ConfigMgr BitLocker Management Reports | SCCM

[New Post] #ConfigMgr BitLocker Management Reports | #SCCM #MEMCM #MEMPowered

Let’s understand which are the ConfigMgr BitLocker Management Reports (default) available. You can use ConfigMgr to manage BitLocker Drive Encryption (BDE) for on-premises Windows 10 clients to Active Directory. SCCM Bitlocker management provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM). Microsoft introduced…

View On WordPress

Configuration Manager Technical Preview 2005

Configuration Manager Technical Preview 2005. You can now initiate an application install in real time for a tenant attached device from the Microsoft Endpoint Management admin center. Helpdesk users can initiate real-time queries and run PowerShell scripts from the cloud against an individual Configuration Manager managed device and return the results to the admin center. Additionally, you can now see a timeline of events that shows past activity on the device that can help you troubleshoot problems for each device. Tenant attach: Device timeline in the admin center When Configuration Manager synchronizes a device to Microsoft Endpoint Manager through tenant attach, you can now see a timeline of events. This timeline shows past activity on the device that can help you troubleshoot problems. Tenant attach: Install an application from the admin center You can now initiate an application install in real time for a tenant attached device from the Microsoft Endpoint Management admin center. Tenant attach: CMPivot from the admin center Bring the power of CMPivot to the Microsoft Endpoint Manager admin center. Allow additional personas, like Helpdesk, to be able to initiate real-time queries from the cloud against an individual ConfigMgr managed device and return the results back to the admin center. This gives all the traditional benefits of CMPivot, which allows IT Admins and other designated personas the ability to quickly assess the state of devices in their environment and take action. Tenant attach: Run Scripts from the admin center Bring the power of the Configuration Manager on-premises Run Scripts feature to the Microsoft Endpoint Manager admin center. Allow additional personas, like Helpdesk, to run PowerShell scripts from the cloud against an individual Configuration Manager managed device. This gives all the traditional benefits of PowerShell scripts that have already been defined and approved by the Configuration Manager admin to this new environment. VPN boundary type To simplify managing remote clients, you can now create a new boundary type for VPNs. Previously, you had to create boundaries for VPN clients based on the IP address or subnet. This configuration could be challenging or not possible because of the subnet configuration or the VPN design. Now when a client sends a location request, it includes additional information about its network configuration. Based upon this information, the server determines whether the client is on a VPN. All clients that connect through a VPN automatically belong to the boundary group associated with this new boundary type. Azure AD authentication in Software Center This release fixes an issue with Software Center and Azure Active Directory (Azure AD) authentication. For a client detected as on the intranet but communicating via the cloud management gateway (CMG), previously Software Center would use Windows authentication. When it tried to get the list of user available apps, it would fail. It now uses Azure Active Directory (Azure AD) identity for devices joined to Azure AD. These devices can be cloud-joined or hybrid-joined. Install and upgrade the client on a metered connection Previously, if the device was connected to a metered network, new clients wouldn't install. Existing clients only upgraded if you allowed all client communication. For devices that are frequently roaming on a metered network, they would be unmanaged or on an older client version. Starting in this release, client install and upgrade both work when you set the client setting Client communication on metered internet connections to Allow. To define the behavior for a new client installation, there's a new ccmsetup parameter /AllowMetered. When you allow client communication on a metered network for ccmsetup, it downloads the content, registers with the site, and downloads the initial policy. Any further client communication follows the configuration of the client setting from that policy. Task sequence media support for cloud-based content Even though there are more remote devices to manage these days, you may still have business processes to recover devices using task sequence media. For example, you send a USB key to a remote user to reimage their device. Or a remote office that has a local PXE server, but devices mainly connect to your main network over the internet. Instead of further taxing the VPN to download large OS deployment content, boot media and PXE deployments can now get content from cloud-based sources. For example, a cloud management gateway (CMG) that you enable to share content. Improvements to cloud management gateway cmdlets With more customers managing remote devices now, this release includes several new and improved Windows PowerShell cmdlets for the cloud management gateway (CMG). You can use these cmdlets to automate the creation, configuration, and management of the CMG service and Azure Active Directory (Azure AD) requirements. For example, an Azure administrator first creates the two required apps in Azure Active Directory (Azure AD). Then you write a script that uses the following cmdlets to deploy a CMG: Import-CMAADServerApplication: Create the Azure AD server app definition in Configuration Manager.Import-CMAADClientApplication: Create the Azure AD client app definition in Configuration Manager.Use Get-CMAADApplication to get the app objects, and then pass to New-CMCloudManagementAzureService to create the Azure service connection in Configuration Manager.New-CMCloudManagementGateway: Create the CMG service in Azure.Add-CMCloudManagementGatewayConnectionPoint: Create the CMG connection point site system. Community hub and GitHub The IT Admin community has developed a wealth of knowledge over the years. Rather than reinventing items like Scripts and Reports from scratch, we've built a Configuration Manager Community hub where IT Admins can share with each other. By leveraging the work of others, you can save hours of work. The Community hub fosters creativity by building on others' work and having other people build on yours. GitHub already has industry-wide processes and tools built for sharing. Now, the Community hub will leverage those tools directly in the Configuration Manager Console as foundational pieces for driving this new community. For the initial release, the content made available in the Community hub will be uploaded only by Microsoft. Currently, you can't upload your own content to GitHub for use by Community hub. Community hub supports the following objects: PowerShell ScriptsReportsTask sequencesApplicationsConfiguration items Microsoft 365 Apps for enterprise Office 365 ProPlus was renamed to Microsoft 365 Apps for enterprise on April 21, 2020. Starting in this technical preview the following changes have been made: The Configuration Manager console has been updated to use the new name.This change also includes update channel names for Microsoft 365 Apps.A banner notification was added to the console to notify you if one or more automatic deployment rules reference obsolete channel names in the Title criteria for Microsoft 365 Apps updates. If you use Title as criteria for Microsoft 365 Apps updates in your automatic deployment rules, use the next section to help modify them. Update channel information for Microsoft 365 Apps When Office 365 ProPlus was renamed to Microsoft 365 Apps for enterprise, the update channels were also renamed. If you use an automatic deployment rule to deploy updates, you'll need to make changes to your rules if they rely on the Title property. That's because the name of update packages in the Microsoft Update Catalog is changing. Currently, the title of an update package for Office 365 ProPlus begins with "Office 365 Client Update" as seen in the following example:     Office 365 Client Update - Semi-annual Channel Version 1908 for x64 based Edition (Build 11929.20648) For update packages released on and after June 9, the title will begin with "Microsoft 365 Apps Update" as seen in the following example:     Microsoft 365 Apps Update - Semi-annual Channel Version 1908 for x64 based Edition (Build 11929.50000) New Channel namePrevious Channel nameSemi-Annual Enterprise ChannelSemi-Annual ChannelSemi-Annual Enterprise Channel (Preview)Semi-Annual Channel (Targeted)Monthly Enterprise ChannelNACurrent ChannelMonthly ChannelCurrent Channel (Preview)Monthly Channel (Targeted)Beta ChannelInsider Report setup and upgrade failures to Microsoft If the setup or update process fails to complete successfully, you can now report the error directly to Microsoft. If a failure occurs, the Report update error to Microsoft button is enabled. When you use the button, an interactive wizard opens allowing you to provide more information to us. In technical previews, this button is always enabled even when the setup completes successfully. When running setup from the media rather than the console, you'll also be given the Report update error to Microsoft option if setup fails. Notification for Azure AD app secret key expiration Based on your UserVoice feedback, if you Configure Azure services to cloud-attach your site, the Configuration Manager console now displays notifications for the following circumstances: One or more Azure AD app secret keys will expire soonOne or more Azure AD app secret keys have expired Improvements to BitLocker task sequence steps Based on your UserVoice feedback, you can now specify the Disk encryption mode on the Enable BitLocker and Pre-provision BitLocker task sequence steps. The Enable BitLocker step also now includes the setting to Skip this step for computers that do not have a TPM or when TPM is not enabled.  Improvements to the content library cleanup tool If you remove content from a distribution point while the site system is offline, an orphaned record can exist in WMI. Over time, this behavior can eventually lead to a warning status on the distribution point. The content library cleanup tool in delete mode could remove orphaned files from the content library. It can now also remove orphaned content records from the WMI provider on a distribution point.  Remove command prompt during Windows 10 in-place upgrade During a task sequence to upgrade a device to Windows 10, during one of the final Windows configuration phases a command prompt window opens. The window is on top of the Windows out-of-box experience (OOBE), and users can interact with it to disrupt the upgrade process. Starting in this release, the SetupCompleteTemplate.cmd and SetupRollbackTemplate.cmd scripts from Configuration Manager include a change to hide the command prompt window. Read the full article

Configuration Manager Technical Preview 2002

Configuration Manager Technical Preview 2002. In this technical preview added the following improvements to Orchestration Groups: Clear the state, such as *Complete or Failed, for an Orchestration Group member so you can rerun the orchestration. Right-click on the Orchestration Group member and select Reset Orchestration Group Member. Start some basic operations like Resource Explorer and Enable Verbose Logging for selected members.Updates requiring restarts now work with orchestration.

This preview release also includes:

Evaluate software updates after a servicing stack update Configuration Manager now detects if a servicing stack update (SSU) is part of an installation for multiple updates. When an SSU is detected, it’s installed first. After install of the SSU, a software update evaluation cycle runs to install the remaining updates. This change allows a dependent cumulative update to be installed after the servicing stack update. Disconnected WSUS support for Office 365 updates You can use a new tool to import Office 365 updates from an internet connected WSUS server into a disconnected Configuration Manager environment. Improvements to Microsoft Edge management You can now create a Microsoft Edge application that's set up to receive automatic updates rather than having automatic updates disabled. This change allows you to choose to manage updates for Microsoft Edge with Configuration Manager or allow Microsoft Edge to automatically update. Proxy support for Azure Active Directory discovery and group sync The site system's proxy settings, including authentication, are now used by: Azure Active Directory (Azure AD) user discoveryAzure AD user group discoverySynchronizing collection membership results to Azure Active Directory groups Log files SMS_AZUREAD_DISCOVERY_AGENT.log Improvements to BitLocker management The BitLocker management policy now includes additional settings, including policies for fixed and removable drives: Global policy settings on the Setup page: Prevent memory overwrite on restartValidate smart card certificate usage rule complianceOrganization unique identifiers OS drive settings: Allow enhanced PINS for startupOperating system drive password policyReset platform validation data after BitLocker recoveryPre-boot recovery message and URLEncryption policy enforcement settings Fixed drive settings: Fixed data drive encryptionDeny write access to fixed drives not protected by BitLockerAllow access to BitLocker fixed data drives from earlier versions of WindowsFixed data drive password policyEncryption policy enforcement settings Removable drive settings: Removable drive data encryptionDeny write access to removable drives not protected by BitLockerAllow access to BitLocker protected removable drives not protected by BitLockerRemovable drive password policy Client management settings: User exemption policyCustomer experience improvement program BitLocker management known issues The following new settings don't work in this technical preview version: Fixed drive settings: Deny write access to fixed drives not protected by BitLockerRemovable drive settings: Deny write access to removable drives not protected by BitLockerClient management policy: Customer experience improvement program BitLocker reports don't work in this release Additional improvements to task sequence progress Based on continued feedback from the community, this release includes further improvements to task sequence progress. Now the count of total steps doesn't include the following items in the task sequence: Groups. This item is a container for other steps, not a step itself.Instances of the Run task sequence step. This step is a container for other steps, so are no longer counted.Steps that you explicitly disable. A disabled step doesn't run during the task sequence, so is no longer counted. Improvements to the ConfigMgr PXE Responder The ConfigMgr PXE Responder now sends status messages to the site server. This change makes troubleshooting operating system deployments easier. Token-based authentication for cloud management gateway This feature appears in the What's New workspace of the Configuration Manager console for the technical preview branch version 2002, but it released with version 2001.2.

General known issues

Can't delete collections In this version of the technical preview branch, you can't delete collections. To work around this issue, use the following Configuration Manager PowerShell cmdlet to delete collections: Remove-CMCollection Read the full article

System Center Configuration Manager current branch Update 1906 released

System Center Configuration Manager current branch Update 1906 released. Version 1906 client requires SHA-2 code signing support Because of weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft now only signs Configuration Manager binaries using the more secure SHA-2 algorithm. The following Windows OS versions require an update for SHA-2 code signing support: Windows 7 SP1Windows Server 2008 R2 SP1Windows Server 2008 SP2 Use Desktop Analytics with Configuration Manager to: Create an inventory of apps running in your organization.Assess app compatibility with the latest Windows 10 feature updates.Identify compatibility issues and receive mitigation suggestions based on cloud-enabled data insights.Create pilot groups that represent the entire application and driver estate across a minimal set of devices.Deploy Windows 10 to pilot and production-managed devices using Configuration Manager.Minimize deployment risks by monitoring the health state of your devices during and after the deployment.Ensure your devices are still supported with security and feature updates status. Management insights rule for NTLM fallback Management insights includes a new rule that detects if you enabled the less secure NTLM authentication fallback method for the site: NTLM fallback is enabled. Improvements to support for SQL Always On Add a new synchronous replica from setup: You can now add a new secondary replica node to an existing SQL Always On availability group. Instead of a manual process, use Configuration Manager setup to make this change.Multi-subnet failover: You can now enable the MultiSubnetFailover connection string keyword in SQL Server. You also need to manually configure the site server.Support for distributed views: The site database can be hosted on a SQL Server Always On availability group, and you can enable database replication links to use distributed views. This change doesn't apply to SQL Server clusters. Site recovery can recreate the database on a SQL Always On group. This process works with both manual and automatic seeding. New setup prerequisite checks: SQL availability group replicas must all have the same seeding modeSQL availability group replicas must be healthy This release also includes:

Cloud Value

Multiple pilot groups for co-management workloads - You can now configure different pilot collections for each of the co-management workloads. Using different pilot collections allows you to take a more granular approach when shifting workloads. Improvements to co-management auto-enrollment - A new co-managed device now automatically enrolls to the Microsoft Intune service based on its Azure Active Directory (Azure AD) device token. Azure Active Directory user group discovery - You can now discover user groups and members of those groups from Azure Active Directory (Azure AD). Synchronize collection membership results to Azure Active Directory groups (Pre-release) - You can now enable the synchronization of collection memberships to an Azure Active Directory (Azure AD) group. Support for Windows Virtual Desktop - Windows Virtual Desktop is a preview feature of Microsoft Azure and Microsoft 365. You can now use Configuration Manager to manage these virtual devices running Windows in Azure.

Customer Voice

Site infrastructure Site server maintenance task improvements - Site server maintenance tasks can now be viewed and edited from their own tab on the details view of a site server. The new Maintenance Tasks tab gives you information such as: If the task is enabledThe task scheduleLast start timeLast completion timeIf the task completed successfully Configuration Manager update database upgrade monitoring – Improved progress monitoring in the installation status window and information about blocking tasks. When applying a Configuration Manager update, you can now see the state of the Upgrade ConfigMgr database task in the installation status window. If the database upgrade is blocked, then you'll be given the warning, In progress, needs attention. The cmupdate.log will log the program name and sessionid from SQL that is blocking the database upgrade. When the database upgrade is no longer blocked, the status will be reset to In progress or Complete. When the database upgrade is blocked, a check is done every 5 minutes to see if it's still blocked. Application management Application groups (Pre-release) - Create a group of applications that you can send to a user or device collection as a single deployment.Filter applications deployed to devices - User categories for device-targeted application deployments now show as filters in Software Center. This release includes the following infrastructure improvements to Software Center: Software Center now communicates with a management point for apps targeted to users as available. It doesn't use the application catalog anymore. This change makes it easier for you to remove the application catalog from the site. Previously, Software Center picked the first management point from the list of available servers. Starting in this release, it uses the same management point that the client uses. This change allows Software Center to use the same management point from the assigned primary site as the client. These iterative improvements to Software Center and the management point are to retire the application catalog roles. The Silverlight user experience isn't supported as of current branch version 1806.Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles.In the first current branch release after October 31, 2019, support will end for the application catalog roles. Operating System Deployment Task sequence debugger (Pre-release) - The task sequence debugger is a new troubleshooting tool. You deploy a task sequence in debug mode to a collection of one device.Multiple improvements based on UserVoice feedback – This includes the ability to clear app content from client cache, reclaim SEDO lock for task sequences, pre-cache driver packages and OS images, and more. Improvements to OS deployment This release includes the following improvements to OS deployment: Use the following two PowerShell cmdlets to create and edit the Run Task Sequence step: New-CMTSStepRunTaskSequence Set-CMTSStepRunTaskSequence It's now easier to edit variables when you run a task sequence. After you select a task sequence in the Task Sequence Wizard window, the page to edit task sequence variables includes an Edit button.The Disable BitLocker task sequence step has a new restart counter. Use this option to specify the number of restarts to keep BitLocker disabled. This change helps you simplify your task sequence. You can use a single step, instead of adding multiple instances of this step. Use the new task sequence variable SMSTSRebootDelayNext with the existing SMSTSRebootDelay variable. If you want any later reboots to happen with a different timeout than the first, set this new variable to a different value in seconds.The task sequence sets a new read-only variable _SMSTSLastContentDownloadLocation. This variable contains the last location where the task sequence downloaded or attempted to download content. Inspect this variable instead of parsing the client logs. Software updates Additional options for WSUS maintenance - You now have additional WSUS maintenance tasks that Configuration Manager can run to maintain healthy software update points. This release includes the following infrastructure improvements to Software Center: Software Center now communicates with a management point for apps targeted to users as available. It doesn't use the application catalog anymore. This change makes it easier for you to remove the application catalog from the site. Previously, Software Center picked the first management point from the list of available servers. Starting in this release, it uses the same management point that the client uses. This change allows Software Center to use the same management point from the assigned primary site as the client. These iterative improvements to Software Center and the management point are to retire the application catalog roles. The Silverlight user experience isn't supported as of current branch version 1806.Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles.In the first current branch release after October 31, 2019, support will end for the application catalog roles. Configuration Manager Console Role-based access for folders - You can now set security scopes on folders. If you have access to an object in the folder, but don't have access to the folder, you'll be unable to see the object.Multiple improvements based on UserVoice feedback – This includes adding a collections tab in devices node, adding a task sequences tab in applications node, and improved multi-select support. Real-time management Add joins, additional operators, and aggregators in CMPivot – For CMPivot, you now have additional arithmetic operators, aggregators, and the ability to add query joins such as using Registry and File together.CMPivot standalone (Pre-release) - You can now use CMPivot as a standalone app outside of the Administrative Console. This enables you to share the power of CMPivot with other personas, such as helpdesk or security admins, who don’t have the console installed on their computer. Added permissions to the Security Administrator role The following permissions have been added to Configuration Manager's built-in Security Administrator role: Read on SMS ScriptRun CMPivot on CollectionRead on Inventory Report Office 365 ProPlus upgrade readiness dashboard To help you determine which devices are ready to upgrade to Office 365 ProPlus, there's a new readiness dashboard. It includes the Office 365 ProPlus upgrade readiness tile that released in Configuration Manager current branch version 1902. In the Configuration Manager console, go to the Software Library workspace, expand Office 365 Client Management, and select the Office 365 ProPlus Upgrade Readiness node.

Protection

Windows Defender Application Guard file trust criteria There's a new policy setting that enables users to trust files that normally open in Windows Defender Application Guard (WDAG). Upon successful completion, the files will open on the host device instead of in WDAG.

Protection

Windows Defender Application Guard file trust criteria There's a new policy setting that enables users to trust files that normally open in Windows Defender Application Guard (WDAG). Upon successful completion, the files will open on the host device instead of in WDAG.

Deprecated features and operating systems

Version 1906 drops support for the following features: Classic service deployment to Azure for cloud management gateway and cloud distribution point.You can't install new application catalog roles. Updated clients automatically use the management point for user-available application deployments. Version 1906 deprecates support for the following products: Windows CE 7.0Windows 10 MobileWindows 10 Mobile Enterprise Support Center OneTrace (Preview) OneTrace is a new log viewer with Support Center. It works similarly to CMTrace, with the following improvements: A tabbed viewDockable windowsImproved search capabilitiesAbility to enable filters without leaving the log viewScrollbar hints to quickly identify clusters of errorsFast log opening for large files Note: As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you’ll be notified when it’s ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, use the PowerShell script to ensure that you are in the first wave of customers getting the update. By running this script, you’ll see the update available in your console right away.   Read the full article

System Center Configuration Manager Technical Preview 1906 available

System Center Configuration Manager Technical Preview 1906 available. User categories for device-targeted application deployments now show as filters in Software Center. You can now specify a user category for an application on the Software Center page of its properties.

This preview release also includes: Improvements to maintenance tasks - Site server maintenance tasks can now be viewed and edited from their own tab on the details view of a site server. Configuration Manager update database upgrade monitoring - When applying a Configuration Manager update, you can now see the state of the Upgrade ConfigMgr database task in the installation status window. Redesigned notification logic for newly available software - The New Software is Available notification will only show once for a user for a given application and revision. The user will no longer see the notification each time they logon. RBAC on Folders - you can now set security scopes on folders. Azure Active Directory user group discovery - You can now discover user groups and members of those groups from Azure Active directory (Azure AD). Remote control anywhere using cloud management gateway – An admin or helpdesk operator connect to a client via remote control over the Internet via cloud management gateway. Improvements to Community Hub - Aside from the existing support for scripts and reports, the Community Hub now supports the following objects: PowerShell Scripts, Reports, Task sequences, Applications and Configuration items. There is now the ability to consume updated hub items. Add joins, additional operators, and aggregators in CMPivot - Based on your UserVoice feedback for CMPivot, you now have additional arithmetic operators, aggregators, and the ability to add query joins such as using Registry and File together. CMPivot standalone improvements - To enable more people, such as security admins, to use CMPivot, we've expanded the ability for CMPivot to be run outside the console. We've also expanded the Security Admin role’s default permissions. These changes give you the benefits of real-time queries across the organization. CMPivot standalone improvements - You can now connect to CMPivot Standalone without using the command line.Added CMPivot permissions to the Security Administrator role - The following permissions have been added to Configuration Manager's built-in Security Administrator role: Read on SMS Script; Run CMPivot on Collection; and Read on Inventory Report. Improvements to Configuration Manager console - You can now enable some nodes of the Configuration Manager console to use the administration service. This change allows the console to communicate with the SMS Provider over HTTPS instead of via WMI. Support for Windows Virtual Desktop - Windows Virtual Desktop is a preview feature of Microsoft Azure and Microsoft 365. You can now use Configuration Manager technical preview to manage these virtual devices running Windows in Azure. More frequent countdown notifications for restarts – You now specify snooze duration and increase the restart interval. Co-management auto-enrollment using device token - A new co-managed device now automatically enrolls to the Microsoft Intune service based on its Azure Active Directory (Azure AD) device token. Multiple pilot groups for co-management workloads - You can now configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. Additional options for third-party update catalogs ­- You now have additional configuration options for how third-party update catalogs are synchronized into Configuration Manager. Clear app content from client cache during task sequence - In the Install Application task sequence step, you can now delete the app content from the client cache after the step runs. This behavior is beneficial on devices with small hard drives or when installing lots of large apps in succession. Management insight rule for NTLM fallback - Management insights includes a new rule that detects if you enabled the less secure NTLM authentication fallback method for the site: NTLM fallback is enabled. Improvements to OS deployment including It's now easier to edit variables when you run a task sequence.The task sequence sets a new read-only variable _SMSTSLastContentDownloadLocation.This release further iterates on the improvement to the Disable BitLocker step from technical preview version 1905. It resolves the known issue with the client-side functionality, and adds a new variable, OSDBitLockerRebootCountOverride. Read the full article