Tenant attach rollup for Configuration Manager current branch, version 2006

Applies to: Microsoft Endpoint Configuration Manager (current branch – version 2006)


An in-console update that enables the Run scripts feature from the Microsoft Endpoint Manager admin center is available to customers who have completed the tenant attach process. This update also resolves other tenant attach related issues, and is a prerequisite to use the Run scripts feature from the admin center.

Issues that are fixed

  • Features, such as Scripts, in the admin center do not appear for users that are assigned to all security scopes but are not full administrators.

  • Internet-based links to approve or deny user application requests via email fail in Microsoft Endpoint Configuration Manager current branch, version 2006. This occurs for internet-based clients managed with a cloud management gateway (CMG).
    The administrator will receive an HTTP Error 400 when clicking the email link. Note that requests can still be approved using the Configuration Manager console, or other channels such as WMI that rely on the Configuration Manager administration service.

  • The online status listed for devices on the internet connecting via a cloud management gateway (CMG) in the Configuration Manager console may be incorrect. This occurs when the CMG connection point is co-located with the service connection point, and the management point is co-located with the SMS provider.

Update information for Microsoft Endpoint Configuration Manager, version 2006

This update is available in the Updates and Servicing node of the Configuration Manager console for environments that completed the tenant attach process, and were installed by using early update ring or globally available builds of version 2006.
Customers in the Technology Adoption Program (TAP) must have the private TAP rollup installed before this update will appear.
The following update is required for customers that installed an early update ring build of Configuration Manager, version 2006.

KB 4576791: Update for Microsoft Endpoint Configuration Manager version 2006, early update ring

Restart information

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not replace any previously released updates.

Additional installation information

After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.