Designing a System Center Configuration Manager Infrastructure

  • 2016-12-09 00:00:00


In this article by Samir Hammoudi and Chuluunsuren Damdinsuren, the authors of Microsoft System Center Configuration Manager Cookbook - Second Edition, we will cover the following recipes:

  • What's changed from System Center 2012 Configuration Manager?
  • System Center Configuration Manager's new servicing models

In this article, we will learn the new servicing model, and walk through the various setup scenarios and configurations for System Center Configuration Manager Current Branch (SCCM CB). We will also look at designing a System Center Configuration Manager (SCCM) infrastructure and keeping it current by using best practices such as keeping SQL Server on the site, offloading some roles as needed, and performing in-place upgrades from CM12.

What's changed from System Center 2012 Configuration Manager?

We will go through the new features, changes, and removed features in CM since CM 2012.

Getting ready

The following are the new features in CM since CM12:

  • In-console updates for Configuration Manager: CM uses an in-console service method called Updates and Servicing that makes it easy to locate and install updates for CM.
  • Service Connection Point: The Microsoft Intune connector is replaced by a new site system role named Service Connection Point. The service connection point is used as a point of contact for the devices you manage, uploads usage and diagnostic data to the Microsoft cloud service, and makes applicable updates available within the CM console.
  • Windows 10 Servicing: You can view the dashboard which tracks all Windows 10 PCs in your environment, create servicing plans to ensure Windows 10 PCs are kept up to date, and also view alerts when Windows 10 clients are near to the end of a CB/CBB support cycle.

How to do it...

What's new in CM capabilities

This information is based on versions 1511 and 1602. You can find out if the change is made in 1602 or later by looking for the version 1602 or later tag. You can find the latest changes at https://technet.microsoft.com/en-us/library/mt757350.aspx.

  • Endpoint Protection anti-malware:
    • Real-time protection: This blocks potentially unwanted applications at download and prior to installation
    • Scan settings: This scans mapped network drives when running a full scan
    • Auto sample file submission settings: This is used to manage the behavior
    • Exclusion settings: This section of the policy is improved to allow device exclusions
  • Software updates:
    • CM can differentiate a Windows 10 computer that connects to Windows Update for Business (WUfB) versus the computers connected to SUP
    • You can schedule, or run manually, the WSUS clean up task from the CM console
    • CM has the ability to manage Office 365 client updates by using the SUP (version 1602 or later)
  • Application management:
    • This supports Universal Windows Platform (UWP) apps
    • The user-available apps now appear in Software Center
    • When you create an in-house iOS app you only need to specify the installer (.ipa) file
    • You can still enter the link directly, but you can now browse the store for the app directly from the CM console
    • CM now supports apps you purchase in volume from the Apple Volume-Purchase Program (VPP) (version 1602 or later)
    • Use CM app configuration policies to supply settings that might be required when the user runs an iOS app (version 1602 or later)
  • Operating system deployment:
    • A new task sequence (TS) type is available to upgrade computers from Windows 7/8/8.1 to Windows 10
    • Windows PE Peer Cache is now available; a TS that runs using Windows PE Peer Cache obtains content from a local peer instead of from a DP
    • You can now view the state, deploy the servicing plans, and get alerts of WaaS in your environment, to keep the Windows 10 current branch updated
  • Client deployment:
    • You can test new versions of the CM client before upgrading the rest of the site with the new software
  • Site infrastructure:
    • CM sites support the in-place upgrade of the site server's OS from Windows Server 2008 R2 to Windows Server 2012 R2 (version 1602 or later)
    • SQL Server AlwaysOn is supported for CM (version 1602 or later)
    • CM supports Microsoft Passport for Work which is an alternative sign-in method to replace a password, smart card, or virtual smart card
  • Compliance settings:
    • When you create a configuration item, only the settings relevant to the selected platform are available
    • It is now easier to choose the configuration item type in the Create Configuration Item wizard, which also has a number of new settings
    • It provides support for managing settings on Mac OS X computers
    • You can now specify kiosk mode settings for Samsung KNOX devices. (version 1602 or later)
  • Conditional access:
    • Conditional access to Exchange Online and SharePoint Online is supported for PCs managed by CM (version 1602 or later)
    • You can now restrict access to e-mail and O365 services based on the report of the Health Attestation Service (version 1602 or later)
    • New compliance policy rules, like automatic updates and passwords to unlock devices, have been added to support better security requirements (version 1602 or later)
    • Enrolled and compliant devices always have access to Exchange On-Premises (version 1602 or later)
  • Client management:
    • You can now see whether a computer is online or not via its status (version 1602 or later)
    • A new option, Sync Policy, has been added under Software Center | Options | Computer Maintenance; it refreshes the machine and user policy (version 1602 or later)
    • You can view the status of Windows 10 Device Health Attestation in the CM console (version 1602 or later)
  • Mobile device management with Microsoft Intune:
    • Improved the number of devices a user can enroll
    • Specify terms and conditions users of the company portal must accept before they can enroll or use the app
    • Added a device enrollment manager role to help manage large numbers of devices
    • CM can help you manage iOS Activation Lock, a feature of the Find My iPhone app for iOS 7.1 and later devices (version 1602 or later)
    • You can monitor terms and conditions deployments in the CM console (version 1602 or later)
  • On-premises Mobile Device Management:
    • You can now manage mobile devices using on-premises CM infrastructure via a management interface that is built into the device OS

Removed features

Two features were removed in the initial release of the CM current branch in December 2015, and there will be no further support for them. If your organization uses these features, you need to find alternatives or stay with CM12.

  • Out of Band Management: With Configuration Manager, native support for AMT-based computers from within the CM console has been removed.
  • Network Access Protection: CM has removed support for Network Access Protection. The feature has been deprecated in Windows Server 2012 R2 and is removed from Windows 10.

See also

Refer to the TechNet documentation on CM changes at https://technet.microsoft.com/en-us/library/mt622084.aspx

System Center Configuration Manager's new servicing models

The new servicing model concept is one of the biggest changes in CM. In this article, we will learn what the servicing model is and how to work with it.

Getting Ready

Windows 10's new servicing models

Before we dive into the new CM servicing model, we first need to understand the new Windows 10 servicing model approach called Windows as a Service (WaaS).

Microsoft regularly gets asked for advice on how to keep Windows devices secure, reliable, and compatible. Microsoft has a pretty strong point-of-view on this: Your devices will be more secure, more reliable, and more compatible if you are keeping up with the updates we regularly release.

In a mobile-first, cloud-first world, IT expects to have new value and new capabilities constantly flowing to them. Most users have smart phones and regularly accept the updates to their apps from the various app stores. The iOS and Android ecosystems also release updates to the OS on a regular cadence.

With this in mind, Microsoft is committed to continuously rolling out new capabilities to users around the world, but Windows is unique in that it is used in an incredibly broad set of scenarios, from a simple phone to some of the most complex and mission critical use scenarios in factories and hospitals. It is clear that one model does not fit all of these scenarios.

To strike a balance between the needed updates for such a wide range of device types, there are four servicing options (summarized in Table 1) you will want to completely understand.

Table 1. Windows 10 servicing options (WaaS)

| Servicing Models | Key Benefits | Support Lifetime | Editions | Target Scenario |
|---|---|---|---|---|
| Windows Insider Program | Enables testing new features before release | N/A | Home, Pro, Enterprise, Education | IT Pros, Developers |
| Current Branch (CB) | Makes new features available to users immediately | Approximately 4 months | Home, Pro, Enterprise, Education | Consumers, limited number of Enterprise users |
| Current Branch for Business (CBB) | Provides additional testing time through Current Branch | Approximately 8 months | Pro, Enterprise, Education | Enterprise users |
| Long-Term Servicing Branch (LTSB) | Enables long-term low changing deployments like previous Windows versions | 10 Years | Enterprise LTSB | ATM, Line machines, Factory control |

How to do it...

How will CM support Windows 10?

As you read in the previous section, Windows 10 brings with it new options for deployment and servicing models. On the System Center side, CM has to provide enterprise customers with the best management for Windows 10 by helping you deploy, manage, and service it. Windows 10 comes in two basic types: Current Branch/Current Branch for Business, with a fast version model, and the LTSB, with a more traditional support model.

Therefore, in December 2015 Microsoft released a new version of CM to provide full support for the deployment, upgrade, and management of Windows 10. The new CM (named simply, without a calendar year) is called Configuration Manager Current Branch (CMCB), and is designed to support the much faster pace of updates for Windows 10 by being updated periodically.

This new version will also simplify the CM upgrade experience itself. One of the core capabilities of this release is a brand new approach for updating the features and functionality of CM. Moving faster with CM will allow you to take advantage of the very latest feature innovations in Windows 10, as well as other operating systems such as Apple iOS and Android when using mobile device management (MDM) and mobile application management (MAM) capabilities.

The new features for CM are in-console Updates-and-Servicing processes that replace the need to learn about, locate, and download updates from external sources. This means no more service packs or cumulative update versions to track. Instead, when you use the CM current branch, you periodically install in-console updates to get a new version. New update versions release periodically and will include product updates and can also introduce new features you may choose to use (or not use) in your deployment.

Because CM will be updated frequently, each particular version will be denoted with a version number, for example 1511 for a version shipped in December 2015. Updates will be released for the current branch about three times a year. The first release of the current branch was 1511 in December 2015, followed by 1602 in March 2016. Each update version is supported for 12 months from its general availability release date.

Why is there another version called Configuration Manager LTSB 2016?

There will be a release named System Center Configuration Manager LTSB 2016 that aligns with the release of Windows Server 2016 and System Center 2016. With this version, as with the previous versions 2007 and 2012, you do not have to update the Configuration Manager site servers as you do with the current branch.

Table 2. Configuration Manager Servicing Options:

| Servicing Options | Benefits | Support Lifetime | Intended Target Clients |
|---|---|---|---|
| CM CB | Fully supports any type of Windows 10 | Approximately 12 months | Windows 10 CB/CBB, Windows 10 |
| Configuration Manager LTSB 2016 | You do not need to update frequently | 10 Years | Windows 10 LTSB |

Summary

In this article we learned the new servicing model, and walked through the various setup scenarios and configurations for SCCM CB.
