Microsoft just released a revised hotfix, KB29166583, for SCCM that hardens the Management Point server’s security. Installing this update will improve the security of connections between the management point and the site server database.
According to Microsoft, the KB29166583 hotfix resolves the security issue described in CVE-2024-43468. The revised hotfix is available to all customers globally, and I highly recommend installing this Management Point Security Update to harden your Configuration Manager setup.
Before the release of the KB29166583 update, there were two previously released hotfixes for version 2403: KB28290310 and KB28458746. Please note that this new hotfix doesn’t include the fixes contained in the previously released updates.
Why was hotfix KB29166583 revoked?
Microsoft revoked the hotfix KB29166583 on September 5, 2024, after several customers reported issues with the management point. In many environments, SCCM administrators noticed HTTP 500 errors in the IIS logs. The Configuration Manager database goes offline when the number of MP database connections exceeds the limit.
Microsoft was working on a fix while providing a temporary workaround to the affected customers. Thankfully, a revised hotfix has fixed the problems that the faulty hotfix had caused, and I hope Microsoft will take steps to prevent similar problems from happening again.
The revised KB29166583 hotfix for SCCM
On September 18, 2024, Microsoft republished the revised KB29166583 hotfix and the existing issues with this update were successfully resolved. If you have previously installed this hotfix, you may see a new update with a different GUID. You must install this update again to resolve the existing issues. The procedure to install this hotfix remains the same as described in this guide.
About KB29166583
- The KB29166583 hotfix is available for multiple versions of Configuration Manager, which include 2303, 2309, and 2403.
- The package GUID of this hotfix is 6CB068B1-E1D7-4DDC-B0CF-F8C90E1E9D14.
- This update doesn’t require a computer restart or a site reset after installation.
- The KB29166583 hotfix only includes updates for the site server. Hence, no console upgrade or client upgrade is required after installing this update.
Install KB29166583 Management Point Security Update for SCCM
I’ll now show you how to install the KB29166583 Management Point Security update in my environment running SCCM version 2403. Follow the same steps to install the hotfix for versions 2303 and 2309.
Launch the Configuration Manager console. Browse to Administration > Overview > Updates and Servicing. Select the Configuration Manager 2403 Hotfix (KB29166583) update and click Install Update Pack.
The hotfix contains the security update for site servers only. Click Next.
Accept the license terms for installing the MP security update and click Next.
On the Completion page, click Close.
While the hotfix is being installed, you can monitor its installation by reviewing the cmupdate.log file. Additionally, Monitoring Workspace in the Configuration Manager console allows you to track the progress of a hotfix installation.
In my lab, the hotfix KB29166583 completed its installation in 13 minutes and I did not encounter any errors during the installation. From the below screenshot, you can see that the KB29166583 update has been installed successfully.
Secondary Sites
After you’ve installed the MP security update KB29166583 on a primary site, pre-existing secondary sites must be manually updated. For background, read more about secondary site installation in SCCM.
To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
- If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.
- If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.
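To run the same check for every secondary site in one pass, the query below is an added example and not part of the original article or Microsoft's guidance. It assumes the site database exposes the v_Site view with the SiteCode, SiteName, ServerName and Type columns, and that Type = 1 identifies a secondary site; verify both in your environment before relying on the output.

```sql
-- Added example: run against the primary site database (CM_<SiteCode>).
-- Assumption: dbo.v_Site lists all sites and Type = 1 marks a secondary site.
-- fnGetSecondarySiteCMUpdateStatus is the function shown above; it is called
-- once per secondary site instead of once per hand-typed site code.
SELECT
    s.SiteCode,
    s.SiteName,
    s.ServerName,
    st.UpdateStatus,
    CASE st.UpdateStatus
        WHEN 1 THEN 'Up to date with parent primary site'
        WHEN 0 THEN 'Missing fixes: run Recover Secondary Site'
        ELSE 'Unexpected result: check this site manually'
    END AS RecommendedAction
FROM dbo.v_Site AS s
CROSS APPLY (
    -- Wrap the scalar function so its result can be reused in the CASE
    -- expression and in ORDER BY without calling it twice.
    SELECT dbo.fnGetSecondarySiteCMUpdateStatus(s.SiteCode) AS UpdateStatus
) AS st
WHERE s.Type = 1
-- Sites that still need the Recover Secondary Site action sort first.
ORDER BY st.UpdateStatus, s.SiteCode;
```

Re-run the query after each Recover Secondary Site operation completes; a site is done when its UpdateStatus changes to 1.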