Manage Configuration Manager console extensions

Applies to: Configuration Manager (current branch)

Starting in Configuration Manager 2103, the Console extensions node allows you to start managing the approval and installation of console extensions used in your environment. Having extensions in the console doesn't make them immediately available. First, an administrator has to approve the extension for the site and enable notifications. Then console users can install the extension to their local console.

After you approve an extension, when you open the console, you'll see a console notification. From the notification, you can start the extension installer. After the installer completes, the console restarts automatically, and then you can use the extension.

The new style of console extensions has the following benefits:

  1. Centralized management of console extensions for the site from the console instead of manually placing binaries on individual consoles.
  2. A clear separation of console extensions from different extension providers.
  3. The ability for admins to have more control over which console extensions are loaded and used in the environment, to keep them more secure.
  4. A hierarchy setting that allows for only using the new style of console extension.

    Important

    If this setting is used, your old style extensions that aren't approved through the Console Extensions node will no longer be able to be used. The setting, Only allow console extensions that are approved for the hierarchy, is enabled by default if you installed from the 2103 baseline image. The setting remains disabled by default, if you upgraded from a version prior to 2103. If the setting was enabled in error, disabling the setting allows the old style extensions to be used again.

The old style of console extensions may start being phased out in favor of the new style, which is more secure and centrally managed.

About the Console Extensions node

(Introduced in version 2103)

The Console Extensions node is located under Administration > Overview > Updates and Servicing. Actions for console extensions are grouped in the ribbon and the right-click menu. Console extensions downloaded from Community hub will be shown here.

The Console Extensions node in the Configuration Manager console

Actions for All Sites group:

  • Approve Installation: Approves the console extension for installation across all sites. An extension must be approved before notifications are enabled.
  • Revoke Approval:
    • Revokes the ability to install the extension from the Console Extensions node.
    • Notifies then uninstalls existing instances of the extension across the hierarchy at the next launch of a locally installed console.
    • Allows for reapproval of the extension at a later date.
  • Enable Notifications: Upon next launch of the console, notifies users within the security scope that the extension can be installed.
  • Disable Notifications: Disables the console notification messages for the extension. Users within the security scope can still install approved extensions from the Console Extensions node.
  • Delete:
    • Revokes the ability to install the extension from the Console Extensions node.
    • Notifies then uninstalls existing instances of the extension across the hierarchy at the next launch of a locally installed console.
    • Removes the extension from the Console Extensions node so it can't be reapproved later.

Classify group:

  • Set Security Scopes: Set the security scopes to secure the object and limit access.

Local Extension group:

  • Install: Installs the selected extension for the current local console
  • Uninstall: Uninstalls the selected extension from the current local console

Note

  • The WebView2 console extension is approved by default to enable using Community hub. The files are automatically downloaded from https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section with the other redistributable files.
  • When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension again.

Enable or disable hierarchy approved console extensions

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select Sites.
  2. Select Hierarchy Settings from the ribbon.
  3. On the General tab, enable or disable the Only allow console extensions that are approved for the hierarchy option.
  4. Select Ok when done to close the Hierarchy Settings Properties.

Important

If this setting is enabled, your old style extensions that aren't approved through the Console Extensions node will no longer be able to be used. The setting, Only allow console extensions that are approved for the hierarchy, is enabled by default if you installed from the 2103 baseline image. The setting remains disabled by default, if you upgraded from a version prior to 2103. If the setting was enabled in error, disabling the setting allows the old style extensions to be used again.

Install and test an extension on a local console

  1. Change the security scope for the extension. Changing the security scope is recommended for initial testing of an extension.

    1. Go to the Console Extensions node under Administration > Overview > Updates and Servicing.
    2. Select the extension, then select Set Security Scopes from the ribbon.
    3. Remove the Default security scope and add a scope that only contains one or two admins for initial testing.
    4. Choose OK to save the security scope for the extension.
  2. Approve the extension by selecting Approve Installation from the ribbon or right-click menu.

    • If the extension isn't approved, you won't be able to install it or enable in-console notifications for it.
    • If you restart your console at this point, a notification about the available extension won't occur since you haven't enabled the option yet.
  3. Install the extension on the local console by choosing Install.

  4. Once the extension is installed, verify it displays and you can use it from the local console.

Enable user notifications for extension installation

  1. If needed, modify the security scopes for the extension to allow access by more admins. These admins will be targeted with the in-console notification for installing the extension.
  2. Select Enable Notifications.
  3. Launch a Configuration Manager console that doesn't have the extension installed. Ideally, use a test account that you gave access to when you modified the security scope.
  4. Verify that the notification for the extension occurs and that you can install the extension.

Console extension installation notifications

Users are notified when console extensions are approved for installation. These notifications occur for users when console extensions are approved and notifications are enabled from Administration > Overview > Updates and Servicing > Console Extensions. When notifications are enabled, users within the security scope for the extension receive the following prompts:

  1. In the upper-right corner of the console, select the bell icon to display Configuration Manager console notifications.

    Notifications in the Configuration Manager console

  2. The notification will say New custom console extensions are available.

    New custom console extensions are available notification

  3. Select the link Install custom console extensions to launch the install.

  4. When the install completes, select Close to restart the console and enable the new extension.

    Console extension completed install

Note

When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension again. For more information about the WebView2 installation, see the WebView2 installation section if the Community hub article.

Import unsigned console extensions for hierarchy approval

(Applies to Configuration Manager version 2107 or later)

Starting in Configuration Manager version 2107, you can choose to allow unsigned hierarchy approved console extensions. It's a best practice to always used signed extensions to minimize security risks and to confirm the authenticity of a console extension. However, in some cases you may need to allow unsigned console extensions due to an unsigned internally developed extension, or for testing your own custom extension in a lab. To import and install an unsigned hierarchy approved console extension, the high-level steps are:

  1. Allow unsigned hierarchy approved console extensions.
  2. Import the unsigned console extension.
  3. Test the unsigned console extension in a local console.
  4. Enable notifications to allow console users to install the unsigned console extension.

Allow unsigned hierarchy approved console extensions

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select Sites.
  2. Select Hierarchy Settings from the ribbon.
  3. On the General tab, enable the Hierarchy approved console extensions can be unsigned option.
  4. Select Ok when done to close the Hierarchy Settings Properties.

Import the unsigned console extension

When you have the .cab file for an extension, you can test it in a Configuration Manager lab environment. You'll do this by posting it through the administration service. Once the extension is inserted into the site, you can approve it and install it locally from the Console Extensions node.

Run the following PowerShell script after editing the $adminServiceProvider and $cabFilePath:

  • $adminServiceProvider - The top-level SMSProvider server where the administration service is installed
  • $cabFilePath - Path to the extension's .cab file
$adminServiceProvider = "SMSProviderServer.contoso.com"
$cabFilePath = "C:\Testing\MyExtension.cab"
$adminServiceURL = "https://$adminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"
$cabFileName = (Get-Item -Path $cabFilePath).Name
$Data = Get-Content $cabFilePath
$Bytes = [System.IO.File]::ReadAllBytes($cabFilePath)
$base64Content = [Convert]::ToBase64String($Bytes)
$Headers = @{
    "Content-Type" = "Application/json"
}
$Body = @{
            CabFile = @{
                FileName = $cabFileName
                FileContent = $base64Content
            }
            AllowUnsigned = $true
        } | ConvertTo-Json
$result = Invoke-WebRequest -Method Post -Uri $adminServiceURL -Body $Body -Headers $Headers -UseDefaultCredentials
if ($result.StatusCode -eq 200) {Write-Host "$cabFileName was published successfully."}
else {Write-Host "$cabFileName publish failed. Review AdminService.log for more information."}

Note

Currently, when an unsigned extension isn't enabled for user notification, in the Console Extensions node, the Required column remains blank instead of populating a value of No.

Next steps