Microsoft recently released the SCCM hotfix KB15498768, the NTLM connection fallback update. The Configuration Manager KB15498768 hotfix is available only for SCCM (a.k.a. ConfigMgr) current branch versions 2103, 2107, 2111, 2203, and 2207.
The KB15498768 update prevents any attempt at NTLM authentication for SCCM client push installation when the Allow connection fallback to NTLM option is disabled. Administrators can also disable the automatic and manual client push installation methods to remove exposure to this issue altogether.
If you are running Configuration Manager version 2103 through 2207, update KB15498768 is listed in the Updates and Servicing node of the Configuration Manager console. This update does not replace any previously released updates.
Microsoft also released another hotfix, KB15599094 (https://aka.ms/KB15599094), for the client side to address a related NTLM issue. Per that hotfix's description, the client push installation account always attempts an NTLM connection to a client to retrieve WMI query results during the installation process. This NTLM connection applies only to computers in a trusted domain and happens even if the Allow connection fallback to NTLM option is disabled in Client Push Installation Properties.
If you are using an SCCM current branch version prior to 2103, you are encouraged to update to a later supported version. The latest SCCM 2207 update is available globally; admins can apply it to sites running version 2103 or later.
Microsoft added many new features and improvements in the latest version, SCCM 2207, and fixed many existing (known or unknown) issues. You can check the Top 10 New Features of SCCM 2207 here.
Summary of Hotfix KB15498768
Disabling the Allow connection fallback to NTLM option in Client Push Installation Properties is not honored under either of the following conditions:
- If there are Kerberos authentication failures, the client push account will attempt an NTLM connection instead.
- The site server computer account will attempt a connection using NTLM if Kerberos authentication fails for all defined client push installation accounts.
This update prevents any attempt at NTLM authentication for client push installation when the Allow connection fallback to NTLM option is disabled. Installing this update resolves the security issue CVE-2022-37972.
Beginning with Configuration Manager current branch, version 2207, the Allow connection fallback to NTLM option is disabled by default on new site installations. It is recommended to disable this option in existing environments, where possible, to increase security.
NOTE! – Administrators can also disable the use of automatic and manual client push installation methods to remove the risk of exposure to this issue. Refer to Support for SCCM CB versions.
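As an added example (not part of the original post and not Microsoft's own tooling), the PowerShell below reads a site's Client Push Installation settings from the SMS Provider so you can see how the site is configured before and after applying the hotfix, and optionally applies the mitigation from the note above. The site code P01 and the provider host name are placeholders. Because the page does not name the site-control property that backs the Allow connection fallback to NTLM checkbox, the script lists every property whose name contains NTLM rather than hard-coding one, and the PropList name it uses for the client push accounts (Reserved2) is an assumption to confirm in your own site control data.

```powershell
<#
  Added example: inspect (and optionally reduce) the client push attack surface.
  Not code from the original post. Run in Windows PowerShell 5.1 on a machine
  with the Configuration Manager console installed, as a user with SMS Provider rights.
  Assumptions: site code P01 and provider host cm01.contoso.local are placeholders.
#>
param(
    [string]$SiteCode     = 'P01',                 # assumption: your primary site code
    [string]$ProviderHost = 'cm01.contoso.local',  # assumption: your SMS Provider host
    [switch]$DisableAutoPush                       # mitigation described in the note above
)

$ns = "root\SMS\site_$SiteCode"

# Client push settings live in the site control data under the
# SMS_DISCOVERY_DATA_MANAGER component. Get-WmiObject returns the full instance,
# including the embedded Props/PropLists arrays.
$cp = Get-WmiObject -ComputerName $ProviderHost -Namespace $ns -Class SMS_SCI_Component `
        -Filter "ComponentName='SMS_DISCOVERY_DATA_MANAGER' AND SiteCode='$SiteCode'"
if (-not $cp) { throw "SMS_DISCOVERY_DATA_MANAGER not found for site $SiteCode in $ns" }

# ENABLED is the property behind 'Enable automatic site-wide client push installation'.
$autoPush = ($cp.Props | Where-Object PropertyName -eq 'ENABLED').Value -eq 1
Write-Host ("Automatic client push enabled : {0}" -f $autoPush)

# The page does not name the property that backs 'Allow connection fallback to
# NTLM', so report every property that mentions NTLM instead of guessing one.
$ntlmProps = $cp.Props | Where-Object { $_.PropertyName -match 'NTLM' }
if ($ntlmProps) {
    $ntlmProps | ForEach-Object {
        Write-Host ("{0,-40} Value={1} Value1='{2}'" -f $_.PropertyName, $_.Value, $_.Value1)
    }
} else {
    Write-Host "No NTLM-related property found; compare with Client Push Installation Properties in the console."
}

# Each configured client push account is a credential that could be exposed to
# NTLM fallback before the hotfix. Assumption: the accounts are stored in the
# PropList named Reserved2; verify this against your own site control data.
$accounts = ($cp.PropLists | Where-Object PropertyListName -eq 'Reserved2').Values
if ($accounts) { Write-Host ("Client push accounts          : {0}" -f ($accounts -join ', ')) }
else           { Write-Host "Client push accounts          : <none; site server computer account only>" }

if ($DisableAutoPush) {
    # Documented ConfigMgr cmdlet; the module ships with the console.
    Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
    Push-Location "$($SiteCode):"
    try {
        Set-CMClientPushInstallation -SiteCode $SiteCode -EnableAutomaticClientPushInstallation $false
        Write-Host "Automatic site-wide client push disabled for site $SiteCode"
    } finally { Pop-Location }
}
```

Run it once before the hotfix to record the current state, then again afterwards; if no NTLM-related property shows up, the checkbox state in Client Push Installation Properties remains the authoritative view. Disabling automatic push only removes the site-wide trigger; manual push from the console and the accounts in the list above still need review.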
Install SCCM Hotfix KB15498768
Let’s follow the steps below to install ConfigMgr hotfix KB15498768. The hotfix applies to Configuration Manager current branch versions 2103, 2107, 2111, 2203, and 2207, and the installation process is straightforward. A summary of the KB15498768 installation is given below.
- Launch the SCCM console. Navigate to Administration > Updates and Servicing.
- The update Configuration Manager 2207 Hotfix (KB15498768) appears in the Ready to install state.
- Right-click Configuration Manager 2207 Hotfix KB15498768 and click Install Update Pack.
The Configuration Manager 2207 Hotfix (KB15498768) includes Configuration Manager site server updates. For prerequisite warnings, you can check the option “Ignore any prerequisite check warnings and install the update”. Click Next.
Review and Accept the license for this update pack and click Next to continue.
Check the summary of the update package installation and click Close to complete the Configuration Manager Updates Wizard. The summary page lists the package as Install Update Package: Configuration Manager 2207 Hotfix (KB15498768), and notes that prerequisite warnings will be ignored if you chose that option.
Verification of Successful Installation of KB15498768 Hotfix
Following are the verification steps for SCCM 2207 Hotfix KB15498768.
- In Configuration Manager Console, Navigate to the Monitoring workspace.
- \Monitoring\Overview\Updates and Servicing Status\Configuration Manager 2207 Hotfix (KB15498768).
You can also review cmupdate.log on the site server to follow the hotfix installation progress.
You can confirm the successful installation of Configuration Manager 2207 Hotfix (KB15498768) from the console, \Administration\Overview\Updates and Servicing.
NOTE! For SCCM versions 2107 and later, this update does not require a computer restart or a site reset after installation. Configuration Manager version 2103 requires a site reset after the update is installed.
Install KB15498768 Hotfix on Secondary Server
To install and validate hotfix KB15498768 on ConfigMgr (a.k.a. SCCM) secondary sites, follow the steps below. The following blog posts provide more details about secondary site installation, troubleshooting, and update installation.
Run the following SQL command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
If the value 1 is returned, the secondary site is up to date, with all the hotfixes applied on its parent primary site.
If the value 0 is returned, the secondary site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option in the ConfigMgr console: click Administration, Site Configuration, Sites, select the secondary site, and click Recover Secondary Site.
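As an added example (not code from the original post), the following PowerShell automates the verification steps above: it checks the hotfix state through the console's ConfigurationManager module, tails cmupdate.log for the KB number, and runs the page's dbo.fnGetSecondarySiteCMUpdateStatus query for every secondary site of the primary. The site code, SQL Server instance and database name are placeholders, and the two numeric State values the script decodes (196612 as installed, 262146 as ready to install) are the only codes it treats as known; anything else is printed as-is.

```powershell
<#
  Added example (not from the original post): verify KB15498768 on the primary
  site and on its secondary sites. Run on the primary site server in Windows
  PowerShell 5.1 with the console and the SqlServer module installed.
  Assumptions: site code, SQL instance and database name are placeholders.
#>
param(
    [string]$SiteCode    = 'P01',                  # assumption: your primary site code
    [string]$SqlInstance = 'cm01.contoso.local',   # assumption: site database server
    [string]$Database    = "CM_$SiteCode",         # default site database naming convention
    [string]$UpdateName  = 'Configuration Manager 2207 Hotfix (KB15498768)'
)

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"
try {
    # 1. State of the update package as the Updates and Servicing node sees it.
    $pkg = Get-CMSiteUpdate -Name $UpdateName -Fast
    if (-not $pkg) { throw "Update '$UpdateName' is not listed for site $SiteCode" }
    # State codes the script knows; any other value is shown numerically.
    $states = @{ 196612 = 'Installed'; 262146 = 'Ready to install' }
    $code = [int]$pkg.State
    $stateText = if ($states.ContainsKey($code)) { $states[$code] } else { "unknown ($code)" }
    Write-Host ("{0}: {1}" -f $pkg.Name, $stateText)

    # 2. Secondary sites (SMS_Site Type 1) must carry the same hotfixes as the parent.
    $secondaries = @(Get-CMSite | Where-Object { $_.Type -eq 1 })
} finally { Pop-Location }

# 3. cmupdate.log lives under the site server's installation directory.
$installDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Identification').'Installation Directory'
$log = Join-Path $installDir 'Logs\cmupdate.log'
if (Test-Path $log) {
    Write-Host "Last cmupdate.log lines mentioning KB15498768:"
    Get-Content $log -Tail 200 | Select-String 'KB15498768' | Select-Object -Last 5 |
        ForEach-Object { Write-Host ('  ' + $_.Line) }
}

# 4. Run the page's SQL check once per secondary site: 1 = up to date, 0 = recover it.
foreach ($s in $secondaries) {
    $q = "select dbo.fnGetSecondarySiteCMUpdateStatus('$($s.SiteCode)') as UpToDate"
    $r = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $q
    if ($r.UpToDate -eq 1) {
        Write-Host ("Secondary {0} is up to date with its parent" -f $s.SiteCode)
    } else {
        Write-Warning ("Secondary {0} is missing hotfixes: use Recover Secondary Site in the console" -f $s.SiteCode)
    }
}
```

The script only reports; it does not trigger Recover Secondary Site, which remains a console action. Run it after the Monitoring workspace shows the update as complete, and expect the cmupdate.log section to be empty if the log has already rolled over since the install.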
Howdy. I clicked on the 2207 Hotfix and selected Download, as that was the only option, but after an hour of waiting, it still is not downloaded, and all the options are grayed out when I click on the Hotfix. I have restarted the Console 3 times with the same result. Any advice?
We installed the update but still see the option checked. How do we validate this update works?