Microsoft Patch Tuesday – July 2017


Microsoft’s Patch Tuesday release for July 2017 covers 54 CVEs: 19 rated “Critical”, 32 rated “Important” and 3 rated “Moderate”, with an important fix for Windows NTLM. Affected products include Edge, .NET Framework, IE, Office and Exchange. Adobe has also released a new version of Adobe Flash Player that addresses three vulnerabilities.

Across all of these vulnerabilities, security updates for software and services include:

Adobe Flash Player
Microsoft Windows
Microsoft Scripting Engine
Microsoft Edge Browser
Internet Explorer
Microsoft Office
WordPad
Kerberos
HTTP.sys
.NET Framework
HoloLens

The Microsoft Office CVEs in the July release are rated “Important” and include multiple remote code execution vulnerabilities. Windows PowerShell and WordPad are also exposed to remote code execution vulnerabilities. It is highly recommended to apply all the patches as soon as possible to avoid exploitation of these vulnerabilities.

According to the latest Qualys Guard blog post:

“Top priority for patching should go to CVE-2017-8589, which is a vulnerability in the Windows Search service. This vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. The issue affects Windows Server 2016, 2012, 2008 R2, 2008 as well as desktop systems like Windows 10, 7 and 8.1. While this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya.

Aside from CVE-2017-8589, patching for workstations and multi-user systems should focus on CVE-2017-8463, which is a vulnerability in Windows Explorer, as well as multiple browser vulnerabilities in Internet Explorer and Edge. Exploitation of these vulnerabilities requires user interaction, but can easily become targets for Exploit Kits.”

Critical CVEs

July Flash Security Update
ADV170009
Remote Code Execution

Windows Explorer Remote Code Execution Vulnerability
CVE-2017-8463
Remote Code Execution

HoloLens Remote Code Execution Vulnerability
CVE-2017-8584
Remote Code Execution

Windows Search Remote Code Execution Vulnerability
CVE-2017-8589
Remote Code Execution

Internet Explorer Memory Corruption Vulnerability
CVE-2017-8594
Remote Code Execution

Scripting Engine Memory Corruption Vulnerability
CVE-2017-8595
Remote Code Execution

Microsoft Edge Memory Corruption Vulnerability
CVE-2017-8596
Remote Code Execution

Microsoft Edge Remote Code Execution Vulnerability
CVE-2017-8617
Remote Code Execution

Scripting Engine Memory Corruption Vulnerability
CVE-2017-8598, CVE-2017-8601, CVE-2017-8603, CVE-2017-8604, CVE-2017-8605, CVE-2017-8606, CVE-2017-8607, CVE-2017-8608, CVE-2017-8609, CVE-2017-8610, CVE-2017-8618, CVE-2017-8619
Remote Code Execution

Important CVEs

Microsoft Office Remote Code Execution Vulnerability
CVE-2017-0243
Remote Code Execution

Win32k Elevation of Privilege Vulnerability
CVE-2017-8467
Elevation of Privilege

Win32k Information Disclosure Vulnerability
CVE-2017-8486
Information Disclosure

Kerberos SNAME Security Feature Bypass Vulnerability
CVE-2017-8495
Security Feature Bypass

Microsoft Office Memory Corruption Vulnerability
CVE-2017-8501, CVE-2017-8502
Remote Code Execution

Microsoft Graphics Component Elevation of Privilege Vulnerability
CVE-2017-8556
Elevation of Privilege

Windows System Information Console Information Disclosure Vulnerability
CVE-2017-8557
Information Disclosure

Microsoft Exchange Cross-Site Scripting Vulnerability
CVE-2017-8559, CVE-2017-8560
Elevation of Privilege

Windows Kernel Elevation of Privilege Vulnerability
CVE-2017-8561
Elevation of Privilege

Windows ALPC Elevation of Privilege Vulnerability
CVE-2017-8562
Elevation of Privilege

Windows Elevation of Privilege Vulnerability
CVE-2017-8563
Elevation of Privilege

Windows Kernel Information Disclosure Vulnerability
CVE-2017-8564
Information Disclosure

Windows PowerShell Remote Code Execution Vulnerability
CVE-2017-8565
Remote Code Execution

Windows IME Elevation of Privilege Vulnerability
CVE-2017-8566
Elevation of Privilege

SharePoint Server XSS Vulnerability
CVE-2017-8569
Elevation of Privilege

Office Remote Code Execution Vulnerability
CVE-2017-8570
Remote Code Execution

Microsoft Graphics Component Elevation of Privilege Vulnerability
CVE-2017-8573, CVE-2017-8574
Elevation of Privilege

Win32k Elevation of Privilege Vulnerability
CVE-2017-8577, CVE-2017-8578, CVE-2017-8580, CVE-2017-8581
Elevation of Privilege

Https.sys Information Disclosure Vulnerability
CVE-2017-8582
Information Disclosure

.NET Denial of Service Vulnerability
CVE-2017-8585
Denial of Service

Windows Explorer Denial of Service Vulnerability
CVE-2017-8587
Denial of Service

WordPad Remote Code Execution Vulnerability
CVE-2017-8588
Remote Code Execution

Windows CLFS Elevation of Privilege Vulnerability
CVE-2017-8590
Elevation of Privilege

Microsoft Browser Security Feature Bypass
CVE-2017-8592
Security Feature Bypass

Microsoft Edge Security Feature Bypass Vulnerability
CVE-2017-8599
Security Feature Bypass

Microsoft Browser Spoofing Vulnerability
CVE-2017-8602
Spoofing

Moderate CVEs

Windows Performance Monitor Information Disclosure Vulnerability
CVE-2017-0170
Information Disclosure

Microsoft Edge Spoofing Vulnerability
CVE-2017-8611
Spoofing

Microsoft Exchange Open Redirect Vulnerability
CVE-2017-8621
Spoofing

For the complete list of software impacted by the July 2017 Patch Tuesday, download the Excel sheet: Security Update – JULY-2017

Known Issues: As we are all aware, Microsoft Patch Tuesday – June 2017 addressed many issues with Internet Explorer and Office Outlook.

Currently, we have not come across any major issues, but we have one open issue with Internet Explorer on the Windows 7 x32 OS version: after installing KB4025252, IE is not able to start 😦

Reference: https://support.microsoft.com/en-us/help/4025252/cumulative-security-update-for-internet-explorer-july-11-2017

For more updates and known issues with MS Patch Tuesday – July 2017, please stay tuned to my blog, and feel free to add known issues in the comment section.

Thanks for reading 🙂

How to keep Personal Computer Secure from malware attack using Secunia Personal Software Inspector 3.0

It is very important to keep the applications and software on our personal computers up to date; otherwise they are more prone to vulnerabilities and malware attacks. Recently we have been hearing a lot about the “Wanna Cry” ransomware attack and its global impact. Personal computer users may be wondering how to make their computers less prone to these attacks, because we simply cannot rely on a firewall and antivirus to guard our systems against all these vulnerabilities.

Application and OS vendors are constantly discovering security holes and releasing patches to fix them, but it’s not very easy for the user to install and update them. That’s why we need a tool to make the task easy.

How do PC users keep their applications current with the security updates that protect them from exploitation by hackers? Through automation or a tool, right 🙂

I have come across a tool, “Secunia Personal Software Inspector (PSI)” from Flexera, a free security tool and quite a decent solution that identifies vulnerabilities in the applications and programs installed on your personal computer, where your antivirus solution could not be effective. It identifies programs and applications in need of security updates to safeguard your PC against cybercriminals; it analyzes your computer and suggests the necessary security updates and the latest stable version as well.

Personal Software Inspector is a security scanner that identifies programs that are insecure and need updates. It automates updating programs and applications, which makes it a lot easier to keep your system secure. It automatically detects insecure applications and programs, downloads the required patches and installs them without user interaction. If some updates require user interaction, PSI detects this and shows a notification when program updates are available. We just need a few clicks on the appropriate icon in the results window to install the latest patches.

Personal Software Inspector (PSI) Features: 

  • Automatic updates of programs

The solution provides an auto-update mechanism to patch approximately 75 programs and applications.

  • Available in 8 languages

English, French, German, Spanish, Arabic, Danish, Norwegian and Dutch.

  • Covers programs from thousands of vendors

Includes 20000+ programs and applications – more non-Microsoft programs than any other vendor in the market.

  • Integration for development.
  • Comprehensive Management Features

Automatically detects insecure programs, downloads the required patches and installs them without user interaction. An average personal computer with around 75 programs and applications is covered.

  • Reports Security Status for Each Program

Reports programs and applications that can be automatically updated with the latest patch, and shows appropriate icons in the results window when user interaction is required.

  • Detects End-of-life Programs

Detects and reports End-of-Life programs and plug-ins. End-of-Life (EOL) programs are no longer supported by the vendor. Programs and applications that are EOL no longer receive security updates and are treated as insecure; we should remove them immediately to keep our PC secure.

Download and install the latest version of PSI 3.0!

Microsoft & Non-Microsoft Patch Tuesday – May 2017


Microsoft’s Patch Tuesday release for May 2017 has 56 CVEs: 15 rated “Critical”, 40 rated “Important” and one rated “Moderate”. These updates affect software and services such as Internet Explorer, Microsoft Edge Browser, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, .NET Framework and Adobe Flash Player.

Summary :

  • No more Windows Vista patches.
  • These are the last few updates for the Windows 10 RTM release; Microsoft won’t support it with any more updates from here on.
  • Updates were released for all supported client and server versions of Windows.
  • Other Microsoft products with patches are Internet Explorer, Microsoft Edge, Microsoft Office, the Microsoft .NET Framework, and Adobe Flash Player.

Microsoft also published Security Advisory 4010323, which says they will now deprecate SHA-1 for SSL/TLS certificates: IE11 and Edge Browser will no longer load sites with such certificates. You should upgrade from SHA-1 to SHA-2 to avoid warning messages and retain full functionality.

Microsoft Update: This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates.
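The scope rule in the Microsoft update above, turned into an audit of a server's own certificates (an added example, not from the original post or from Microsoft). `Get-Sha1ChainReport` is a hypothetical helper name, and treating presence in the `AuthRoot` store as membership of the Microsoft Trusted Root Program is an assumption.

```powershell
# Added example: flags certificates in LocalMachine\My that fall under the
# SHA-1 deprecation scope: a SHA-1 end-entity or issuing intermediate that
# chains to a public root. Self-signed and enterprise chains are reported
# but not marked in scope.
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',   # sha1WithRSAEncryption
    '1.2.840.10045.4.1',      # ecdsa-with-SHA1
    '1.2.840.10040.4.3'       # dsa-with-SHA1
)

function Get-Sha1ChainReport {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Only signature algorithms matter here, so skip revocation lookups.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($Certificate)

        # Element 0 is the end-entity; the last element is the root when the chain is complete.
        $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        if ($certs.Count -eq 0) { $certs = @($Certificate) }

        $leaf       = $certs[0]
        $last       = $certs[$certs.Count - 1]
        $selfSigned = ($leaf.Subject -eq $leaf.Issuer)

        # The issuing intermediate is element 1, unless element 1 is already the root.
        $intermediate = $null
        if ($certs.Count -gt 2) { $intermediate = $certs[1] }

        # Assumption: a root found in AuthRoot ("Third-Party Root Certification
        # Authorities") approximates a Microsoft Trusted Root Program root;
        # enterprise roots normally live only in the Root store.
        $chainComplete = ($last.Subject -eq $last.Issuer)
        $programRoot   = $chainComplete -and
                         (Test-Path "Cert:\LocalMachine\AuthRoot\$($last.Thumbprint)")

        $leafSha1  = $Sha1SignatureOids -contains $leaf.SignatureAlgorithm.Value
        $interSha1 = $false
        $interAlg  = 'n/a'
        if ($null -ne $intermediate) {
            $interSha1 = $Sha1SignatureOids -contains $intermediate.SignatureAlgorithm.Value
            $interAlg  = $intermediate.SignatureAlgorithm.FriendlyName
        }

        [pscustomobject]@{
            Subject         = $leaf.Subject
            Thumbprint      = $leaf.Thumbprint
            NotAfter        = $leaf.NotAfter
            LeafAlgorithm   = $leaf.SignatureAlgorithm.FriendlyName
            IssuerAlgorithm = $interAlg
            SelfSigned      = $selfSigned
            ProgramRoot     = $programRoot
            InScope         = ($leafSha1 -or $interSha1) -and (-not $selfSigned) -and $programRoot
        }
    }
}

# Audit the machine's personal store and list in-scope certificates first.
Get-ChildItem Cert:\LocalMachine\My |
    Get-Sha1ChainReport |
    Sort-Object InScope -Descending |
    Format-Table Subject, LeafAlgorithm, IssuerAlgorithm, ProgramRoot, InScope -AutoSize
```

Certificates reported with `InScope = True` are the ones to reissue with a SHA-2 signature first.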

Security Update List

Cumulative Update for Windows 10 Version 1703 (KB4016871)
Cumulative Update for Windows 10 Version 1607 and Windows Server 2016 (KB4019472)
Cumulative Update for Windows 10 Version 1511 (KB4019473)
Cumulative Update for Windows 10 (KB4019474)
Security Update for Windows Server 2008 (KB4018196)
Cumulative Security Update for Internet Explorer (KB4018271)
Security Update for Windows Server 2008 and Windows XP Embedded (KB4018466)
Security Update for WES09 and POSReady 2009 (KB4018490)
Security Update for Windows Server 2008 and Windows XP Embedded (KB4018556)
Security Update for Windows Server 2008 (KB4018821)
Security Update for Windows Server 2008 (KB4018885)
Security Update for Windows Server 2008 (KB4018927)
May 2017 Security Only Update for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019108)
May 2017 Security Only Update for .NET Framework 2.0 on Windows Server 2008 (KB4019109)
May 2017 Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1 on Windows Embedded 8 Standard and Windows Server 2012 (KB4019110)
May 2017 Security Only Update for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 8.1 and Windows Server 2012 R2 (KB4019111)
May 2017 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019112)
May 2017 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows Embedded 8 Standard and Windows Server 2012 (KB4019113)
May 2017 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB4019114)
May 2017 Security and Quality Rollup for .NET Framework 2.0 on Windows Server 2008 (KB4019115)
Security Update for Windows Server 2008 (KB4019149)
Security Update for Windows Server 2008 and Windows XP Embedded (KB4019204)
Security Update for WES09 and POSReady 2009 and Windows Server 2008 (KB4019206)
2017-05 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2 (KB4019213)
2017-05 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012 (KB4019214)
2017-05 Security Monthly Quality Rollup for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB4019215)
2017-05 Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012 (KB4019216)
2017-05 Security Only Quality Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019263)
2017-05 Security Monthly Quality Rollup for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4019264)
2017-05 Security Update for Adobe Flash Player for Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8 Standard, and Windows Server 2012 (KB4020821)

Non-Security Update List:

Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB3173424)
Dynamic Update for Windows 10 Version 1703 (KB4020007)
Update for Windows 10 Version 1703 (KB4020008)
Update for Windows Server 2008 and Windows XP Embedded (KB4020535)
Windows Malicious Software Removal Tool – May 2017 (KB890830)

Adobe Patches:

Adobe has released a small batch of 2 updates. The critical update for Flash fixes 7 CVEs (CVE-2017-3068, CVE-2017-3069, CVE-2017-3070, CVE-2017-3071, CVE-2017-3072, CVE-2017-3073, CVE-2017-3074) and is listed as priority 1 and under active attack. It is highly recommended to apply all the updates as soon as possible. The other update is a security update for Adobe Experience Manager (AEM), which has not been reported as under active attack so far.

Intel Patches:

The processor giant has recently released a few updates. There are two ways this vulnerability may be accessed.

1) An unprivileged network attacker could gain system privileges to provisioned Intel manageability.
2) An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability.

CVE-2017-5689, rated Critical, is an elevation of privilege vulnerability in the AMT portion of the chipset. AMT lets client systems be managed through a web interface. When AMT is enabled in the BIOS but not provisioned, it cannot be connected to either remotely or locally, and ports 16992-16995 will not be listening. If you have enabled or are using AMT, your system might be vulnerable.

“Once configured, Intel AMT is a network service awaiting an authenticated and authorized request”. Traffic on ports 16992-16995 is directly intercepted by Intel AMT within the chipset before being passed to the host operating system… once Intel AMT is in a configured and accessible state.

Why Must Intel AMT Be Configured, and What is Required?

For more details visit here

Download Excel sheet: Security Update – MAY-2017

Intel Firmware Vulnerability

Intel has released recommendations to address a vulnerability in the firmware of the following Intel products: Active Management Technology, Standard Manageability, and Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6. This vulnerability does not affect Intel-based consumer PCs. An attacker could exploit this vulnerability to take control of an affected system.

Users and administrators are encouraged to review Intel Security Advisory INTEL-SA-00075 and updated mitigations and tools:

Users and administrators are encouraged to review Vulnerability Note VU#491375 and the Intel links below and refer to their original equipment manufacturers (OEMs) for mitigation strategies and updated firmware.

Note: INTEL-SA-00075 Detection Guide, Detection Tool, Intel mitigation document

References: 

https://www.us-cert.gov/ncas/current-activity/2017/05/07/Intel-Firmware-Vulnerability

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

https://www.kb.cert.org/vuls/id/491375

 

Forgot Local Admin Password and Unable to login with Domain Account

Problem Statement: Suppose you have a Windows server that is very critical and has loads of critical applications running, but unfortunately the server is not able to communicate with Active Directory and you are not able to log in to the server with a domain account.

And here comes the real fun: a rogue employee set a non-standard administrator password that you do not know, and he is no longer with your organization.

How to solve this issue?

Solution :

1) We require the Windows Server 2012 R2 boot disc (or an ISO file for the virtual environment). Select the language and click next.

2) Click the option “Repair your computer”.

3) Select Troubleshoot -> Advanced Options -> Command Prompt

4) We will now take a backup of the Utility Manager executable. At the command prompt, enter the command:

move d:\windows\system32\utilman.exe d:\windows\system32\utilman.exe.bak

OR, from within d:\windows\system32:

ren utilman.exe utilman.exe.bak

Note: The Windows installation is now located on the D: drive, so we change the current drive to D: instead of C:

5) Copy cmd.exe and rename it to utilman.exe.

copy d:\windows\system32\cmd.exe d:\windows\system32\utilman.exe

6) Remove the boot media and reboot the server.

wpeutil reboot

7) Once the server is up and running, click on the Utility Manager icon.

8) The command prompt will open, and we now enter the command below to reset the administrator password.

net user administrator *

9) Once the password is reset, close the command prompt and reboot the server. Now try to log in with the new administrator password; it should allow you to log in.

10) Now we can troubleshoot why the server is not able to communicate with the domain controller and won’t allow access from a domain account.

11) Once all is set, we should restore utilman.exe. We again boot the server from the setup media, follow steps 1-5 and then enter:

move /y d:\windows\system32\utilman.exe.bak d:\windows\system32\utilman.exe

12) Remove the boot media and reboot the server.

wpeutil reboot
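A check to run after step 12, as an added example that is not part of the original post: it confirms that utilman.exe is the genuine Utility Manager again and that no backup copy was left behind, which is also how this swap shows up in a system audit. `Test-UtilmanIntegrity` and its `-WindowsRoot` parameter are hypothetical names chosen for this example.

```powershell
# Added example: verifies the restore from step 11 on the running system or
# on an offline Windows volume.
function Test-UtilmanIntegrity {
    param(
        # Windows directory to inspect; defaults to the running installation.
        [string]$WindowsRoot = $env:SystemRoot
    )

    $sys32   = Join-Path $WindowsRoot 'System32'
    $utilman = Join-Path $sys32 'utilman.exe'
    $cmd     = Join-Path $sys32 'cmd.exe'
    $backup  = Join-Path $sys32 'utilman.exe.bak'   # backup name used in step 4

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $utilman)) {
        $findings.Add('utilman.exe is missing')
    }
    elseif (Test-Path -LiteralPath $cmd) {
        # Exact copy of the current cmd.exe, as produced by step 5.
        $uHash = (Get-FileHash -LiteralPath $utilman -Algorithm SHA256).Hash
        $cHash = (Get-FileHash -LiteralPath $cmd -Algorithm SHA256).Hash
        if ($uHash -eq $cHash) {
            $findings.Add('utilman.exe is byte-identical to cmd.exe')
        }

        # A cmd.exe copied before a later patch has a different hash but keeps
        # cmd.exe's version resource. Strip a trailing ".MUI", which Windows may
        # append when the resource is read from the language file.
        $uName = (Get-Item -LiteralPath $utilman).VersionInfo.OriginalFilename -replace '\.mui$', ''
        $cName = (Get-Item -LiteralPath $cmd).VersionInfo.OriginalFilename -replace '\.mui$', ''
        if ($uName -and $cName -and ($uName -eq $cName)) {
            $findings.Add("utilman.exe carries the version resource of cmd.exe ($uName)")
        }
    }

    if (Test-Path -LiteralPath $backup) {
        $findings.Add('utilman.exe.bak still exists: the restore in step 11 was not completed')
    }

    [pscustomobject]@{
        WindowsRoot = $WindowsRoot
        Clean       = ($findings.Count -eq 0)
        Findings    = $findings.ToArray()
    }
}

Test-UtilmanIntegrity | Format-List
```

For a Windows volume mounted offline as D:, call `Test-UtilmanIntegrity -WindowsRoot D:\Windows`.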

Internet Information Services (IIS) 6.0 Vulnerability for Windows Server 2003

US-CERT is aware of active exploitation of a vulnerability in Windows Server 2003 Operating System Internet Information Services (IIS) 6.0. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

On June 15, 2015, Microsoft ended support for Windows Server 2003 Operating System, which includes its Internet Information Services (IIS) 6.0 web server. Computers running Windows Server 2003 Operating System and its associated programs will continue to work even after support ends. However, using unsupported software may increase the risks of viruses and other security threats.

US-CERT encourages users and administrators to review the National Vulnerability Database entry on this vulnerability, as well as US-CERT Alert TA14-310A.

For more details click here CVE-2017-7269.

Reference:  https://www.us-cert.gov/ncas/current-activity/2017/03/30/Internet-Information-Services-IIS-60-Vulnerability

Now Available: Update 1702 for System Center Configuration Manager

On March 26, Microsoft announced the release of SCCM version 1702 for Current Branch (CB), which includes some great new features and product enhancements. If your SCCM environment is running version 1606 or 1610, the new update will be available in-console and you can upgrade directly to SCCM CB 1702. If for some reason it is not visible in your SCCM console, please find the PowerShell script here to ensure that you are in the first wave of customers to get the update.

SCCM 1702 updates include many new features and enhancement in Windows 10 management and new functionality using Configuration Manager connected with Microsoft Intune. Let’s discuss a few of the enhancement below:

  • Support for Windows 10 Creators Update – This version of Configuration Manager now supports the release of upcoming Windows 10 Creators Update. You can upgrade Windows 10 ADK to the latest version for full OS imaging support.
  • Express files support for Windows 10 Cumulative Update – Configuration Manager now supports Windows 10 Cumulative Update using Express files.
  • Deploy Office 365 apps to clients – Beginning in version 1702, from Office 365 Client Management dashboard, you can start the Office 365 Installer that lets you configure Office 365 installation settings, download files from Office Content Delivery Networks (CDNs), and deploy the files as an application in Configuration Manager.
  • Customize high-risk deployment warning – You can now customize the Software Center warning when running a high-risk deployment, such as a task sequence to install a new operating system.
  • Close executable files at the deadline when they would block application installation – If executable files are listed on the Install Behavior tab for a deployment type and the application is deployed to a collection as required, then a more intrusive notification experience is provided to inform the user, and the specified executable files will be closed automatically at the deadline.
  • Conditional access for PCs managed by System Center Configuration Manager – Now production ready in update 1702, with conditional access for PCs managed by Configuration Manager, you can restrict access to various applications (including but not limited to Exchange Online and SharePoint online) to PCs that are compliant with the compliance policies you set.

A few enhancements are included for Configuration Manager connected with Microsoft Intune.

  • Android for Work support – You can now enroll devices, approve and deploy apps, and configure policies for devices with Android for Work.
  • Lookout threat details – You can view threat details as reported by Lookout on a device.
  • Apple Volume Purchase Program (VPP) enhancements – You can now request a policy sync on an enrolled mobile device from the Configuration Manager console.
  • Additional iOS configuration settings – We added support for 42 iOS device settings for configuration items.

Microsoft has dropped support for the following products with the new release of SCCM 1702.

  • SQL Server 2008 R2, for site database servers. This version of SQL Server remains supported when you use a Configuration Manager version prior to version 1702.
  • Windows Server 2008 R2, for site system servers and most site system roles. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.
  • Windows Server 2008, for site system servers and most site system roles.
  • Windows XP Embedded, as a client operating system. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.

Microsoft has made the following improvements to in-console search:

  • Object Path:
    Many objects now support a column named Object Path. When you search and include this column in your display results, you can view the path to each object. For example, if you run a search for apps in the Applications node and are also searching sub-nodes, the Object Path column in the results pane will show you the path to each object that is returned.
  • Preservation of search text:
    When you enter text into the search text box, and then switch between searching a sub-node and the current node, the text that you typed will now persist and remain available for a new search without having to re-enter it.
  • Preservation of your decision to search sub-nodes:
    The option that you choose for searching the current node or all sub-nodes now persists when you change the node you are working in. This new behavior means that you do not need to constantly reset this decision as you move around the console. By default, when you open the console the option is to search only the current node.

Send feedback from the Configuration Manager console

You can use the in-console feedback options to send feedback directly to the development team. You can find the Feedback option:

  • In the ribbon, at the far left of the Home tab of each node.
  • When you right-click on any object in the console.

Choosing Feedback opens your browser to the Configuration Manager UserVoice feedback website.

Peer Cache improvements

Beginning with version 1702, a peer cache source computer will reject a request for content when the peer cache source computer meets any of the following conditions:

  • Is in low battery mode.
  • CPU load exceeds 80% at the time the content is requested.
  • Disk I/O has an AvgDiskQueueLength that exceeds 10.
  • There are no more available connections to the computer.

Additionally, three new reports are added to your reporting point. You can use these reports to understand more details about rejected content requests, including which boundary group, computer, and content was involved.

Content library cleanup tool

Use the content library cleanup tool to remove content from distribution points when that content is no longer associated with an application.

Software update points are added to boundary groups

Beginning with version 1702, clients use boundary groups to find a new software update point, and to fall-back and find a new software update point if their current one is no longer accessible. You can add individual software update points to different boundary groups to control which servers a client can find. For more information, see software update points in the configuring boundary groups topic.

Windows 10 ADK tracked by build version

The Windows 10 ADK is now tracked by build version to ensure a more supported experience when customizing Windows 10 boot images. For example, if the site uses the Windows ADK for Windows 10, version 1607, only boot images with version 10.0.14393 can be customized in the console. For details about customizing WinPE versions, see Customize boot images.

Default boot image source path can no longer be changed

Default boot images are managed by Configuration Manager and the default boot image source path can no longer be changed in the Configuration Manager console or by using the Configuration Manager SDK. You can continue to configure a custom source path for custom boot images.

Deploy Office 365 apps to clients

Beginning in version 1702, from the Office 365 Client Management dashboard, you can start the Office 365 Installer that lets you configure Office 365 installation settings, download files from Office Content Delivery Networks (CDNs), and deploy the files as an application in Configuration Manager.

Android for Work support

Starting with 1702, Hybrid mobile device management with Microsoft Intune now supports Android for Work device enrollment and management.

Improvements to certificate profiles

You can now create a PFX certificate profile that supports S/MIME and deploy it to users. The certificate can then be used for S/MIME encryption and signing on all iOS devices that the user has enrolled. Additionally, you can now specify multiple certification authorities (CAs) on multiple Certificate registration point site system roles and then assign which CAs process requests as part of the certificate profile.

Please find the complete doc here.