SCCM 1805 ConfigMgr Generated Certificate for HTTP Communication

SCCM 1805 TP

I have upgraded my SCCM technical preview lab to 1805. SCCM 1804 is the baseline version of the SCCM technical preview. If you still don't have an SCCM TP lab, you can download SCCM 1804 from the evaluation portal and start playing around with the new SCCM features. Stay ahead of other SCCM admins! In this post, we will see the upgrade walkthrough and an overview of the SCCM 1805 new features.

Download SCCM 1805 and Upgrade

SCCM 1805 download and upgrade is completed via the in-console "Updates & Servicing" node. There are 17 new or enhanced features available in the SCCM 1805 preview version. SCCM 1805 is an important preview because it is the last preview before the next production version, SCCM CB 1806. Going by previous releases, around 80% of the new features in 1805 will be available in the next production version, 1806.

Video Tutorial – SCCM 1805 Upgrade & Overview of New Features

Co-Management Device configuration workload transition

You can have Intune deploy MDM policies while using SCCM for Win32 app deployment and configuration baselines on an exception basis for co-managed devices. Once you move the Device Configuration workload to Intune, the Resource Access and Endpoint Protection workloads move automatically, because those two workloads are a subset of the device configuration workload.

  1. Move the slider of Device Configuration to Pilot
  2. Create a configuration baseline and select "Always apply this baseline for co-managed clients"
  3. Step 2 gives SCCM-based device configuration policies priority over Intune-based configuration policies

SCCM Console Path – \Administration\Overview\Cloud Services\Co-management

SCCM 1805 Co-Management

Add or Remove Phases in Phased deployments via Task Sequences

You can now add more than two phases in a phased deployment, as well as rearrange or remove phases. I have explained phased deployment options in the video tutorial.

To add or remove phases on an existing phased deployment, edit the phased deployment.
To add or remove multiple phases, use the phased deployment wizard on the task sequence.

Client Tools – CMTrace is part of Client Setup

The CMTrace tool is now installed by default by client setup. CMTrace is not automatically registered with Windows to open the .log file extension. cmtrace.exe can be found in the client installation directory:

%WINDIR%\CCM\cmtrace.exe (client machine)

C:\Program Files\SMS_CCM\cmtrace.exe (client on the site server)

Cloud DP support for Azure Resource Manager (ARM)

Azure Resource Manager is a modern platform for managing all resources as a single resource group. With this deployment method, Azure AD is used to authenticate and create the cloud resources; it doesn't require the Azure management certificate. ARM support is already available for the Cloud Management Gateway in the production version, SCCM 1802.

Onboard the site with Azure AD. 
In the Create Cloud DP Wizard, select ARM deployment, and enter the subscription details. 
On the Settings page, configure the Azure Resource Group.

SCCM 1805 ConfigMgr Server Generated Certificate for HTTP Communication

This release improves how clients communicate with site systems, including cloud domain joined (Azure AD) clients. Using HTTPS is recommended for all Configuration Manager communication paths, but it can be challenging for some customers due to the overhead of managing PKI certificates.

The introduction of Azure Active Directory (Azure AD) integration reduces some, but not all, of the certificate requirements. There are two primary goals for the client communication improvements in this release:

You can secure client communication without the need for PKI server authentication certificates.
Clients can securely access content from distribution points without the need for a network access account.

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select Sites. Select the site and click Properties in the ribbon.
  2. Switch to the Client Computer Communication tab. Select the option for HTTPS or HTTP and then enable the new option to Use Configuration Manager-generated certificates for HTTP site systems.

On an HTTP-mode management point or distribution point of the site, open the IIS admin console and look at the generated certificate binding for the HTTPS protocol.

Friendly name of the cert -> SMS Role SSL Certificate
Issued by -> SMS Issuing

SCCM Console – \Administration\Overview\Security\Certificates

DP/MP – IIS Binding – View SSL Cert
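The check described above, as an added PowerShell script that is not part of the original post or of ConfigMgr: run on an HTTP-mode MP or DP to confirm that the generated "SMS Role SSL Certificate" issued by "SMS Issuing" exists in the machine store and is what the IIS HTTPS binding on port 443 actually uses. It assumes the IIS WebAdministration module is installed and that the site uses the default HTTPS port.

```powershell
# Added verification script (not from the post or from ConfigMgr).
# Assumptions: WebAdministration module present; HTTPS on port 443;
# friendly name and issuer are the values shown in the post.
Import-Module WebAdministration

$FriendlyName = 'SMS Role SSL Certificate'
$IssuerName   = 'SMS Issuing'

# 1. Locate the ConfigMgr-generated server certificate in LocalMachine\My.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.Issuer -like "CN=$IssuerName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Warning "No '$FriendlyName' certificate issued by '$IssuerName' found in LocalMachine\My."
    return
}

"Thumbprint : $($cert.Thumbprint)"
"Subject    : $($cert.Subject)"
"Expires    : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Certificate expires within 30 days; confirm the site is renewing it.'
}

# 2. Confirm the IIS SSL binding on port 443 uses that thumbprint.
$bindings = Get-ChildItem -Path IIS:\SslBindings | Where-Object { $_.Port -eq 443 }
$match    = $bindings | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if ($match) {
    "OK: port 443 binding (IP $($match.IPAddress)) uses the ConfigMgr-generated certificate."
} elseif ($bindings) {
    Write-Warning "Port 443 is bound to a different certificate: $($bindings.Thumbprint -join ', ')"
} else {
    Write-Warning 'No SSL binding on port 443; the role may still be serving HTTP only.'
}
```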

More details available in the video tutorial.

SCCM 1805 Secured Communication

Cloud management troubleshooting Improvements

The new cloud management dashboard provides a centralized view for cloud management gateway usage. When the site is onboarded with Azure AD, it also displays data about cloud users and devices. This feature also includes the CMG connection analyzer for real-time verification to aid troubleshooting.

CMPivot Introduction via Fast Channel

CMPivot gives access to the real-time state of devices in your environment via fast channel communication. I'm planning to publish a dedicated post on the CMPivot in-console tool in SCCM.

Quickly assess the state of your devices so that you can take immediate action.
Currently logged-on user information is shown in the console.
Currently logged-on user information is available to the IT admin for communication and troubleshooting with the end user.

Enable third party software update support on clients

You can now enable configuration of the 'Allow signed updates from an intranet Microsoft update service location' policy and installation of the Windows Server Update Services code signing certificate on clients.

Enable third-party software updates in the Software Update Point component configuration of the top-level site.
Allow Configuration Manager to configure WSUS to automatically generate self-signed certificates for signing third-party software updates.
Configure the default Software Updates client agent settings to enable third-party software updates on clients.
Deploy custom Software Updates client agent settings to enable third-party software updates on clients.
Successfully import a third-party software updates signing certificate from Windows Server Update Services.
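An added client-side check, not part of the original post or of the ConfigMgr client, for what the client agent setting above is meant to deliver: the 'Allow signed updates from an intranet Microsoft update service location' policy (registry value AcceptTrustedPublisherCerts under the WindowsUpdate policy key) and the WSUS signing certificate in the Trusted Publishers store. The subject 'CN=WSUS Publishers Self-signed' is the default for a WSUS-generated self-signed certificate and is an assumption; change it if your site imported its own signing certificate.

```powershell
# Added client check (not from the post or from ConfigMgr).
# Assumption: WSUS self-signed signing cert subject; adjust $SigningSubject if needed.
$SigningSubject = 'CN=WSUS Publishers Self-signed'
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

$result = [ordered]@{
    PolicyEnabled         = $false   # AcceptTrustedPublisherCerts = 1
    SigningCertTrusted    = $false   # cert present in LocalMachine\TrustedPublisher
    SigningCertInRoot     = $false   # self-signed cert must also chain, so check Root
    SigningCertThumbprint = $null
}

# (a) The policy the agent setting configures on the client.
$policy = Get-ItemProperty -Path $PolicyKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
if ($policy -and $policy.AcceptTrustedPublisherCerts -eq 1) { $result.PolicyEnabled = $true }

# (b) The WSUS signing certificate installed by the agent setting.
$trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Subject -eq $SigningSubject }
if ($trusted) {
    $result.SigningCertTrusted    = $true
    $result.SigningCertThumbprint = ($trusted | Select-Object -First 1).Thumbprint
}
$rooted = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $SigningSubject }
$result.SigningCertInRoot = [bool]$rooted

[pscustomobject]$result
if (-not ($result.PolicyEnabled -and $result.SigningCertTrusted)) {
    Write-Warning 'Client is not ready for third-party updates; check the Software Updates client agent setting and its deployment.'
}
```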

Enable Windows LEDBAT for Distribution Points

Adjust the download speed between SCCM DPs and clients to use unused network bandwidth by enabling the Windows LEDBAT feature. This will replace the use of BITS in the future for SCCM client and DP communication. Will LEDBAT replace BITS?

Enable the Windows LEDBAT setting in the SCCM DP site system properties.

Improved WSUS maintenance SCCM 1805

The WSUS cleanup wizard now declines updates that are expired according to the supersedence rules defined on the software update point component properties.

Scenario: Enable the option to run the WSUS cleanup wizard on the Supersedence Rules tab of the software update point component properties.

Management insights Improvements – SCCM 1805

Now you can directly take an action after viewing the details of a specific insight.

Scenario: Run a management insight rule, observe which corresponding rule needs action, and take action on the rule.

Resources:

New Capabilities of SCCM 1805 https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1805
