What's new in version 1706 of System Center Configuration Manager
Applies to: System Center Configuration Manager (Current Branch)
Update 1706 for System Center Configuration Manager current branch is available as an in-console update for previously installed sites that run version 1606, 1610, or 1702.
To install a new site, you must use a baseline version of Configuration Manager.
The following sections provide details about changes and new capabilities introduced in version 1706 of Configuration Manager.
Client Peer Cache support for express installation files for Windows 10 and Office 365
Beginning with this release, Peer Cache supports distribution of content for Windows 10 express installation files and for Office 365 update files. No additional configuration is required to support this change.
Updates for the data warehouse
The data warehouse is no longer a pre-release feature. We have also updated the prerequisites to include support for the database on SQL Server Always On availability groups and failover clusters. For more information, see The Data Warehouse service point.
We have made additional accessibility improvements to the Configuration Manager console. For details, see Accessibility features.
Improvements for SQL Server Always On Availability Groups
With this release, you can now use asynchronous commit replicas in the SQL Server Always On availability groups you use with Configuration Manager. This means you can add additional replicas to your availability groups to use as off-site (remote) backups, and then use them in a disaster recovery scenario.
- Configuration Manager supports using the asynchronous commit replica to recover your synchronous replica. See site database recovery options in the Backup and Recovery topic for information on how to accomplish this.
- This release does not support failover to use the asynchronous commit replica as your site database. For more information, see Prepare to use Always On Availability Groups.
Update reset tool
Beginning with version 1706, Configuration Manager primary sites and central administration sites include the Configuration Manager Update Reset Tool, CMUpdateReset.exe. Use this tool with any version of the current branch that remains in support to fix issues when in-console updates have problems downloading or replicating. For more information, see Update reset tool.
High DPI console support
With this release, issues with how the Configuration Manager console scales and displays different parts of the UI when viewed on high DPI devices (like a Surface Book) should be fixed.
Improved boundary groups for software update points
This release includes improvements for how software update points work with boundary groups. The following summarizes the new fallback behavior:
- Fallback for software update points now uses a configurable time for fallback to neighbor boundary groups.
- Independent of the fallback configuration, a client attempts to reach the last software update point it used for 120 minutes. After failing to reach that server for 120 minutes, the client then checks its pool of available software update points, so it can find a new one.
- After failing to reach its original server for two hours, the client switches to a shorter cycle for contacting a new software update point. This means if a client fails to connect with a new server, it quickly selects the next server from its pool of available servers and attempts to contact that one.
For more information, see software update points in the Boundary Groups topic for the Current Branch.
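The fallback behavior above, as an added example in Python that is not Configuration Manager code. It models one client: the client stays sticky to its last-used software update point (SUP) for 120 minutes of failures, then walks its pool on a short cycle; the assumption that SUPs in neighbor boundary groups become eligible only after the configurable fallback time (`fallback_minutes`) has elapsed is this model's simplification, as are the server names.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

STICKY_MINUTES = 120  # a client keeps retrying its last-used SUP for this long


@dataclass
class SupClient:
    current_sup: str
    local_pool: List[str]        # SUPs in the client's own boundary group (constructed names)
    neighbor_pool: List[str]     # SUPs in neighbor boundary groups (constructed names)
    fallback_minutes: int = 120  # configurable fallback time to neighbor groups
    failing_since: Optional[int] = None
    short_cycle: bool = False    # True once the last-used SUP has been abandoned

    def candidates(self, now: int) -> List[str]:
        """SUPs the client may switch to at time `now`. Assumption of this model:
        neighbor-group SUPs are eligible only after fallback_minutes of failure."""
        pool = list(self.local_pool)
        if self.failing_since is not None and now - self.failing_since >= self.fallback_minutes:
            pool += self.neighbor_pool
        return [s for s in pool if s != self.current_sup]

    def scan(self, now: int, reachable: Set[str]) -> Optional[str]:
        """One scan cycle at `now` (minutes since start). Returns the SUP used, or None."""
        if self.current_sup in reachable:
            self.failing_since, self.short_cycle = None, False
            return self.current_sup
        if self.failing_since is None:
            self.failing_since = now
        if not self.short_cycle and now - self.failing_since < STICKY_MINUTES:
            return None  # still sticky: keep retrying the last-used SUP
        # 120 minutes of failure: short cycle, move on at each failed server
        self.short_cycle = True
        for sup in self.candidates(now):
            self.current_sup = sup
            if sup in reachable:
                self.failing_since, self.short_cycle = None, False
                return sup
        return None
```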
Azure AD integration with Configuration Manager
With this release, we have improved the integration of Configuration Manager and Azure Active Directory (Azure AD). These improvements streamline how you configure the Azure services you use with Configuration Manager, and help you to manage clients and users who authenticate through Azure AD.
The improved integration makes the following possible:
- Azure Services Wizard – This wizard provides a common configuration experience that replaces the individual workflows to set up the following Azure services you use with Configuration Manager:
  - Cloud Management: Enable clients to authenticate by using Azure Active Directory (Azure AD). You can also configure Azure AD User Discovery.
  - OMS Connector: Connect to Operations Manager Suite (OMS) and sync data like collections to OMS Log Analytics.
  - Upgrade Readiness: Connect to Upgrade Readiness and view client upgrade-compatibility data.
  - Windows Store for Business: Connect to the online store for Windows Store for Business and get apps for your organization that you can deploy with Configuration Manager.
This is done by using an Azure server web app to provide the subscription and configuration details that you otherwise enter each time you set up a new Configuration Manager component or service with Azure. For more information, see Azure Services Wizard.
- Use Azure AD to authenticate clients on the Internet to access your Configuration Manager sites. Azure AD replaces the need to configure and use client authentication certificates. This requires the cloud management gateway site system role. For more information, see Install and assign Configuration Manager clients from the Internet using Azure AD for authentication.
- Install and manage the Configuration Manager client on computers that are located on the Internet. This requires the use of the cloud management gateway site system role. For more information, see Install and assign Configuration Manager clients from the Internet using Azure AD for authentication.
- Configure Azure AD User Discovery. Use the Azure Services Wizard to configure this new discovery method. This new method queries your Azure AD for user data that you can then use alongside traditional discovery data. Both full and delta synchronization are supported. For more information, see Azure AD User Discovery.
Peer cache improvements
Peer cache no longer uses the Network Access Account to authenticate download requests from peers. There is one caveat: the account is still required for clients that boot into WinPE and then access content from a peer cache source. For more information, see requirements and considerations for peer cache.
New configuration settings for Windows 10 devices that are not managed with the Configuration Manager client
In this release, we've added new configuration item settings for Windows 10 devices that are enrolled with Intune, or managed on premises by Configuration Manager. The settings are:
- Device Encryption
- Region settings modification (desktop only)
- Power and sleep settings modification
- Language settings modification
- System time modification
- Device name modification
- Auto-update apps from store
- Use private store only
- Store originated app launch
- Microsoft Edge
- Block access to about:flags
- SmartScreen prompt override
- SmartScreen prompt override for files
- WebRTC localhost IP address
- Default search engine
- OpenSearch XML URL
- Homepages (desktop only)
For details of all Windows 10 settings, see How to create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client.
New device compliance policy rules
Required password type. Specify whether the user must create an alphanumeric password or a numeric password. For alphanumeric passwords, you also specify the minimum number of character sets that the password must have. The four character sets are: lowercase letters, uppercase letters, symbols, and numbers.
- Windows Phone 8+
- Windows 8.1+
- iOS 6+
Block USB debugging on device. You do not have to configure this setting, as USB debugging is already disabled on Android for Work devices.
- Android 4.0+
- Samsung KNOX Standard 4.0+
Block apps from unknown sources. Require that devices prevent installation of apps from unknown sources. You do not have to configure this setting as Android for Work devices always restrict installation from unknown sources.
- Android 4.0+
- Samsung KNOX Standard 4.0+
Require threat scan on apps. This setting specifies that the Verify apps feature is enabled on the device.
- Android 4.2 through 4.4
- Samsung KNOX Standard 4.0+
See create and deploy a device compliance policy to try the new device compliance rules.
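The Required password type rule described above, as an added Python example that is not Configuration Manager or Intune code: it classifies a password by the four character sets the rule names and evaluates it against a numeric or alphanumeric requirement with a minimum set count. Two details are this model's assumptions, not stated on the page: an alphanumeric password must contain at least one letter, and characters outside the four ASCII sets (whitespace, non-ASCII) count toward no set.

```python
import string
from typing import List

# The four character sets named by the compliance rule
CHARACTER_SETS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),
}


def character_sets_used(password: str) -> List[str]:
    """Names of the character sets that appear in the password, sorted."""
    return sorted(name for name, chars in CHARACTER_SETS.items()
                  if any(c in chars for c in password))


def meets_password_type(password: str, required_type: str, min_sets: int = 1) -> bool:
    """Evaluate the 'Required password type' rule.

    required_type is 'numeric' or 'alphanumeric'. For alphanumeric, min_sets is
    the minimum number of the four character sets the password must draw from.
    Assumption of this model: an alphanumeric password needs at least one letter.
    """
    if not password:
        return False
    if required_type == "numeric":
        return password.isdigit()
    if required_type == "alphanumeric":
        if not 1 <= min_sets <= 4:
            raise ValueError("min_sets must be between 1 and 4")
        used = character_sets_used(password)
        has_letter = "lowercase" in used or "uppercase" in used
        return has_letter and len(used) >= min_sets
    raise ValueError(f"unknown required_type: {required_type!r}")
```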
Run PowerShell scripts from the Configuration Manager console
In Configuration Manager, you can deploy scripts to client devices using packages and programs. In this release, we've added new functionality that lets you take the following actions:
- Import PowerShell scripts to Configuration Manager
- Edit the scripts from the Configuration Manager console (for unsigned scripts only)
- Mark scripts as Approved or Denied, to improve security
- Run scripts on collections of Windows client PCs, and on-premises managed Windows PCs. You don't deploy scripts; instead, they run in near real time on client devices.
- Examine the results returned by the script in the Configuration Manager console.
For more information, see Create and run PowerShell scripts from the Configuration Manager console.
New mobile application management policy settings
Beginning with this release, you can use three new mobile application management (MAM) policy settings:
- Block screen capture (Android devices only): Specifies that the screen capture capabilities of the device are blocked when using this app.
See protect apps using app protection policies in Configuration Manager to try the new app protection policy settings.
Operating system deployment
Hardware inventory collects Secure Boot information
Hardware inventory now collects information about whether Secure Boot is enabled on clients. This information is stored in the SMS_Firmware class (introduced in version 1702) and enabled in hardware inventory by default. For more information about hardware inventory, see How to configure hardware inventory.
Collapsible task sequence groups
This version introduces the ability to expand and collapse task sequence groups. You can expand or collapse individual groups, or all groups at once.
Reload boot images with current Windows PE version
When you run Update Distribution Points on a selected boot image, you can now choose to reload the latest version of Windows PE (from the Windows ADK installation directory) in the boot image. For more information, see Update distribution points with the boot image.
Improvements to Express Update download time
In this release, we have significantly improved the download time for Express Updates. For more information, see Manage Express installation files for Windows 10 updates.
Manage Microsoft Surface driver updates
You can now use Configuration Manager to manage Microsoft Surface driver updates.
- All software update points must run Windows Server 2016.
- This is a pre-release feature that you must turn on for it to be available. For more information, see Use pre-release features from updates.
To manage Surface driver updates
- Enable synchronization for Microsoft Surface drivers. Use the procedure in Configure classification and products and select the Include Microsoft Surface drivers and firmware updates checkbox on the Classifications tab to enable Surface drivers.
- Synchronize the Microsoft Surface drivers.
- Deploy the synchronized Microsoft Surface drivers.
Configure Windows Update for Business deferral policies
You can now configure deferral policies for Windows 10 Feature Updates or Quality Updates for Windows 10 devices managed directly by Windows Update for Business. You can manage the deferral policies in the new Windows Update for Business Policies node under Software Library > Windows 10 Servicing.
For details, see Integration with Windows Update for Business in Windows 10.
Improved user notifications for Office 365 updates
Improvements have been made to leverage the Office Click-to-Run user experience when a client installs an Office 365 update. This includes pop-up and in-app notifications, and a countdown experience. For more information, see Restart behavior and client notifications for Office 365 updates.
Use Windows Analytics with Configuration Manager
Windows Analytics is a set of solutions that run on Operations Management Suite. The solutions allow you to gain insight into the current state of your environment. Devices in your environment report Windows telemetry data. The data can be accessed through the Operations Management Suite web portal. In the case of Upgrade Readiness, the data is directly available in the Monitoring node of the Configuration Manager console.
For more information, see Use Windows Analytics with Configuration Manager.
Mobile device management
Updates to Android for Work sharing configuration
With this release, the values for the Allow data sharing between work and personal profile setting in the Work Profile setting group have been updated. We’ve also added a custom setting to block copy-paste between work and personal profiles.
For more information, see Configuration items for Android for Work devices.
Android and iOS enrollment restrictions
With this release, you can now specify that users cannot enroll personal Android or iOS devices. New device restriction settings let you limit Android device enrollment to predeclared devices. For iOS devices, you can block enrollment of all devices except those enrolled with Apple's Device Enrollment Program, Apple Configurator, or the Intune device enrollment manager account.
- For more information about Android enrollment restrictions, see Set up Android device management.
- For more information about iOS enrollment restrictions, see Configure iOS enrollment restrictions.
Include trust for specific files and folders in a Device Guard policy
In this release, we’ve added further capabilities to Device Guard policy management.
You can now optionally add trust for specific files or folders in a Device Guard policy. This lets you:
- Overcome issues with managed installer behaviors
- Trust line-of-business apps that cannot be deployed with Configuration Manager
- Trust apps that are included in an operating system deployment image
For more details, see Device Guard management with Configuration Manager.