Roberts Blog

The House of ConfigMgr and Intune on Endpoint Management Way

Tag: 1906

ConfigMgr CB1906–Management Insights–NTLM Fallback

I remember a few years back at an MVP Summit watching a PG member showing us the mock up’s they had prepared for how Management Insights would “look” in the console, while gauging our response and taking in feedback.

The feature certainly has come along way from then, if’ you’ve not paid much attention to Management Insights, now would be a good time to visit the feature and see what insights it gives you for your site.

From what I can recall the motivating reason for Management Insights was driven by the desire to make administrators lives easier overall, bringing to light the “house chores” needed to keep SCCM running fluidly, highlighting or giving insights into operational capability of a site (Empty collections, Fast Evaluation rules etc), and it has extended out to highlight best practices for certain parts of the product (example being the Site’s current Client Push NTLM Fallback state).

There’s a new Management Insight (MI) in CB 1906, called “NTLM Fallback disabled” which I’ll quickly run over now.

This MI will check the ConfigMgr Site, to see if Client Push Installation property Allow connection fallback to NTLM is enabled:


Enabled, the MI will report Action Needed:


When Allow connection fallback to NTLM is disabled in Client Installation properties, and when the MI is re-evaluated (right click) the MI reports a Completed state, which means we’re compliant:


The reason why you would disable Client Push attempts using NTLM is to force site to client authentication to take place using Kerberos, so as to fall in place with modern security practices, which see NTLM as insecure (rightly so) and something we should all be drifting away from, as partially noted in the docs:


When using the client push method of installing the Configuration Manager client, the site can require Kerberos mutual authentication. This enhancement helps to secure the communication between the server and the client. For more information, see How to install clients with client push.

At a lower lever you can disable NTLM fallback for the Operating System itself, with consequences that should be thought out first, using either domain or local GPO settings. This isn’t something you do without wising up on the consequences.

The new Management Insight is not checking the OS, it isn’t checking IIS or SQL for relevance and state, which have their own options for handling NTLM fallback.

Here’s a shot of local GPO on the site server for tinkering with restricting NTLM:

Note that GPO changes are made, remote devices attempting RDP to the site server that are not patched may encounter the “Encryption Oracle Remediation” issue.

Changing any NTLM setting requires some preparation work, at the least an understanding of what might break in your environment.

ConfigMgr CB1906–Site Maintenance

Now that Current Branch 1906 (5.0.8853.1000) is out, and I have some spare time to chase through some of the features, I thought I’d whack out some mini-posts highlighting various features.

One of the less impactful but interesting features due to what they are tinkering with, is Site Maintenance. This one isn’t going to woo your manager or users, or change your work routine one jot, but it is interesting nonetheless as it touches ‘old ground’.

Other than additions to the site maintenance task list over the last two decades, there hasn’t been any other change made in this space visually.

That changes as of CB 1906.

There hasn’t been much of a need to change something that isn’t broken, we hardly ever visit site maintenance, but it was long overdue a visual overhaul so as to scrub away that Win32 dialog look, as shown below:


Now, we have no need for a pop-up dialog, Site Maintenance tasks are listed in the details pane when you visit the Site Configuration > Sites node, and select a new tab called Maintenance Tasks.


Double click (Properties) on any of the listed tasks and you get taken back to familiar territory with the tasks properties sheet:


A very simple change to an oft-ignored part of the product, I like subtle changes like this, enabled by the fast cadence of ConfigMgr.

I noticed that post-upgrade of CB to 1906 the Last Start Time and Last Completion Time columns were rendering blank.

I chose and ran the Rebuild Indexes maintenance task (changed its scheduled +5 mins into the future) to see if the values are shown once a task runs post-upgrade.

Here’s the task running (SMSDBMON log):


And as I thought, well, I got lucky “thinking”, that a nudge would sort it, much like the classic “Have you tried turning it off and on again?” approach, much adored by the mightiest of admins:


A simple and as I said subtle change, that has modernised a very boring surface. Nice.

Powered by WordPress & Theme by Anders Norén