An update for Microsoft Endpoint Configuration Manager current branch, version 2002, is available to resolve the following tenant attach related issues.
- Duplicate deployments may appear in the on-premises Configuration Manager environment. This occurs after editing a pre-existing assignment Endpoint Detection and Response (EDR) policy assignment in the Microsoft Endpoint Manager admin center targeting co-managed devices.
- Clients are unable to onboard to Microsoft Defender Advanced Threat Protection (ATP) after deploying the policy to a target collection. This occurs if the following registry key is missing.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
Errors resembling the following are recorded in the ATPHandler.log on the client.
ATPHandler: ATP Service is not running, onboarding...
ATPHandler: Error, Windows Advanced Threat Protection namespace does not exist in registry.
ATPHandler: Failure in CATPHandler::GenerateAndRunScript: 0x80004005
ATPHandler: Failure in CATPHandler::SetBlobInRegistry: 0x80004005
ATPHandler: Failure in CATPHandler::HandleOnboardingRule: 0x80004005
After this update is installed the ATP registry key will be created if missing during policy deployment.
- The Devices blade in the admin center may sporadically take 30 seconds to load.
Update information for Microsoft Endpoint Configuration Manager current branch, version 2002
This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using early update ring or globally available builds of version 2002, and have completed the tenant attach process.
Members of the Configuration Manager Technology Adoption Program (TAP) for Configuratation Manager version 2002 must first apply the private TAP rollup before this update is displayed.
Users who installed an early update ring version of 2002 must first apply the following update.
KB 4553501: Update for Microsoft Endpoint Configuration Manager version 2002, early update ring
You do not have to restart the computer after you apply this update.
Update replacement information
This update does not replace any previously released update.
Additional installation information
After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.
If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.