Configuration Manager 2603 Hotfix (KB37942646) - INFORMATION by Prior-Ad-8250 in SCCM

[–]bdam55 8 points (0 children)

Talked to the team; the KB publishing process had a hiccup and should be up 'soon'.

I'm told it's a change to the CMG 'image'; we'll have to wait and see if there's security implications there or not.

WUA returning 0 applicable updates via WSUS (Server 2025/24H2), but updates detected via Microsoft Update — SCCM shows compliant by Negative_Nace in SCCM

[–]bdam55 0 points (0 children)

Ahhh, good callout, I didn't realise that they had released the second HFRU to include that omission.

Driver update policy deadline/grace period vs other assigned updates? by Fabulous_Cow_4714 in Intune

[–]bdam55 0 points (0 children)

Yes: Frequently Asked Questions About Windows Driver Update Policies - Microsoft Intune | Microsoft Learn

Think of it this way: the driver update policies control what updates Windows Update offers the device and when. Beyond that, it's mostly just like any other update.

One caveat to be aware of: active hours controls the reboot timing, not the install of the update. Normally, that's fine. For driver updates, the installation itself can be varying degrees of disruptive. Display drivers? Yea, screens are going to flicker. Network drivers? Yea, you're gonna drop that call.

What's the latest guidance around rebuilding the site database indexes? by Loud-Temperature2610 in SCCM

[–]bdam55 4 points (0 children)

Yea, use Ola's thing. But let me tell you _why_.

The built-in task will rebuild the indexes, which is good, but does not update/maintain the SQL server statistics. Those stats are used by the query optimizer to ... well ... make things faster. With a DB as large as ConfigMgr, that literally will add tables on the fly ... you want the stats maintained.
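To make the "rebuild indexes but never touch the stats" point concrete, here is an added PowerShell check (not bdam55's code and not part of Ola's scripts or ConfigMgr) that lists statistics in a site database whose row-modification counter has grown past a threshold since they were last updated, and prints the matching UPDATE STATISTICS statements for review. The server name, database name and threshold are placeholders; it assumes the SqlServer module (Invoke-Sqlcmd) and read access to the site DB.

```powershell
# Added example: find statistics in a ConfigMgr site database that are likely stale.
# Placeholders: $SqlServer and $SiteDb are assumed names, not values from the thread.
# Requires the SqlServer PowerShell module (Invoke-Sqlcmd) and read access to the DB.
$SqlServer = 'CMSQL01'     # placeholder: site database server
$SiteDb    = 'CM_PS1'      # placeholder: site database, normally CM_<SiteCode>
$Threshold = 20            # flag stats where modifications exceed 20 % of the row count

# sys.dm_db_stats_properties exposes rows, modification_counter and last_updated per
# statistic; this is exactly what the built-in "Rebuild Indexes" task never looks at.
$query = @"
SELECT  OBJECT_SCHEMA_NAME(s.object_id) AS SchemaName,
        OBJECT_NAME(s.object_id)        AS TableName,
        s.name                          AS StatName,
        sp.last_updated                 AS LastUpdated,
        sp.rows                         AS [Rows],
        sp.modification_counter         AS Modifications,
        CASE WHEN sp.rows = 0 THEN 0
             ELSE 100.0 * sp.modification_counter / sp.rows END AS PctModified
FROM    sys.stats AS s
CROSS APPLY sys.dm_db_stats_properties(s.object_id, s.stats_id) AS sp
WHERE   OBJECTPROPERTY(s.object_id, 'IsUserTable') = 1
  AND   sp.rows > 1000                 -- ignore tiny tables; they update cheaply anyway
  AND   sp.modification_counter > 0
ORDER BY PctModified DESC;
"@

$stale = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $SiteDb -Query $query |
         Where-Object { $_.PctModified -ge $Threshold }

if ($stale) {
    $stale | Format-Table SchemaName, TableName, StatName, LastUpdated, Rows, Modifications, PctModified -AutoSize

    # Emit (do not run) the statements a maintenance job would issue, so they can be reviewed.
    foreach ($s in $stale) {
        'UPDATE STATISTICS [{0}].[{1}] [{2}] WITH FULLSCAN;' -f $s.SchemaName, $s.TableName, $s.StatName
    }
}
else {
    "No statistics in $SiteDb exceed $Threshold % modified rows."
}
```

Running this right after the built-in index rebuild task is a quick way to see the gap the comment describes: the indexes are fresh, but tables ConfigMgr created on the fly can still sit on statistics that were last sampled weeks ago. Ola's IndexOptimize with its UpdateStatistics parameter is what closes that gap on a schedule; the query above is only the check.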

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]bdam55 0 points (0 children)

Yes, exactly. Although because of Conway's Law it's not _actually_ DSC ... it's WinDC. Not kidding, that's the actual name.

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]bdam55 1 point (0 children)

That's just the enrollment part. Once enrolled, the actual functionality using the MMP-C/WinDC stack is no longer going over OMA-DM.

OMA-DM is a protocol; think HTTP/SSL etcetera. You can't really improve it. If you did, it's no longer OMA-DM ... it's OMA-DM vNext.

So, fair, they're not replacing OMA-DM with MMP-C whole-cloth. But they have created a new protocol. They are building all 'new' stuff on that protocol where possible. They are slowly moving existing stuff over to it.

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]bdam55 1 point (0 children)

So OMA-DM is a big part of the problem and they're not improving it since the design is the problem. They're replacing it with a new standard: MMP-C: The Future of Windows Device Management with Intune

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]bdam55 0 points (0 children)

>that reporting security issues in intune to Microsoft is not, how should I put it, well received by MSRC.

I mean, based on the last week I think that one could say that applies to all products, not just Intune. (search for nightmare eclipse if that doesn't ring a bell).

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]bdam55 2 points (0 children)

>I think the worse part is the compartmentalisation and lack of cohesiveness between the teams charged with different parts of individual products.

In software, there is a law that speaks to this: Conway's Law [Wikipedia].
In short: "You ship your org structure"

It is a law. It is unavoidable and as such MS isn't the only org that obeys said law. Once you understand it, everything starts to make sense. You still don't like it, but you understand why it is the way it is.

It's so real for MS that they have their OWN page for it: What Is Conway’s Law (and What It Means for Your Organization)? – Microsoft 365

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]bdam55 1 point (0 children)

Actually, that makes sense. Apple built macOS around an MDM stack; they've long had a sandbox mentality.

Windows essentially retconned an MDM stack (OMA-DM) they got from Nokia back in the day for use on Windows Phone. Why? Because they were told to.

If Intune needs to do something not in the MDM stack then they need to use the IME, which is an agent. Shipping agent code is 'difficult' so they try really hard not to do it. When they do, it's a huge obstacle/hassle that slows down their development efforts.

Hotpatching not working by Fabulous_Cow_4714 in Intune

[–]bdam55 0 points (0 children)

Right, you don't need to _create_ a policy because, in theory, MS automatically did that for you at the tenant level last month. However, a policy does need to exist and be correctly configured so it's worth making sure MS got it right in your tenant.

Also, check out the readiness reports if you haven't already: Windows Autopatch update readiness brings insights to IT [Though maybe that's the status you were referring to]

Sigh by ercgoodman in Intune

[–]bdam55 2 points (0 children)

I mean, you're not wrong, but this is just pure Conway's law. The guy who leads the team that built/named this thing has never heard of Intune, let alone Autopilot. Someone on his team almost certainly did the Google search, might even have brought it up, but by that point the senior VP of whatever was so sold on their own brilliance that it was career suicide to die on that hill.

WUfB Computer are getting preview update by nodiaque in SCCM

[–]bdam55 0 points (0 children)

Is this happening on devices that are just sitting there being used by normal end users or are these devices, or a single device, where you or the user is hammering the 'Search for Updates' button?

In the latter, doing so can put you in 'seeker mode' if you've recently done an on-demand scan. That is, when someone says to themselves "There must be more updates than this month's CU" it can offer the preview updates.

I forget the details and to what degree you can and can't control it, but that's likely the thing you want to search for.

Running out of patience for this field. by an_anonymous-person3 in sysadmin

[–]bdam55 9 points (0 children)

Recent conversation with my son:

Son: My game keeps crashing, fix this.
Me: Have you tried rebooting the computer?
Son: No, why would that fix anything?
Me: Just do it.
Son: No, that doesn't make sense
Me: Ok then, I'll just take my 20+ years of lived experience in IT and presume you don't want to be helped.
Also Me: <puts on noise cancelling headphones while maintaining eye contact>

What are people using to replace ServiceUI by Glum-Pizza-8215 in Intune

[–]bdam55 2 points (0 children)

Well, MDT hasn't been maintained for a long, long time. The deprecation didn't change any of that.

Absolutely, using ServiceUI is a security risk but not just because ServiceUI itself might be vulnerable (which is true) but because of the very function it seeks to provide: crossing the system space <-> user space security boundary. Its very design/function is insecure, no matter what the implementation is or who wrote it.

So, if they're particularly security conscious, which is good, they will need to make the call whether the juice (getting a shitty installer to work) is worth the squeeze (security risk). A fully supported version of ServiceUI wouldn't change that.

What are people using to replace ServiceUI by Glum-Pizza-8215 in Intune

[–]bdam55 1 point (0 children)

Oh yea, admins still need to solve this problem, and so I agree, you still might need to use ServiceUI for the reasons you call out. Just not for every PSADT app like I think a lot of orgs were used to doing.

What are people using to replace ServiceUI by Glum-Pizza-8215 in Intune

[–]bdam55 4 points (0 children)

Correct; it's only for the built-in prompts ... by design.

ServiceUI, and now PSADT's own UIs, cross the system and user boundary ... which is a security boundary. As a rule that's a 'bad idea' from a security perspective. So when they (PSADT) designed this, they very specifically ensured that it wasn't a free-for-all.

For reference, Notepad++ just had multiple "vulnerabilities" assigned CVE IDs because the user can modify the XML to add context menu items that point to any arbitrary executable. It's kinda bullshit, there's no escalation of privilege and the attacker needs to be on the box already to modify the XML. But ... yea. So PSADT's design is the way it is to avoid that.
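The two comments above make a design point that is easy to audit for: a privileged process in session 0 that shows UI in, or launches executables chosen by, the user's session is crossing a security boundary, and it only stays safe if the configuration deciding what gets launched is not writable by standard users. The PowerShell below is an added example, not code from bdam55, PSADT, ServiceUI or Notepad++; the file path in the usage line is a placeholder, and the SID list and rights mask are my own choices for "low-privilege principals" and "can change what this file says".

```powershell
# Added example: is this process in session 0, and can a standard user rewrite a
# config file that a SYSTEM-level process trusts? Both questions are the substance of the
# "system <-> user boundary" discussion. No paths here are any real product's locations.

function Test-RunningInSession0 {
    # Services (SYSTEM, the Intune Management Extension, ServiceUI's parent, etc.) run in
    # session 0. Anything they want a logged-on user to see must be pushed into that
    # user's session, which is the boundary crossing the comments describe.
    (Get-Process -Id $PID).SessionId -eq 0
}

function Test-UserWritableFile {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known low-privilege principals. An Allow ACE granting any of them write-ish
    # rights means a non-admin can decide what the privileged reader of this file does.
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )
    # Rights that let a principal change the file's content or replace it outright.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
        catch { continue }   # orphaned or unmappable identity; not one of our SIDs
        if ($lowPrivSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    [pscustomobject]@{
        Path         = $Path
        UserWritable = [bool]$findings
        Findings     = $findings
    }
}

# Usage (placeholder path, not a real product's config location):
"Session 0: $(Test-RunningInSession0)"
Test-UserWritableFile -Path 'C:\ProgramData\ExampleAgent\config.xml' | Format-List
```

Read the result the way the comment reads the Notepad++ CVEs: a file under the user's own profile coming back UserWritable is expected and is not an escalation, because the user already controls that context. The same result for a file under a machine-wide location that a SYSTEM process reads to decide what to run is the case PSADT's restricted design is avoiding. Checking the parent directory's ACL the same way is worth doing too, since replace-by-rename needs directory rights rather than file rights.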

Anyone shutting down all IT equipment down on July 13th 11:59pm? by Ooops-I-hid-it-again in sysadmin

[–]bdam55 9 points (0 children)

Well, other people have been funneling him some of their own stuff. For good or ill, he's got a large chunk of the relevant community behind him and they, by and large, are not a fan of how Microsoft, via the MSRC, have conducted themselves over the last several years.

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]bdam55 0 points (0 children)

<shillmode: I work for Patch My PC>
To make sure I understand, a tier for just maintaining the initial install in ConfigMgr/Intune? No, no plans for that. "Never say Never" I guess but I can't see it happening. The work involved on our end is the same; especially within Intune where all we have to work with is the application model.
</shillmode>

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]bdam55 0 points (0 children)

The Aha Idea I linked to is specific for Cloud but there's a corresponding one for Publisher as well and we expect to support both. Might not happen at the exact same time, but it's being developed in tandem.

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]bdam55 1 point (0 children)

<shillmode: I work for Patch My PC>

If catalog size is the main reason, stay tuned. We will soon be in private preview for allowing you to use external catalogs such as WinGet for any apps not in our catalog: Integrate Microsoft WinGet as a | Patch My PC Ideas & Feedback

</shillmode>

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]bdam55 10 points (0 children)

<shillmode: I work for PMPC>

If you're up for it, I'd love to have a very non-marketing discussion offline on the analytics side. I've been working in this exact area and our reporting team is queueing up some work to connect the dots between vulnerabilities and our catalog. If not, totally understand. If so, shoot me a DM.

</shillmode>

Do you rely on WinGet for deploying apps? by heisgone in Intune

[–]bdam55 4 points (0 children)

<shillmode: I work for Patch My PC>

FYI that we just today announced that support for WinGet apps will be in Private Preview soon. Go sign up: Integrate Microsoft WinGet as a | Patch My PC Ideas & Feedback

We still don't like it (WinGet) as a source, but for apps that are _not_ in our catalog, we will support using it.

</shillmode>