Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: Configuration Manager (current branch, version 2403)
Summary of KB26186448
Release version 2403 of Configuration Manager current branch contains fixes and feature improvements. The "Issues that are fixed" list isn't inclusive of all changes. Instead, it highlights changes the product development team believes are most relevant to the broad Configuration Manager customer base. These changes were made in response to direct customer feedback about product issues and improvements.
Notes
Version 2403 is available as an in-console update that can be installed at the top-tier site in a hierarchy.
The globally available version of 2403, released on May 6, 2024, also applies to environments that have the early update ring or Technology Adoption Program (TAP) builds.
For installation information, see Checklist for installing update 2403 for Configuration Manager.
For more information about the changes that are included in version 2403, see What's new in version 2403 of Configuration Manager current branch.
This release contains all of the fixes summarized in the following article.
KB 25858444: Update rollup for Microsoft Endpoint Configuration Manager current branch, version 2309
Known issue in this release
May 13, 2024
An updated version of the Microsoft Security Client Policy Configuration Tool, ConfigSecurityPolicy.exe, is available to resolve the Endpoint Protection policy issue described in this note.
The updated tool, version 4.18.24040.4, is distributed with the April 2024 monthly Microsoft Defender platform update. At the time of this writing, the platform update is in the process of global distribution, and should be broadly available in all regions by May 17, 2024. Once the platform update is installed on affected clients, Endpoint Protection policies are reapplied from Intune within 8 hours. The "Manage Endpoint Protection client on client computers" setting in Configuration Manager can be changed back to "Yes" as required.
Additional references
- Monthly platform and engine versions
- Microsoft Defender update for Windows operating system installation images.
- Sync devices to get the latest policies and actions with Intune
Symptoms
Microsoft Defender security configurations are no longer managed with Microsoft Intune after updating to Configuration Manager version 2403, or installing the Update Rollup for 2309.
The symptom is seen as a drop in the Microsoft Security Score values when viewed in Intune. This issue happens because security policy configuration data is incorrectly removed from clients after Configuration Manager clients are upgraded.
The drop in security scores for clients happens under the following conditions:
- The Configuration Manager clients are co-managed with Microsoft Intune.
- The Device Configuration -> Endpoint Protection workload is actively managed in Intune. For more information, see How to switch workloads.
- The Manage Endpoint Protection client on client computers value is set to Yes in client settings. For more information, see To enable Endpoint Protection and configure custom client settings.
Issues that are fixed
- The 256-bit AES block encryption algorithm (CALG_AES_256) and Elliptic curve Diffie-Hellman key exchange algorithm (CALG_ECDH) are supported starting with this release. The 128-bit AES block encryption (CALG_AES_128) and RSA public key exchange algorithm (CALG_RSA_KEYX) are removed. These changes improve support for environments using the Federal Information Processing Standard (FIPS).
- Content download can fail to resume on a client if the source is a peer computer, and that peer is offline or the download isn't completed within 24 hours.
- Redundant storage checks are removed from the package transfer manager component, which increases the efficiency of transferring content to a cloud management gateway.
- A task sequence now retries if the following error message is encountered in the smsts.log file.
Failed to create an instance of COM progress UI object. Error code 0x8000401a
- The wildcards "?" and "*" are now accepted in the Defender Exploit Guard policy for Controlled Folders.
- The Configuration Manager prerequisite checker incorrectly records the following warning in the ConfigMgrPrereq.log file when co-management isn't configured.
Warning: Co-mgmt slider is not pointed to Intune
- The Enable BitLocker step of an operating system deployment task sequence is now more resilient when verifying the presence of an escrow key. The changes reduce the chance of failure in the task sequence.
- The link "Select the restart experience to be shown to end users" now points to the correct location in the Computer Restart section of the default client settings properties window.
- Content distribution to a cloud management gateway fails when FIPS is enabled on Windows Server 2019. Errors similar to the following are recorded in the Cloudmgr.log file.
ERROR: Exception occured for service cmg : System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
- Multiple accessibility improvements are made to Software Center.
- The Save-CMSoftwareUpdate PowerShell cmdlet doesn't download languages unless they're explicitly selected in the properties of the Software Update Point. This issue affects environments using scripts for downloading update content.
- A task sequence fails if the Install Dynamic Software action is used for multiple packages, and the source version of one of those packages changes while the task sequence is running.
- The Set-CMScript PowerShell cmdlet fails with the "Invalid input argument (ScriptName)" error message, even when a name is provided.
- Enabling the "Stop managing updates" custom client setting doesn't remove the local policy for managing WSUS settings.
- The cloud management gateway provisioning process fails if FIPS policy is enabled for the service connection point.
- Application icons aren't appearing consistently in Software Center for available apps.
- State message processing stored procedures are updated to prevent a flood of client state messages from filling the site server database.
- The Configuration Manager prerequisite checker fails on a primary or secondary site server if a local named instance of SQL server is used with a custom port.
Issues that are fixed in the globally available release
- Searching for software updates can cause the Configuration Manager console to terminate unexpectedly on Windows Server 2022.