top of page

ConfigMgr 2603: What You Need to Know (+ CMG Hotfix KB 37942646)

  • Writer: Christopher Hazlitt
    Christopher Hazlitt
  • Jun 5
  • 4 min read

Configuration Manager version 2603 (KB 37426535) dropped on May 5, 2026 — the first current branch release of 2026, and the first under Microsoft's new annual release cadence. It's not glamorous, but your environment probably needs it.

Version 2603 is available as an in-console update from the top-tier site in your hierarchy. Don't expect a feature parade — this one is squarely focused on security hardening, infrastructure modernisation, and fixing a handful of issues that have been quietly annoying admins since 2503. Still, it's a release worth taking seriously.

A note on cadence: Microsoft has shifted Configuration Manager to an annual release cycle. Version 2603 is the first under this new model, with the next major release (2709) pencilled in for late 2027. Hotfix rollups will now only ship for urgent security or functionality issues.

🔧 What's Actually Fixed

The official "issues fixed" list is, as ever, not exhaustive — Microsoft only documents the things they think the broad customer base cares about. Here's what made the cut:

  • Microsoft Connected Cache (MCC) proxy fix. MCC setup was failing with ReturnCode 13631517 on distribution points behind proxy servers. The root cause: the connectivity test was using relative-form URLs instead of absolute-form, violating HTTP RFC specs. Fixed.

  • PKI certificate support for site system-to-SQL communication. Proper handling of certificate trust, private key access, and BitLocker Management portal registry thumbprint configuration has been added and tested. Long overdue.

  • Import-CMDriver ARM64 fix. The PowerShell cmdlet was silently stripping ARM64 from the Supported Platforms list when importing drivers from INF files. It now correctly includes ARM64 platform support.

  • SQL Server Management Objects updated. The deprecated SQL Server 2014 SMO versions have been replaced with SQL Server 2025 versions (SMO 17). If you've been holding your breath on this one, you can exhale.

  • Intune EDR policy regression fix. EDR policies now apply correctly on ConfigMgr clients via tenant attach in non-co-managed scenarios. This was a regression introduced in 2503.

🔒 Security Changes

This release is part of Microsoft's Secure Future Initiative (SFI), and they mean it. Two changes in particular deserve your attention before you rush to deploy.

Network Access Account (NAA) Hardening

Access to NAA information is now restricted to supported OSD media task sequence scenarios only. Legacy access paths have been removed. If your environment has anything relying on NAA access outside of those supported scenarios, it will break. Review KB 37447175 before deploying to understand the full scope of the access control changes.

Cloud Management Gateway (CMG) Cipher Hardening

Weak DHE (Diffie-Hellman Ephemeral) cipher suites are now disabled on CMG instances. Only TLS 1.3 (AES_256_GCM, AES_128_GCM) and TLS 1.2 ECDHE ciphers remain enabled. If any clients or upstream systems are still negotiating DHE, they will stop talking to your CMG.

⚠️ Bottom line: The NAA access control changes and CMG cipher hardening can cause real breaks in production. Audit your OSD task sequences and CMG client connectivity before rolling 2603 to your hierarchy.

📋 Prerequisites

  • Minimum version: Sites must be running version 2409 or later.

  • Not a baseline: 2603 is not a baseline version — use 2503 for new site installs.

  • Delivery: In-console update from the top-tier site in a hierarchy.

  • Early update ring: A PowerShell opt-in script is required during early update ring availability.

  • Support window: May 5, 2026 – November 4, 2027.

🚀 How to Install

  1. Open the Configuration Manager console and navigate to Administration > Updates and Servicing.

  2. Locate the Configuration Manager 2603 update in the list. If it doesn't appear, run a service connection point synchronisation.

  3. Right-click the update and select Install Update Pack. If you're in the early update ring, run the opt-in PowerShell script first.

  4. Work through the Update Wizard. Review the prerequisite check results carefully — don't skip past warnings.

  5. Monitor the installation via Updates and Servicing Status or hman.log / dmpdownloader.log.

  6. Update the console, then roll out the updated client to your devices.

💡 Tip: Install into a non-production or pre-production hierarchy first. The NAA and CMG changes in particular warrant validation before you commit production.

🩹 Post-Release Hotfix: CMG VM Scale Set Image Update (KB 37942646)

On June 2, 2026, Microsoft released an out-of-band hotfix under KB 37942646. If you're running a Cloud Management Gateway on virtual machine scale sets, this one is not optional — it's a deprecation response, and enforcement is coming.

What's the Problem?

The legacy Windows Server 2022 Azure Marketplace images (offer: windowsserver) that include .NET 6 are being deprecated. CMG deployments using VM scale sets currently reference these legacy images. Once deprecation is enforced in early 2027, new CMG deployments and any reimaging operations that reference the old images will simply fail — and they stop receiving OS patch updates before that point.

What the Hotfix Does

KB 37942646 transitions the CMG virtual machine scale set to the new Windows Server 2022 image offer (windowsserver2022), which doesn't include the deprecated .NET 6 packages. No restart required. No site reset needed.

Applicability by Version

  • Version 2603: Available directly in Updates and Servicing.

  • Version 2503: Requires KB 32851084 (Update rollup for 2503) first.

  • Version 2409: Requires KB 30385346 (Update rollup for 2409) first.

  • Version 2509: Already included in KB 37864969 — no separate action needed.

Console Versions After Applying KB 37942646

  • Console (2409): 5.2409.1183.2100

  • Console (2503): 5.2503.1083.2100

  • Console (2603): 5.2603.1035.1200

🗺️ The Bigger Picture

2603 is the new reality for Configuration Manager: less frequent, more deliberate releases. Microsoft has been clear that new innovation is going to Intune. ConfigMgr's mandate from here is security, stability, and support for organisations that aren't ready — or willing — to go fully cloud-managed.

This release isn't exciting, but it is consequential. The security hardening, the SMO update, the ARM64 driver fix, and the EDR regression patch together make it worth prioritising if you're running ConfigMgr at any meaningful scale. Get it into your change management queue.

References

  • KB 37426535 — Summary of changes in Configuration Manager version 2603

  • KB 37447175 — Network Access Account access control changes

  • KB 37942646 — CMG virtual machine scale set image update

  • Microsoft Learn: What's new in version 2603 — learn.microsoft.com/en-us/intune/configmgr/core/plan-design/changes/whats-new-in-version-2603

 
 
 

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating*
bottom of page