Release notes for Configuration Manager

Applies to: Configuration Manager (current branch)

With Configuration Manager, product release notes are limited to urgent issues. These issues aren't yet fixed in the product, or detailed in a troubleshooting article.

Feature-specific documentation includes information about known issues that affect core scenarios.

This article contains release notes for the current branch of Configuration Manager. For information on the technical preview branch, see Technical Preview.

For information about the new features introduced with different versions, see the following articles:


You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Client management

Some policies may not apply to upgraded clients

Applies to version 2107 early update ring

When you upgrade the client from versions 2010 or 2103 to version 2107, the following policies may not apply on some devices:

  • Co-management policies on Windows 10 Enterprise multi-session devices such as Azure Virtual Desktop, and Windows 11 Insider Preview devices
  • Desktop Analytics on any Windows version
  • Windows Update for Business policies on Windows 10 x86 and ARM
  • Microsoft Edge browser profiles on Windows 10 x64 and x86


The timing of how clients apply and evaluate these policies is non-deterministic. Even if you have these policies and these supported platforms, they may not immediately experience this issue.

When you look at the Configurations tab of the Configuration Manager control panel on the client, it will be blank.

This issue is fixed in the build of version 2107 that's now generally available for all customers. If you previously opted in to the early update ring, install the Update for Microsoft Endpoint Configuration Manager version 2107, early update ring.

Set up and upgrade

Version 2107 update fails to download

Applies to: version 2107 and later

The update for Configuration Manager version 2107 is available to download, but it fails to download. The dmpdownloader.log on the service connection point has entries similar to the following:

Download large file with BITs
WARNING: EasySetupDownloadSinglePackage Failed with exception: The remote name could not be resolved: ''
WARNING: Retry in the next polling cycle

This failure happens because the service connection point can't communicate with the required internet endpoint, Confirm that the site system that hosts the service connection point role can communicate with this internet endpoint. It was already required, but its use is expanded in version 2107. The site system can't download version 2107 or later unless your network allows traffic to this URL.

For more information, see internet access requirements for the service connection point.

Management point installation or update fails because of later Visual C++ version

Applies to: version 2107 early update ring

If the site system server has a version of the Visual C++ redistributable later than 14.28.29914, Configuration Manager setup will fail to install or update the management point role.

To work around this issue, temporarily uninstall the later version of Visual C++ redistributable. When you install Configuration Manager version 2107, it will install version 14.28.29914.

OS deployment

Image servicing with Windows Server 2022

Applies to: version 2107

If you try to apply software updates to an image for Windows Server 2022, no updates display as available to install.

This issue is caused by a change to the Windows update category for Server 2022.

To resolve this issue, install the update rollup for Configuration Manager version 2107.

Task sequence and application policy issue

Applies to: version 2107 early update ring installed between August 2, 2021 and August 6, 2021

If you have all of the following conditions:

  • Task sequence A

    • Includes the Install Application step with app X
    • Deployed and made available to either type that includes Configuration Manager clients
  • Task sequence B

    • Includes the Install Application step with the same app X
    • Deployed and made available to either Only media and PXE option

After you update to version 2107, if you make any change to app X, then task sequence A will fail to run on clients that receive the deployment policy after the site update. The Configuration Manager client can't get all of the policies for the task sequence and referenced applications. For clients that already had the deployment policy for task sequence A before the site update, the task sequence will run, but clients won't have the revised application policy.

You can run the following SQL script on a primary site database to determine if your site has this issue:

select COUNT(*) from Policy where PolicyID like '%/VI%' 
  AND ((ISNULL(PolicyFlags, 0) & 4096 = 4096) 
  OR (ISNULL(PolicyFlags, 0) & 2048 = 2048))

If this query returns 0, there's currently no issue. If the query returns a non-zero value, the issue only exists given the above conditions.


If there are many media and PXE task sequences that reference an application that you revise, the site will take longer to update these task sequence policies. During this time, some media and PXE task sequence deployments may fail. There's no workaround for this timing issue.

Workaround for task sequence and application policy issue in version 2107 early update ring

This issue is fixed in the build of version 2107 that's now generally available for all customers. If you previously opted in to the early update ring, install the Update for Microsoft Endpoint Configuration Manager version 2107, early update ring.

For OS deployment task sequences to existing clients not with PXE, you may see entries similar to the following strings in the ExecMgr.log on the client:

cannot load compressed XML policy
Failed to load policy from XML ''
Could not find the policy in WMI for Application ScopeId_88A86770-F44E-47C8-BF8D-3C1B8A5DF3AA/Application_b711f24c-f766-41e0-9c41-02313b2c8be3
Unable to find application policy for [advertisement: PR220005 appid: ScopeId_88A86770-F44E-47C8-BF8D-3C1B8A5DF3AA/Application_b711f24c-f766-41e0-9c41-02313b2c8be3]
Fail to initialize TS member info, error 0x87d02004

For this issue, after you install the update for version 2107 early update ring, run the following SQL query on the primary site to which the client is assigned:

select distinct ci.CI_ID from vSMS_ConfigurationItems ci
join CI_ConfigurationItemRelations_Flat cir on cir.ToCI_ID = ci.CI_ID and cir.RelationType = 11
join vSMS_ConfigurationItems intent_ci on intent_ci.CI_ID = cir.FromCI_ID
join policy p on p.PolicyID = intent_ci.ModelName+'/VI' and ((p.PolicyFlags & 0x800) > 0 or (p.PolicyFlags & 0x1000) > 0)
where ci.CIType_ID = 10 and ci.IsLatest = 1 and ci.IsTombstoned = 0

For each CI_ID that this query returns, create a 0-KB file named <ci_id>.cit. For example, 16777225.cit. Move the file to the directory on the primary site server. For example, \\\SMS_PR1\inboxes\\.

Software updates

Security roles are missing for phased deployments

The OS Deployment Manager built-in security role has permissions to phased deployments. The following roles are missing these permissions:

  • Application Administrator
  • Application Deployment Manager
  • Software Update Manager

The App Author role may appear to have some permissions to phased deployments, but can't create deployments.

A user with one these roles can start the Create Phased Deployment wizard, and can see phased deployments for an application or software update. They can't complete the wizard, or make any changes to an existing deployment.

To work around this issue, create a custom security role. Copy an existing security role, and add the following permissions on the Phased Deployment object class:

  • Create
  • Delete
  • Modify
  • Read

For more information, see Create custom security roles

Configuration Manager console

Intune RBAC for tenant attached devices

Applies to: version 2207

[Updated]: There is a checkbox for a role-based access control (RBAC) setting in the cloud attach configuration wizard in the console. By default, Configuration Manager RBAC is enforced along with Intune RBAC when you're uploading your Configuration Manager devices to the cloud service. This checkbox is selected by default.

You can now configure Intune role-based access control (RBAC) when interacting with tenant attached devices from the Microsoft Intune admin center. For more information, see Intune role-based access control for tenant-attached clients.

Unable to open console because extension installation loops

Applies to: version 2111

In certain circumstances, you'll be unable to open the console due to an extension installation loop. This issue occurs when two or more versions of a single extension were marked as required for installation. This issue occurs for extensions imported through the wizard, from a PowerShell script, or through Community hub. If you use the Make optional setting before importing a new version of the extension, this issue doesn't occur.

When you encounter this issue, it initially appears as a normal console extension installation. After the extension finishes installing, you select Close to restart the Configuration Manager console. When the console restarts, you're prompted to install the console extension again. The extension installation will continue to loop and the Configuration Manager console doesn't fully open.

To both prevent and work around this issue, run the below SQL script on your CAS database and all of your primary site databases:

ALTER VIEW vSMS_ConsoleExtensionMetadata
    WITH m AS(
       SELECT *,
       FROM ConsoleExtensionMetadata
        CASE m.IsRequired 
            WHEN 0 THEN ''  
                SELECT top(1) author FROM ConsoleExtensionRevisionHistory h 
                WHERE m.ID=h.ExtensionId AND m.Version=h.Version AND h.Changes & 1=1 
                ORDER BY h.RevisionTime DESC 
        END AS RequiredBy, 
    FROM m
    WHERE RN = 1

Supported platform conditions don't update for some objects

Applies to version 2107

You can select supported platforms on many objects such as applications, task sequences, and configuration items. Starting in version 2107, these lists are updated to include categories for Windows 11. After you update the primary site to version 2107, there are different behaviors depending upon the type of object:

  • Within 24 hours of updating the site, the supported platforms for the following objects will automatically update:

    • Packages and programs
    • Task sequences
    • Compliance settings, for example, endpoint protection

    In that initial 24-hour period, existing policies with Windows 10 conditions also apply to Windows 11. After the site updates the objects, they only apply to Windows 10. You can select Windows 11 as a supported platform at any time.

  • You need to manually review and update the supported platforms for the following objects:

    • Applications
    • Configuration items
    • Objects referenced in a task sequence

    For these objects, existing policies with Windows 10 conditions also apply to Windows 11. You need to manually revise the supported platform list.

Configuration Manager console settings aren't saved

Applies to version 2107

When you install the 2107 version of the Configuration Manager console, settings such as column changes, window size, and searches aren't saved. When you first open the upgraded console, it will appear as if it was never previously installed on the device. Any console settings made after installing the 2107 version of the Configuration Manager console will persist when you reopen it.

Console extensions

Applies to version 2103

There's a new hierarchy setting that allows for only using the new style of console extensions. If this setting is enabled, you can't use any old style extensions that aren't approved through the Console Extensions node. The setting, Only allow console extensions that are approved for the hierarchy, is enabled by default if you installed from the 2103 baseline build. If you update the site from version 2010 or earlier, it's disabled by default.

If the setting was enabled in error, disabling the setting allows the old style extensions to be used again.


Favorite queries lose line breaks or are truncated

Applies to: version 2107 early update ring

After you update the site to version 2107, there are two issues with CMPivot queries that you saved as a favorite:

  • When you edit the query, you may see unexpected characters like \r or \t.

  • The query after the last comma (,) is removed.

This issue is fixed in the build of version 2107 that's now generally available for all customers. If you previously opted in to the early update ring, install the Update for Microsoft Endpoint Configuration Manager version 2107, early update ring.