Servicing server group features of Configuration Manager CB 1511 and 1605

Technical Preview for System Center Configuration Manager, version 1511, included the ability to create a collection where all devices in the collection make up a server group. Then, you could configure the server group settings to use when you deploy software updates to the server group, control the percentage of computers that are updated at any given time, and configure pre-deployment and post-deployment PowerShell scripts to run custom actions.

Technical Preview for System Center Configuration Manager, version 1605, adds the ability to update the computers in the server group in a specified order that you define, adds enhanced monitoring to view the status for the computers in the server group, and provides the ability to clear the deployment locks that is useful when clients have failed to install the software updates and are preventing other clients from installing their software updates.

Reference: https://technet.microsoft.com/en-us/library/mt706220.aspx

 

System Center Configuration Manager Vulnerability Assessment Configuration Pack

Configuration Manager Vulnerability Assessment allows to scan managed systems for common missing security updates and misconfigurations which might make client computers more vulnerable to attack.

Download here

This release includes

  • The capability to scan’s for potential security issues that may exist because of misconfigurations on the following Microsoft Product versions
  • New Vulnerability Assessment Overall Report will display
    • List of Security, Administrative and Compliance Vulnerabilities for a specific computer.
    • List of Windows Updates Vulnerabilities (if there are any)
    • List of Windows Server Vulnerabilities (if there are any)
    • List of IIS Vulnerabilities (if there are any)
    • List of SQL Vulnerabilities (if there are any)

Example checks are:

  • Are unnecessary services installed and running?
  • Do shared folders have appropriate permissions?
  • Is Windows Firewall enabled?
  • Are strong passwords enforced?
  • Are unsecured guest accounts enabled?

 

After downloading the pack, you will need to install it which will extract the cab file into C:\Program Files (x86)\VACP (by default).

To import the Configuration Pack

  • In the Configuration Manager console, navigate to Assets and Compliance / Compliance settings / Configuration Baselines.


  • Right-click Configuration Items, Import Configuration Data to load the Import Configuration Data Wizard.


  • Click Add, browse to C:\Program Files (x86)\VACP (unless you specified another path) and select the .cab file in the install location of the .msi, and then click Open.


  • Summary of the 34 configuration Items will be shown. Click Next to continue.


  • Follow the wizard instructions.
  • There are three base lines created from the Configuration Items. The Vulnerability Assessment Configuration Pack.docx files associated highlights the details of each base line.
  • Deploy the baselines to the proper collections as desired.

 

 

Configuration Manager 1602 Changes – Part 1

 

Here are few new items in the 1602 branch of Configuration Manager

 

  1. A new option in the Software Center that allows the user to poll the user and machine policies (without going through the Control Paten applet). In Software Center (after the new client push), a Sync Policy button has been added to the Options > Computer Maintenance page.

  1. Windows 10 Device Health Attestation. This can be enabled in Administration > Overview > Client Settings under Computer Agent

To view the device health attestation view, in the Configuration Manager console go to the Monitoring workspace of, click Security node, and then click Health Attestation.

  1. Configuration Manager sites that run version 1602 or later support the in-place upgrade of the site servers operating system from Windows Server 2008 R2 to Windows Server 2012 R2. Before you upgrade to Windows Server 2012 R2, you must uninstall WSUS 3.2 from the server.
  2. New filter options are available for Windows 10 servicing plans that allow you to filter for Language, Required, and Title. Only upgrades that meet the specified criteria will be added to the associated deployment. Prior this change, all upgrades were being downloaded regardless of language or SKU.

Disable Wi-Fi Sense – Windows 10

Option 1.

Update to registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config

Or via Login Script or during the task sequences in Configuration Manager or MDT (post image install)

reg add HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config /t REG_DWORD /v AutoConnectAllowedOEM /d 0

Option 2.

Modify Unattend.xml to add Microsoft-Windows-WiFiNetworkManager

Set WiFiSenseAllowed to 0

Option 3.

For Windows 10 build 1511 or later

Configure the Group Policy Object Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services under

Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\.

Enabling iOS 9 Extension for Microsoft Intune in System Center 2012 R2 Configuration Manager SP1 CU1

On September 24, 2015 Microsoft announced support for iOS9 through he iOS9 extension for Microsoft Intune in Configuration Manager.

To enable the extension, go to your SCCM console (2012 R2 SP1 CU1).  Under Administration, expand Cloud Services and click Extension for Microsoft Intune.

2015-10-17_11-15-47

In the right pane, right click the iOS 9 Extension and click Enable (or from the toolbar).  If you do not have CU1, this can fail.

2015-10-17_11-06-33

Accept the License Terms – make sure you read all of it first 🙂

2015-10-17_11-19-09

Chicago Systems Management Users Group (CSMUG)

After couple of years of debates to do this or not, we have decided to move forward with this group.  There is no similar group like this in Chicagoland area.  We have done topics with the Chicago Windows User Group in the past and will continue to support them in joint events.  However, the membership for a Windows user group vs. a System Center, EMS, datacenter and client management, is much different.

If you are in the Chicago area, please sign up.

http://www.meetup.com/Chicago-Systems-Management-Users-Group-CSMUG/

The group is co-founded by Rich Lilly.  Check out his blog here and follow him on Twitter

Jay @jparekh_tech

Windows 10 Works with Existing Infrastructure

Deploying and managing Windows 10 in your business does not mean upgrading your client management infrastructure.  Use your existing SCCM and Windows Server investments to deploy and manage the new Windows 10, which has now been officially released.  See the matrix below for compatibility information.  Also note, a new version of System Center Configuration Manager is in the works which will offer new capabilities related to Windows 10 features but is not needed to get Windows 10 out to your users today!

2015-07-29_16-13-21

Twitter: @jparekh_tech