System Center Configuration Manager and Windows 10: Better Together?

By Bethan Kelly, Technology Solutions Professional at Microsoft

System Center Configuration Manager has undoubtedly come a long way since its Systems Management Server (SMS) days, but now the changes are coming fast, with new updates and features being released several times a year. Configuration Manager purists will surely find many features to enhance their experience, but for the purposes of this article we are temporarily switching focus to good old Operating System Deployment. Rather than asking “What’s new with System Center Configuration Manager?”, let’s focus on which features in the new releases can assist with a Windows 10 migration.

Windows Analytics: Upgrade Readiness

Preparation for your upgrade is key – whether that means checking the kitchen to make sure there’s enough coffee or, perhaps more importantly, working out how many of your bespoke applications might cause you a headache during a planned migration. The challenge is gathering that sort of insight data and transforming it into information. Windows Analytics: Upgrade Readiness is a cloud service which is available as a free element of Operations Management Suite (OMS), with the aim of helping people understand the compatibility of their applications and drivers with Windows 10. Not only does this mean that the initial jump from a historical client platform, such as Windows 7, becomes slightly more fathomable, but continued usage of the tool also lets you monitor the potential impact of future updates of Windows 10. The Upgrade Readiness Connector, which was included in the 1610 update of System Center Configuration Manager, allows you to pull the data from your Upgrade Readiness tenant into the console. Using that data, you can create a dynamic device collection that contains all devices which are ready for an upgrade and that has a task sequence attached to perform the upgrade.

Windows 10 Version Support

Deploying and managing the feature updates of Windows 10 isn’t something that just any management product can do. In line with the new servicing model of Windows, System Center Configuration Manager Current Branch aligns to the Windows 10 Current Branch releases, and, as a result, the two versions must be in line with each other in order to be supported for deployment. For more detail on compatibility and how this works, check out the FAQ.

Servicing Plans

Possibly the most significant feature within System Center Configuration Manager is the capability to create Servicing Plans. These allow you to define which computers in the estate get which release of Windows 10 and set up a schedule for when they get it. Servicing Plans can be used to stagger updates for a defined period of time, so instead of the Current Branch release going out to the whole Accounting department immediately, you can now set controls within the console to wait 30 days, by which point you’ve had a chance to test it out. In addition, Servicing Plans remove the need to deploy the updates manually. Once an upgrade meets the requirements of a Servicing Plan, it is automatically distributed and deployed to the relevant collection.

Device Guard Policy

Device Guard is an Enterprise feature of Windows 10 which allows organisations to restrict what can run on the desktop down to only trusted applications and code, based on a Code Integrity policy. If you are already using System Center Configuration Manager in your environment, it can be used to assist with the configuration of Device Guard, whether that involves checking prerequisites for the feature based on WMI filters or enabling the Device Guard feature as part of a task sequence. Exactly how this can be done can be found here.
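As an illustration of the WMI-based prerequisite check mentioned above, the following added example (not taken from this article or from Microsoft's ConfigMgr guidance) interprets the Win32_DeviceGuard class that Windows 10 exposes in the root\Microsoft\Windows\DeviceGuard namespace. The function name Get-DeviceGuardReadiness, the choice of baseline properties and the sample object are assumptions made for the example.

```powershell
# Added example: evaluate Device Guard prerequisites from Win32_DeviceGuard.
# Value meanings follow Microsoft's documentation for this WMI class.
$PropertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure memory overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
}
$VbsNames = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

function Get-DeviceGuardReadiness {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $DeviceGuard,
        # Assumption: hypervisor support and Secure Boot as the baseline;
        # substitute the properties your own policy requires.
        [int[]] $Baseline = @(1, 2)
    )
    $available = @($DeviceGuard.AvailableSecurityProperties)
    $running   = @($DeviceGuard.SecurityServicesRunning)
    $missing   = @($Baseline | Where-Object { $_ -notin $available })

    [pscustomobject]@{
        Ready       = ($missing.Count -eq 0)
        Missing     = @($missing | ForEach-Object { $PropertyNames[$_] })
        VbsStatus   = $VbsNames[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        # Service 2 is hypervisor-enforced code integrity (HVCI).
        HvciRunning = (2 -in $running)
    }
}

# Constructed sample (not captured from a real device): Secure Boot is absent.
$sample = [pscustomobject]@{
    AvailableSecurityProperties       = [uint32[]]@(1, 3, 5)
    SecurityServicesRunning           = [uint32[]]@(0)
    VirtualizationBasedSecurityStatus = [uint32]0
}
Get-DeviceGuardReadiness -DeviceGuard $sample

# On a live Windows 10 Enterprise client, query the class instead:
# $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
#                       -ClassName Win32_DeviceGuard
# Get-DeviceGuardReadiness -DeviceGuard $dg
```

The same class and namespace can back a ConfigMgr collection query or task sequence condition, so that Device Guard is only enabled on hardware that reports the required properties.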

Windows Defender Advanced Threat Protection (WDATP)

Released with the Windows 10 1607 (Anniversary Update), WDATP is Microsoft’s new post-breach investigation and response security feature which monitors behaviour on the client endpoint and looks for indicators of zero-day attacks, explained in more detail here. ConfigMgr 1606 brought with it a new feature which allows administrators to create client onboarding policies for WDATP to begin the communication of data between the client and the cloud service. In addition, you can monitor compliance across the estate to understand which devices may not be enrolled yet. If you’re turning WDATP on after rolling out 1607, then applying a policy helps make the process seamless. You can sign up for a trial of WDATP here.