Microsoft System Center Configuration Manager Technical Preview
Applies To: System Center Technical Preview
Welcome to the System Center Configuration Manager Technical Preview. This topic contains information to get you started with some of the new capabilities that are available in the most recent preview release. Each section also includes the release notes or known issues for the described feature.
Note
With the release of System Center Configuration Manager (current branch) in December of 2015, new content for the Technical Preview has been published. The new content is located in the System Center Configuration Manager Documentation Library, and will receive updates for each new release of the System Center Configuration Manager Technical Preview.
Because this is a technical preview, details, functionality, and the product name are subject to change.
This topic includes content for the following releases:
Release |
Date |
Capabilities available with this release |
---|---|---|
May 4th, 2015 |
|
|
July 9th, 2015 |
This release adds the following additional capabilities:
In addition to new capabilities, this release includes several incremental improvements we want you to know about:
|
|
August 19th, 2015 |
This release adds the following additional capabilities:
In addition to new capabilities, this release includes several incremental improvements we want you to know about:
|
|
System Center Configuration Manager update version 1509 for Technical Preview |
September 22nd, 2015 |
This update adds the following new capabilities to a previously installed Technical Preview 3 site:
In addition to the new capabilities, this release includes incremental improvements we want you to know about:
|
System Center Configuration Manager update version 1510 for Technical Preview |
October 14th, 2015 |
This update can be applied to a Technical Preview site that runs:
This update adds the following new capabilities:
|
November 12th, 2015 |
This Technical Preview installs as a new site, and cannot be used to upgrade a previous Technical Preview site. In addition to the capabilities found in the previous releases, this Technical Preview includes the following new capabilities:
|
Requirements and Limitations for the Technical Preview
The Technical Preview is intended for use in a lab environment. Because it is a limited build intended for use in a lab environment, it does not include options for support and should not be used in a production environment.
For most product prerequisites, use the information in the System Center 2012 Configuration Manager supported configurations documentation. For general operations and configurations, use the information in the System Center 2012 Configuration Manager Documentation Library.
The following exceptions apply to the Technical Preview releases:
Each install remains active for 60 days before it becomes inactive.
English is the only language supported.
Only a stand-alone primary site is supported. There is no support for a central administration site, multiple primary sites, or secondary sites.
Only the following versions of SQL Server are supported:
SQL Server 2012 with cumulative update 2 or later
SQL Server 2014
The site supports up to 10 clients, which must run one of the following:
Windows 7
Windows 8
Windows 8.1
Windows 10
There is no support for upgrade to this preview build.
There is no support for upgrade to a later build from this preview build.
Only the following install flags (switches) are supported:
/silent
/testdbupgrade
There is no support for migration to or from this preview build.
Providing Feedback
We would love to hear your feedback about our technical previews. To submit feedback about the capabilities in each preview, follow the link to our feedback form on the Configuration Manager feedback program page on the Microsoft Connect site.
And, if you have ideas about new features you would like to see, we want to know that as well. To submit new ideas and to vote on the ideas submitted by others, visit our user voice page.
Capabilities in the Technical Preview
In addition to the capabilities found in System Center 2012 Configuration Manager, the technical preview includes the following.
Windows 10 in-place upgrade
Mobile Application Management
Data protection for mobile devices
Preferred management points
On-premises mobile device management (MDM)
Support for Microsoft Azure virtual machines
Client deployment status in console monitoring
Windows 10 in-place upgrade
This is a new operating system deployment scenario for upgrading computers that run Windows 7, Windows 8, and Windows 8.1 to run Windows 10.
Windows 10 in-place upgrade:
Upgrades the operating system
Retains the applications, settings, and user data on the computer
Has no external dependencies
Is faster and more resilient than traditional operating system deployments
Supplements existing deployment scenarios, which remain supported
Prerequisites for this scenario:
A System Center Configuration Manager Technical Preview site that is installed and configured.
Configuration Manager clients that are deployed and run at least Windows 7.
Windows 10 Technical Preview media is available. This media must be the same edition, architecture, and language as the clients you will upgrade.
Add the Windows 10 Technical Preview media as an Operating System Upgrade Package
- Use the procedure To add an operating system installer from the Configuration Manager documentation to add the Windows 10 media. In the Configuration Manager Technical Preview, Operating System Upgrade Package replaces Operating System Installer.
Create the upgrade task sequence
Use the procedure To create a task sequence that installs an existing image package from the Configuration Manager documentation. In the Create Task Sequence Wizard, when you select the task sequence type to create, select the option Upgrade an operating system from an upgrade package.
After the task sequence is created, you can configure additional edits like steps to uninstall applications with known compatibility issues, or add post-processing actions to run after the upgrade to Windows 10 is successful.
Note
Because this new task sequence is not linear, there are conditions on steps that can affect the results of the task sequence, depending on whether it successfully upgrades the client computer or if it has to roll back the client computer to the operating system version it started with.
Additionally, a new and optional step, Download Package Content, can be useful in the following scenarios:
You use a single upgrade task sequence that can work with both x86 and x64 platforms. To accomplish this, include two Download Package Content steps in the Preparation group with conditions to detect the client architecture and download only the appropriate Operating System Upgrade Package. Configure each Download Package Content step to use the same variable, and use the variable for the media path on the Upgrade Windows step.
To dynamically download an applicable driver package, use two Download Package Content steps with conditions to detect the appropriate hardware type for each driver package, similar to the preceding example.
Deploy and monitor
To deploy the upgrade task sequence, use the information in the section How to Deploy a Task Sequence from the Configuration Manager documentation.
To monitor the upgrade task, use the information in How to Monitor Applications in Configuration Manager.
Known issues for this release:
Only add task sequence steps that are related to the core task of deploying operating systems and configuring computers after the image is installed. This includes steps that install packages, apps, or updates, and steps that run command lines, PowerShell, or set dynamic variables.
Review drivers and applications that are installed on computers to ensure they are compatible with Windows 10 before deploying the upgrade task sequence.
The following tasks are not compatible with in-place upgrade and require you to use traditional operating system deployment, as in a refresh or bare metal scenario, instead of an in-place upgrade:
You must change the computer's domain membership or update Local Administrators.
You must implement a fundamental change on the computer, including disk partitioning, a change from x86 to x64, implementing UEFI, or modifying the base operating system language.
You have custom requirements, including using a custom base image, using 3rd party disk encryption, or requiring WinPE offline operations.
Provisioning mode for the Configuration Manager client is still enabled at the end of the task sequence. As a workaround, the following Windows PowerShell command can be used to disable client provisioning mode by using a Run Command Line or Run PowerShell Script step in the task sequence:
- Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -ArgumentList $False
Note
Information related to this scenario can be found in the following System Center Configuration Manager Team Blog, on TechNet: How to upgrade to Windows 10 using the task sequence in System Center 2012 R2 Configuration Manager. While the information in this blog is related to the Windows 10 in-place upgrade, it describes a basic process for upgrading that uses an earlier version of Configuration Manager. Therefore, while the information in the blog might be of use, it should not be used as a guide to this scenario in the Technical Preview, or later releases of Configuration Manager.
Mobile Application Management
Mobile application management policies let you modify the functionality of apps that you deploy to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy, and paste operations within a restricted app, or configure an app to always use a managed web browser when opening web links.
Unlike configuration items and baselines, you do not deploy a mobile application management policy directly. Instead, you associate the policy with the app deployment type (DT) that you want to restrict. When the app DT is deployed and installed on devices, the settings you specify will take effect.
App management policies support:
Devices that run Android 4 and later
Devices that run iOS 7 and later
To create a mobile application management policy
In the Configuration Manager console navigate to Software Library > Application Management > Application Management Policies, and then click Create Application Management Policy.
In the Create Application Management Policy Wizard, set the policy type:
The General policy type lets you modify the functionality of apps that you deploy to help bring them into line with your company compliance and security policies. This includes restricting actions like cut, copy, and paste, or configuring an app to open all web links inside a managed browser.
The Managed Browser policy type lets you modify the functionality of the Intune Managed Browser app. This is a web browser that lets you manage the actions that users can perform, including the sites they can visit, and how links to content within the browser are opened. For more information on the Intune Managed Browser app, see here for iOS and here for Android.
Next, configure settings for the platform and policy type you selected:
General: View details published in the Intune documentation library for this policy type.
Managed Browser: View details published in the Intune documentation library for this policy type.
Complete the wizard, and click Close to save the policy.
Associate the app management policy with a deployment
For software that is not yet deployed, associate the policy to the software when you deploy the software using the Deploy Software Wizard. To do so, use the wizard to deploy the software, and then create the association when prompted on the Application Management page. (The Managed Browser requires you to associate both a General and a Managed Browser policy.)
For software that you previously deployed before creating the app management policy, make this association on the Application Management tab of the deployment's Properties. (Deployments for the new deployment type will fail until you make this association.)
Monitor app management policies
In the Configuration Manager console, navigate to Monitoring > Deployments, and then select the deployment that you want to view.
In the details pane, select App Management.
Data protection for mobile devices
This preview supports the following features from Microsoft Intune that you can use to enhance data protection for mobile devices you manage when you use Intune with Configuration Manager. Click the name of each capability to view available information from the Microsoft Intune documentation library.
Capability |
How to use it with the technical preview |
---|---|
If a user forgets their passcode, you can help them by removing the passcode from a device or by forcing a new temporary passcode on a device. |
This option can be found in the Configuration Manager console by navigating to Assets and Compliance > Devices:
To monitor the state of this action:
|
If a user loses their device you can lock the device remotely. |
This option can be found in the Configuration Manager console by navigating to Assets and Compliance and then selecting Devices.
To monitor the state of this action:
|
Preferred management points
Preferred management points is a new option that enables clients to identify and prefer to communicate with management points that are associated with the client’s current network location (or boundary). When configured, clients attempt to use a preferred management point from their assigned site before using management points from their assigned site that are not configured as preferred.
To use this option you must enable it for the hierarchy, and configure boundary groups at individual primary sites to include the management points that should be associated with that boundary group’s associated boundaries. This is done the same way you would assign distribution points and state migration points to a boundary group.
When preferred management points are configured and a client organizes its list of management points, the client places the preferred management points at the top of its list of Assigned management points (which includes all management points from the client’s assigned site). This enables the client to try to use a preferred management point before using management points from its assigned site that are not configured as preferred.
Note
When a client roams it might use a management point from the local site or a proxy management point before attempting to use one from its assigned site, which includes the preferred management points. See Service Location and how clients determine their assigned management point for more information about how clients identify and select a management point to communicate with.
For more information about configuring boundaries and boundary groups, see the Configuration Manager documentation.
To configure preferred management points
Enable preferred management points for the hierarchy:
In the Configuration Manager console, click Administration > Site Configuration > Sites > Hierarchy Settings.
On the General tab of the Hierarchy Settings, select Clients prefer to use management points specified in boundary groups, and save the configuration.
Add management points to a boundary group:
In the Configuration Manager console, click Administration > Hierarchy Configuration > Boundary Groups and select the group you want to edit.
On the References tab, click Add, select the check box for one or more servers that host management points you want to add as preferred management points, and then save the configuration.
On-premises mobile device management (MDM)
With on-premises mobile device management, you can manage devices that do not connect to the Internet or that are limited to accessing a few Internet resources. This helps your enterprise meet security and compliance requirements while managing devices that are on-premises.
For example, you can use on-premises MDM to manage devices that perform the following common line-of-business activities. These activities are often regulated by law or enterprise policy that typically include restrictions that prevent the devices from accessing public networks and the Internet:
Perform retail transactions
Conduct investment banking or trading actions
Price lookup
Credit card transactions
On-premises MDM in the Technical Preview:
Supports up to 10 Windows 10 phone devices
Does not require you to use a Microsoft Intune subscription
On-premises MDM in the Technical Preview 2 adds support for the following:
- Supports up to 10 Windows 10 Enterprise (desktop) devices
Prerequisites for on-premises MDM:
You must configure and successfully complete User Discovery
On the site server, restart the SMS_Certificate_Manager thread of the SMS_Executive service, and then install the following site system roles on the site server computer:
The Enrollment point
The Enrollment proxy point
Management point that supports mobile devices
Devices you manage must have certificates and trust the SSL endpoints (the site system roles they connect to). For more information, see Prerequisites for Mobile Device Clients in the System Center 2012 Configuration Manager documentation.
If your site server runs Windows Server 2012 R2 or later, you must create and set the following registry key value as a DWORD, on the site server:
Registry key: HKLM\system\currentcontrolset\control\securityproviders\schannel
Name: SendTrustedIssuerList
Value: 1
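One way to audit and apply the registry prerequisite above on the site server, as an added example that is not part of the original documentation. The function name Set-SendTrustedIssuerList is hypothetical; the key, value name and data are the ones listed above.

```powershell
# Added example, not from the original page. Set-SendTrustedIssuerList is a
# hypothetical helper name; run it in an elevated session on the site server.
function Set-SendTrustedIssuerList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Key, value name and data as listed in the prerequisite.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $name = 'SendTrustedIssuerList'

    # The prerequisite applies to Windows Server 2012 R2 (NT 6.3) or later.
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    if ($osVersion -lt [version]'6.3') {
        return [pscustomobject]@{ OSVersion = $osVersion; Previous = $null; Action = 'NotRequired' }
    }

    # Read the current data and its type; a string "1" does not satisfy the
    # DWORD requirement, so the type is checked as well as the data.
    $item     = Get-Item -Path $key
    $previous = $item.GetValue($name, $null)
    $kind     = if ($null -ne $previous) { $item.GetValueKind($name) } else { $null }

    if ($previous -eq 1 -and $kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
        return [pscustomobject]@{ OSVersion = $osVersion; Previous = $previous; Action = 'AlreadySet' }
    }

    # Write the value only when the caller confirms (honours -WhatIf / -Confirm).
    $action = 'Skipped'
    if ($PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD value 1')) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $action = 'Set'
    }
    [pscustomobject]@{ OSVersion = $osVersion; Previous = $previous; Action = $action }
}

# Preview the change without writing anything.
Set-SendTrustedIssuerList -WhatIf
# Apply it once the preview looks right:
# Set-SendTrustedIssuerList
```

The returned Previous field records what was on the server before the change, which is useful when the lab server is later compared against a baseline.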
To configure on-premises MDM
Create an enrollment profile: In the Configuration Manager console, click Administration > Client Settings, and then edit Default Client Settings.
Click Enrollment, and then configure the following:
Set Allow users to enroll Windows Phone and Windows RT devices to equal Yes.
For Windows Phone device enrollment profile, click Set Profile and then complete the enrollment profile. This profile is similar to those you configure for System Center 2012 Configuration Manager. For more information see the Configuration Manager documentation.
Enroll your devices. Because this is a technical preview, it is not expected that you have your enrollment server registered in your DNS. Therefore:
If your DNS points to another MDM provider (like Microsoft Intune), then devices you enroll might try to enroll with your production MDM solution. To prevent this, configure the devices to only connect over Wi-Fi to your internal network.
If your DNS does not point to another MDM provider (like Microsoft Intune), after you enter your email address and click sign in, the device indicates that it cannot connect to the enrollment server. In the space provided, enter the FQDN of your enrollment server (the site server) and click sign in to complete the device enrollment.
After your device enrolls, you can use Configuration Manager to configure and manage mobile devices, including deploying configuration baselines and related settings like password length and complexity requirements, to your Windows 10 phone devices.
Known limitations in the Technical Preview:
Non–Windows 10 phone devices are not supported
Because Windows 10 phone devices are prerelease versions, references to the phone UI might vary.
Support for Microsoft Azure virtual machines
The System Center Configuration Manager Technical Preview is supported to run in virtual machines in Microsoft Azure just as it does when run on-premises within your physical corporate network. You can use the Configuration Manager Technical Preview with Microsoft Azure virtual machines in the following scenarios:
Scenario 1: You can run Configuration Manager in a Microsoft Azure virtual machine and use it to manage clients installed in other Microsoft Azure virtual machines.
Scenario 2: You can run Configuration Manager in a Microsoft Azure virtual machine and use it to manage clients that are not running in Microsoft Azure.
Scenario 3: You can run different Configuration Manager site system roles in Microsoft Azure virtual machines while running other roles in your physical corporate network (with appropriate network connectivity for communications).
The same System Center 2012 Configuration Manager requirements for networks, supported configurations and hardware requirements that apply to installing the Technical Preview on-premises in your physical corporate network also apply to the installation of the Technical Preview in Microsoft Azure. Additionally, Configuration Manager sites and clients that run in Azure virtual machines are subject to the same license requirements as on-premises installations.
Client deployment status in console monitoring
This release includes new monitoring for client deployment status, which provides you feedback on client upgrades. This improved status includes drilling into the different status categories to obtain details about individual devices.
To view this status, in the Configuration Manager console click Monitoring > Client Status > Production client deployment.
Try it out!
Try to complete the following task and then use the feedback information near the top of this topic to let us know how it worked:
- I am able to view and understand the detailed status of a client deployment
New capabilities in the Technical Preview 2
In addition to the capabilities found in System Center 2012 Configuration Manager and the System Center Configuration Manager Technical Preview, the System Center Configuration Manager Technical Preview 2 includes new capabilities and an expansion of support for on-premises MDM:
Sideloading apps in Windows 10
Windows PE Peer Cache
On-premises Mobile Device Management (MDM)
Bulk enrollment of Windows 10 devices with on-premises MDM
Support for multiple Automatic Deployment Rules
General improvements in the Technical Preview 2
Sideloading apps in Windows 10
This release supports sideloading Windows 10 apps onto devices that run Windows 10 desktop, and introduces a new client setting that simplifies the process over previous versions of Configuration Manager.
Sideloading is the common reference for directly installing an app on a device, bypassing the Windows Store. Windows 10 apps are also called Universal Windows Platform (UWP) apps.
Windows 10 Apps:
Use the same .appx extension as seen with apps for Windows 8.1.
Will be available for download from the Windows Store at a future date.
Can be your own Line of Business (LOB) apps that you created in-house for the Windows 10 platform.
Unlike apps for Windows 8.1, a single instance of a Windows 10 app can be deployed to any device that runs Windows 10 including mobile devices and devices that run Windows 10 desktop. When you create the deployment for a Windows 10 app, the app manifest identifies that the app can deploy to Windows 10 mobile and higher. Windows 10 apps do not support deployment to earlier versions of Windows.
Note
While Windows 8.1 devices cannot run a Windows 10 app, a Windows 10 device can run a Windows 8.1 app so long as the app is designed to run on the platform you deploy it to. For example, you can deploy a Windows 8.1 app for computers to a Windows 10 desktop device, but cannot successfully deploy an app designed for Windows 8.1 mobile to a Windows 10 desktop.
The high level process to sideload Windows 10 apps:
Provision the Windows 10 clients with the certificate used to sign the Windows 10 apps you deploy.
Use Client Settings to configure the client agent on the device to support sideloading of Windows 10 apps.
Deploy the Windows 10 app as you would any other deployment to computers.
Limitations for this scenario:
To use this scenario with this release you must have access to a Windows 10 app (.appx package designed for Windows 10).
While UWP apps are available from other sources, it is beyond the scope of this technical preview to provide a sample app for use with this scenario.
In addition to a UWP app, you can deploy apps you have created for the Universal Windows Platform.
Prerequisites for this scenario:
You have at least one Configuration Manager client on a device that runs Windows 10 desktop.
You have a Windows 10 .appx package that is signed by a certification authority (CA) that is trusted by the Windows 10 devices that will install the app.
- The publisher name in the package manifest file must match the publisher name in the certificate that signs the app.
Devices must trust the CA that signed the app. To establish this trust you might need to import the certificate that signed the app to the trusted root store on each device:
Apps you download from the Company Store will include the required certificate.
LOB apps you develop must be signed, and you must provide the required certificate.
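A pre-deployment check for the two signing prerequisites above (publisher name match and device trust in the signer), as an added example that is not from the original documentation. The function names and the package path are hypothetical, and the name comparison is a simplified string match.

```powershell
# Added example, not from the original page. Function names and the sample
# path are hypothetical; run on a Windows 10 device that will install the app.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-AppxManifestPublisher {
    param([Parameter(Mandatory = $true)][string]$Path)
    # An .appx package is a ZIP container; the manifest sits at its root.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $zip  = [System.IO.Compression.ZipFile]::OpenRead($full)
    try {
        $entry = $zip.Entries | Where-Object { $_.FullName -eq 'AppxManifest.xml' } |
                 Select-Object -First 1
        if (-not $entry) { throw "AppxManifest.xml not found in $full" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
        # <Identity Publisher="CN=..."/> carries the publisher name.
        return $manifest.Package.Identity.Publisher
    }
    finally { $zip.Dispose() }
}

function ConvertTo-ComparableName {
    param([string]$Name)
    # Simplified normalisation: trim and remove whitespace around separators.
    # Names with quoted commas may be reported as a mismatch; verify by hand.
    if ($null -eq $Name) { return $null }
    return ($Name.Trim() -replace '\s*,\s*', ',')
}

function Test-AppxSideloadReadiness {
    param([Parameter(Mandatory = $true)][string]$Path)

    $publisher = Get-AppxManifestPublisher -Path $Path
    $signature = Get-AuthenticodeSignature -FilePath $Path
    $cert      = $signature.SignerCertificate

    $matches = $false
    if ($cert) {
        $matches = (ConvertTo-ComparableName $publisher) -ieq
                   (ConvertTo-ComparableName $cert.Subject)
    }

    [pscustomobject]@{
        Package           = $Path
        ManifestPublisher = $publisher
        SignerSubject     = if ($cert) { $cert.Subject } else { $null }
        SignerThumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        SignerNotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        PublisherMatches  = $matches
        # Any status other than Valid means this device does not accept the
        # signature as it stands (unsigned, tampered, or signer not trusted).
        SignatureStatus   = $signature.Status
        StatusMessage     = $signature.StatusMessage
        Ready             = $matches -and ($signature.Status -eq 'Valid')
    }
}

# Usage (placeholder path, replace with your package):
# Test-AppxSideloadReadiness -Path 'C:\Packages\ContosoLob.appx' | Format-List
```

Running the check on a reference device before and after importing the signing certificate shows whether the import is what moves SignatureStatus to Valid.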
Try it out!
Try to complete the following task and then use the feedback information near the top of this topic to let us know how it worked:
As an application administrator, you can create, deploy, and monitor the deployment status of an available sideloaded Universal Windows Platform (UWP) application targeted to a Windows 10 client
As an application administrator, you can create, deploy, and monitor the deployment status of a required sideloaded Universal Windows Platform (UWP) application targeted to a Windows 10 client
To sideload a Windows 10 app for desktops
Provision devices with the certificate used to sign the app:
If a device does not yet trust the CA that signed the Windows 10 app, provision the device with the certificate that was used to sign the app by installing the certificate to the device's trusted root store. When you use an app from the Windows Store, the Windows App provides the certificate required by the device. For your LOB apps, you provide this certificate.
On the device, load the Certificate MMC Snap-in: Open the MMC console and load the Certificate plugin > Certificates > Computer account. Then click Next, select Local computer, and then click Finish.
On the device, open the Certificates plugin: Select Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates. Next, right-click on Certificates, select All Tasks, and click Import to start the Certificate Import Wizard.
Complete the wizard for the Local Machine and import the certificate for the App you plan to deploy.
Configure client agent settings for sideloading:
In the Configuration Manager console, navigate to Administration > Client Settings, and then edit either the Default Client Settings, or Custom Client Device Settings.
Under Software Deployment, set Allow client to unlock automatically and install appx application to Yes.
Create and deploy the app to devices:
After the devices are provisioned with the certificate and configured to install sideloaded apps, use your normal procedures to create, deploy, and monitor the deployment status of apps. For information on these steps see:
How to Monitor Applications in Configuration Manager
When you create the deployment and direct Configuration Manager to the appx file, the appx file manifest is used to identify the platforms that the app applies to.
After the app is created, you can view the Requirements of the application's Deployment Type to confirm the app targets Windows 10 mobile and higher.
Windows PE Peer Cache
When you deploy a new operating system, computers that run the task sequence can use Windows PE Peer Cache (a new capability in Configuration Manager) to obtain content from a local peer (a peer cache source) instead of downloading content from a distribution point. This helps minimize wide area network (WAN) traffic in branch office scenarios where there is no local distribution point.
Windows PE Peer Cache is similar to Windows BranchCache, but functions in the Windows Preinstallation Environment (Windows PE).
A peer cache client is a computer that is configured to use Windows PE Peer Cache.
A peer cache source is a client that is configured for peer cache and that makes content available to other peer cache clients that request that content.
You enable Windows PE Peer Cache on a client by using Client Settings.
You configure task sequences with a new option that directs a computer to keep the content in the client’s cache after the client runs the task sequence.
You must manage the Configuration Manager cache on clients to ensure they have enough space to hold and store the images you deploy.
A Windows PE Peer Cache task sequence starts from boot media and can get the following content objects using Windows PE:
Operating system (OS) image
Driver package
Packages and Programs (When the client continues to run the task sequence in the full operating system, the client gets this content from a peer cache source if the task sequence was originally configured for peer cache when running in Windows PE.)
Additional boot images
The following content objects never transfer using peer cache, and transfer from a distribution point or by Windows BranchCache if you have configured Windows BranchCache in your environment:
Applications
Software updates
As a simple example, consider a scenario with a branch office that does not have a distribution point but does have several clients enabled to use Windows PE Peer Cache. You deploy the task sequence configured to use peer cache to several of the clients. The first client to run the task sequence broadcasts a request for a peer with the content and, not finding one, gets the content from a distribution point across the WAN. The client installs the new image and then stores the content in its Configuration Manager client cache so it can function as a peer cache source to other clients. When the next client runs the task sequence, it broadcasts a request on the subnet for a peer cache source, and that first client responds and makes its cached content available.
The following are methods you can use to provision a client with peer cache content, so it can serve as a peer cache source:
A peer cache client that cannot find a peer cache source with the content will download it from a distribution point. If the client receives client settings that enable peer cache and the task sequence is configured to preserve the cached content, the client becomes a peer cache source.
A peer cache client can get content from another peer cache client (a peer cache source). Because the client is configured for peer cache, when it runs a task sequence that is configured to preserve the cached content, the client becomes a peer cache source.
A client runs a task sequence that includes the optional step, Download Package Content, which is used to prestage the relevant content that is included in the Windows PE Peer Cache task sequence. When you use this method:
The client does not need to install the image that is being deployed.
In addition to the Download Package Content option, the task sequence must also use the Configuration Manager client cache option. You use this option to store the content in the client's cache so the client can act as a peer cache source for other peer cache clients.
This release supports the following scenario:
- Operating system installs from boot media
Prerequisites for this scenario:
The Configuration Manager client must be able to communicate across the following ports on your network:
Default port for the initial network broadcast, to find a peer cache source: 8004
Default Port for content downloading from a peer cache source (HTTP and HTTPS): 8003
Tip
Clients will use HTTPS to download content when it is available; however, the same port number is used for either HTTP or HTTPS.
Clients must have a client cache size sufficient to store the full image.
The Deployment options for the task sequence deployment must be configured as Download content locally when needed by task sequence.
Limitations for using Windows PE Peer Cache:
To successfully use Windows PE, you must start the task sequence from boot media. If you start the task sequence from the operating system context, such as from the client's Software Center, Windows PE Peer Cache is not used.
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
I can create and deploy a task sequence that:
Installs an operating system and, after the task sequence completes, preserves that image content in the client's CCM cache.
Successfully directs a client to use Windows PE Peer Cache to get the content from a peer cache source on the same subnet that has the content in its CCM cache and that is running in the full operating system environment, not in Windows PE.
Configuring Windows PE Peer Cache
The following procedures will help you configure Windows PE Peer Cache on clients and configure task sequences that support peer cache.
To configure Windows PE Peer Cache
In the Configuration Manager console, navigate to Administration > Client Settings, and then create a new Custom Client Device Settings or edit an existing settings object. You can also configure this for the Default Client Settings object.
Tip
Use a custom settings object to manage which clients receive this configuration. For example, you might want to avoid configuring this on the laptops of users who are frequently on the move. A highly mobile system can be a poor source to provide content to other peer cache clients.
Also remember that when you configure this setting as part of the Default Client Settings, the configuration applies to all clients in your environment.
Under Windows PE Peer Cache, set Enable Configuration Manager client in full OS to share content to Yes.
By default, only HTTP is enabled. If you want to enable clients to download content over HTTPS, set Enable HTTPS for client peer communication to Yes.
By default, the port for broadcasts is set to 8004 and the port for content downloads is set to 8003. You can change both.
Save and deploy the Client Settings to devices.
After a device is configured with this settings object, the device is configured to act as a peer cache source. These settings should be deployed to potential peer cache clients to configure the required ports and protocols.
To configure boot media and a task sequence for Windows PE Peer Cache
To configure boot media to use Windows PE Peer Cache, use your normal process and settings to create a task sequence for boot media. When you configure the task sequence, use the following task sequence variables as Collection Variables on the collection to which the task sequence is deployed:
Name | Value | Description |
---|---|---|
SMSTSPeerDownload | TRUE | This enables the client to use Windows PE Peer Cache. |
SMSTSPeerRequestPort | <Port number> | When you do not use the default ports configured in the Client Settings (8003 and 8004), you must configure this variable with a custom value of the network port to use for the initial broadcast. |
SMSTSPreserveContent | TRUE | This flags the content in the task sequence to be retained in the Configuration Manager client cache after the deployment. This is different than using SMSTSPersistContent, which only preserves the content for the duration of the task sequence and uses the task sequence cache, not the Configuration Manager client cache. |
Validate the success of using Windows PE Peer Cache
After you use Windows PE Peer Cache to deploy and install a boot media task sequence, you can confirm the process successfully used peer cache by viewing the smsts.log on the client that ran the task sequence.
In the log, locate an entry similar to the following where <SourceServerName> identifies the computer from which the client obtained the content. This computer should be a peer cache source, and not a distribution point server. Other details will vary based on your local environment and configurations.
- <![LOG[Downloaded file from https:// <SourceServerName>:8003/SCCM_BranchCache$/SS10000C/sccm?/install.wim to C:\_SMSTaskSequence\Packages\SS10000C\install.wim ]LOG]!><time="14:24:33.329+420" date="06-26-2015" component="ApplyOperatingSystem" context="" type="1" thread="1256" file="downloadcontent.cpp:1626">
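The check described above can be scripted across many entries. The following PowerShell is an added example, not part of the original topic or of Configuration Manager: the function name Get-TsContentDownload, the host names and the sample log lines are constructed, and the list of distribution point names is something you supply.

```powershell
# Added example: summarise "Downloaded file from" entries found in smsts.log.
# Host names, package IDs and log lines below are constructed sample data.

function Get-TsContentDownload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line,

        # Names of your distribution points (assumption: supplied by the administrator).
        [string[]]$DistributionPoint = @()
    )
    begin {
        # Entry layout: <![LOG[message]LOG]!><time=".." date=".." component=".." ...>
        $pattern = '<!\[LOG\[Downloaded file from (?<scheme>https?)://\s*(?<host>[^:/\s]+)' +
                   '(?::(?<port>\d+))?(?<path>/\S*) to (?<target>.+?)\s*\]LOG\]!>' +
                   '<time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<component>[^"]*)"'

        # Compare on the short host name so DP01 and DP01.contoso.example match.
        # IPv4 addresses are compared whole.
        $toKey = {
            param($name)
            if ([regex]::IsMatch($name, '^\d{1,3}(\.\d{1,3}){3}$')) { $name }
            else { ($name -split '\.')[0] }
        }
        $dpKeys = @($DistributionPoint | ForEach-Object { & $toKey $_ })
    }
    process {
        if ($Line -notmatch $pattern) { return }   # not a download entry
        $m = $Matches
        $sourceHost = $m['host']                   # $Host is reserved in PowerShell

        [pscustomobject]@{
            Date                  = $m['date']
            Time                  = $m['time']
            Component             = $m['component']
            SourceHost            = $sourceHost
            Port                  = if ($m['port']) { [int]$m['port'] } else { $null }
            Encrypted             = ($m['scheme'] -eq 'https')
            FromDistributionPoint = ($dpKeys -contains (& $toKey $sourceHost))
            Target                = $m['target']
        }
    }
}

# Constructed sample entries; the first follows the shape of the entry shown above.
$sample = @'
<![LOG[Downloaded file from https://PC-0042.contoso.example:8003/SCCM_BranchCache$/SS10000C/sccm?/install.wim to C:\_SMSTaskSequence\Packages\SS10000C\install.wim ]LOG]!><time="14:24:33.329+420" date="06-26-2015" component="ApplyOperatingSystem" context="" type="1" thread="1256" file="downloadcontent.cpp:1626">
<![LOG[Downloaded file from http://PC-0077.contoso.example:8003/SCCM_BranchCache$/SS10000D/sccm?/drivers.cab to C:\_SMSTaskSequence\Packages\SS10000D\drivers.cab ]LOG]!><time="14:25:02.101+420" date="06-26-2015" component="ApplyDriverPackage" context="" type="1" thread="1256" file="downloadcontent.cpp:1626">
<![LOG[Downloaded file from http://DP01.contoso.example:80/SMS_DP_SMSPKG$/SS10000E/sccm?/tools.zip to C:\_SMSTaskSequence\Packages\SS10000E\tools.zip ]LOG]!><time="14:26:40.877+420" date="06-26-2015" component="InstallSoftware" context="" type="1" thread="1256" file="downloadcontent.cpp:1626">
<![LOG[Some unrelated entry]LOG]!><time="14:27:00.000+420" date="06-26-2015" component="TSManager" context="" type="1" thread="1256" file="tsmanager.cpp:100">
'@ -split "`r?`n"

$downloads = $sample | Get-TsContentDownload -DistributionPoint 'DP01'
$downloads | Format-Table Time, SourceHost, Port, Encrypted, FromDistributionPoint -AutoSize

# Downloads that did not come from a listed distribution point and used plain HTTP.
# Setting "Enable HTTPS for client peer communication" to Yes addresses these.
$downloads | Where-Object { -not $_.FromDistributionPoint -and -not $_.Encrypted }
```

To run it against a real client, replace `$sample` with `Get-Content` on that client's smsts.log. A download that you expected to come from a peer but that shows FromDistributionPoint as True means the client fell back to a distribution point.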
On-premises Mobile Device Management (MDM)
In addition to the capabilities (and prerequisites) from System Center Configuration Manager Technical Preview, System Center Configuration Manager Technical Preview 2 adds support for up to 10 devices that run Windows 10 Enterprise (desktop).
You enroll a computer that runs Windows 10 Enterprise the same way you enroll a Windows 10 mobile device.
Prerequisites for this scenario:
You must configure Configuration Manager to use a Microsoft Intune subscription. (This is a change from the first Technical Preview.)
To enable devices you manage with on-premises MDM to use an on-premises distribution point, you must enable support on a per distribution point basis. To do so, edit the properties of each distribution point you want to use with on-premises MDM, and on the General tab select HTTPS, and then check Allow mobile devices to connect to this distribution point.
Bulk enrollment of Windows 10 devices with on-premises MDM
The Technical Preview 2 provides you an early look at support for bulk enrollment of computers that run Windows 10. Bulk enrollment enables administrators to easily enroll devices for on-premises management without requiring end users to work through the device enrollment process.
You can create an enrollment profile and export a package from the profile, but further functionality is not enabled in this preview.
Before you can use bulk enrollment for Windows 10, on the site server you must install the Windows 10 Assessment and Deployment Kit (ADK) with the Windows Imaging and Configuration Designer (Windows ICD) option.
Prerequisites for this scenario:
- You must configure Configuration Manager to use a Microsoft Intune subscription before you can create a bulk enrollment package or enroll a mobile device.
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
- I am able to create a bulk enrollment profile and edit it
To bulk enroll Windows 10 devices
In the Configuration Manager console open Assets and Compliance > All Corporate-owned Devices > Windows and select Enrollment Profile.
Use the Wizard to create the enrollment profile.
After the profile is created, you can select the profile and export the package. This action requires you to run the Configuration Manager console as an administrator.
Tip
With Technical Preview 2, if you cannot successfully export the package, try again but do not encrypt the package during the export.
Support for multiple Automatic Deployment Rules
With this release, Configuration Manager supports multiple deployments for each Automatic Deployment Rule (ADR) you use to deploy software updates. This can help you manage the complexity of deploying different updates to different collections.
After an ADR is created, you can go back and then add additional deployments. To do so, in the Configuration Manager console locate the ADR, right-click on it, and select Add Deployment.
Each new deployment that you add:
Uses the same update group and package which is created when the ADR first runs
Can specify a different collection
Supports unique deployment properties including:
Activation time
Deadline
Show or hide end user experience
Separate alerts for this deployment
How the behavior has changed:
Prior to this release when you ran the Create Automatic Deployment Rule wizard and selected the option Create a new Software Update Group, the ADR created one deployment.
With this release (so long as your environment meets the prerequisites), after the initial run of the Wizard you can go back and add additional deployments that are each associated with the same deployment rule.
Each new deployment has the full range of functionality and deployment monitoring experience.
To view all deployments associated with an ADR you have selected in the Configuration Manager console, click the Deployments tab.
For more information, see Automatically Deploy Software Updates in the Configuration Manager documentation library.
Prerequisites for this scenario:
To use multiple ADRs with the Technical Preview 2 release, you must copy three .xml files for Configuration Manager to your site server computer. You can obtain these files by downloading TechPreviewADRFiles.zip from the TechNet Gallery.
Download TechPreviewADRFiles.zip
After you download the .zip file, copy the three .xml files it contains to the following locations on your site server:
MultipleDeploymentProperty.xml - Place a copy of this file in %ConfigMgrPath%\Adminconsole\XmlStorage\Forms
MultipleDeploymentWizard.xml - Place a copy of this file in %ConfigMgrPath%\Adminconsole\XmlStorage\Forms
SoftwareLibraryNode.xml - Replace the original file of this name with the new version in %ConfigMgrPath%\Adminconsole\XmlStorage\ConsoleRoot
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
- I can create an automatic deployment rule and add additional deployments for this rule; multiple deployments get created every time the rule runs.
General improvements in the Technical Preview 2
Operating system deployment:
Improvements have added more stability to the Windows 10 in-place upgrade scenario
By default, the task sequence step Setup Windows and ConfigMgr now automatically selects a client install package
Improvements have been made to the process for importing drivers, including active feedback on several user interface screens, and when importing Windows 10 applicable drivers
Improvements have been made to the task sequence logging environment
Role-based administration:
- Security scopes can now be used with Endpoint Protection antimalware policies
Software updates:
Improvements include changes to cleanup tasks which run after a scheduled synchronization and improve how expired updates are removed from the Configuration Manager infrastructure:
After a scheduled sync, the wSyncMgr component checks for expired updates in all deployments and software update groups.
Expired updates are removed from these objects which enables the cleanup task to successfully remove the expired updates the next time it runs.
New capabilities in the Technical Preview 3
In addition to the capabilities found in System Center 2012 Configuration Manager and the System Center Configuration Manager Technical Previews 1 and 2, the System Center Configuration Manager Technical Preview 3 includes new capabilities:
Diagnostics and Usage Data
Service a server cluster
Support for SQL Server AlwaysOn for highly available databases
Deploy Windows Business Store applications
App deployment to Windows 10 devices with on-premises MDM
Compliance settings for Windows 10
Improved workflow for creating mobile device configuration items
Updates for Windows 10 in-place upgrade
Updates for bulk enrollment of Windows 10 devices with on-premises MDM
Schedule and run the WSUS clean up task from the Configuration Manager console
General improvements in the Technical Preview 3
Diagnostics and Usage Data
When you install the Technical Preview 3 it automatically installs and configures a new site system role on the site server, the cloud connection point. When this role installs it defaults to:
Online mode
A data collection level of Enhanced
When this role is online, it enables Microsoft to automatically collect diagnostics and usage data over the Internet. Information that is collected helps us identify and troubleshoot problems as well as improve our products and services.
The three levels of data collection that are planned for future releases include:
Basic includes data about setup and upgrade like the number of sites and which Configuration Manager features are enabled. No personally identifiable information will be transmitted.
Enhanced includes the data in the Basic setting plus transmits data about the hierarchy, how each feature is used (frequency and duration), and enhanced diagnostic information like the memory state of your server when a system or app crash occurs. No personally identifiable data will be transmitted.
Full includes the data in the Basic and Enhanced settings and also sends advanced diagnostic information like system files and memory snapshots. This option may include personally identifiable information, but we won’t use that information to identify or contact you, or target advertising to you.
Service a server cluster
You can now create a collection that contains servers in a cluster, and then configure the cluster settings to use when you deploy updates to the cluster. You can control the percentage of servers that are online at any given time, and configure pre-deployment and post-deployment PowerShell scripts to run custom actions.
Known issues for this release:
Reporting is not available to check the status of software updates deployment for cluster servers.
The maintenance sequence option on the Cluster Settings page is disabled and not available in this release.
Try it out!
Try to complete the following task and then use the feedback information near the top of this topic to let us know how it worked:
I can create a collection that represents a cluster of servers. For this test, you can configure your collection membership rules to have 2 machines in this collection.
I can specify that only 50% of servers in the cluster can be offline at any point in cluster servicing. Use the sample scripts in the procedure to specify the pre-deployment and post-deployment scripts.
Deploy an update to this collection. Review the start.txt and end.txt files in C:\temp and verify start and end times for the deployment on the servers in the cluster. Review the UpdatesDeployment.log file for more information.
To create a collection for a server cluster
Create a device collection that contains the servers in the cluster.
In the Assets and Compliance workspace, click Device Collections, right-click the collection that contains the servers in the cluster, and then click Properties.
On the General tab, select All devices are part of the same server cluster, and then click Settings.
On the Cluster Settings page, select the percentage of servers that can be taken offline at the same time to have software updates installed. One cluster server might be taken offline at a time regardless of the percentage that you provide. Configuration Manager will round down when selecting how many servers to service at one time. For example, if you choose 51% and there are 4 servers in the cluster, 2 servers will be taken offline at the same time.
Specify whether to use a pre-deployment (node drain) script or post-deployment (node resume) script.
Tip
The following are examples that you can use in testing for pre-deployment and post-deployment scripts that write the current time to a text file:
Pre-deployment
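#Start
$a = Get-Date
# Parentheses make the concatenation a single string; without them Write-Output receives three separate arguments
Write-Output ("Universal Time: " + $a.ToUniversalTime()) |
Out-File C:\temp\start.txt
Post-deployment
#End
$a = Get-Date
# Parentheses make the concatenation a single string; without them Write-Output receives three separate arguments
Write-Output ("Universal Time: " + $a.ToUniversalTime()) |
Out-File C:\temp\end.txt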
To deploy software updates to the server cluster
Deploy software updates to the server cluster collection.
Support for SQL Server AlwaysOn for highly available databases
Configuration Manager now supports using a SQL Server AlwaysOn availability group to host the site database. When you install a new site, you can direct setup to use the availability group instead of a normal instance of SQL Server.
Note
Successful configuration and use of availability groups requires you to be comfortable with configuring SQL Server availability groups, and relies on documentation and procedures provided in the SQL Server documentation library.
The high level process to configure and use availability groups includes:
Configure the availability group in SQL Server.
Install a new Configuration Manager site and, during Setup, direct the site to use the availability group by specifying the group's Endpoint.
Prerequisites for this scenario:
Requires a version of SQL Server supported by the Configuration Manager Technical Preview
You must create and configure the SQL Server Availability Group before installing Configuration Manager
The availability group must have one primary replica, and can have up to two synchronous secondary replicas
The availability group must have at least one Endpoint
You must have a network location that each SQL Server in the Availability Group can access. This location is used by Setup when configuring the Availability Group, and can be removed after Setup completes.
Known issues for this release:
You cannot successfully add a new replica member to an Availability Group that is already in use as a site database. Instead, you must reinstall the site after the new replica member is added.
For this scenario you might need to install the SQL Server 2012 native client (from the SQL Server 2012 Feature Pack) on the management point server. This prevents SQL connection errors (which are logged in the mp_getauth.log on the management point server).
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
I can install a primary site that uses a database server configured for SQL AlwaysOn Availability Groups
I was able to fail over my SQL AlwaysOn Availability Group to a new replica in the group and the primary site is still operational
Configuring SQL Server AlwaysOn for Configuration Manager
Use the following procedures to first create and configure the availability group, and then install a new Configuration Manager site that uses the availability group.
To create a SQL Server AlwaysOn availability group
The process to create a SQL Server availability group is documented in the SQL Server documentation library. When you create the availability group, ensure the following requirements for use with Configuration Manager are met:
A maximum of three members:
One primary replica and up to two secondary replicas
Secondary replicas must be synchronous.
Tip
We recommend that secondary replicas be configured to be read only. This enables you to use a secondary replica for functions like reporting while maintaining the performance of the primary replica for site operations.
At least one endpoint. The virtual name of this endpoint will be used when you install the Configuration Manager site.
Tip
Although the group can contain multiple Endpoints, Configuration Manager can only make use of one.
To install a Configuration Manager site that uses the availability group
To install a site that uses a SQL Server availability group:
Substitute the following when prompted by Configuration Manager Setup:
SQL Server name: Enter the virtual name for the Endpoint that you configured when creating the availability group. The virtual name should be a full DNS name, like <endpointServer>.fabrikam.com.
Instance: This value should remain blank. There is no instance in this configuration.
Database: Enter the name of the database you created on the primary replica of the availability group.
Next, you must provide a network location that each SQL Server in the group can access:
The computer account and service account from each SQL Server require full control access to this location.
This location is only used during setup, and can be unshared or deleted after Setup completes and the site is installed.
After you provide this information, complete setup with your normal process and configurations.
Deploy Windows Business Store applications
When you have multiple copies of an app purchased from the Windows Business Store, you can deploy the offline app (and its licenses) to Windows 10 devices that are managed by the Configuration Manager client.
Prerequisites for this scenario:
The device must run a Windows 10 build from the Windows Insider Program released after August 10th
The device must be managed with the Configuration Manager client from this Technical Preview
You can obtain an offline licensed app in two ways.
You will need the app file (.appx file) and the offline license file ({GUID}.bin file).
If you have an evaluation account for the business store, you can download an app from the Windows Business Store Portal
If you don’t have a business store account, you can download a sample app from the TechNet Gallery
Limitations for this scenario:
This scenario is not supported on Windows 10 RTM or on builds you obtained from the Windows Insider Program prior to August 10th
The sample app will install successfully and supports inventory reports of its license, but is not designed to run correctly on the Windows 10 builds supported by this scenario
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
I can create a Windows app package deployment type that has requirement rules for the Windows 10 platform
I can deploy the app and have it install on a Windows 10 device
I can collect inventory from the Windows 10 device that shows the app is licensed
To deploy a Business Store app
Use your normal app deployment process with the following details:
Create an application using the Windows app package deployment type and point to the UNC path where you placed the offline licensed app package
Deploy the application to clients that run Windows 10, using a deployment purpose of Required or Available
After the app installs, use inventory to collect and then view information about the app and its license.
App deployment to Windows 10 devices with on-premises MDM
With this preview you can deploy Line Of Business (LOB) applications with a deployment purpose of Required to Windows 10 desktop computers through MDM in the same way you would deploy an application to a computer that runs the Configuration Manager client or a device that is enrolled with Microsoft Intune.
This scenario supports the following deployment types:
Windows app package (.appx, .appxbundle), including Universal Windows Platform (UWP) apps
Web application
Prerequisites for this scenario:
To enable this scenario on a device managed by on-premises MDM, you must do one of the following:
Manually enable the sideloading setting
Deploy the AllowAllTrustedApps registry key to the device (you can use MDM policy or Group Policy for domain joined clients)
The device must run the Windows 10 Pro, Education, or Enterprise edition
The device must be enrolled via on-premises MDM
A distribution point must be configured to allow requests from mobile devices
An app code signing certificate must be deployed to the device
Limitations for this scenario:
The Configuration Manager console might not show installation success correctly for LOB (.appx) applications
Uninstall might not function for LOB (.appx) applications
Currently, only deployments to device collections are supported
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
- I can deploy an app as Required to a device collection that contains devices managed using on-premises MDM, and then view that app as installed on the device's Start menu
To prepare the environment
Follow the steps to configure on-premises mobile device management
Create a device collection that contains the required devices
For LOB (.appx) applications:
Enable the Allow mobile devices to connect to this distribution point setting in the properties of the distribution point
Create an IP address range boundary for the target devices and assign to the boundary group of the MDM-enabled distribution point
Create a certificate profile (Trusted Root Certificate option) for the app signing cert from Company Resource Access node and deploy to the device collection
To prepare the device
Enroll the device following the steps from the on-premises mobile device management documentation
For LOB (.appx) applications:
Ensure the certificate profile is deployed successfully to the device and the app code signing certificate appears in the Trusted Root Certification Authorities store
Enable the Sideload apps option under Windows from Settings > Update and Security > For developers
Create and deploy the app
Create and deploy the application:
Create a new application with the Windows app package (.appx, .appxbundle) or Web Application deployment type
Deploy to the previously created device collection or the All Mobile devices collection with a deployment purpose of Required
Verify the application is installed successfully:
On the device, initiate a sync in Settings > Account > Work access
After the sync is complete, the application should appear in the Start Menu
For a LOB (.appx) application, you can also check if the application is present on the device using the Get-AppxPackage PowerShell cmdlet
Troubleshooting steps if you do not see the application installed on the device
Ensure the device can communicate with the management point:
- Click Info in Settings > Account > Work access on the device to check the status of the last sync.
Ensure the device’s operating system is compatible with the application:
- Navigate to the properties of the deployment type in the Configuration Manager console and ensure the targeted device matches the selected operating system requirements, including the edition of Windows and the OS architecture.
For LOB (.appx) applications:
On the client, verify the app code signing certificate is present in the Trusted Root Certification Authorities store
On the client, verify Sideload apps is selected in Windows settings
Verify the content for the application is distributed successfully
Verify the device falls within the IP range boundaries or the application is configured to support slow boundaries
If the application has framework dependencies, ensure the dependencies were present in the same folder as the .appx or .appxbundle file when the application was created
Note that the Configuration Manager console might show an error for the application deployment status even if the application is successfully installed on the device. This is one of the current limitations for LOB (.appx) applications.
Compliance settings for Windows 10
This release supports compliance settings for Windows 10 in the same way that Windows 8.1 is supported.
When you use the Create Configuration Item Wizard and select Windows 10 as a platform, only the settings that are relevant to Windows 10 are shown.
When you configure password settings, plan to attempt remediation before relying on the resultant status:
Configuration Manager reports this setting as compliant until remediation is attempted
Therefore, initially the status will always be compliant even if the device does not have the right password policy applied
Only after remediation is attempted will the reported status be accurate
If you specify that read-only settings must be remediated, the remediation reports success, but no action will be taken
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
I can deploy compliance settings to Windows 10 devices
I can view the status of compliance settings deployed to Windows 10 devices
To create a Windows 10 configuration item
In the Create Configuration Item Wizard, under Settings for devices managed with the Configuration Manager client, select Windows 10.
Click Next, then select the specific Windows 10 versions that you want to support
Click Next, then create the settings you require. This works the same as it did in Configuration Manager 2012, but settings are disabled or removed if they are not applicable for the platform you selected
Improved workflow for creating mobile device configuration items
This Technical Preview introduces changes to the Create Configuration Item Wizard that make it easier for you to identify which of the available settings apply to the different mobile device platforms.
In Configuration Manager 2012, you specified settings and values (like Password Quality) and only after you defined the settings were you told which applied to the required platform.
Now, you select the platform you want at the start of the wizard and then you are shown only those settings that apply to that platform.
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
- I can create a configuration item and only settings that apply to the platform I select are available
To create a mobile device configuration item
Start the Create Configuration Item Wizard, and select the device platform that you want to define settings for
Click Next, and then select the specific platform versions that you want to support
Click Next, and then create the settings you require. Any settings that do not apply to the selected platform are disabled or not listed
Updates for Windows 10 in-place upgrade
In addition to the capabilities (and prerequisites) for Windows 10 in-place upgrade from the Technical Preview 2, the Technical Preview 3 includes several updates for Windows 10 in-place upgrade.
The following limitations are resolved and do not apply to the Technical Preview 3 release:
Review drivers and applications that are installed on computers to ensure they are compatible with Windows 10 before deploying the upgrade task sequence.
Provisioning mode for the Configuration Manager client is still enabled at the end of the task sequence.
The Upgrade Operating System task sequence step includes several new options. Of note is Perform Windows Setup compatibility scan without starting upgrade. When you use this option, the task sequence includes the /compat ScanOnly parameter for the Windows Setup command line:
This option specifies that Setup runs the standard checks for requirements (like command line parameters, media selection, hardware and power, as well as compatibility of applications and devices), but does not actually start the upgrade process.
Instead, Setup returns known exit codes including a separate code for compatibility “success.”
Important
Make sure you configure the compatibility scan task sequence step the same as the task sequence step you use for upgrade, as this ensures that the scan validates all aspects of the process.
For your reference, the following are the most common exit codes from Windows Setup:
Common return codes | Details |
---|---|
MOSETUP_E_COMPAT_SCANONLY (0xC1900210) | No compatibility issues (success) |
MOSETUP_E_COMPAT_INSTALLREQ_BLOCK (0xC1900208) | Actionable compatibility issues, like Apps |
MOSETUP_E_COMPAT_MIGCHOICE_BLOCK (0xC1900204) | Selected migration choice is not available, like Enterprise to Professional |
MOSETUP_E_COMPAT_SYSREQ_BLOCK (0xC1900200) | Not eligible for Windows 10 |
MOSETUP_E_INSTALLDISKSPACE_BLOCK (0xC190020E) | Not enough free disk space |
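Because the compatibility "success" code is itself nonzero, a wrapper that treats any nonzero exit code as a failure reports a clean scan as an error. The following PowerShell is an added example, not part of the original topic: the function name Resolve-SetupCompatCode is hypothetical, the code values and meanings are the ones listed above, and the inputs at the end are constructed.

```powershell
# Added example: classify the exit code of a Windows Setup compatibility scan.
# Code values and meanings come from the table above; everything else is illustrative.

$SetupCompatCodes = @{
    'C1900210' = @('MOSETUP_E_COMPAT_SCANONLY',         'No compatibility issues (success)')
    'C1900208' = @('MOSETUP_E_COMPAT_INSTALLREQ_BLOCK', 'Actionable compatibility issues, like Apps')
    'C1900204' = @('MOSETUP_E_COMPAT_MIGCHOICE_BLOCK',  'Selected migration choice is not available, like Enterprise to Professional')
    'C1900200' = @('MOSETUP_E_COMPAT_SYSREQ_BLOCK',     'Not eligible for Windows 10')
    'C190020E' = @('MOSETUP_E_INSTALLDISKSPACE_BLOCK',  'Not enough free disk space')
}

function Resolve-SetupCompatCode {
    param(
        [Parameter(Mandatory)]
        [long]$ExitCode
    )

    # A process exit code is a signed 32-bit value, so 0xC1900210 is reported
    # as -1047526896. Masking to the low 32 bits recovers the unsigned form
    # that the table uses, whichever way the caller obtained the number.
    $hex   = '{0:X8}' -f ($ExitCode -band 4294967295)
    $entry = $SetupCompatCodes[$hex]

    [pscustomobject]@{
        ExitCode   = $ExitCode
        Hex        = "0x$hex"
        Name       = if ($entry) { $entry[0] } else { 'Unknown' }
        Details    = if ($entry) { $entry[1] } else { 'Not one of the common codes listed above' }
        # Only MOSETUP_E_COMPAT_SCANONLY means the scan found nothing blocking.
        ScanPassed = ($hex -eq 'C1900210')
    }
}

# Constructed inputs: the "success" code in signed and unsigned form,
# one blocking code (0xC1900208), and a value that is not in the table.
$codes = @(-1047526896, 3247440400, 3247440392, 0)
$codes | ForEach-Object { Resolve-SetupCompatCode -ExitCode $_ } |
    Format-Table ExitCode, Hex, Name, ScanPassed -AutoSize
```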
Updates for bulk enrollment of Windows 10 devices with on-premises MDM
In addition to the capabilities (and prerequisites) for Bulk enrollment of Windows 10 devices with on-premises MDM from the Technical Preview 2, Technical Preview 3 supports bulk enrollment end-to-end:
You can create an enrollment profile and export a package from the profile
You can take that package and deploy it to a device that runs Windows 10 (pre-release versions of Windows 10 are not supported)
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
I am able to create a bulk enrollment profile and edit it (use the procedure provided for Technical Preview 2)
I am able to install the bulk enrollment profile to a device that runs a release build of Windows 10
To install the bulk enrollment profile
Copy the bulk enrollment profile package you created to a folder on the Windows 10 device.
On the Windows 10 device double-click on the package to import (install) the package:
If it was encrypted when exported, enter the package password.
When prompted, confirm the package is from a source you trust.
After the import dialogs close, on the device go to Settings > Accounts > Work access where you can verify the device is now connected (and enrolled with Configuration Manager).
Schedule and run the WSUS clean up task from the Configuration Manager console
You can now manually run the WSUS cleanup task from the Software Update Point Component properties. When you select to run the WSUS cleanup task, it will run at the next software updates synchronization. The expired software updates will be set to a status of declined on the WSUS server and the Windows Update Agent on computers will no longer scan these software updates. By default, the WSUS cleanup job runs every 30 days.
To schedule the WSUS cleanup job to run
In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.
Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.
Click the Supersedence Rules tab, select Run WSUS cleanup wizard, and then click OK.
General improvements in the Technical Preview 3
Boundary caching and content lookup requests:
- When a client makes a content location request to a management point, that client's boundary information is cached to help improve the performance of the stored procedures for content lookup
Maintenance Windows:
- Maintenance windows now obey UTC configurations regardless of the client's local time
Update 1509 for Technical Preview
The following new capabilities are now ready to use with an existing install, or new install of the Technical Preview 3:
Updates and servicing
Client piloting to preproduction
Software Center
General improvements in Version 1509 for Technical Preview
Prerequisites
Version 1509 for Technical Preview has the following limitations:
This preview is only supported on test environments with single standalone primary site server.
The operating system locale must be English.
The date/time format must be set to MM-DD-YYYY on the standalone primary site server computer or the installation might fail. If you have a different date/time format, you can temporarily change the format to MM-DD-YYYY, download and install the update, and then change the date/time format back to its original state.
The standalone primary site server computer must have internet access to download the update package.
Install Windows 10 ADK components on the site server computer from https://go.microsoft.com/fwlink/?LinkId=529534.
You must have an existing site installed with the Technical Preview 3. To verify, open the Configuration Manager console and go to Administration > Overview > Site Configuration > Sites and check Build Number in the Details Pane. It should read 8287.
You must have the Cloud Connection Point site system role installed on the primary site server. If you do not, install the role by using the Add Site System Roles wizard. Open the Configuration Manager console and go to Administration > Overview > Site Configuration > Servers and Site System Roles > Add Site System Roles.
Updates and servicing
Version 1509 for Technical Preview introduces a new update model that helps keep your Configuration Manager deployment current with the latest updates and features. This model replaces the need to install separate service packs, cumulative updates, or Extensions for Microsoft Intune, to gain new functionality. This service model is similar to those seen with other Microsoft products like Windows 10.
When the Technical Preview 3 installs, it automatically configures a new site system role on the site server, the cloud connection point. This site system role is required for Technical Preview 3 and:
Is used by the site to check for and download updates to Configuration Manager.
Replaces the Microsoft Intune connector, which is used to integrate Intune with Configuration Manager. (You do not need to configure an Intune subscription unless you plan to manage devices using Intune.)
Is used for submitting usage and diagnostic data from Configuration Manager.
Updates for Configuration Manager:
Can include fixes and features that apply to multiple areas or components of Configuration Manager including:
Site servers
The SMS_Provider
Configuration Manager consoles
Configuration Manager clients
Typically, updates are cumulative so you will not need to install each previous update before installing the most recent update. However, it is possible that some updates will have a prerequisite of a previously available update.
Discover new updates:
Every seven days (beginning from the day and time that you installed Technical Preview 3), Configuration Manager checks for new updates that might be available.
Note
If a released update is not displayed in the Updates and Servicing node of the Configuration Manager console, you can restart the SMS_Executive service to force the site server to immediately check for available updates.
When an update is found, Configuration Manager will automatically download the update.
You can check the DMPDownloader.log file to verify that the downloader thread started to download and extract the content. To find DMPDownloader.log file, go to <ConfigMgr_Installation_Directory>\Microsoft Configuration Manager\Logs\DMPDownloader.log.
New updates display as Available in the console under Administration > Cloud Services > Updates and Services. In this same location the updates you have previously installed display as Installed.
Installing updates:
To install an update, in Administration > Cloud Services > Updates and Services, select an Available update and then click Install Update Pack
When installing updates:
You are presented with a wizard that displays a list of the product areas that the update applies to.
If an update applies to the Configuration Manager client, you are presented with the option to test the client update with a limited set of clients. For more information on this, see Client piloting to preproduction.
When you complete the update installation, Configuration Manager:
Reinstalls any affected components like site system roles or the Configuration Manager console.
Updates to clients are managed based on the selections you made for client piloting.
Site system servers do not require a reboot.
You can monitor the progress of the installation in the Configuration Manager console in Monitoring > Overview > Site Servicing Status > Show Status. Or, you can check the CMUpdate.log file in <ConfigMgr_Installation_Directory>\Logs\.
Post installation
An upgrade popup message is displayed in the Configuration Manager console (running Technical Preview 3) to upgrade the console. Click OK to close the current Configuration Manager console and upgrade the console to the 1509 Technical Preview version.
Note
The popup message is displayed as soon as you perform an action in the console (for example, when you open a wizard or open the properties dialog for an object, etc.) or close and restart the console.
After the Configuration Manager console upgrade completes, verify that the console and site versions are correct. Go to About System Center Configuration Manager at the top-left corner of the console. The version should be 1509. The console and site version should be 5.00.8299.1000.
Known issues
This release ignores prerequisite check warnings and will not interrupt the installation. This happens regardless of whether you check the Prerequisite warning in the installation wizard.
There is an option in the Configuration Manager console to Run prerequisite check only prior to the update pack installation. However, this option will run the full installation and not only the prerequisite check.
Troubleshooting
If you run into problems during the installation of Version 1509 for Technical Preview, review the following possible issues:
If your operating system locale is not set to English or your date/time format is not set to MM-DD-YYYY, the installation of Version 1509 for Technical Preview might fail.
Symptom: You might see one of the following symptoms:
An error might occur when Configuration Manager tries to convert the date/time format from DD/MM/YYYY to MM/DD/YYYY. For example, if the date is 20/09/2015 in DD/MM/YYYY format (Sept 20, 2015), Configuration Manager assumes that it is in MM/DD/YYYY format (20th month, 9th day) and there is an error. The error message is written to Hman.log as follows:
*** [42000][8114][Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Error converting data type nvarchar to datetime. : spCMUSetUpdatePackageState
The Configuration Manager console displays a state of Installing and displays a future time for Last Update Time. This error might occur when Configuration Manager tries to convert the date/time format from DD/MM/YYYY to MM/DD/YYYY. For example, if the date is 12/10/2015 in DD/MM/YYYY format (October 12th), Configuration Manager might convert the date to 12/10/2015 (December 10th).
Solution: To work around this issue, run the following SQL statement: EXEC spCMUSetUpdatePackageState N'dcd17922-2c96-4bd7-b72d-e9159582cdf2', 262146, N''
If there is a Prerequisite Check rule failure, the installation will fail for Version 1509 for Technical Preview.
Symptom: The Configuration Manager console displays the rule that failed.
Solution: Fix the Prerequisite Check rule error. For example, if you do not have Windows 10 ADK installed and the associated prerequisite rule fails, install the Windows 10 ADK. Then, re-run <ConfigMgr_installation_folder>\EasySetupPayload\dcd17922-2c96-4bd7-b72d-e9159582cdf2\SMSSETUP\BIN\X64\prereqchk.exe on the site server. Once the check completes without an error, Version 1509 for Technical Preview will automatically restart.
The installation for Version 1509 for Technical Preview stops unexpectedly.
Symptom: The Configuration Manager console displays that the Version 1509 for Technical Preview installation has failed and Configuration Manager console no longer shows the update as available for installation. This might occur if a Configuration Manager service has stopped.
Solution: Identify the error in the CMUpdate.log file and fix the issue, if possible. Then, make sure the Configuration Manager services are running, such as SMS_EXECUTIVE, SMS_SITE_COMPONENT_MANAGER, CONFIGURATION_MANAGER_UPDATE. Then, re-run <ConfigMgr_installation_folder>\EasySetupPayload\dcd17922-2c96-4bd7-b72d-e9159582cdf2\SMSSETUP\BIN\X64\prereqchk.exe on the site server. Once the check completes without an error, Version 1509 for Technical Preview will automatically restart.
Client piloting to preproduction
With client piloting you can easily deploy and test updates to the Windows client using a pre-production collection while leaving your current client version in use by the remainder of your hierarchy. When you pilot a client update, only the clients that are members of the pre-production collection that you selected install the updated client. At a later time, when you're ready, you can move the updated client version from pre-production to production, making it available to all your clients.
Prerequisites for this scenario:
You must use Updates and servicing to install an update that contains a new Configuration Manager client. When you install the update, on the Client Options page you must select the option Test new version in a pre-production collection.
You must configure pre-production client updates for automatic client deployment. The result of doing so is when you choose to test a client update with the pre-production collection, clients in the collection upgrade to the new client version immediately.
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
I can successfully pilot a client upgrade to the pre-production collection
I can promote the pre-production client version to production and deploy it to production clients
Configure client piloting
In the Configuration Manager console open Administration > Site Configuration > Sites, and click Hierarchy Settings.
On the Client Upgrade tab of the Hierarchy Settings Properties:
Select Upgrade all clients in the pre-production collection automatically using pre-production client
Enter the name of a collection to use as a pre-production collection
Click OK to save the Client Upgrade settings and continue.
Use Easy Setup to locate and start the installation of an update that includes a new client.
Note
The first update that is made available after the Technical Preview 3 is released will include an updated client for testing this scenario.
During installation of the update, on the Client Options page of the wizard, select Test in pre-production collection, click Next, and then complete the wizard.
After the wizard completes, clients in the pre-production collection will begin to install the updated client.
Promote a pre-production client to production
When you are ready to move the updated client out of pre-production testing and into general use:
In the Configuration Manager console open Administration > Cloud Services > Updates and Servicing, and click Client Update Options
In Client Update Options, check the option to make the pre-production client version available to production, and then click OK.
After Client Update Options closes, the updated client version will replace the current client version in use in your hierarchy. You can then use your normal procedures to upgrade clients.
Software Center
Software Center has a new, modern look and apps that previously only appeared in the Application Catalog (user-available apps) now appear in Software Center under the Applications tab. This makes these deployments more discoverable to users and removes the need for them to use the Application Catalog. Additionally, a Silverlight enabled browser is no longer required.
Prerequisites for this scenario:
- Both the Application Catalog website point and Application Catalog web service point site system roles are still required for user-available apps to appear in Software Center and for branding settings to be edited.
Note
Branding color choices made in the Application Catalog website point site server role properties will also affect the branding color in the new Software Center. If a Microsoft Intune subscription is set up under Administration > Cloud Services, then the branding settings in the subscription properties take precedence for Software Center branding.
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
Try out the new UI, browse device and user-targeted apps in one place
Install a user-available app from Software Center
General improvements in Version 1509 for Technical Preview
In the Setup Windows and Configuration Manager task sequence step, the Use pre-production client package when available setting is now available. When you select this setting, if the computer is a member of the piloting collection and the pre-production client package is available, the computer will install the pre-production client when the task sequence is run.
Passport for Work is an option for key storage when creating a certificate profile using a Simple Certificate Enrollment Protocol (SCEP) certificate. As part of this option, you can also choose to require that the passport on the device was created for a user who was authenticated with multi-factor authentication, before a certificate is issued.
Update 1510 for Technical Preview
Update 1510 introduces the following new capabilities for the System Center Configuration Manager Technical Preview:
Windows 10 servicing
Wipe and Retire for on-premises mobile device management
You can install this update on a System Center Configuration Manager technical preview site that runs:
Technical Preview 3: Enabling 1510 adds the new capabilities found in 1510 as well as those from 1509. You do not need to install 1509 before installing 1510.
Version 1509: Enabling 1510 adds the new capabilities found in 1510
To enable update 1510, go to the Updates and Servicing node in your Configuration Manager console.
Changes in Update 1510
Version 1510 for Technical Preview has the following new requirements and changes:
The cloud connection point is renamed as the service connection point. Only the name has changed. The service connection point is required to:
Upload usage information to Microsoft
Download updates for Configuration Manager
- When you host the site database on a computer that is remote from the site server, you must install the following on the site server: SQL Server 2012 native client (or later). Download the SQL Server 2012 native client
To upgrade to version 1510, use the information in Updates and servicing
Troubleshooting updates between versions of the Technical Preview
Update from Technical Preview 3 to 1510
If you run into problems during the update from Technical Preview 3 to Version 1510, review the following possible issues:
If your operating system locale is not set to English or your date/time format is not set to MM-DD-YYYY, the installation of Version 1510 for Technical Preview might fail.
Symptom: You might see one of the following symptoms:
An error might occur when Configuration Manager tries to convert the date/time format from DD/MM/YYYY to MM/DD/YYYY. For example, if the date is 20/09/2015 in DD/MM/YYYY format (Sept 20, 2015), Configuration Manager assumes that it is in MM/DD/YYYY format (20th month, 9th day) and there is an error. The error message is written to Hman.log as follows:
*** [42000][8114][Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Error converting data type nvarchar to datetime. : spCMUSetUpdatePackageState
The Configuration Manager console displays a state of Installing and displays a future time for Last Update Time. This error might occur when Configuration Manager tries to convert the date/time format from DD/MM/YYYY to MM/DD/YYYY. For example, if the date is 12/10/2015 in DD/MM/YYYY format (October 12th), Configuration Manager might convert the date to 12/10/2015 (December 10th).
Solution: To work around this issue, run the following SQL statement: EXEC spCMUSetUpdatePackageState N'DB316362-77FC-46C9-9984-1BAEB20615F4', 262146, N''
If there is a Prerequisite Check rule failure, the installation will fail for Version 1510 for Technical Preview.
Symptom: The Configuration Manager console displays the rule that failed.
Solution: Fix the Prerequisite Check rule error. For example, if you do not have Windows 10 ADK installed and the associated prerequisite rule fails, install the Windows 10 ADK. Then, re-run <ConfigMgr_installation_folder>\EasySetupPayload\DB316362-77FC-46C9-9984-1BAEB20615F4\SMSSETUP\BIN\X64\prereqchk.exe on the site server. Once the check completes without an error, Version 1510 for Technical Preview will automatically restart.
The installation for Version 1510 for Technical Preview stops unexpectedly.
Symptom: The Configuration Manager console displays that the Version 1510 for Technical Preview installation has failed and Configuration Manager console no longer shows the update as available for installation. This might occur if a Configuration Manager service has stopped.
Solution: Identify the error in the CMUpdate.log file and fix the issue, if possible. Then, make sure the Configuration Manager services are running, such as SMS_EXECUTIVE, SMS_SITE_COMPONENT_MANAGER, CONFIGURATION_MANAGER_UPDATE. Then, re-run <ConfigMgr_installation_folder>\EasySetupPayload\DB316362-77FC-46C9-9984-1BAEB20615F4\SMSSETUP\BIN\X64\prereqchk.exe on the site server. Once the check completes without an error, Version 1510 for Technical Preview will automatically restart.
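The date-format failure described in the troubleshooting steps for both Version 1509 and Version 1510, as an added example that is not part of the original documentation or of Microsoft's tooling: it replays the two sample dates from the symptoms, then checks the regional settings, the listed services, and Hman.log before a retry. The function names and the `$HmanLog` variable are hypothetical, and the script reads the regional settings of the session that runs it, which is assumed to match the account the site services run under.

```powershell
# Added example, not from the original page. Function names are hypothetical.
# Service names, the error text and the sample dates are the ones the page lists.
$ServicesFromPage = 'SMS_EXECUTIVE', 'SMS_SITE_COMPONENT_MANAGER', 'CONFIGURATION_MANAGER_UPDATE'
$HmanLog = $null   # Assumption: set this to the full path of Hman.log on the site server.

function Test-DateAmbiguity {
    # Reads a day-first date string as month-first and reports which symptom results.
    param([Parameter(Mandatory)][string]$DayFirstText)

    $invariant = [System.Globalization.CultureInfo]::InvariantCulture
    $styles    = [System.Globalization.DateTimeStyles]::None
    $intended  = [datetime]::ParseExact($DayFirstText, 'dd/MM/yyyy', $invariant)

    $misread = [datetime]::MinValue
    $parsed  = [datetime]::TryParseExact($DayFirstText, 'MM/dd/yyyy', $invariant, $styles, [ref]$misread)

    if (-not $parsed) {
        $outcome = 'ConversionError'      # "month" above 12: the conversion fails outright
    } elseif ($misread -ne $intended) {
        $outcome = 'SilentlyWrongDate'    # valid month-first date, but not the intended day
    } else {
        $outcome = 'Unambiguous'          # day equals month, so both readings agree
    }

    [pscustomobject]@{
        Input      = $DayFirstText
        Intended   = $intended.ToString('yyyy-MM-dd', $invariant)
        ReadAsMMDD = if ($parsed) { $misread.ToString('yyyy-MM-dd', $invariant) } else { $null }
        Outcome    = $outcome
    }
}

function Get-DateFormatCheck {
    # Reports whether the current session's short date pattern puts the month first
    # and whether the operating system was installed with an English culture.
    $culture  = Get-Culture
    $pattern  = $culture.DateTimeFormat.ShortDatePattern
    $monthPos = $pattern.IndexOf('M')
    $dayPos   = $pattern.IndexOf('d')

    [pscustomobject]@{
        SessionCulture   = $culture.Name
        ShortDatePattern = $pattern
        MonthFirst       = ($monthPos -ge 0) -and ($monthPos -lt $dayPos)
        OsCulture        = [System.Globalization.CultureInfo]::InstalledUICulture.Name
        OsIsEnglish      = [System.Globalization.CultureInfo]::InstalledUICulture.TwoLetterISOLanguageName -eq 'en'
    }
}

function Get-SiteServiceState {
    # Lists the state of each service the troubleshooting steps say must be running.
    foreach ($name in $ServicesFromPage) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { [string]$svc.Status } else { 'NotFound' }
        }
    }
}

function Find-DateConversionError {
    # Returns the Hman.log lines that carry the conversion error quoted on the page.
    param([Parameter(Mandatory)][string]$HmanLogPath)

    Select-String -Path $HmanLogPath -SimpleMatch -Pattern 'Error converting data type nvarchar to datetime' |
        Where-Object { $_.Line -like '*spCMUSetUpdatePackageState*' } |
        Select-Object LineNumber, Line
}

# The two dates used in the symptoms: one fails to convert, one converts to the wrong day.
'20/09/2015', '12/10/2015' | ForEach-Object { Test-DateAmbiguity -DayFirstText $_ } | Format-Table -AutoSize

Get-DateFormatCheck  | Format-List
Get-SiteServiceState | Format-Table -AutoSize

if ($HmanLog -and (Test-Path -LiteralPath $HmanLog)) {
    Find-DateConversionError -HmanLogPath $HmanLog | Format-List
}
```

A `MonthFirst` value of `False` or an `OsIsEnglish` value of `False` corresponds to the first troubleshooting item; a service that is not `Running` corresponds to the third.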
Update from Technical Preview 1509 to 1510
If you run into problems during the update from Technical Preview version 1509 to Version 1510, review the following possible issues:
If there is a Prerequisite Check rule failure, the installation will fail for Version 1510 for Technical Preview.
Symptom: The Configuration Manager console displays the rule that failed.
Solution: In the Configuration Manager console, right click on the update and click Retry installation
The installation for Version 1510 for Technical Preview stops unexpectedly.
Symptom: The Configuration Manager console displays that the Version 1510 for Technical Preview installation has failed and Configuration Manager console no longer shows the update as available for installation. This might occur if a Configuration Manager service has stopped.
Solution: In the Configuration Manager console, right click on the update and click Retry installation
Windows 10 servicing
In this release, you can view the state of Windows as a service in your environment, create servicing plans to form deployment rings and ensure that Windows 10 current branch systems are kept up to date when new builds are released, and view alerts when Windows 10 clients are near end of support for their build of Current Branch or Current Branch for Business.
Prerequisites for this scenario:
To see data in the Windows 10 Servicing dashboard, you must do the following:
Deploy Windows 10 on at least one computer at your site.
Enable Heartbeat Discovery. The data displayed in the Windows 10 Servicing dashboard is found by using discovery.
Internet Explorer 9 or later must be installed on the computer that runs the Configuration Manager console.
Limitations for this release
Servicing plans will not create deployments until a later release of the Current Branch. However, please send us your feedback on the servicing plan UI and usability to help us continue to improve this feature.
Try it out!
Try to complete the following tasks and then use the feedback information near the top of this topic to let us know how they worked:
I can use the dashboard to view the current state of my Windows 10 computers.
I can easily create a basic servicing plan.
I can modify the advanced properties of a servicing plan.
View the current state of Windows 10 in your environment
After Configuration Manager finds Windows 10 computers through discovery, you can view the current state of Windows 10 in your environment from the Windows 10 Servicing dashboard in the Configuration Manager console.
- In the Configuration Manager console, open Software Library and click Windows 10 Servicing.
The first donut in the dashboard provides a breakdown of public builds of Windows 10. The second donut is a breakdown of Windows 10 by branch and readiness state within the Current Branch.
Create a basic servicing plan
You can create a basic servicing plan from the dashboard.
In the Configuration Manager console, open Software Library, click Windows 10 Servicing, and then click Create Servicing Plan in the dashboard.
On the Create Servicing Plan dialog box, select the name, target collection, deployment package, and Servicing Ring settings for this servicing plan.
Modify the advanced properties of a servicing plan
In the Configuration Manager console, open Software Library, open Windows 10 Servicing, click Servicing Plans, and then select the servicing plan that you want to modify.
On the Home tab, click Properties to open properties for the selected servicing plan.
Wipe and Retire for on-premises mobile device management
System Center Configuration Manager Version 1510 adds support for remotely wiping and retiring devices for on-premises mobile device management (MDM).
About remote wipe and retire
Remotely wiping a device removes all of the company apps, data, and settings, but leaves the user’s personal information, such as contacts and device preferences, on the device. Once a device has been wiped, it’s retired from management, meaning that it is unenrolled from Configuration Manager on-premises MDM. You might choose to wipe and retire a device if an employee who owns the device has left the company.
Latency considerations for on-premises MDM
On-premises MDM with System Center Configuration Manager can be configured in two ways that affect the latency of actions like wipe and retire functions:
Connected – With the “connected” configuration of on-premises MDM, Configuration Manager uses an Intune subscription with the Microsoft Service Connector site system role to immediately “ping” or notify the device that it should check in for management purposes. Assuming the device has Internet connectivity, checking in and subsequent device management occurs fairly quickly with relatively short latency periods.
Disconnected – With the “disconnected” configuration, Configuration Manager manages devices that don’t have or are not allowed to have Internet access. In this configuration, devices communicate with Configuration Manager on a preset polling cycle, and actions are not initiated until the device checks in. Remotely wiping or retiring devices in this way can be more secure, but can also have longer latencies due to the polling cycle.
Prerequisites
You must configure Configuration Manager to use a Microsoft Intune subscription. To do that, you can follow the same instructions for setting up mobile device management with System Center 2012 R2 Configuration Manager and Microsoft Intune. The only significant difference is that for version 1510, the Microsoft Intune Connector site system role is now called the Microsoft Service Connector site system role.
In version 1510, only Windows 10 Enterprise and Windows 10 Mobile devices can be enrolled through System Center Configuration Manager on-premises MDM.
Try it out!
To wipe and retire a device:
In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you can click Device Collections and select a collection.
Select the device you want to wipe and retire.
Click Retire/Wipe, and then click OK in the Retire from Configuration Manager dialog box.
The dialog box includes two options, one for wiping only the company content on the device and one for wiping all the content. In Version 1510, only the option for wiping the company content is available.
When the device has been wiped and retired, its device status changes to Marked for deletion.
System Center Configuration Manager Technical Preview 4
System Center Configuration Manager Technical Preview 4 introduces the following new capabilities:
Managing Office 365 ProPlus Client Update through System Center Configuration Manager
Integration with Windows Update for Business in Windows 10
Technical Preview 4 has the following limitations:
- When you use a service connection point on a site system server that is remote from the site server and that site system server requires an authenticated proxy to connect to the Internet, the service connection point fails to download update packages for Configuration Manager. To resolve this issue you must either configure the proxy server setting to not require authentication, or move the service connection point to the site server.
Managing Office 365 ProPlus Client Update through System Center Configuration Manager
System Center Configuration Manager Technical Preview 4 now has the ability to manage Office 365 desktop client updates using the Configuration Manager Software Update Management workflow. When Microsoft publishes a new Office 365 desktop client update to Windows Server Updates Services (WSUS), Configuration Manager will be able to synchronize the update to its catalog if the Office 365 update is configured to be part of the catalog synchronization. The Configuration Manager site server will download the Office 365 client updates and distribute the package to Configuration Manager distribution points. The Configuration Manager client will then inform Office 365 desktop clients where to get the updates and when to start the update installation process.
Prerequisites for this scenario:
- System Center Configuration Manager Technical Preview 4
Try it out!
Try to complete the following task and then use the feedback information near the top of this topic to let us know how it worked:
You can synchronize Office 365 updates to the Configuration Manager site server and view them from the Configuration Manager console.
You can approve and successfully deploy Office 365 updates.
You can download and successfully Office 365 updates to clients.
You can verify compliance for Office 365 updates by using in-console monitoring or reports.
For detailed steps, see Manage Office 365 client updates with System Center Configuration Manager Technical Preview.
Integration with Windows Update for Business in Windows 10
System Center Configuration Manager Technical Preview 4 now has the ability to differentiate a Windows 10 computer that is directly connected via Windows Update for Business (WUfB) versus the ones connected to WSUS for getting Windows 10 updates and upgrades. For computers connected via WUfB, the updates and upgrades can be managed at the cadence set by an administrative user via Group Policies or MDM policies and these updates/upgrades can be installed directly from WUfB. For computers connected via WUfB, Configuration Manager will not be able to report on compliance status (including Windows Updates or Definition Updates). Also Configuration Manager will not be able to deploy Microsoft Updates or 3rd party updates to these computers.
Prerequisites for this scenario:
System Center Configuration Manager Technical Preview 4.
Windows 10 Desktop Pro or Windows 10 Enterprise Edition version 1511 or later
Computers to be managed via Windows Update for Business.
Try it out!
Try to complete the following task and then use the feedback information near the top of this topic to let us know how it worked:
Disable the Windows Update Agent so it doesn't scan against WSUS, if it was previously enabled. The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\useWSUSServer can be set to indicate whether the computer is scanning against WSUS or Windows Update. When the value is 2, it’s not scanning against WSUS.
Take note of the new attribute UseWUServer, under the Windows Update node in Configuration Manager Resource Explorer.
Create a collection based on the UseWUServer attribute for all the computers that are connected via WUfB for updates and upgrades.
Create a client agent setting to disable the software update workflow and deploy the setting to the collection of computers that are connected directly to WUfB.
The computers that are managed via WUfB will display Unknown in the compliance status and won’t be counted as part of the overall compliance percentage.
See Also
Microsoft System Center Endpoint Protection Technical Preview