What's new in version 2107 of Configuration Manager current branch

Applies to: Configuration Manager (current branch)

Update 2107 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 2002 or later. This article summarizes the changes and new features in Configuration Manager, version 2107.


To better align with other releases within Microsoft Endpoint Manager, starting this year the current branch version names will be 2103, 2107, and 2111. They will still release every four months, and release at the same time of the year.

Always review the latest checklist for installing this update. For more information, see Checklist for installing update 2107. After you update a site, also review the Post-update checklist.

To take full advantage of new Configuration Manager features, after you update the site, also update clients to the latest version. While new functionality appears in the Configuration Manager console when you update the site and console, the complete scenario isn't functional until the client version is also the latest.

Cloud-attached management

Cloud attach your environment during site update

The Microsoft Intune family of products is an integrated solution for managing all of your devices. Cloud attach brings together Configuration Manager and Intune into a single console called Microsoft Intune admin center. Starting with this release, sites that aren't already onboarded to Microsoft Intune will be prompted to optionally cloud attach as part of the upgrade wizard. Environments are considered cloud attached if at least one of the following features is already enabled:

For more information, see Install in-console updates.

Convert a CMG to virtual machine scale set

Starting in current branch version 2010, you could deploy the cloud management gateway (CMG) with a virtual machine scale set in Azure. This support was primarily to unblock customers with a Cloud Solution Provider (CSP) subscription.

In this release, any customer with a CMG that uses the classic cloud service deployment can convert to a virtual machine scale set. Microsoft recommends that new CMG deployments use a virtual machine scale set.

For more information, see Plan for CMG: virtual machine scale set and Modify a CMG: Convert.

Select VM size for CMG

When you deploy a CMG with a virtual machine scale set, you can now choose the virtual machine (VM) size. The following three options are available:

  • Lab (B2s)
  • Standard (A2_v2). This size continues to be the default setting.
  • Large (A4_v2)

This control gives you greater flexibility with your CMG deployment. You can adjust the size for test labs or if you support large environments. For example, the smaller Lab size is ideal for testing with a smaller number of clients at less cost. For production deployments, either use the default Standard size or add more capacity with the Large size.

For more information, see Cost of CMG: Virtual machine scale set.

Tenant attach: BitLocker recovery keys

Get BitLocker recovery keys for a tenant-attached device from the Microsoft Intune admin center. For example, a help desk technician who doesn't have access to Configuration Manager could use the web-based admin center to help an end user get a recovery key for their device.

For more information, see Tenant attach: BitLocker recovery keys.

Tenant attach support for US Government cloud

United States Government customers can now use the following Microsoft Intune tenant attach features in the US Government cloud:

  • Account onboarding
  • Tenant sync to Intune
  • Device sync to Intune
  • Device actions in the Microsoft Intune admin center

For more information, see Microsoft Intune tenant attach: Prerequisites.

Renamed Co-management node to Cloud Attach

To better reflect the other cloud services that Configuration Manager offers, the Co-management node has been renamed to the Cloud Attach node. Other changes you may notice: the ribbon button was renamed from Configure Co-management to Configure Cloud Attach, and the Co-management Configuration Wizard was renamed to Cloud Attach Configuration Wizard.

For more information, see Co-management, Tenant attach, and Endpoint analytics.

Desktop Analytics

Support for the Windows diagnostic data processor configuration

Desktop Analytics now supports the new Windows diagnostic data processor configuration. This configuration provides you greater control of your Windows diagnostic data. Microsoft acts as a data processor, processing Windows diagnostic data for the controller.

For more information, see What's new in Desktop Analytics.

Site infrastructure

Support for Windows Server 2022 and the ADK for Windows 11

Configuration Manager now supports Windows Server 2022 as site systems and clients. For more information, see the following articles:

It also supports the Windows ADK for Windows 11 and Server 2022. For more information, see Support for Windows ADK.


Configuration Manager supports Windows Insider builds, which is a great way to test the latest version of Windows 11 with Configuration Manager version 2107.

Microsoft .NET requirements

Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site servers, specific site systems, clients, and the console. Before you run setup to install or update the site, first update .NET and restart the system. If possible in your environment, install the latest version of .NET version 4.8.

There's also a new management insight to recommend site systems that don't yet have .NET version 4.8 or later.
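The requirement above can be checked on a server or client before you run setup. The following PowerShell is an added example, not part of the original article or of Configuration Manager's own prerequisite checker. It reads the Release value that .NET Framework 4.5 and later record in the registry and classifies it against the 4.6.2 minimum and the recommended 4.8. The function names are hypothetical, and the sample values at the end are constructed.

```powershell
# Added example (not Microsoft's prerequisite checker).
# .NET Framework 4.5+ records its version as a DWORD named "Release" under this key.
$NdpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

# Documented minimum Release values for each version.
$MinRequired    = 394802   # .NET Framework 4.6.2 (required by version 2107)
$MinRecommended = 528040   # .NET Framework 4.8   (recommended)

function ConvertTo-NetFrameworkStatus {
    # Hypothetical helper: maps a Release value to a readiness status.
    param([Nullable[int]]$Release)

    if ($null -eq $Release) {
        return 'Missing: .NET Framework 4.5 or later is not installed'
    }
    if ($Release -lt $MinRequired) {
        return 'Blocked: below 4.6.2, update .NET and restart before setup'
    }
    if ($Release -lt $MinRecommended) {
        return 'Supported: 4.6.2 or later, but below the recommended 4.8'
    }
    return 'OK: 4.8 or later'
}

function Get-NetFrameworkRelease {
    # Returns the Release DWORD, or $null when the key or value is absent.
    $value = Get-ItemProperty -Path $NdpKey -Name Release -ErrorAction SilentlyContinue
    if ($value) { [int]$value.Release } else { $null }
}

# Check the local machine.
$release = Get-NetFrameworkRelease
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Release  = $release
    Status   = ConvertTo-NetFrameworkStatus -Release $release
}

# Constructed sample values showing each classification:
# 394254 = 4.6.1, 461808 = 4.7.2, 528372 = 4.8
foreach ($sample in 394254, 461808, 528372) {
    '{0} -> {1}' -f $sample, (ConvertTo-NetFrameworkStatus -Release $sample)
}
```

To check several site systems at once, run the same two functions through PowerShell remoting against each server.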

For more information, see the following articles:

Updated Visual C++ prerequisite

The Configuration Manager client and several server components require the Microsoft Visual C++ Redistributable component (vcredist_x*.exe). During Configuration Manager installation, if the VCRedist doesn't already exist, it automatically installs. Starting in this release, Configuration Manager now uses the Microsoft Visual C++ 2015-2019 redistributable version 14.28.29914.0. This version improves stability in Configuration Manager operations.

For more information on client and site system prerequisites, see the following articles:

New prerequisite check for SQL Server 2012

When you install or update the site, it now warns for the presence of SQL Server 2012. The support lifecycle for SQL Server 2012 ends on July 12, 2022. Plan to upgrade database servers in your environment, including SQL Server Express at secondary sites.

For more information, see Removed and deprecated for site servers: SQL Server.

External notifications

In a complex IT environment, you may have an automation system like Azure Logic Apps. Customers use these systems to define and control automated workflows to integrate multiple systems. You could integrate Configuration Manager into a separate automation system through the product's SDK APIs. But this process can be complex and challenging for IT professionals without a software development background.

You can now enable the site to send notifications to an external system or application. This feature simplifies the process by using a web service-based method. You configure subscriptions to send these notifications. The site sends them in response to specific, defined events as they occur, for example, status message filter rules.

For more information, see External notifications.

Internet access requirements

Before you update to version 2107, if you restrict internet access, confirm that the site system that hosts the service connection point role can communicate with the following internet endpoint: configmgrbits.azureedge.net. This endpoint was already required, but its use is expanded in this release. The site system can't download version 2107 or later unless your network allows traffic to this URL.

For more information, see internet access requirements for the service connection point.

Real-time management

Simplified CMPivot permissions requirements

We've simplified the CMPivot permissions requirements. The new permissions are applicable for CMPivot standalone and CMPivot in the on-premises console. The following changes have been made:

  • CMPivot no longer requires SMS Scripts read permission

    • The SMS Provider still requires this permission if the administration service falls back to it because of a 503 (Service Unavailable) error, as seen in the CMPivot.log.
  • The default scope permission isn't required.

For more information, see permissions for CMPivot.

Improvements to CMPivot

We've made the following improvements to CMPivot:

  • Added a Key value to the Registry entity
  • Added a new RegistryKey entity that returns all registry keys matching the given expression
  • Added maxif and minif aggregators that can be used with the summarize operator
  • Improvements to query autocomplete suggestions in the query editor

For more information, see Changes to CMPivot and CMPivot overview.

Client management

Support for Windows 11

Starting with version 2107, Configuration Manager supports Windows 11. For more information, see Support for Windows 11.

Custom properties for devices

Many customers have other data that's external to Configuration Manager but useful for deployment targeting, collection building, and reporting. This data is typically non-technical in nature, not discoverable on the client, and comes from a single external source. For example, a central IT Infrastructure Library (ITIL) system or asset database, which has some of the following device attributes:

  • Physical location
  • Organizational priority
  • Category
  • Cost center
  • Department

You can use the administration service to set this data on devices. The site stores the property's name and its value in the site database as the new Device Custom Properties class. You can then use the custom properties in Configuration Manager for reporting or to create collections.

For more information, see Custom properties for devices.

Client encryption uses AES-256

Starting in this release, when you enable the site to Use encryption, the client uses the AES-256 algorithm. This setting requires clients to encrypt inventory data and state messages before they send them to the management point.

For more information, see Cryptographic controls technical reference.

Clients store Configuration Manager self-signed certificates in hardware TPM

Configuration Manager uses self-signed certificates for client identity and to help protect communication between the client and site systems. When you update the site and clients to version 2107, the client stores its certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the trusted platform module (TPM), at least version 2.0. The certificate is also marked non-exportable.

If the client also has a PKI-based certificate, it continues to use that certificate for TLS HTTPS communication. It uses its self-signed certificate for signing messages with the site.

For more information, see Certificates overview.

Hardware inventory for client log settings

You can now inventory client log file settings such as log levels and size. This behavior allows you to track settings that you change by the Client Diagnostics actions. This new inventory class isn't enabled by default.

For more information, see About log files.

Support for macOS Big Sur

Configuration Manager now supports macOS Big Sur (version 11). For more information, see Supported OS versions for clients and devices.

Software Center

Support for enhanced HTTP

When you enable the site for enhanced HTTP, Software Center and the Company Portal now prefer secure communication over HTTPS to get user-available applications from the management point.

For more information, see Plan for Software Center and Use the Company Portal app on co-managed devices.

Application management

Implicit uninstall of applications

Many customers have lots of collections because for every application they need at least two collections: one for install and another for uninstall. This practice adds overhead of managing more collections, and can reduce site performance for collection evaluation.

Starting in this release, you can enable an application deployment to support implicit uninstall. If a device is in a collection, the application installs. Then when you remove the device from the collection, the application uninstalls.

For more information, see Uninstall applications.

OS deployment

Support layered keyboard driver during OS deployment

This release adds support for layered keyboard drivers during OS deployment. This driver specifies other types of keyboards that are common with Japanese and Korean languages.

For more information, see Task sequence steps - Apply OS Image.


Audit mode for potentially unwanted applications

An Audit option for potentially unwanted applications (PUA) was added in the Antimalware policy settings. Use PUA protection in audit mode to detect potentially unwanted applications without blocking them. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.

For more information, see real-time protection settings.

Software updates

Run software updates evaluation from deployment status

You can now right-click and notify devices to run a software updates evaluation cycle from the software update deployment status. You can target a single device under the Asset Details pane or select a group of devices based on their deployment status.

For more information, see Configuration Manager console changes and tips.

Management insights rule for TLS/SSL software update points

Management insights has a new rule to detect if your software update points are configured to use TLS/SSL. To review the Configure software update points to use TLS/SSL rule, go to Administration > Management Insights > All Insights > Software Updates.

For more information, see the Management insights software updates group.

List third-party update catalogs

To help you find custom catalogs that you can import for third-party software updates, there's now a documentation page with links to catalog providers. Choose More Catalogs from the ribbon in the Third-party software update catalogs node. Right-clicking on Third-Party Software Update Catalogs node also displays a More Catalogs menu item. Selecting More Catalogs opens a link to a documentation page containing a list of third-party software update catalog providers.

For more information, see Third-party software updates and list of third-party software update catalog providers.

Improvements for managing automatic deployment rules

The following items were added to help you better manage your automatic deployment rules (ADRs):

Deployment types for automatic deployment rules

You can now specify the deployment type for the software update deployment created by an ADR. Select Required to create a mandatory software update deployment or select Available to create an optional software update deployment.

For more information, see Create an automatic deployment rule.

Updated Product parameter for New-CMSoftwareUpdateAutoDeploymentRule cmdlet

The -Product parameter for New-CMSoftwareUpdateAutoDeploymentRule was updated. When there are multiple products with the same name, -Product now selects all of them.

Script to apply deployment package settings for automatic deployment rule

If you create an ADR with the No deployment package option, you're unable to go back and add one later. To help you resolve this issue, we've uploaded a script into Community hub.

For more information, see Automatic deployment rules.

Community hub

Publish query to Community hub from CMPivot

You can now publish a CMPivot query to the Community hub directly from the CMPivot window. Submitting your queries directly through CMPivot makes contributing to the Community hub easier.

For more information, see Contribute to Community hub and CMPivot.

Support for console extensions in Community hub

When you use Configuration Manager version 2103 or later, you can now download console extensions from the Community hub and have them applied to all consoles connected to a hierarchy. Manage the approval and installation of console extensions used in your environment from the Console extensions node.

For more information, see Console extensions from Community hub.

Configuration Manager console

Enhanced code editor

Building on improvements in Configuration Manager 2010 for syntax highlighting and code folding, you can now edit scripts in an enhanced editor. The new editor supports syntax highlighting, code folding, word wrap, line numbers, and find and replace. The new editor is available in the console wherever scripts and queries can be viewed or edited.

For more information, see the enhanced code editor.

Send product feedback from error windows

Previously, if the Configuration Manager console reported an error in a separate window, you had to go back to the main console window to send feedback. In some cases, this action isn't possible with other console windows open.

Starting in this release, error messages include a link to Report error to Microsoft. This action opens the standard "send a frown" window to provide feedback. It automatically includes details about the user interface and the error to better help Microsoft engineers diagnose the error. Aside from making it easier to send a frown, it also lets you include the full context of the error message when you share a screenshot.

For more information, see Product feedback.

Hierarchy approved console extensions don't require signing

Starting in this release, you can choose to allow unsigned hierarchy approved console extensions. You may need to allow unsigned console extensions because of an unsigned internally developed extension, or for testing your own custom extension in a lab.

For more information, see Allow unsigned console extensions in the hierarchy.

Console improvements

In this release we've made the following improvements to the Configuration Manager console:

  • Status message shortcuts: Shortcuts to status messages were added to the Administrative Users node and the Accounts node. Select an account, then select Show Status Messages.

  • Navigate to collection: You can now navigate to a collection from the Collections tab in the Devices node. Select View Collection from either the ribbon or the right-click menu in the tab.

  • Added maintenance window column: A Maintenance window column was added to the Collections tab in the Devices node.

  • Display assigned users: If a collection deletion fails because of scope assignment, the assigned users are displayed.

  • You can now use the All Subfolders search option from the Boot Images, Operating System Upgrade Packages, and Operating System Images nodes.

For more information about improvements to the console, see Configuration Manager console changes and tips.


Improvements to Support Center

Starting in this release, the Content view in the Support Center Client Tools has been renamed to Deployments. From Deployments, you can review all of the deployments currently targeted to the device. The new view is grouped by Category and Status. The view can be sorted and filtered to help you find the deployments you're interested in. Select a deployment in the results pane to display more information in the details pane.

For more information, see Support Center Client Tools user interface reference.

Improvements to CMTrace

This release includes multiple performance improvements to the CMTrace log viewer. If you have a copy of CMTrace in a non-default location, consider removing it and using a copy in one of the default paths. If it's in a custom location that meets your business requirements, then make sure you have a process to keep it up to date. A script is available in the Community Hub to help you locate and update versions of CMTrace to the latest version.

For more information, see CMTrace.

RBAViewer location change

RBAViewer has moved from <installdir>\tools\servertools\rbaviewer.exe. It's now located in the Configuration Manager console directory. After you install the console, RBAViewer.exe will be in the same directory. The default location is C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\rbaviewer.exe.

For more information, see Configuration Manager tools.

Deprecated features

Learn about support changes before they're implemented in removed and deprecated items.

  • The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP instances. To provide content to internet-based devices, enable the CMG to distribute content.

  • The support lifecycle for SQL Server 2012 ends on July 12, 2022. Plan to upgrade database servers in your environment, including SQL Server Express at secondary sites.

As previously announced, version 2107 drops support for the following features:

  • Log Analytics connector for Azure Monitor. This feature was called the OMS Connector in the Azure Services node.

Other updates

Starting with this version, the following features are no longer pre-release:

For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see version 2107 release notes.

Aside from new features, this release also includes other changes such as bug fixes. For more information, see Summary of changes in Configuration Manager current branch, version 2107.

The following update rollup (11121541) is available in the console starting on October 27, 2021: Update rollup for Configuration Manager current branch, version 2107.


The following additional hotfixes are available to address specific issues:

ID | Title | Date | In-console
12636660 | Client update for Microsoft Endpoint Configuration Manager version 2107 | December 2, 2021 | No

Next steps

As of August 23, 2021, version 2107 is globally available for all customers to install.

When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for installing update 2107.


To install a new site, use a baseline version of Configuration Manager.

Learn more about:

For known significant issues, see the Release notes.

After you update a site, also review the Post-update checklist.