I am proud and honored to be renewed as Enterprise Mobility MVP 2017-2018! I was originally to be renewed in October but now that the MVP program is moving to a annual renewal cycle I was renewed in July as well!
Thanks Microsoft and everyone in the community making this possible!
Techdays in Sweden is the biggest event of its kind in Sweden and I always enjoy it. Meeting old colleagues, customers, Microsoft employees, MVP’s and fellow community peers, it is always so much fun! This year I have the great honor to be hosting a pre-conf together with Peter Löfgren at TrueSec “Windows 10 – Client management now and in the future“, we will gather our combined experience around Windows 10 Configuration Manager, UE-V and so on and also try to look in a Crystal ball and look at the future and where we are going with Client Management. Really looking forward to it!!
I will also deliver two sessions:
What’s new on Configuration Manager 17xx and Beyond, Configuration Manager is the leading product when it comes to and on-prem application delivering continuous innovation with 15 releases every year!! 3 Current Branch releases and 12 Technical Preview releases! I will cover the latest features in both Current branch and technical previews!
Windows 10+EMS = Helt fantastiskt!, together with my fellow colleague and MVP Anders Olsson. We will focus on the latest and greatest of features in a Combination of Windows 10 and EMS.
The session are held in Swedish and I hope to see many old and meet new friends at the event! http://tdswe.se/
At MMS 2017 in Minneapolis me and Ryan Ephgrave @EphingPosh had the great honor of doing a session on some of the great Community tools out there for Configuration Manager. We did it last year as well with the help of Kent Agerlund and it is always great fun, just preparing it, researching looking for new tools, what has changed, what is updated is great!
We did some polls as well on Twitter this year on which tools people used for different purposes, the result of these polls is in this post as well together with the links to the tools we talked about and demoed.
Infrastructure
Configuration Items
Applications
Software Updates Reports
Software Update PowerBI
Software Updates
OS Deployment
Frontends
Right – click tools
Troubleshooting tools
In Windows 10 1703 – Creators Update there is a new Group Policy setting that actually allows us to control what is visible in “Settings” for our users. This is useful for computers with a specific purpose for instance or other business requirements. The policy is called “Settings Page Visibility” it can be used to either Hide a specific settings or Show only a specific setting or settings.
Example to hide the Bluetooth settings page we use the GPO with the settings hide:bluetooth as shown below.
On the machine the Bluetooth settings is actually gone:
We can also use the Group Policy setting with the “ShowOnly” option as shown below.
On the computer the Settings page will now only show, Colors, Start and Themes
The syntax for the settings you want to hide/show is not that easy to find, this is where I found them, https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app
Updated after comment on post, the Gaming can be hidden the following needs to be added to hide the group.
hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting;gaming-gamemode
Tip on how to test them, you can just launch run and type: MS-Settings:Colors for instance and it will launch the Colors settings node. We can also use this to create shortcuts to different settings.
And Colors is launched.
That is basically it, great for some scenarios!
In previous versions of Windows 10, before 1703 built-in apps that couldn’t be uninstalled could still be blocked with Applocker so that they never got installed and it has worked great! With Windows 10 1703 there are two apps that I have identified as not being able to uninstall, it is not a Windows Capability which we can block that way. The result I am seeing when blocking for instance and Connect and Mixed reality portal using Applocker is this.
Me and Johan Schewelius wrote a small .cmd file that simply deletes the app after the image has been applied on the disk during OS deployment and then the app is simply never installed.
This is highly unsupported so use it at your own risk!
And from the Task Sequence we call it after the Operating System has been applied.
Then the app cannot be installed during setup.
Again this is unsupported use at your own risk!!
I posted a Configuration Manager Configuration Item and Baseline a while back that checks to see if Applocker is configured and running. Another important thing to check on Windows 10 is that Credential Guard is configured and running. Credential Guard is an extremely important security feature in Windows 10 and should be used and of course we need to make sure that is active and running.
Here is a Configuration Item and Baseline that will do those checks. We use a Powershell script to check that Credential Guard is configured and running.
$DevGuard = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
return $DevGuard.SecurityServicesConfigured -contains 1 -and $DevGuard.SecurityServicesRunning -contains 1
Same as the Applocker post I wrote we need to configure the Powershell policy in Client settings or sign the script.
If we compare it to the Applocker CI we created credential Guard doesn’t exist on Operating Systems earlier than Windows 10 so we need to configure that as well, otherwise the steps are the same. Here they are:
We create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)
Select the supported platforms:
Select New in the Settings step
Create a new Configuration Item with following settings:
-Settings Type: Script
-Data type: Boolean
And then click “Add script”
Then we edit the discovery script and paste the script as shown below.
Then we create a compliance rule.
Then we create a compliance rule with the following settings.
Then we can add it to a baseline and deploy it to our clients. And again for all of you that took the time to read the whole post you can download an exported .Cab file which contains both a CI and the baseline used from here:Credential Guard status
Configuration Manager 1704 Technical Preview was released yesterday, some really awesome stuff in there this time for all OSD fans for sure!
If you aren’t running Technical Preview in a test environment you really should! It is a great way of getting to know the new features and a great way of providing feedback to make the features even more valuable for your organisation. Technical Preview 1703 is the current baseline you can grab it here: https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview then you can upgrade that to 1704 TP.
You can make it easy for you and use Johan Arwidmarks excellent hydration kit to get a test environment up and running. http://deploymentresearch.com/Research/Post/580/Hydration-Kit-For-Windows-Server-2016-and-ConfigMgr-Current-Technical-Preview-Branch
Now let’s look at what is new in 1704 Technical Preview.
Nested Task Sequences
This is something that many of has dreamed about for years and wished for and now it is finally here, we can call a Task Sequence from a Task Sequence. We have a new Task Sequence Step called “Run Task Sequence” which will give use great possibilities to make our Task Sequences smarter. There are some limitations in this Technical Preview release that you should be aware of so check the documentation so you now what is possible or not.
Android for Work app configuration
Android for work will be the way to manage Android devices in the future and now we got the ability to configure Android for Work apps in the same way we can do with iOS apps today. This is great news making the Android platform a real challenger for companies.
Secure Boot Inventory
We got the possibility to inventory if UEFI is enabled or not before and now we can inventory if Secure Boot is enabled or not as well. It is inventoried per default.
Reload the Boot images with the latest WinPE version
We need to update the ADK and WinPE version used twice a year as it looks now with the current release cadence of Windows 10 and supportability with Configuration Manager. We got a new way to do this which makes it much easier we can simply select to update the WinPe version when we distribute the boot images to our DP’s.
Powershell support to create advanced detection methods
A long awaited addition, we can now create advanced detection methods for applications using Powershell.
Eliminate Duplicate Records when converting BIOS-UEFI
This is an issue that has been raised and seen when convertin BIOS-UEFI we get a dupliate record as the under-laying hardware ID could change, these duplicate records are now elimated in the TP 17+04 release. We actully could use that as a hotfix to the 1702 release as well…
High DPI support in the admin console
Now that we have cool devices with high resolution this has been an issue that the SCCM Admin Console didn’t support High-DPI very well. now that is solved as well. Long awaited!! 
OS version Column in the System Images node
We can now see what OS version an OS Image is based on in one of the Columns in the System Images Node, makes life a little easier.
More efficient logging in SMSTS.log
Improvements have been made to the SMSTS.log file and logging which will make it easier to read the logs. Will test that and see how much difference it makes when time allows.
Installing the 1704 TP update
Another thing to note as well is the new behavior that updates aren’t automatically downloaded any more bin the Updates and Servicing node, we need to decide which updates to download. The reason behind this is that you don’t have to download updates/hotfixes that you perhaps skip and don’t install.
For a full list of features check out the documentation here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1704
In Configuration Manager 1702 there is a new feature /site system role(pre-release) called Data Warehouse. This is a great addition as I cannot count the time I have setup and configured another database and then on a schedule moved data to that Database instead to be used both for historical data and by other systems that shouldn’t query our precious Configuration Manager database during production hours.
Many times, performance issues in Configuration Manager has been caused by developers querying the Configuration Manager database with really bad queries causing the overall performance being degraded.
In Configuration Manager 1702 the Data Warehouse feature holds all the answers to those issues. With the Data Warehouse Service Point role we can transfer SQL data to a another SQL database. That server doesn’t need to have the same high-spec as the Configuration Manager Database.
When we configure the Data Warehouse Service Point role we set a Schedule on when the data should be transferred to the Data Ware house and how often. Adding the Data Warehouse service connection point. At is it still a pre-release feature you need to opt-in to using pre-release features, that is done in the Hierarchy Settings.
To add the Data Warehouse service point we do add the Data Warehouse Service Point role to the server that should host the role.
We add the SQL Database Server Name, database name and Port to be used.
We can then configure how often it should synchronize the data.
We also get a couple of new reports that will show historical data from the Data Ware house database which are cool and useful as well if we have compliance rules applied to our business. No more exporting data at the end of each year to .CSV files for historical compliance reporting and Endpoint protection and software update compliance.
When configuring the Data Ware house don’t forget to grant the Reporting Service User account used in Configuration Manager “Data Reader” role permissions to the Data Warehouse Database, otherwise this message will show up when running the reports.
We grant the SQl Reporting Service user account the data reader role.
After granting the Reporting Services user account permissions to the database the reports now run as they should.
The Data Warehouse role is a great feature so you should try it out!
