The SCCM hotfix KB15498768 update prevents any attempt at NTLM authentication for client push installation when the Allow connection fallback to NTLM option is disabled. This hotfix is applicable to ConfigMgr versions 2103 to 2207.
The KB15498768 (NTLM connection fallback update) hotfix update is available in the Updates and Servicing node of the Configuration Manager console for environments that have versions 2103-2207 installed.
Last week, Microsoft released the KB14959905 hotfix for SCCM 2207 early update ring. The KB14959905 hotfix update addresses important, late-breaking issues that were resolved after Configuration Manager version 2207 became available globally.
The hotfix KB15498768 applies to Configuration Manager versions 2103 to 2207. This update does not replace any previously released updates. Read more details about the hotfix in the NTLM connection fallback update for Microsoft Endpoint Configuration Manager.
Summary of Hotfix KB15498768
Disabling the Allow connection fallback to NTLM option in Client Push Installation Properties is not honored under either of the following conditions:
- If there are Kerberos authentication failures, the client push account will attempt an NTLM connection instead.
- The site server computer account will attempt a connection using NTLM if Kerberos authentication fails for all defined client push installation accounts.
The ConfigMgr hotfix KB15498768 update prevents any attempt at NTLM authentication for client push installation when the Allow connection fallback to NTLM option is disabled.
Installing the KB15498768 update resolves the security issue described above.
Beginning with Configuration Manager 2207, the Allow connection fallback to NTLM option is disabled by default on new site installations. It is recommended to disable this option in existing environments, where possible, to increase security.
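To check on a computer targeted by client push that neither the client push account nor the site server computer account still logs on with NTLM after the option is disabled and the hotfix is installed, the following added PowerShell example (not part of the original article or of Microsoft's guidance) filters logon events (Event ID 4624) for NTLM network logons. The account names svc-cmpush and CMSITE01$ and the sample events are constructed placeholders.

```powershell
# Added example. Account names are placeholders (assumptions), not values from the article.
$PushIdentities = @('svc-cmpush', 'CMSITE01$')  # client push account; site server computer account

# Turn a Security-log 4624 record into an object keyed by its EventData field names.
function ConvertFrom-LogonEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $fields = [ordered]@{ TimeCreated = $Record.TimeCreated }
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]$fields
    }
}

# Keep only network logons (type 3) that used NTLM for one of the watched identities.
function Get-NtlmPushLogon {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $Identities
    )
    $Events | Where-Object {
        $_.LogonType -eq 3 -and
        $_.AuthenticationPackageName -eq 'NTLM' -and
        $Identities -contains $_.TargetUserName
    }
}

# Constructed sample events (not real log data): one Kerberos logon, two NTLM
# logons by watched identities, and one unrelated NTLM logon.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2022-10-03 09:14:02'; TargetUserName = 'svc-cmpush'; LogonType = 3; AuthenticationPackageName = 'Kerberos'; IpAddress = '10.0.0.10' }
    [pscustomobject]@{ TimeCreated = '2022-10-03 09:15:40'; TargetUserName = 'svc-cmpush'; LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.0.10' }
    [pscustomobject]@{ TimeCreated = '2022-10-03 09:15:41'; TargetUserName = 'CMSITE01$'; LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.0.10' }
    [pscustomobject]@{ TimeCreated = '2022-10-03 09:20:00'; TargetUserName = 'alice'; LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.0.77' }
)

# Returns the two NTLM logons by the watched identities; any hit means fallback still occurs.
Get-NtlmPushLogon -Events $sample -Identities $PushIdentities |
    Select-Object TimeCreated, TargetUserName, AuthenticationPackageName, IpAddress

# Live use on a client push target, from an elevated prompt:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ConvertFrom-LogonEvent
# Get-NtlmPushLogon -Events $live -Identities $PushIdentities
```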
For Configuration Manager versions 2107 and later, the KB15498768 update does not require a computer restart or a site reset after installation. Configuration Manager version 2103 will require a site reset after update installation.
Install SCCM Hotfix KB15498768 NTLM Connection Fallback Update
Perform the following steps to install SCCM Hotfix KB15498768 NTLM Connection Fallback Update:
- Launch the Microsoft Endpoint Configuration Manager console.
- Browse to Administration\Overview\Updates and Servicing.
- Right-click on Configuration Manager 2207 Hotfix KB15498768 and select Install Update Pack.
The Configuration Manager 2207 Hotfix KB15498768 includes only site server updates. For prerequisite warnings, you can enable the option “Ignore any prerequisite check warnings and install the update” on your production server running SCCM 2207. Click Next.
Accept the license terms for installing the KB15498768 hotfix. Click Next.
On the Summary page, confirm the settings and click Next.
Close the Configuration Manager updates wizard. This completes the steps to install KB15498768 Hotfix for SCCM 2207.
Monitor the KB15498768 Hotfix Installation Progress
You can monitor the KB15498768 hotfix installation progress by reviewing the cmupdate.log on the site server. Alternatively, the Monitoring workspace provides information on the progress of hotfix installation. Have a look at the list of all the SCCM Log Files for hotfix updates.
Hotfix KB15498768 required a total of just 10 minutes to install, and there were no issues at any point in the process. There will be an SCCM site reset after the installation of the hotfix update KB15498768 even though it doesn’t require a restart of the computer.
Note that the KB15498768 hotfix does not require a console upgrade or a client agent upgrade. Only site server updates are included with KB15498768.
Verify the KB15498768 Installation on the SCCM Server
Let’s check if the KB15498768 hotfix is installed. Launch the Configuration Manager console and go to Administration\Overview\Updates and Servicing. We see the Configuration Manager 2207 hotfix KB15498768 shows as Installed. This confirms the hotfix installation is successful.
Updating the Secondary Sites with Hotfix KB15498768
After you install the SCCM 2207 hotfix KB15498768 on a primary site, pre-existing secondary sites must be manually updated. Read more about secondary site installation in SCCM.
To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
- If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.
- If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.