Configuration Manager Blog

Update 2409 for Microsoft Configuration Manager current branch is now available.

Bala_Delli (Former Employee)
Dec 03, 2024

Update 2409 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 2303 or later. This article summarizes the changes and new features in Configuration Manager, version 2409.

Configuration Manager now supports SQL Extended Protection for Authentication

Configuration Manager now supports SQL Server extended protection for authentication. This security feature strengthens protection against man-in-the-middle (MITM) attacks: when connections are made using extended protection, SQL Server can reject authentication that was relayed through an attacker. These enhancements collectively reduce the risk of unauthorized access and protect sensitive data managed by the SQL Server Database Engine.

For more information, see Connect to the Database Engine Using Extended Protection.
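The extended protection setting is configured per SQL Server instance on the site database server, so it is worth checking before you rely on it. The following script is an added example (it is not part of this post and not Microsoft's code); it reads each instance's setting from the registry. It assumes the setting is stored as the DWORD `ExtendedProtection` under the instance's `MSSQLServer\SuperSocketNetLib` key (0 = Off, 1 = Allowed, 2 = Required), which you should cross-check against SQL Server Configuration Manager (Protocols, Advanced tab).

```powershell
# Added example, not code from the blog post: report the Extended Protection setting of every
# SQL Server instance installed on the local site database server.
# Assumption: the setting lives in the DWORD 'ExtendedProtection' under the instance's
# MSSQLServer\SuperSocketNetLib key (0 = Off, 1 = Allowed, 2 = Required); cross-check the
# result against SQL Server Configuration Manager > Protocols > Advanced.
# Run on the SQL Server host in an elevated PowerShell session.

$instanceNamesKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instanceNames    = Get-Item -Path $instanceNamesKey -ErrorAction Stop

$results = foreach ($instanceName in $instanceNames.GetValueNames()) {
    # Each value maps an instance name (e.g. MSSQLSERVER) to its instance ID (e.g. MSSQL16.MSSQLSERVER)
    $instanceId = $instanceNames.GetValue($instanceName)
    $netLibKey  = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"

    $raw = (Get-ItemProperty -Path $netLibKey -Name 'ExtendedProtection' -ErrorAction SilentlyContinue).ExtendedProtection

    if ($null -eq $raw) {
        $mode = 'Not configured (behaves as Off)'
    }
    else {
        $mode = switch ($raw) {
            0       { 'Off' }       # clients may authenticate without channel/service binding
            1       { 'Allowed' }   # EP is used when the client offers it; legacy clients still accepted
            2       { 'Required' }  # connections without valid EP binding data are rejected
            default { "Unknown value $raw" }
        }
    }

    [pscustomobject]@{
        Instance           = $instanceName
        InstanceId         = $instanceId
        ExtendedProtection = $mode
        # Only 'Required' actually blocks a relayed authentication; 'Allowed' is a migration state
        Enforced           = ($raw -eq 2)
    }
}

$results | Format-Table -AutoSize
```

Because the Configuration Manager site server is itself a client of the site database, move an instance to Required only after every site system that connects to it, including the site server running 2409, supports extended protection; otherwise those connections fail rather than silently falling back.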

Introducing Centralized Search - Desired Workspace Selection

The centralized search box now enables the option to select the desired workspace for searching. Users can easily refine their search results by selecting the desired workspace from the dropdown menu.

Configuration Manager does not support SQL Server 2012 and 2014

Starting with version 2409, Configuration Manager no longer supports SQL Server 2012 and 2014. Upgrade to the latest SQL Server version, or at least to SQL Server 2016. If you don't upgrade, Configuration Manager upgrades are blocked and you see an error during the prerequisite check.

For more information, see Supported SQL Server versions for Configuration Manager.
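Rather than discovering the blocked version during the in-console prerequisite check, you can test the site database server ahead of time. This script is an added example (not part of this post and not Microsoft's prerequisite checker); it reads `SERVERPROPERTY('ProductVersion')` and compares the major version against 13 (SQL Server 2016), since 2012 reports 11.x and 2014 reports 12.x. `$SiteDbServer` is a constructed placeholder, and the script assumes the account running it can connect to `master` with Windows authentication.

```powershell
# Added example, not code from the blog post: pre-flight check that the site database server
# runs a SQL Server version the 2409 update still supports. SQL Server 2012 = 11.x and
# 2014 = 12.x are now blocked; 2016 = 13.x is the minimum. Assumptions: $SiteDbServer is a
# constructed placeholder for your site database server\instance, and the account running the
# script can connect to master with Windows authentication.

param([string]$SiteDbServer = 'SITEDB01')   # placeholder; use 'host\instance' for named instances

$minimumMajor = 13
$editions = @{ 11 = 'SQL Server 2012'; 12 = 'SQL Server 2014'; 13 = 'SQL Server 2016'
               14 = 'SQL Server 2017'; 15 = 'SQL Server 2019'; 16 = 'SQL Server 2022' }

# Encrypt=True requires the server certificate to be trusted by this host; do not work around
# that with TrustServerCertificate=True, which would defeat the point of encrypting the session.
$connection = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
    "Server=$SiteDbServer;Database=master;Integrated Security=True;Encrypt=True"
$command = $connection.CreateCommand()
$command.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)),
       CAST(SERVERPROPERTY('Edition')        AS nvarchar(128))
"@

try {
    $connection.Open()
    $reader = $command.ExecuteReader()
    [void]$reader.Read()
    $productVersion = [version]$reader.GetString(0)   # e.g. 16.0.4135.4
    $edition        = $reader.GetString(1)
}
finally {
    $connection.Dispose()
}

$name = if ($editions.ContainsKey($productVersion.Major)) {
    $editions[$productVersion.Major]
} else {
    "SQL Server major version $($productVersion.Major)"
}

if ($productVersion.Major -ge $minimumMajor) {
    Write-Output "OK: $SiteDbServer runs $name ($productVersion, $edition); update 2409 accepts this version."
}
else {
    Write-Warning "BLOCKED: $SiteDbServer runs $name ($productVersion). Move the site database to SQL Server 2016 or later before installing update 2409."
}
```

Run it against the site database of every site in the hierarchy (central administration site and each primary), because the update is blocked if any of them is still on 2012 or 2014.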

Operating System support added for Windows 11 24H2 and Windows Server 2025

With this version of Configuration Manager, support is added for Windows 11 24H2 and Windows Server 2025.

  • Windows 11 24H2 and Windows Server 2025 are added to the Product lifecycle dashboard and to the supported platforms.
  • Client support is added for Windows 11 24H2 and Windows Server 2025.
  • Boot image creation in Configuration Manager on Windows Server 2025 now supports the latest Windows ADK.
  • The Windows upgrade readiness dashboard now supports Windows 11 24H2 as an upgrade target for clients.

Note: Windows Server and Windows 11 24H2 do not support firewall rules, which results in a non-compliant status in the Configuration Manager applet.

Software metering support in Arm64 devices

Configuration Manager now supports software metering for Arm64 devices. Software metering monitors Windows desktop apps whose filename ends in .exe.

For more information, see Software metering in Configuration Manager.

BitLocker support in Arm64 devices

Configuration Manager now supports BitLocker task sequence steps for Arm64 devices. In BitLocker Management, policies that include OS drive encryption with a TPM protector and fixed drive encryption with the Auto-Unlock option are supported on Arm64 devices.

For more information, see BitLocker supported configurations.

CMG Entra Application secret key renewal 

The 'Renew Secret Key' feature now opens a dialog with four options for the validity period. This update also prevents applications older than 800 days (approximately two years) from renewing their secret keys. The same options are available when you create a new app.

 Note: The admin must sign in using tenant global administrator credentials and then click on the Renew button.
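Because an app registration older than 800 days can no longer have its secret renewed from the console, it helps to know the age of the CMG server app and when its current secret expires before that date arrives. The script below is an added example (not part of this post and not Microsoft's code) using the Microsoft.Graph PowerShell SDK's `Get-MgApplication`; it reports each matching app's age and soonest secret expiry and flags apps past the 800-day threshold stated above. `$NamePattern` is a constructed display-name filter that you should adjust to your CMG server app.

```powershell
# Added example, not code from the blog post: inventory the tenant's app registrations, showing
# each app's age and soonest secret expiry and flagging apps older than 800 days, which the
# 2409 console will no longer renew. Uses the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph.Applications). Assumptions: $NamePattern is a constructed
# filter for the CMG server app's display name; the 800-day threshold is the one in the post.

param([string]$NamePattern = '*CMG*')

Connect-MgGraph -Scopes 'Application.Read.All'   # read-only scope is sufficient for a report

$maxRenewableAgeDays = 800
$now = (Get-Date).ToUniversalTime()

$report = Get-MgApplication -All |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        $app     = $_
        $ageDays = [int](($now - $app.CreatedDateTime.ToUniversalTime()).TotalDays)
        # Pipe through Where-Object so an app with no secrets yields an empty array, not @($null)
        $secrets = @($app.PasswordCredentials | Where-Object { $_ })

        # Soonest-expiring client secret, or $null if the app has none
        $nextExpiry   = ($secrets | Sort-Object EndDateTime | Select-Object -First 1).EndDateTime
        $daysToExpiry = $null
        if ($nextExpiry) {
            $daysToExpiry = [int]($nextExpiry.ToUniversalTime() - $now).TotalDays
        }

        [pscustomobject]@{
            DisplayName      = $app.DisplayName
            AppId            = $app.AppId
            AgeDays          = $ageDays
            SecretCount      = $secrets.Count
            NextSecretExpiry = $nextExpiry
            DaysToExpiry     = $daysToExpiry
            # $false: the console's Renew Secret Key dialog refuses; plan a replacement app instead
            ConsoleRenewable = ($ageDays -le $maxRenewableAgeDays)
        }
    }

$report | Sort-Object DaysToExpiry | Format-Table -AutoSize
```

An app that is both close to 800 days old and close to secret expiry is the case to act on first: once it passes the age limit, the only path is a new app registration, which is why the report shows both numbers side by side.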

CMG Enhanced security option

CMG setup now uses managed identities and a third-party server app to interact with the CMG's Azure Storage account, instead of storage account keys.

  • Storage account key access is therefore disabled for new CMG setups.
  • For sites upgrading from earlier versions to 2409, the 'CMG enhanced security' button is shown as enabled.
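Moving from storage account keys to identity-based access only pays off if key access is actually turned off on the storage account, because a leaked key would otherwise still grant full access regardless of how the CMG itself authenticates. The following script is an added example (not part of this post and not Microsoft's CMG setup code) that uses the Az.Storage module to read the account's `AllowSharedKeyAccess` setting and, with `-Remediate`, to disable it. `$ResourceGroup` and `$StorageAccount` are constructed placeholder names.

```powershell
# Added example, not code from the blog post: confirm the CMG storage account rejects storage
# account keys, so only Entra-authorized callers (the managed identity / server app) can reach it,
# and optionally disable key access. Uses Az.Storage. $ResourceGroup and $StorageAccount are
# constructed placeholders for the CMG's resource group and storage account.

param(
    [string]$ResourceGroup  = 'rg-cmg',          # placeholder
    [string]$StorageAccount = 'stcmgexample',    # placeholder
    [switch]$Remediate                           # pass to disable shared key access
)

Connect-AzAccount | Out-Null   # skip if the session is already signed in

$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount

# AllowSharedKeyAccess is $null (Azure default) or $true when key-based authorization still works
$sharedKeyAllowed = ($account.AllowSharedKeyAccess -ne $false)

if (-not $sharedKeyAllowed) {
    Write-Output "OK: $StorageAccount rejects storage account keys; only Entra-authorized access works."
}
elseif ($Remediate) {
    # Setting this to $false makes every Shared Key request, and every SAS signed with the account
    # key, fail. Do it only once the CMG is on 2409 with enhanced security enabled.
    Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount -AllowSharedKeyAccess $false | Out-Null
    Write-Output "Disabled shared key access on $StorageAccount."
}
else {
    Write-Warning "$StorageAccount still allows storage account key access; rerun with -Remediate once CMG enhanced security is enabled."
}
```

For a site upgraded to 2409, run the check without `-Remediate` first: the post says the enhanced security button shows as enabled after upgrade, and this confirms the storage account side matches before you cut off key access.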

Known Issues

Other Updates

Performance Enhancement of policy processing and collection evaluation

Policy processing and collection evaluation now perform better. Previously, blocking chains from sp_ProcessPolicyChanges, which PolicyPv calls, could run for hours and disrupt multiple workloads, including collection management and policy processing.

Deprecated features

Learn about support changes before they're implemented in removed and deprecated items.

  • MDT integration with Configuration Manager (and standalone MDT) is no longer supported. Remove the MDT task sequence steps first, and then remove the MDT integration, to avoid task sequence corruption and modification failures.

For more information, see Removed and deprecated features for Configuration Manager.

Next steps

As of December 16, 2024, version 2409 is globally available for all customers to install.

Note: If you are an existing Fast ring current branch 2409 customer, you will see the Slow ring upgrade package in the console. Install the 2409 Slow ring package to be on the production current branch.

When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for installing update 2409.

Tip: To install a new site, use a baseline version of Configuration Manager.

For known significant issues, see the Release notes. After you update a site, also review the Post-update checklist.

Thank you, 

The Configuration Manager team 

Updated Dec 16, 2024

5 Comments

  • Ronan_Fahy (Brass Contributor)

    ORCHESTRATION GROUPS - are there plans to improve, as in "fix", these? We are trying to move away from WSUS for server patching. We've been using SCCM and ADRs for PC/laptop patching for years and it's great. We have moved to SCCM for servers recently; a few teething problems with maintenance windows and patch installs not starting, etc., but we're dealing with them.

    But clusters... Christ.

    This weekend our DR Hyper-V cluster orchestration kicked off at 12. The group is configured for 1 member at a time. 2 locks were assigned at the exact same time. Both failed, which hung the entire orchestration group. Today I tried to reset the state. There's no "just stop orchestration for this group" option. Per-member reset is iffy, but it appeared to work. So then I right-clicked the group, chose start orchestration, and ticked the "ignore maintenance windows" box. The first node sat "in progress" for ages but nothing was actually happening. Logs indicated the task was not passing the maintenance window check, even though I told it to ignore maintenance windows.

    Tried to reset the state a few times again, but all that happened was that all 8 nodes showed "waiting" and nothing I could do would stop it.

    Eventually I just added a one-off maintenance window for "now plus a few hours" and that seemed to kick it in; one node went to "in progress". As I write, though, still nothing is actually happening.

    You have no actual native way to patch clusters with SCCM. Cluster Aware Updating was fine with WSUS, but we're trying to remove WSUS and don't want to have to run a WSUS server just for cluster patching when everything else is using SCCM. And we do NOT intend to allow our servers to all pull from Windows Update directly, so don't go there...

    Orchestration groups kinda sorta work, but we had to write scripts to pause the nodes first and drain them, which isn't as easy as it sounds, as drain time can exceed the max wait time of the Suspend-ClusterNode command, and using Move-VM etc. doesn't work as the orchestration account doesn't have rights.

    To make these things truly enterprise ready we'd need at minimum:

    • Ability to say "stop" on a group as a whole.
    • Native cluster integration. Whether that's the orchestration feature itself recognising that it's a cluster and acting accordingly, or whether that's allowing the existing Cluster Aware Updating tool to plug into SCCM / see the patches made available in Software Center, I don't know, but we need something.
    • Better logging - tracing an update process, not to mention an orchestration process, through SCCM's 4 million log files is painful. One log that says "this is what I'm doing second by second" would be so much more useful. That could be as simple as a log file that pulls entries from the other log files into one place, BUT there's a lot of the language in the log files that's clear as mud and doesn't actually tell you much.
    • Better linkage between deployment and maintenance windows. We've found that orchestration just doesn't kick in unless the maintenance window is directly applied to the same collection that the update is actually deployed to. And we couldn't find that documented anywhere - Copilot figured it out. So for example we have updates deployed via ADR to wide collections like "Test Group", "Group 1", "Group 2" covering servers across multiple teams, and then we deploy maintenance windows to different collections that are basically "system" server groups. But orchestration doesn't see it.
    • Consistent behaviour from the "ignore maintenance windows" button. Here I am 20 minutes after writing the "I've just triggered it again" bit and it's still saying it doesn't pass the maintenance window check. I suspect that's because it's seeing that the server is ALSO in the "wide" collection to which the update is deployed via the ADR (with a 2nd deployment then specifically to a collection for this orchestration group), but that collection has no maintenance window on it. So it's not enough that it must deploy to a collection with a maintenance window configured; it seems like maybe it must ONLY deploy to collections with maintenance windows, and the local agent is not figuring out that "I am in an orchestration group, I have this patch deployed, I have a maintenance window".
  • TECHSCCM (Copper Contributor)

    Good afternoon,

    I have an issue with Configuration Manager 2409 not being able to satisfy the prerequisite check.

    I have a single site which is my CAS and Primary for the infrastructure. How can I solve or bypass this prerequisite?

    Thank you so much!

    • Bala_Delli (Former Employee)

      All ASR rules work well with Intune and in tenant attach scenarios for servers. New MDE changes land in Intune and not in CM.

  • When will open feedback on feedbackportal.microsoft.com be updated? It's been a couple of years and nothing is marked as completed; very few things have comments or feedback from the team on them. The prior UserVoice was far more active. Can we please see some movement on items?