What's new in version 1806 of Configuration Manager current branch

Applies to: System Center Configuration Manager (Current Branch)

Update 1806 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 1706, 1710, or 1802.

Important

This article currently lists all significant features in this version. However, not all sections yet link to updated content with further information on the new features. Keep checking this page regularly for updates. Changes are noted with the [Updated] tag. This note will be removed when the content is finalized.

The following sections provide details about the changes and new features in version 1806 of Configuration Manager current branch.

Deprecated features and operating systems

Learn about support changes before they are implemented in removed and deprecated items.

[Updated] As of August 14, 2018, the hybrid mobile device management feature is deprecated. For more information, see What is hybrid MDM.

Site infrastructure

CMPivot

Configuration Manager has always provided a large centralized store of device data, which customers use for reporting purposes. The site typically collects this data on a weekly basis. CMPivot is a new in-console utility that now provides access to real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. You can then filter and group this data in the tool. By providing real-time data from online clients, you can more quickly answer business questions, troubleshoot issues, and respond to security incidents.

For more information, see CMPivot.

Site server high availability

High availability for a standalone primary site server role is a Configuration Manager-based solution to install an additional site server in passive mode. The site server in passive mode is in addition to your existing site server that is in active mode. A site server in passive mode is available for immediate use, when needed.

For more information, see the following articles:

Improvements to management insights

This release includes the following improvements to management insights:

  • Some management insights now have the option to take an action. This action is either navigating to the associated node in the console, or showing a filtered, query-based view.

  • A new group for Proactive Maintenance is available with six new rules, which help highlight potential configuration issues to avoid through regular upkeep.

For more information, see Management insights.

Configuration Manager tools

The Configuration Manager server and client tools are now included on the server. Find them in the CD.Latest\SMSSETUP\Tools folder on the site server. No further installation required.

For more information, see Configuration Manager tools.

Exclude Active Directory containers from discovery

To reduce the number of discovered objects, exclude specific containers from Active Directory system discovery.

Content management

Configure a remote content library for the site server

To configure site server high availability or to free up hard drive space on your central administration or primary site servers, relocate the content library to another storage location. Move the content library to another drive on the site server, a separate server, or fault-tolerant disks in a storage area network (SAN).

For more information, see the following articles:

Cloud distribution point support for Azure Resource Manager

When creating a cloud distribution point, the wizard now provides the option to create an Azure Resource Manager deployment. Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group. When deploying a cloud distribution point with Azure Resource Manager, the site uses Azure Active Directory to authenticate and create the necessary cloud resources. This modernized deployment doesn't require the classic Azure management certificate.

The feature documentation for the cloud distribution point is also revised and enhanced. For more information, see the following articles:

Pull-distribution points support cloud distribution points as source

Many customers use pull-distribution points in remote or branch offices, which download content from a source distribution point across the WAN. If your remote offices have a better connection to the internet, or to reduce load on your WAN links, you can now use a cloud distribution point in Microsoft Azure as the source. When you add a source on the Pull Distribution Point tab of the distribution point properties, any cloud distribution point in the site is now listed as an available distribution point. The behavior of both site system roles remains the same otherwise.

For more information, see Use a pull-distribution points.

Enable distribution points to use network congestion control

Windows Low Extra Delay Background Transport (LEDBAT) is a feature of Windows Server to help manage background network transfers. For distribution points running on supported versions of Windows Server, enable an option to help adjust network traffic. Clients only use network bandwidth when it's available.

For more information, see Windows LEDBAT.

Partial download support in client peer cache to reduce WAN utilization

Client peer cache sources can now divide content into parts. These parts minimize the network transfer to reduce WAN utilization. The management point provides more detailed tracking of the content parts. It tries to eliminate more than one download of the same content per boundary group.

For more information, see Partial download support.

Boundary group options for peer downloads

Boundary groups now include additional settings to give you more control over content distribution in your environment. This release adds the following options:

  • Allow peer downloads in this boundary group: This setting is enabled by default. The management point provides clients a list of content locations that includes peer sources. This setting also affects applying Group IDs for Delivery Optimization.

  • During peer downloads, only use peers within the same subnet: This setting is dependent upon the one above. If you enable this option, the management point only includes in the content location list peer sources that are in the same subnet as the client.

Client management

Improvement to client push security

When using the client push method of installing the Configuration Manager client, the site can now require Kerberos mutual authentication. This enhancement helps to secure the communication between the server and the client.

For more information, see How to install clients with client push.

Enhanced HTTP site system

Using HTTPS communication is recommended for all Configuration Manager communication paths, but can be challenging for some customers due to the overhead of managing PKI certificates. The introduction of Azure Active Directory (Azure AD) integration reduces some but not all of the certificate requirements.

This release includes improvements to how clients communicate with site systems. On the site properties, Client Computer Communication tab, select the option for HTTPS or HTTP, and then enable the new option to Use Configuration Manager-generated certificates for HTTP site systems. This feature is a pre-release feature.

This option supports the following primary scenarios:

  • Client to HTTP management point: Azure AD-joined devices can communicate through a cloud management gateway (CMG) with a management point configured for HTTP. The site server generates a certificate for the management point allowing it to communicate via a secure channel.

  • Client to HTTP distribution point: A workgroup or Azure AD-joined client can download content over a secure channel from a distribution point configured for HTTP.

Azure AD device identity

An Azure AD-joined or hybrid Azure AD device without an Azure AD user signed in can securely communicate with its assigned site. The cloud-based device identity is now sufficient to authenticate with the CMG and management point.

CMTrace installed with client

The CMTrace log viewing tool is now automatically installed along with the Configuration Manager client. It's added to the client installation directory, which by default is %WinDir%\ccm\cmtrace.exe.

For more information, see CMTrace.

Cloud management dashboard

The new cloud management dashboard provides a centralized view for cloud management gateway (CMG) usage. When the site is onboarded with Azure AD, it also displays data about cloud users and devices. In the Configuration Manager console, go to the Monitoring workspace. Select the Cloud Management node, and view the dashboard tiles.

This feature also includes the CMG connection analyzer for real-time verification to aid troubleshooting. The in-console utility checks the current status of the service, and the communication channel through the CMG connection point to any management points that allow CMG traffic. In the Configuration Manager console, go to the Administration workspace. Expand Cloud Services, and select Cloud management gateway. Select the target CMG instance, and then click Connection analyzer in the ribbon.

Improvements to cloud management gateway

Version 1806 includes the following improvements to the cloud management gateway (CMG):

Simplified client bootstrap command line

When installing the Configuration Manager client on the internet via a CMG, the command-line now requires fewer properties. This improvement reduces the size of the command line used in Microsoft Intune when preparing for co-management.

The following command-line properties are required in all scenarios:

  • CCMHOSTNAME
  • SMSSITECODE

The following properties are required when using Azure AD for client authentication instead of PKI-based client authentication certificates:

  • AADCLIENTAPPID
  • AADRESOURCEURI

The following property is required if the client will roam back to the intranet:

  • SMSMP

The following example includes all of the above properties:
ccmsetup.exe CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC AADCLIENTAPPID=7506ee10-f7ec-415a-b415-cd3d58790d97 AADRESOURCEURI=https://contososerver SMSMP=https://mp1.contoso.com

Download content from a CMG

Previously, you had to deploy a cloud distribution point and CMG as separate roles. A CMG can now also serve content to clients. This functionality reduces the required certificates and cost of Azure VMs. To enable this feature, enable the new option to Allow CMG to function as a cloud distribution point and serve content from Azure storage on the Settings tab of the CMG properties.

Trusted root certificate isn't required with Azure AD

When you create a CMG, you're no longer required to provide a trusted root certificate on the Settings page. This certificate isn't required when using Azure Active Directory (Azure AD) for client authentication, but used to be required in the wizard. If you're using PKI client authentication certificates, then you still must add a trusted root certificate to the CMG.

Co-management

Sync MDM policy from Microsoft Intune for a co-managed device

When you switch a co-management workload, the co-managed devices automatically synchronize MDM policy from Microsoft Intune. This sync also happens when you initiate the Download Computer Policy action from Client Notifications in the Configuration Manager console.

For more information, see Switch Configuration Manager workloads to Intune.

Transition new workloads to Intune using co-management

The following workloads are now able to transition from Configuration Manager to Intune after enabling co-management:

  • Device configuration: This workload lets you use Intune to deploy MDM policies, while continuing to use Configuration Manager for deploying applications.

  • Office 365: Devices don't install Office 365 deployments from Configuration Manager.

  • Mobile apps: Any available apps deployed from Intune are available in the Company Portal. Apps that you deploy from Configuration Manager are available in Software Center. This feature is a pre-release feature.

To transition these workloads, go to the co-management properties page and move the workload slider bar from Configuration Manager to Pilot or All.

For more information, see Co-management for Windows 10 devices.

Support for multiple hierarchies to one Intune tenant

Some customers have several Configuration Manager hierarchies and want to consolidate in the future to a single tenant for Azure Active Directory and Microsoft Intune. Co-management now supports connecting more than one Configuration Manager environment to the same Intune tenant.

For more information, see Prepare Windows 10 devices for co-management.

Compliance settings

Configure Windows Defender SmartScreen settings for Microsoft Edge

The Microsoft Edge browser compliance settings policy adds the following three settings for Windows Defender SmartScreen:

  • Allow SmartScreen
  • Users can override SmartScreen prompt for sites
  • Users can override SmartScreen prompt for files

For more information, see Configure Microsoft Edge settings.

SCAP extensions

Convert Security Content Automation Protocol (SCAP) content to compliance settings baselines and generate SCAP reports using a console extension. This feature also includes a new dashboard to visualize the client compliance as well as XCCDF rule compliance.

For more information, see About the SCAP extensions.

Application management

Phased deployment of applications

Create a phased deployment for an application. Phased deployments allow you to orchestrate a coordinated, sequenced rollout of software based on customizable criteria and groups. For example, deploy the application to a pilot collection, and then automatically continue the rollout based on success criteria.

For more information, see the following articles:

Provision Windows app packages for all users on a device

Provision an application with a Windows app package for all users on the device. One common example of this scenario is provisioning an app from the Microsoft Store for Business and Education, like Minecraft: Education Edition, to all devices used by students in a school. Previously, Configuration Manager only supported installing these applications per user. After signing in to a new device, a student would have to wait to access an app. Now when the app is provisioned to the device for all users, they can be productive more quickly.

For more information, see Create Windows applications.

Office Customization Tool integration with the Office 365 Installer

The Office Customization Tool is now integrated with the Office 365 Installer in the Configuration Manager console. When creating a deployment for Office 365, dynamically configure the latest Office manageability settings. Microsoft updates the Office Customization Tool when they release new builds of Office 365. This integration allows you to take advantage of new manageability settings in Office 365 as soon as they're available.

For more information, see Deploy Office 365 apps.

Support for new Windows app package formats

Configuration Manager now supports the deployment of new Windows 10 app package (.msix) and app bundle (.msixbundle) formats.

For more information, see Create Windows applications.

Uninstall application on approval revocation

The behavior has changed when you revoke approval for an application. Now when you deny the request for the application, the client uninstalls the application from the user's device. This behavior requires that you enable the optional feature Approve application requests for users per device.

For more information, see Deploy applications.

Package Conversion Manager

Package Conversion Manager is now an integrated tool that allows you to convert legacy Configuration Manager 2007 packages into Configuration Manager current branch applications. Then you can use features of applications such as dependencies, requirement rules, and user device affinity.

Start with the following actions from the Packages node in the Configuration Manager console:

  • Analyze Package: Start the conversion process by analyzing the package.

  • Convert Package: Some packages can easily be converted into applications with this action.

  • Fix and Convert: Some packages require issues to be fixed before converting into applications.

Then go to the Package Conversion Status dashboard in the Monitoring workspace. This new dashboard shows the overall analysis and conversion state of packages in the site. This feature is a pre-release feature.

OS deployment

Improvements to phased deployments

This release includes the following improvements to phased deployments:

Create a phased deployment with manually configured phases

For a task sequence, now manually configure the phases when you create a phased deployment. Add up to 10 additional phases from the Phases tab of the Create Phased Deployment wizard. You can still automatically create a default two-phase deployment.

For more information, see Create a phased deployment with manually configured phases.

Phased deployment status

Phased deployments now have a native monitoring experience. From the Deployments node in the Monitoring workspace, select a phased deployment, and then click Phased Deployment Status in the ribbon.

For more information, see Manage and monitor phased deployments.

Gradual rollout during phased deployments

During a phased deployment, the rollout in each phase can now happen gradually. This behavior helps mitigate the risk of deployment issues, and decreases the load on the network caused by the distribution of content to clients. The site can gradually make the software available depending on the configuration for each phase. Every client in a phase has a deadline relative to the time the software is made available. The time window between the available time and deadline is the same for all clients in a phase.

For more information, see Phase settings.

Improvements to Windows 10 in-place upgrade task sequence

The default task sequence template for Windows 10 in-place upgrade now includes another new group with recommended actions to add in case the upgrade process fails. These actions make it easier to troubleshoot. One such tool is Windows SetupDiag. It's a standalone diagnostic tool to obtain details about why a Windows 10 upgrade was unsuccessful.

For more information, see Create a task sequence to upgrade an OS.

Improvements to PXE-enabled distribution points

On the PXE tab of the distribution point properties, check Enable a PXE responder without Windows Deployment Service. This new option enables a PXE responder on the distribution point, which doesn't require Windows Deployment Services (WDS). Because WDS isn't required, the PXE-enabled distribution point can be a client or server OS, including Windows Server Core. This new PXE responder service supports IPv6, and also enhances the flexibility of PXE-enabled distribution points in remote offices.

For more information, see enable PXE on the distribution point.

Network access account not required for some scenarios

The Enhanced HTTP site system feature also removes some dependencies on the network access account. When you enable the new site option to Use Configuration Manager-generated certificates for HTTP site systems, the following scenarios don't require a network access account to download content from a distribution point:

  • Task sequences running from boot media or PXE
  • Task sequences running from Software Center

These task sequences can be for OS deployment or custom. It's also supported for workgroup computers.

Other improvements to OS deployment

Mask sensitive data stored in task sequence variables

In the Set Task Sequence Variable step, select the new option to Do not display this value. For example, when specifying a password.

Mask program name during Run Command Step of a task sequence

To prevent potentially sensitive data from being displayed or logged, set the task sequence variable OSDDoNotLogCommand to TRUE. This variable masks the program name in the smsts.log during a Run Command Line task sequence step.

Task sequence variable for DISM parameters when installing drivers

To specify additional command-line parameters for DISM, use the new task sequence variable OSDInstallDriversAdditionalOptions. Enable the Apply Driver Package step setting to Install driver package via running DISM with recurse option.

Option to use full disk encryption

Both the Enable BitLocker and Pre-provision BitLocker steps now include an option to Use full disk encryption. By default, these steps encrypt used space on the drive. This default behavior is recommended, as it's faster and more efficient. If your organization requires encrypting the entire drive during setup, then enable this option. Windows Setup waits for the entire drive to encrypt, which takes a long time, especially on large drives.

Software Center

Software Center infrastructure improvements

Application catalog roles are no longer required to display user-available applications in Software Center. This change helps you reduce the server infrastructure required to deliver applications to users. Software Center now relies upon the management point to obtain this information, which helps larger environments scale better by assigning them to boundary groups.

Note

The application catalog website point and web service point roles are no longer required in 1806, but still supported roles.

The Silverlight user experience for the application catalog website point is no longer supported. For more information, see Removed and deprecated features.

Use client settings to control whether the link to Open the Application Catalog web site appears in the Installation status node of Software Center.

For more information, see Software Center client settings.

Note

The Silverlight user experience for the application catalog website point is no longer supported. For more information, see Removed and deprecated features.

Custom tab for webpage in Software Center

Use client settings to create a customized tab to open a webpage in Software Center. This feature allows you to show content to your end users in a consistent, reliable way. The following list includes a few examples:

  • Contact IT: information on how to contact your organization's IT department

  • IT Support Center: IT self-service actions such as searching a knowledge base or opening a support ticket.

  • End-user documentation: articles for users in your organization on various IT topics such as using applications or upgrading to Windows 10.

For more information, see Software Center client settings and the Software Center user guide.

Maintenance windows in Software Center

Software Center now displays the next scheduled maintenance window. On the Installation Status tab, switch the view from All to Upcoming. It displays the time range and the list of deployments that are scheduled. If there are no future maintenance windows, the list is blank.

For more information, see How to use maintenance windows and the Software Center user guide.

Software updates

Third-party software updates

Third-party software updates allow you to subscribe to partner catalogs in the Configuration Manager console and publish the updates to WSUS. You can then deploy these updates using the existing software update management process.

For more information, see Enable third-party updates.

Deploy software updates without content

Deploy software updates to devices without first downloading and distributing content to distribution points. This feature is beneficial when dealing with extremely large update content, or when you always want clients to get content from the Microsoft Update cloud service. Clients in this scenario can also download content from peers that already have the necessary content. The Configuration Manager client continues to manage the content download, thus can utilize the Configuration Manager peer cache feature, or other technologies such as Delivery Optimization. This feature supports any update type supported by Configuration Manager software updates management, including Windows and Office updates.

For more information, see the No deployment package option when you Manually deploy software updates or Automatically deploy software updates.

Filter automatic deployment rules by software update architecture

You can now filter automatic deployment rules (ADR) to exclude architectures like Itanium and ARM64. On the Software Updates page of the Create Automatic Deployment Rule Wizard, the Architecture property filter is now available.

For more information, see Automatically deploy software updates.

Improved WSUS maintenance

The WSUS cleanup wizard now declines updates that are expired according to the supersedence rules defined on the software update point component properties.

For more information, see Software updates maintenance.

Reporting

New software updates compliance report

Viewing reports for software updates compliance traditionally includes data from clients that haven't recently contacted the site. A new report, Compliance 9 - Overall health and compliance, lets you filter compliance results for a specific software update group by "healthy" clients. This report shows the more realistic compliance state of the active clients in your environment.

For more information, see Software updates reports.

Inventory

Improvement to hardware inventory for large integer values

Hardware inventory previously had a limit for integers larger than 4,294,967,296 (2^32). This limit could be reached for attributes such as hard drive sizes in bytes. The management point didn't process integer values above this limit, thus no value was stored in the database. Now in this release the limit is increased to 18,446,744,073,709,551,616 (2^64).

For more information, see Use of large integer values.

Hardware inventory default unit revision

In Configuration Manager version 1710, the default unit used in many reporting views changed from megabytes (MB) to gigabytes (GB). Due to improvements to hardware inventory for large integer values, and based on customer feedback, this default unit is now MB again.

Configuration Manager console

Product lifecycle dashboard

The product lifecycle dashboard shows the state of the Microsoft Lifecycle Policy for Microsoft products installed on devices managed with Configuration Manager. It also provides you with information about Microsoft products in your environment, supportability state, and support end dates. Use the dashboard to understand the availability of support for each product. This information helps you plan for when to update the Microsoft products you use before their current end of support is reached.

For more information, see Product lifecycle dashboard.

Copy asset details from monitoring views

The following areas of the Monitoring workspace now support copying text:

  • In the Deployments node, select a deployment, and click View Status. In the Asset Details pane of the Deployment Status view, select one or more devices.

  • Expand the Distribution Status node, and select Content Status. Select a piece of software, and click View Status. In the Asset Details pane of the Content Status view, select one or more distribution points.

Right-click the asset, and select Copy. This action copies the selected assets as a comma-delimited list that includes the full details. The keyboard shortcut CTRL + C also works in these views.

For more information, see Console improvements in version 1806.

Improvements to the Surface dashboard

This release includes the following improvements to the Surface dashboard:

  • The Surface dashboard now displays a list of relevant devices when you select specific graph sections:

    • Clicking on the Percent of Surface Devices tile opens a list of Surface devices.

    • Clicking on a bar in the Top Five Firmware Versions tile opens a list of Surface devices with that specific firmware version.

  • When viewing these device lists from the Surface dashboard, right-click a device to perform common actions.

For more information, see Surface dashboard.

View the currently signed on user for a device

Now by default the Devices node of the Assets and Compliance workspace displays a column for the Currently logged on user. It also displays for any collection-specific device list. This value is as current as the client status. When the user signs off, the client clears this value. If no user is signed on, the value is blank.

For more information, see Console improvements in version 1806.

Submit feedback from the Configuration Manager console

Send a smile! You can now directly tell the Configuration Manager team about your experiences. Sending feedback is easy from the Configuration Manager console. We want to hear all of your feedback: praise, problems, and suggestions. In the Configuration Manager console, click the smile button in the upper right corner above the ribbon. This feedback goes directly to the Microsoft product team for Configuration Manager. While using the Windows 10 Feedback Hub is still supported, you're encouraged to use the in-console feedback mechanism.

For more information, see Console improvements in version 1806 and Product feedback.

Next steps

When you're ready to install this version, see Installing updates for Configuration Manager.

Tip

To install a new site, use a baseline version of Configuration Manager.

Learn more about:

For known, significant issues, see the Release notes.