CHAPTER 2
Configuration Manager Overview

Chapter 1, “Configuration Management Basics,” discusses the challenges of systems and configuration management. This chapter covers the history of System Center Configuration Manager (ConfigMgr). This chapter also discusses key concepts and terminology used in later chapters of this book to help you as a ConfigMgr administrator become familiar with the lexicon.

The current version of System Center Configuration Manager, Current Branch, includes a significant number of changes. Even seasoned ConfigMgr administrators will discover that concepts they were once familiar with are now different. This chapter covers those changes. To assist in planning a new ConfigMgr implementation or migration of an existing infrastructure, this chapter also outlines feature dependencies.

However, version 1.x of the product failed to receive wide adoption. Requirements such as installing the site server on a Windows NT backup domain controller (BDC) made deployment cumbersome. In addition, the management scope of SMS 1.x only supported control of an entire domain. Inventory functions were executed using login scripts. Administrators received numerous complaints from end users about prolonged logon times—yet another reason for the product’s slow adoption.

SMS 2.0 addressed many concerns Microsoft’s customers had with SMS 1.x. It allowed installation of a site server on a member server instead of a domain controller. The inventory process was moved to agent components rather than running in login scripts. In addition, the management scope was defined by subnets instead of the entire domain. Despite these enhancements, the product had several significant failings:

The client agent was not designed for a mobile workforce and did not consider low-bandwidth situations, and at this time, laptops were becoming prevalent.

It did not allow for Active Directory (AD) integration, even though the product was released just before Active Directory became available with Windows 2000.

Neither SP 4 (released in 2002) nor SP 5 (2003) addressed these areas, as they primarily provided bug fixes rather than new functionality. However, the shortcomings in SMS 2.0 positioned Microsoft to release a product that addressed them: SMS 2003.

The SMS server infrastructure remained largely the same, with the inclusion of Internet Information Server (IIS), which arguably raised complexity but brought significant benefits (such as communication over HTTP and the use of the Background Intelligent Transfer System [BITS]). In addition, SMS 2003 included significant improvements to the SMS agent, as discussed in the section “Configuration Manager Agent” later in this chapter. A legacy client was maintained to support older operating systems, such as Windows 98 and Windows NT 4.0. Windows 95 support was dropped entirely. Another significant change was a revamp of the reporting interface into SMS Web Reporting, which removed the complicated and obtuse Crystal reports.

Most of the changes in this version were not noticeable in the console. The UI looked almost identical to that of SMS 2.0.

One substantial change in SMS 2003 from its predecessor was the introduction of a concept called roaming. Roaming came in two flavors:

Global Roaming: Clients could retrieve site information from AD, enabling them to know the site they were in, communicate with the resident management point (MP) for that site, and receive information pertaining to the distribution points (DPs) of that site. Global roaming was only available to organizations that extended the AD schema.

Regional Roaming: Clients were unaware of any site they may have roamed into and continued speaking to their default MP. As long as the client had roamed into a site lower in the hierarchy than its assigned site, the default MP could inform the client of the closest DPs.

The first two service packs (released in 2004 and June 2006), were largely hotfix rollups with performance optimization. Functional changes were minor, adding support for newer operating systems. Microsoft announced that rather than adding new capabilities in service packs, it would include new functionality in feature packs, an example being the Operating System Deployment (OSD) Feature Pack released as a free download in November 2004.

Microsoft released the first full update to SMS 2003 with an R2 release in late 2006. SMS 2003 R2 was built on SMS 2003 SP 2, with two additional features:

Scan Tool for Vulnerability Assessment

Inventory Tool for Custom Updates (ITCU)

SMS 2003 SP 3, released in 2007, was the last maintenance release for the product. Along with another hotfix rollup, SP 3 included Asset Intelligence (a product developed from Microsoft’s acquisition of AssetMatrix). Asset Intelligence normalized more than 400,000 software titles into a legible format, easing the burden of tracking and reporting on licensing data. SP 3 also included an extension to OSD for deploying the Vista operating system, though considering the adoption rate of Vista, that is hardly worth noting!

In this version, the legacy client was finally dropped, along with support for operating systems prior to Windows 2000. All of the familiar feature packs released for SMS 2003 were included as part of ConfigMgr 2007, removing the requirement to layer installation after installation to get all the features.

ConfigMgr 2007 was the first version to use public key infrastructure (PKI) for securing client-to-server communications. This security mode was known as native mode. With the use of native mode and PKI, it was possible to manage clients that rarely connected over virtual private networks (VPNs) or came into the office. The utilization of Internet-based client management (IBCM) enabled management of ConfigMgr 2007 clients over a regular Internet connection.

Out-of-band (OOB) management and improved asset intelligence functionality were the highlights of the first service pack, released in May 2008. Just a year after the release to manufacturing (RTM) of ConfigMgr 2007, Microsoft released ConfigMgr 2007 R2, which included a number of changes:

Application Virtualization: This feature supported running virtual applications sequenced through the Application Virtualization (App-V) platform.

Client Status Reporting (CSR): This separate tool analyzed and reported on client health.

OSD Improvements: OSD enhancements included support for unknown computers, improvements to task sequences that allowed alternate credentials for running command lines, and network bandwidth efficiency gains with multicast deployments.

SQL Server Reporting Services (SSRS) Support: This enhancement enabled the use of SSRS for ConfigMgr reports, including the ability to convert most reports to the SSRS format.

Microsoft released ConfigMgr 2007 R3 in late 2010, introducing another wave of new features and improvements. This release included power management, eliminating the need to use third-party products to manage and report on computer power consumption. There were also several other improvements:

Performance: Performance in scalability was improved to support up to 100,000 clients per primary site and 300,000 clients in a hierarchy.

Delta Discovery: AD discovery was modified to provide a delta discovery method that only picked up changes such as additions, deletions, and modifications, reducing the load on the site server running the discovery.

Dynamic Collection Updates: Under certain conditions (first-time discovery, OSD provisioned, initial hardware inventory scan, or ConfigMgr client upgrade), collections can be enabled to dynamically add new resources as they are discovered.

Prestaged Media: Prestaging media allows a PC manufacturer to load a custom image to a PC during the build process in the manufacturing facility.

In December 2010 (post R3), Microsoft released Forefront Endpoint Protection 2010 and integrated it into ConfigMgr to provide malware and security protection.

ConfigMgr is a system that continuously improves and evolves. The requirement to support every new Windows operating system is difficult enough to manage; in addition, a configuration management system developed by Microsoft is expected to manage (to some extent) every product Microsoft ever released! From the 1.x releases that installed software and ran inventory by login script to the most advanced agent capable of installing the latest security updates, delivering whole operating systems, and self-healing, ConfigMgr has had a long career managing the rich Microsoft ecosystem.

The product has grown immensely complex over the years. At one point, it was expected that a ConfigMgr administrator could learn the entire product to an expert level. Today, with all the features that extend ConfigMgr beyond simple inventory management and software delivery, it is easy to become buried in the details.

Central Administration Site (CAS): The CAS, introduced for large environments, was primarily used for reporting and facilitating communication between primary sites in the hierarchy. Using the CAS requires a bit more SQL skills because database replication occurs between the CAS and primary sites.

Administration Console: The new administration console was a welcome update to the old MMC-style console. This new console allowed more flexible add-ins, a ribbon bar, objects filtered by role-based administration, search capabilities, and temporary nodes to help with navigation.

Improved IBCM: IBCM kicked up a notch or two, supporting user-based policies, task sequences (external to OSD), and smarter software updates downloads.

Software Center and Application Catalog: Previously, Run Advertised Programs was the only end-user interface for installing optional programs (other than a hook on Add/Remove Programs). Software Center (machine-based) and Application Catalog (user-based) provided a two-stop shop, which improved the end-user experience.

Multiple Management Points per Site: Multiple management points allow the client to select a MP based on network location, enabling a larger number of clients per site, as well as redundancy that was previously available only with a network load balancing (NLB) cluster.

Boundary and Boundary Group Improvements: Boundaries were no longer site specific, and connection speeds could be configured at the boundary group as a content location server.

Fallback Site for Client Assignment: As an optional setting for the hierarchy, you could set a fallback site so that if a client was not in a boundary group, automatic site assignment would assign the client to the fallback site.

Discovery Improvements: Discovery is processed only one time, at the primary sites, and shared among all primary sites. Active Directory Forest Discovery was also added, allowing discovery of subnets and AD sites and optionally allowing them to be added as boundaries.

Client Settings: Previously, client settings were configured per site. With ConfigMgr 2012, client agent settings could be grouped into centrally configured client settings groups and applied to collections with precedence.

Role-Based Administration (RBA): RBA enabled simpler configuration of rights, based on roles, scopes, and collections. RBA settings apply across the entire hierarchy.

Collection Improvements: ConfigMgr 2012 brought multiple improvements to collections. Include and exclude rules enabled easy alteration of collection membership based on other collections. Incremental collection member evaluation significantly improved software delivery by populating query-based collections with new members much faster than previously. Collection limiting was required on every collection, reducing risk and simplifying RBA.

Application Management: Applications were introduced, allowing for requirement rules, along with multiple deployment types to add enhanced detection and deployment, as well as a simplified end-user experience.

OSD Enhancements: OSD improvements included applying offline updates, prestart command files, mandatory deployment, cross-hierarchy media, relating of users to computers during operating system deployment for proper software delivery, and more.

Distribution Point Enhancements: The content library provided a single-instance store for content on distribution points. Distribution point groups allowed logical grouping and management of content. In-console monitoring of distribution status and content validation simplified the administrative experience. BranchCache was also integrated so that it became possible to manage BranchCache settings and configure per-deployment type for applications and per-deployment type for packages.

Reporting: The Reporting Point was removed, encouraging administrators to learn more about SSRS. Leveraging SSRS for reporting is more extensible, provides graphical capabilities, and allows for easier integration of data from other sources than with the old Reporting Point.

System Center 2012 R2 Configuration Manager brought support for new devices as well as improvements in the core platform, including the following:

OSD: Support for the latest Windows operating systems (Windows 8.1 and Server 2012 R2) was added, as well as some features inherited from the Microsoft Deployment Toolkit (MDT), such as Run PowerShell Script, Check Readiness, and Set Dynamic Variables. Also, new task sequence variables were added to improve resiliency and improve status.

Mobile Device Management (MDM): Support was added for enrollment of Android and iOS for MDM with Intune Extensions.

Profile Management: Support included remote connection profiles, certificate profiles, VPN profiles, Wi-Fi profiles, and email profiles to simplify the end-user experience.

Content Management: R2 included enhancements in pull-distribution points, such as support for prioritization of source DPs, improved status reporting, and much-requested support in the Monitoring node to redistribute failed distributions. The Distribution Point Usage Summary report helped in understanding how each distribution point was being utilized.

Role-Based Administration Reporting: Report data could now be automatically filtered for content based on RBA configurations.

Previous versions of ConfigMgr gave the site hierarchy the flexibility to be immensely deep and complex (although this was not recommended). ConfigMgr 2012 enabled using a simplistic, flat hierarchy, and ConfigMgr Current Branch takes that even further, improving scalability. Starting from the top, the hierarchy for a large organization generally goes three tiers deep, as shown in Figure 2.2.

It is important to note that a secondary site can exist in a tiered hierarchy with another secondary site, effectively creating more than three tiers. However, all secondary sites communicate with their primary site for database replication. While you can adopt this topology, there are very few reasons for secondary sites in ConfigMgr. Chapter 4, “Architecture Design Planning,” provides details on creating an optimized hierarchy.

In versions of the product previous to System Center 2012 Configuration Manager, this concept was known as a central site, although it was not technically restricted from supporting clients. A central site was the top-level primary site of a site hierarchy.

Following are areas to consider when planning for additional primary sites:

Scale: A standalone primary site supports 150,000 desktops/laptops, plus 25,000 devices running Mac and Windows CE 7.0. A primary site under a CAS supports 150,000 total clients and devices. A secondary site supports 15,000 desktops/laptops. Review the current scaling numbers at https://docs.microsoft.com/sccm/core/plan-design/configs/size-and-scale-numbers.

Complexity: When using a CAS, additional troubleshooting steps are required for database replication.

A secondary site requires a SQL Server database. You can install SQL prior to installing the secondary site, or SQL Express will automatically install during secondary site installation.

Secondary sites automatically receive the proxy management point and distribution point roles.

Scalability has increased to 15,000 devices in ConfigMgr Current Branch.

A secondary site is always a child site of a primary site and can only be administered by a primary site. Clients cannot be assigned directly to secondary sites. Because the administration consoles can only connect to a CAS or a primary site, secondary sites are typically used in locations that do not have administrators.

Secondary sites can help control bandwidth utilization by managing the flow of client information sent up the hierarchy. In addition, secondary sites can be tiered to help control content distribution to remote sites. The Software Update Point (SUP) role can be positioned on a secondary site server to provide local access to clients scanning for compliance without needing to talk to a primary site server. However, a hierarchy with secondary sites adds a layer of complexity that often is not necessary.

Carefully consider whether to use a secondary site. Simplicity is best when designing your hierarchy. More information on secondary sites is available in Chapter 4.

Component Server: This is any server running the ConfigMgr Executive service.

Site Database Server: This is a server with Microsoft SQL Server installed, hosting the ConfigMgr site database.

Site Server: This main role contains components and services required to run a central administration, primary, or secondary site.

Site System: This role supports both required and optional site system roles. Any server (or share) with an assigned role automatically receives this role.

SMS Provider: This is a Windows Management Instrumentation (WMI) provider operating as an interface between the ConfigMgr console and the site database.

In addition to default roles, System Center Configuration Manager includes optional roles to support other capabilities:

Application Catalog Web Service Point: This role relays software information from the Software Library to the Application Catalog website.

Application Catalog Website Point: This is an optional role required for presenting available software to users.

Asset Intelligence Synchronization Point: This role synchronizes Asset Intelligence data from System Center Online by downloading Asset Intelligence catalog data and uploading custom catalog data.

Distribution Point: The DP holds application source files for clients to access.

Fallback Status Point (FSP): The FSP provides an alternate location for clients to send up status messages during installation when they are unable to communicate with their management point.

Management Point: The MP facilitates communication between a client and a site server by storing and providing policy and content location information to the client and receiving data from the client, such as status messages and inventory.

Mobile Device Enrollment Proxy Point: This role allows the management of mobile device enrollment through ConfigMgr.

Service Connection Point (SCP): This role enables the ConfigMgr hierarchy to send anonymous usage data to Microsoft, as well as provide the channel for downloading and installing updates to Current Branch.

Reporting Services Point: This role is used to integrate reporting through SSRS and is required if you are using reports.

Software Update Point: The SUP provides software update management for ConfigMgr clients by integrating with Windows Server Update Services (WSUS).

State Migration Point: When using OSD, the state migration point holds the user state data for migration to the new operating system.

System Health Validator Point: This role previously validated Network Access Protection (NAP) policies from the ConfigMgr client. Although it is still visible in the console, the role is no longer used. See https://docs.microsoft.com/sccm/core/plan-design/hierarchy/plan-for-site-system-servers-and-site-system-roles for more information.

Managing Content (File) Replication

File replication (which was updated in ConfigMgr 2012 SP 1 to use replication routes rather than addresses to configure replication between sites) helps manage communication between two sites by controlling data flow through schedules and bandwidth rate limits. By default, an entry (shown in Figure 2.4) is created from the parent to child and child to parent whenever a site server is added to the hierarchy.

Discovering Resources

Knowing the available resources in a network is one of the benefits of having a configuration management system. Configuration Manager uses a variety of discovery methods to gather resource information. Following are the seven types of discovery methods:

Active Directory Forest Discovery

Active Directory Security Group Discovery

Active Directory System Discovery

Active Directory System Group Discovery

Active Directory User Discovery

Heartbeat Discovery

Network Discovery

The Active Directory Forest Discovery method, the newest type of discovery and introduced in ConfigMgr 2012, discovers trusted forests, AD sites, and Internet Protocol (IP) subnets. In addition, this discovery method can automatically create Active Directory site boundaries as well as IP subnet boundaries as they are discovered.

Active Directory discovery methods can target specific LDAP paths, and can be configured to recursively search those paths. Optionally, ConfigMgr can expand groups and discover members of groups. With certain Active Directory object types, you can specify attributes of the discovered resources as part of the information to retrieve.

Polling schedules are defined to run at set intervals. By default, most discovery methods run once a week. Active Directory discovery methods also support delta discovery to help get newly discovered resources into the ConfigMgr database quickly.

Figure 2.5 shows the available discovery methods in the Details pane.

You can deploy the client in a number of ways. A common method of deployment is to prestage the client into an operating system image. However, many other methods also exist, such as manually installing, automatically pushing installs with the ConfigMgr server, using software updates, using group policy, and using scripts (logon or machine).

The ConfigMgr client performs a wide range of actions. It is responsible for collecting computer inventory, checking for security update compliance, facilitating remote control, managing the computer’s power state, managing application state (installing or uninstalling software), reimaging the computer, and managing computer settings. The client also downloads and applies policies received from the ConfigMgr server and sends up status and state messages. The client is discussed further in Chapter 9, “Client Management.”

The console has a Navigation pane to help you navigate quickly between the following operational groupings:

Administration

Software Library

Monitoring

Assets and Compliance

An Outlook-style ribbon provides access to common administrative tasks (see Figure 2.6). As the object focus changes, the options available on the ribbon bar adapt to the object type, displaying relevant tasks in the console.

When you select an object that contains details, the Details pane displays tabs pertinent to the object that help further categorize information to reduce overall clutter. Furthermore, the entire console is security context aware. Role-based administration uses the assigned role and scope to display only the features available to the user. The Details pane in Figure 2.7 shows details and statistics for a security update.

For additional information on security and role-based administration, see Chapter 23, “Security and Delegation in Configuration Manager.” The console is discussed in Chapter 8, “Using the Configuration Manager Console.”

A collection rule defines the membership of a collection. There are several different types of rules:

Direct Rule: An object is added directly to the collection.

Query Rule: An object is added to the collection, based on the result of a query.

Include Rule: Objects in other collections can be can be added using this rule.

Exclude Rule: Objects in other collections can be excluded using this rule.

In addition to collection rules, every collection requires a limited collection, which is basically a global filter for a collection. Collections eventually roll up to one of the built-in collections; however, you can (for example) create a collection named All Test Servers and leverage role-based administration to limit a team’s scope to that collection. If you do this, any collection the team creates is limited to All Test Servers (or any child collection of All Test Servers). Collections are discussed further in Chapter 14, “Distributing and Deploying Applications and Packages.”

Click here to view code image

SELECT
    SMS_R_System.Name,
    SMS_G_System_X86_PC_MEMORY.TotalPhysicalMemory
FROM
    SMS_R_System
    INNER JOIN SMS_G_System_X86_PC_Memory ON
    SMS_G_System_X86_PC_Memory.ResourceID = SMS_R_System.ResourceId
WHERE
    SMS_G_System_X86_PC_Memory.TotalPhysicalMemory > 4192000

Packages were used as the primary tool for software deployment in ConfigMgr 2007 and SMS. With the introduction of applications in System Center 2012 Configuration Manager, the intent for packages was to be legacy functionality, used predominantly for scripting situations. However, many companies still use packages for software deployment. Packages are described in Chapter 13, “Creating and Managing Packages and Programs.”

The application model of Configuration Manager Current Branch significantly improves software deployment and the life cycle compared to the traditional packages and programs model (the only software distribution model used in versions of ConfigMgr and SMS prior to ConfigMgr 2012). For example, the evaluation processing that occurred in ConfigMgr 2007 operated at the collection level, with complex queries driving the intelligence behind targeting software to the right devices. With ConfigMgr applications, much of that intelligence occurs at the client, via requirement rules. Collections are still a necessary part of targeting; however, because the evaluation is no longer at the collection level, complex collection queries are not required for application management.

Applications are models of software that contain far more than source files and program execution instructions. Models define the properties of software. They contain the deployment types to support local installations, virtual applications, and mobile applications. Because these models are state based, the “state” of the application can be detected. This means ConfigMgr can detect if the software is installed before attempting an installation and can detect whether the software has been uninstalled and needs to be reinstalled. The inverse is also true if the requirement is to uninstall software.

Application dependencies

Command for installation

Command for uninstallation

Content source location

Detection method for verifying whether the application is installed

Installation method

Requirement rules

Configuration Manager uses the following deployment types:

Windows Installer (MSI)

Windows App Package

Application Virtualization

Window Phone App Package

Windows Mobile Cabinet (CAB)

App Package for iOS

App Package for iOS from App Store

App Package for Android (.apk file)

App Package for Android on Google Play

Mac OS X

Web Application

Windows Installer through MDM

A global condition is the foundation of a requirement rule. It can be defined by script, WMI query, registry, and much more. ConfigMgr comes with a handful of defined global conditions, such as CPU speed, operating system, total physical memory, and AD site.

For example, let’s say an application requires a minimum of 500MB to install. You could add a requirement rule that uses the provided Free disk space global condition. The rule would specify the condition as requiring at least 500MB. When the client is instructed to install the software, it first evaluates its available drive space, and, if it meets the conditions, it installs the software. Figure 2.9 illustrates how a requirement rule is constructed.

For example, if all the computers in your finance department were in the same OU, you could create a global expression named Finance Dept, require the device to belong to the Finance Dept OU, and require the device to be the primary device. Following is what this expression would look like:

Click here to view code image

Organizational unit (OU) One of {OU=Finance,DC=odyssey,DC=com} AND Primary device Equals True

Available deployment types are constrained based on the type of collection targeted. For example, if the target collection is a user collection, the software update deployment type is not an available option because software updates are targeted to devices.

In bandwidth-sensitive locations, content distribution to a DP can be throttled. In addition, you can schedule DPs to transfer content during optimal times of day. You can also prestage content to the distribution point.

Branch DPs, PXE shares, and DP shares from previous versions of ConfigMgr no longer exist. However, the standard DP is now much more robust, supporting additional options that to enable it to handle PXE, multicast, and pull DPs, which can pull content from one or more other DPs. Cloud DPs (in Microsoft Azure) are also a new feature; they help your clients access content from around the globe and outside your corporate network.

Collections can also be associated to distribution point groups. Whenever content is distributed to the collection, all associated DPs of the DP group receive the content. See Chapter 14 for additional information.

Windows 10

Mac OS X

Windows Desktops and Servers (with optional application-specific filters)

In addition, the following configuration item types are also supported through a hybrid connection to devices managed in Intune:

Windows 8.1 and Windows 10

Windows Phone

iOS and Mac OS X

Android and Samsung Knox

Android for Work

In addition, BITS supports checkpoint restarts. If a network connection is lost during transfer, BITS stops the transfer and resumes where it left off when the connection is available again.

The count of a software program actively in use

The most active time of day for software use

The regular users of software

Whether software is still in use

Say you are deploying an application to a group of computers in a remote office. When BranchCache is utilized, the first client to retrieve the application content from a BranchCache-enabled DP caches it locally, making it available to other clients in its local subnet. Whenever another client requests the same content, it refers to the first client for the application, reducing the requirement to traverse the WAN to retrieve the same content. Once that client retrieves the content, it caches the content for other local clients.

Peer Cache is another software-based WAN optimization technology used to reduce bandwidth usage. It supports standard application and software deployments, as well as OSD.

Replaces the Microsoft Intune Connector for mobile device management integration with Intune

Uploads usage data (described in the next section)

Makes updates for ConfigMgr Current Branch available for download and installation

Operating System Upgrade Task Sequence: This task sequence is used to upgrade from previous versions of Windows to Windows 10.

Windows Preinstallation Environment (WinPE) Peer Cache: WinPE Peer Cache can be used with OSD to enable systems to pull content from a local peer instead of downloading from a DP. This is a great alternative to placing a DP in each remote office.

Windows as a Service Visibility: You can track and manage the servicing plans for Windows 10 in your environment and create deployment rings as well as alerts to be notified when you have versions of Windows 10 that are nearing end-of-support.

Universal Windows Platform (UWP) Support: You can deploy UWP apps to Windows 10 devices.

Improved Software Center: Software Center now displays both machine- and user-targeted software, allowing you to (finally) have one location for all available software in your environment. As an added bonus, Silverlight is no longer required for Software Center.

Install Windows Installer-based Software through the MDM Channel: The title says it all: You can now deploy MSI files to MDM devices that support Windows Installer. Note that currently this feature only supports installation through the logged-in user context.

Browse the Windows Store for Approved Applications: Previously, you had to specify a direct link to an application or browse to a computer that already had the application installed. Now, you can easily browse the Windows Store to obtain the application link.

Support for Windows Update for Business (WUfB): You can use this client setting to target a collection to remove clients from using WSUS for software update management.

WSUS Clean-up Task: The WSUS Clean-up task is now available directly in the ConfigMgr console. It sets expired software updates to a status of declined on the WSUS server, which prevents the Windows Update Agent from scanning for these old updates.

Windows 10 devices managed with the ConfigMgr client

Mac OS X devices managed with the ConfigMgr client

Windows desktop and server computers managed with the ConfigMgr client

Windows 8.1 and Windows 10, Windows Phone, iOS, and Mac OS X devices managed without the ConfigMgr client (These are managed with the MDM client.)

Android and Samsung Knox devices without the ConfigMgr client (These are also managed with the MDM client.)

Support for managing settings on Mac OS X enrolled in either Intune or ConfigMgr

The ability to set a limit for the number of devices a user can enroll

The ability to set the terms and conditions that a user must accept in the company portal in order to use the portal

A new Device Enrollment Manager role

Version 1602 also introduced features to caution administrators with high-risk deployments, such as operating system deployments. (Review https://docs.microsoft.com/sccm/protect/understand/settings-to-manage-high-risk-deployments for more information.) This version improved the end-user experience for operating system upgrades, providing more visibility into what is occurring.

More installation status details are available, allowing you to view separate details for the download, replication, prerequisite check, and installation stages.

A retry option was added for prerequisite check failures.

The admin console was updated to provide a cleaner view of updates by showing only the most recent (by simply clicking the History button to see the update history). The pre-production client upgrade feature was also renamed Promote Pre-production Client.

You can now connect to the Windows Store for Business to synchronize the list of apps purchased with ConfigMgr, as well as view and deploy them from ConfigMgr.

The Software Center interface was improved so that the Installed Software tab is collapsed to the Installation Status tab. Also, Updates, Operating Systems, and Applications have been separated onto three separate tabs. Another sorely missed feature from ConfigMgr 2012 that was restored in ConfigMgr Current Branch version 1606 is the ability to install all software updates with a simple selector.

From the properties of an application or package, you can now click on a link to show the content status for the object.

Client settings were introduced to support management of the Office 365 client agent.

You can now manually trigger clients to switch to a new software update point on the next scan.

Two new well-requested features were added for update behavior starting with Windows 10. You can now choose Update and Restart or Update and Shutdown, which provide an experience similar to the native Windows Update experience.

A new option for software update deployments (on the User Experience tab) allows you to choose the option to perform a new scan and deployment evaluation after patch restart. This is helpful for patching newly applicable updates (based on the updates just installed) in the same patch window.

You now have the option to perform a full scan during the Install Software Updates step instead of using cached results.

You can customize the RamDisk TFTP window size for PXE-enabled DPs, which enables you to optimize TFTP traffic on your network.

You can manage the iOS Activation Lock feature, with which you can require the user’s Apple ID and password before erasing or reactivating the device.

Support for Windows Defender Advanced Threat Protection was added.

Devices with IMEI or iOS serial numbers can be predeclared.

On-premise support for health attestation was added.

Users can now request apps from Software Center (which is similar to the Application Catalog experience).

Indicators in Software Center identify new software.

Customizable branding for all Software Center dialog boxes provides a more consistent experience.

The Snooze and remind me option allows a user to defer software until Later or until a fixed time.

Most objects now support a column named Object Path, which is helpful when performing searches as it allows you to see the full path to the object.

Search text is preserved when you switch between the current node and sub-nodes.

The setting to search sub-nodes is also preserved when you switch to a new node.

The Updates and Servicing node is now a top-level node under Administration.

There are two new update states in the console, Available for Install and Ready for Download.

Update choices have been simplified. By default, ConfigMgr shows the latest update available instead of all potential updates. (Most of the time, you want to install the latest update.)

Support is now provided for improved cleanup of older updates, with a new automatic cleanup function that deletes unneeded downloads from the EasySetupPayload folder on the site server.

Expiration of standalone media: This functionality allows you to optionally set start and end dates for your media.

New content in standalone media: Previously, only content referenced in the TS could be included. Now you can specify additional packages, driver packages, and applications to be staged.

Improvements to Software Center warning messages for high-impact task sequences: You can now configure any task sequence as a high-risk deployment. You can also choose the default notification message or create your own custom notification message.

Returning to the previous page when a task sequence fails: Previously, this required you to completely restart OSD. Now you can simply click the Back button.

Support for pre-caching of content for available deployments and task sequences.

Support to convert from BIOS to UEFI during an in-place upgrade to Windows 10.

Improvements to the Install Applications task sequence step: You can now allow up to 99 applications in the Install Applications step. The wizard also supports multi-select, which simplifies the administrative experience.

New variables for the Auto Apply Drivers task sequence: New variables available allow you to control the timeout for resolving, connecting, sending, and receiving driver requests.

You can now deploy Office 365 applications to clients. You can configure installation settings, download Office 365, and deploy Office 365 as an application from ConfigMgr.

You can now manage express installation files for Windows 10 updates.

You can now set ConfigMgr to smartly download only the changes between the current month’s cumulative update for Windows 10 and the previous month’s update. The express installation files significantly reduce the amount of content required to be downloaded each month for Windows 10 Updates.

You can now create version-agnostic installations for Intune-managed devices. Simply choose Android, Samsung Knox, iPhone, or iPad for a simplified administrative experience.

Enrollment and management in Android for Work is now supported. You can enroll devices, approve and deploy work applications, create and deploy configuration items, perform selective wipe, configure email profiles, and configure compliance policies.

Deploying volume-purchase iOS apps to device collections is another long-awaited feature that is now supported.

Support for the iOS Volume Purchase Program for Education allows you to track applications purchased through the education program.

Support for multiple volume-purchase program tokens has been added.

You can now synchronize custom line-of-business apps from the Windows Store for Business.

Improvements to conditional access include blocking access to corporate resources (that support conditional access) when users are using applications that are part of a noncompliant list of applications. This helps mitigate data leakage through unsecured applications.

You can detect outdated antimalware client versions by configuring alerts to identify when Endpoint Protection clients are out-of-date.

Updates to device health attestation updates allow on-premise clients to now be configured and managed from the management point.

Windows Hello for Business enhancements enable you to manage certificate profiles, as well as provide additional notification to end users when additional actions are required to be completed for Windows Hello for Business configuration.

Peer Cache supports express installation files for Windows 10 and Office 365. Also, Peer Cache no longer uses the Network Access account to download requests from peers (except while in WinPE).

Data Warehouse is now a fully released product, and it supports SQL Server AlwaysOn availability groups, as well as failover clusters.

SQL Server AlwaysOn availability groups includes new features such as asynchronous commit replicas, which can be used in disaster recovery scenarios.

The Update Reset Tool (CMUpdateReset.exe) can reset any failed attempts in downloading or replicating content.

Improved boundary groups for software update points provide the ability to configure a time for fallback to neighbor boundary groups, as well as shorter cycles to quickly select the next server from the pool of available servers.

Azure integration includes multiple improvements with Azure AD:

Azure Services Wizard simplifies configuration for Cloud Management, OMS Connector, Upgrade Readiness, and Windows Store for Business.

Azure AD authentication can be used for clients on the Internet to access ConfigMgr sites. With this feature, client authentication certificates are no longer required.

Azure AD User Discovery is a new discovery method to support users in Azure AD. Both full and delta synchronizations are supported.

There are new configuration item settings for Windows 10 devices enrolled with Intune, such as regional settings, power and sleep, language, store, and Microsoft Edge.

New device compliance policy rules specify password types and restrictions, blocking of USB debugging, blocking of apps from unknown sources, and more.

The ability to run PowerShell scripts from the ConfigMgr console means you can import and edit scripts, require approval for deployment, and run scripts on collections or devices and quickly examine the results.

Mobile application management policy settings allow you to block screen capture (Android), disable contacts synchronization, and disable printing.

Secure boot status is collected in hardware inventory and enabled by default.

Task sequences can be very long; you can now collapse sub-areas as desired. This is a long-requested feature request from the community.

You can now reload boot images with the current Windows PE version, which previously could only be accomplished by calling a WMI method. Now you can choose to reload whenever you update DPs.

The download time for Express Updates has been significantly improved.

Microsoft Surface drivers can be updated through the Software Updates process.

You can now configure Windows Update for Business deferral policies for Windows 10 Feature Updates or Quality Updates for Windows 10 devices that are managed by Windows Update for Business.

ConfigMgr now leverages the Office Click-to-Run user experience for Office 365 updates, including pop-up and in-app notifications and countdowns.

Peer Cache is now a fully released product. It has been a pre-release product for the past several releases but is now fully released.

Cloud distribution points are now available in the Azure government cloud.

Co-management for Windows 10 devices: Starting with ConfigMgr Current Branch version 1710 and Windows 10 1607, devices joined to hybrid Azure AD can be co-managed with both Intune and ConfigMgr. This is a significant milestone that enables ConfigMgr customers to migrate from ConfigMgr to Intune on a per-feature level instead of making a single cutover from ConfigMgr to Intune. For additional information, see Appendix B, “Co-Managing Microsoft Intune and ConfigMgr.”

Identifying and restarting computers: You can add the column Pending Restart to the device collection view to show systems requiring a restart and then use the client notification channel to restart systems.

Improvements to the new Scripts node support security scopes, real-time monitoring, and better visibility for parameters.

New mobile application management policies enable you to disable printing and synchronization of contacts.

By using Endpoint Protection, you can create and deploy the Windows Defender Application Guard policy.

Policy changes for Device Guard let you set devices to automatically run software that is trusted by the Intelligent Security Graph.

SQL Server 2008 R2 is no longer supported.

Windows Server 2008 R2 is no longer supported as a site system, and site roles have also been deprecated (except the Distribution Point role, which is still supported in 2008 R2). 2008 R2 continues to be supported as a managed client.

Windows Server 2008 is no longer supported as a site system or site role but is still supported as a managed client.

Windows XP Embedded is no longer supported.

Network Access Protection has been deprecated.

OOB management has been deprecated.

Older versions of Software Center (those that are dependent on Silverlight) are in the process of being deprecated.

The capability to create virtual hard disks (.vhds) has been deprecated.

The System Center Configuration Manager Upgrade Assessment Tool (which uses the Application Compatibility Toolkit) has been deprecated.

As ConfigMgr Current Branch is a living release, check out https://docs.microsoft.com/sccm/core/plan-design/changes/removed-and-deprecated-features to see new information on deprecated items.