top of page

ConfigMgr 2503: The Release That Kept Giving (Six Hotfixes and Counting)

  • Writer: Christopher Hazlitt
    Christopher Hazlitt
  • Jun 5
  • 6 min read

ConfigMgr 2503 shipped on April 23, 2025, carrying over 350 bug fixes and a patch for CVE-2025-47178 — and zero new features. That last part was intentional. This was a security-and-stability release under Microsoft's Secure Future Initiative, and Microsoft said so plainly. What they didn't say plainly was how many times they'd be coming back to fix what the release itself introduced, or broke, or failed to fully address the first time around.

By the time 2503 reached end of support on September 30, 2026, it had accumulated an early update ring patch, a full update rollup bundling three separate hotfixes, a revised security update addressing three CVEs, a standalone CMG deployment fix, and a VM scale set image deprecation update it shared with other versions. That's six distinct KB articles against a single branch release. For a version that shipped with no new features, it had quite a lot to answer for.

Here's the complete rundown of everything Microsoft shipped against 2503 — in chronological order, because the order matters.

📦 KB 31909343 — The Base Release (April 23, 2025)

This is the summary article for the 2503 release itself, so technically not a hotfix. But it's the foundation everything else patches, so it deserves a mention. The headline fix was CVE-2025-47178, a security vulnerability in smsprov.dll. Beyond the CVE, the release addressed a respectable pile of issues accumulated since 2409:

  • Software metering not running on ARM64 clients — the Software Metering Agent simply wasn't starting on ARM64 devices. Silent, unhelpful.

  • SMS Executive unhandled exception on orchestration groups — smsexec.exe could terminate unexpectedly in environments using orchestration groups.

  • ADR Wizard console crash — the Configuration Manager console could terminate when running the Create Automated Deployment Rule Wizard.

  • CMG communication failure with Entra auth disabled — clients couldn't reach the cloud management gateway in environments where Microsoft Entra authentication was turned off.

  • SQL AlwaysOn application install failures — clients failed to install applications in AlwaysOn environments, with MP_Location.log logging SQL connection errors.

  • Distribution point install failure with alternate accounts — a relatively specific but painful failure mode.

  • Windows 10 21H2 servicing state corrected — finally updated to reflect that 21H2 is out of support.

  • Status message viewer crash on large message volumes — the viewer could terminate unexpectedly when dealing with large message sets.

Note: The globally available release on April 23, 2025 already included the CVE patch. If you downloaded 2503 on or after that date, you had the fix baked in.

🚨 KB 32480179 — Early Update Ring Patch (May 8, 2025)

Less than three weeks after release, Microsoft shipped an emergency patch for anyone who had installed 2503 during the early update ring window (March 31 – April 22, 2025). If you downloaded 2503 on April 23 or later, this one doesn't apply to you — it won't even show up in your console. If you were an early adopter, it was mandatory.

The headline issue was genuinely disruptive:

  • PXE clients stuck in 'Waiting for Approval' — after upgrading to 2503, PXE boot clients would stall indefinitely at the Waiting for Approval stage if the Require a password when computers use PXE option was not enabled. SMSPXE.log would log PXE::CRYPT::CalcHMACBuffer failed (0x80090008) errors. Fixing it required updating both default and custom boot images on all distribution points after applying the patch. Not a small ask.

  • CVE-2025-47178 (again) — included here for early ring sites that hadn't yet received the globally available build.

⚠️ This update initiates a site reset after installation. Plan accordingly.

🔐 KB 34503790 — Revised Security Update (September 8, 2025)

Four months after release, Microsoft came back with a revised security update addressing three CVEs — two of which were new:

  • CVE-2025-47178 — yes, again. This revision improved the security of discovery data records (DDR) processing beyond what the original fix addressed.

  • CVE-2025-55320 — new vulnerability resolved in this update.

  • CVE-2025-59213 — new vulnerability resolved in this update.

KB 34503790 supersedes all prior releases of the CVE-2025-47178 fix. This update requires KB 32480179 (early ring) to be installed first on those sites, or the globally available 2503 build for everyone else.

🔧 KB 32851084 — Update Rollup (September 30, 2025)

The proper update rollup for 2503, released on the same day support technically began winding down. It bundles KB 33177653, KB 34503790, and KB 35360093, and adds several standalone fixes on top:

  • Web Deploy updated on CMG VMs from 3.6 to 4.0 — a dependency refresh on CMG virtual machines.

  • Windows Server 2025 update Maximum Run Time bug — the incorrect Maximum run time value was causing update installations to be incorrectly cancelled on Windows Server 2025. This had been quietly breaking deployments.

  • Check compliance button error after KB 33177653 — in environments where the Cloud Management Azure Service was previously deleted, the Check compliance button threw errors post-patch.

  • Windows Update scan source policy fix — client updated to ensure scan source policies are set correctly.

  • Microsoft Defender policies removed from Windows Servers — Intune Portal-created Defender policies were incorrectly being removed from Windows Servers. Subtle and nasty.

  • SMS Executive service unexpected termination — another smsexec.exe crash scenario, this time specifically during orchestration group evaluation.

  • Deployment status reporting inaccuracies — the 'Requirements Not Met' count and broader success/error summarisation could report incorrect numbers.

Known issue with this rollup: After installing KB 32851084, CMG may appear in Error status in the console with 'Failed to perform maintenance'. There's no functional impact to the CMG itself, but it's alarming. Microsoft documented this in a separate troubleshooting article.

⚠️ This update initiates a site reset. Secondary sites must be manually updated after installation.

☁️ KB 35958849 — CMG Deployment Maintenance Update (December 3, 2025)

A targeted fix for a specific but recurring CMG failure that, if you hit it, would drive you absolutely mad:

  • CMG 'Create or Update Public IP Address' maintenance task failing every 20 minutes — the deployment maintenance task would fail on a 20-minute loop in subscriptions created in regions with Availability Zones, and also during CMG upgrades. CloudMgr.log would fill with Resource Manager errors and STATMSG 9418/9401 entries.

Requires KB 32851084 (the update rollup) to be installed first. No restart, no site reset needed.

🖼️ KB 37942646 — CMG VM Scale Set Image Update (June 2, 2026)

Shared with 2603 and other versions, but applicable to 2503 with the update rollup installed. The legacy Windows Server 2022 Azure Marketplace image offer (windowsserver) that includes .NET 6 is being deprecated by Microsoft. CMG deployments on VM scale sets reference these legacy images, and once enforcement begins in early 2027, new deployments and reimaging operations will fail.

The fix transitions the CMG VMSS to the new windowsserver2022 image offer, which doesn't carry the deprecated .NET 6 packages. For 2503, KB 32851084 must be installed first. No restart, no site reset.

📅 The Full 2503 Hotfix Timeline

  • April 23, 2025 — KB 31909343: 2503 globally available (350+ fixes, CVE-2025-47178)

  • May 8, 2025 — KB 32480179: Early update ring patch (PXE boot fix, site reset required)

  • September 8, 2025 — KB 34503790: Revised security update (CVE-2025-47178 rev., CVE-2025-55320, CVE-2025-59213)

  • September 30, 2025 — KB 32851084: Update rollup (8 fixes + 3 bundled hotfixes, site reset required)

  • December 3, 2025 — KB 35958849: CMG maintenance task fix (Availability Zone regions)

  • June 2, 2026 — KB 37942646: CMG VM scale set image deprecation update

🗺️ What This Actually Means

2503 was shipped as a no-frills maintenance release. The irony is that it generated more post-release maintenance work than most feature releases. If you're still on 2503, the checklist before September 30, 2026 is straightforward: KB 34503790 for the security fixes, KB 32851084 for the full rollup, KB 35958849 if you're using CMG in Availability Zone regions, and KB 37942646 if you're on VM scale sets and you'd like your CMG to keep working in 2027.

Or you could just upgrade to 2603. Which also has its own hotfix. But that's a different article.

References

  • KB 31909343 — Summary of changes in Configuration Manager version 2503

  • KB 32480179 — 2503 early update ring patch

  • KB 34503790 — Revised security update (CVE-2025-47178, CVE-2025-55320, CVE-2025-59213)

  • KB 32851084 — Update rollup for Configuration Manager version 2503

  • KB 35958849 — CMG deployment maintenance update

  • KB 37942646 — CMG VM scale set image update

  • Microsoft Learn: learn.microsoft.com/en-us/intune/configmgr/hotfix/

 
 
 

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating*
bottom of page