Introduction
Shortly after Technical Preview 2411 was released, I predicted that Configuration Manager 2409 would be released within a couple of days,
and it was, more or less, well… 4 days later.
This production release was late, and people were waiting to see what the new release offered and fixed. To clarify what I mean by late: if we go by the release name (Configuration Manager 2409, i.e. year 24, month 09), it should technically have shipped in September 2024, yet it was released in December 2024.
Oh well, at least it’s out.
2409 Release dates
- Fast Ring: December 03, 2024
- Slow Ring: December 16, 2024
I upgraded my lab to 2409 using the fast ring script as soon as it was available, and I had no issues at all with the upgrade.
Here are the update notes from Microsoft.
What’s new?
Now that we have 2409 installed, what is new, changed, broken or deprecated? I’ll highlight the important ones; you can get the entire list here.
SQL related
- Configuration Manager now supports SQL Server Extended Protection for Authentication (EPA). EPA binds the Windows authentication handshake to the TLS channel (channel binding) and/or to the intended service name (service binding), so credentials captured by a man-in-the-middle cannot simply be relayed to the SQL Server. It only helps if it is actually enabled on the SQL instance, and "Required" mode rejects any client that does not present the binding, so test it before enforcing it.
- Starting with version 2409, Configuration Manager no longer supports SQL Server 2012 and 2014. Upgrade to the latest SQL Server version, or at least SQL Server 2016. If you don’t upgrade, CM upgrades are blocked and the prerequisite check reports an error. For more information, see Supported SQL Server versions for Configuration Manager.
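Both SQL items above are things worth checking on the site database server before you run the 2409 upgrade. The following is an added example (not from the original post and not Microsoft's prerequisite checker): it reads the registry keys SQL Server setup writes for each local instance, flags any version below 13.x (SQL Server 2016) and reports the Extended Protection and Force Encryption settings. The meaning of the ExtendedProtection value (0 = Off, 1 = Allowed, 2 = Required) is taken from the SQL Server documentation; run it elevated on the SQL host.

```powershell
# Added example: pre-upgrade SQL check for the CM 2409 prerequisites.
# Uses the registry locations SQL Server setup creates; nothing here changes configuration.
$sqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# "Instance Names\SQL" maps an instance name (MSSQLSERVER) to its instance ID (MSSQL16.MSSQLSERVER).
$instanceMap = Get-ItemProperty -Path "$sqlRoot\Instance Names\SQL" -ErrorAction Stop

# ExtendedProtection DWORD meanings per the SQL Server docs.
$epaNames = @{ 0 = 'Off'; 1 = 'Allowed'; 2 = 'Required' }

foreach ($prop in $instanceMap.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
    $instanceName = $prop.Name
    $instanceId   = $prop.Value

    $version = (Get-ItemProperty -Path "$sqlRoot\$instanceId\MSSQLServer\CurrentVersion").CurrentVersion
    $major   = [int]($version.Split('.')[0])

    # Network-library settings: EPA and Force Encryption live here.
    $net = Get-ItemProperty -Path "$sqlRoot\$instanceId\MSSQLServer\SuperSocketNetLib"
    $epa = [int]$net.ExtendedProtection        # a missing value casts to 0, i.e. Off

    [pscustomobject]@{
        Instance           = $instanceName
        Version            = $version
        SupportedBy2409    = ($major -ge 13)   # SQL Server 2016 is 13.x; 2012/2014 are 11.x/12.x
        ExtendedProtection = $epaNames[$epa]
        ForceEncryption    = ([int]$net.ForceEncryption -eq 1)
    }
}
```

Channel binding only works over an encrypted connection, so if you intend to move to "Required" you want Force Encryption (with a proper server certificate) in place first, and you want to confirm the site server, SMS Provider and console hosts still connect before flipping the setting.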
OSD related
- MDT is deprecated, so it’s time to remove all MDT integration from your task sequences before October 2025.
- Windows 11 24H2 and Windows Server 2025 are added to the Product Lifecycle dashboard and the list of supported platforms.
- Windows 11 24H2 & Windows Server 2025 client support is added.
- Boot image creation in CM on Windows Server 2025 now supports the latest Windows ADK.
- The Windows upgrade readiness dashboard now supports Windows 11 24H2 for upgrading clients.
- Configuration Manager now supports BitLocker task sequence steps for Arm64 devices.
Cloud related
- The ‘Renew Secret Key’ feature now opens a dialog with four options for the validity period. This update also prevents applications older than 800 days (approximately two years) from renewing their secret keys. The same options are available when creating a new app.
- CMG setup now uses managed identities and the third-party server app to interact with the CMG’s Azure Storage account instead of storage account keys. That removes a long-lived, full-access credential (the storage account key) from the deployment, so there is one less secret to rotate or leak.
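The secret-key change above is really about credential lifetime, and the console only shows you one app at a time. As an added example (not from the post, and not part of Configuration Manager), the script below uses the Microsoft.Graph PowerShell module to list every app registration's client secrets with their expiry and the age of the app, so you can spot a Cloud Management server app that is about to expire or that has already passed the 800-day threshold the console now enforces. It assumes the Microsoft.Graph.Applications module is installed and the signed-in account has Application.Read.All; the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example: audit client-secret expiry across app registrations via Microsoft Graph.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$warnDays = 30                                   # assumed threshold, adjust to taste
$now      = (Get-Date).ToUniversalTime()

$report = foreach ($app in Get-MgApplication -All -Property Id,DisplayName,AppId,CreatedDateTime,PasswordCredentials) {
    $created    = if ($app.CreatedDateTime) { ([datetime]$app.CreatedDateTime).ToUniversalTime() } else { $null }
    $appAgeDays = if ($created) { [math]::Floor(($now - $created).TotalDays) } else { $null }

    foreach ($secret in $app.PasswordCredentials) {
        $expires  = ([datetime]$secret.EndDateTime).ToUniversalTime()
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)

        [pscustomobject]@{
            App         = $app.DisplayName
            AppId       = $app.AppId
            AppAgeDays  = $appAgeDays          # >= 800 means the console will refuse to renew this app's secret
            SecretHint  = $secret.Hint         # Graph exposes only the first characters; the secret itself is not retrievable
            Expires     = $expires
            DaysLeft    = $daysLeft
            Status      = if ($daysLeft -lt 0) { 'EXPIRED' }
                          elseif ($daysLeft -le $warnDays) { 'RENEW SOON' }
                          else { 'OK' }
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

If an app shows up with AppAgeDays at or above 800, plan on creating a new server app and pointing the CMG at it rather than waiting for the renew button to refuse you.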
Other
- In BitLocker Management, policies that include OS drive encryption with a TPM protector and fixed drive encryption with the Auto-Unlock option are supported on Arm64 devices.
Issues I observed (post upgrade)
Upgrading to 2409 twice
As I had originally upgraded to 2409 using the fast ring script, I went back to see if any HFRU had been released to address any issues. There wasn’t one; however, there was a new version of Configuration Manager 2409 … not confusing at all.
So before continuing I decided to upgrade my site to 2409 again :-).
After some time (the next day) my site was upgraded again and looking good, this time with version 5.00.9132.1011.
Enabling CMG Enhanced Security
When enabling the CMG enhanced security, using an account that was a Global Admin in Azure, I got the following error:
Subscription Configuration
Error occurred when granting Contributor permission to the Microsoft Entra ID app for resource group cloudattachcmg. For more information, see SmsAdminUI.log.
which pointed me to the SmsAdminUI.log. Here’s a snippet from that log:
[1, PID:3620][12/18/2024 11:21:17] :Hyak.Common.CloudException
Failed to complete the role assignment with status code Forbidden.
at Microsoft.ConfigurationManagement.AdminConsole.AzureServices.EnhanceSecurityDialog.GrantRoleBasedAccessControlToAadAppOnResourceGroup(String subscriptionId, String servicePrincipalId, String resourceGroupName)
I looked at the user I was logged in as, and it was indeed a Global Admin with the role activated using PIM; however, it wasn’t a subscription owner, as the following indicates you need to be.
When I originally set up this CMG I used a different Global Admin account, which was also the subscription owner. So I assigned the subscription Owner Azure resource role to my new Global Admin user, PIM’d the role and tried again.
This time, it went through the upgrade wizard without a hitch!
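The underlying reason for the Forbidden above is that Entra ID directory roles (Global Administrator) and Azure RBAC roles on subscriptions are separate authorization systems: the wizard is writing a role assignment on the resource group, which needs the Microsoft.Authorization/roleAssignments/write action, carried by Owner or User Access Administrator, not by any directory role. Before running the enhanced-security wizard you can check the signed-in account from the Az PowerShell modules. This is an added example, not from the post; the subscription ID is a placeholder, the resource group name is the one from the error text, and it assumes Az.Accounts and Az.Resources are installed.

```powershell
# Added example: does the signed-in account hold a role at (or inherited into) the CMG
# resource-group scope that allows writing role assignments?
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with yours
$resourceGroup  = 'cloudattachcmg'                          # resource group named in the console error

Connect-AzAccount -Subscription $subscriptionId | Out-Null

$scope  = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$upn    = (Get-AzContext).Account.Id
$needed = 'Microsoft.Authorization/roleAssignments/write'

# Direct and group-based assignments at this scope, including those inherited from the
# subscription or management group. Only active assignments are returned; an eligible
# PIM role that has not been activated will not appear here.
$assignments = Get-AzRoleAssignment -Scope $scope -SignInName $upn -ExpandPrincipalGroups

$evaluation = foreach ($a in $assignments) {
    $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    # Role definition actions are wildcard patterns ("*", "Microsoft.Authorization/*"),
    # so match the needed action against each pattern with -like.
    $allowed = @($def.Actions    | Where-Object { $needed -like $_ }).Count -gt 0
    $denied  = @($def.NotActions | Where-Object { $needed -like $_ }).Count -gt 0
    [pscustomobject]@{
        Role   = $a.RoleDefinitionName
        Scope  = $a.Scope
        Grants = ($allowed -and -not $denied)
    }
}

$evaluation | Format-Table -AutoSize

if (-not ($evaluation.Grants -contains $true)) {
    Write-Warning "$upn cannot write role assignments at $scope. Owner or User Access Administrator on the resource group or subscription is required; a Global Administrator role in Entra ID does not grant this."
}
```

If the account holds Owner at subscription scope, as in the fix above, it shows up here as an inherited assignment with Grants = True. A Global Administrator can also obtain User Access Administrator at the root scope through Entra's "elevate access" switch, but that is a tenant-wide grant and a dedicated subscription-scoped role is the narrower choice.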
I hope this helps someone!
New abilities
Below you can see the new maintenance windows feature, which is part of the CMG enhanced security.
The renew secret key option for your Cloud Management server app
opens the following wizard with new options for secret key expiry.
Centralized search means you can now decide which node to search in, or choose All Workspaces to search everywhere.
Until the next time,
cheers
niall