So last Thursday 16th November the guys at Microsoft released the next version of Configuration Manager Technical Preview. This was a slightly different release as they were assisted in pushing the big red button by a number of MVPs and special invite attendees who were in Redmond for the week for a mini-summit. I’m pleased to say that friend and long-time WMUG’r Robert Marshall was in amongst the crowd and if you look closely you’ll see him just to the left of Kim Oppalfens and Jörgen Nilsson who are hitting the button. A nice bit of fun for those guys I’m sure.

So enough fun and games, what’s new?

Well here is the official link – https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1711

I’m pleased to say I’ve managed to work through them and I can show you here what is new.

There are relatively few items in here compared to some previous releases but these are the headline items.

Allow user interaction when installing applications as system

This new setting is within the deployment type of an application and you can simply tick the box to allow a user to interact with the application installer even though the application is being installed as the local system account I.e. an administrator. This could be useful for many software applications where there are maybe user specific details to be entered such as a user name or license code etc. I’m sure there are many people with use cases for this one and I’d love to hear more about their examples.

New compliance policy options for Windows 10

As a quick summary for those who may not have used compliance policies, here is what Microsoft say.

“Compliance policies in Configuration Manager define the rules and settings that a device must comply with in order to be considered compliant by conditional access polices. You can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access.”

The new options are specifically for devices that do NOT run the Configuration Manager client I.e. Intune enrolled devices. They are specific to Windows 10 and are listed here:

• Require Firewall. Specify whether a device must have a firewall enabled and monitoring all networks.
• Require User Account Control. Specify that a device must have User Account Control enabled.
• Defender:
  • Require Windows Defender Antivirus. Require a device to have Windows Defender Antivirus enabled.
  • Windows Defender Antivirus version. Specify the minimum version of spyware definitions a device must have installed.
  • Require current Windows Defender Antivirus signature. Verify that a devices Window Defender Antivirus signature is up-to-date.
  • Require Real-Time Protection. Specify whether a device must have Windows Defender Antivirus Real-Time Protection enabled.
• Valid operating system builds. Specify minimum and maximum operating system build requirements.

To create a policy with these options, you must go to Assets and Compliance > Compliance Settings > Compliance Policies. Now hit the Create Compliance Policy on the ribbon.

You need to give the policy a name and a description as you see fit. Ensure that you select “Compliance rules for devices managed without the Configuration Manager client” in order to see these new TP1722 Windows 10 options. Now hit Next.

Now you may want to create a policy for multiple Operating Systems but for this example you should select the appropriate versions of Windows 10 that you require. Note that the list of Windows 10 versions is different from that if you were to select managed with a CM client. Hit Next again.

Here we can now add policy items by hitting New and dropping down the condition drop down box.

Looking at the new options specifically we have Require Firewall which is a single option item with value True.

We also have Require User Account Control again with a single value of True.

Require Windows Defender Antivirus gives us several options that are maybe not quite clear in the documentation.

Finally we have Valid operation system builds. This allows us to specify a minimum and a maximum OS build version. This could be useful for preventing users running insider builds for example. You must set a minimum and a maximum value here so there is some ongoing maintenance in this option as time and indeed Windows 10 builds progress.

I created a uservoice item for this setting to be able to have a drop down or reference table of build numbers to plain text names. A look up table for this is available here – https://technet.microsoft.com/en-us/windows/release-info.aspx

If you want to vote this idea up then go here – https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/32323003-populate-os-versions-for-valid-operating-system-b

Improvements to Run Task Sequence

The team have made some further improvements to the Run task sequence step with a task sequence, a hot topic for most CM users. This is a progression from the initial features seen in TP 1704 for running a child task sequence. This effectively means that there is now a wider scope for you to use a child task sequence as there are more scenarios now covered. Microsoft list these improvements as the following:

• Support for all operating system deployment scenarios from Software Center, PXE, and media.
• Improvements to console actions such as copy, import, export, and warning during object deletion.
• Support for the Create Prestage Content wizard.
• Integration with deployment verification.
• The Run Task Sequence step can now be used across multiple levels of task sequences, not just a single parent-child relationship. Multi-level relationships increase the complexity, so use with caution. These relationships are still checked for circular references.

So there you go, that’s it for this month. I hope to cover the next TP release too but first up is the small matter of the 1710 production (current branch) release which just landed whilst I was writing this.

Check that one out here – https://cloudblogs.microsoft.com/enterprisemobility/2017/11/20/now-available-update-1710-for-system-center-configuration-manager/

/Peter