Update rollup for Microsoft Configuration Manager version 2309
Applies to: Configuration Manager (current branch, version 2309)
Summary of KB25858444
This article describes issues that are fixed in the update rollup for Microsoft Configuration Manager current branch, version 2309. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release.
For more information on changes in Configuration Manager version 2309, see:
- What’s new in version 2309 of Configuration Manager current branch
- Summary of changes in Microsoft Configuration Manager current branch, version 2309
Known issue in this release
May 8, 2024
Microsoft Defender security configurations are no longer managed with Microsoft Intune after updating to Configuration Manager version 2403, or installing the Update Rollup for 2309.
The symptom is seen as a drop in the Microsoft Security Score values when viewed in Intune. This issue happens because security policy configuration data is incorrectly removed from clients after Configuration Manager clients are upgraded.
The drop in security scores for clients happens under the following conditions:
- The Configuration Manager clients are co-managed with Microsoft Intune.
- The Device Configuration -> Endpoint Protection workload is actively managed in Intune. For more information, see How to switch workloads.
- The Manage Endpoint Protection client on client computers value is set to Yes in client settings. For more information, see To enable Endpoint Protection and configure custom client settings.
Customers that have a potentially affected environment should wait to deploy version 2403 or the 2309 Update Rollup until a fix is available. See the details below if the environment is already updated, but the new clients aren't yet installed.
- If enabled, disable the hierarchy setting to Upgrade all clients in the pre-production collection automatically using the pre-production client. For more information, see Configuration automatic client upgrades to use a pre-production collection.
- Avoid using the Promote Pre-production Client action. For more information, see Promote a new client to production.
If clients are already updated, set the Manage Endpoint Protection client on client computers value to No in client settings. This can be done only for collections with co-managed clients. Microsoft Intune policy will reapply, and the clients will again be managed as expected.
This note will be updated when additional information is available.
Issues that are fixed
The Configuration Manager Prerequisite Checker process fails to connect to the site SQL server after upgrading to ODBC Driver version 18.0. Errors similar to the following are recorded in the ConfigMgrPrereqCheck.log file.
[Microsoft][ODBC Driver 18 for SQL Server]SSL Provider: The target principal name is incorrect.~~ Client unable to establish connection Failed to connect to the SQL Server, connection type: SMS ACCESS
- Due to a timing issue, a double reboot can still prevent a Task Sequence from running, even when the SMSTSWaitForSecondReboot variable is set. This problem can happen during an operating system deployment, combined with an update that requires two reboots.
- The BitLocker management agent might incorrectly assign a key protector for a client when the key escrow process failed.
Clients might be unable to download software from a cloud management gateway (CMG) after updating to Configuration Manager 2303 or later. Errors similar to the following are recorded in the MP_Location.log file.
The SELECT permission was denied on the object 'vSMS_DefaultBoundaryGroup', database 'CM_{SideCode}', schema 'dbo'.
- If the BitLocker recovery key escrow process fails due to a SQL exception, such as a timeout or deadlock, the process isn't retried automatically. The SMS_Message_Processing_Engine is updated to retry these failures for BitLocker recovery keys.
If multiple packages are uploaded to a distribution point on the same CMG instance, the upload process can fail. This scenario occurs after updating to Configuration Manager current branch, version 2303 or later. Errors resembling the following are recorded in the pkgxfermgr.log file.
ERROR: Operation GetStorageAccountBlobContainerIds for StorageAccount:{name} failed with Microsoft.WindowsAzure.Storage.StorageException: The remote server returned an error: (404) Not Found. ---> System.Net.WebException: The remote server returned an error: (404) Not Found.~~
- The upgrade experience indicators on the Windows 11 Readiness dashboard incorrectly list Windows 11 versions as "22H2" when they're a different version.
- Collection updates may be delayed in large environments that collect frequently changing hardware inventory data, such as recently used applications. This occurs due to triggers on the CollectionNotifications table that run when processing hardware inventory.
This issue was first corrected on Configuration Manager current branch, version 2010, for new site installations. It's now revised to apply to existing sites.
Hotfixes that are included in this update
- KB 26129847: Client discovery data update for Microsoft Configuration Manager version 2309
Update information for Microsoft Configuration Manager current branch, version 2309
This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using the globally available build of version 2309.
To verify which build is in use, look for a Package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The update applies to installations from packages that have the following GUID:
- FD3D0214-F4DC-4664-B6BB-997E381B7C9D
Restart information
This update doesn't require a computer restart but will initiate a site reset after installation.
Additional installation information
After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.
Version information
The following major components are updated to the versions specified:
| Component | Version |
|---|---|
| Configuration Manager console | 5.2309.1113.1900 |
| Client | 5.0.9122.1018 |
File information
File information is available in the downloadable KB25858444_FileList.txt text file.
Release history
- March 4, 2024: Initial hotfix release
References
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for