Applies to: Configuration Manager (current branch, versions 2503 and 2509)
Summary of KB36495448
An update is available to fix an issue with software updates when third-party updates are used in a co-managed environment.
In Configuration Manager versions 2503 (with Update rollup 32851084 installed) and 2509, Windows Update scan source policies are unintentionally modified on co-managed devices when third-party updates are enabled. The Configuration Manager client can create an incomplete (partial) scan source policy configuration.
This partial configuration causes devices that should receive Feature Updates (FU) or Quality Updates (QU) from Microsoft Intune or Windows Update for Business (WUfB) to instead obtain those updates from WSUS/Configuration Manager.
This update corrects the issue by ensuring that Configuration Manager no longer sets or modifies Windows Update scan source policies on co-managed devices.
Prerequisites
To apply this hotfix, you must be using Configuration Manager version 2503 (with Update rollup 32851084 installed) or version 2509.
Issue details
When a device is co-managed with Microsoft Intune and third-party updates are enabled via ConfigMgr, the client sets only two Windows Update scan source policy values:
- HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseUpdateClassPolicySource = 1
- HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForOtherUpdates = 1
However, the following related policy values aren't set, and are removed if they existed:
- HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates
- HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForFeatureUpdates
- HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForQualityUpdates
When only some values are present, the Windows Update Agent can assume all categories should follow the same scan source. As a result, Feature Updates and Quality Updates intended to come from Microsoft Intune/WUfB are instead redirected to WSUS/ConfigMgr, even though the environment was configured for Intune-managed updates.
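One way to check a device for the partial state described above, as an added example that is not part of the original article or of Configuration Manager. It reads the five registry values listed in this article; the function name Get-ScanSourcePolicyState, the state labels, and the output property names are assumptions.

```powershell
# Added example: classify the Windows Update scan source policy state on the local device.
# Registry paths and value names come from this article; everything else is hypothetical.
function Get-ScanSourcePolicyState {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'

    # Read one registry value; returns nothing when the key or the value is absent.
    $read = {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    $found = [ordered]@{}
    $found['UseUpdateClassPolicySource'] = & $read $au 'UseUpdateClassPolicySource'
    foreach ($category in 'Feature', 'Quality', 'Driver', 'Other') {
        $name = "SetPolicyDrivenUpdateSourceFor${category}Updates"
        $found[$name] = & $read $wu $name
    }

    $present = @($found.Keys | Where-Object { $null -ne $found[$_] })
    $missing = @($found.Keys | Where-Object { $null -eq $found[$_] })

    if ($present.Count -eq 0)     { $state = 'NotConfigured' }
    elseif ($missing.Count -eq 0) { $state = 'Complete' }
    else                          { $state = 'Partial' }

    # The exact pair of values this article says the client sets on affected devices.
    $kbPair = 'UseUpdateClassPolicySource', 'SetPolicyDrivenUpdateSourceForOtherUpdates'
    $matchesKb = ($present.Count -eq 2) -and -not (Compare-Object $present $kbPair)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        State              = $state
        MatchesKbPartial   = $matchesKb
        PresentValues      = $present -join ', '
        MissingValues      = $missing -join ', '
    }
}

Get-ScanSourcePolicyState | Format-List
```

A result of `Partial` with `MatchesKbPartial` set to `True` corresponds to the two-value configuration listed above; any other `Partial` result means some, but not all, scan source values are present and is worth reviewing against the intended policy source.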
Post hotfix behavior
After you apply this hotfix, Configuration Manager no longer sets any of the following values on co-managed devices:
- UseUpdateClassPolicySource
- SetPolicyDrivenUpdateSourceFor* (Feature, Quality, Driver, Other)
Existing devices that were placed into a partial policy state by previous builds have those incomplete values cleaned up once.
Third-party updates deployed from WSUS/ConfigMgr aren't affected by this change because they don't rely on Windows Update scan source policies. Customers fully control scan source behavior; if organizations wish to control Windows Update scan source policies, they should do so explicitly using:
- Group Policy or Intune policy configuration service provider for WUfB
Environments using only Configuration Manager (without co-management) or only Microsoft Intune/WUfB aren't affected.
Restart information
This update doesn't initiate a site reset.
Other installation information
After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
If the value 0 is returned, the site hasn't yet installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.
Hotfix replacement information
This hotfix doesn't replace any previously released hotfix.
File information
File information is available in the downloadable
Release history
- February 23, 2026: Initial hotfix release