NTLM connection fallback update for Microsoft Endpoint Configuration Manager
Applies to: Configuration Manager (current branch, versions 2103, 2107, 2111, 2203, 2207)
Summary of KB15498768
Disabling the Allow connection fallback to NTLM option in Client Push Installation Properties is not honored under either of the following conditions:
- If there are Kerberos authentication failures the client push account will attempt an NTLM connection instead.
- The site server computer account will attempt a connection using NTLM if Kerberos authentication fails for all defined client push installation accounts.
This update prevents any attempt at NTLM authentication for client push installation when the Allow connection fallback to NTLM option is disabled.
Installation of this update resolves the following security issue:
Beginning with Configuration Manager current branch, version 2207, the Allow connection fallback to NTLM option is disabled by default on new site installations.
It is recommended to disable this option in existing environments, where possible, to increase security.
Refer to the following documents for more detail on client and NTLM security:
- Security and privacy for Configuration Manager clients
- KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Environments using versions of Configuration Manager current branch prior to 2103 are encouraged to update to a later supported version. Administrators can also disable use of automatic and manual client push installation methods to remove the risk of exposure to this issue. For more information, see Support for Configuration Manager current branch versions.
Update information for Microsoft Endpoint Configuration Manager, versions 2103-2207
An update to resolve this issue is available in the Updates and Servicing node of the Configuration Manager console for environments that have versions 2103-2207 installed.
Update replacement information
This update does not replace any previously released updates.
For Configuration Manager versions 2107 and later, this update does not require a computer restart or a site reset after installation.
Configuration Manager version 2103 will require a site reset after update installation.
Additional installation information
After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.
No major components are updated with this release.
File information is available in the following version-specific file lists (KB15498768_FileList.txt):
- Configuration Manager 2103
- Configuration Manager 2107
- Configuration Manager 2111
- Configuration Manager 2203
- Configuration Manager 2207
- September 20, 2022: Initial hotfix release
Submit and view feedback for