Update for Microsoft Endpoint Configuration Manager version 2002, early update ring

Applies to: Microsoft Endpoint Configuration Manager (current branch – version 2002)


An update is available to administrators who opted in through a PowerShell script to the early update ring deployment for Microsoft Endpoint Configuration Manager current branch, version 2002. You can access the update in the Updates and Servicing node of the Configuration Manager console.

This update addresses important, late-breaking issues that were resolved after version 2002 became available globally. This article summarizes the most significant changes.

This update does not apply to sites that downloaded version 2002 on May 11, 2020, or a later date. Therefore, it will not be listed in the Configuration Manager console for those sites.

Issues that are fixed

  • A Central Administration Site (CAS) may be placed in maintenance mode if the site database contains BitLocker management data and one of the following scenarios is true.
    1. If the or data link between a primary site and CAS is unavailable, and data is backed up for 5 days.
    2. If the site goes through the data reinitialization (reinit) process.
    3. If the CAS is recovered.
  • Microsoft Advanced Threat Protection (ATP) policy deployment status shows as “Unknown” when deployed from the Microsoft Endpoint Management admin center.
  • The SMS Agent Host process (CCMExec.exe) may cause high CPU and memory utilization when the computer is not a member of an orchestration group. The MaintenanceCoordinator.log will show the entry “Orchestration lock is required.”
  • The download of third-party updates for internet clients will fail if only a cloud distribution point is available unless the user triggers the installation via Software Center.
  • A computer restart initiated from Software Center on a client will fail if a Windows Servicing Stack Update (SSU) was installed with other updates.
  • If both a Servicing Stack Update (SSU) and Latest Cumulative Update (LCU) are deployed together and past due, the SSU is not installed first.
  • Clients in boundary groups with limited network speed or BITS throttling ignore the “Prefer cloud based sources over on-premise sources” setting.
  • The Desktop Analytics dashboard may show stale data up to 12 hours out of date if duplicate devices are in the environment.
  • Site installation fails when the database is installed on a clustered instance of SQL on a Windows Server 2012 R2 server.
  • Administrators cannot run CMPivot scripts without having default scope access.
  • The Azure_CloudService table has inconsistent data after onboarding, offboarding, then onboarding co-management.
  • A client only retries a failed management point connection one time until the client is restarted, leading to delays in policy retrieval.
  • Windows Feature Updates that installed successfully may still appear in Software Center as pending installation after the client computer restarts.
  • The link to the Microsoft Intune Device Explorer for a specific device in the Configuration Manager console does not load correctly.
  • A site administrator with rights to read Devices and Boundary Groups is unable to query the same data using the administration service.
  • Administrators receive an “Insufficient user permissions” error in the Microsoft Endpoint Manager admin center when their on-premises permissions are granted via Active Directory group membership.
  • The Workspace Key and Workspace ID fields are now optional in the Create Microsoft Defender ATP Policy Wizard.
  • Application content fails to download from a cloud distribution point when BranchCache is enabled and there are multiple files to be downloaded.
  • The “Prefer cloud based sources over on-premise sources” boundary group setting is not used for Microsoft Office 365 update content downloads.
  • The tenant attach process fails if the SMS Provider is installed remotely from the site database server.
  • After client upgrade the PolicyAgent.log may be flooded with duplicate log entries, overwriting information valuable to troubleshooting. The entries resemble the following.
  • The administration service is unavailable if the service connection point is installed remotely from the site server.
  • The Windows PowerShell Integrated Scripting Environment (ISE) generates a “Failed to refresh” error when loading the cmdlet library and refreshing the list of available cmdlets.
  • Upgrade of the Configuration Manager client fails on Windows 10 clients with error code 80070020 when using the “Auto upgrade” and “Auto upgrade(Pre-production collection)”.
  • Error handling for the administration service is improved.
  • Installation of dynamic packages via the Install Package task in a Task Sequence fails with error 0x87d02004. This occurs if the “Allow this program to be installed from the Install Package task sequence without being deployed” option is selected in the program for the package.
  • Desktop Analytics deployment plans in large environments may not display correctly in the Configuration Manager console due to a SQL timeout.
  • If the site database and data warehouse database are on different computers, and the data warehouse service point is on a different computer from the data warehouse database, the synchronization process may fail. Errors resembling the following are recorded in the Microsoft.ConfigMgrDataWarehouse.log file.

Additional hotfixes contained in this update

KB 4561494: Microsoft Edge application creation fails in Configuration Manager

Update information for Microsoft Endpoint Configuration Manager, version 2002 early update ring

This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using early update ring builds of version 2002 and that were downloaded between March 23, 2020 and May 11, 2020.

To verify which first wave build is installed, look for a package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. This update applies to first wave installations of version 2002 from packages that have the following GUIDs:


Restart information

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not replace any previously released update.

Additional installation information

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.
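
The same check run against several secondary sites in one batch, with the result mapped to the action described above. This is an added example and not part of the original article: the site codes S01 and S02 are constructed placeholders, and the only Configuration Manager object it relies on is the function named above.

```sql
-- Added example: run on the site database of the parent primary site.
-- The site codes below are constructed placeholders; replace them with
-- the codes of your own secondary sites.
DECLARE @SecondarySites TABLE (SiteCode nvarchar(3) PRIMARY KEY);

INSERT INTO @SecondarySites (SiteCode)
VALUES (N'S01'),
       (N'S02');

-- Call the function from the article once per listed site and translate
-- the documented return values (1 and 0) into the follow-up action.
SELECT s.SiteCode,
       r.UpdateStatus,
       CASE
           WHEN r.UpdateStatus = 1 THEN 'Up to date with parent primary site'
           WHEN r.UpdateStatus = 0 THEN 'Behind parent: use Recover Secondary Site'
           -- Anything else (including NULL) is not described in the article;
           -- verify the site code before acting on it.
           ELSE 'Unexpected result: verify the site code'
       END AS RecommendedAction
FROM @SecondarySites AS s
CROSS APPLY (
    SELECT dbo.fnGetSecondarySiteCMUpdateStatus(s.SiteCode) AS UpdateStatus
) AS r
ORDER BY r.UpdateStatus, s.SiteCode;
```

Sites that return 0 sort first, so the rows that need the Recover Secondary Site action appear at the top of the result set.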

File information



Updates and servicing for Configuration Manager

Learn about the terminology Microsoft uses to describe software updates.