">Technical Documentation for System Center Configuration Manager</a></li> <li><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB">System Center Configuration Manager Forums</a></li> <li><a href="http://support.microsoft.com/oas/default.aspx?prid=15983">System Center Configuration Manager Support</a></li> </ul> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/17/the-1604-update-to-the-configuration-manager-cmdlet-library-is-now-available/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Update 1605 for Configuration Manager Technical Preview – Available Now!</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/16/update-1605-for-configuration-manager-technical-preview-available-now/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/16/update-1605-for-configuration-manager-technical-preview-available-now/#comments</comments> <pubDate>Mon, 16 May 2016 15:00:04 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <guid isPermaLink="false">https://blogs.technet.microsoft.com/configmgrteam/?p=9165</guid> <description><![CDATA[We are happy to announce that Update 1605 for Configuration Manager Technical Preview is now available. New and updated features include: Windows Defender Advanced Threat Protection &#8211; You can now manage Windows Defender Advanced Threat Protection (ATP) policies for onboarding and off-boarding Windows 10 clients to the cloud service and view agent health in the <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/05/16/update-1605-for-configuration-manager-technical-preview-available-now/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>We are happy to announce that Update 1605 for Configuration Manager Technical Preview is now available. New and updated features include:</p> <ul> <li><strong>Windows Defender Advanced Threat Protection</strong> &#8211; You can now manage <a href="https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/">Windows Defender Advanced Threat Protection (ATP)</a> policies for onboarding and off-boarding Windows 10 clients to the cloud service and view agent health in the monitoring dashboard. Note: This requires a subscription to the Windows Defender ATP online service.</li> <li><strong>Enterprise data protection (EDP) policy settings</strong> – With this Technical Preview, you can create and deploy <a href="https://technet.microsoft.com/en-us/itpro/windows/whats-new/edp-whats-new-overview">EDP policies</a> for devices running Windows 10 Insider Preview and Windows 10 Mobile Preview builds. This includes specifying apps, defining network boundaries, choosing the restriction modes, and other EDP settings.</li> <li><strong>Windows Store for Business integration</strong> – The 1605 Technical Preview adds the ability to create both online and offline apps with the ability to deploy offline apps to Intune and ConfigrMgr managed devices. You can view video walkthroughs of how to <a href="http://go.microsoft.com/fwlink/?LinkID=786453">set up </a>and <a href="http://go.microsoft.com/fwlink/?LinkID=797591">create apps</a> for Windows Store for Business.</li> <li><strong>Server groups (previously known as “Cluster Patching”)</strong> &#8211; You can now control settings for software updates in server groups, including the order and percentage of devices that can be updated at any one time. These capabilities introduce some enhancements over our <a href="https://technet.microsoft.com/en-us/library/mt592024.aspx">pre-release “Servicing a cluster aware collection” feature</a>, including the ability to control the order and better monitoring.</li> <li><strong>Software Center experience</strong> &#8211; Software Updates and Operating Systems now have their own respective tabs in Software Center, rather than being accessible via the categories dropdown in the Applications tab.</li> <li><strong>Changes in the Client Data Sources dashboard</strong> &#8211; You will now find the Client Data Sources dashboard in a new location under “Distribution Status&#8221;. We added new tiles that show you the amount of clients, distribution points and PeerCache enabled clients. The tiles will show a warning icon if the client to PeerCache enabled clients ratio is less than 50%. We also added a new stacked bar graph that shows the top distributed content in your environment.<br /> <a href="https://msdnshared.blob.core.windows.net/media/2016/05/ClientDataSourcesDashboard.jpg"><img class=" size-mediumlarge wp-image-9175 alignnone" src="https://msdnshared.blob.core.windows.net/media/2016/05/ClientDataSourcesDashboard-500x278.jpg" alt="ClientDataSourcesDashboard" width="500" height="278" /></a></li> <li><strong>More progress based on your feedback in User Voice!</strong> This release includes improvements to the Install Software Updates task sequence step, including enhanced logging and a new task sequence variable to control the timeout on the software updates scan.</li> </ul> <p>This release also includes the following new features for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:</p> <ul> <li><strong>Pre-declare corporate-owned devices</strong> -You can now identify corporate-owned devices by importing their international station mobile equipment identity (IMEI) numbers. You can upload a comma-separated values (.csv) file containing device IMEI numbers or you can manually enter device information. You can also import serial numbers for iOS devices. Imported information will set ownership of the devices that enroll as “Corporate”. An Intune license is still required for each user that accesses the service. View a <a href="http://go.microsoft.com/fwlink/?LinkID=797593">video walkthrough</a> of this feature.</li> <li><strong>Remote device actions experience update</strong> &#8211; The admin experience for wiping, resetting the passcode, remote locking, and bypassing iOS Activation Lock on mobile devices has been adjusted. The states of these actions are now part of the devices&#8217; details and properties.</li> <li><strong>Remote full wipe for Windows 10 desktop devices</strong> &#8211; Support for remotely wiping and resetting Windows 10 desktop devices to factory settings.</li> <li><strong>Auto-connect app list in Windows 10 VPN profiles</strong> &#8211; Admins can specify desktop and universal applications in Windows 10 VPN profiles that automatically establish a connection with the VPN when launched on the client. Admins can decide whether or not to limit VPN traffic to the apps in the list.</li> </ul> <p>Please let us know what you think about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use <a href="https://connect.microsoft.com/ConfigurationManagervnext/Feedback">Connect</a>. If there’s a new feature or enhancement you want us to consider including in future updates, please use the <a href="http://configurationmanager.uservoice.com/">Configuration Manager UserVoice site</a>.</p> <p>Thanks,</p> <p>The System Center Configuration Manager team</p> <p><strong>Configuration Manager Resources:</strong></p> <p><a href="https://technet.microsoft.com/en-US/library/mt595861(TechNet.10).aspx"><span style="color: #0563c1">Documentation for System Center Configuration Manager Technical Previews<br /> </span> </a><a href="https://technet.microsoft.com/en-us/library/mt346023.aspx"><span style="color: #0563c1">Documentation for System Center Configuration Manager<br /> </span> </a><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB"><span style="color: #0563c1">System Center Configuration Manager Forums<br /> </span> </a><a href="http://support.microsoft.com/oas/default.aspx?prid=15983"><span style="color: #0563c1">System Center Configuration Manager Support</span></a></p> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/05/16/update-1605-for-configuration-manager-technical-preview-available-now/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item> <title>Release Announcement &#8211; Vulnerability Assessment Configuration Pack</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/04/28/release-announcement-vulnerability-assessment-configuration-pack/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/04/28/release-announcement-vulnerability-assessment-configuration-pack/#comments</comments> <pubDate>Thu, 28 Apr 2016 18:30:28 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <category><![CDATA[Security]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/configmgrteam/?p=9135</guid> <description><![CDATA[Author: Raghu Kethineni, Senior Program Manager, Enterprise Client and Mobility Today we are announcing the release of a new Vulnerability Assessment Configuration Pack for System Center Configuration Manager. You can download it here. Configuration Manager Vulnerability Assessment allows you to scan managed systems for common missing security updates and misconfigurations which might make client computers more vulnerable <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/04/28/release-announcement-vulnerability-assessment-configuration-pack/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p><strong>Author:</strong> Raghu Kethineni, Senior Program Manager, Enterprise Client and Mobility</p> <p>Today we are announcing the release of a new Vulnerability Assessment Configuration Pack for System Center Configuration Manager. You can download it <a href="https://www.microsoft.com/en-us/download/details.aspx?id=51948">here</a>. Configuration Manager Vulnerability Assessment allows you to scan managed systems for common missing security updates and misconfigurations which might make client computers more vulnerable to attack.</p> <p>Software installation errors and misconfigurations compromise security and stability, resulting in escalated support costs. System Center Configuration Manager Vulnerability Assessment Configuration Pack can help prevent errors and security risks, increase your organizational uptime and help you to build a more secure infrastructure. This configuration pack provides vulnerability assessment reporting for common missing security updates and misconfigurations by using the configuration baselines in Configuration Manager. You can use it to monitor the configuration of Microsoft Windows operating systems, Internet Explorer, Microsoft Office, SQL Server, and Internet Information Services (IIS).</p> <h2>What’s New</h2> <p>This release includes:</p> <ul> <li>The capability to scan for potential security issues that may exist because of misconfigurations on the following Microsoft Product versions <ul> <li>Windows 2008 and later versions</li> <li>Windows Server 2008 and later versions</li> <li>Internet Information Server 7.x and 8.x versions</li> <li>Microsoft Office 2010 or later versions</li> <li>Internet Explorer 9, 10 and 11 versions for <a href="https://support.microsoft.com/en-us/lifecycle">supported operating systems</a>.</li> <li>PowerShell 3.0, 4.0 and 5.0 versions</li> </ul> </li> <li>New Vulnerability Assessment Overall Report will display <ul> <li>List of Security, Administrative and Compliance Vulnerabilities for a specific computer.</li> <li>List of Windows Updates Vulnerabilities (if there are any)</li> <li>List of Windows Server Vulnerabilities (if there are any)</li> <li>List of IIS Vulnerabilities (if there are any)</li> <li>List of SQL Vulnerabilities (if there are any)</li> </ul> </li> </ul> <h2>To use this Configuration Pack</h2> <ul> <li>First import the three configuration baselines (Vulnerability Assessment: IIS Baseline, Vulnerability Assessment: SQL Server Baseline, Vulnerability Assessment: Windows Baseline). To understand in detail what each configuration item will be evaluating, review the properties of the configuration item.</li> <li>Next target the baselines to a collection containing the computers you want to monitor. Policies will be evaluated and reported back to the site server. Note: you may need to wait for 24-48 hours depending on your inventory cycles.</li> <li>The run the report and review the compliance results.</li> </ul> <h2>Prerequisites</h2> <p>The following are prerequisites for Vulnerability Assessment Configuration Pack:</p> <ul> <li>The site server must be running one of the following: <ul> <li>System Center 2012 R2 Configuration Manager SP1 CU3 with Hotfix <a href="https://support.microsoft.com/en-us/kb/3153628">KB3153628</a> (A new Vulnerability Assessment Overall Report is available for System Center 2012 Configuration Manager)</li> <li>System Center 2012 Configuration Manager SP2 CU3 with Hotfix <a href="https://support.microsoft.com/en-us/kb/3153628">KB3153628</a></li> <li>System Center Configuration Manager current branch &#8211; <strong>Note:</strong> The Configuration Pack can be imported to System Center Configuration Manager but the reports are not included. Reports will be released along with the next released update version of the current branch of System Center Configuration Manager.</li> </ul> </li> </ul> <ul> <li>The Configuration Manager clients require: <ul> <li>PowerShell 3.0 or later</li> <li>The IIS feature: &#8220;IIS Management Scripts and Tools&#8221; installed</li> <li>.NET Framework 4.5.2 or later</li> </ul> </li> </ul> <h2>Download</h2> <p>To download the latest release of the Vulnerability Assessment Configuration Pack, visit <a href="https://www.microsoft.com/en-us/download/details.aspx?id=51948">https://www.microsoft.com/en-us/download/details.aspx?id=51948</a>. We appreciate your feedback for this Configuration Pack! If you have a feature request, please share your ideas with us on the <a href="http://configurationmanager.uservoice.com/">Configuration Manager UserVoice site</a>. You can report issues with the Vulnerability Assessment Configuration Pack on the Connect site for Configuration Manager here: <a href="https://connect.microsoft.com/ConfigurationManagervnext">https://connect.microsoft.com/ConfigurationManagervnext</a>.</p> <p>-Raghu Kethineni</p> <p><strong>Additional resources:</strong></p> <ul> <li><a href="https://technet.microsoft.com/library/mt622084.aspx">What’s New in System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt608540.aspx">Get Ready for System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt608544.aspx">Start Using System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt627853.aspx">Upgrade to System Center Configuration Manager</a></li> <li><a href="https://technet.microsoft.com/library/mt346023.aspx">Technical Documentation for System Center Configuration Manager</a></li> <li><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB">System Center Configuration Manager Forums</a></li> <li><a href="http://support.microsoft.com/oas/default.aspx?prid=15983">System Center Configuration Manager Support</a></li> <li><a href="https://connect.microsoft.com/ConfigurationManagervnext">Report an issue</a></li> <li><a href="https://configurationmanager.uservoice.com/">Provide suggestions</a></li> </ul> ]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/04/28/release-announcement-vulnerability-assessment-configuration-pack/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> </channel> </rss>