Servicing server group features of Configuration Manager CB 1511 and 1605

Technical Preview for System Center Configuration Manager, version 1511, included the ability to create a collection where all devices in the collection make up a server group. Then, you could configure the server group settings to use when you deploy software updates to the server group, control the percentage of computers that are updated at any given time, and configure pre-deployment and post-deployment PowerShell scripts to run custom actions.

Technical Preview for System Center Configuration Manager, version 1605, adds the ability to update the computers in the server group in a specified order that you define, adds enhanced monitoring to view the status for the computers in the server group, and provides the ability to clear the deployment locks that is useful when clients have failed to install the software updates and are preventing other clients from installing their software updates.

Reference: https://technet.microsoft.com/en-us/library/mt706220.aspx

 

System Center Configuration Manager Vulnerability Assessment Configuration Pack

Configuration Manager Vulnerability Assessment allows to scan managed systems for common missing security updates and misconfigurations which might make client computers more vulnerable to attack.

Download here

This release includes

  • The capability to scan’s for potential security issues that may exist because of misconfigurations on the following Microsoft Product versions
  • New Vulnerability Assessment Overall Report will display
    • List of Security, Administrative and Compliance Vulnerabilities for a specific computer.
    • List of Windows Updates Vulnerabilities (if there are any)
    • List of Windows Server Vulnerabilities (if there are any)
    • List of IIS Vulnerabilities (if there are any)
    • List of SQL Vulnerabilities (if there are any)

Example checks are:

  • Are unnecessary services installed and running?
  • Do shared folders have appropriate permissions?
  • Is Windows Firewall enabled?
  • Are strong passwords enforced?
  • Are unsecured guest accounts enabled?

 

After downloading the pack, you will need to install it which will extract the cab file into C:\Program Files (x86)\VACP (by default).

To import the Configuration Pack

  • In the Configuration Manager console, navigate to Assets and Compliance / Compliance settings / Configuration Baselines.


  • Right-click Configuration Items, Import Configuration Data to load the Import Configuration Data Wizard.


  • Click Add, browse to C:\Program Files (x86)\VACP (unless you specified another path) and select the .cab file in the install location of the .msi, and then click Open.


  • Summary of the 34 configuration Items will be shown. Click Next to continue.


  • Follow the wizard instructions.
  • There are three base lines created from the Configuration Items. The Vulnerability Assessment Configuration Pack.docx files associated highlights the details of each base line.
  • Deploy the baselines to the proper collections as desired.

 

 

Configuration Manager 1602 Changes – Part 1

 

Here are few new items in the 1602 branch of Configuration Manager

 

  1. A new option in the Software Center that allows the user to poll the user and machine policies (without going through the Control Paten applet). In Software Center (after the new client push), a Sync Policy button has been added to the Options > Computer Maintenance page.

  1. Windows 10 Device Health Attestation. This can be enabled in Administration > Overview > Client Settings under Computer Agent

To view the device health attestation view, in the Configuration Manager console go to the Monitoring workspace of, click Security node, and then click Health Attestation.

  1. Configuration Manager sites that run version 1602 or later support the in-place upgrade of the site servers operating system from Windows Server 2008 R2 to Windows Server 2012 R2. Before you upgrade to Windows Server 2012 R2, you must uninstall WSUS 3.2 from the server.
  2. New filter options are available for Windows 10 servicing plans that allow you to filter for Language, Required, and Title. Only upgrades that meet the specified criteria will be added to the associated deployment. Prior this change, all upgrades were being downloaded regardless of language or SKU.

Chicago Systems Management Users Group (CSMUG)

After couple of years of debates to do this or not, we have decided to move forward with this group.  There is no similar group like this in Chicagoland area.  We have done topics with the Chicago Windows User Group in the past and will continue to support them in joint events.  However, the membership for a Windows user group vs. a System Center, EMS, datacenter and client management, is much different.

If you are in the Chicago area, please sign up.

http://www.meetup.com/Chicago-Systems-Management-Users-Group-CSMUG/

The group is co-founded by Rich Lilly.  Check out his blog here and follow him on Twitter

Jay @jparekh_tech

Enroll Windows 10 Enterprise Preview to Hybrid ConfigMgr + Microsoft Intune

The following are quick steps to enroll the Microsoft Windows 10 Insiders Preview (as of build 10130) to Microsoft Intune in a hybrid environment with Microsoft System Center 2012 R2 SP1 Configuration Manager (SCCM).

This assume you have already configured Microsoft Intune into your SCCM environment.

  1. In the SCCM console, navigate to Administration -> Overview -> Cloud Services -> Microsoft Intune Subscriptions.
  2. On the top ribbon bar, click the Configure Platforms button. Click Windows in the drop down

  3. From the Microsoft Intune Subscription Properties, click the Enable Windows enrollment.

  1. Log onto your Windows 10 desktop, go to Settings and choose Network and Internet

  2. Click on Accounts and then Work access. On the Connect to work or school section, click the + Connect

  3. Enter your work email address that are Intune enabled (an account that has synchronization between your on-premise Active Directory and Windows Azure Active Directory). After you click continue, you will be sent to the Microsoft site to authenticate.

  4. Once done, you see the connected account on the main section.

  5. In the SCCM console, you will now be able to see your newly enrolled device as a Mobile device. You will be able to deploy applicable compliance policies just like any other mobile devices in your organization.

-Jay

Hybrid – Intune Mobile Application Management and Conditional Access for Outlook blog NOTE

As most have seen the blog announcing the Intune Mobile Application Management and Conditional Access for Outlook.  At the very bottom, there is a Note about the hybrid customers (SCCM) availability that seems to be missed by few folks when they update to SP1.

Note: These features are currently available in Intune standalone (cloud only) and will be made available to hybrid customers by July 2 as part of an upcoming Intune service update.