Applies to: Configuration Manager (current branch)
Update 2603 for Configuration Manager current branch is available as an in-console update. Apply this update on sites that run version 2409 or later.
Always review the latest checklist for installing this update. For more information, see Checklist for installing update 2603. After you update a site, also review the Post-update checklist.
To take full advantage of new Configuration Manager changes, after you update the site, also update clients to the latest version. New functionality appears in the Configuration Manager console when you update the site and console, but the complete scenario isn't functional until the client version is also the latest.
General enhancements
As part of Microsoft's Secure Future Initiative (SFI), version 2603 of Configuration Manager continues to focus on security, quality, and infrastructure modernization. For more information, see the Microsoft Trust Center. For a list of significant customer-reported issues resolved in this release, see the Summary of changes in Configuration Manager version 2603 knowledge base article.
Security improvements for Network Access Account
This update enhances security by improving access controls for the Network Access Account (NAA). Access to NAA information is now restricted to supported OSD media task sequence scenarios by enforcing additional permission requirements and removing legacy access paths to reduce exposure and align with least privilege principles. For more information, see KB 37447175.
Weak ciphers disabled on Cloud Management Gateway
Weak DHE (Diffie-Hellman Ephemeral) cipher suites are now disabled on Cloud Management Gateway (CMG) instances. Only TLS 1.3 (AES_256_GCM, AES_128_GCM) and TLS 1.2 ECDHE ciphers remain enabled, improving the security posture of CMG connections.
Additionally, the EnableCertPaddingCheck registry keys are now set by default on CMG Virtual Machine Scale Set instances to mitigate CVE-2013-3900 (WinVerifyTrust Signature Validation Vulnerability).
SQL Server 2025 support
SQL Server 2025 (RTM) is now a supported database platform for Configuration Manager sites, including the central administration site, primary sites, and secondary sites. SQL Server 2025 Express is also supported for secondary sites. The recommended database compatibility level for SQL Server 2025 is 160. For more information, see Support for SQL Server versions.
SQL Server Native Client dependency removed
All Configuration Manager components and site roles are updated to remove the dependency on the deprecated SQL Server Native Client (sqlncli.msi). Customers can now safely uninstall sqlncli from site systems. The product no longer includes sqlncli.msi in its redistributables.
SQL Server Management Objects updated
The Microsoft SQL Server Management Objects and Microsoft System CLR Types for SQL Server are updated from the deprecated SQL Server 2014 versions to the SQL Server 2025 versions (SMO 17).
PKI certificate support for site system-to-SQL Server communication
This update adds support and testing for PKI certificates used in site system-to-SQL Server communication. This includes proper handling of certificate trust, private key access, and BitLocker Management portal registry thumbprint configuration.
ARM64 support improvements
- The Import-CMDriver PowerShell cmdlet now correctly includes ARM64 platform support when importing drivers from INF files. Previously, ARM64 was filtered out from the Supported Platforms list.
- Client push installation (CcmSetup) no longer fails with error code 0x80070643 on Windows 11 ARM64 devices when upgrading from ConfigMgr 2409 or 2503.
Cloud Management Gateway improvements
- The New-CMCloudManagementGateway PowerShell cmdlet now allows combining the -IsUsingExistingGroup $true parameter with -ServerAppClientId, enabling automated CMG deployment into existing Azure resource groups without requiring interactive credentials.
- CMG deployment error handling is improved to capture and display detailed Azure error response information when Attribute-Based Access Control (ABAC) conditions block role assignments.
- The CMG outbound traffic alert and "Total Outbound data" metric now work correctly for CMGv2 (Azure Virtual Machine Scale Sets-based) deployments.
Updated Feedback experience
The Configuration Manager console In-App Feedback feature is updated to support the new OCV Feedback SDK with authenticated submissions. Both authenticated and offline feedback submission modes are supported.
Deprecated and removed features
- An internal service required for device compliance checks will be deprecated in October 2026. Following the deprecation, compliance checks in Software Center may fail in co-managed environments where the Compliance workload is managed by Intune. To prevent this issue, apply this update before October 2026.
- The deprecated Asset Intelligence synchronization point site role is removed from the site roles selection UI.
- The Software Update Health Troubleshooting Dashboard is hidden in this release due to performance issues in large environments.
New requirements
Management point requires internet access for Microsoft Entra token validation
Starting in version 2603, the management point uses Microsoft Identity Service Essentials (MISE) for Microsoft Entra token validation. This change requires the management point server to have internet access. In previous versions, the management point could function without internet access.
This requirement applies to environments that meet the following conditions:
- The site is configured to support Microsoft Entra joined users and devices
- Clients authenticate using Microsoft Entra tokens, typically through a cloud management gateway (CMG)
Note
Environments that only use on-premises Active Directory authentication without Microsoft Entra integration aren't affected by this requirement.
Identify the issue
If the management point server can't reach the required endpoints, the CCM_STS_ManagedBase.log on the management point logs a MiseAuthenticationTicketProviderException with an underlying network error. Look for the SocketException or HttpRequestException that indicates a network connectivity failure, for example:
Microsoft.Identity.ServiceEssentials.Exceptions.MiseAuthenticationTicketProviderException: MISE12034: AuthenticationTicketProvider Name:AuthenticationTicketProvider
System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it
Important
The MISE12034 exception can also appear for other reasons. This section specifically addresses the case where the underlying exception indicates a network connectivity problem, such as SocketException, HttpRequestException, or a connection timeout. Verify that the error message points to a network access issue before applying the resolution below.
Resolution: Allow access to Azure authentication endpoints
Ensure that the management point server can connect to Microsoft Entra authentication endpoints in the system context. Allow the following URLs through the proxy and firewall:
https://login.microsoftonline.com
https://sts.windows.net
If the management point server uses a proxy, configure the proxy at the system level. For more information, see Management point proxy configuration.
For a full list of required endpoints, see Management point internet access requirements.
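The triage described in this section, as an added example that isn't part of the Configuration Manager documentation: it scans CCM_STS_ManagedBase.log for MISE12034 entries, reports whether the underlying cause is a network error (SocketException, HttpRequestException, or a timeout), and only in that case tests reachability of the two endpoints and shows the WinHTTP proxy. The log path and the list of network-cause strings are assumptions.

```powershell
# Added example, not from the product docs. Run elevated on the management point;
# run it as SYSTEM (for example via psexec -s) so the endpoint test uses the same
# system-context proxy the management point itself uses.
$LogPath       = 'C:\Program Files\SMS_CCM\Logs\CCM_STS_ManagedBase.log'   # assumed location
$Endpoints     = 'https://login.microsoftonline.com', 'https://sts.windows.net'
$NetworkCauses = 'SocketException', 'HttpRequestException', 'timed out', 'timeout'  # assumed

function Get-MiseNetworkFailures {
    param([string]$Path)
    # Each MISE12034 line plus the next five lines, which usually hold the inner exception.
    Select-String -Path $Path -Pattern 'MISE12034' -Context 0, 5 | ForEach-Object {
        $text  = (@($_.Line) + $_.Context.PostContext) -join "`n"
        $cause = $NetworkCauses | Where-Object { $text -match $_ } | Select-Object -First 1
        [pscustomobject]@{
            Line         = $_.LineNumber
            NetworkCause = $cause   # $null means MISE12034 had some other cause
            Snippet      = $_.Line.Substring(0, [Math]::Min(120, $_.Line.Length))
        }
    }
}

function Test-EntraEndpoint {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Reachable = $true; Detail = "HTTP $($r.StatusCode)" }
    } catch {
        # An HTTP error status still proves TCP and TLS reached the endpoint;
        # no response object at all means the connection itself failed.
        $reachable = $null -ne $_.Exception.Response
        [pscustomobject]@{ Url = $Url; Reachable = $reachable; Detail = $_.Exception.Message }
    }
}

$failures = @(Get-MiseNetworkFailures -Path $LogPath)
$failures | Format-Table -AutoSize
if ($failures | Where-Object NetworkCause) {
    'MISE12034 with a network-level cause found; checking endpoint reachability:'
    $Endpoints | ForEach-Object { Test-EntraEndpoint -Url $_ } | Format-Table -AutoSize
    'WinHTTP (system-context) proxy used by the management point:'
    netsh winhttp show proxy
} else {
    'No MISE12034 entries with a network cause; the resolution in this section does not apply.'
}
```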
Next steps
As of May 27, 2026, version 2603 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for installing update 2603.
Tip
To install a new site, use a baseline version of Configuration Manager.
Learn more about:
For known significant issues, see the Release notes.
After you update a site, also review the Post-update checklist.