Release notes for Configuration Manager

Applies to: Configuration Manager (current branch)

With Configuration Manager, product release notes are limited to urgent issues. These issues aren't yet fixed in the product, or detailed in a troubleshooting article.

Feature-specific documentation includes information about known issues that affect core scenarios.

This article contains release notes for the current branch of Configuration Manager. For information on the technical preview branch, see Technical Preview.

For information about the new features introduced with different versions, see the following articles:

Tip

You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Set up and upgrade

Version 2107 update fails to download

Applies to: version 2107 and later

The update for Configuration Manager version 2107 is available to download, but it fails to download. The dmpdownloader.log on the service connection point has entries similar to the following:

Download large file with BITs
WARNING: EasySetupDownloadSinglePackage Failed with exception: The remote name could not be resolved: 'configmgrbits.azureedge.net'
WARNING: Retry in the next polling cycle

This failure happens because the service connection point can't communicate with the required internet endpoint, configmgrbits.azureedge.net. Confirm that the site system that hosts the service connection point role can communicate with this internet endpoint. It was already required, but its use is expanded in version 2107. The site system can't download version 2107 or later unless your network allows traffic to this URL.

For more information, see internet access requirements for the service connection point.

Software updates

Reset default value of superseding age in months for software updates

Applies to: version 2303

Removing SUP role in Admin Console does not reset the superseding age property in WMI. As a result, while reconfiguring the role, the previously configured value is shown in the configuration window. This property needs to be reset to default value on role removal. For more information, see supersedence rules for installing a software update point.

Security roles are missing for phased deployments

The OS Deployment Manager built-in security role has permissions to phased deployments. The following roles are missing these permissions:

  • Application Administrator
  • Application Deployment Manager
  • Software Update Manager

The App Author role may appear to have some permissions to phased deployments, but can't create deployments.

A user with one these roles can start the Create Phased Deployment wizard, and can see phased deployments for an application or software update. They can't complete the wizard, or make any changes to an existing deployment.

To work around this issue, create a custom security role. Copy an existing security role, and add the following permissions on the Phased Deployment object class:

  • Create
  • Delete
  • Modify
  • Read

For more information, see Create custom security roles

Configuration Manager console

Intune RBAC for tenant attached devices

Applies to: version 2207

[Updated]: There is a checkbox for a role-based access control (RBAC) setting in the cloud attach configuration wizard in the console. By default, Configuration Manager RBAC is enforced along with Intune RBAC when you're uploading your Configuration Manager devices to the cloud service. This checkbox is selected by default.

You can now configure Intune role-based access control (RBAC) when interacting with tenant attached devices from the Microsoft Intune admin center. For more information, see Intune role-based access control for tenant-attached clients.

Unable to open console because extension installation loops

Applies to: version 2111

In certain circumstances, you'll be unable to open the console due to an extension installation loop. This issue occurs when two or more versions of a single extension were marked as required for installation. This issue occurs for extensions imported through the wizard, from a PowerShell script, or through Community hub. If you use the Make optional setting before importing a new version of the extension, this issue doesn't occur.

When you encounter this issue, it initially appears as a normal console extension installation. After the extension finishes installing, you select Close to restart the Configuration Manager console. When the console restarts, you're prompted to install the console extension again. The extension installation will continue to loop and the Configuration Manager console doesn't fully open.

To both prevent and work around this issue, run the below SQL script on your CAS database and all of your primary site databases:

ALTER VIEW vSMS_ConsoleExtensionMetadata
AS
    WITH m AS(
       SELECT *,
           RN = ROW_NUMBER()OVER(PARTITION BY ID ORDER BY Version DESC)
       FROM ConsoleExtensionMetadata
    ) 
    SELECT 
        m.ID, 
        m.Name, 
        m.Description, 
        m.Author, 
        m.Version, 
        m.IsEnabled, 
        m.IsApproved, 
        m.CreatedTime, 
        m.CreatedBy, 
        m.UpdateTime, 
        m.IsTombstoned, 
        m.IsRequired, 
        m.IsSigned, 
        m.IsUnsignedAllowed, 
        CASE m.IsRequired 
            WHEN 0 THEN ''  
            ELSE  
            ( 
                SELECT top(1) author FROM ConsoleExtensionRevisionHistory h 
                WHERE m.ID=h.ExtensionId AND m.Version=h.Version AND h.Changes & 1=1 
                ORDER BY h.RevisionTime DESC 
            ) 
        END AS RequiredBy, 
        m.IsSetupDefined 
    FROM m
    WHERE RN = 1
GO

Boundaries and Boundary groups

Clients not belonging to any boundary group may fail to download due to SQL issue

Applies to: version 2303, 2309 RTM

Consider ConfigMgr hierarchy with a remote MP and CMG and you deploy an app to a device collection. The Clients cannot download app, and reflect the below SQL permissions issue in MP_Location.log.

   The SELECT permission was denied on the object 'vSMS_DefaultBoundaryGroup', database 'CM_xxx', schema 'dbo'.

To workaround the issue run the below SQL script on the SQL database on the primary sites where the MP reports.

    GRANT SELECT ON vSMS_DefaultBoundaryGroup To smsdbrole_MP