SCCM hotfix 2503 succeeded but errors show up for the public IP associated with the CMG

Edwin Alexander 60 Reputation points
2025-10-27T16:53:53.5533333+00:00

We installed the SCCM 2503 hotfix and the admin reported it was successful; however, there were error alerts for the associated CMG. I checked the CloudMgr.log, which pointed to the hotfix redeploying the CMG and failing at the Creating Public IP address task.

When I checked Azure alerts for the public IP, it had tried several times with the same error as below:

"CMG name" has an existing availability zone constraint 1, 2, 3 and the request has availability zone constraint NoZone, which do not match. Zones cannot be added/updated/removed once the resource is created. The resource cannot be updated from regional to zonal or vice-versa.

Why is the hotfix trying to change this public IP configuration setting to something different than it was before? Any insights?

Thanks in advance.


2 answers

  1. David Allen 20 Reputation points
    2025-11-07T20:11:18.6833333+00:00

    I got a response from Microsoft support about this.

    Root Cause: The hotfix changed the behavior of the CMG maintenance task. It now attempts to update the CMG's Azure Public IP address without specifying an availability zone ("No Zone"). However, if your existing Public IP was originally created with zones (1, 2, 3), Azure's API correctly blocks this change, as a zone configuration cannot be modified after creation. This mismatch causes the recurring DeploymentFailed error every 20 minutes.

    Workaround Solution: The confirmed resolution is to manually replace the existing zoned Public IP with a new one configured for "No Zone". This is a safe procedure that does not impact existing client connectivity to the CMG.

    Their instructions were to recreate the public IP address used by the CMG resource group in Azure using "zone-redundant" for the availability zone. However, this simply recreates the same problem as before. You need to create a non-zonal public IP address, but there isn't a way to do this in the Azure web portal (at least none that I could see). I was eventually able to resolve the issue without re-provisioning the CMG by recreating the public IP address without an availability zone using PowerShell. Afterwards, the maintenance was able to be performed on the CMG successfully and all the errors cleared.

    1. Stop the CMG and wait for the status to show "stopped"
    2. In the Azure portal, go to your CMG's resource group and create a temporary public IP address and name it "CMG-Temp-PIP".
    3. In the same resource group, open the Load Balancer resource, go to Frontend IP configuration, edit the existing frontend IP config, and change the public IP address from the original one to the new temporary one (CMG-Temp-PIP).
    4. Note the properties of your original public IP address (namely its name and DNS name), then delete it.
    5. Recreate the original public IP address using the PowerShell commands below (just be sure to update the values in the hashtable). This creates the public IP address without any zone properties (effectively "no zone", which is what you want).
    6. Repeat step 3, except this time repoint the Load Balancer frontend IP configuration to use the replacement public IP address you created in the previous step.
    7. Delete the temporary public IP address (CMG-Temp-PIP)
    8. Start the CMG. You should now see the maintenance complete successfully on the next attempt.

    Install-Module Az.Network   # brings in Az.Accounts as a dependency, which provides Connect-AzAccount
    Connect-AzAccount
    # Splatted parameters for the replacement IP. No 'Zone' key is supplied,
    # so the IP is created without availability zones (regional / "no zone").
    $ip = @{
        Name = 'CMG-Original-PIP'            # same name as the IP you deleted
        ResourceGroupName = 'Example-CMG-RG'
        Location = 'eastus' #'westus', etc.
        Sku = 'Standard'
        AllocationMethod = 'Static'
        IpAddressVersion = 'IPv4'
        DomainNameLabel = 'original-cmg-label' # reuse the original label exactly; Azure requires it to be lowercase
    }
    New-AzPublicIpAddress @ip
    
    4 people found this answer helpful.
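The eight steps above, carried out end to end with Az.Network cmdlets instead of the portal, as an added example that is not part of David Allen's answer or of any Microsoft tooling. The resource group and public IP names are assumed placeholders (the same ones his hashtable uses); the load balancer and its frontend configuration are not assumed by name but found by looking for the frontend that references the original IP. Steps 1 and 8 (stopping and starting the CMG) are still done in the ConfigMgr console.

```powershell
# Added example (not from the answer above): steps 2-7, done with Az.Network cmdlets.
# Assumed placeholders: the resource group and public IP names in param().
# Step 1 (stop the CMG) and step 8 (start it) are done in the ConfigMgr console.
#Requires -Modules Az.Accounts, Az.Network
[CmdletBinding()]
param(
    [string]$ResourceGroupName = 'Example-CMG-RG',   # assumed placeholder
    [string]$PublicIpName      = 'CMG-Original-PIP', # assumed placeholder
    [string]$TempIpName        = 'CMG-Temp-PIP'
)
$ErrorActionPreference = 'Stop'
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# Re-point a load balancer frontend at a public IP and commit the change.
# The LB is re-read on every call so a stale copy is never pushed back to Azure.
function Set-CmgFrontendPublicIp {
    param([string]$LoadBalancerName, [string]$FrontendName, $PublicIp)
    Get-AzLoadBalancer -ResourceGroupName $ResourceGroupName -Name $LoadBalancerName |
        Set-AzLoadBalancerFrontendIpConfig -Name $FrontendName -PublicIpAddress $PublicIp |
        Set-AzLoadBalancer | Out-Null
}

# Step 4, first half: record the original IP's properties and confirm it really is zonal.
$orig = Get-AzPublicIpAddress -ResourceGroupName $ResourceGroupName -Name $PublicIpName
if (-not $orig.Zones -or $orig.Zones.Count -eq 0) {
    Write-Warning "$PublicIpName already has no availability zone; nothing to do."
    return
}
Write-Host "Original IP $($orig.IpAddress) is in zones $($orig.Zones -join ','); replacing it."
$replacement = @{
    Name                 = $orig.Name
    ResourceGroupName    = $ResourceGroupName
    Location             = $orig.Location
    Sku                  = $orig.Sku.Name                     # Standard for a CMG
    AllocationMethod     = $orig.PublicIpAllocationMethod     # Static
    IpAddressVersion     = $orig.PublicIpAddressVersion       # IPv4
    IdleTimeoutInMinutes = $orig.IdleTimeoutInMinutes
    DomainNameLabel      = $orig.DnsSettings.DomainNameLabel  # clients resolve this FQDN; keep it identical
    # Deliberately no 'Zone' key: that is what makes the new IP regional ("no zone").
}
if ($orig.Tag -and $orig.Tag.Count -gt 0) { $replacement.Tag = $orig.Tag }

# Find the CMG load balancer frontend that references the original IP (the target of step 3).
$lb = Get-AzLoadBalancer -ResourceGroupName $ResourceGroupName |
      Where-Object { $_.FrontendIpConfigurations.PublicIpAddress.Id -contains $orig.Id } |
      Select-Object -First 1
if (-not $lb) { throw "No load balancer in $ResourceGroupName references $PublicIpName." }
$frontend = $lb.FrontendIpConfigurations |
            Where-Object { $_.PublicIpAddress.Id -eq $orig.Id } | Select-Object -First 1

# Step 2: temporary IP. A Standard load balancer only accepts Standard SKU frontends,
# so it is Standard/Static; no -Zone here either, so it is regional as well.
$temp = New-AzPublicIpAddress -Name $TempIpName -ResourceGroupName $ResourceGroupName `
            -Location $orig.Location -Sku Standard -AllocationMethod Static -IpAddressVersion IPv4

# Step 3: park the frontend on the temporary IP so the original is no longer in use.
Set-CmgFrontendPublicIp -LoadBalancerName $lb.Name -FrontendName $frontend.Name -PublicIp $temp

# Step 4, second half: delete the zoned original; this also releases its DNS label.
Remove-AzPublicIpAddress -ResourceGroupName $ResourceGroupName -Name $PublicIpName -Force

# Step 5: recreate it with the same name and DNS label but without zones.
$new = New-AzPublicIpAddress @replacement

# Step 6: move the frontend back onto the recreated IP.
Set-CmgFrontendPublicIp -LoadBalancerName $lb.Name -FrontendName $frontend.Name -PublicIp $new

# Step 7: drop the temporary IP, then verify what Azure actually has before starting the CMG.
Remove-AzPublicIpAddress -ResourceGroupName $ResourceGroupName -Name $TempIpName -Force
$check = Get-AzPublicIpAddress -ResourceGroupName $ResourceGroupName -Name $PublicIpName
if ($check.Zones -and $check.Zones.Count -gt 0) {
    throw "Replacement IP still reports zones: $($check.Zones -join ',')"
}
Write-Host "Replacement IP $($check.IpAddress) ($($check.DnsSettings.Fqdn)) has no zones; start the CMG (step 8)."
```

Two practical points that the portal route hides. First, the "Zone-redundant" choice in the portal produces exactly the zoned resource the maintenance task rejects; omitting the zone parameter entirely, as both the answer's hashtable and this script do, is what yields a regional IP. Second, the recreated IP keeps its DNS label (which is all the CMG clients resolve) but is a fresh static allocation and will generally come back with a different address, so any firewall or proxy allow-list that names the old CMG address needs updating before the CMG is started again.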

  2. JasonTranNguyen-3858 1,240 Reputation points Independent Advisor
    2025-11-01T02:31:49.5533333+00:00

    Hi Edwin Alexander,

    The behavior you're seeing is related to how the SCCM 2503 hotfix handles CMG redeployment. When the hotfix is applied, it may trigger a CMG update that inadvertently attempts to recreate or reconfigure the associated Azure resources, including the public IP.

    The error you're encountering stems from a mismatch in availability zone settings. Your existing CMG public IP is zonal (zones 1, 2, 3), but the redeployment request is trying to use a regional (NoZone) configuration. Azure doesn’t allow changing a public IP from zonal to regional or vice versa once it's created, which is why the operation fails.

    To resolve this, you’ll need to ensure the redeployment process respects the original zone configuration. One workaround is to manually delete and recreate the CMG with the correct zone settings, though this should be done with caution and proper backup. Alternatively, you can open a support case to explore if a patch or configuration adjustment is available to prevent this mismatch.

    If this information helps clarify the cause and possible solutions, please click “Accept Answer” so that others facing similar CMG redeployment errors can benefit as well 😊.

    Best regards,

    Jason

