Update Rollup for Microsoft Endpoint Configuration Manager version 2002

Applies to: Microsoft Endpoint Configuration Manager (current branch – version 2002)


This article describes issues that are fixed in this update rollup for Microsoft Endpoint Configuration Manager current branch, version 2002. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release.

For additional information on changes in Configuration Manager version 2002, refer to:

What’s new in version 2002 of Configuration Manager current branch

Summary of changes in Microsoft Endpoint Configuration Manager current branch, version 2002

Issues that are fixed

  • The option to schedule updates is unavailable when applying software updates to an image (offline servicing) for Windows Server, version 2004.
  • Hybrid Azure Active Directory domain joined clients are detected as Intranet clients when communicating with the Cloud Management Gateway. User-based deployments are blocked as a result.
  • Users are unable to submit feedback from the Configuration Manager console when using a Japanese version of the operating system.
  • The values for dynamic task sequence variables are still displayed even after selecting the option Do not display this value in the Configuration Manager console.
  • After changing Enable third party software updates to "Yes" in client settings, clients perform an extra group policy update on startup resulting in increased load on domain controllers.
  • The SetupComplete.cmd window is now hidden during Windows 10 upgrade task sequences.
  • The Configuration Manager console may terminate unexpectedly after entering Microsoft Azure login credentials in the Co-Management Configuration Wizard.
  • After deleting a setting from the Co-management node in the Configuration Manager console, the Configure co-management option is unexpectedly grayed out and unavailable. This blocks you from re-enabling co-management and is a variation of the issue first resolved in KB 4540794.
  • After updating to Configuration Manager version 2002, content download for updates may fail when Allow clients to download delta content when available is enabled in client software update settings.

  • When multiple pilot groups are selected for co-management, the Automatic enrollment into Intune process may take longer than expected.
  • The co-management pilot process generates extraneous policy updates on Configuration Manager clients.
  • After clearing the Use a boot image option from the properties of a task sequence, the reference is not removed as expected. This results in the boot image being referenced in the deployment and download of the task sequence.
  • The SMS Agent Host service (ccmexec.exe) may sporadically cause high CPU utilization on client computers if the local time zone setting is changed. This CPU utilization typically only persists until the client computer restarts, or for the delta between the old and new time zones.
  • The Configuration Manager console hangs when opening automatic deployment rules (ADR) when multiple languages are selected.
  • After updating to Configuration Manager current branch, version 2002, client policy data may fail to apply. Messages resembling the following are recorded in the PolicyEvaluator.log file. 
  • Group policy updates are incorrectly triggered if Configuration Manager is set to manage Delivery Optimization (DO) settings on a client but DO is not yet implemented in the environment.
  • Co-managed device data, such as the operating system version, may be missing when viewed in the Intune portal. This occurs if the data was unavailable (null) when the device was first synchronized during the onboarding process, even if it was added later.
  • The Configurations tab of the client control panel applet may hang on Windows 10 ARM64 devices.
  • Client computers do not restart as required after a software update installation. This occurs when a software update group contains both an update that can install within the maintenance window, and one that cannot install within the maintenance window.
  • Expected subscriptions are not listed in the Create Cloud Management Gateway Wizard after signing in with the correct subscription admin account.
  • After updating to Configuration Manager current branch, version 2002, management points do not process domain data from client heartbeat discovery data records (DDR). This leaves client records without domain data until Active Directory System Discovery runs.
  • Collections with the option Make this collection available to assign Microsoft Defender ATP policies in Intune enabled can no longer be deleted from the Configuration Manager console; that option must be disabled before deletion is available.
  • An operating system upgrade task sequence does not resume after the target computer restarts. This occurs when the task sequence incorrectly tries to take the client out of provisioning mode. Errors resembling the following are recorded in the TSAgent.log file. 
  • The BytesDownloaded property of instances in the CCM_CTM_DownloadHistory class does not record values larger than 4GB, leading to potential inaccuracies in reporting.
  • The Co-management Configuration Wizard may terminate unexpectedly when selecting a collection to upload.
  • The installation or removal of Office updates may fail. This occurs when the SMS Agent Host (ccmexec.exe) incorrectly holds a lock on Office add-in files, such as Visual Studio Tools for Office (VSTO) add-ins, after hardware inventory runs. Office updates fail to install via Configuration Manager in this scenario.
    Additionally, users that install or uninstall Office updates manually in these environments may encounter errors resembling the following.
  • Operating system deployment task sequences may fail in an environment with a mix of management points using HTTP and HTTPS for communications. This is most common when an HTTPS management point is used for a cloud management gateway and operating system boot images are not configured to use client authentication certificates.
  • After updating to Configuration Manager current branch, version 2002, delta hardware inventory files may be rejected at a primary site and copied to the \BADMIFS folder. Errors resembling the following are recorded in the dataldr.log on the primary site. 

Additional changes

KB 4561945 "The underlying connection was closed" error when the service connection tool downloads the ConfigMgr.AdminUIContent.cab file

Additional hotfixes contained in this rollup

KB 4563473 Update rollup for Configuration Manager version 2002 tenant attach issues
KB 4567007 PXE Boot failures or task sequence delays after updating to Configuration Manager current branch, version 2002

Update information for Microsoft Endpoint Configuration Manager, version 2002

This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using early update ring or globally available builds of version 2002.

Members of the Configuration Manager Technology Adoption Program (TAP) must first apply the private TAP rollup before this update is displayed.

To verify which build is in use, look for a Package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The update applies to new installations of version 2002 from baseline media, as well as installations from packages that have the following GUIDs:

  • AA9975F2-160A-4910-A698-B7A4AF35D727
  • B39BBA45-E1F0-4233-971E-BB66EB25359D
  • 382F6B53-9217-47CB-9852-7A53232EC80D
  • 0808D0BA-B36F-4719-BD10-08585C1B8B3E
  • AA09154F-56FB-449D-8009-5BBB7C23CB4F
  • C427C4F5-6967-4B64-86BC-DEC9E0F201CC
  • 06F89B19-5A8B-460E-A7F4-6CC0E86A1FC6
  • A680BEFC-783A-49FC-8FAF-1AADB2A7EE84

The update is also applicable to the following package GUID with the private TAP rollup installed:

  • 373BBBC6-F070-43C6-B0AC-163D91C731E7

Restart information

You do not have to restart the computer after you apply this update.

Update replacement information

This update replaces the following previously released updates.
KB 4553501 Update for Microsoft Endpoint Configuration Manager version 2002, early update ring
KB 4563473 Update rollup for Configuration Manager version 2002 tenant attach issues
KB 4567007 PXE Boot failures or task sequence delays after updating to Configuration Manager current branch, version 2002

Additional installation information

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.