Handle More Tasks with Configuration Manager
Microsoft System Center Configuration Manager (SCCM) is now easier to use and offers improved mobile device management and support for Office 365
Microsoft typically puts the emphasis on Intune as its PC and mobile device management service these days, but it hasn't abandoned System Center Configuration Manager (SCCM). There's a large base of enterprise customers that rely on SCCM for client management. Microsoft continues to improve SCCM and has made it much easier for administrators to use the premises-based tool, especially with SCCM's spring release.
Microsoft released SCCM 2016 version 1702 shortly before April's rollout of Windows 10 Creators Edition. Among the new features, SCCM was designed to support the latest Windows update and offers improved mobile device management (MDM) for Office 365. And the good news is, moving forward, Microsoft said it will release upgrades of Windows, Office 365 ProPlus and SCCM at the same time -- every March and September.
The list of improvements IT pros will find in SCCM 2016 version 1702 is exhaustive, but there are some key upgrades worth emphasizing.
Content Library Cleanup Tool
SCCM 2016 version 1702 also has a new tool to help clean up orphaned content from a distribution point. The new Content Library Cleanup Tool, which replaces older versions of similar tools offered with SCCM, is a command-line tool that must be run from an administrative Command Prompt. Designed to remove content no longer associated with any package or application from a distribution point, the default location for the tool is C:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\TOOLS\ContentLibraryCleanup.
The tool is run by entering the ContentLibraryCleanup.exe command at the command prompt and then specifying any additional parameters to use. The only required parameter is /dp. This parameter must be followed by the fully qualified domain name of the distribution point you want to clean up.
The Content Library Cleanup Tool is designed to run in What-If mode unless you specify the /Delete switch. Running the tool in What-If mode causes the tool to provide information about the content that would be deleted had you run the tool using the /Delete switch. This information is written to a log file you can review at your leisure.
The Content Library Cleanup Tool is a little bit quirky when it comes to the permissions required to clean up a distribution point. As you would expect, you'll need administrative permissions to perform a cleanup. However, those permissions must be directly assigned, not inherited from a security group. The documentation warns: "The user account that runs the tool must have direct role-based administration permissions that are equal to a Full Administrator on the Configuration Manager hierarchy. The tool does not work when the account receives these permissions as a member of a Windows security group that has the Full Administrator permissions."
Microsoft has made the Content Library Cleanup Tool relatively easy to use. The tool can run locally on the server that houses the distribution point, or it can be run remotely. The documentation includes the tool's full syntax (see Figure 1).
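The What-If-first workflow described above can be wrapped so that deletion is never the default. The following PowerShell function is an added example, not code from this article or from Microsoft; the function name and the host name in the usage comments are hypothetical, it passes only the /dp and /delete switches named in the text, and it assumes the tool returns a non-zero exit code on failure.

```powershell
# Added example, not from the article or Microsoft. Uses only the /dp and
# /delete switches the article names; the function name is hypothetical.
function Invoke-ContentLibraryCleanup {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$DistributionPointFqdn,

        # Default install location quoted in the article.
        [string]$ToolDirectory = 'C:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\TOOLS\ContentLibraryCleanup',

        # Without this switch the tool stays in What-If mode and only writes its log.
        [switch]$Delete
    )

    # The tool must be started from an elevated (administrative) prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # /dp expects a fully qualified name, so reject a bare host name early.
    if ($DistributionPointFqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        throw "'$DistributionPointFqdn' is not a fully qualified domain name."
    }

    $exe = Join-Path $ToolDirectory 'ContentLibraryCleanup.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        throw "ContentLibraryCleanup.exe not found in $ToolDirectory"
    }

    $toolArgs = @('/dp', $DistributionPointFqdn)
    if ($Delete) {
        # ShouldProcess prompts before deletion and honours -WhatIf / -Confirm.
        if (-not $PSCmdlet.ShouldProcess($DistributionPointFqdn, 'Delete orphaned content')) {
            return
        }
        $toolArgs += '/delete'
    }
    & $exe @toolArgs
    # Assumption: a non-zero exit code signals failure.
    if ($LASTEXITCODE -ne 0) {
        throw "ContentLibraryCleanup.exe exited with code $LASTEXITCODE"
    }
}
# Constructed host name: report first, review the log, then delete.
# Invoke-ContentLibraryCleanup -DistributionPointFqdn 'dp01.corp.example.com'
# Invoke-ContentLibraryCleanup -DistributionPointFqdn 'dp01.corp.example.com' -Delete
```

The account running it still needs Full Administrator rights assigned directly rather than through a security group, which this wrapper does not check.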
Yet another very welcome improvement to SCCM in version 1702 is enhanced support for iOS devices. All the iOS device settings that are available through Intune are now exposed through SCCM, as well.
If you want to get a feel for the iOS settings that SCCM supports, you can do so by creating a configuration item. Begin the process by going to the Assets and Compliance workspace, and then expand the Compliance Settings container and click on Configuration Items. Next, click the Create Configuration button on the toolbar. This will cause Windows to launch the Create Configuration Item Wizard.
After the wizard starts running, enter a name and an optional description for the configuration item you're creating. You must also specify the settings for devices managed without the Configuration Manager client. Be sure to choose the iOS and Mac OS X option, and then click Next.
Select the platforms you wish to support using the configuration item, and then select the desired device setting groups from the following screen. Device setting groups are essentially categories of configuration settings. For example, selecting the Password device setting group will expose the password-related settings (see Figure 2).
According to Microsoft, the improved iOS support is just one example of mobile device capabilities added to this new release. Among others, it's no longer necessary to target specific versions of iOS and Android when building new policies and profiles for devices managed by Intune. The choices are narrowed down to Android, Samsung KNOX Standard 4.0 and higher, iPhone, and iPad. This applies to configuration, compliance policy, certificate profiles, e-mail profiles, VPN profiles and Wi-Fi profiles in the wizards.
Deploy Office 365 Apps
SCCM 2016 version 1702 lets you deploy Office 365 apps to clients from the Office 365 Client Management dashboard. To do so, go to the Software library workspace, and then click on the Overview container, followed by Office 365 Client Management. Next, click on the Office 365 Installer button. This button is located on the dashboard's upper-right pane. At this point, Windows will launch the Office 365 Client Installation Wizard (see Figure 3). The wizard is relatively straightforward. It guides you through the process of providing a location for the downloaded files, and specifying the various settings that you want to use with the Office 365 apps.
Peer Cache Upgraded
When Microsoft rolled out version 1610 last year, the company had introduced a new feature called Peer Cache, designed to make it easier for SCCM to deploy content to clients residing in remote locations. If, for example, a branch office contains a large number of clients, you probably don't want those clients tying up the available WAN connectivity with simultaneous SCCM content deployments.
Peer Cache addresses this problem by allowing clients in the remote office to cache content that would otherwise be made available directly from SCCM. That way, other clients in the office can pull content from a client cache, rather than having to download the content from across the WAN link.
With the release of version 1702, Microsoft has made some improvements to Peer Cache. Now, clients in a remote office will no longer be able to indiscriminately download contents from a Peer Cache source (a client computer that's hosting content from its local cache). Instead, a Peer Cache source will automatically deny requests for content if fulfilling those requests is likely to cause problems. For example, a Peer Cache source will deny content requests if the source is low on battery power, is experiencing a high CPU load (greater than 80 percent), is experiencing heavy storage I/O (the AvgDiskQueueLength is greater than 10), or if there are no available connections to the computer.
In addition to the new features, the new version of SCCM is easier to deploy. IT pros don't have to jump through hoops anymore to install it. However, it's worth noting Microsoft has deprecated some features. SCCM 2016 version 1702 doesn't support SQL Server 2008 R2, Windows Server 2008 R2 (or earlier) or Windows XP Embedded. If your organization's servers or devices still run any of that software, you should avoid upgrading to version 1702.
In preparation for this evaluation, I deployed a clean installation of SCCM version 1606. Once the install was complete, I opened the management console, and then clicked on the Administration workspace. From there, I navigated through the console tree to Administration | Overview | Cloud Services | Updates and Servicing. The download began automatically (see Figure 4).
If, for some reason, SCCM doesn't automatically start downloading version 1702, you can manually initiate the download process by clicking on the Check for Updates button, located on the toolbar. Incidentally, you'll need to periodically refresh the console to determine whether SCCM has finished downloading the update.
Once SCCM lists Configuration Manager 1702 as Available, you can right-click on the update and choose the option to run a prerequisite check. It takes a while to run the prerequisite check, and you'll have to occasionally refresh the console to determine when the prerequisite check has completed.
When the prerequisite check is complete, right-click on the update once again, but this time choose the Install Update Pack option. This will cause Windows to launch the Configuration Manager Updates Wizard. This simple wizard asks you to choose the components you wish to update, and to accept the license terms.
It's important to know that the wizard's Completion screen can be extremely misleading. When you finish working through the wizard, the Completion screen will display a message that states: "Success: Install Update Package Configuration Manager 1702." However, this message doesn't indicate the update has been successfully deployed. It only means you've successfully completed the wizard. The actual update process may take a few extra minutes.
It has been widely reported that if you reboot the SCCM server or restart any of the SCCM-related services before the update has a chance to complete, you may damage SCCM to the point where it becomes impossible to install this or any future updates. The console will indefinitely display a message indicating that the prerequisite check has passed, but the Install Update Pack option will be grayed out.
During this evaluation, I inadvertently rebooted my SCCM server during the upgrade process. I had intended to reboot a different virtual machine (VM), and accidentally clicked on the wrong VM. Fortunately, I didn't get locked out of the upgrade process. Even so, given the number of reports about the lockout issue, it's advisable to avoid rebooting the server until the upgrade is complete.
The easiest way to determine the state of the upgrade is to click on the Monitoring workspace, and then click on the Updates and Servicing Status container. From there, you'll be able to monitor the update process (see Figure 5). Incidentally, when the update completes, you'll need to close and reopen the SCCM console. Upon doing so, you'll be prompted to use a new version of the console. This new version contains the improvements that Microsoft has introduced in version 1702.
Managing Future Updates
In previous releases, the ability to update SCCM was buried deep within the console. Microsoft has made this easier to find because the container now appears directly beneath Administration, rather than beneath the Cloud Services container.
Microsoft has made the update process more efficient in another way. At the time I created Figure 5, SCCM was downloading multiple updates. Each of the three updates was for a different version of SCCM. Even though my goal was to install version 1702, SCCM also downloaded updates for versions 1606 and 1610.
Starting with version 1702, SCCM only downloads the latest update. There's still a way of getting older updates if you need them, but by default SCCM no longer wastes your time by downloading updates you do not need. The Updates and Servicing container has a new location (see Figure 6), where unnecessary updates are hidden from view.
SCCM 2016 version 1702 contains many additional new features and improvements outlined in Microsoft's documentation. Among them are added search from the console and the ability to share feedback.
Also, IT pros can now use SCCM for application management, including the ability to deploy licensed apps from the Windows Store for Business to Windows 10 PCs from the SCCM interface. SCCM 2016 version 1702 offers support for new device compliance policies to block access to enterprise resources that support conditional access when employees are using non-compliant apps.