Roberts Blog

The House of SCCM and Intune on System Center Street

Tag: Current Branch

ConfigMgr CB1906–Management Insights–NTLM Fallback

I remember, a few years back at an MVP Summit, watching a PG member show us the mock-ups they had prepared for how Management Insights would “look” in the console, while gauging our response and taking in feedback.

The feature has certainly come a long way since then. If you’ve not paid much attention to Management Insights, now would be a good time to visit the feature and see what insights it gives you for your site.

From what I can recall, the motivating reason for Management Insights was the desire to make administrators’ lives easier overall: bringing to light the “house chores” needed to keep SCCM running fluidly, highlighting or giving insights into the operational state of a site (empty collections, fast evaluation rules etc.), and it has since extended to highlighting best practices for certain parts of the product (an example being the Site’s current Client Push NTLM fallback state).

There’s a new Management Insight (MI) in CB 1906 called “NTLM Fallback disabled”, which I’ll quickly run over now.

This MI checks the ConfigMgr Site to see if the Client Push Installation property “Allow connection fallback to NTLM” is enabled:

image

If it is enabled, the MI reports Action Needed:

image

When “Allow connection fallback to NTLM” is disabled in the Client Installation properties and the MI is re-evaluated (right click), the MI reports a Completed state, which means we’re compliant:

image

The reason you would disable Client Push attempts using NTLM is to force site-to-client authentication to take place using Kerberos, in line with modern security practice, which sees NTLM as insecure (rightly so) and something we should all be moving away from, as partially noted in the docs:

image

When using the client push method of installing the Configuration Manager client, the site can require Kerberos mutual authentication. This enhancement helps to secure the communication between the server and the client. For more information, see How to install clients with client push.

At a lower level you can disable NTLM fallback for the operating system itself, using either domain or local GPO settings, with consequences that should be thought through first. This isn’t something you do without wising up on the consequences.

The new Management Insight isn’t checking the OS, and it isn’t checking IIS or SQL for relevance and state; those have their own options for handling NTLM fallback.

Here’s a shot of local GPO on the site server for tinkering with restricting NTLM:

Note that once GPO changes are made, remote devices that are not patched and attempt to RDP to the site server may encounter the “Encryption Oracle Remediation” issue.

Changing any NTLM setting requires some preparation work, at the least an understanding of what might break in your environment.
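A read-only audit of those OS-level settings, added here as an example and not something from the post: it reads the local policy values behind the Restrict NTLM and LAN Manager authentication level GPO settings plus the CredSSP Encryption Oracle Remediation setting, and, if outgoing NTLM is already in audit mode, summarises which servers the site server has been reaching over NTLM, so you can see what a later deny would break. Registry paths and the event ID are the standard Windows ones; a value missing from the registry is reported as not configured.

```powershell
# Added example (not from the post): read-only audit of the OS-level NTLM
# restriction and CredSSP settings, to run on the site server before any
# GPO change. Standard policy registry locations; an absent value means the
# setting is not configured and the OS default applies.

function Read-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not configured' }
    return $item.$Name
}

$msv1    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$credssp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# Meaning of the numeric values, per the explain text of each GPO setting.
$sendMap    = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$receiveMap = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
$auditMap   = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' }
$oracleMap  = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Describe($value, $map) {
    if ($value -is [int] -and $map.ContainsKey($value)) { return "$value ($($map[$value]))" }
    return "$value"
}

[pscustomobject]@{
    'Restrict NTLM: Outgoing to remote servers' = Describe (Read-PolicyValue $msv1 'RestrictSendingNTLMTraffic') $sendMap
    'Restrict NTLM: Incoming NTLM traffic'      = Describe (Read-PolicyValue $msv1 'RestrictReceivingNTLMTraffic') $receiveMap
    'Restrict NTLM: Audit incoming'             = Describe (Read-PolicyValue $msv1 'AuditReceivingNTLMTraffic') $auditMap
    'Outgoing NTLM server exceptions'           = (Read-PolicyValue $msv1 'ClientAllowedNTLMServers') -join ', '
    'LAN Manager authentication level'          = Read-PolicyValue $lsa 'LmCompatibilityLevel'
    'CredSSP Encryption Oracle Remediation'     = Describe (Read-PolicyValue $credssp 'AllowEncryptionOracle') $oracleMap
} | Format-List

# With outgoing NTLM set to "Audit all", the Microsoft-Windows-NTLM/Operational log
# records event 8001 for every NTLM connection that a later "Deny all" would block.
# Summarise the target servers seen in the last 7 days to learn what would break.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'TargetServer'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session; the event summary is empty until outgoing NTLM auditing has been on long enough to collect data.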

ConfigMgr CB1906–Site Maintenance

Now that Current Branch 1906 (5.0.8853.1000) is out and I have some spare time to chase through some of the features, I thought I’d whack out some mini-posts highlighting various features.

One of the less impactful but interesting features, due to what it tinkers with, is Site Maintenance. This one isn’t going to woo your manager or users, or change your work routine one jot, but it is interesting nonetheless as it touches ‘old ground’.

Other than additions to the site maintenance task list over the last two decades, there hasn’t been any other visual change in this space.

That changes as of CB 1906.

There hasn’t been much need to change something that isn’t broken, and we hardly ever visit site maintenance, but it was long overdue a visual overhaul to scrub away that Win32 dialog look, as shown below:

image

Now there’s no need for a pop-up dialog: Site Maintenance tasks are listed in the details pane when you visit the Site Configuration > Sites node and select a new tab called Maintenance Tasks.

image

Double click (Properties) on any of the listed tasks and you get taken back to familiar territory with the task’s properties sheet:

image

A very simple change to an oft-ignored part of the product. I like subtle changes like this, enabled by the fast cadence of ConfigMgr.

I noticed that after upgrading CB to 1906, the Last Start Time and Last Completion Time columns were rendering blank.

I chose and ran the Rebuild Indexes maintenance task (changing its schedule to +5 mins into the future) to see if the values are shown once a task runs post-upgrade.

Here’s the task running (SMSDBMON log):

image

And as I thought (well, I got lucky “thinking”), a nudge sorted it, much like the classic “Have you tried turning it off and on again?” approach, much adored by the mightiest of admins:

image

A simple and, as I said, subtle change that has modernised a very boring surface. Nice.

ConfigMgr Current Branch Build 1806–Woot

Current Branch Build 1806 was released on the 17th.

Check out the Build 1806 What’s New page for more info:

  • Intune Hybrid is no longer a supported scenario
  • CMPivot is welcomed into the production build; what a smart bit of tech
  • Changes to High Availability: the support of a fully functional additional Primary. We’re closer to the day when we can migrate by standing up another Primary and closing down the old one …
  • Management Insights gets more loving; this is a handy feature, and it’s good to see it being grown out with even more insights
  • ConfigMgr Toolkit is now included in the build, not as a standalone that requires installation

image

  • Exclude AD Containers: a simple exclusion list which allows us to avoid performing discovery and bringing in data that isn’t required. Before this we had to put a deny permission rule on these objects individually to stop ConfigMgr messing around with them
  • Tooling to easily relocate a Content Library, in preparation for High Availability and other scenarios
  • Cloud DP creation now uses ARM
  • PDPs can consume from Cloud DPs
  • DPs utilise LEDBAT, and there are some changes to Boundary Group behaviour
  • Client Push can now default to using Kerberos for authentication
  • Enhanced HTTP site systems, ever iterating towards ease of use and tighter security around Azure identity and the Client Management Gateway
  • Azure AD device identity changes so that devices with no user logged in can still communicate with the site server
  • CMTrace is now installed as part of the client installation, touch!
  • Cloud management dashboard and improvements for the Client Management Gateway
  • Download from CMG: we can retire those Cloud and IBCM DPs and use the DP located on the CMG
  • Co-Management advances
  • Multiple instances of ConfigMgr can now be used on a single Azure tenant; big progress for hosting
  • Phased App deployment, worth checking out and fitting into your app release process; it allows a deployment to move through ever-widening stages
  • The Office 365 experience has changed: the Office Customization Tool is now integrated. This opens up the configuration of O365 way beyond what was possible using the ConfigMgr wizard, and gives administrators access to up-to-date metadata so as to orchestrate setup better
  • MSIX is here. We’re witnessing the contraction of multiple ways of installing products into one way, or bundle, obfuscating and helping to standardise and lead towards modern apps without sacrificing Win32 apps along the way. It took the Intune PG a very long time to give up and start supporting Win32 apps, and from that we now have a new packaging format
  • Application approval behaviour changes
  • PCM is now integrated; not a huge number of us use this, but when it is used it’s quite handy for soaking up package upgrades to become applications
  • Phased deployment has also been introduced into OSD; check that out. Ever-widening tiers let you stop the process at any point along the way; this would definitely have saved a few companies that hit the news due to FORMAT C: /Q accidents
  • Tweaks to the Windows 10 in-place Task Sequence
  • PXE can now be enabled on a DP without the need for WDS; another victim of progress, classy!
  • More progress in dropping the NAA account; in some scenarios it isn’t being used
  • OSD enhancements around driver package usage and BitLocker
  • Software Center can now handle user apps, allowing the App Catalog to be dropped (really), as well as a super sexy custom tab
  • WSUS Maintenance now declines updates that are expired, removing them from the scan catalog sent down to the clients; one more helpful aid in reducing the WSUS noise on the network
  • And so much more

Check out the What’s New page to see what else the PG gave us in this release.
