Microsoft released another hotfix KB15599094 NTLM Client Installation Update. The KB15599094 update prevents any attempt at NTLM authentication for SCCM client push installation when the Allow connection fallback to the NTLM option is disabled.
The update KB15599094 will be listed in the Updates and Servicing node of the Configuration Manager console If you are running Configuration Manager, versions 2103 – 2207. The KB15599094 hotfix replaces the previously released hotfix KB15498768 for Configuration Manager.
Configuration Manager KB15599094 hotfix is available only for the SCCM (a.k.a ConfigMgr), versions 2103, 2107, 2111, 2203, and 2207.
If you are using the SCCM current branch version prior to 2103 are encouraged to update to a later supported version. The latest SCCM 2207 update is available globally; Admins can apply this update to the sites running on version 2103 or later.
Summary of Hotfix KB15599094
The client push installation account always attempts an NTLM connection to a client to retrieve WMI query results during installation.
This NTLM connection only applies to computers in a trusted domain, and happens even if the Allow connection fallback to NTLM option is disabled in Client Push Installation Properties.
Environments using versions of Configuration Manager current branch prior to 2103 are encouraged to update to a later supported version. Administrators can also disable the use of automatic and manual client push installation methods to remove the risk of exposure to both this issue and the issue described in KB 15498768.
Install SCCM Hotfix KB15599094
Let’s follow the steps below to Install ConfigMgr Hotfix KB15599094. The Hotfix applies to Configuration Manager (current branch, versions 2103, 2107, 2111, 2203, 2207), and the installation process is straightforward. The summary of the hotfix KB15599094 installation is given below.
- Launch the SCCM console. Navigate to Administration > Updates and Servicing.
- The update Configuration Manager 2207 Hotfix (KB15599094) is Ready to install stage.
- Right-click Configuration Manager 2207 Hotfix KB15599094 and click Install Update Pack.
The Configuration Manager 2207 Hotfix (KB15599094) includes Configuration Manager site server updates. You can check the option “Ignore any prerequisite check warnings and install the update” for prerequisite warnings. Click Next.
The next step is to Review and Accept the license for this update pack and click Next to continue.
Here you can check the Summary of the updated package installation and Click on Close to complete Configuration Manager Updates Wizard.
Summary of update package installation Install Update Package Configuration Manager 2207 Hotfix (KB15599094), Prerequisite warnings will be ignored.
Verification of Successful Installation of KB15599094 Hotfix
Let’s check the detailed status for the Hotfix Installation, following are the verification steps for SCCM 2207 Hotfix KB15599094.
- In Configuration Manager Console, Navigate to the Monitoring workspace.
- \Monitoring\Overview\Updates and Servicing Status\Configuration Manager 2207 Hotfix (KB15599094).
You can also review the cmupdate.log to know the hotfix installation progress.
You can confirm the successful installation of Configuration Manager 2207 Hotfix (KB15498768) from the console, \Administration\Overview\Updates and Servicing.
NOTE! SCCM versions 2107 and later, this update does not require a computer restart or a site reset after installation. Configuration Manager version 2103 will require a site reset after update installation.
Install KB15599094 Hotfix on Secondary Server
To install and validate Hotfix KB15599094 on ConfigMgr (a.k.a SCCM) secondary servers, you can follow the steps below. The following blog posts provide more details about the secondary server installation, troubleshooting, and update installation.
Run the following SQL Server command on the site database to check whether the updated version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option in the ConfigMgr console. Click Administration, Site Configuration, select Secondary Sites and click Recover Secondary Site.
after installing this, does the console installation have to be updated on end-user machines? any sitebackup or other precautions needed before applying this update to the site?