Merge branch 'main' into Erikre-patch-4

autopilot/device-preparation/requirements.md

@@ -8,7 +8,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 06/28/2024
+ms.date: 09/05/2024
 ms.collection:
   - M365-modern-desktop
   - highpri
@@ -64,11 +64,11 @@ Windows Autopilot device preparation depends on specific features available in W
 
 The following editions are supported:
 
-- Windows 11 Pro
-- Windows 11 Pro Education
-- Windows 11 Pro for Workstations
-- Windows 11 Enterprise
-- Windows 11 Education
+- Windows 11 Pro.
+- Windows 11 Pro Education.
+- Windows 11 Pro for Workstations.
+- Windows 11 Enterprise.
+- Windows 11 Education.
 
 ## [:::image type="icon" source="../images/icons/wifi-ethernet-18.svg"::: **Networking**](#tab/networking)
 

autopilot/requirements.md

@@ -8,7 +8,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 06/28/2024
+ms.date: 09/06/2024
 ms.collection:
   - M365-modern-desktop
   - highpri

autopilot/windows-autopilot-hybrid.md

@@ -6,7 +6,7 @@ author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.reviewer: jubaptis
-ms.date: 08/22/2024
+ms.date: 09/04/2024
 ms.topic: how-to
 ms.service: windows-client
 ms.subservice: autopilot
@@ -63,19 +63,9 @@ Although not required, configuring Microsoft Entra hybrid join for Active Direct
 
 - To increase scale and availability, multiple connectors can be installed in the environment. We recommend installing the Connector on a server that's not running any other Intune connectors. Each connector must be able to create computer objects in any domain that needs to be supported.
 
-<!-- MAXADO-8594181 -->
-
-- If the organization has multiple domains and multiple Intune Connectors are installed, a domain service account that can create computer objects in all domains must be used. This requirement is true even if Microsoft Entra hybrid join is only implemented for a specific domain. If these domains are untrusted domains, the connectors must be uninstalled from domains where Windows Autopilot isn't used. Otherwise, with multiple connectors across multiple domains, all connectors must be able to create computer objects in all domains.
-
-  This connector service account must have the following permissions:
-
-  - [**Log on as a service**](/windows/security/threat-protection/security-policy-settings/log-on-as-a-service).
-  - Must be part of the **Domain user** group.
-  - Must be a member of the local **Administrators** group on the Windows server that hosts the connector.
-
-  > [!IMPORTANT]
-  >
-  > Managed service accounts aren't supported for the service account. The service account must be a domain account.
+<!-- MAXADO-8594181
+Multi-domain support section removed
+-->
 
 - The Intune Connector requires the [same endpoints as Intune](/mem/intune/fundamentals/intune-endpoints).
 

memdocs/configmgr/core/plan-design/hierarchy/accounts.md

@@ -2,12 +2,12 @@
 title: Accounts used
 titleSuffix: Configuration Manager
 description: Identify and manage the Windows groups, accounts, and SQL Server objects used in Configuration Manager.
-ms.date: 08/08/2024
+ms.date: 09/04/2024
 ms.subservice: core-infra
 ms.service: configuration-manager
 ms.topic: reference
-author: Banreet
-ms.author: banreetkaur
+author: BalaDelli
+ms.author: baladell
 manager: apoorvseth
 ms.localizationpriority: medium
 ms.collection: tier3
@@ -364,7 +364,10 @@ The site server uses the **Exchange Server connection account** to connect to th
 
 ### Management point connection account
 
-The management point uses the **Management point connection account** to connect to the Configuration Manager site database. It uses this connection to send and retrieve information for clients. The management point uses its computer account by default, but you can configure a user account instead. When the management point is in an untrusted domain from the site server, you must specify a user account.
+The management point uses the **Management point connection account** to connect to the Configuration Manager site database. It uses this connection to send and retrieve information for clients. The management point uses its computer account by default, but you can configure an alternate account instead. When the management point is in an untrusted domain from the site server, you must specify a alternate user account.
+
+  > [!NOTE]
+  > For enhanced security posture it is recommended to leverage alternate account rather than Computer account for ‘Management point connection account’.
 
 Create the account as a low-right local account on the computer that runs Microsoft SQL Server.
 

memdocs/configmgr/hotfix/2303/29166583.md

@@ -0,0 +1,62 @@
+---
+title: Management point security update for Microsoft Configuration Manager version 2303
+titleSuffix: Configuration Manager
+description: Management point security update for Configuration Manager 2303
+ms.date: 09/05/2024
+ms.subservice: core-infra
+ms.service: configuration-manager
+ms.topic: reference
+ms.assetid: b8cb0347-a26c-46e2-8ddd-8ddd61cd89a4
+author: baladelli
+ms.author: baladell
+manager: apoorvseth
+---
+
+# Management point security update for Configuration Manager 2303
+
+*Applies to: Configuration Manager (current branch, version 2303)*
+
+## Summary of KB29166583
+<!-- 29166583 -->
+An update is available to harden the security of Configuration Manager environment. The update improves the security of connections between the management point and site server database. 
+
+  > [!NOTE]
+  > For enhanced security posture it is recommended to leverage alternate account rather than Computer account for ‘Management point connection account’.
+
+Installation of this update resolves the following security issue:
+
+•	CVE-2024-43468 
+
+### Known issues
+
+We identified an issue after installing the hotfix. Hence this KB is no longer applicable to install and we republish this once a fix has been identified.
+
+### Update information for Microsoft Configuration Manager current branch, version 2303
+
+This update is available in the Updates and Servicing node of the Configuration Manager console for version 2303 environments.
+
+### Restart information
+
+This update doesn't require a computer restart or a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+### Additional installation information
+
+After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```sql
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site hasn't installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## File information
+File information is available in the downloadable [KB29166583_FileList.txt](https://aka.ms/KB29166583_FileList_2303) text file.
+
+## Release history
+- September 4, 2024: Initial hotfix release
+- September 5, 2024: Hotfix revoked
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)

memdocs/configmgr/hotfix/2309/29166583.md

@@ -0,0 +1,62 @@
+---
+title: Management point security update for Microsoft Configuration Manager version 2309
+titleSuffix: Configuration Manager
+description: Management point security update for Configuration Manager 2309
+ms.date: 09/05/2024
+ms.subservice: core-infra
+ms.service: configuration-manager
+ms.topic: reference
+ms.assetid: 19d171f9-e4fd-4d75-925c-2205be90d76c
+author: Baladelli  
+ms.author: baladell
+manager: apoorvseth
+---
+
+# Management point security update for Configuration Manager 2309
+
+*Applies to: Configuration Manager (current branch, version 2309)*
+
+## Summary of KB29166583
+<!-- 29166583 -->
+An update is available to harden the security of Configuration Manager environment. The update improves the security of connections between the management point and site server database. 
+
+  > [!NOTE]
+  > For enhanced security posture it is recommended to leverage alternate account rather than Computer account for ‘Management point connection account’.
+
+Installation of this update resolves the following security issue:
+
+•	CVE-2024-43468 
+
+### Known issues
+
+We identified an issue after installing the hotfix. Hence this KB is no longer applicable to install and we republish this once a fix has been identified.
+
+### Update information for Microsoft Configuration Manager current branch, version 2309
+
+This update is available in the Updates and Servicing node of the Configuration Manager console for version 2309 environments.
+
+### Restart information
+
+This update doesn't require a computer restart or a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+### Additional installation information
+
+After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```sql
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site hasn't installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## File information
+File information is available in the downloadable [KB29166583_FileList.txt](https://aka.ms/KB29166583_FileList_2309) text file.
+
+## Release history
+- September 4, 2024: Initial hotfix release
+- September 5, 2024: Hotfix revoked
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)

memdocs/configmgr/hotfix/2403/29166583.md

@@ -0,0 +1,62 @@
+---
+title: Management point security update for Microsoft Configuration Manager version 2403
+titleSuffix: Configuration Manager
+description: Management point security update for Configuration Manager 2403
+ms.date: 09/05/2024
+ms.subservice: core-infra
+ms.service: configuration-manager
+ms.topic: reference
+ms.assetid: f558a961-40c8-447b-b25c-f8f2b663cb90
+author: Baladelli
+ms.author: baladell
+manager: Apoorvseth
+---
+
+# Management point security update for Configuration Manager 2403
+
+*Applies to: Configuration Manager (current branch, version 2403)*
+
+## Summary of KB29166583
+<!-- 29166583 -->
+An update is available to harden the security of Configuration Manager environment. The update improves the security of connections between the management point and site server database. 
+
+  > [!NOTE]
+  > For enhanced security posture it is recommended to leverage alternate account rather than Computer account for ‘Management point connection account’.
+
+Installation of this update resolves the following security issue:
+
+•	CVE-2024-43468 
+
+### Known issues
+
+We identified an issue after installing the hotfix. Hence this KB is no longer applicable to install and we republish this once a fix has been identified.
+
+### Update information for Microsoft Configuration Manager current branch, version 2403
+
+This update is available in the Updates and Servicing node of the Configuration Manager console for version 2403 environments.
+
+### Restart information
+
+This update doesn't require a computer restart or a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+### Additional installation information
+
+After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```sql
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site hasn't installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## File information
+File information is available in the downloadable [KB29166583_FileList.txt](https://aka.ms/KB29166583_FileList_2403) text file.
+
+## Release history
+- September 4, 2024: Initial hotfix release
+- September 5, 2024: Hotfix revoked
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)

memdocs/configmgr/hotfix/TOC.yml

@@ -8,13 +8,17 @@ items:
   - name: KB 28290310 CMG update for 2403
     href: 2403/28290310.md
   - name: KB 28458746 Software update client fix for 2403
-    href: 2403/28458746.md 
+    href: 2403/28458746.md
+  - name: KB 29166583 MP security update for 2403
+    href: 2403/29166583.md 
 - name: Version 2309
   items:
   - name: KB 24341484 Summary of changes in 2309
     href: 2309/24341484.md
   - name: KB 25858444 Update rollup for Configuration Manager version 2309
     href: 2309/25858444.md
+  - name: KB 29166583 MP security update for 2309
+    href: 2309/29166583.md
 - name: Version 2303
   items:
   - name: KB 16900870 Summary of changes in 2303
@@ -25,6 +29,8 @@ items:
     href: 2303/24721208.md
   - name: KB 25073607 Client update for Configuration Manager version 2303
     href: 2303/25073607.md
+  - name: KB 29166583 MP security update for 2303
+    href: 2303/29166583.md
 - name: Version 2211
   items:
   - name: KB 15582417  Summary of changes in 2211

memdocs/configmgr/hotfix/index.yml

@@ -26,7 +26,9 @@ landingContent:
           - text: KB 28290310 CMG update for 2403
             url: 2403/28290310.md
           - text: KB 28458746 Software update client fix for 2403
-            url: 2403/28458746.md  
+            url: 2403/28458746.md
+          - text: KB 29166583 MP security update for 2403
+            url: 2403/29166583.md  
   - title: Configuration Manager 2309
     linkLists:
       - linkListType: overview
@@ -37,6 +39,8 @@ landingContent:
             url: 2309/26129847.md
           - text: 25858444 Update rollup for Configuration Manager version 2309
             url: 2309/25858444.md
+          - text: KB 29166583 MP security update for 2309
+            url: 2309/29166583.md  
   - title: Configuration Manager 2303
     linkLists:
       - linkListType: overview
@@ -49,6 +53,8 @@ landingContent:
             url: 2303/24721208.md
           - text: 25073607 Client update for Configuration Manager version 2303
             url: 2303/25073607.md
+          - text: KB 29166583 MP security update for 2303
+            url: 2303/29166583.md  
   - title: Configuration Manager 2211
     linkLists:
       - linkListType: overview