Microsoft has released the KB21010486 hotfix rollup update for SCCM 2303 to address critical issues with Configuration Manager, current branch version 2303. KB 21010486 is the first hotfix released for SCCM 2303 and is available for both customers who opted in to the early update ring deployment via a PowerShell script and customers who installed the globally available release.
In this article, we will go over the fixes and improvements included in the KB21010486 hotfix. We will then look at the steps for installing the hotfix rollup KB21010486 on our SCCM 2303 setup.
If you are running SCCM 2211 or an older version of Configuration Manager, ensure you upgrade to SCCM 2303 to get the latest hotfixes and security updates. Configuration Manager 2303 brings a set of new features and improvements over the previous release, which makes it worth upgrading to version 2303. Check out all the new features of ConfigMgr 2303 and how to use them.
For environments that were installed using the early update ring or globally available builds of version 2303, the update KB21010486 appears in the updates and servicing node of the Configuration Manager console. This update applies to both customers who opted in to the early update ring deployment via a PowerShell script and customers who installed the globally available release.
To determine which build is in use, add the Package GUID column to the details pane of the Updates and Servicing node in the console. The update is only applicable to packages with the following GUIDs:
If the ConfigMgr Hotfix Rollup KB21010486 doesn’t appear in the Configuration Manager console, ensure you run Check for Updates. Review the dmpdownloader.log in case the update fails to download on the console.
UPDATE: Known issue with KB 21010486 Hotfix Rollup
After the initial KB21010486 update rollup release on July 24, 2023, customers reported the following issue in their Configuration Manager setup:
- After installing KB 21010486, administrators may notice an overall performance degradation in processing data into the site database. For example, collection evaluation, query processing, and site-to-site replication may be affected.
The SCCM KB21010486 hotfix is currently unavailable. Microsoft will soon make available a revised rollup, along with a standalone update for customers who have already installed KB 21010486.
Issues Fixed in KB21010486 Hotfix Update
The following issues are fixed in the KB21010486 hotfix update of ConfigMgr version 2303.
- The Configuration Manager console terminates unexpectedly when saving changes to a custom Software Center client setting that was created prior to version 2111.
- The Configuration Manager console terminates with a System.ArgumentOutOfRangeException message when comparing string and array data using the Create Scripts feature.
- Active Directory Group discovery data incorrectly supersedes Azure Active Directory Group discovery data, leading to inconsistencies in reporting and collection structure.
- The SMS_CLOUD_PROXYCONNECTOR role goes dormant after a cloud management gateway (CMG) is offline for upgrades or maintenance. When this happens, clients are unable to connect to the SCCM CMG until the SMS Executive service is restarted.
- The SMS Executive service periodically uses 100% of available CPU time on cloud management gateway instances. This sometimes happens after a CMG instance is restarted.
- After synchronizing collection members to Azure AD groups, subsequent synchronizations may delete group members unexpectedly. Furthermore, in large environments, when both AD user discovery and Azure AD user discovery are enabled and run on overlapping schedules, the synchronization process may fail.
- The Enable BitLocker task sequence step fails when used in combination with the PROVISIONTS parameter. This happens if the option to escrow the recovery key is enabled. Errors resembling the following are recorded in the smsts.log file:
  - Failed to CreateRecoveryPassword (0x800401F3)
  - Failed to configure key protection (0x800401F3)
  - Failed to run the action: Enable BitLocker. Error -2147221005
- Active Directory Group Discovery data records (DDRs) are rejected for clients that are discovered first by the Heartbeat Discovery method. Errors resembling the following are recorded in the ddm.log file on the site server:
  - DDR timestamp of “5/7/2023 3:05:02 AM” for agent “SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT” is older than existing record’s timestamp of “5/7/2023 12:22:15 PM”
- Windows Defender Exploit Guard – Attack Surface Reduction (ASR) policies don’t apply as expected to Windows Server operating systems.
- User collections based on Azure Active Discovery won’t contain Hybrid users after a full discovery cycle runs.
More information about the hotfix KB21010486 is documented here: Update Rollup for Microsoft Configuration Manager version 2303.
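The smsts.log errors listed for the Enable BitLocker issue report one failure code in two notations: -2147221005 is the signed 32-bit form of 0x800401F3. The following PowerShell is an added example, not part of the original article or Microsoft's tooling; it normalizes both notations and reports matching lines. The function name, the sample lines (built from the messages quoted above) and the log path placeholder are assumptions.

```powershell
# Added example, not from the original article.
function Find-HResultInLog {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Line,
        [string]$Target = '0x800401F3'   # code quoted in the article
    )
    # Matches "(0x800401F3)" or "Error -2147221005"
    $pattern = '\(0x(?<hex>[0-9A-Fa-f]{8})\)|\bError (?<dec>-?\d{1,10})\b'
    $n = 0
    foreach ($text in $Line) {
        $n++
        $m = [regex]::Match($text, $pattern)
        if (-not $m.Success) { continue }
        if ($m.Groups['hex'].Success) {
            $code = '0x' + $m.Groups['hex'].Value.ToUpper()
        } else {
            # Signed 32-bit decimal -> two's-complement hex; skip out-of-range values
            $value = 0
            if (-not [int32]::TryParse($m.Groups['dec'].Value, [ref]$value)) { continue }
            $code = '0x{0:X8}' -f $value
        }
        if ($code -eq $Target) {
            [pscustomobject]@{ LineNumber = $n; HResult = $code; Text = $text.Trim() }
        }
    }
}

# Constructed sample: the three messages from the article plus one unrelated line.
# Real smsts.log lines carry additional metadata around the message text.
$sample = @(
    'Failed to CreateRecoveryPassword (0x800401F3)'
    'Failed to configure key protection (0x800401F3)'
    'Constructed unrelated line with no error code'
    'Failed to run the action: Enable BitLocker. Error -2147221005'
)

# For a real log, replace $sample with:
#   Get-Content -LiteralPath '<path to smsts.log>'   # placeholder path
Find-HResultInLog -Line $sample | Format-Table -AutoSize
```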
Steps to Install SCCM 2303 KB21010486 Hotfix Rollup
Perform the below steps to correctly install the SCCM 2303 KB21010486 hotfix.
- Launch the Configuration Manager console.
- Go to Administration\Overview\Updates and Servicing.
- Ensure the status of KB21010486 hotfix rollup update shows as Ready to Install.
- Right-click Configuration Manager 2303 Hotfix Rollup KB21010486 and select Install Update Pack.
The Configuration Manager 2303 hotfix KB21010486 includes site server updates, console updates, and client updates. For prerequisite warnings, you can enable the option “ignore any prerequisite check warnings and install the update” on your production server running SCCM 2303. Click Next.
Client update options allow you to upgrade your client immediately or validate the most recent client version in the pre-production collection before upgrading all of your Configuration Manager clients. Select the appropriate option for your setup and click Next.
On the License Terms page, you must review the license terms and accept them. Click “Next” to continue.
On the Cloud Attach tab, the option Enable uploading Microsoft Defender for Endpoint data for reporting devices to Endpoint Manager is enabled by default. If you have configured the Intune tenant attach for SCCM, this option won’t appear, and you can skip the step. Click Next.
Review the KB21010486 hotfix rollup installation settings on the Summary page and click Next.
Close the Configuration Manager updates wizard. This completes the steps to install the KB21010486 hotfix rollup for ConfigMgr 2303.
Monitor the Installation of KB21010486 Hotfix Update Rollup
On your SCCM 2303 environment, you can monitor the hotfix KB21010486 installation progress by reviewing the cmupdate.log on the site server. When you install the KB21010486 hotfix rollup, any errors you run into are written to the cmupdate.log file. Monitoring Workspace in the Configuration Manager console, on the other hand, allows you to track the progress of a hotfix installation. Take a look at the list of all the helpful SCCM Log Files related to hotfix updates.
The Configuration Manager 2303 Hotfix Rollup KB21010486 update required a total of just 30 minutes to install on the server, and there were no errors encountered at any point in the installation process. There will be an SCCM site reset after the installation of the hotfix, even though it doesn’t require a restart of the computer.
KB21010486 Hotfix Rollup Console Upgrade
The KB21010486 hotfix update requires a console upgrade, and this step should be performed on all the systems installed with the Configuration Manager console. Microsoft recommends upgrading the console to the latest version on the site server. The hotfix installation will usually prompt for the console upgrade, and you can proceed with the upgrade by clicking on the install link. The console upgrade window also appears when you close and re-open the SCCM console. Click OK to begin the console upgrade.
The SCCM 2303 KB21010486 hotfix rollup upgrades the existing console version to 5.2303.1089.1300. During the console upgrade, review the console admin upgrade log files in case you encounter any errors.
To our surprise, the KB21010486 hotfix console upgrade requested a reboot. Restart the server and perform the console upgrade.
Verify the KB21010486 Hotfix Installation on Server
You must check and verify if the KB21010486 hotfix update rollup is installed correctly on the SCCM server. There are several ways to confirm the hotfix installation, the simplest of which is directly from the console.
Launch the Configuration Manager console and go to Administration\Overview\Updates and Servicing. Here we see the hotfix KB21010486 update showing as ‘Installed’. This confirms the KB21010486 hotfix installation is successful, and you can begin to use the console for administrative tasks.
Installing Hotfix KB21010486 on Secondary Sites
After you install the ConfigMgr KB 21010486 hotfix rollup on a primary site, pre-existing secondary sites must be manually updated. Read more about secondary site installation in SCCM to get an idea on how to install secondary sites in SCCM.
To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
- If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.
- If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.
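To run the check above against several secondary sites at once, the following PowerShell is an added example (not from the original article or from Microsoft). It passes the site code as a SQL parameter rather than concatenating it into the query, and uses the caller's Windows identity instead of stored credentials. It assumes Windows PowerShell 5.1 and read access to the site database; the function name, server name, database name and site codes are placeholders.

```powershell
# Added example, not from the original article.
function Test-SecondarySiteUpdateStatus {
    param(
        [Parameter(Mandatory)][string]$SqlServer,
        [Parameter(Mandatory)][string]$Database,
        # ConfigMgr site codes are three alphanumeric characters
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3}$')][string[]]$SiteCode
    )
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source']         = $SqlServer
    $builder['Initial Catalog']     = $Database
    $builder['Integrated Security'] = $true      # no password in the script
    $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
    try {
        $conn.Open()
        foreach ($code in $SiteCode) {
            $cmd = $conn.CreateCommand()
            # Same function as the article's query, with a bound parameter
            $cmd.CommandText = 'SELECT dbo.fnGetSecondarySiteCMUpdateStatus(@SiteCode)'
            [void]$cmd.Parameters.AddWithValue('@SiteCode', $code)
            $raw = $cmd.ExecuteScalar()
            $cmd.Dispose()

            # Interpret the result as the article describes: 1 = current, 0 = behind
            if ($null -eq $raw -or $raw -is [System.DBNull]) {
                $state = 'Unknown (no value returned)'
            } elseif ([int]$raw -eq 1) {
                $state = 'Up to date with parent primary site'
            } elseif ([int]$raw -eq 0) {
                $state = 'Behind parent: use Recover Secondary Site'
            } else {
                $state = "Unexpected value: $raw"
            }
            [pscustomobject]@{ SiteCode = $code; Result = $raw; State = $state }
        }
    } finally {
        $conn.Dispose()
    }
}

# Placeholder values; replace with your own server, database and site codes.
Test-SecondarySiteUpdateStatus -SqlServer 'sql01.example.local' `
    -Database 'CM_P01' -SiteCode 'S01', 'S02' | Format-Table -AutoSize
```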