Update rollup for Microsoft Endpoint Configuration Manager current branch, version 2010

Article
01/12/2024

Applies to: Configuration Manager (current branch, version 2010)

Summary of KB4600089

This article describes issues that are fixed in this update rollup for Microsoft Endpoint Configuration Manager current branch, version 2010. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release. For more information on changes in Configuration Manager version 2010, see:

Issues that are fixed

Configuration Manager console exceptions

The console terminates or generates an exception under any of the following conditions.

If the process to update boot images on distribution points takes longer than eight-minutes exception details resembling the following are shown.

Exception type:   System.ArgumentOutOfRangeException
Message:          Value of '101' is not valid for 'Value'. 'Value' should be between 'minimum' and 'maximum'.

If the tenant onboarding process is completed and device uploads are limited to a specific collection, the user can't modify the limiting collection as the console terminates. This occurs if the user is denied access to if they're denied access to the parent of the limiting collection.
When editing an application deployment type that didn't previously contain a content path.
The console issue detailed in the following article. KB 4599924 Console terminates unexpectedly in Configuration Manager current branch, version 2010

SMS_Executive (smsexec.exe) service exceptions

The SMS_Executive service terminates under any of the following conditions.

On Windows Server 2012 R2 site servers after updating to Configuration Manager version 2010. This occurs if Internet Information Services (IIS) was never previously installed on the server.
If the client installation lock file has an invalid file date.
If the software update point has the “Use a proxy server when downloading content by using automatic deployment rules” setting enabled.

Other issues

The Run PowerShell Script task sequence step doesn't honor the SMSTSDisableStatusRetry variable. This results in multiple attempts to send status messages even when a machine is offline, leading to increasing delays in task sequence completion.
Firewall policies assigned through the Microsoft Intune admin center don't apply on Windows 10, version 20H1 and later clients.
Configuration Manager clients that update their BIOS may be listed in twice in multiple locations in the Configuration Manager console.
Multiple client log files, such as CoManagementHandler.log and execmgr.log, contain the following false negative log entry. This results in potentially valuable troubleshooting information being overwritten.
```
Failed to GetDeviceManagementConfigInfo, honor MEM authority. Error (0x00000000).
```
If you delete downloaded content from the Community Hub, the content isn't deleted from the Community Hub > Your downloads page and you're unable to download the content again.
The Push Update button isn't enabled for revised Community Hub content.
Temporary content isn't always deleted after a task sequence runs.
The Set custom schedule checkbox is cleared and any custom schedule settings removed when the list of partner software update catalogs is refreshed.
Microsoft Entra hybrid joined clients may appear duplicated in the Configuration Manager console, but with different GUIDs (SMSID). The duplication occurs during an operating system deployment to the client where the management point is configured for HTTPS communication.
The CCMDEBUGLOGGING client installation property doesn't work when passed in during the Setup Windows and ConfigMgr task sequence step.
The Office 365 Client Management Dashboard displays all client channels as Other.
Client hardware inventory data isn't replicated from a primary site to the central administration site (CAS) when reporting is enabled for the CCM_SoftwareDistributionClientConfig class in the ROOT\ccm\Policy\Machine\ActualConfig namespace. Errors resembling the following are recorded in the dataldr.log file on the primary site.
```
Column names in each view or function must be unique. Column name 'ADV_RebootLogoffNotification0' in view or function 'v_GS_CCM_SOFTWAREDISTRIBUTIONCLIENTCONFIG' is specified more than once.
```
Software updates deployed via task sequence during a maintenance window may not restart the computer as expected. The Update Deployment.log file contains an error resembling the following.
```
InstallTargetedUpdates failed, error 87d00708
```
A user with read-only access to applications is unable to copy or scroll down through script content in the Script Editor window.
Processing of Automatic Deployment Rules fails after updating to Configuration Manager version 2010. The Last Error Description reads "Auto Deployment Rule download failed". This occurs due to zero-byte temporary files left in the Windows\Temp folder during the download process.
Software Center fails to open on some Configuration Manager current branch, version 2010 clients. The SCClient_<domain>@<username>_1.log contains errors resembling the following. Note the line number may differ from the example below.
```
Call to ExecuteQuery failed, Query: "Select * From CCM_Application WHERE UserUIExperience = TRUE"
Exception caught in ExecuteQuery, line 465...
(Microsoft.SoftwareCenter.Client.Data.WmiConnectionManager at ExecuteQuery)
```
The DCMAgent.log also contains an error resembling the following, recorded at the same time as the SCClient log entry. The 0x87d00315 error code translates to "The CI version info data isn't available."
```
ExecuteApplicationQuery - Failed to get machine targeted applications (0x87d00315).
```
Client computers may unexpectedly receive a software update deployment if the target collection is changed from “All Systems” to another collection.
Package content beyond the first package isn't cached locally on the client when the Save path as a variable setting is enabled for the Download Package Content task sequence step.
Computers incorrectly report noncompliance with a BitLocker fixed data drive encryption policy. This occurs for computers with only a single drive and partition, even when encrypted with BitLocker.
Surface driver synchronization fails if the Software Update Point is in a separate untrusted domain from the site server. An error resembling the following is recorded in the wsyncmgr.log file.
```
Sync failed: The request failed with HTTP status 401: Unauthorized. Source: Microsoft.UpdateServices.Internal.ApiRemoting.ExecuteSPSearchUpdates
```
The Deployment Options and Allow clients to use distribution points from the default site boundary group settings on the Content tab of deployment properties may unexpectedly revert to default after saving changes.
Existing co-management policies don't apply to Azure Virtual Desktop.
Domain-joined clients that are connected to the internet, but not connected via VPN to a corporate network, are now able to receive Microsoft Defender policy data.

Hotfixes that are included in this update

KB 4594177 Client notifications sent to all collection members in Configuration Manager current branch, version 2010

Update information for Microsoft Endpoint Configuration Manager current branch, version 2010

This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using early update ring or globally available builds of version 2010.

Members of the Configuration Manager Technology Adoption Program (TAP) must first apply the private TAP rollup before this update is displayed.

To verify which build is in use, look for a Package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The update applies to installations from packages that have the following GUIDs:

8DD2203C-3250-4FEA-996E-CBB17B96BB7E
D5054056-F41C-4E61-90A7-4F135B76F806
AC764035-EEE2-4E87-A5D2-1F666A328A8D
6B4F84B7-5555-48B0-AECC-74FB5A8AA24B

The update is also applicable to TAP builds with the private TAP rollup (6EB8FDAB-5ECE-4A05-8BDA-E175ED7F12D3) installed.

Restart information

This update doesn't require a computer restart but will initiate a site reset after installation.

Additional installation information

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site hasn't installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

Version information

The following major components are updated to the versions specified:

Component	Version
Configuration Manager console	5.2010.1093.1000
Client	5.00.9040.1044

File information

File information is available in the downloadable KB4600089_FileList.txt text file.

References

Updates and servicing for Configuration Manager