Update 2107 for Microsoft Endpoint Configuration Manager current branch is now available

This post has been republished via RSS; it originally appeared at: Configuration Manager Blog articles.

Update 2107 for Microsoft Endpoint Configuration Manager current branch is now available. Microsoft Endpoint Manager is an integrated solution for managing all your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center.


Many customers have lots of collections because for every application they need at least two collections: one for install and another for uninstall. This practice adds overhead of managing more collections and can reduce site performance for collection evaluation.


Starting in this release, you can enable an application deployment to support implicit uninstall. If a device is in a collection, the application installs. Then when you remove the device from the collection, the application uninstalls.


For more information, see Uninstall applications.


This release also includes:

Cloud-attached management

Convert a CMG to virtual machine scale set - Starting in current branch version 2010, you could deploy the cloud management gateway (CMG) with a virtual machine scale set in Azure. This support was primarily to unblock customers with a Cloud Solution Provider (CSP) subscription.

In this release, any customer with a CMG that uses the classic cloud service deployment can convert to a virtual machine scale set. Microsoft recommends that new CMG deployments use a virtual machine scale set.


Select VM size for CMG - When you deploy a CMG with a virtual machine scale set, you can now choose the virtual machine (VM) size. The following three options are available:

  • Lab (B2s)
  • Standard (A2_v2). This size continues to be the default setting.
  • Large (A4_v2)

This control gives you greater flexibility with your CMG deployment. You can adjust the size for test labs or if you support large environments.


Tenant attach support for US Government cloud - United States Government customers can now use the following Microsoft Endpoint Manager tenant attach features in the US Government cloud:

  • Account onboarding
  • Tenant sync to Intune
  • Device sync to Intune
  • Device actions in the Microsoft Endpoint Manager admin center

Renamed Co-management node to Cloud Attach - To better reflect the additional cloud services Configuration Manager offers, the Co-management node has been renamed to the Cloud Attach node. Other changes you may notice include the ribbon button being renamed from Configure Co-management to Configure Cloud Attach and the Co-management Configuration Wizard was renamed to Cloud Attach Configuration Wizard.


Desktop Analytics

Support for the Windows diagnostic data processor configuration

Desktop Analytics now supports the new Windows diagnostic data processor configuration. This configuration provides you greater control of your Windows diagnostic data. Microsoft acts as a data processor, processing Windows diagnostic data on behalf of the controller.


Site infrastructure

Support for Windows Server 2022 and the ADK for Windows 11 - Configuration Manager now supports Windows Server 2022 as site systems and clients. For more information, see the following articles:

It also supports the Windows ADK for Windows 11 and Server 2022.


Microsoft .NET requirements - Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site servers, specific site systems, clients, and the console. Before you run setup to install or update the site, first update .NET and restart the system. If possible in your environment, install the latest version of .NET version 4.8. There's also a new management insight to recommend site systems that don't yet have .NET version 4.8 or later.


New prerequisite check for SQL Server 2012 - When you install or update the site, it now warns for the presence of SQL Server 2012. The support lifecycle for SQL Server 2012 ends on July 12, 2022. Plan to upgrade database servers in your environment, including SQL Server Express at secondary sites.


External notifications - In a complex IT environment, you may have an automation system like Azure Logic Apps. Customers use these systems to define and control automated workflows to integrate multiple systems. You could integrate Configuration Manager into a separate automation system through the product's SDK APIs. But this process can be complex and challenging for IT professionals without a software development background.

Starting in this release, you can enable the site to send notifications to an external system or application. This feature simplifies the process by using a web service-based method. You configure subscriptions to send these notifications. These notifications are in response to specific, defined events as they occur. For example, status message filter rules.


Internet access requirements - Before you update to version 2107, if you restrict internet access, confirm that the site system that hosts the service connection point role can communicate with the following internet endpoint: configmgrbits.azureedge.net. This endpoint was already required, but its use is expanded in this release. The site system can't download version 2107 or later unless your network allows traffic to this URL.


Real-time management

Simplified CMPivot permissions requirements - We've simplified the CMPivot permissions requirements. The new permissions are applicable for CMPivot standalone and CMPivot in the on-premises console. The following changes have been made:

  • CMPivot no longer requires SMS Scripts read permission
    • The SMS Provider still requires this permission if the administration service falls back to it due to a 503 (Service Unavailable) error, as seen in the CMPivot.log.
  • The default scope permission isn't required.

Improvements to CMPivot - We've made the following improvements to CMPivot:

  • Added a Key value to the Registry entity
  • Added a new RegistryKey entity that returns all registry keys matching the given expression
  • Added maxif and minif aggregators that can be used with the summarize operator
  • Improvements to query autocomplete suggestions in the query editor

Client management

Custom properties for devices - Many customers have other data that's external to Configuration Manager but useful for deployment targeting, collection building, and reporting. This data is typically non-technical in nature, not discoverable on the client, and comes from a single external source. For example, a central IT Infrastructure Library (ITIL) system or asset database, which has some of the following device attributes:

  • Physical location
  • Organizational priority
  • Category
  • Cost center
  • Department

Starting in this release, you can use the administration service to set this data on devices. You can then use the custom properties in Configuration Manager for reporting or to create collections.


Client encryption uses AES-256 - Starting in this release, when you enable the site to Use encryption, the client uses the AES-256 algorithm. This setting requires clients to encrypt inventory data and state messages before it sends to the management point.


Updated client deployment prerequisite - The Configuration Manager client requires the Microsoft Visual C++ Redistributable component (vcredist_x*.exe). When you install the client, it automatically installs this component if it doesn't already exist. Starting in this release, it now uses the Microsoft Visual C++ 2015-2019 Redistributable version 14.28.29914.0. This version improves stability in Configuration Manager client operations.


Hardware inventory for client log settings - You can now inventory client log file settings such as log levels and size. This behavior allows you to track settings that you change by the Client Diagnostics actions. This new inventory class isn't enabled by default.


Support for macOS Big Sur - Configuration Manager now supports the macOS Big Sur version 11.


Software Center

Support for enhanced HTTP - When you enable the site for enhanced HTTP, Software Center and the Company Portal now prefer secure communication over HTTPS to get user-available applications from the management point.


Operating system deployment

Support layered keyboard driver during OS deployment - This release adds support for layered keyboard drivers during OS deployment. This driver specifies other types of keyboards that are common with Japanese and Korean languages.



Audit mode for potentially unwanted applications - An Audit option for potentially unwanted applications (PUA) was added in the Antimalware policy settings. Use PUA protection in audit mode to detect potentially unwanted applications without blocking them. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.


Software updates

Run software updates evaluation from deployment status - You can now right-click and notify devices to run a software updates evaluation cycle from the software update deployment status. You can target a single device under the Asset Details pane or select a group of devices based on their deployment status.


Management insights rule for TLS/SSL software update points - Management insights has a new rule to detect if your software update points are configured to use TLS/SSL. To review the Configure software update points to use TLS/SSL rule, go to Administration > Management Insights > All Insights > Software Updates.


List third-party updates catalogs - To help you find custom catalogs that you can import for third-party software updates, there's now a documentation page with links to catalog providers. Choose More Catalogs from the ribbon in the Third-party software update catalogs node. Right-clicking on Third-Party Software Update Catalogs node also displays a More Catalogs menu item. Selecting More Catalogs opens a link to a documentation page containing a list of additional third-party software update catalog providers.


Improvements for managing automatic deployment rules - The following items were added to help you better manage your automatic deployment rules:

  • Updated Product parameter for New-CMSoftwareUpdateAutoDeploymentRule cmdlet - The -Product parameter for New-CMSoftwareUpdateAutoDeploymentRule was updated. When there are multiple products with the same name, -Product now selects all of them.
  • Script to apply deployment package settings for automatic deployment rule - If you create an ADR with the No deployment package option, you're' unable to go back and add one later. To help you resolve this issue, we've uploaded a script into Community hub.

Configuration Manager console

Enhanced code editor - Building on improvements in Configuration Manager 2010 for syntax highlighting and code folding, you now have the ability to edit scripts in an enhanced editor. The new editor supports syntax highlighting, code folding, word wrap, line numbers, and find and replace. The new editor is available in the console wherever scripts and queries can be viewed or edited.


Send product feedback from error windows - Previously, if the Configuration Manager console reported an error in a separate window, you had to go back to the main console window to send feedback. In some cases, this action isn't possible with other console windows open.

Starting in this release, error messages include a link to Report error to Microsoft. This action opens the standard "send a frown" window to provide feedback. It automatically includes details about the user interface and the error to better help Microsoft engineers diagnose the error. Aside from making it easier to send a frown, it also lets you include the full context of the error message when you share a screenshot.


Hierarchy approved console extensions don't require signing - Starting in this release, you can choose to allow unsigned hierarchy approved console extensions. You may need to allow unsigned console extensions due to an unsigned internally developed extension, or for testing your own custom extension in a lab.


Console improvements - In this release we've made the following improvements to the Configuration Manager console:

  • Status message shortcuts: Shortcuts to status messages were added to the Administrative Users node and the Accounts node. Select an account, then select Show Status Messages.
  • Navigate to collection: You can now navigate to a collection from the Collections tab in the Devices node. Select View Collection from either the ribbon or the right-click menu in the tab.
  • Added maintenance window column: A Maintenance window column was added to the Collections tab in the Devices node.
  • Display assigned users: If a collection deletion fails due to scope assignment, the assigned users are displayed.
  • You can now use the All Subfolders search option from the Boot ImagesOperating System Upgrade Packages, and Operating System Images nodes.

Support Center

Improvements to Support Center - Starting in this release, the Content view in the Support Center Client Tools has been renamed to Deployments. From Deployments, you can review all of the deployments currently targeted to the device. The new view is grouped by Category and Status. The view can be sorted and filtered to help you find the deployments you're interested in. Select a deployment in the results pane to display more information in the details pane.



Improvements to CMTrace - This release includes multiple performance improvements to the CMTrace log viewer. Configuration Manager automatically installs this tool in the following locations:

  • The site server's tools directory. For example: cd.latest\SMSSETUP\Tools\CMTrace.exe
  • The Management point's installation directory. For example: C:\SMS_CCM\CMTrace.exe
  • The client installation directory. For example: C:\Windows\CCM\CMTrace.exe
  • OS deployment boot images. For example: X:\sms\bin\x64\CMTrace.exe

RBAViewer location change - RBAViewer has moved from <installdir>\tools\servertools\rbaviewer.exe. It's now located in the Configuration Manager console directory. After you install the console, RBAViewer.exe will be in the same directory. The default location is C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\rbaviewer.exe.


Deprecated features

Learn about support changes before they're implemented in removed and deprecated items.

  • The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP instances. To provide content to internet-based devices, enable the CMG to distribute content.

As previously announced, version 2107 drops support for the following features:

  • Log Analytics connector for Azure Monitor. This feature was called the OMS Connector in the Azure Services node.


Starting with this version, the following features are no longer pre-release:

For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see version 2107 release notes.

For more details and to view the full list of new features in this update, check out our What’s new in version 2107 of Microsoft Endpoint Configuration Manager documentation. 


Note: As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you’ll be notified when it’s ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, see these instructions on how to use the PowerShell script to ensure that you are in the first wave of customers getting the update. By running this script, you’ll see the update available in your console right away.  


For assistance with the upgrade process, please post your questions in the Site and Client Deployment forum. Send us your Configuration Manager feedback through Send-a-Smile in the Configuration Manager console.  Continue to share and vote on ideas about new features in Configuration Manager.


Thank you, 

The Configuration Manager team 


Additional resources: 


REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.