Update 2010 for Microsoft Endpoint Configuration Manager current branch is now available


This article is contributed. See the original author and article here.

Update 2010 for Microsoft Endpoint Configuration Manager current branch is now available. Microsoft Endpoint Manager is an integrated solution for managing all your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center.


In this release we continue to build on the tenant attach and work from anywhere themes from earlier releases, making cloud attach and management from the cloud easier and applicable for all. Cloud attach is using any combination of the “Big 3”: cloud management gateway (CMG), tenant attach and co-management.



Administrators now have more control over use of the cloud, enhancements to tenant attach and additional functionality when managing clients over cloud management gateway.  Additionally, we have introduced CMG support for Azure Cloud Solution Provider (CSP) subscriptions.


Improvements to cloud attach include:


Microsoft Endpoint Manager tenant attach

Troubleshooting portal lists a user’s devices based on usage – The troubleshooting portal in Microsoft Endpoint Manager admin center allows you to search for a user and view their associated devices. Starting in this release, tenant attached devices that are assigned user device affinity automatically based on usage will now be returned when searching for a user.


Enhancements to applications in Microsoft Endpoint Manager admin center

We’ve made improvements to applications for tenant attached devices. Administrators can now do the following actions for applications in the Microsoft Endpoint Manager admin center:

  • Uninstall an application

  • Repair installation of an application

  • Re-evaluate the application installation status

  • Reinstall an application (this action replaces Retry installation)


Cloud-attached management

Cloud management gateway with virtual machine scale set – Cloud management gateway (CMG) deployments now use virtual machine scale sets in Azure. This change introduces support for Azure Cloud Solution Provider (CSP) subscriptions.


Disable Azure AD authentication for onboarded tenants – You can now disable Azure Active Directory (Azure AD) authentication for tenants not associated with users and devices. 


Additional options when creating app registrations in Azure Active Directory – You can now specify Never for the expiration of a secret key when creating Azure Active Directory app registrations.


Validate internet access for the service connection point – If you use Desktop Analytics or tenant attach, the service connection point now checks important internet endpoints. These checks help make sure that the cloud-connected services are available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem.


Cloud management gateway

Improvements to available apps via CMG – An internet-based, domain-joined device that isn’t joined to Azure Active Directory (Azure AD) and communicates via a cloud management gateway (CMG) can now get apps deployed as available. The Active Directory domain user of the device needs a matching Azure AD identity. When the user starts Software Center, Windows prompts them to enter their Azure AD credentials. They can then see any available apps.


Deploy an OS over CMG using boot media – Starting in current branch version 2006, the cloud management gateway (CMG) supports running a task sequence with a boot image when you start it from Software Center. With this release, you can now use boot media to reimage internet-based devices that connect through a CMG. This scenario helps you better support remote workers. If Windows won’t start so that the user can access Software Center, you can now send them a USB drive to reinstall Windows.


Improvements to BitLocker management – You can now manage BitLocker policies and escrow recovery keys over a cloud management gateway (CMG). This change also provides support for BitLocker management via internet-based client management (IBCM) and when you configure the site for enhanced HTTP. There’s no change to the setup process for BitLocker management. This improvement supports domain-joined and hybrid domain-joined devices.


This release also includes:


Site infrastructure

Monitor scenario health – You can now use Configuration Manager to monitor the health of end-to-end scenarios. It simulates activities to expose performance metrics and failure points. These synthetic activities are similar to methods that Microsoft uses to monitor some components in its cloud services. Use this additional data to better understand timeframes for activities. If failures occur, it can help focus your investigation.


Report setup and upgrade failures to Microsoft – If the setup or update process fails to complete successfully, you can now report the error directly to Microsoft. If a failure occurs, the Report update error to Microsoft button is enabled. When you use the button, an interactive wizard opens allowing you to provide more information to us. 


Delete Aged Collected Diagnostic Files task – You now have a new maintenance task available for cleaning up collected diagnostic files. Delete Aged Collected Diagnostic Files uses a default value of 14 days when looking for diagnostic files to clean up and doesn’t affect regular collected files. The new maintenance task is enabled by default.

Improvements to the administration service – The Configuration Manager REST API, the administration service, requires a secure HTTPS connection. Starting in this release, you no longer need to enable IIS on the SMS Provider for the administration service. When you enable the site for enhanced HTTP, it creates a self-signed certificate for the SMS Provider, and automatically binds it without requiring IIS.


Desktop Analytics

For more information on the monthly changes to the Desktop Analytics cloud service, see What’s new in Desktop Analytics.


Support for new Windows 10 data levels

Microsoft is increasing transparency by categorizing the data that Windows 10 collects:

  • Basic diagnostic data is recategorized as Required diagnostic data

  • Full is recategorized as Optional

If you previously configured devices for Limited or Limited (Enhanced), in an upcoming release of Windows 10, they’ll use the Required level. This change may impact the functionality of Desktop Analytics.


Support for Windows 10 Enterprise LTSC – The Windows 10 long-term servicing channel (LTSC) was designed for devices where the key requirement is that functionality and features don’t change over time. This servicing model prevents Windows 10 Enterprise LTSC devices from receiving the usual feature updates. It provides only quality updates to make sure that device security stays up to date. Some customers want to shift from LTSC to the semi-annual servicing channel, to have access to new features, services, and other major changes. Starting in this release, you can now enroll LTSC devices to Desktop Analytics to evaluate in your deployment plans.


Client management

Wake machine at deployment deadline using peer clients on the same remote subnet – In version 1810, the introduction of peer wake up allowed an administrator to wake a device or collection of devices, on demand using the client notification channel. This latest improvement allows the Configuration Manager site to wake devices at the deadline of a deployment, using that same client notification channel. Instead of the site server issuing the magic packet directly, the site uses the client notification channel to find an online machine in the last known subnet of the target device(s) and instructs the online client to issue the WoL packet for the target device.


Improved Windows Server restart experience for non-administrator accounts – For a low-rights user on a device that runs Windows Server, by default they aren’t assigned the user rights to restart Windows. When you target a deployment to this device, this user can’t manually restart. For example, they can’t restart Windows to install software updates. Starting in this release, you can now control this behavior as needed. In the Computer Restart group of client settings, enable the following setting: When a deployment requires a restart, allow low-rights users to restart a device running Windows Server.


Operating system deployment

Deploy a task sequence deployment type to a user collection – You can now deploy an application with a task sequence deployment type to a user-based collection. A user-targeted deployment still runs in the context of the local System account.

Manage task sequence size – Large task sequences cause problems with client processing. To further help manage the size of task sequences, this release continues to iterate on improvements.

  • Starting in this release Configuration Manager restricts actions for a task sequence that’s greater than 2 MB in size. For example, the task sequence editor will display an error if you try to save changes to a large task sequence.

  • When you view the list of task sequences in the Configuration Manager console, add the Size (KB) column. Use this column to identify large task sequences that can cause problems.


Analyze SetupDiag errors for feature updates – With the release of Windows 10, version 2004, the SetupDiag diagnostic tool is included with Windows Setup. If there’s an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. Configuration Manager now gathers and summarizes SetupDiag results from feature update deployments with Windows 10 servicing.


Improvements to task sequence performance setting – Starting in Configuration Manager version 1910, to improve the overall speed of the task sequence, you could activate the Windows power plan for High Performance. Starting in this release, you can now use this option on devices with modern standby and other devices that don’t have that default power plan.



Expanded Windows Defender Application Control management – Windows Defender Application Control enforces an explicit list of software allowed to run on devices. In this release, we’ve expanded Windows Defender Application Control policies to support devices running Windows Server 2016 or later.



Collection query preview – You can now preview the query results when you’re creating or editing a query for collection membership. Preview the query results from the query statement properties dialog. When you select Edit Query Statement, select the green triangle on the query properties for the collection to show the Query Results Preview window. Select Stop if you want to stop a long running query.


Collection evaluation view – We’ve integrated the functionality of Collection Evaluation Viewer into the Configuration Manager console. This change provides administrators a central location to view and troubleshoot the collection evaluation process.


View collection relationships – You can now view dependency relationships between collections in a graphical format. It shows limiting, include, and exclude relationships.


Configuration Manager console

Product feedback – The Configuration Manager console has a new wizard for sending feedback. The redesigned wizard improves the workflow with better guidance about how to submit good feedback. There’s also a new status message query, Feedback sent to Microsoft. Use this query to easily find feedback status messages.


Improvements to in-console notifications

You now have an updated look and feel for in-console notifications. Notifications are more readable, and the action link is easier to find. Additionally, the age of the notification is displayed to help you find the latest information. If you dismiss or snooze a notification, that action is now persistent for your user across


Improvements to the Configuration Manager console –


  • You can now copy discovery data from devices and users in the console. Copy the details to the clipboard, or export them all to a file. These new actions make it easier for you to quickly get this data from the console. For example, copy the MAC address of a device before you reimage it.

  • Various areas in the Configuration Manager console now use the fixed-width font Consolas. This font provides consistent spacing and makes it easier to read.

  • You now have an easier way to view status messages for objects. Select an object in the Configuration Manager console, and then select Show Status Messages from the ribbon.

  • Now when you import an object in the Configuration Manager console, it imports to the current folder. Previously, Configuration Manager always put imported objects in the root node. This new behavior applies to applications, packages, driver packages, and task sequences.

  • To assist you when creating scripts and queries in the Configuration Manager console, you’ll now see syntax highlighting and code folding, where available.


Content management

Improvements to client data sources dashboard – The client data sources dashboard now offers an expanded selection of filters to view information about where clients get content. These new filters include:

  • Single boundary group

  • All boundary groups

  • Internet clients

  • Clients not associated with a boundary group

The dashboard also includes a new tile for Content downloads using fallback source. This information helps you understand how often clients download content from an alternate source.


Improvements to the content library cleanup tool – If you remove content from a distribution point while the site system is offline, an orphaned record can exist in WMI. Over time, this behavior can eventually lead to a warning status on the distribution point. To mitigate the issue in the past, you had to manually remove the orphaned entries from WMI. The content library cleanup tool in delete mode can now remove orphaned content records from WMI.


Software updates

Enable user proxy for software update scans – Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A client scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by default. If you still require a user proxy despite the security trade-offs, a new software updates client setting is available to allow these connections. For more information about the changes for scanning WSUS, see September 2020 changes to improve security for Windows devices scanning WSUS. To ensure that the best security protocols are in place, we highly recommend that you use the TLS/SSL protocol to help secure your software update infrastructure.


Notifications for devices no longer receiving updates – To help you manage security risk in your environment, you’ll be notified in-console about devices with operating systems that are past the end of support date and that are no longer eligible to receive security updates. Additionally, a new Management Insights rule was added to detect Windows 7, Windows Server 2008, and Windows Server 2008 R2 without Extended Security Updates (ESU).


Immediate distribution point fallback for clients downloading software update delta content – There’s a new client setting for software updates. If delta content is unavailable from distribution points in the current boundary group, you can allow immediate fallback to a neighbor or the site default boundary group distribution points. This setting is useful when using delta content for software updates since the timeout setting per download job is five minutes.



For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see version 2010 release notes.


Support for PowerShell version 7 – The Configuration Manager PowerShell cmdlet library now offers support for PowerShell 7.


Improvements to cloud management gateway cmdlets – With more customers managing remote devices now, this release includes several new and improved Windows PowerShell cmdlets for the cloud management gateway (CMG). You can use these cmdlets to automate the creation, configuration, and management of the CMG service and Azure Active Directory (Azure AD) requirements.



For more information on changes to the administration service REST API, see Administration service release notes.


For more details and to view the full list of new features in this update, check out our What’s new in version 2010 of Microsoft Endpoint Configuration Manager documentation. 


Note: As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you’ll be notified when it’s ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, see these instructions on how to use the PowerShell script to ensure that you are in the first wave of customers getting the update. By running this script, you’ll see the update available in your console right away.  


For assistance with the upgrade process, please post your questions in the Site and Client Deployment forum. Send us your Configuration Manager feedback through Send-a-Smile in the Configuration Manager console.  


Continue to use our UserVoice page to share and vote on ideas about new features in Configuration Manager. 


Thank you, 

The Configuration Manager team 



Now That's What I Call .NET 5 on #Dev_Jams



Do you ever have trouble getting into the coding flow because you just can’t decide what music you want to jam to? Well, we have just the playlist for you: Now That’s What I Call .NET 5! 


To help celebrate the release of .NET 5, I reached out to some .NET devs around the world and asked them about why they love .NET and what their favorite song to listen to while coding is. With that info, we created the #dev_jams playlist on Spotify and created an album booklet with our featured tracks/devs! Check it out below and feel free to download it for yourself at the bottom of the page. 



Scott Hanselman – @shanselman

Amiee Lo – @amiee_lo

Torin Solarin-Sodara – @tonerdo

Aida Crone – @aidapsibr

Rodney Littles, II – @rlittiesii

Bron Thulke – @_bron_

Michael Dera – @michaeldera

Mark Rendle – @markrendle

Jeremy Sinclair – @sinclairinat0r

Jayme Singleton – @jaymesingleton1

+ a special shout out to Marc Duiker (@marcduiker) for creating the amazing pixel art!


What do you think of these featured tracks? Did we miss a song? Let us know your favorite song by using the hashtag #dev_jams on Twitter. Happy jamming!


Also, just in case you missed it – you can download .NET 5 for Windows, macOS, and Linux here. And although .NET Conf 2020 has wrapped up, you can still catch all the sessions on demand and get a head start on all the new features that were introduced with .NET 5!

SQL Server Cumulative Updates (CU) through the end of calendar year 2020


This has been a tough year and we are supporting our teams to spend time with their families. Due to minimal operations over the upcoming holidays and new year, we will not be releasing any additional SQL Server Cumulative Update (CU) releases for the rest of calendar year 2020.  Applicable to SQL Server mainstream support products: SQL Server 2019, SQL Server 2017, and SQL Server 2016 Service Pack 2 (SP2).


If you have a product issue and you have confirmation a specific fix is scheduled for the next CU release, we encourage you to work with our support channels as documented in our help and feedback page.

Meta-data driven key-value pairs extraction with Azure Form Recognizer


Most organizations are now aware of how valuable the forms (PDFs, images, videos…) they keep in their closets are. They are looking for best practices and the most cost-effective ways and tools to digitize those assets. By extracting the data from those forms and combining it with existing operational systems and data warehouses, they can build powerful AI and ML models to get insights from it and deliver value to their customers and business users.

With the Form Recognizer Cognitive Service, we help organizations to harness their data, automate processes (invoice payments, tax processing …), save money and time and get better accuracy.

Figure 1: Typical form


In my first blog about automated form processing, I described how you can extract key-value pairs from your forms in real time using the Azure Form Recognizer cognitive service. We successfully implemented that solution for many customers.

Often, after a successful PoC or MVP, our customers realize that not only do they need this real-time solution, but they also have a huge backlog of forms they would like to ingest into their relational or NoSQL databases or data lake, in a batch fashion. They have different types of forms and they don’t want to build a model for each type. They are also looking for an easy and quick way to ingest new types of forms.

In this blog, we’ll describe how to dynamically train a Form Recognizer model to extract the key-value pairs of different types of forms, at scale, using Azure services. We’ll also share a GitHub repository where you can download the code and implement the solution we describe in this post.


The backlog of forms may be in your on-premises environment or on an (s)FTP server. We assume that you were able to upload them into an Azure Data Lake Store Gen 2, using Azure Data Factory, Storage Explorer or AzCopy. Therefore, the solution we’ll describe here will focus on the data ingestion from the data lake to the (No)SQL database.

Our product team published a great tutorial on how to Train a Form Recognizer model and extract form data by using the REST API with Python. The solution described in that tutorial demonstrates the approach for one model and one type of forms and is ideal for real-time form processing.

The value-add of this post is to show how to automatically train a model with new and different types of forms using a meta-data driven approach, in batch mode.

Below is the high-level architecture.


Figure 2: High Level Architecture


Azure services required to implement this solution

To implement this solution, you will need to create the below services:


Form Recognizer resource: 

Form Recognizer resource to set up and configure the Form Recognizer cognitive service, and to get the API key and endpoint URI.

Azure SQL single database:

We will create a meta-data table in Azure SQL Database. This table will contain the non-sensitive data required by the Form Recognizer REST API. The idea is that, whenever there is a new type of form, we just insert a new record in this table and trigger the training and scoring pipeline.
The required attributes of this table are:


  • form_description: This field is not required for training the model or for inference. It just provides a description of the type of forms we are training the model for (for example, client A forms, Hotel B forms, …).

  • training_container_name: This is the storage account container name where we store the training dataset. It can be the same as scoring_container_name

  • training_blob_root_folder: The folder in the storage account where we’ll store the files for the training of the model.

  • scoring_container_name: This is the storage account container name where we store the files we want to extract the key value pairs from.  It can be the same as the training_container_name

  • scoring_input_blob_folder: The folder in the storage account where we’ll store the files to extract key-value pair from.

  • model_id: The identity of the model we want to retrain. For the first run, the value must be set to -1 to create a new custom model to train. The training notebook will return the newly created model id to the data factory and, using a stored procedure activity, we’ll update the meta-data table in the Azure SQL database.

Whenever you have a new form type, you need to reset the model id to -1 and retrain the model.


  • file_type: The supported types are application/pdf, image/jpeg, image/png, image/tif.

  • form_batch_group_id: Over time, you might have multiple form types that you train against different models. The form_batch_group_id will allow you to specify all the form types that have been trained using a specific model.

Azure Key Vault:

For security reasons, we don’t want to store certain sensitive information in the parametrization table in the Azure SQL database. We store those parameters in Azure Key Vault secrets.

Below are the parameters we store in the key vault:

  • CognitiveServiceEndpoint: The endpoint of the form recognizer cognitive service. This value will be stored in Azure Key Vault for security reasons.

  • CognitiveServiceSubscriptionKey: The access key of the cognitive service. This value will be stored in Azure Key Vault for security reasons. The below screenshot shows how to get the key and endpoint of the cognitive service.

Figure 3: Cognitive Service Keys and Endpoint


  • StorageAccountName: The storage account where the training dataset and forms we want to extract the key value pairs from are stored. The two storage accounts can be different. The training dataset must be in the same container for all form types. They can be in different folders.

  • StorageAccountSasKey: The shared access signature of the storage account.

The below screen shows the key vault after you create all the secrets.

Figure 4: Key Vault Secrets

Azure Data Factory: 

To orchestrate the training and scoring of the model. Using a lookup activity, we’ll retrieve the parameters from the Azure SQL Database and orchestrate the training and scoring of the model using Databricks notebooks. All the sensitive parameters stored in Key Vault will be retrieved in the notebooks.

Azure Data Lake Gen 2: 

To store the training dataset and the forms we want to extract the key-values pairs from. The training and the scoring datasets can be in different containers but, as mentioned above, the training dataset must be in the same container for all form types.

Azure Databricks:

To implement the Python script to train and score the model. Note that we could have used Azure Functions.

Azure Key Vault:

To store the sensitive parameters required by the Form Recognizer REST API.


The code to implement this solution is available in the following GitHub repository.
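Separately from that repository, here is an added example (not the author's code) of how a notebook could join one meta-data row with the Key Vault secrets into a training request, while keeping secrets out of the SQL table and out of the logs. The Form Recognizer v2.0 path, header and body shape, the helper names and all sample values are assumptions.

```python
import json
from urllib.parse import quote

# File types the post lists as supported.
ALLOWED_FILE_TYPES = {"application/pdf", "image/jpeg", "image/png", "image/tif"}
# Secret names the post keeps in Azure Key Vault.
SECRET_NAMES = ("CognitiveServiceEndpoint", "CognitiveServiceSubscriptionKey",
                "StorageAccountName", "StorageAccountSasKey")
# Heuristic markers (assumption) of a SAS token or key pasted into the SQL table.
SECRET_MARKERS = ("sig=", "accountkey=", "?")
LOCATION_COLUMNS = ("training_container_name", "training_blob_root_folder",
                    "scoring_container_name", "scoring_input_blob_folder")


def validate_row(row):
    """Reject a meta-data row with an unsupported type or secret-looking values."""
    if row["file_type"] not in ALLOWED_FILE_TYPES:
        raise ValueError(f"unsupported file_type: {row['file_type']!r}")
    for column in LOCATION_COLUMNS:
        value = str(row[column])
        if any(marker in value.lower() for marker in SECRET_MARKERS):
            raise ValueError(f"{column} looks like it carries a secret or query string")
        if ".." in value.split("/"):
            raise ValueError(f"{column} contains a parent-directory segment")
    return row


def needs_training(row):
    """The post uses model_id = -1 to request a new custom model."""
    return str(row["model_id"]) == "-1"


def build_training_request(row, get_secret):
    """Join the non-sensitive row with secrets fetched at run time."""
    validate_row(row)
    secret = {name: get_secret(name) for name in SECRET_NAMES}
    source = "https://{}.blob.core.windows.net/{}?{}".format(
        secret["StorageAccountName"], quote(row["training_container_name"]),
        secret["StorageAccountSasKey"].lstrip("?"))
    return {
        # Path, header and body follow the Form Recognizer v2.0 REST API (assumed version).
        "url": secret["CognitiveServiceEndpoint"].rstrip("/")
               + "/formrecognizer/v2.0/custom/models",
        "headers": {"Content-Type": "application/json",
                    "Ocp-Apim-Subscription-Key": secret["CognitiveServiceSubscriptionKey"]},
        "body": {"source": source, "useLabelFile": False,
                 "sourceFilter": {"prefix": row["training_blob_root_folder"],
                                  "includeSubFolders": False}},
    }


def redacted_view(request):
    """Copy of the request that is safe to print in notebook output or logs."""
    safe = json.loads(json.dumps(request))  # deep copy of plain JSON data
    safe["headers"]["Ocp-Apim-Subscription-Key"] = "***"
    safe["body"]["source"] = safe["body"]["source"].split("?", 1)[0] + "?***"
    return safe


# Constructed sample data: one meta-data row and stand-in secret values.
SAMPLE_ROW = {
    "form_description": "client A forms", "file_type": "application/pdf",
    "training_container_name": "forms", "training_blob_root_folder": "clientA/train",
    "scoring_container_name": "forms", "scoring_input_blob_folder": "clientA/score",
    "model_id": -1, "form_batch_group_id": 1,
}
FAKE_VAULT = {
    "CognitiveServiceEndpoint": "https://example-fr.cognitiveservices.azure.com/",
    "CognitiveServiceSubscriptionKey": "constructed-key",
    "StorageAccountName": "examplestore",
    "StorageAccountSasKey": "?sv=2020-01-01&sig=CONSTRUCTED",
}

if __name__ == "__main__":
    # In a Databricks notebook get_secret could wrap dbutils.secrets.get(scope=..., key=name).
    request = build_training_request(SAMPLE_ROW, FAKE_VAULT.__getitem__)
    if needs_training(SAMPLE_ROW):
        print(json.dumps(redacted_view(request), indent=2))
```

Only `redacted_view` output should ever reach notebook cells or pipeline logs; the full request carries the SAS token and subscription key.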


Additional Resources

Get started with deploying Form Recognizer –






“Reference cannot be resolved” error


While trying to make a WCF service to connect to Dynamics 365, I came across this error message:


Message Metadata contains a reference that cannot be resolved: 'https://dynamics.com/test.svc?wsdl&sdkversion=9'. >> StackTrace at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)




We also saw the error below during testing:


InnerException System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond


Root Cause


Dynamics 365 started requiring TLS 1.2 after version 9.x (Reference). Connections that don’t use TLS 1.2 started failing after this update.




Force WCF service to use TLS 1.2 to solve this issue:

// Requires "using System.Net;". Run once at startup, before the first outbound request.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;