The ConfigMgr Hotfix KB15599094 update prevents any attempt at NTLM authentication for SCCM client push installation when the Allow connection fallback to NTLM option is disabled. The SCCM KB15599094 NTLM client installation hotfix replaces the previously released update KB15498768 for SCCM.
The client push installation account always attempts an NTLM connection to a client to retrieve WMI query results during the installation process. This NTLM connection only applies to computers in a trusted domain, and happens even if the Allow connection fallback to NTLM option is disabled in Client Push Installation Properties.
The Configuration Manager KB15599094 hotfix is applicable to 2103–2207. The SCCM KB15599094 update (NTLM client installation update) is available in the Updates and Servicing node of the Configuration Manager console for environments that have versions 2103-2207 installed.
Last week, Microsoft released the SCCM Hotfix KB15498768 for the NTLM Connection Fallback Update. Prior to that, the KB14959905 hotfix for SCCM 2207 was released for the early update ring. Read more details about the hotfix in the NTLM client installation update for Microsoft Endpoint Configuration Manager.
The ConfigMgr hotfix KB15599094 replaces the previously released hotfix KB15498768 for Configuration Manager. If you haven’t installed KB15498768 yet, you can skip that hotfix and directly install the KB15599094 hotfix for SCCM.
Summary of SCCM KB15599094 Hotfix
During the installation process, the client push installation account always attempts an NTLM connection to a client to retrieve WMI query results. This NTLM connection applies only to machines in a trusted domain and occurs even if the Allow connection fallback to NTLM option in Client Push Installation Properties is disabled.
Environments running Configuration Manager current branch versions prior to 2103 are urged to upgrade to a later supported version, which is SCCM 2207. Administrators can also disable the automatic and manual client push installation methods to eliminate the risk of exposure to both this and the KB15498768 issue.
Note: For Configuration Manager versions 2107 and later, the KB15599094 update does not require a computer restart or a site reset after installation. Configuration Manager version 2103 will require a site reset after update installation.
Install ConfigMgr Hotfix KB15599094 – NTLM Client Installation Update
Use the following steps to install the ConfigMgr Hotfix KB15599094:
- Launch the Microsoft Endpoint Configuration Manager console.
- Browse to Administration\Overview\Updates and Servicing.
- Right-click on Configuration Manager 2207 Hotfix KB15599094 and select Install Update Pack.
The Configuration Manager KB15599094 hotfix includes only site server updates. For prerequisite warnings, you can enable the option “Ignore any prerequisite check warnings and install the update” on your production server running SCCM 2207. Click Next.
Accept the license terms for installing the Configuration Manager KB15599094 hotfix. Click Next.
On the Summary page, confirm the settings and click Next. Close the Configuration Manager updates wizard. This completes the steps to install KB15599094 hotfix for SCCM 2207.
Monitor the KB15599094 Hotfix Installation Progress
You can monitor the KB15599094 hotfix installation progress by reviewing the cmupdate.log on the site server. Alternatively, the Monitoring workspace provides information on the progress of hotfix installation. Have a look at the list of all the SCCM Log Files for hotfix updates.
The hotfix KB15599094 took only 10 minutes to install, and there were no issues at any point in the process. There will be an SCCM site reset after the installation of the hotfix even though it doesn’t require a restart of the computer. Note that the KB15599094 hotfix will not require a console upgrade or a client agent upgrade. Only site server updates are included with this hotfix.
Verify the KB15599094 Installation on the SCCM Server
Let’s check if the KB15599094 hotfix is installed. Launch the Configuration Manager console and go to Administration\Overview\Updates and Servicing. We see the Configuration Manager 2207 hotfix KB15599094 shows as Installed. This confirms the hotfix installation is successful.
Notice that after you install the hotfix KB15599094, the previous update KB15498768 disappears from the list. That’s because the KB15599094 hotfix replaces the previously released hotfix KB15498768 for Configuration Manager.
Install Hotfix KB15599094 on Secondary Sites
After you install SCCM 2207 hotfix KB15599094 update on a primary site, pre-existing secondary sites must be manually updated. Read more about secondary site installation in SCCM.
To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites. Right-click the secondary site server and click Recover Secondary Site.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
- If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.
- If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.