Applies to: Configuration Manager (current branch, version 2509)
Summary of KB37864969
This update rollup supersedes KB 36949461 and includes all fixes from that update along with more fixes.
For more information on changes in Configuration Manager version 2509, see:
- What's new in version 2509 of Configuration Manager current branch
- Summary of changes in Microsoft Configuration Manager current branch, version 2509
Issues that are fixed
Build and Capture task sequence produces incorrect restart error on Windows 11 24H2
When performing a Build and Capture task sequence on Windows 11 24H2 using November or December 2024 media, the resulting captured image displays a "Why did my PC restart" error dialog when subsequently deployed. This error appears during the Windows setup phase of the captured image and can interrupt automated deployment sequences, causing confusion for technicians performing image deployments.
Windows 10 IoT Enterprise LTSC 2021 incorrectly reported as unsupported
Windows 10 IoT Enterprise LTSC 2021 (version 21H2, Build 19044) devices are incorrectly reported as "not supported" in the ConfigMgr console. In Administration > Management Insights > Simplified Management > Update Clients to a supported Windows 10 version, these devices show "Action needed". The Product Lifecycle dashboard also incorrectly shows these devices as end-of-life, even though Windows 10 IoT Enterprise LTSC 2021 has mainstream support until January 12, 2027.
Software Center compliance check fails in co-managed environments
An internal service required for device compliance checks will be deprecated in October 2026. Following the deprecation, compliance checks in Software Center may fail in co-managed environments where the Compliance workload is managed by Intune. To prevent this issue, apply this update before October 2026. For more information, see KB 37172183.
Applications with OS requirements fail during OSD with HTTP 404 error after upgrading to 2509
After upgrading to ConfigMgr 2509, applications with OS requirement rules (such as "All x64 Windows 11 and higher Clients") fail to install during Task Sequence deployment. Multiple applications that reference the affected OS requirement fail simultaneously. Errors similar to the following are recorded in the CIDownloader.log file.
failed to download source file http://mp/SMS_MP/.sms_dcm?Id&DocumentId=Windows/All_x64_Windows_11_and_higher_Clients/ to destination ... with error 0x80190194
Co-managed clients with 3rd party update catalogs receive updates from incorrect source
In ConfigMgr 2509, co-managed clients with third party update catalogs stop receiving updates from the expected source. The Windows Update Agent is locked to WSUS for Quality, Feature, and Driver updates even though the co-management slider is set to Intune. The SetPolicyDrivenUpdateSourceForXXXUpdates registry values for Feature, Driver, Quality updates under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are incorrectly assumed to be 1 (WSUS) if only the key SetPolicyDrivenUpdateSourceForOtherUpdates is set to 1 (making it a partial configuration of policy). This issue was originally addressed in KB 36495448.
ConfigMgr client upgrade fails on Windows 11 ARM64 devices
Client push installation (CcmSetup) fails with error code 0x80070643 on Windows 11 ARM64 devices when upgrading from ConfigMgr 2403 or 2503 to 2509. The failure occurs during the upgrade path when the installer attempts to uninstall a 32-bit Microsoft Policy Platform (MPP) component that doesn't exist on ARM64 architecture. The issue doesn't occur on x64 devices and reproduces on Windows 11 25H2 ARM64 and 26H1 ARM64.
Subsequent ConfigMgr client upgrades fail on ARM64 after initial upgrade failure
On Windows 11 ARM64 devices, if a previous ConfigMgr client upgrade failed to uninstall the 32-bit Microsoft Policy Platform (MPP) MSI, subsequent client upgrades also fail with error code 0x80070643. In ccmsetup.log, the 32-bit MicrosoftPolicyPlatformSetup.msi uninstall is attempted and the error is ignored, but the upgrade logic then proceeds to install the 64-bit MPP without checking whether it's already present, causing the client.msi upgrade to fail.
Microsoft Defender does not apply Intune policies after Endpoint Protection workload is switched to Intune
When the Endpoint Protection (EP) co-management workload is switched from Configuration Manager to Intune, Microsoft Defender doesn't pick up Intune's Endpoint Protection settings. Defender remains in a state where it believes Configuration Manager is managing it. Intune AV policies (such as tamper protection) aren't applied. The issue occurs because the ConfigMgr client leaves behind a registry key that prevents Defender from recognizing the workload transition.
Intune EDR policies fail to apply on tenant-attached clients
In ConfigMgr 2509, Intune Endpoint Detection and Response (EDR) policies fail to be applied on ConfigMgr clients via tenant attach (non-co-managed). The ConfigMgr client doesn't receive or process EDR policy from Intune when only tenant attach is configured without co-management. Policy deployment errors may appear in client logs related to EDR configuration.
Security update for Configuration Manager
This update enhances security in Configuration Manager by improving access controls for the Network Access Account (NAA). For more information, see KB 37447175.
Offline feedback submission fails due to authentication library version mismatch
The standalone tool UploadOfflineFeedback.exe fails with a System.IO.FileLoadException due to a Microsoft.Identity.Client version mismatch. This issue was originally addressed in KB 36419072.
Cloud Management Gateway VMSS image updated to remove end-of-life .NET 6
The Cloud Management Gateway (CMG) Virtual Machine Scale Set (VMSS) image is updated to use a new SKU that doesn't include .NET 6, which has reached end of life.
Issues that are fixed in this update that aren't in KB 36949461
The following issues are new in this update rollup and weren't included in KB 36949461:
- Offline feedback submission fails due to authentication library version mismatch. For more information, see KB 36419072.
- Co-managed clients with third party update catalogs receive updates from incorrect source. For more information, see KB 36495448.
- Cloud Management Gateway VMSS image updated to remove end-of-life .NET 6.
Hotfixes that are included in this update
- KB 37172183: Software Center compliance check fails with GET_TOKEN_FROM_STS_ERROR in co-managed environments
- KB 37447175: Security update to harden access to Network Access Account information
- KB 36419072: Offline feedback update for Configuration Manager
- KB 36495448: Co-management and third party update scan source fix for Configuration Manager
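To check a client for the partial scan-source policy described under "Co-managed clients with 3rd party update catalogs receive updates from incorrect source" (the issue KB 36495448 addresses), the following PowerShell reads the four per-class values and flags the case where only the Other class is set to 1. This is an added example, not Microsoft's code; the function names are hypothetical, and the mapping of 0 to Windows Update is taken from the Windows Update policy definition rather than from this article.

```powershell
# Added example (not from the KB article). Function names are hypothetical.
# Registry path and value-name pattern are the ones named in the article.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$UpdateClasses = 'Feature', 'Quality', 'Driver', 'Other'

function Get-ScanSourcePolicy {
    param([string]$Path = $WuPolicyKey)
    # Returns $null when the policy key does not exist at all.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($class in $UpdateClasses) {
        $name = "SetPolicyDrivenUpdateSourceFor${class}Updates"
        $value = $null
        if ($props -and $props.PSObject.Properties[$name]) { $value = $props.$name }

        # 1 = WSUS (per the article); 0 = Windows Update (assumption, see lead-in).
        $source = 'not set'
        if ($value -eq 1) { $source = 'WSUS' }
        elseif ($null -ne $value -and $value -eq 0) { $source = 'Windows Update' }

        [pscustomobject]@{ Class = $class; Name = $name; Value = $value; Source = $source }
    }
}

function Test-PartialScanSourcePolicy {
    param([object[]]$Policy)
    # Partial configuration: Other is explicitly 1 while at least one of
    # Feature / Quality / Driver has no explicit value.
    $other = $Policy | Where-Object { $_.Class -eq 'Other' }
    $unset = @($Policy | Where-Object { $_.Class -ne 'Other' -and $null -eq $_.Value })
    return ($other.Value -eq 1 -and $unset.Count -gt 0)
}

$policy = @(Get-ScanSourcePolicy)
$policy | Format-Table Class, Name, Value, Source -AutoSize

if (Test-PartialScanSourcePolicy -Policy $policy) {
    Write-Warning ('Partial scan-source policy: only the Other class is set to WSUS. ' +
        'Without this update, a ConfigMgr 2509 client assumes WSUS for the unset classes.')
} else {
    Write-Output 'Scan-source policy is not in the partial state described in the article.'
}
```

Run it in an elevated 64-bit PowerShell session on the co-managed client, and compare the reported sources with the workload the co-management slider assigns to Intune.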
Update information for Microsoft Configuration Manager current branch, version 2509
This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using the globally available build of version 2509.
Restart information
This update doesn't require a computer restart but will initiate a site reset after installation.
Additional installation information
After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. The reinstallation doesn't affect configurations and settings for the secondary site. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
If the value 0 is returned, all the fixes that are applied to the primary site aren't installed for the secondary site. You should use the Recover Secondary Site option to update the secondary site.
Version information
The following major components are updated to the versions specified:
| Component | Version |
|---|---|
| Configuration Manager console | 5.2509.1036.1700 |
| Client | 5.0.9141.1032 |
File information
File information for the release is available in the downloadable KB37864969_FileList.txt text file.
Release history
- May 2026: Initial hotfix release