Config Manager 2603: What's New and What You Need to Know
- Christopher Hazlitt
- 24 hours ago
Microsoft has officially released Configuration Manager current branch version 2603, the first current branch update of 2026. Released on May 5, 2026, this update doubles down on security improvements under Microsoft's Secure Future Initiative (SFI) and lays critical groundwork before the product shifts to its new annual release cadence starting with version 2609 in September 2026.
Security Is the Headliner
Version 2603 is explicitly framed as a security-first release, and the improvements are substantial. If your organization runs ConfigMgr in a regulated or security-sensitive environment, this update deserves your full attention.
Network Access Account (NAA) Hardening: Access to NAA information is now restricted to supported OSD media task sequence scenarios only. Legacy access paths have been removed, aligning with least-privilege principles.
Stronger CMG Cipher Suites: Weak DHE cipher suites are now disabled on Cloud Management Gateway instances. Only TLS 1.3 and TLS 1.2 ECDHE ciphers remain, a significant hardening of CMG connections.
PKI Certificate Support for SQL: Added support and testing for PKI certificates in site system-to-SQL Server communication, including certificate trust, private key access, and BitLocker Management portal configuration.
CVE-2013-3900 Mitigation: The EnableCertPaddingCheck registry keys are now set by default on CMG Virtual Machine Scale Set instances, mitigating the WinVerifyTrust Signature Validation vulnerability.
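The release sets this opt-in on CMG scale set instances only, so other Windows hosts you manage still need checking. The following audit is an added example, not code from Microsoft or the article; the function name `Get-CertPaddingCheckState` is hypothetical, and the two key paths are the ones documented for the CVE-2013-3900 opt-in.

```powershell
# Added example: audit the CVE-2013-3900 opt-in on the local Windows host.
# Both registry views are checked because 32-bit and 64-bit processes
# read different keys under WOW64 registry redirection.
function Get-CertPaddingCheckState {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Wintrust\Config'
    )
    foreach ($path in $paths) {
        $value = $null
        $kind  = $null
        if (Test-Path -LiteralPath $path) {
            $key = Get-Item -LiteralPath $path
            if ($key.GetValueNames() -contains 'EnableCertPaddingCheck') {
                $value = $key.GetValue('EnableCertPaddingCheck')
                $kind  = $key.GetValueKind('EnableCertPaddingCheck')
            }
        }
        # Report the stored kind (String or DWord) instead of assuming one;
        # the comparison below accepts the value 1 in either form.
        [pscustomobject]@{
            Path    = $path
            Present = $null -ne $value
            Kind    = $kind
            Value   = $value
            Enabled = ($null -ne $value) -and ("$value" -eq '1')
        }
    }
}

$state = Get-CertPaddingCheckState
$state | Format-Table -AutoSize
if ($state.Enabled -contains $false) {
    Write-Warning 'EnableCertPaddingCheck is not set to 1 in every registry view.'
}
```

On a 32-bit operating system the WOW6432Node path does not exist and is reported as not present.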
This release is part of Microsoft's Secure Future Initiative (SFI), an organisation-wide commitment to baking security into products by design. For ConfigMgr, this means tightening authentication, eliminating legacy access paths, and enforcing modern cryptographic standards across the platform.
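To hold your own site system servers to the same bar the article describes for CMG (TLS 1.3 and TLS 1.2 ECDHE only, no DHE), the sketch below classifies Schannel cipher suite names. It is an added example, not part of the release or the article; `Get-CipherSuiteVerdict` is a hypothetical name and the sample list is constructed.

```powershell
# Added example. Classifies cipher suite names against the policy the
# article states for CMG: only TLS 1.3 and TLS 1.2 ECDHE suites remain.
function Get-CipherSuiteVerdict {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        $class = switch -Regex ($n) {
            '^TLS_(AES|CHACHA20)_' { 'TLS 1.3'; break }   # TLS 1.3 suites
            '^TLS_ECDHE_'          { 'ECDHE';   break }   # elliptic-curve DH
            '^TLS_DHE_'            { 'DHE';     break }   # finite-field DH
            default                { 'Other' }            # e.g. static RSA
        }
        [pscustomobject]@{
            Name    = $n
            Class   = $class
            Allowed = $class -in 'TLS 1.3', 'ECDHE'
        }
    }
}

# Constructed sample list so the example runs on any host.
$sample = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)
Get-CipherSuiteVerdict -Name $sample | Format-Table -AutoSize

# On a Windows Server host, list the enabled suites that fall outside the policy.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-CipherSuiteVerdict -Name (Get-TlsCipherSuite).Name |
        Where-Object { -not $_.Allowed } |
        Format-Table -AutoSize
}
```

The live check reads the local host's Schannel configuration; it does not query a CMG instance.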
ARM64 & Platform Improvements
ARM64 support continues to mature across ConfigMgr. Version 2603 closes several gaps that were blocking ARM64 deployments in production environments.
The Import-CMDriver PowerShell cmdlet now correctly includes ARM64 platform support when importing drivers from INF files. Previously, ARM64 was silently filtered out from the Supported Platforms list.
Client push installation (CcmSetup) no longer fails with error code 0x80070643 on Windows 11 ARM64 devices when upgrading from ConfigMgr 2409 or 2503.
Software metering and ARM64 device tracking improvements carry forward from 2509.
Infrastructure & Quality Fixes
Beyond security and ARM64, 2603 delivers a solid batch of infrastructure modernization and regression fixes.
Microsoft SQL Server Management Objects (SMO) and System CLR Types have been updated from the deprecated SQL Server 2014 versions to the current SQL Server 2025 (SMO 17) versions.
The New-CMCloudManagementGateway PowerShell cmdlet now allows combining -IsUsingExistingGroup $true with -ServerAppClientId, enabling fully automated CMG deployment into existing Azure resource groups.
Intune Endpoint Detection and Response (EDR) policies now apply correctly on ConfigMgr clients via tenant attach (non-co-managed). This is a regression fix for an issue introduced in ConfigMgr 2503.
The Bigger Picture: A New Release Cadence
Version 2603 is one of the last releases under the semi-annual model. Microsoft has announced that starting with version 2609 in September 2026, Configuration Manager will move to an annual release cadence: one major update per year. Here's how the roadmap looks:
Version 2509 (December 2025): Stability and quality updates, including initial ARM64 support.
Version 2603 (May 5, 2026, current): Enhanced security aligned with the Microsoft Secure Future Initiative. First update of 2026.
Version 2609 (September 2026): First annual release under the new cadence. Aligns with Windows client H2 update model.
Version 2709 (September 2027): Next annual baseline. Details to be determined.
Important for IT teams: The 18-month support window per release remains unchanged. Under annual releases, staying on a supported version now requires upgrading roughly once a year rather than every six months. Plan your upgrade cycles accordingly; skipping a release will become significantly more consequential.
Upgrade Prerequisites & Key Notes
Your site must be running version 2409 or later to upgrade to 2603. Older versions (including SCCM 2012 or 2012 R2) are not supported upgrade paths.
Starting with 2603, the upgrade is blocked on Windows Server 2012/2012 R2. You must upgrade host servers to 2016, 2019, or 2022 first.
SQL Server support covers SQL 2017, SQL 2019, and SQL 2022. SQL 2014 SMO packages are now deprecated and replaced.
Supported Windows ADK versions: Windows 10 ADK 2004 or Windows 11 ADK 10.1.26100.2454.
Version 2603 is not a baseline version. New site installations should use the 2503 baseline media, then update in-console.
Currently in the early update ring: you will need to run the opt-in PowerShell script to install it now. Full rollout will follow.
The Intune Elephant in the Room
Microsoft continues to push cloud-first messaging with this release. The official position is clear: Microsoft Intune is the future of device management, and all new innovations will occur there. Configuration Manager will continue to serve on-premises devices, with a renewed focus on security, stability, and long-term support.
For many enterprise and public sector organizations, that's perfectly fine: ConfigMgr's on-premises control, granular software deployment, OSD capabilities, and compliance tooling aren't going away. If you haven't evaluated co-management or tenant attach yet, now is a great time to start. A hybrid co-management strategy gives you the best of both worlds.
Tags: Configuration Manager | SCCM | ConfigMgr 2603 | Microsoft Intune | Endpoint Management | Security | ARM64 | 2026
