SCCM Hotfix KB15498768 NTLM Connection Fallback Update

The SCCM hotfix KB15498768 update prevents any attempt at NTLM authentication for client push installation when the Allow connection fallback to NTLM option is disabled. This hotfix is applicable to ConfigMgr versions 2103 to 2207.

The KB15498768 (NTLM connection fallback update) hotfix update is available in the Updates and Servicing node of the Configuration Manager console for environments that have versions 2103-2207 installed.

Last week, Microsoft released the KB14959905 hotfix for the SCCM 2207 early update ring. The KB14959905 hotfix update addresses important, late-breaking issues that were resolved after Configuration Manager version 2207 became available globally.

The hotfix KB15498768 applies to Configuration Manager versions 2103 to 2207. This update does not replace any previously released updates. Read more details about the hotfix in the NTLM connection fallback update for Microsoft Endpoint Configuration Manager.

Summary of Hotfix KB15498768

Disabling the Allow connection fallback to NTLM option in Client Push Installation Properties is not honored under either of the following conditions:

  • If there are Kerberos authentication failures, the client push account will attempt an NTLM connection instead.
  • The site server computer account will attempt a connection using NTLM if Kerberos authentication fails for all defined client push installation accounts.

The ConfigMgr hotfix KB15498768 update prevents any attempt at NTLM authentication for client push installation when the Allow connection fallback to NTLM option is disabled.
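To confirm the behaviour on client machines, the check below flags NTLM network logon attempts by a client push account or the site server computer account, the two conditions listed above. It is an added example, not part of the original post or of Microsoft's guidance. It assumes Security events exported as XML (for example with wevtutil and a root element), and the account names svc-cmpush and CM01$, the host names and the sample events are constructed. It also counts failed attempts (event 4625), not only successful logons (event 4624).

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed account names for this example; replace with your own.
PUSH_ACCOUNTS = {"svc-cmpush"}     # client push installation account(s)
SITE_SERVER_ACCOUNT = "cm01$"      # site server computer account

def _event(eid, user, pkg, ip, host="PC01", logon_type="3"):
    """Build one constructed Security event in Windows event XML form."""
    data = {"TargetUserName": user, "LogonType": logon_type,
            "AuthenticationPackageName": pkg, "IpAddress": ip}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>{host}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample events (not real log data).
SAMPLE = "<Events>" + "".join([
    _event(4624, "svc-cmpush", "Kerberos", "10.0.0.5"),       # expected path
    _event(4624, "svc-cmpush", "NTLM", "10.0.0.5"),           # push account used NTLM
    _event(4625, "CM01$", "NTLM", "10.0.0.5", host="PC02"),   # failed site server attempt
    _event(4624, "alice", "NTLM", "10.0.0.77"),               # unrelated account
    _event(4624, "svc-cmpush", "NTLM", "-", logon_type="5"),  # not a network logon
]) + "</Events>"

def find_ntlm_push_logons(xml_text):
    """Return (event_id, computer, account, source_ip) for every network logon
    attempt (4624 success, 4625 failure) made over NTLM by a watched account."""
    watched = {a.lower() for a in PUSH_ACCOUNTS} | {SITE_SERVER_ACCOUNT.lower()}
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in (4624, 4625):
            continue
        d = {n.get("Name"): (n.text or "") for n in ev.findall("e:EventData/e:Data", NS)}
        if (d.get("LogonType") == "3"
                and d.get("AuthenticationPackageName", "").strip().upper() == "NTLM"
                and d.get("TargetUserName", "").lower() in watched):
            hits.append((eid, ev.findtext("e:System/e:Computer", namespaces=NS),
                         d["TargetUserName"], d.get("IpAddress", "")))
    return hits

if __name__ == "__main__":
    for hit in find_ntlm_push_logons(SAMPLE):
        print(hit)
```

With the option disabled and the hotfix installed, a client push attempt should produce no hits for these accounts on the target machines.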

Installing the KB15498768 update resolves the security issue described above.

Beginning with Configuration Manager 2207, the Allow connection fallback to NTLM option is disabled by default on new site installations. It is recommended to disable this option in existing environments, where possible, to increase security.

Allow connection fallback to NTLM

For Configuration Manager versions 2107 and later, the KB15498768 update does not require a computer restart or a site reset after installation. Configuration Manager version 2103 will require a site reset after update installation.

Install SCCM Hotfix KB15498768 NTLM Connection Fallback Update

Perform the following steps to install SCCM Hotfix KB15498768 NTLM Connection Fallback Update:

  • Launch the Microsoft Endpoint Configuration Manager console.
  • Browse to Administration\Overview\Updates and Servicing.
  • Right-click on Configuration Manager 2207 Hotfix KB15498768 and select Install Update Pack.
Install SCCM Hotfix KB15498768

The Configuration Manager 2207 Hotfix KB15498768 includes only site server updates. For prerequisite warnings, you can enable the option “Ignore any prerequisite check warnings and install the update” on your production server running SCCM 2207. Click Next.

Install SCCM Hotfix KB15498768

Accept the license terms for installing the KB15498768 hotfix. Click Next.

Install SCCM Hotfix KB15498768

On the Summary page, confirm the settings and click Next.

Close the Configuration Manager updates wizard. This completes the steps to install KB15498768 Hotfix for SCCM 2207.

Install SCCM Hotfix KB15498768

Monitor the KB15498768 Hotfix Installation Progress

You can monitor the KB15498768 hotfix installation progress by reviewing the cmupdate.log on the site server. Alternatively, the Monitoring workspace provides information on the progress of hotfix installation. Have a look at the list of all the SCCM Log Files for hotfix updates.

Monitor the KB15498768 Hotfix Installation Progress

Hotfix KB15498768 required a total of just 10 minutes to install, and there were no issues at any point in the process. There will be an SCCM site reset after the installation of the hotfix update KB15498768 even though it doesn’t require a restart of the computer.

Note that the KB15498768 hotfix requires neither a console upgrade nor a client agent upgrade. Only site server updates are included with KB15498768.

Verify the KB15498768 Installation on the SCCM Server

Let’s check if the KB15498768 hotfix is installed. Launch the Configuration Manager console and go to Administration\Overview\Updates and Servicing. We see the Configuration Manager 2207 hotfix KB15498768 shows as Installed. This confirms the hotfix installation is successful.

Verify the KB15498768 Installation

Updating the Secondary Sites with Hotfix KB15498768

After you install the SCCM 2207 hotfix KB15498768 update on a primary site, pre-existing secondary sites must be manually updated. Read more about secondary site installation in SCCM.

To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
  • If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.
  • If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

8 Comments

  1. Is there a standalone version of this hotfix? I don’t have a connection to download it through MECM

  2. Is a site reset required on the primary site for 2203 after the KB15498768 hotfix is installed?

  3. Prajwal,
    After I upgraded Configuration Manager from 2111 to 2207, most of our devices show offline, even though I can ping and remote to them. Will this KB15498768 fix the issue?
    Thanks

  4. Per https://learn.microsoft.com/en-us/mem/configmgr/hotfix/2207/15498768
    “For Configuration Manager versions 2107 and later, this update does not require a computer restart or a site reset after installation.

    Configuration Manager version 2103 will require a site reset after update installation.”

    In the guide you mention that a site reset is required, was this tested on 2103, or is the Microsoft article incorrect?

    Thanks!

    1. Honestly, I haven’t tested the hotfix installation on version 2103. My lab is running the latest version of Configuration Manager. Any reason why you are concerned about the site reset thing?
