Many reasons to look at ConfigMgr 1511

At this moment Microsoft has just released System Center Configuration Manager (version 1511). This build was released to MSDN subscribers last week and is now generally available and publicly announced by Microsoft. During this blog post I will refer to this release as ConfigMgr 1511.

In this blog post I will give my five main reasons to start looking at ConfigMgr 1511 as soon as possible. This will be followed by a list of great improvements that could also be good reasons to start looking. Before I start with all those reasons it might be worth mentioning that it’s possible to do an in-place upgrade of ConfigMgr 2012 to ConfigMgr 1511. This process will feel similar to a service pack upgrade.

Main reasons

Let’s start with my main reasons to start looking at ConfigMgr 1511 as soon as possible. Of course everybody can have their own main reasons, but I really do think that the following five reasons can be very beneficial to every company.

Reason 1: Full support of Windows 10

My first reason, probably the main driver for many companies to upgrade or migrate to ConfigMgr 1511, is the Windows 10 servicing support. A great blog post about the Windows 10 support in the different versions of ConfigMgr can be found here. A brief summary: ConfigMgr 2012 supports servicing Windows 10 LTSB 2015 and Windows 10 CB(B) through February 2016. Everything else, including support for newly introduced features in Windows 10, requires ConfigMgr 1511 or later.

Besides the servicing support, the upgrade paths are also a lot easier via ConfigMgr 1511. This version also supports deploying the upgrades via the software update management flow, and it even introduces something new for that, named Servicing Plans, while ConfigMgr 2012 can only do an in-place upgrade or, of course, a fresh installation.

Reason 2: Updates and servicing

My second reason is the updates and servicing model of ConfigMgr 1511. It even introduces a new role for that, named Service connection point. This role creates a persistent connection with the Configuration Manager cloud services and proactively notifies about updates. When a new update is released, which can now happen a lot faster, it will be made available through this channel. This will be the road to keep as close as possible to the releases of Microsoft Intune and Windows 10.

Also good to know is that this Service connection point role does more than just that. It also functions as what was previously known as the Microsoft Intune connector role. Another important function is to upload usage data. For more information about this role, please refer to this article.

Reason 3: Latest mobile device management features

My third reason is the availability of the latest mobile device management features in ConfigMgr 1511. That includes many new settings that are available as a Configuration Item, but also some completely new features like Terms and Conditions, Device Enrollment Manager and Multi-Factor Authentication. These last options have been available in Microsoft Intune for a while and now finally came to ConfigMgr.

As I mentioned before, the Service connection point will allow the environment to stay on par with Microsoft Intune, where possible.

Reason 4: New software center

My fourth reason is the new Software Center in ConfigMgr 1511. This new Software Center is great for two big reasons: 1) it does not require Silverlight anymore and 2) it includes available user-targeted applications. Yes, really, it includes available user-targeted applications!

Good to know is that it still requires the Application Catalog web service point and the Application Catalog website point and, at this moment, it has to be enabled via the Client Settings.

Reason 5: On-premises mobile device management

My fifth reason is the introduction of on-premises mobile device management in ConfigMgr 1511. This allows the enrollment of on-premises Windows 10 devices as mobile devices. At this moment only Windows 10 is supported and it’s not yet possible to publish this service externally. In my opinion this is bigger than we might think, as it could be the very first step to agentless management. It simply uses the built-in OMA-DM agent capabilities. The more management capabilities that agent has, the more ConfigMgr can do without its own agent.

An important configuration checkbox can be found in the Microsoft Intune Subscription configuration. That checkbox makes sure that no device information is sent to the cloud. Keep in mind that the complete configuration also requires certificates, the Enrollment point and the Enrollment proxy point.

Good reasons

That was a great list of reasons to migrate or upgrade to ConfigMgr 1511 as soon as possible. Now let’s continue with a list, in no particular order, of great improvements that could also be very good reasons to start thinking about ConfigMgr 1511.

  • Support for 175,000 clients per primary site – ConfigMgr 1511 introduces support for up to 175,000 clients in a primary site;
  • Multiple deployments for an Automatic Deployment Rule – ConfigMgr 1511 introduces the ability to add multiple deployments for each Automatic Deployment Rule;
  • Phased client upgrade process – ConfigMgr 1511 introduces client piloting to easily deploy and test updates to the Windows client using a pre-production collection, while leaving the current client version in use by the remainder of the hierarchy;
  • Software update management for Office 365 updates – ConfigMgr 1511 introduces the ability to manage Office 365 desktop client updates using the software update management workflow;
  • WinPE Peer Cache – ConfigMgr 1511 introduces the ability for computers that run a task sequence to deploy a new operating system to obtain content from a local peer instead of downloading it from a distribution point;
  • Bulk enrollment for Windows 10 devices – ConfigMgr 1511 introduces bulk enrollment to enable administrators to easily enroll devices for on-premises, or cloud, management without requiring end-users to work through the device enrollment process;
  • Integration with Windows Update for Business – ConfigMgr 1511 introduces the ability to differentiate a Windows 10 computer that is directly connected via Windows Update for Business (WUfB) from the ones connected to WSUS for getting Windows 10 updates and upgrades.

It could very well be that I forgot a few new additions to the product, little improvements like the ability to add the Download Package Content step to a task sequence, or the option to enable Run WSUS cleanup wizard. I tried to be as complete as possible. For the official list of new features, please refer to this article.

Removed and deprecated features

As with many new releases, it’s also often a moment to remove specific features and to stop supporting specific versions of operating systems and SQL. This article lists the removed and deprecated features for ConfigMgr. Make sure to check this list before planning the upgrade or migration to ConfigMgr 1511. A key item in that article is the removal of the Out of Band Management feature.

Manage Windows Defender in Windows 10 via OMA-DM

A couple of weeks ago I did a blog post about the different management options for Windows 8.1. In that specific post I already mentioned OMA-DM as a very valid method to manage Windows 8.1 and Windows 10 devices. As a reminder, OMA Device Management (OMA-DM) is an open management standard designed for mobile devices. The nice thing is that OMA-DM is also fully utilized in Windows 10, even in the desktop version. That means that OMA-DM can be used to fully manage specific parts of a Windows 10 device.

In this post I’ll show how OMA-DM can be used to fully manage Windows Defender in Windows 10. For Windows 10 it’s possible to manage all the settings available for Windows Defender. This includes everything, from managing exclusions to blocking access to the user interface. Managing Windows Defender can be very useful for Windows 10 devices connecting to work resources. Also, this level of management can be useful for both personal and company-owned devices.

Disclaimer: This blog post is based on a technical preview build of Windows 10 (build 10122). The configurations described in this post might change in future releases. I’ll update this post, if needed, with the next release.

Configuration

Now let’s have a look at the configuration. Actually it doesn’t differ a lot from the configuration required for managing settings on Windows Phone 8.1, but I’ll go through the required configuration anyway, for both Microsoft Intune standalone and Microsoft Intune hybrid.

Microsoft Intune standalone

The first configuration steps are for Microsoft Intune standalone. I’ll go through the high-level steps for creating the required policy and the required deployment. It shows the creation of a single OMA-URI setting, which can be used to (not) allow real-time monitoring. The other OMA-URI settings are created in the same way, by repeating step 2. A complete list of available settings can be found later in this post.

Step 1: Create a new Windows Custom Policy (Windows 10 and Windows 10 Mobile). Simply provide a valid name for the new configuration policy and it’s ready for adding OMA-URI settings.

Step 2: Add the OMA-URI settings. This can be done by clicking the Add button and simply providing the required information. In this example I’ll create an OMA-URI setting for allowing real-time monitoring.
  Setting name: Allow Realtime Monitoring
  Setting description: Allows or disallows Defender’s Realtime Monitoring functionality.
  Data type: Integer
  OMA-URI (case sensitive): ./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
  Value: 1

Step 3: Create a deployment for the configuration policy. The nice thing is that this is simply the last step after providing the right configuration. Simply click the Save Policy button, click Yes and select a group.

Microsoft Intune hybrid

The last configuration steps are for Microsoft Intune hybrid. I’ll go through the high-level steps for creating the required configuration items, the required configuration baseline and the required deployment. It shows the creation of a single configuration item, used for a single OMA-URI setting, which can be used to (not) allow real-time monitoring. The other configuration items are created in the same way, by repeating steps 1 and 2. A complete list of available settings can be found later in this post.

Step 1: Create a Configuration Item that contains the OMA-URI setting. Personally, I prefer to use a configuration item per setting. In this example I’ll create an OMA-URI setting for allowing real-time monitoring.
  Name: Allow Realtime Monitoring
  Description: Allows or disallows Defender’s Realtime Monitoring functionality.
  Setting type: OMA URI
  Data type: Integer
  OMA-URI (case sensitive): ./Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring

Step 2: Add a Compliance Rule for the OMA-URI setting. In this example I’ll also create a compliance rule for allowing real-time monitoring.
  Name: Rule for Allow Realtime Monitoring
  Description: The following list shows the supported values:
    • 0 – Not allowed;
    • 1 (default) – Allowed.
  This setting must comply with the following rule: Allow Realtime Monitoring Equals 1
  Select Remediate noncompliant rules when supported.

Step 3: Create a Configuration Baseline for the created configuration items. Simply provide a valid name and use Add > Configuration Item to add the created configuration items.

Step 4: Create a deployment for the configuration baseline. Make sure that the deployment has Remediate noncompliant rules when supported and Allow remediation outside maintenance window selected. Also, don’t forget to add a compliance evaluation schedule, but only use every 1 hour for testing purposes.

Result

There is nothing better than looking at the results, especially with something relatively new. Below are two screenshots of the settings of Windows Defender. The first screenshot is before applying the OMA-URI settings and the second screenshot is after applying the configured OMA-URI settings. It shows that none of the configured settings can be changed anymore (besides the configuration of the exclusions). The best thing is that once the Windows 10 device is un-enrolled, the before-state applies again.

[Screenshots: Windows Defender settings before (left) and after (right) applying the OMA-URI settings]

Windows Defender Settings

There are more than 30(!) settings available that can be configured via OMA-URI and are specifically targeted at Windows Defender. All of these settings are configurable via the path ./Vendor/MSFT/Policy/Config/Defender/<PolicyName>. The following table shows the available policies, including the supported and valid values. Many of these values are also available in the documentation, but I’ve noticed that many of the Allowed/Not allowed values are switched there.

PolicyName Values
AllowCloudProtection
To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AVGCPULoadFactor
Represents the average CPU load factor for the scan (in percent).
Valid values (Integer): 0–100.
DaysToRetainCleanedMalware
Time period (in days) that quarantine items will be stored on the system.
Valid values (Integer): 0–90.
AllowArchiveScanning
Allows or disallows scanning of archives.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowBehaviorMonitoring
Allows or disallows Defender’s Behavior Monitoring functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowEmailScanning
Allows or disallows scanning of email.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowFullScanOnMappedNetworkDrives
Allows or disallows a full scan of mapped network drives.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowFullScanRemovableDriveScanning
Allows or disallows a full scan of removable drives.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowIntrusionPreventionSystem
Allows or disallows Defender’s Intrusion Prevention functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowIOAVProtection
Allows or disallows Defender’s IOAVP Protection functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowOnAccessProtection
Allows or disallows Defender’s On Access Protection functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowRealtimeMonitoring
Allows or disallows Defender’s Realtime Monitoring functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowScanningNetworkFiles
Allows or disallows scanning of network files.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowScriptScanning
Allows or disallows Defender’s Script Scanning functionality.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
AllowUserUIAccess
Allows or disallows user access to the Defender UI. If disallowed, all Defender notifications will also be suppressed.
Supported values (Integer):

  • 0 – Not allowed;
  • 1 (default) – Allowed.
ExcludedExtensions
Allows an administrator to specify a list of file type extensions to ignore during a scan.
Each file type in the list must be separated by | (String). For example, zip|exe.
ExcludedPaths
Allows an administrator to specify a list of directory paths to ignore during a scan.
Each path in the list must be separated by | (String). For example, C:\Data|C:\Temp.
ExcludedProcesses
Allows an administrator to specify a list of processes whose opened files are ignored during a scan.
Each process path in the list must be separated by | (String). For example, C:\Program Files\7-Zip\7zG.exe|C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe.
RealTimeScanDirection
Controls which sets of files should be monitored.
Supported values (Integer):

  • 0 (default) – Monitor all files (bi-directional);
  • 1 – Monitor incoming files;
  • 2 – Monitor outgoing files.
ScanParameter
Selects whether to perform a quick scan or full scan.
Supported values (Integer):

  • 1 (default) – Quick scan;
  • 2 – Full scan.
ScheduleQuickScanTime
Selects the time of day (in minutes) that the Defender quick scan should run.
Valid values (Integer): 0–1380
ScheduleScanDay
Selects the day that the Defender scan should run.
Supported values (Integer):

  • 0 (default) – Every day;
  • 1 – Monday;
  • 2 – Tuesday;
  • 3 – Wednesday;
  • 4 – Thursday;
  • 5 – Friday;
  • 6 – Saturday;
  • 7 – Sunday;
  • 8 – No scheduled scan.
ScheduleScanTime
Selects the time of day (in minutes) that the Defender scan should run.
Valid values: 0–1380 (Integer).
SignatureUpdateInterval
Specifies the interval (in hours) that will be used to check for signatures.
Valid values: 0–24 (Integer).
SubmitSamplesConsent
Checks for the user consent level in Defender to send data. If the required consent has already been granted, Defender submits them.
Supported values (Integer):

  • 0 – Always prompt;
  • 1 (default) – Send safe samples automatically;
  • 2 – Never send;
  • 3 – Send all samples automatically.
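To make the table above something you can check a baseline against, here is an added example script (my own, not part of the original post and not Microsoft code). It encodes the policy names and value ranges exactly as listed above, validates a proposed set of values, flags any Allow* protection that a baseline switches off, and renders the set as an OMA-DM SyncML body with one Replace per OMA-URI. The SyncML layout (LocURI, Meta/Format of int or chr, Data) is assumed from the Policy CSP documentation; the post itself never shows the wire format. The baseline at the bottom is constructed sample input.

```python
import xml.etree.ElementTree as ET

BASE_URI = "./Vendor/MSFT/Policy/Config/Defender/"

# Catalogue of the Defender policies listed on this page: name -> (kind, allowed).
# "enum": allowed is the set of supported ints; "range": (low, high) inclusive;
# "list": a non-empty '|'-separated string.
DEFENDER_POLICIES = {
    "AllowCloudProtection": ("enum", {0, 1}),
    "AVGCPULoadFactor": ("range", (0, 100)),
    "DaysToRetainCleanedMalware": ("range", (0, 90)),
    "AllowArchiveScanning": ("enum", {0, 1}),
    "AllowBehaviorMonitoring": ("enum", {0, 1}),
    "AllowEmailScanning": ("enum", {0, 1}),
    "AllowFullScanOnMappedNetworkDrives": ("enum", {0, 1}),
    "AllowFullScanRemovableDriveScanning": ("enum", {0, 1}),
    "AllowIntrusionPreventionSystem": ("enum", {0, 1}),
    "AllowIOAVProtection": ("enum", {0, 1}),
    "AllowOnAccessProtection": ("enum", {0, 1}),
    "AllowRealtimeMonitoring": ("enum", {0, 1}),
    "AllowScanningNetworkFiles": ("enum", {0, 1}),
    "AllowScriptScanning": ("enum", {0, 1}),
    "AllowUserUIAccess": ("enum", {0, 1}),
    "ExcludedExtensions": ("list", None),
    "ExcludedPaths": ("list", None),
    "ExcludedProcesses": ("list", None),
    "RealTimeScanDirection": ("enum", {0, 1, 2}),
    "ScanParameter": ("enum", {1, 2}),
    "ScheduleQuickScanTime": ("range", (0, 1380)),
    "ScheduleScanDay": ("enum", set(range(9))),
    "ScheduleScanTime": ("range", (0, 1380)),
    "SignatureUpdateInterval": ("range", (0, 24)),
    "SubmitSamplesConsent": ("enum", {0, 1, 2, 3}),
}

# Allow* switches where 0 turns a protection off. AllowUserUIAccess is left out:
# setting it to 0 locks the UI, which hardens rather than weakens the device.
PROTECTION_SWITCHES = {
    name for name, (kind, _) in DEFENDER_POLICIES.items()
    if kind == "enum" and name.startswith("Allow") and name != "AllowUserUIAccess"
}


def validate(policy):
    """Return a list of problems for a {PolicyName: value} dict (empty if clean)."""
    problems = []
    for name, value in policy.items():
        if name not in DEFENDER_POLICIES:
            problems.append(f"{name}: unknown Defender policy")
            continue
        kind, allowed = DEFENDER_POLICIES[name]
        if kind == "list":
            if not isinstance(value, str) or not value or "" in value.split("|"):
                problems.append(f"{name}: expected a non-empty '|'-separated string")
        elif isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{name}: expected an integer, got {value!r}")
        elif kind == "enum" and value not in allowed:
            problems.append(f"{name}: {value} not in {sorted(allowed)}")
        elif kind == "range" and not allowed[0] <= value <= allowed[1]:
            problems.append(f"{name}: {value} outside {allowed[0]}-{allowed[1]}")
    return problems


def weakened_protections(policy):
    """Names of protections that the policy explicitly switches off (value 0)."""
    return sorted(name for name in PROTECTION_SWITCHES if policy.get(name) == 0)


def to_syncml(policy):
    """Render the policy as an OMA-DM SyncML body with one <Replace> per setting.

    Assumed layout (LocURI, Meta/Format int or chr, Data), not taken from the post.
    """
    problems = validate(policy)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element("SyncML", xmlns="SYNCML:SYNCML1.2")
    body = ET.SubElement(root, "SyncBody")
    for cmd_id, (name, value) in enumerate(sorted(policy.items()), start=1):
        replace = ET.SubElement(body, "Replace")
        ET.SubElement(replace, "CmdID").text = str(cmd_id)
        item = ET.SubElement(replace, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = BASE_URI + name
        fmt = "chr" if DEFENDER_POLICIES[name][0] == "list" else "int"
        ET.SubElement(ET.SubElement(item, "Meta"), "Format", xmlns="syncml:metinf").text = fmt
        ET.SubElement(item, "Data").text = str(value)
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


def parse_syncml(doc):
    """Inverse of to_syncml: recover {PolicyName: value} from a SyncML body,
    which is handy for auditing what a management server actually pushed."""
    ns = {"s": "SYNCML:SYNCML1.2"}
    policy = {}
    for item in ET.fromstring(doc).findall(".//s:Replace/s:Item", ns):
        uri = item.find("s:Target/s:LocURI", ns).text
        if not uri.startswith(BASE_URI):
            continue  # not a Defender policy node
        name = uri[len(BASE_URI):]
        data = item.find("s:Data", ns).text
        is_list = DEFENDER_POLICIES.get(name, ("list", None))[0] == "list"
        policy[name] = data if is_list else int(data)
    return policy


if __name__ == "__main__":
    # Constructed sample baseline: real-time protection on, UI locked, two exclusions.
    baseline = {"AllowRealtimeMonitoring": 1, "AllowUserUIAccess": 0,
                "ExcludedPaths": "C:\\Data|C:\\Temp", "ScanParameter": 2}
    print(weakened_protections(baseline), validate(baseline))
    print(to_syncml(baseline))
```

Running validate before deploying catches the two mistakes that are easy to make in the Intune or ConfigMgr console: a value outside the documented range (which the client silently rejects) and an Allow* switch set to 0 when 1 was intended, the exact confusion the switched Allowed/Not allowed values in the documentation invite. parse_syncml goes the other way, so a captured policy body can be compared against the intended baseline.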

More information

For more information about all the possible configuration policies in Windows 10, see the Policy Configuration Service Provider documentation: https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962%28v=vs.85%29.aspx

Windows 10 device enrollment

Updated May 21, 2015: Yesterday Microsoft released a new technical preview build of Windows 10 (build 10122). Within this build the look-and-feel of the enrollment process changed. I’ve updated the enrollment process to reflect these changes.

After the release of Windows 10 Technical Preview 2 (build 9926) I knew my next blog post would include Windows 10. So far I’m really liking the new start menu, the search, the notifications, the settings and I could go on like that for a while. Blogging about these subjects wouldn’t add something new as it has already been done by many over the last week. Even the deployments of Windows 10 via MDT and/or ConfigMgr are already done and covered in blogs. That’s why I looked further, to something that I already tweeted about: enrolling a Windows 10 device in Microsoft Intune (with or without ConfigMgr integration).

Disclaimer: This blog post is based on a technical preview build of Windows 10 (build 10122). The configurations described in this post might change in future releases. I’ll update this post with the next release.

How to enroll a Windows 10 device

A new operating system often means that everything is in a slightly different place. The thing that stayed the same is that the feature is still named Workplace. In Windows 8.1 this feature was located under Network and that’s something that really changed in (the early releases of) Windows 10. Now let’s go through the steps to enroll a Windows 10 device.

Step 1: After logging on to a Windows 10 device, navigate to Settings > Accounts > Work access.

Step 2: The Connect to work or school feature provides information about the benefits and restrictions of enrolling your device. Click Connect.

Step 3: The Connect to work or school dialog box will show, asking for your account to enroll the device. Provide your account and click Continue.

Step 4: As I’ve got AD FS configured with single sign-on, I’m redirected to my on-premises AD FS to provide my credentials. Provide your credentials and click Sign in.

Step 5: The Well done! dialog box will show, stating that your workplace is connected. Click Done.

Step 6: Back in the Connect to work or school feature, it now provides information about the user that enrolled the device. Click on the user information.

Step 7: The Connect to work or school feature will now display some additional options to Sync the device, to get Info about the device and to Remove the device. Clicking on Sync will trigger a synchronization with Microsoft Intune/ConfigMgr and clicking Remove will trigger the removal of the device. Click Info.

Step 8: The Work or school info feature will provide the basic enrollment information about your device.

Step 9: In this example I enrolled my device into ConfigMgr, but I could have done the same steps with Microsoft Intune standalone.

Now I can look in ConfigMgr at the device details. I can see that it recognizes the operating system as Windows 10 and that the device is enrolled as a mobile device.