Update Rollup for Microsoft Endpoint Configuration Manager version 2006

Applies to: Microsoft Endpoint Configuration Manager (current branch – version 2006)


This article describes issues that are fixed in this update rollup for Microsoft Endpoint Configuration Manager current branch, version 2006. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release.

For additional information on changes in Configuration Manager version 2006, refer to:

What’s new in version 2006 of Configuration Manager current branch

Summary of changes in Microsoft Endpoint Configuration Manager current branch, version 2006

Issues that are fixed

  • During client policy download, the execmgr.log repeats the following log entry multiple times every minute.
    This results in potentially valuable troubleshooting information being overwritten.
  • Client computers that are performing a PXE boot to install a new operating system are unable to find the boot WIM file. This occurs when the WIM file is stored in a content library split across multiple drives. Errors resembling the following are recorded in the SMSPXE.log file.


  • Computers are unexpectedly removed from orchestration groups. This occurs if the site has the option Use this boundary group for site assignment enabled, but the target computers are not in that boundary group.

  • Clients are unable to communicate over a custom port for a management point when other communications changes are made to the site. For example, enabling HTTPS communication for a site causes previously defined custom HTTP ports to stop working.
  • State messages from clients may not be properly recorded if the client computer restarts within 10 seconds of state message generation. This results in inconsistent or unexpected state message values, affecting the accuracy of task sequence and software deployment reporting.
  • Clients incorrectly attempt to use PKI certificates for communication, even if the option Use PKI client certificate (client authentication capability) when available is disabled on the Communication Security tab of Site Properties. When the Use PKI client certificate option is disabled, errors resembling the following are recorded in the CcmMessaging.log file on internet-facing clients.

    The Use PKI client certificate option must be enabled once this update rollup is installed for clients that rely on PKI certificates for encrypted communication, for example, internet-based clients or clients communicating with a cloud management gateway.

  • Intranet clients will not fall back to another management point (MP) if the preferred MP is also a cloud management gateway.
  • After updating to Configuration Manager current branch, version 2006, client installation using the PROVISIONTS property fails if the "Allow access to cloud distribution point" device setting is set to "No".  The client is unable to download content, and an error resembling the following is recorded in the tsagent.log file.


  • Installation of a passive site server fails if orphaned .JOB files are present in the \inboxes\schedule.box folder. A message resembling the following is repeated in the FailOverMgr.log file.


  • Adding a passive site into a Configuration Manager infrastructure with at least 1 secondary site and client language packs installed will trigger a re-installation of all secondary sites.
  • The Configuration Manager client installed on a Windows Embedded device stays in servicing mode if the maximum run time of a deployment is greater than the duration of the maintenance window.
  • Improvements are made to the download process in the case of a timeout when the Download delta content when available client setting is enabled.
  • The content download step of a task sequence may fail to download files to clients. This occurs if the BranchCache Windows feature is enabled, and the environment is using enhanced HTTP for communication with distribution points. The clients will retry the download step, but overall completion is delayed. Errors resembling the following are recorded in the smsts.log on the client.


  • Improvements are made to the synchronization and processing of policy assignments and policy data between the Microsoft Endpoint admin center and the Configuration Manager console. This prevents issues such as creating a policy in the admin center that is not visible in the on-premises console.
  • The Configuration Manager console may generate an exception resembling the following when attempting to complete the Co-management Configuration Wizard.

    This occurs after removing previously created settings.
  • Configuration Manager clients deployed to Mac computers receive duplicate GUIDs. This occurs if the same user name is provided as a parameter to the CMEnroll tool during client installation.
  • Clients may receive the incorrect policy, including scripts or settings, when multiple orchestration groups are present. Consider the following scenario:
    Client 1 is a member of orchestration group 1.
    Client 2 is a member of orchestration group 2.
    Client 1 may receive policy from orchestration group 2, causing it to run the pre- and post-scripts intended for group 2 when installing an update intended for group 1.
    Note: Any affected orchestration groups must be deleted and recreated after installing this update to correct the policy issue.
  • The setting Allow access to cloud distribution points is not configured when clients are deployed using the Autopilot service and the PROVISIONTS parameter.  This causes Install Application and Install Software Updates task sequence steps to fail.
  • Client connections to a cloud management gateway may fail when multiple clients perform full software update scans in a short amount of time. Errors resembling the following are recorded in the SMS_Cloud_ProxyConnector.log file.


  • After installing Windows updates released on October 13, 2020, Configuration Manager, version 1910, is unable to download Office 365 updates. The specific Windows update article ID varies by build; for example, KB 4579311 is the article ID for Windows 10, version 2004, and Windows Server version 2004.
    Errors resembling the following are recorded in the PatchDownloader.log on the computer downloading the content.


  • Windows 10 feature updates may fail to install on client computers using fast physical hardware. Errors resembling the following are recorded in the UpdatesHandler.log.


  • Clients may randomly fail to install an update, or series of updates, due to a timing condition when they are deployed to a software update group. Errors resembling the following are recorded in the UpdatesHandler.log.

    Messages resembling the following are recorded in the WUAHandler.log at the same time as the UpdateHandler errors.


Hotfixes that are included in this update

  • KB 4576791 Update for Microsoft Endpoint Configuration Manager version 2006, early update ring
  • KB 4580678 Tenant attach rollup for Configuration Manager current branch, version 2006
  • KB 4584759 Clients report Desktop Analytics configuration errors in Configuration Manager, version 2006

Known issues in this update

  • Automatic client enrollment during the co-management onboarding process may be delayed after upgrading clients.
    The following steps are recommended prior to installing this update rollup.
  1. Disable automatic enrollment in Configuration Manager by setting the Automatic enrollment into Intune value to None before upgrading clients to version 5.00.9012.1052.
  2. Disable automatic client upgrade on the Client Upgrade tab of Hierarchy Settings.
    The client upgrade process should be delayed until the new client, version 5.00.9012.1054, from KB 4575787 is installed in the environment.

Refer to the following article for additional detail on impacted environments and the revised client update.
KB 4575787 Co-management enrollment takes longer than expected for Configuration Manager clients

Update information for Microsoft Endpoint Configuration Manager current branch, version 2006

This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using early update ring or globally available builds of version 2006.

Members of the Configuration Manager Technology Adoption Program (TAP) must first apply the private TAP rollup before this update is displayed.

To verify which build is in use, look for a Package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The update applies to installations from packages that have the following GUIDs:

  • E150700D-0C89-4D3A-A6D9-849C155810CF
  • 68B5A14B-D9E7-4908-B076-7CB7C4453C28
  • 34900584-46D4-4C8C-BDB6-41B4EE01244F
  • 1B0D893B-AD3A-4F16-8370-66551EAC7FE6
  • A200E842-5CB5-4BD3-AB77-2999B59721AE

The update is also applicable to TAP builds with the private TAP rollup (8E35EFE6-5133-4DE5-A1BA-47B3660E8224) installed.

Restart information

You do not have to restart the computer after you apply this update.

Additional installation information

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.