SCCM 2303 KB21010486 Hotfix Rollup – Fixes and Improvements
Microsoft has released the KB21010486 hotfix rollup update for SCCM 2303 to address critical issues with Configuration Manager, current branch version 2303. KB 21010486 is the first hotfix released for SCCM 2303 and is available for both customers who opted in to the early update ring deployment via a PowerShell script and customers who installed the globally available release.
In this article, we will go over the fixes and improvements included in the KB21010486 hotfix. We will then look at the steps for installing the hotfix rollup KB21010486 on our SCCM 2303 setup.
If you are runningSCCM 2211or an older version of Configuration Manager, ensure youupgrade to SCCM 2303to get the latest hotfixes and security updates. Configuration Manager 2303 brings a set of new features and improvements over the previous release, which makes it worth upgrading to version 2303. Check out all thenew features of ConfigMgr 2303and how to use them.
For environments that were installed using the early update ring or globally available builds of version 2303, the update KB21010486 appears in the updates and servicing node of the Configuration Manager console. This update applies to both customers who opted in to the early update ring deployment via a PowerShell script and customers who installed the globally available release.
To determine which build is in use,add the Package GUID columnto the details pane of theUpdates and Servicing nodein the console. The update is only applicable to packages with the following GUIDs:
- 2B85942D-2F3A-4B8C-AFA7-20C37E3BB266
- 1A251438-E9B5-42EF-8AAC-48B6E1790D9F
If the ConfigMgr Hotfix Rollup KB21010486 doesn’t appear in the Configuration Manager console, ensure you runCheck for Updates.Review thedmpdownloader.login case the update fails to download on the console.
UPDATE: Known issue with KB 21010486 Hotfix Rollup
After the initial KB21010486 update rollup release on July 24, 2023, customers reported the following issue in their Configuration Manager setup:
- After installing KB 21010486, administrators may notice an overall performance degradation in processing data into the site database. For example, collection evaluation, query processing, and site-to-site replication may be affected.
Microsoft will soon make available a revised rollup and a standalone update for customers who have already installed KB 21010486, as the SCCM KB21010486 hotfix is currently unavailable.
Issues Fixed in KB21010486 Hotfix Update
The following issues are fixed in the KB21010486 hotfix update of ConfigMgr version 2303.
- The Configuration Manager console terminates unexpectedly when saving changes to a custom Software Center client setting that was created prior toversion 2111.
- The Configuration Manager console terminates with aSystem.ArgumentOutOfRangeExceptionmessage when comparing string and array data using the Create Scripts feature.
- Active Directory Group discovery data incorrectly supersedes Azure Active Directory Group discovery data, leading to inconsistencies in reporting and collection structure.
- TheSMS_CLOUD_PROXYCONNECTORrole goes dormant after a cloud management gateway (CMG) is offline for upgrades or maintenance. When this happens, clients areunable to connect to the SCCM CMGuntil the SMS Executive service is restarted.
- TheSMS Executive serviceperiodically uses 100% of available CPU time on cloud management gateway instances. This sometimes happens after a CMG instance is restarted.
- After synchronizing collection members to Azure AD groups, subsequent synchronizations may delete group members unexpectedly. Furthermore, in large environments, when both AD user discovery and Azure AD user discovery are enabled and run on overlapping schedules, the synchronization process may fail.
- TheEnable Bitlocker task sequence stepfails when used in combination with the PROVISIONTS parameter. This happens if the option to escrow the recovery key is enabled. Errors resembling the following are recorded in the smsts.log file.
- Failed to CreateRecoveryPassword (0x800401F3)
- Failed to configure key protection (0x800401F3)
- Failed to run the action: Enable BitLocker. Error -2147221005
- Active Directory Group Discovery data records (DDRs) are rejected for clients that are discovered first by the Heartbeat Discovery method. Errors resembling the following are recorded in the ddm.log file on the site server.
- DDR timestamp of “5/7/2023 3:05:02 AM” for agent “SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT” is older than existing record’s timestamp of “5/7/2023 12:22:15 PM”
- Windows Defender Exploit Guard – Attach Surface Reduction (ASR) policies don’t apply as expected to Windows Server operating systems.
- User collections based on Azure Active Discovery won’t contain Hybrid users after a full discovery cycle runs.
More information about the hotfix KB21010486 is documented here:Update Rollup for Microsoft Configuration Manager version 2303.
Steps to Install SCCM 2303 KB21010486 Hotfix Rollup
执行the below steps to correctly install the SCCM 2303 KB21010486 hotfix.
- Launch the Configuration Manager console.
- Go toAdministration\Overview\Updates and Servicing.
- Ensure the status of KB21010486 hotfix rollup update shows asReady to Install.
- Right-clickConfiguration Manager 2303 Hotfix Rollup KB21010486and selectInstall Update Pack.
配置经理2303热修复补丁KB21010486我ncludes site server updates, console updates, and client updates. For prerequisite warnings, you can enable the option “ignore any prerequisite check warnings and install the update” on your production server running SCCM 2303. ClickNext.
Client update options allow you to upgrade your client immediately or validate the most recent client version in the pre-production collection before upgrading all of your Configuration Manager clients. Select the appropriate option for your setup and clickNext.
On theLicense Termspage, you must review the license terms and accept them. Click “Next” to continue.
On theCloud Attachtab, the option Enable uploading Microsoft Defender for Endpoint data for reporting devices to Endpoint Manager is enabled by default. If you have configured theIntune tenant attach for SCCM, this option won’t appear, and you can skip the step. ClickNext.
Review the KB21010486 hotfix rollup installation settings on theSummarypage and clickNext.
Close the Configuration Manager updates wizard. This completes the steps to install the KB21010486 hotfix rollup for ConfigMgr 2303.
Monitor the Installation of KB21010486 Hotfix Update Rollup
On your SCCM 2303 environment, you can monitor the hotfix KB21010486 installation progress by reviewing thecmupdate.logon the site server. When you install the KB21010486 hotfix rollup, any errors you run into are written to thecmupdate.logfile.监测工作空间in the Configuration Manager console, on the other hand, allows you to track the progress of a hotfix installation. Take a look at the list of all the helpfulSCCM Log Files related to hotfix updates.
The Configuration Manager 2303 Hotfix Rollup KB21010486 update required a total of just 30 minutes to install on the server, and there were no errors encountered at any point in the installation process. There will be aSCCM site resetafter the installation of the hotfix, even though it doesn’t require a restart of the computer.
KB21010486 Hotfix Rollup Console Upgrade
The KB21010486 hotfix update requires a console upgrade, and this step should be performed on all the systems installed with theConfiguration Manager console.微软建议升级th的控制台e latest version on the site server. The hotfix installation will usually prompt for the console upgrade, you can proceed with the upgrade by clicking on the install link. The console upgrade window also appears when you close and re-open the SCCM console. ClickOKto begin the console upgrade.
The SCCM 2303 KB21010486 hotfix rollup upgrades the existing console version to5.2303.1089.1300.During the console upgrade, review theconsole admin upgrade log filesin case you encounter any errors.
To our surprise, the KB21010486 hotfix console upgrade requested a reboot. Restart the server and perform the console upgrade.
Verify the KB21010486 Hotfix Installation on Server
You must check and verify if the KB21010486 hotfix update rollup is installed correctly on the SCCM server. There are several ways to confirm the hotfix installation, the simplest of which is directly from the console.
Launch the Configuration Manager console and go toAdministration\Overview\Updatesand Servicing. Here we see the hotfix KB21010486 update showing as ‘Installed‘. This confirms the KB21010486 hotfix installation is successful, and you can begin to use the console for administrative tasks.
Installing Hotfix KB21010486 on Secondary Sites
After you install the ConfigMgr KB 21010486 hotfix rollup on a primary site, pre-existing secondary sites must be manually updated. Read more aboutsecondary site installation in SCCMto get an idea on how to install secondary sites in SCCM.
To update a secondary site in the Configuration Manager console, selectAdministration>Site Configuration>Sites>Recover Secondary Site, and then select the secondary site. Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
- If the value1is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.
- If the value0is returned, the site has not installed all the fixes that are applied to the primary site, and you should use theRecover Secondary Site optionto update the secondary site.
Microsoft has pulled that update from SCCM, i setup the upgrade activity today just to find that it has disappeared from my SCCM console. Well better than installing and getting into trouble
Known issue: August 2, 2023
The following issue was reported by customers after the initial update rollup release on July 24, 2023:
After installing KB 21010486, administrators may notice an overall performance degradation in processing data into the site database. For example, collection evaluation, query processing, and site to site replication may be affected.
The update rollup is currently unavailable; a revised rollup and a standalone update for customers that already installed KB 21010486 will be referenced here when available.
I wanted to install the hotfix over the weekend, but it disappeared from the SCCM console. It has never happened to me before, and I can’t find a reason for it.