Update 2409 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 2303 or later. This article summarizes the changes and new features in Configuration Manager, version 2409.
Configuration Manager now supports SQL Extended Protection for Authentication
Configuration Manager now supports SQL extended protection for authentication. It's a security feature that enhances protection against MITM attacks, making SQL server more secure when connections are made using extended protection. These enhancements collectively reduce the risk of unauthorized access and protect sensitive data managed by the SQL Server database engine.
For more information, see Connect to the Database Engine Using Extended Protection.
Introducing Centralized Search - Desired Workspace Selection
The centralized search box now enables the option to select the desired workspace for searching. Users can easily refine their search results by selecting the desired workspace from the dropdown menu.
Configuration Manager does not support SQL Server 2012 and 2014
Starting with version 2409, Configuration Manager no longer supports SQL Server 2012 and 2014. Upgrade to the latest SQL Server version or at least SQL Server 2016. If you don’t upgrade, CM upgrades are blocked, and you see an error during the pre-req check.
For more information, see Supported SQL Server versions for Configuration Manager.
Operating System support added for Windows 11 24H2 and Windows Server 2025
With this version of Configuration Manager, support is added for Windows 11 24H2 and Windows Server 2025.
- Windows 11 24H2 & Windows Server 2025 are added to the Product lifecycle dashboard and supported platform.
- Windows 11 24H2 & Windows Server 2025 client support is added.
- Boot image creation in CM on Windows Server 2025 now supports latest Windows ADK.
- Windows upgrade readiness dashboard now supports Windows 11 24H2 for upgrading clients.
Note: Windows Server and Windows 11 24H2 do not support Firewall Rules. This will result in a non-compliant status in the Configuration Manager applet.
Software metering support in Arm64 devices
The Configuration Manager now supports Software metering for Arm64 devices. Software metering is used to monitor Windows PC desktop apps with a filename ending in .exe.
For more information, see Software metering in Configuration Manager.
BitLocker support in Arm64 devices
Configuration Manager now supports BitLocker task sequence steps for Arm64 devices. In BitLocker Management, policies that include OS drive encryption with a TPM protector and fixed drive encryption with the Auto-Unlock option are supported on Arm64 devices.
For more information, see Bitlocker Supported configurations.
CMG Entra Application secret key renewal
The 'Renew Secret Key' feature now opens a dialog with four options for the validity period. This update also prevents applications older than 800 days (approximately two years) from renewing their secret keys. The same options are available when creating a new app.
Note: The admin must sign in using tenant global administrator credentials and then click on the Renew button.
CMG Enhanced security option
CMG Setup now uses managed Identities and third-party Server App to interact with CMG's Azure Storage account, instead of storage account keys.
- Hence storage account key access is disabled for new CMG setup.
- For sessions upgrading from earlier versions to 2409, the 'CMG enhanced security' button is shown as enabled.
Known Issues
- Upgrade SQL 2012 or 2014 Express, Standard, Enterprise edition to SQl 2016 or latest version. VC++ Redistributable Version need to be upgraded to latest version on Secondary sites. Download Latest Microsoft Visual C++ Redistributable Version.
- Site base bootable media in SSL & Non-SSL session using CMG cert will not work. For more information, see Create boot media to use a CMG
Other Updates
Performance Enhancement of policy processing and collection evaluation
The performance of policy processing and collection evaluation has been enhanced. Previously, blocking chains from sp_ProcessPolicyChanges, called by PolicyPv, would run for hours, disrupting multiple workloads including collection management and policy processing.
Deprecated features
Learn about support changes before they're implemented in removed and deprecated items.
- The MDT Integration with CM and Standalone is no longer supported with Configuration Manager. Customers should remove MDT TS steps, followed by removing MDT integration, to avoid TS corruption and modification failures
For more information, see Removed and deprecated features for Configuration Manager.
Next steps
At this time, version 2409 is released for the early update ring. To install this update, you need to opt in. For more information, see Early update ring.
When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for installing update 2409.
Tip : To install a new site, use a baseline version of Configuration Manager.
For known significant issues, see the Release notes. After you update a site, also review the Post-update checklist.
Thank you,
The Configuration Manager team
Additional resources:
- What’s New in Configuration Manager
- Documentation for Configuration Manager
- Microsoft Configuration Manager announcement
- Microsoft Configuration Manager vision statement
- Evaluate Configuration Manager in a lab
- Upgrade to Configuration Manager
- Configuration Manager Forums
- Configuration Manager Support
- Report an issue
- Provide suggestions
Microsoft
