What's new in version 1906 of Configuration Manager current branch
Applies to: System Center Configuration Manager (Current Branch)
Update 1906 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 1802 or later. This article summarizes the changes and new features in Configuration Manager, version 1906.
To take full advantage of new Configuration Manager features, after you update the site, also update clients to the latest version. While new functionality appears in the Configuration Manager console when you update the site and console, the complete scenario isn't functional until the client version is also the latest.
To get notified when this page is updated, copy and paste the following URL into your RSS feed reader:
Version 1906 client requires SHA-2 code signing support
Because of weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft now only signs Configuration Manager binaries using the more secure SHA-2 algorithm. The following Windows OS versions require an update for SHA-2 code signing support:
- Windows 7 SP1
- Windows Server 2008 R2 SP1
- Windows Server 2008 SP2
For more information, see Prerequisites for Windows clients.
Site server maintenance task improvements
Site server maintenance tasks can now be viewed and edited from their own tab on the details view of a site server. The new Maintenance Tasks tab gives you information such as:
- If the task is enabled
- The task schedule
- Last start time
- Last completion time
- If the task completed successfully
For more information, see Maintenance tasks.
Configuration Manager update database upgrade monitoring
When applying a Configuration Manager update, you can now see the state of the Upgrade ConfigMgr database task in the installation status window.
If the database upgrade is blocked, then you'll be given the warning, In progress, needs attention.
- The cmupdate.log will log the program name and sessionid from SQL that is blocking the database upgrade.
When the database upgrade is no longer blocked, the status will be reset to In progress or Complete.
- When the database upgrade is blocked, a check is done every 5 minutes to see if it's still blocked.
For more information, see Install in-console updates.
Management insights rule for NTLM fallback
Management insights includes a new rule that detects if you enabled the less secure NTLM authentication fallback method for the site: NTLM fallback is enabled.
For more information, see Management insights.
Improvements to support for SQL Always On
Add a new synchronous replica from setup: You can now add a new secondary replica node to an existing SQL Always On availability group. Instead of a manual process, use Configuration Manager setup to make this change. For more information, see Configure SQL Server Always On availability groups.
Multi-subnet failover: You can now enable the MultiSubnetFailover connection string keyword in SQL Server. You also need to manually configure the site server. For more information, see the Multi-subnet failover prerequisite.
Support for distributed views: The site database can be hosted on a SQL Server Always On availability group, and you can enable database replication links to use distributed views.
This change doesn't apply to SQL Server clusters.
Site recovery can recreate the database on a SQL Always On group. This process works with both manual and automatic seeding.
New setup prerequisite checks:
- SQL availability group replicas must all have the same seeding mode
- SQL availability group replicas must be healthy
Azure Active Directory user group discovery
You can now discover user groups and members of those groups from Azure Active Directory (Azure AD). Users found in Azure AD groups that the site hasn't previously discovered are added as user resources in Configuration Manager. A user group resource record is created when the group is a security group. This feature is a pre-release feature and needs to be enabled.
For more information, see Configure discovery methods.
Synchronize collection membership results to Azure Active Directory groups
You can now enable the synchronization of collection memberships to an Azure Active Directory (Azure AD) group. This synchronization is a pre-release feature. To enable it, see Pre-release features.
The synchronization allows you to use your existing on-premises grouping rules in the cloud by creating Azure AD group memberships based on collection membership results. Only devices with an Azure Active Directory record are reflected in the Azure AD Group. Both Hybrid Azure AD Joined and Azure Active Directory joined devices are supported.
For more information, see Create collections.
Readiness insights for desktop apps
You can now get more detailed insights for your desktop applications including line-of-business apps. The former App Health Analyzer toolkit is now integrated with the Configuration Manager client. This integration simplifies deployment and manageability of app readiness insights in the Desktop Analytics portal.
For more information, see Compatibility assessment in Desktop Analytics.
Use the DesktopAnalyticsLogsCollector.ps1 tool from the Configuration Manager install directory to help troubleshoot Desktop Analytics. It runs some basic troubleshooting steps and collects the relevant logs into a single working directory.
For more information, see Logs collector.
Add joins, additional operators, and aggregators in CMPivot
For CMPivot, you now have additional arithmetic operators, aggregators, and the ability to add query joins such as using Registry and File together.
For more information, see CMPivot.
You can now use CMPivot as a standalone app. CMPivot standalone is a pre-release feature and is only available in English. Run CMPivot outside of the Configuration Manager console to view the real-time state of devices in your environment. This change enables you to use CMPivot on a device without first installing the console.
You can share the power of CMPivot with other personas, such as helpdesk or security admins, who don’t have the console installed on their computer. These other personas can use CMPivot to query Configuration Manager alongside the other tools that they traditionally use. By sharing this rich management data, you can work together to proactively solve business problems that cross roles.
Added permissions to the Security Administrator role
The following permissions have been added to Configuration Manager's built-in Security Administrator role:
- Read on SMS Script
- Run CMPivot on Collection
- Read on Inventory Report
For more information, see CMPivot.
Delivery Optimization download data in client data sources dashboard
The client data sources dashboard now includes Delivery Optimization data. This dashboard helps you understand from where clients are getting content in your environment.
For more information, see Client Data Sources dashboard.
Use your distribution point as an in-network cache server for Delivery Optimization
You can now install Delivery Optimization In-Network Cache (DOINC) server on your distribution points. By caching this content on-premises, your clients can benefit from the Delivery Optimization feature, but you can help to protect WAN links.
This cache server acts as an on-demand transparent cache for content downloaded by Delivery Optimization. Use client settings to make sure this server is offered only to the members of the local Configuration Manager boundary group.
For more information, see Delivery Optimization In-Network Cache in Configuration Manager.
Support for Windows Virtual Desktop
Windows Virtual Desktop is a preview feature of Microsoft Azure and Microsoft 365. You can now use Configuration Manager to manage these virtual devices running Windows in Azure.
Similar to a terminal server, these virtual devices allow multiple concurrent active user sessions. To help with client performance, Configuration Manager now disables user policies on any device that allows these multiple user sessions. Even if you enable user policies, the client disables them by default on these devices, which include Windows Virtual Desktop and terminal servers.
For more information, see Supported OS versions for clients and devices.
Support Center OneTrace (Preview)
OneTrace is a new log viewer with Support Center. It works similarly to CMTrace, with the following improvements:
- A tabbed view
- Dockable windows
- Improved search capabilities
- Ability to enable filters without leaving the log view
- Scrollbar hints to quickly identify clusters of errors
- Fast log opening for large files
For more information, see Support Center OneTrace.
Configure client cache minimum retention period
You can now specify the minimum time for the Configuration Manager client to keep cached content. This client setting defines the minimum amount of time Configuration Manager agent should wait before it can remove content from the cache in case more space is needed. In the Client cache settings group of client settings, configure the following setting: Minimum duration before cached content can be removed (minutes).
In the same client setting group, the existing setting to Enable Configuration Manager client in full OS to share content is now renamed to Enable as peer cache source. The behavior of the setting doesn't change.
For more information, see Client cache settings.
Improvements to co-management auto-enrollment
A new co-managed device now automatically enrolls to the Microsoft Intune service based on its Azure Active Directory (Azure AD) device token. It doesn't need to wait for a user to sign in to the device for auto-enrollment to start. This change helps to reduce the number of devices with the enrollment status Pending user sign in.
For customers that already have devices enrolled to co-management, new devices now enroll immediately once they meet the prerequisites. For example, once the device is joined to Azure AD and the Configuration Manager client is installed.
For more information, see Enable co-management.
Multiple pilot groups for co-management workloads
You can now configure different pilot collections for each of the co-management workloads. Using different pilot collections allows you to take a more granular approach when shifting workloads.
In the Enablement tab, you can now specify an Intune Auto Enrollment collection.
- The Intune Auto Enrollment collection should contain all of the clients you want to onboard into co-management. It's essentially a superset of all the other staging collections.
In the Staging tab, instead of using one pilot collection for all workloads, you can now choose an individual collection for each workload.
These options are also available when you first enable co-management.
For more information, see Enable co-management.
Co-management support for government cloud
U.S. government customers can now use co-management with the Azure U.S. Government Cloud (portal.azure.us). For more information, see Enable co-management.
Filter applications deployed to devices
User categories for device-targeted application deployments now show as filters in Software Center. Specify a user category for an application on the Software Center page of its properties. Then open the app in Software Center and look at the available filters.
For more information, see Manually specify application information.
Create a group of applications that you can send to a user or device collection as a single deployment. The metadata you specify about the app group is seen in Software Center as a single entity. You can order the apps in the group so that the client installs them in a specific order.
This feature is pre-release. To enable it, see Pre-release features.
For more information, see Create application groups.
Retry the install of pre-approved applications
You can now retry the installation of an app that you previously approved for a user or device. The approval option is only for available deployments. If the user uninstalls the app, or if the initial install process fails, Configuration Manager doesn't reevaluate its state and reinstall it. This feature allows a support technician to quickly retry the app install for a user that calls for help.
For more information, see Approve applications.
Install an application for a device
From the Configuration Manager console, you can now install applications to a device in real time. This feature can help reduce the need for separate collections for every application.
For more information, see Install applications for a device.
Improvements to app approvals
This release includes the following improvements to app approvals:
If you approve an app request in the console, and then deny it, you can now approve it again. The app is reinstalled on the client after you approve it.
In the Configuration Manager console, Software Library workspace, under Application Management, the Approval Requests node is renamed Application Requests.
There's a new WMI method, DeleteInstance to remove an app approval request. This action doesn't uninstall the app on the device. If it's not already installed, the user can't install the app from Software Center.
Call the CreateApprovedRequest API to create a pre-approved request for an app on a device. To prevent automatically installing the app on the client, set the AutoInstall parameter to
FALSE. The user sees the app in Software Center, but it's not automatically installed.
For more information, see Approve applications.
Task sequence debugger
The task sequence debugger is a new troubleshooting tool. You deploy a task sequence in debug mode to a collection of one device. It lets you step through the task sequence in a controlled manner to aid troubleshooting and investigation.
This feature is pre-release. To enable it, see Pre-release features.
For more information, see Debug a task sequence.
Clear app content from client cache during task sequence
In the Install Application task sequence step, you can now delete the app content from the client cache after the step runs.
For more information, see About task sequence steps.
Update the target client to the latest version to support this new feature.
Reclaim SEDO lock for task sequences
If the Configuration Manager console stops responding, you can be locked out of making further changes to a task sequence. Now when you attempt to access a locked task sequence, you can now Discard Changes, and continue editing the object.
For more information, see Use the task sequence editor.
Pre-cache driver packages and OS images
Task sequence pre-cache now includes additional content types. Pre-cache content previously only applied to OS upgrade packages. Now you can use pre-caching to reduce bandwidth consumption of:
- OS images
- Driver packages
For more information, see Configure pre-cache content.
Improvements to OS deployment
This release includes the following improvements to OS deployment:
Use the following two PowerShell cmdlets to create and edit the Run Task Sequence step:
It's now easier to edit variables when you run a task sequence. After you select a task sequence in the Task Sequence Wizard window, the page to edit task sequence variables includes an Edit button. For more information, see How to use task sequence variables.
The Disable BitLocker task sequence step has a new restart counter. Use this option to specify the number of restarts to keep BitLocker disabled. This change helps you simplify your task sequence. You can use a single step, instead of adding multiple instances of this step. For more information, see Disable BitLocker.
Use the new task sequence variable SMSTSRebootDelayNext with the existing SMSTSRebootDelay variable. If you want any later reboots to happen with a different timeout than the first, set this new variable to a different value in seconds. For more information, see SMSTSRebootDelayNext.
The task sequence sets a new read-only variable _SMSTSLastContentDownloadLocation. This variable contains the last location where the task sequence downloaded or attempted to download content. Inspect this variable instead of parsing the client logs.
When you create task sequence media, Configuration Manager doesn't add an autorun.inf file. This file is commonly blocked by antimalware products. You can still include the file if necessary for your scenario.
Improvements to Software Center tab customizations
You can now add up to five custom tabs in Software Center. You can also edit the order in which these tabs appear in Software Center.
For more information, see Software Center client settings.
Software Center infrastructure improvements
This release includes the following infrastructure improvements to Software Center:
Software Center now communicates with a management point for apps targeted to users as available. It doesn't use the application catalog anymore. This change makes it easier for you to remove the application catalog from the site.
Previously, Software Center picked the first management point from the list of available servers. Starting in this release, it uses the same management point that the client uses. This change allows Software Center to use the same management point from the assigned primary site as the client.
These iterative improvements to Software Center and the management point are to retire the application catalog roles.
- The Silverlight user experience isn't supported as of current branch version 1806.
- Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles.
- Support ends for the application catalog roles with version 1910.
Redesigned notification for newly available software
The New Software is Available notification will only show once for a user for a given application and revision. The user will no longer see the notification each time they sign in. They'll only see another notification for an application if it has changed or was redeployed.
For more information, see Create and deploy an application.
More frequent countdown notifications for restarts
End users will now be reminded more frequently of a pending restart with intermittent countdown notifications. You can define the interval for the intermittent notifications in Client Settings on the Computer Restart page. Change the value for Specify the snooze duration for computer restart countdown notifications (minutes) to configure how often a user is reminded about a pending restart until the final countdown notification occurs.
Additionally, the maximum value for Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes) increased from 1440 minutes (24 hours) to 20160 minutes (two weeks).
Direct link to custom tabs in Software Center
You can now provide users with a direct link to a custom tab in Software Center.
Use the following URL format to open Software Center to a particular tab:
CustomTab1 is the first custom tab in order.
For example, type this URL in the Windows Run window.
You can also use this syntax to open default tabs in Software Center:
For more information, see Software Center tab visibility.
Additional options for WSUS maintenance
You now have additional WSUS maintenance tasks that Configuration Manager can run to maintain healthy software update points. The WSUS maintenance occurs after every synchronization. In addition to declining expired updates in WSUS, Configuration Manager can now:
- Remove obsolete updates from the WSUS database.
- Add non-clustered indexes to the WSUS database to improve WSUS cleanup performance.
For more information, see Software updates maintenance.
Configure the default maximum run time for software updates
You can now specify the maximum amount of time a software update installation has to complete. You can specify the following items in the Maximum Run Time tab on the Software Update Point:
- Maximum run time for Windows feature updates (minutes)
- Maximum run time for Office 365 updates and non-feature updates for Windows (minutes)
For more information, see Plan for software updates.
Configure dynamic update during feature updates
Use a new client setting to configure Dynamic Update during Windows 10 feature update installs. Dynamic Update installs language packs, features on demand, drivers, and cumulative updates during Windows setup by directing the client to download these updates from the internet.
New Windows 10, version 1903 and later product category
Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being part of the Windows 10 product like earlier versions. This change caused you to do a number of manual steps to ensure that your clients see these updates. We've helped reduce the number of manual steps you have to take for the new product.
When you update to Configuration Manager version 1906 and have the Windows 10 product selected for synchronization, the following actions occur automatically:
- The Windows 10, version 1903 and later product is added for synchronization.
- Automatic Deployment Rules containing the Windows 10 product will be updated to include Windows 10, version 1903 and later.
- Servicing plans are updated to include the Windows 10, version 1903 and later product.
For more information, see Configure classifications and products to synchronize, Servicing plans, and Automatic deployment rules.
Drill through required updates
You can now drill through compliance statistics to see which devices require a specific software update. To view the device list, you need permission to view updates and the collections the devices belong to. To drill down into the device list, select the View Required hyperlink next to the pie chart in the Summary tab for an update. Clicking the hyperlink takes you to a temporary node under Devices where you can see the devices requiring the update.
The View Required hyperlink is available in the following locations:
- Software Library > Software Updates > All Software Updates
- Software Library > Windows 10 Servicing > All Windows 10 Updates
- Software Library > Office 365 Client Management > Office 365 Updates
Office 365 ProPlus upgrade readiness dashboard
To help you determine which devices are ready to upgrade to Office 365 ProPlus, there's a new readiness dashboard. It includes the Office 365 ProPlus upgrade readiness tile that released in Configuration Manager current branch version 1902. In the Configuration Manager console, go to the Software Library workspace, expand Office 365 Client Management, and select the Office 365 ProPlus Upgrade Readiness node.
For more information on the dashboard, prerequisites, and using this data, see Integration for Office 365 ProPlus readiness.
Windows Defender Application Guard file trust criteria
There's a new policy setting that enables users to trust files that normally open in Windows Defender Application Guard (WDAG). Upon successful completion, the files will open on the host device instead of in WDAG.
For more information, see Create and deploy Windows Defender Application Guard policy.
Configuration Manager console
Role-based access for folders
You can now set security scopes on folders. If you have access to an object in the folder but don't have access to the folder, you'll be unable to see the object. Similarly, if you have access to a folder but not an object within it, you won't see that object. Right-click a folder, choose Set Security Scopes, then choose the security scopes you want to apply.
Add SMBIOS GUID column to device and device collection nodes
In both the Devices and Device Collections nodes, you can now add a new column for SMBIOS GUID. This value is the same as the BIOS GUID property of the System Resource class. It's a unique identifier for the device hardware.
Administration service support for security nodes
You can now enable some nodes of the Configuration Manager console to use the administration service. This change allows the console to communicate with the SMS Provider over HTTPS instead of via WMI.
For more information, see Administration service.
Starting in version 1906, the Client Computer Communication tab on the site properties is now called Communication Security.
Collections tab in devices node
In the Assets and Compliance workspace, go to the Devices node, and select a device. In the details pane, switch to the new Collections tab. This tab lists the collections that include this device.
- This tab currently isn't available from a devices subnode under the Device Collections node. For example, when you select the option to Show Members on a collection.
- This tab may not populate as expected for some users. To see the complete list of collections a device belongs to, you must have the Full Administrator security role. This is a known issue.
Task sequences tab in applications node
In the Software Library workspace, expand Application Management, go to the Applications node, and select an application. In the details pane, switch to the new Task sequences tab. This tab lists the task sequences that reference this application.
Show collection name for scripts
In the Monitoring workspace, select the Script Status node. It now lists the Collection Name in addition to the ID.
Real-time actions from device lists
There are various ways to display a list of devices under the Devices node in the Assets and Compliance workspace.
In the Assets and Compliance workspace, select the Device Collections node. Select a device collection, and choose the action to Show members. This action opens a subnode of the Devices node with a device list for that collection.
- When you select the collection subnode, you can now start CMPivot from the Collection group of the ribbon.
In the Monitoring workspace, select the Deployments node. Select a deployment, and choose the View Status action in the ribbon. In the deployment status pane, double-click the total assets to drill-through to a device list.
- When you select a device in this list, you can now start CMPivot and Run Scripts from the Device group of the ribbon.
Order by program name in task sequence
In the Software Library workspace, expand Operating Systems, and select the Task Sequences node. Edit a task sequence, and select or add the Install Package step. If a package has more than one program, the drop-down list now sorts the programs alphabetically.
Correct names for client operations
In the Monitoring workspace, select Client Operations. The operation to Switch to next Software Update Point is now properly named.
Deprecated features and operating systems
Learn about support changes before they're implemented in removed and deprecated items.
Version 1906 drops support for the following features:
- You can't install new application catalog roles. Updated clients automatically use the management point for user-available application deployments. For more information, see Plan for Software Center.
Version 1906 deprecates support for the following products:
- Windows CE 7.0
- Windows 10 Mobile
- Windows 10 Mobile Enterprise
As of this version, the following features are no longer pre-release:
Aside from new features, this release also includes additional changes such as bug fixes. For more information, see Summary of changes in Configuration Manager current branch, version 1906.
For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see PowerShell version 1906 release notes.
The following update rollup (4517869) is available in the console starting on October 1, 2019: Update rollup for Configuration Manager current branch, version 1906.
As of August 16, 2019, version 1906 is globally available for all customers to install.
To install a new site, use a baseline version of Configuration Manager.
Learn more about:
For known, significant issues, see the Release notes.
After you update a site, also review the Post-update checklist.