Merge pull request #5948 from MicrosoftDocs/release-cm2107-hfru

Release CM 2107 HFRU

Author: aczechowski

memdocs/configmgr/core/clients/manage/cmg/modify-cloud-management-gateway.md

@@ -2,7 +2,7 @@
 title: Modify a CMG
 titleSuffix: Configuration Manager
 description: If you need to change the configuration, you can modify the cloud management gateway (CMG).
-ms.date: 09/30/2021
+ms.date: 10/25/2021
 ms.prod: configuration-manager
 ms.technology: configmgr-client
 ms.topic: how-to
@@ -39,7 +39,7 @@ After you create a CMG, you can modify some of its settings. Select the CMG in t
 
 - **Verify Client Certificate Revocation**: If you didn't originally enable this setting when you created the CMG, you can enable it afterwards after you publish the CRL. For more information, see [Publish the certificate revocation list](security-and-privacy-for-cloud-management-gateway.md#publish-the-certificate-revocation-list).
 
-- **Enforce TLS 1.2**: The CMG enables this option by default. Require it to use the TLS 1.2 encryption protocol. For more information, see [How to enable TLS 1.2](../../../plan-design/security/enable-tls-1-2.md).
+- **Enforce TLS 1.2**: The CMG enables this option by default. Require it to use the TLS 1.2 encryption protocol. Starting in version 2107 with the [update rollup](../../../../hotfix/2107/11121541.md), this setting also applies to the CMG storage account.<!--10800237--> For more information, see [How to enable TLS 1.2](../../../plan-design/security/enable-tls-1-2.md).
 
 - **Allow CMG to function as a cloud distribution point and serve content from Azure storage**: The CMG enables this option by default. If you plan on targeting deployments with content to clients, you need to configure the CMG to serve content.<!--1358651-->
 

memdocs/configmgr/core/clients/manage/cmg/security-and-privacy-for-cloud-management-gateway.md

@@ -5,7 +5,7 @@ description: Learn about guidance and recommendations for security and privacy w
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
-ms.date: 08/02/2021
+ms.date: 10/25/2021
 ms.topic: conceptual
 ms.prod: configuration-manager
 ms.technology: configmgr-client
@@ -99,6 +99,8 @@ This subset provides administrators with more control over security. The CTL res
 
 Use the CMG setting to **Enforce TLS 1.2**. It only applies to the Azure cloud service VM. It doesn't apply to any on-premises Configuration Manager site servers or clients.
 
+Starting in version 2107 with the [update rollup](../../../../hotfix/2107/11121541.md), this setting also applies to the CMG storage account.<!--10800237-->
+
 For more information on TLS 1.2, see [How to enable TLS 1.2](../../../plan-design/security/enable-tls-1-2.md).
 
 ### Use token-based authentication

memdocs/configmgr/core/clients/manage/cmg/setup-cloud-management-gateway.md

@@ -5,7 +5,7 @@ description: Use this step-by-step process for setting up a cloud management gat
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
-ms.date: 09/20/2021
+ms.date: 10/25/2021
 ms.topic: how-to
 ms.prod: configuration-manager
 ms.technology: configmgr-client
@@ -94,7 +94,7 @@ Do this procedure on the top-level site. That site is either a standalone primar
 
     1. By default, the wizard enables the option to **Verify Client Certificate Revocation**. A certificate revocation list (CRL) must be publicly published for this verification to work. For more information, see [Publish the certificate revocation list](security-and-privacy-for-cloud-management-gateway.md#publish-the-certificate-revocation-list).
 
-    1. By default, the wizard enables the option to **Enforce TLS 1.2**. This setting requires the Azure VM to use the TLS 1.2 encryption protocol. It doesn't apply to any on-premises Configuration Manager site servers or clients. For more information, see [How to enable TLS 1.2](../../../plan-design/security/enable-tls-1-2.md).<!-- SCCMDocs-pr#4021 -->
+    1. By default, the wizard enables the option to **Enforce TLS 1.2**. This setting requires the Azure VM to use the TLS 1.2 encryption protocol. It doesn't apply to any on-premises Configuration Manager site servers or clients. Starting in version 2107 with the [update rollup](../../../../hotfix/2107/11121541.md), this setting also applies to the CMG storage account.<!--10800237--> For more information, see [How to enable TLS 1.2](../../../plan-design/security/enable-tls-1-2.md).<!-- SCCMDocs-pr#4021 -->
 
     1. By default, the wizard enables the option to **Allow CMG to function as a cloud distribution point and serve content from Azure storage**. If you plan on targeting deployments with content to clients, you need to configure the CMG to serve content.
 

memdocs/configmgr/core/plan-design/configs/support-for-windows-11.md

@@ -69,6 +69,16 @@ For more information on Windows lifecycle, see the [Windows lifecycle fact sheet
 
 - OS deployment images and upgrade packages for Windows 11 show the image name as Windows 10. For more information, see [Using deployment tools with Windows 11 images](/windows-hardware/manufacture/desktop/using-deployment-tools-with-windows-11).<!--11128713-->
 
+## Windows 11 on ARM64
+
+<!-- 10589908 -->
+
+Configuration Manager version 2107 with the [update rollup](../../../hotfix/2107/11121541.md) supports the client on Windows 11 ARM64 devices.
+
+The **All Windows 11 (ARM64)** platform is available in the list of supported OS versions on objects with requirement rules or applicability lists.
+
+OS deployment isn't supported, except for a feature update task sequence. You can deploy a task sequence with a feature update to a Windows 11 on ARM64 device. For more information, see [Upgrade Windows to the latest version](../../../osd/deploy-use/upgrade-windows-to-the-latest-version.md).
+
 ## Support for Windows Insider
 
 You can [update and service Windows Insider](../../../sum/get-started/configure-classifications-and-products.md#bkmk_WIfB) builds. This ability is provided as a convenience to our customers. While this functionality should work, its support is best effort. Configuration Manager might not issue a hotfix for this functionality if it doesn't work.

memdocs/configmgr/core/servers/deploy/install/release-notes.md

@@ -2,7 +2,7 @@
 title: Release notes
 titleSuffix: Configuration Manager
 description: Learn about urgent issues that aren't yet fixed in the product or covered in a Microsoft Support knowledge base article.
-ms.date: 08/31/2021
+ms.date: 10/25/2021
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: troubleshooting
@@ -115,6 +115,18 @@ To work around this issue, temporarily uninstall the later version of Visual C++
 
 ## OS deployment
 
+### Image servicing with Windows Server 2022
+
+<!-- 11843519, MEMDocs#2108 -->
+
+_Applies to: version 2107_
+
+If you try to [apply software updates to an image](../../../../osd/get-started/manage-operating-system-images.md#apply-software-updates-to-an-image) for Windows Server 2022, no updates display as available to install.
+
+This issue is caused by a change to the Windows update category for Server 2022.
+
+To resolve this issue, install the [update rollup](../../../../hotfix/2107/11121541.md) for Configuration Manager version 2107.
+
 ### Task sequence and application policy issue
 
 <!-- 10506770 -->

memdocs/configmgr/core/servers/deploy/install/remove-central-administration-site.md

@@ -2,7 +2,7 @@
 title: Remove CAS
 titleSuffix: Configuration Manager
 description: Remove the central administration site (CAS) to simplify your Configuration Manager infrastructure to a single, standalone primary site.
-ms.date: 08/02/2021
+ms.date: 10/15/2021
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: conceptual
@@ -43,9 +43,6 @@ If the hierarchy consists of the central administration site (CAS) and a single
   - Data warehouse service point
   - Cloud management gateway (CMG)
 
-    > [!NOTE]
-    > If you enabled the CMG for content, plan to redistribute the content after you recreate the CMG on the primary site.<!-- 6608659 -->
-
 - Turn off distributed views
 
 - Configuration Manager automatically handles package source locations for built-in packages, like the Configuration Manager client. Review all other content source locations to make sure they aren't using a share on the CAS.

memdocs/configmgr/develop/adminservice/custom-properties.md

@@ -2,7 +2,7 @@
 title: Custom properties for devices
 titleSuffix: Configuration Manager
 description: Use the administration service to set custom property data on devices, for reporting or collections.
-ms.date: 09/10/2021
+ms.date: 10/25/2021
 ms.prod: configuration-manager
 ms.technology: configmgr-sdk
 ms.topic: how-to
@@ -107,7 +107,7 @@ where SMS_G_System_ExtensionData.PropertyName = "AssetTag" and SMS_G_System_Exte
 ```
 
 > [!NOTE]
-> Incremental collection updates don't work with custom properties WQL statements.<!--10901844-->
+> To use custom properties WQL statements with incremental collection updates, use Configuration Manager version 2107 with the [update rollup](../../hotfix/2107/11121541.md) or later.<!--10964944-->
 
 ## Next steps
 

memdocs/configmgr/hotfix/2107/11121541.md

@@ -0,0 +1,209 @@
+---
+title: Update rollup for Microsoft Endpoint Configuration Manager version 2107
+titleSuffix: Configuration Manager
+description: Update rollup for Configuration Manager 2107
+ms.date: 10/27/2021
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: reference
+ms.assetid: 6fb1ecf7-f7fa-4221-a3af-a6165862e1cb
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+
+# Update rollup for Microsoft Endpoint Configuration Manager version 2107
+
+*Applies to: Configuration Manager (current branch, version 2107)*
+
+## Summary of KB11121541
+
+This article describes issues that are fixed in this update rollup for Microsoft Endpoint Configuration Manager current branch, version 2107. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release. For more information on changes in Configuration Manager version 2107, see:
+
+- [What’s new in version 2107 of Configuration Manager current branch](../../core/plan-design/changes/whats-new-in-version-2107.md)
+- [Summary of changes in Microsoft Endpoint Configuration Manager current branch, version 2107](../../hotfix/2107/10096997.md)
+
+This update also adds support for devices running Windows 11 ARM64. For more information, see [Support for Windows 11 in Configuration Manager](../../core/plan-design/configs/support-for-windows-11.md#windows-11-on-arm64).
+
+## Issues that are fixed
+
+<!-- 11892479 -->
+- After upgrading to version 2107, one or more applications in a task sequence fail with an error resembling the following in the `smsts.log`.
+
+   ```text
+   Install Static Applications failed, hr=0x87d00267
+   ```
+
+<!-- 11993093 -->
+- Offline Servicing for Windows Server 2022 operating system image fails to detect updates as applicable.
+
+<!-- 10555301 -->
+- The **Installation Status** tab in Software Center hangs without loading completely. When this issue occurs, errors resembling the following are repeated in the `scclient.log`.
+
+   ```text
+   Getting all instances of CCM_Application
+   Getting all instances of CCM_Program
+   Getting all instances of CCM_SoftwareUpdate
+   ```
+
+<!-- 10692952 -->
+- The **CMTrace** log file viewer does not display all characters at the beginning of a line.
+
+<!-- 10732477 -->
+- Syntax highlighting for PowerShell ignores the back quote escape character (\`\) when escaping double quotation marks.
+
+<!-- 10732503 -->
+- The site server may stop processing state messages, resulting in a backlog of files, due to a primary key constraint violation. Errors resembling the following are recorded in the `statesys.log` file.
+
+   ```text
+   SQL MESSAGE: spProcessStateReport - Error: Message processing encountered a SQL error 2627 at record 100 for TopicType 500, StateID 1: "Violation of PRIMARY KEY constraint 'SR_MissingMessageRanges_PK'. Cannot insert duplicate key in object 'dbo.SR_MissingMessageRanges'. The duplicate key value is (123456, 112233).", Line 0 in procedure ""
+   ```
+
+<!-- 10732515, 10745070 -->
+- A console extension may fail to import with an error resembling the following recorded in the `AdminUI.ExtensionInstaller.log` file.
+
+   ```text
+   Return code indicates unhandled case. Result: Exception of type 'System.OutOfMemoryException' was thrown.
+   ```
+
+<!-- 10745061, 10745082 -->
+- The Configuration Manager console generates an exception when selecting **View Collection** from the Collections tab in the Devices node. The exception contains information resembling the following.
+
+   ```text
+   The requested object information could not be retrieved. Refresh the Configuration Manager console to verify that another administrator has not moved or deleted the object, or that the role-based administration security scopes or security roles for the object or current user have not changed.
+   ConfigMgr Error Object:
+   instance of __ExtendedStatus
+   {
+   Operation = "GetObject";
+   ParameterInfo = "SMS_DeviceCollectionMember.SiteID=\"{Site_ID}\"";
+   ProviderName = "WinMgmt";
+   };
+   Error Code:
+   NotFound
+   ```
+
+<!-- 10745095 -->
+- The Configuration Manager client is blocked from sending endpoint analytics sensor events to the management point. This happens when there are backlogs in the CCM_SensorMessageQueue in WMI. Errors resembling the following are recorded in the `SensorEndpoint.log` file.
+
+   ```text
+   Invoke SensorWmiProvider succeeded.
+   QueryTraceW returned=234 for SensorFramework-Live-Etw...
+   Failed to get the next message to send. 0x80041032
+   ```
+
+<!-- 10748788 -->
+- The Configuration Manager console terminates unexpectedly if a Reporting Services Point is installed while the SQL Server Reporting Services (SSRS) service is stopped. The `AdminUI.log` file contains errors resembling the following.
+
+   ```text
+   System.ArgumentException
+   Version string portion was too short or too long.
+   ```
+
+<!-- 10789923 -->
+- The **Configuration Manager Support Center Client Tools** application terminates unexpectedly on a Windows 11 computer selecting different deployments.
+
+<!-- 10789925 -->
+- The Cloud Management Gateway Azure Storage Account can now be configured to use TLS 1.2 through the Configuration Manager console. For more information, see [Enforce TLS 1.2](../../core/clients/manage/cmg/security-and-privacy-for-cloud-management-gateway.md#enforce-tls-12).
+
+<!-- 10800388 -->
+- Improvements to the Data Warehouse synchronization process are included to prevent the SQL Server TempDB from filling up.
+
+<!-- 10800703 -->
+- Endpoint analytics sensor data now includes the system SKU and processor name, and Microsoft Surface Model information, for Windows 11 hardware readiness.
+
+<!-- 10944353 -->
+- The cloud service configuration file (.csfg) is not updated after deploying a cloud management gateway. Errors resembling the following are recorded in the `CloudMgr.log` file.
+
+   ```text
+   ERROR: TaskManager: Task [UpdateServiceConfigurationTask: Service {ID}] has failed. Exception Hyak.Common.CloudException, ChangeDeploymentConfigurationOperationFailed: The Change Deployment Configuration operation failed for the domain '{ID}' in the deployment slot 'Production' with the name '{ID}-deployment': 'The specified configuration settings for Settings are invalid. Verify that the service configuration file is a valid XML file, and that role instance counts are specified as positive integers.'..~~
+   ```
+
+<!-- 10959492 -->
+- Incremental collection updates don't work when the WQL statements contain custom properties.
+
+<!-- 10973090 -->
+- In some scenarios the maximum client policy size is incorrectly limited to 16MB instead of 32MB. This results in errors resembling the following in the `smsts.log` file.
+
+   ```text
+   Request was successful.
+   dwBodyLength <= m_nMaxReplySize, HRESULT=80004005
+   reply message body length is too long (18291682, 16777216)
+   ```
+
+<!-- 10997261 -->
+- The BitLocker recovery key is only escrowed for the first user on a computer instead of all users that log on.
+
+<!-- 11007543 -->
+- Clients fail to download content from a peer cache source under the following conditions:
+
+  - The content is deleted from a distribution point but remains in the peer cache.
+  - The client is on a low bandwidth connection that causes the BITS download job to take over 24 hours to complete.
+
+<!-- 11041519 -->
+- The device collection is unexpectedly empty when selected from the device graph on the Windows 10 dashboard.
+
+<!-- 11184150 -->
+- The list of BitLocker recovery keys is blank for Azure Active Directory-joined devices.
+
+## Hotfixes that are included in this update
+
+- KB [10503003](../../hotfix/2107/10503003.md) Update for Microsoft Endpoint Configuration Manager version 2107, early update ring
+
+## Known issues in this release
+
+- The **Log Analytics connector for Azure Monitor** feature was removed from Configuration Manager version 2107. However, the pages that allow an administrator to view and delete the **OMS Connector** are still present but don't function. For more information, see [Deprecated features](../../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md#unsupported-and-removed-features).
+
+## Update information for Microsoft Endpoint Configuration Manager current branch, version 2107
+
+This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using early update ring or globally available builds of version 2107.
+
+Members of the Configuration Manager Technology Adoption Program (TAP) must first apply the private TAP rollup before this update is displayed.
+
+To verify which build is in use, look for a Package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The update applies to installations from packages that have the following GUIDs:
+
+- **248DC1EB-4B98-4483-BAF3-08C678C1CD0A**
+- **142D394F-4E40-4574-AB8F-D182200DF03C**
+- **8D0F9A5B-B21D-438F-AC56-38428FECB787**
+- **86FE4AF1-68A1-4AD4-B435-91995D30ECD6**
+- **E392EF90-DB2C-47BB-ACB8-11E702D0F451**
+- **42E1CF6E-95A1-4A8D-96AD-311E6247B3FB**
+
+The update is also applicable to TAP builds with the private TAP rollup installed.
+
+### Restart information
+
+This update does not require a computer restart but will initiate a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+### Additional installation information
+
+After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+
+   ```code
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+
+- If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+- If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## Version information
+
+The following major components are updated to the versions specified:
+
+| Component                     | Version          |
+|-------------------------------|------------------|
+| Configuration Manager console | 5.2107.1059.3700 |
+| Client                        | 5.0.9058.1047    |
+
+## File information
+
+File information is available in the downloadable [KB11121541_FileList.txt](https://aka.ms/KB11121541_FileList) text file.
+
+## Release history
+
+- October 27, 2021: Initial hotfix release
+
+## References
+
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)

memdocs/configmgr/hotfix/TOC.yml

@@ -7,6 +7,8 @@ items:
     href: 2107/10096997.md
   - name: KB 10503003 Early update ring
     href: 2107/10503003.md
+  - name: KB 11121541 Update rollup for 2107
+    href: 2107/11121541.md
 - name: Version 2103
   items:
   - name: KB 9210721 Summary of changes in 2103