
Summary of changes in Configuration Manager current branch, version 2603

Applies to: Configuration Manager (current branch, version 2603)

Summary of KB37426535

Release version 2603 of Configuration Manager current branch contains fixes and feature improvements. The "Issues that are fixed" list isn't inclusive of all changes. Instead, it highlights changes the product development team believes are most relevant to the broad Configuration Manager customer base. These changes were made in response to direct customer feedback about product issues and improvements.

Notes

Issues that are fixed

  • This update enhances security in Configuration Manager by improving access controls for the Network Access Account (NAA). For more information, see KB 37447175.
  • An internal service required for device compliance checks will be deprecated in October 2026. Following the deprecation, compliance checks in Software Center may fail in co-managed environments where the Compliance workload is managed by Intune. To prevent this issue, apply this update before October 2026.
  • Microsoft Connected Cache (MCC) setup fails with ReturnCode 13631517 on distribution points where a proxy server is configured in the Site System Properties. The proxy rejects the HTTP request because the connectivity test used relative-form URLs instead of the absolute-form required by proxies per HTTP RFC specifications.
  • Added support and testing for PKI certificates used in site system-to-SQL Server communication. This includes proper handling of certificate trust, private key access, and BitLocker Management portal registry thumbprint configuration.
  • All ConfigMgr components and site roles are updated to remove the dependency on the deprecated SQL Server Native Client (sqlncli.msi). Customers can now safely uninstall sqlncli from site systems. The product no longer includes sqlncli.msi in its redistributable.
  • The Microsoft SQL Server Management Objects and Microsoft System CLR Types for SQL Server are updated from the deprecated SQL Server 2014 versions to the SQL Server 2016 versions (SMO 17).
  • The Orchestration Group member reset function now also resets the RequestSent registry key (HKLM\SOFTWARE\Microsoft\CCM\Orchestration\RequestSent), preventing clients from being stuck in a state where they perpetually wait for an orchestration lock and are unable to install updates.
  • The stored procedure spCanDisableLEDBAT can produce a "Subquery returned more than 1 value" error in WSUSCtrl.log when one distribution point server name is a substring of another DP server name. The LIKE pattern now uses proper delimiters to ensure exact server name matching.
  • The EnableCertPaddingCheck registry keys are now set by default on Cloud Management Gateway (CMG) Virtual Machine Scale Set instances to mitigate CVE-2013-3900 (WinVerifyTrust Signature Validation Vulnerability).
  • The prerequisite check for Network Access Account (NAA) is updated to acknowledge documented scenarios where NAA is still required, such as the Request State Store task sequence step and Apply OS Image with direct DP access.
  • Deprecated Management Insights entries for the retired Upgrade Readiness / Desktop Analytics service are removed from the Cloud Services category.
  • The Windows Defender Antivirus (WDAV) reporting for tenant-attached ConfigMgr clients no longer incorrectly shows 'True' in the 'Signature Update Overdue' field when clients have up-to-date signature definitions.
  • A race condition in Orchestration Groups is fixed that previously caused sequencing settings to be ignored, allowing multiple servers to install updates and reboot simultaneously instead of one at a time as configured.
  • Anti-malware policy path exclusion validation is confirmed to correctly enforce that wildcards can't be used in the server name portion of UNC paths, consistent with Microsoft Defender for Endpoint documentation.
  • The Software Update Health Troubleshooting Dashboard is hidden in this release due to severe performance issues in large environments. The vSMS_SUAutoRemediation SQL view could accumulate tens of millions of rows, causing console freezes and excessive SQL Server load.
  • The New-CMCloudManagementGateway PowerShell cmdlet now allows combining the -IsUsingExistingGroup $true parameter with -ServerAppClientId, enabling automated CMG deployment into existing Azure resource groups without requiring interactive credentials.
  • Build and Capture task sequences on Windows 11 24H2 (November/December 2024 media) no longer produce a "Why did my PC restart" error dialog during deployment of the captured image.
  • The misleading Network Access Account (NAA) requirement warning in the Distribution Points tab of the Task Sequence deployment wizard is updated to accurately reflect when NAA is actually required.
  • Site upgrades no longer fail on SQL Server Always On Availability Group environments due to the UpgradeDatabase function incorrectly attempting to set SINGLE_USER mode on a database participating in an availability group.
  • The CMG outbound traffic alert and "Total Outbound data" metric now work correctly for CMGv2 (Azure Virtual Machine Scale Set based) deployments. Previously, network-out usage metrics were not collected for Virtual Machine Scale Set deployments.
  • Windows 10 IoT Enterprise LTSC 2021 devices are no longer incorrectly reported as 'not supported' or 'end of life' in Management Insights and the Product Lifecycle dashboard. The lifecycle matching logic now correctly distinguishes IoT LTSC editions from standard Windows 10 version 21H2 editions.
  • The BitLocker Management HelpDesk portal's "Recovery Audit Report" now loads correctly when SQL Server Reporting Services (SSRS) is installed in a non-English language. The report name is no longer inadvertently translated.
  • When you create a script with a Boolean parameter and a default value of True, the checkbox state now correctly matches the actual value passed to the script at execution time.
  • The ConfigMgr console In-App Feedback feature is updated to support the new OCV Feedback SDK with authenticated submissions. Both authenticated and offline feedback submission modes are supported.
  • Windows Update scan source registry settings are no longer incorrectly modified on co-managed devices when third-party updates are enabled, preventing Feature Updates and Quality Updates intended for Microsoft Intune/WUfB from being redirected to WSUS/Configuration Manager.
  • CMPivot queries through the AdminService no longer fail with a 400 Bad Request error due to a query parsing issue in the KustoParser. Previously, CMPivot would fall back to the SMS Provider path requiring additional Script Read permissions.
  • Weak DHE (Diffie-Hellman Ephemeral) cipher suites are disabled on Cloud Management Gateway (CMG) instances. Only TLS 1.3 (AES_256_GCM, AES_128_GCM) and TLS 1.2 ECDHE ciphers remain enabled.
  • The "All Application deployments (advanced or basic)" reports no longer return duplicate results when viewing detailed error or unknown deployment states. Previously, each result was multiplied by the number of deployment collections.
  • The deprecated "Asset Intelligence synchronization point" site role is removed from the site roles selection UI, preventing inadvertent installation of this nonfunctional role.
  • The Import-CMDriver PowerShell cmdlet now correctly includes Arm64 platform support when importing drivers from INF files. Previously, Arm64 was filtered out from the Supported Platforms list.
  • Applications with OS requirements (such as "All x64 Windows 11 and higher Clients") no longer fail during OSD with a 404 error when the client attempts to download the OS requirement policy definition after upgrading to a new version.
  • An informational notice is added to the Schedule Updates Wizard to inform administrators that offline servicing (applying software updates to OS images) doesn't work on all Windows platforms.
  • The System.Linq.Dynamic.Core library used by the AdminService component is updated from version 1.0.20.0 to version 1.7.1, resolving CVE-2023-32571 (Dynamic LINQ injection remote code execution vulnerability).
  • CMG deployment no longer fails with an InvalidTemplateDeployment error when Azure security policies are applied to the subscription. The Virtual Machine Scale Set SKU capacity field in the Azure Resource Manager (ARM) template is now correctly defined as an integer instead of a string.
  • Software update synchronization no longer reimports previously declined Surface firmware driver updates on every sync cycle. This resolves sync delays of several hours in environments with many declined drivers.
  • CMG deployment error handling is improved to capture and display detailed Azure error response information when Attribute-Based Access Control (ABAC) conditions block role assignments. Previously, only a generic 403 Forbidden error was shown.
  • Client push installation (CcmSetup) no longer fails with error code 0x80070643 on Windows 11 Arm64 devices when upgrading from ConfigMgr 2403 or 2503. The failure was caused by the upgrade process attempting to uninstall a 32-bit Management Point Provider component not compatible with Arm64 architecture.
  • Intune Endpoint Detection and Response (EDR) policies now apply correctly on ConfigMgr clients via tenant attach (non-co-managed). This is a regression fix for an issue introduced in ConfigMgr 2503.
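As an added example that is not part of this KB and not the product's own code: a PowerShell audit for the two CMG hardening items listed above (the EnableCertPaddingCheck keys for CVE-2013-3900 and the disabled DHE cipher suites), run against a Windows host you manage. The registry paths are the ones from Microsoft's CVE-2013-3900 guidance; Windows Server 2016 or later is assumed so that the built-in TLS cmdlets are available. The function names are my own.

```powershell
# Added audit script (not from the KB). Checks a local Windows host for the two
# hardening settings the update applies to CMG instances, and can remediate on request.

function Test-CertPaddingCheck {
    # CVE-2013-3900 mitigation: EnableCertPaddingCheck = "1" (REG_SZ) must exist under
    # both the native and the WOW64 WinVerifyTrust config keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    )
    foreach ($p in $paths) {
        $value = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{ Path = $p; Value = $value; Compliant = ($value -eq '1') }
    }
}

function Get-WeakDheCipherSuite {
    # Finite-field DHE suites are what the update disables on CMG; ECDHE and TLS 1.3 suites stay.
    Get-TlsCipherSuite | Where-Object { $_.Name -match '^TLS_DHE_' } | Select-Object Name, Protocols
}

function Invoke-CmgHardeningAudit {
    param([switch]$Remediate)   # without -Remediate the function only reports
    foreach ($r in Test-CertPaddingCheck) {
        if (-not $r.Compliant -and $Remediate) {
            if (-not (Test-Path $r.Path)) { New-Item -Path $r.Path -Force | Out-Null }
            New-ItemProperty -Path $r.Path -Name EnableCertPaddingCheck -Value '1' `
                -PropertyType String -Force | Out-Null
        }
    }
    foreach ($s in Get-WeakDheCipherSuite) {
        if ($Remediate) { Disable-TlsCipherSuite -Name $s.Name }
    }
    # Re-read both settings so the caller sees the post-remediation state
    Test-CertPaddingCheck | Format-Table -AutoSize
    Get-WeakDheCipherSuite | Format-Table -AutoSize
}

Invoke-CmgHardeningAudit            # report only
# Invoke-CmgHardeningAudit -Remediate   # apply after confirming no peer depends on DHE-only suites
```

Run the report-only form first: disabling DHE suites affects any TLS peer that offers only DHE key exchange, so confirm connectivity requirements before remediating.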

Hotfixes that are included in this update

  • KB 35877153: Summary of changes in Configuration Manager current branch, version 2509
  • KB 33247081: Microsoft Connected Cache update for Configuration Manager
  • KB 36419072: Feedback for Configuration Manager
  • KB 36495448: Software update management client fix for Configuration Manager versions 2503 and 2509
  • KB 37447175: Security update for Microsoft Configuration Manager
  • KB 37172183: Software Center client fix for Configuration Manager

Dependency changes

  • The Microsoft SQL Server Management Objects and Microsoft System CLR Types for SQL Server are updated to the 2016 versions (SMO 17).
  • The SQL Server Native Client (sqlncli.msi) dependency is removed from all ConfigMgr components and site roles.
  • The System.Linq.Dynamic.Core library is updated to version 1.7.1 for the AdminService component.