Release notes for Configuration Manager

Applies to: Configuration Manager (current branch)

With Configuration Manager, product release notes are limited to urgent issues. These issues aren't yet fixed in the product, or detailed in a troubleshooting article.

Feature-specific documentation includes information about known issues that affect core scenarios.

This article contains release notes for the current branch of Configuration Manager. For information on the technical preview branch, see Technical Preview.

For information about the new features introduced with different versions, see the following articles:


You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Endpoint Protection

Security configurations removed from Intune

Applies to: version 2309 with KB25858444 and later

Microsoft Defender security configurations are no longer managed with Microsoft Intune after updating to Configuration Manager version 2403, or installing the Update Rollup for 2309.

The symptom is seen as a drop in the Microsoft Security Score values when viewed in Intune. This issue happens because security policy configuration data is incorrectly removed from clients after Configuration Manager clients are upgraded.

An updated version of the Microsoft Security Client Policy Configuration Tool, ConfigSecurityPolicy.exe, is available to resolve the Endpoint Protection policy issue described in this note.

The updated tool, version 4.18.24040.4, is distributed with the April 2024 monthly Microsoft Defender platform update. At the time of this writing, the platform update is in the process of global distribution, and should be broadly available in all regions by May 17, 2024.
Once the platform update is installed on affected clients, Endpoint Protection policies are reapplied from Intune within 8 hours. The "Manage Endpoint Protection client on client computers" setting in Configuration Manager can be changed back to "Yes" as required.
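
A per-client check for the updated tool version described above, as an added example that is not part of the original release note or of Microsoft's tooling. The two file locations and the exit codes are assumptions; adjust the paths if the Defender platform is installed elsewhere.

```powershell
# Added example: report whether this client has the updated ConfigSecurityPolicy.exe.
$fixedVersion = [version]'4.18.24040.4'   # tool version given in this release note

# Assumed locations: the in-box copy and the per-version Defender platform folders.
$candidates = @(
    "$env:ProgramFiles\Windows Defender\ConfigSecurityPolicy.exe"
    "$env:ProgramData\Microsoft\Windows Defender\Platform\*\ConfigSecurityPolicy.exe"
)

$found = @(Get-Item -Path $candidates -ErrorAction SilentlyContinue | ForEach-Object {
    $vi = $_.VersionInfo
    # Use the numeric parts; the FileVersion string can carry extra text.
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                          $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{ Version = $ver; Fixed = ($ver -ge $fixedVersion); Path = $_.FullName }
} | Sort-Object Version -Descending)

if ($found.Count -eq 0) {
    Write-Warning 'ConfigSecurityPolicy.exe was not found in the assumed locations.'
    exit 2
}

$found | Format-Table -AutoSize | Out-String | Write-Output

# The newest copy is the one delivered by the latest installed platform update.
if ($found[0].Fixed) {
    Write-Output "Updated tool present ($($found[0].Version))."
    exit 0
}
Write-Output "Tool is older than $fixedVersion; the platform update is not installed yet."
exit 1
```

Clients that exit with 1 have not yet received the platform update, so their Endpoint Protection policies have not been reapplied from Intune.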

Additional references

Set up and upgrade

Version 2107 update fails to download

Applies to: version 2107 and later

The update for Configuration Manager version 2107 is available to download, but it fails to download. The dmpdownloader.log on the service connection point has entries similar to the following:

Download large file with BITs
WARNING: EasySetupDownloadSinglePackage Failed with exception: The remote name could not be resolved: ''
WARNING: Retry in the next polling cycle

This failure happens because the service connection point can't communicate with the required internet endpoint. Confirm that the site system that hosts the service connection point role can communicate with this internet endpoint. It was already required, but its use is expanded in version 2107. The site system can't download version 2107 or later unless your network allows traffic to this URL.

For more information, see internet access requirements for the service connection point.
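
One way to confirm this failure from the log and retest name resolution, as an added example that is not part of the original release note or of the product. The `$LogPath` parameter is hypothetical, and the host names are read from the log itself rather than assumed.

```powershell
param(
    # Hypothetical parameter: path to dmpdownloader.log on the service connection point.
    [Parameter(Mandatory)] [string] $LogPath
)

# Signature from the log excerpt above; the capture group is the host name in quotes.
$pattern = "EasySetupDownloadSinglePackage Failed with exception: " +
           "The remote name could not be resolved: '([^']*)'"

$hits = @(Select-String -Path $LogPath -Pattern $pattern)
if ($hits.Count -eq 0) {
    Write-Output 'No name-resolution download failures in this log.'
    return
}
Write-Output "$($hits.Count) failed download attempt(s) caused by name resolution."

# Distinct, non-empty host names that the downloader could not resolve.
$hostNames = $hits | ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Where-Object { $_ } | Sort-Object -Unique

foreach ($name in $hostNames) {
    try {
        # Resolves with this machine's DNS settings, so run it on the site system itself.
        $addresses = [System.Net.Dns]::GetHostAddresses($name)
        Write-Output "$name now resolves to $($addresses -join ', ')"
    } catch {
        Write-Output "$name still does not resolve: $($_.Exception.Message)"
    }
}
```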

Software updates

Reset default value of superseding age in months for software updates

Applies to: version 2303

Removing the software update point (SUP) role in the Admin Console doesn't reset the superseding age property in WMI. As a result, when you reconfigure the role, the previously configured value is shown in the configuration window. This property needs to be reset to its default value when the role is removed. For more information, see supersedence rules for installing a software update point.

Security roles are missing for phased deployments

The OS Deployment Manager built-in security role has permissions to phased deployments. The following roles are missing these permissions:

  • Application Administrator
  • Application Deployment Manager
  • Software Update Manager

The App Author role may appear to have some permissions to phased deployments, but can't create deployments.

A user with one of these roles can start the Create Phased Deployment wizard, and can see phased deployments for an application or software update. They can't complete the wizard, or make any changes to an existing deployment.

To work around this issue, create a custom security role. Copy an existing security role, and add the following permissions on the Phased Deployment object class:

  • Create
  • Delete
  • Modify
  • Read

For more information, see Create custom security roles.

Configuration Manager console

Intune RBAC for tenant attached devices

Applies to: version 2207

[Updated]: There is a checkbox for a role-based access control (RBAC) setting in the cloud attach configuration wizard in the console. By default, Configuration Manager RBAC is enforced along with Intune RBAC when you're uploading your Configuration Manager devices to the cloud service. This checkbox is selected by default.

You can now configure Intune role-based access control (RBAC) when interacting with tenant attached devices from the Microsoft Intune admin center. For more information, see Intune role-based access control for tenant-attached clients.

Unable to open console because extension installation loops

Applies to: version 2111

In certain circumstances, you'll be unable to open the console due to an extension installation loop. This issue occurs when two or more versions of a single extension were marked as required for installation. This issue occurs for extensions imported through the wizard, from a PowerShell script, or through Community hub. If you use the Make optional setting before importing a new version of the extension, this issue doesn't occur.

When you encounter this issue, it initially appears as a normal console extension installation. After the extension finishes installing, you select Close to restart the Configuration Manager console. When the console restarts, you're prompted to install the console extension again. The extension installation will continue to loop and the Configuration Manager console doesn't fully open.

To both prevent and work around this issue, run the below SQL script on your CAS database and all of your primary site databases:

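ALTER VIEW vSMS_ConsoleExtensionMetadata
AS
    WITH m AS(
       SELECT *,
       -- (the expression that defines the RN column is missing from this page)
       FROM ConsoleExtensionMetadata
    )
    SELECT
        CASE m.IsRequired 
            WHEN 0 THEN ''  
            ELSE (
                -- author of the most recent revision that changed the required flag
                SELECT top(1) author FROM ConsoleExtensionRevisionHistory h 
                WHERE m.ID=h.ExtensionId AND m.Version=h.Version AND h.Changes & 1=1 
                ORDER BY h.RevisionTime DESC 
            )
        END AS RequiredBy, 
        -- (the columns that follow RequiredBy are missing from this page)
    FROM m
    WHERE RN = 1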

Boundaries and Boundary groups

Clients not belonging to any boundary group may fail to download due to SQL issue

Applies to: version 2303, 2309 RTM

Consider a Configuration Manager hierarchy with a remote management point (MP) and a cloud management gateway (CMG), in which you deploy an app to a device collection. The clients can't download the app, and MP_Location.log shows the following SQL permissions error:

   The SELECT permission was denied on the object 'vSMS_DefaultBoundaryGroup', database 'CM_xxx', schema 'dbo'.

To work around the issue, run the following SQL script on the SQL database of the primary sites where the MP reports:

    GRANT SELECT ON vSMS_DefaultBoundaryGroup To smsdbrole_MP