Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: Configuration Manager (current branch, versions 2409 and 2503)
Summary of KB37172183
An internal service required for device compliance checks will be deprecated in October 2026.
Following the deprecation, compliance checks in Software Center may fail in co-managed environments where the Compliance workload is managed by Intune.
To prevent this issue, apply this update before October 2026.
GET_TOKEN_FROM_STS_ERROR : FFFFFFFF80004003
Note
This same update will be included with Microsoft Configuration Manager current branch, version 2603, and in the update rollup for version 2509. A separate out of band hotfix is not required for versions 2509 and 2603.
Symptoms
- In co-managed environments where the Compliance workload is switched to Intune, the Software Center compliance check fails with error code
GET_TOKEN_FROM_STS_ERROR : FFFFFFFF80004003. - Devices in a co-management configuration with the Compliance slider set to Intune are unable to perform compliance checks from Software Center.
Cause
The Configuration Manager client was using an older method to obtain authentication tokens when Software Center attempted to access Intune compliance services in co-managed environments. This token acquisition method no longer worked correctly with the Intune service, resulting in compliance check failures.
Resolution
The Configuration Manager client has been updated to use a newer token acquisition method that is compatible with Intune compliance services, resolving the issue with Software Center compliance checks in co-managed environments.
Update information for Microsoft Configuration Manager current branch, versions 2409 and 2503
This update is available in the Updates and Servicing node of the Configuration Manager console for environments with the following updates applied.
- 2409: KB 30385346: Update rollup for Microsoft Configuration Manager version 2409
- 2503: KB 32851084: Update rollup for Microsoft Configuration Manager version 2503
Restart information
This update doesn't require a computer restart but will initiate a site reset after installation.
Additional installation information
After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. This reinstallation doesn't affect configurations and settings for the secondary site. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
If the value 0 is returned, all the fixes that are applied to the primary site aren't installed for the secondary site. You should use the Recover Secondary Site option to update the secondary site.
Note
This update includes an updated Configuration Manager client agent (client.msi). After the hotfix is installed on the site server, the updated client is made available for distribution. To update existing clients, you can use automatic client upgrade. For more information, see How to upgrade clients.
Version information
The following major components are updated to the versions specified:
| Component | Version |
|---|---|
| Client (2409) | 5.0.9132.1038 |
| Client (2503) | 5.0.9135.1024 |
File information
File information is available in the following downloadable files.
Release history
- April 2026: Initial hotfix release