Update rollup for Microsoft Configuration Manager version 2309
Applies to: Configuration Manager (current branch, version 2309)
Summary of KB25858444 / KB27863823
This article describes issues that are fixed in the update rollup for Microsoft Configuration Manager current branch, version 2309. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release.
For more information on changes in Configuration Manager version 2309, see:
- What’s new in version 2309 of Configuration Manager current branch
- Summary of changes in Microsoft Configuration Manager current branch, version 2309
Known issues in this release
- May 22, 2024
If the site server is installed using a local named instance of SQL Server, and a custom port, the prerequisite checker fails with the following errors in the ConfigMgrPrereq.log.
Named Pipes Provider: Could not open a connection to SQL Server [2].
Login timeout expired
A network-related or instance-specific error has occurred while establishing a connection to {SQL_Server_Name}. Server is not found or not accessible.
Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.
*** Failed to connect to the SQL Server, connection type: SMS Master.
ERROR: SQL is not connected.
A revised version of the update rollup is released to prevent this issue.
The revision appears in the console as KB 27863823 for customers using Configuration Manager version 2309 that didn't install the original release of the update rollup, KB 25858444. The original release is now expired.
- May 22, 2024
Site recovery or installation fails if the Force Encryption flag is set to Yes in the protocol properties for the SQL Server Network Configuration. The issue is resolved either by setting the Force Encryption flag to No, or adding the self-signed certificate, ConfigMgr SQL Server Identification Certificate, to the list of Trusted Root Certification Authorities for the server.
- May 13, 2024
An updated version of the Microsoft Security Client Policy Configuration Tool, ConfigSecurityPolicy.exe, is available to resolve the Endpoint Protection policy issue described in this note.
The updated tool, version 4.18.24040.4, is distributed with the April 2024 monthly Microsoft Defender platform update. At the time of this writing, the platform update is in the process of global distribution, and should be broadly available in all regions by May 17, 2024.
Once the platform update is installed on affected clients, Endpoint Protection policies are reapplied from Intune within 8 hours. The "Manage Endpoint Protection client on client computers" setting in Configuration Manager can be changed back to "Yes" as required.
Additional references
- Monthly platform and engine versions
- Microsoft Defender update for Windows operating system installation images.
- Sync devices to get the latest policies and actions with Intune
Symptoms
Microsoft Defender security configurations are no longer managed with Microsoft Intune after updating to Configuration Manager version 2403, or installing the Update Rollup for 2309.
The symptom is seen as a drop in the Microsoft Security Score values when viewed in Intune. This issue happens because security policy configuration data is incorrectly removed from clients after Configuration Manager clients are upgraded.
The drop in security scores for clients happens under the following conditions:
- The Configuration Manager clients are co-managed with Microsoft Intune.
- The Device Configuration -> Endpoint Protection workload is actively managed in Intune. For more information, see How to switch workloads.
- The Manage Endpoint Protection client on client computers value is set to Yes in client settings. For more information, see To enable Endpoint Protection and configure custom client settings.
Issues that are fixed
The Configuration Manager Prerequisite Checker process fails to connect to the site SQL server after upgrading to ODBC Driver version 18.0. Errors similar to the following are recorded in the ConfigMgrPrereqCheck.log file.
[Microsoft][ODBC Driver 18 for SQL Server]SSL Provider: The target principal name is incorrect.~~ Client unable to establish connection Failed to connect to the SQL Server, connection type: SMS ACCESS
- Due to a timing issue, a double reboot can still prevent a Task Sequence from running, even when the SMSTSWaitForSecondReboot variable is set. This problem can happen during an operating system deployment, combined with an update that requires two reboots.
- The BitLocker management agent might incorrectly assign a key protector for a client when the key escrow process failed.
Clients might be unable to download software from a cloud management gateway (CMG) after updating to Configuration Manager 2303 or later. Errors similar to the following are recorded in the MP_Location.log file.
The SELECT permission was denied on the object 'vSMS_DefaultBoundaryGroup', database 'CM_{SideCode}', schema 'dbo'.
- If the BitLocker recovery key escrow process fails due to a SQL exception, such as a timeout or deadlock, the process isn't retried automatically. The SMS_Message_Processing_Engine is updated to retry these failures for BitLocker recovery keys.
If multiple packages are uploaded to a distribution point on the same CMG instance, the upload process can fail. This scenario occurs after updating to Configuration Manager current branch, version 2303 or later. Errors resembling the following are recorded in the pkgxfermgr.log file.
ERROR: Operation GetStorageAccountBlobContainerIds for StorageAccount:{name} failed with Microsoft.WindowsAzure.Storage.StorageException: The remote server returned an error: (404) Not Found. ---> System.Net.WebException: The remote server returned an error: (404) Not Found.~~
- The upgrade experience indicators on the Windows 11 Readiness dashboard incorrectly list Windows 11 versions as "22H2" when they're a different version.
- Collection updates can be delayed in large environments that collect frequently changing hardware inventory data, such as recently used applications. This occurs due to triggers on the CollectionNotifications table that run when processing hardware inventory.
This issue was first corrected on Configuration Manager current branch, version 2010, for new site installations. It's now revised to apply to existing sites.
Hotfixes that are included in this update
- KB 26129847: Client discovery data update for Microsoft Configuration Manager version 2309
Update information for Microsoft Configuration Manager current branch, version 2309
This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using the globally available build of version 2309.
To verify which build is in use, look for a Package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The update applies to installations from packages that have the following GUID:
- FD3D0214-F4DC-4664-B6BB-997E381B7C9D
Restart information
This update doesn't require a computer restart but will initiate a site reset after installation.
Additional installation information
After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
If the value 0 is returned, the site hasn't installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.
Version information
The following major components are updated to the versions specified:
Original release
Component | Version |
---|---|
Configuration Manager console | 5.2309.1113.1900 |
Client | 5.0.9122.1018 |
Revised release
Component | Version |
---|---|
Configuration Manager console | 5.2309.1113.1900 |
Client | 5.0.9122.1019 |
File information
File information for the original release is available in the downloadable KB25858444_FileList.txt text file.
The revised release is available in KB27863823_FileList.txt.
Release history
- March 4, 2024: Initial hotfix release
- May 22, 2024: Update revised to address SQL custom port installation issue