Configuration Manager Blog

Update 2207 for Microsoft Endpoint Configuration Manager current branch is now available

Bala_Delli
Microsoft
Aug 12, 2022

 

Cloud-attached management

 

Enhanced security for Configuration Manager administration service

 

We're introducing a new cloud application with limited access to the administration service. This feature lets the cloud management gateway (CMG) segment admin privileges between the management point and the administration service, so the CMG can restrict access to the administration service. Admins get granular control over which users can access the administration service, and can enforce MFA if necessary.

 

For more information, see Configure Azure services for use with Configuration Manager.

 

Simplified application deployment approval

 

An administrator can now approve or deny a request to deploy an application on a device from anywhere they have internet access by selecting a link in the email notification. This feature requires admins to manually add the CMG URL to the Azure Active Directory app as a single-page application redirect URI.

 

For more information, see Create an app registration in Azure AD for your app service app.

 

Include and prefer a cloud source for a management point in a default boundary group

 

Until 2203 current branch, you didn’t have an option to prefer a CMG as a management point in a default boundary group. Clients falling back to a default boundary group could only communicate with non-cloud-based management points.

When a site is initially installed, there's a default site boundary group created for each site, and all the clients use it by default until they're assigned to a custom boundary group.

Starting in Configuration Manager 2207, you can add options via PowerShell to include and prefer cloud sources. For instance, you can set the CMG as the preferred management point for the clients in the default boundary group.

 

For more information, see Default site boundary group behavior supports cloud source selection.

 

Client management

 

Granular control over compliance settings evaluation

 

You can now define a Script Execution Timeout (seconds) when configuring client settings for compliance settings. The timeout value can be set from a minimum of 60 seconds to a maximum of 600 seconds. This new setting allows you more flexibility for configuration items when you need to run scripts that may exceed the default of 60 seconds.

 

For more information, see the compliance settings group of client settings.

 

Software updates

 

Improved manageability of automatic deployment rules (ADRs)

 

You'll now be able to organize ADRs with folders. This improvement helps you categorize and manage ADRs across your organizational hierarchy by giving you a structured view across your phased deployments. Folders can also be created with PowerShell cmdlets.

 

For more information, see Process to create a folder for automatic deployment rules.

 

Enhanced control over monthly maintenance windows

 

Based upon your feedback, we have enhanced monthly maintenance window scheduling. You can now set monthly maintenance window schedules to better align deployments with the release of monthly software updates by configuring offsets. For example, using an offset of two days after the second Tuesday of the month sets the maintenance window for Thursday.

 

 

For more information, see How to use maintenance windows in Configuration Manager.

 

Endpoint Protection

 

Improved Microsoft Defender for Endpoint (MDE) onboarding for Windows Server 2012 R2 and Windows Server 2016

 

Configuration Manager version 2207 now supports automatic deployment of the modern, unified Microsoft Defender for Endpoint agent for Windows Server 2012 R2 and 2016. Windows Server 2012 and 2016 devices that are targeted with a Microsoft Defender for Endpoint onboarding policy will use the unified agent instead of the existing Microsoft Monitoring Agent based solution, if configured through Client Settings.

 

 

For more information, see Microsoft Defender for Endpoint onboarding.

 

Enhanced protection for untrusted environments

 

  1. Windows Defender Application Guard is now called Microsoft Defender Application Guard in the console.

  2. The General settings page in the Microsoft Defender Application Guard now allows you to create policies within Configuration Manager to protect your employees using Microsoft Edge and isolated Windows environments.

  3. The Application Behavior settings page allows you to enable or disable cameras and microphones, along with certificate matching of the thumbprints to the isolated container.

  4. The following items were removed:

    • The Enterprise sites can load non-enterprise content, such as third-party plug-in settings, under the Host interaction page.
    • The file trust criteria policy, under the File Management page.

 

 

For more information, see Create and deploy Microsoft Defender Application Guard policy.

 

Configuration Manager console

 

Improvements to the console

 

  • When performing a search on any node in the console, the search bar will now include a Path criteria to show that subfolders in the node are included in the search.

    • The path criteria is informational and can’t be edited.

    • By default, all subfolders will be searched when you perform a search in any node that contains subfolders. You can narrow down the search by selecting the “Current Node” option from the search toolbar.

 

Improvements to the dark theme

 

The dark theme has been available as a pre-release feature since 2203. In this release we've extended the dark theme to additional components such as buttons, context menus, and hyperlinks. Enable this pre-release feature to experience the dark theme.

 

For more information, see Console changes and tips.

 

Preview only feature

 

Distribution point content migration

 

Distribution point content migration support is now available for migrating content from one distribution point to another distribution point using PowerShell cmdlets. You can also monitor the distribution point migration status using these PowerShell cmdlets.

 

There are multiple scenarios where the content of one distribution point needs to be migrated to another distribution point.

 

  1. Cloud distribution points (CDP) hosted on Azure classic services will be unsupported in 2024. You need to migrate CDP content to another distribution point.
  2. Migration of cloud management gateway (Classic CMG) hosted with the *.cloudapp.net domain will also be unsupported. You may need to migrate CMG classic content to another distribution point.
  3. You may need to migrate local distribution point content to another local distribution point or a CMG.

 

Prerequisites

 

  1. The user's security role permission should have "Copy to Distribution Point" enabled under Distribution Point.
  2. If you want to deprecate the source distribution point, make sure that the source and destination distribution points have the same boundary group.
  3. The destination distribution point should be installed already and able to receive the content.

 

Note: You can't currently configure this behavior from the Configuration Manager console. For more information on configuring this behavior with PowerShell, see the cmdlet details.

 

For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see version 2207 release notes.

 

For more details and to view the full list of new features in this update, check out our What’s new in version 2207 of Microsoft Endpoint Configuration Manager documentation. 

 

For assistance with the upgrade process, please post your questions in the Site and Client Deployment forum. Send us your Configuration Manager feedback through Feedback in the Configuration Manager console.  Continue to share and vote on ideas about new features in Configuration Manager.

 

Thank you, 

The Configuration Manager team 

 

Updated Aug 13, 2022
Version 2.0
  • Michael-CM
    Iron Contributor

    Thanks for this Release.

     

    The amount of new features is slowing down in TPs and Release Versions in the last months.

    Would be nice to see a little bit more again in future.

     

    Bugs like the issue with the built-in Windows Server 2019 Requirement (Global Condition), which still matches on Windows Server 2022 by mistake, should be fixed very soon please. I mentioned this multiple times now in all available channels and nobody really takes care of it. Instead of taking care you get back "this is by design", which makes absolutely no sense for me in this case, sorry.

  • MelleMollema
    Copper Contributor

    Hey Configuration Manager team,

     

    I am really looking forward to this update, we are going to implement Defender for Endpoint on our 2012R2 and 2016 servers. Doing it with client settings instead of a package is so much easier! When is the update GA? I think it is taking longer than usual.

     

    Hope to hear from you 🙂

     

    Kind regards,

    Melle