Microsoft Endpoint Configuration Manager Update 1910 Released
Microsoft announced last week that it is starting to deliver Update 1910 for Microsoft Endpoint Configuration Manager users.
Endpoint Configuration Manager is the client and server deployment and management solution formerly known as "System Center Configuration Manager" (SCCM). Last month, Microsoft had announced a new product brand called "Microsoft Endpoint Manager" that combines SCCM, Microsoft Intune, Desktop Analytics, Device Management Admin Center and the co-management feature.
Microsoft Endpoint Manager also includes the Windows Autopilot service, according to this Microsoft document on Update 1910. That detail wasn't previously noted in Microsoft's November announcements. Windows Autopilot is a Microsoft program and collection of technologies that enables new PCs to get provisioned by end users.
Update 1910 will be arriving worldwide in the "coming weeks." It'll appear in the Endpoint Configuration Manager console when it's ready to install. Microsoft's document described needing to opt into the early update ring to get it, though.
Desktop Analytics Added
Update 1910 seems to be unlocking elements of the combined Microsoft Endpoint Manager product. For instance, it adds the Desktop Analytics service, which is now built into Endpoint Configuration Manager. Desktop Analytics, which reached "general availability" commercial release status in October, replaces Windows Analytics, which will hit its end of life on Jan. 31, 2020.
Windows Virtual Desktop Support
On the client management side, Update 1910 lets Windows Virtual Desktop service users set user policies for Windows 10 Enterprise Multisession, the new operating system that supports multiple users on a single virtual machine. Windows Virtual Desktop is Microsoft's virtual desktop infrastructure service, used for accessing applications remotely, that went live back in September.
Dashboard for Office 365 ProPlus Pilots
Microsoft added a dashboard view with Update 1910 that shows "health insights" associated with Office 365 ProPlus deployments. It's designed to spot issues beforehand and to help with deployment planning.
OS Upgrades Using a Cloud Management Gateway
With Update 1910, Microsoft added task-sequence support for delivering Windows 10 in-place upgrades to Internet-connected devices using a cloud management gateway or cloud distribution point. What's new specifically is that these upgrades can happen by downloading packages "on demand."
This approach is an alternative to the preboot execution environment (PXE) approach to upgrading the operating systems of Windows devices. Organizations might use a cloud management gateway for Windows 10 upgrades to support "roaming devices," "remote/branch office devices" not supported by a wide area network or virtual private network, or in cases of mergers and acquisitions, according to this Microsoft document.
It's possible to deploy BitLocker drive encryption to Windows devices with Update 1910. IT pros can also manage BitLocker policies, get compliance reports and set up a "user self-service portal."
Client Baselines and Compliance
It's also possible with Update 1910 to evaluate custom configuration baselines for client devices, which might be done for compliance purposes. IT pros can edit the compliance rules and add a new condition called "Include configured baselines in compliance policy assessment." The steps to make that happen are described here.
Microsoft Edge Support
On the application management side, Update 1910 adds the ability to deploy the Chromium-based Microsoft Edge browser, "version 77 and later." IT pros can currently opt to get a Beta or Dev channel release of the browser. Microsoft is planning a "general availability" commercial release of the new Microsoft Edge browser on Jan. 15.
Windows Updates and Delivery Optimization
On the software updates side, Microsoft is promising that Update 1910 will let IT pros use "Delivery Optimization for all Windows Updates." Microsoft is renaming the cache used for these software updates, which also can be used by Microsoft Intune to update Win32 apps. The name of the cache with Update 1910 is the "Microsoft Connected Cache." Here's an explanatory note in Microsoft's document in that regard:
Configuration Manager current branch version 1906 included Delivery Optimization In-Network Cache (DOINC), an application installed on Windows Server that's still in development. Starting in current branch version 1910, this feature is now called Microsoft Connected Cache.
When you install Connected Cache on a Configuration Manager distribution point, it offloads Delivery Optimization service traffic to local sources. Connected Cache does this behavior by efficiently caching content at the byte range level.
Update 12/5: Microsoft Connected Cache was introduced as a private preview back in November during the Ignite event. It'll require having an E3/A3 subscription to use when commercially released. A few more details can be found in this Nov. 5 Microsoft blog post.
Last year, Microsoft had explained that it was working on new quality updates that would replace the Full Updates, Express Updates and Delta Updates types. These new quality updates were expected to reduce organizational bandwidth demands when getting Windows updates. It's not clear if this scheme got implemented by Microsoft, though possibly the new Microsoft Connected Cache is part of the plan.
In February, Microsoft had warned that organizations deploying "security only" Windows updates could inadvertently miss getting certain security patches. Microsoft advised accepting patches labeled simply as "Update" as a solution.
Microsoft also promised that Update 1910 is bringing "more granular controls over synchronization of third-party updates catalogs." IT pros can synchronize the delivery of "specific categories of updates" instead of the whole catalog, for instance.
One of the highlights of the Update 1910 release is the ability for IT pros to use the CMPivot query feature of SCCM independently of the SCCM console. This standalone version runs via a CMPivot.msi file installed on PCs. It's for users who don't have access to the SCCM console, opening up CMPivot for use by "security administrators, helpdesk technicians and managers," per the announcement. CMPivot also now includes a "query shortcuts" feature that permits the copying and sharing of queries with collaborators. These shared queries will automatically launch when clicked.
CMPivot, which was first added to the console with SCCM Update 1806, lets IT pros troubleshoot the status of devices using queries. It can be used to check if device firmware is subject to various speculative execution side-channel attacks, for instance, according to this document. In addition, the status of devices in that respect can be checked with Windows Analytics and PowerShell tools.
Transferring Roles to Azure Virtual Machines
The server roles that are used in an organization's datacenter can be extended to virtual machines in Microsoft Azure datacenters via a "new tool" available with Update 1910. The tool can transfer "default settings site roles like a passive site server, management points and distribution points" from on-premises machines to Azure virtual machines, Microsoft explained.
Lots more Update 1910 details were described in Microsoft's document and announcement.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.