Merge pull request #18946 from MicrosoftDocs/main

[AutoPublish] main to live - 10/15 10:30 PDT | 10/15 23:00 IST

Author: m365-skilling-repo-management[bot]

intune/configmgr/develop/adminservice/faq.yml

@@ -52,12 +52,12 @@ sections:
           
           - Control access to the web service with the certificate trust. If a device doesn't trust the certificate chain, a user on that device can't query the administration service.
           
-          - Add additional security layers. For example, [Azure App Proxy](/azure/active-directory/manage-apps/application-proxy).
+          - Add additional security layers. For example, [Azure App Proxy](/entra/identity/app-proxy/).
           
       - question: |
           Can I use it with Conditional Access?
         answer: |
-          Yes, and that configuration is easiest if you use [Azure App Proxy](/azure/active-directory/manage-apps/application-proxy).
+          Yes, and that configuration is easiest if you use [Azure App Proxy](/entra/identity/app-proxy/).
           
   - name: Miscellaneous
     questions:

intune/configmgr/hotfix/2409/35360093.md

@@ -0,0 +1,63 @@
+---
+title: Administration service and CMPivot security update for Microsoft Configuration Manager
+titleSuffix: Configuration Manager
+description: Administration service and CMPivot security update for Configuration Manager
+ms.date: 10/15/2025
+ms.subservice: core-infra
+ms.service: configuration-manager
+ms.topic: reference
+ms.assetid: 6749250f-28d3-4abc-90cc-0520b7b11583
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+
+# Security updates in administration service and CMPivot for Microsoft Configuration Manager
+
+*Applies to: Configuration Manager (current branch, versions 2403 and 2409)*
+
+## Summary of KB35360093
+<!-- 35360093 -->
+*Note*
+
+An update is available to resolve an elevation of privilege issue with administration service and CMPivot in Configuration Manager. 
+This same update is included with [KB32851084](../2503/32851084.md) Update rollup for Microsoft Configuration Manager version 2503.
+
+
+### Update information for Microsoft Configuration Manager current branch, versions 2403 and 2409
+
+This update is available in the Updates and Servicing node of the Configuration Manager console for version 2403 and 2409 environments with the following updates applied.
+- 2403: [KB28204160: Update rollup for Microsoft Configuration Manager version 2403](../2403/28204160.md)
+- 2409: [KB30385346: Update rollup for Microsoft Configuration Manager version 2409](../2409/30385346.md)
+
+### Restart information
+
+This update doesn't require a computer restart, but does require a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+### Additional installation information
+
+After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. This reinstallation doesn't affect configurations and settings for the secondary site. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```sql
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, all the fixes that are applied to the primary site aren't installed for the secondary site. You should use the **Recover Secondary Site** option to update the secondary site.
+
+## Version information
+The Configuration Manager site (setupcore.dll) is updated to the following versions:
+- 2403: 5.00.9128.1037
+- 2409: 5.00.9132.1031
+
+## File information
+File information is available in the following downloadable files.
+- 2403: [KB35360093_2403_FileList](https://aka.ms/KB35360093_2403_FileList)
+- 2409: [KB35360093_2409_FileList](https://aka.ms/KB35360093_2409_FileList)
+
+## Release history
+- October 15, 2025: Initial hotfix release
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)

intune/configmgr/hotfix/2503/32851084.md

@@ -0,0 +1,104 @@
+---
+title: Update rollup for Microsoft Configuration Manager version 2503
+titleSuffix: Configuration Manager
+description: Update rollup for Configuration Manager 2503
+ms.date: 10/15/2025
+ms.subservice: core-infra
+ms.service: configuration-manager
+ms.topic: reference
+ms.assetid: 8e0d46ff-66f1-4cd4-9810-acc48881c17a
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+
+# Update rollup for Microsoft Configuration Manager version 2503
+
+*Applies to: Configuration Manager (current branch, version 2503)*
+
+## Summary of KB32851084
+This article describes issues that are fixed in the update rollup for Microsoft Configuration Manager current branch, version 2503. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release.
+
+For more information on changes in Configuration Manager version 2503, see:
+
+- [What’s new in version 2503 of Configuration Manager current branch](../../core/plan-design/changes/whats-new-in-version-2503.md)
+- [Summary of changes in Microsoft Configuration Manager current branch, version 2503](../2503/31909343.md)
+
+## Issues that are fixed
+<!-- 34731174 -->
+- Microsoft Defender registry keys for the *cloud protection level* and *cloud block timeout* period and are incorrectly removed on co-managed devices.
+
+<!-- 34730905 -->
+- The *Check compliance* button returns an error after installing KB 33177653. The error happens in environments where the Cloud Management Azure Service was previously deleted.
+
+<!-- 34870652 -->
+- The Microsoft Web Deploy program is updated on cloud management gateway virtual machines from version 3.6 to 4.0.
+
+<!-- 34870625 -->
+- Windows Server 2025 updates use the incorrect *Maximum run time* value in the properties for the software update component. The value can lead to update installations being incorrectly canceled.
+
+<!-- 32851851 -->
+- The Configuration Manager client is updated to ensure Windows Update scan source policies are set correctly.
+
+<!-- 32525794 -->
+- Microsoft Defender policies created in the Intune Portal are incorrectly removed from Windows Servers. 
+
+<!-- 33141709 -->
+- The SMS Executive Service (smsexec.exe) can terminate unexpectedly when evaluating orchestration groups.
+
+<!-- 33899387 -->
+- The count of devices in the *Requirements Not Met* section of deployment status reporting can be incorrect.
+
+<!-- 33899391, 33899393, 33899395 -->
+- Deployment status reporting and summarization are updated to more accurately reflect the correct count of success or error conditions.
+
+## Hotfixes that are included in this update
+
+- [KB 33177653](../2503/33177653.md): Azure for US Government update for Configuration Manager 2403, 2409, 2503
+- [KB 34503790](../2503/34503790.md): Revised security update for Microsoft Configuration Manager
+- [KB 35360093](../2409/35360093.md): CMG security update for Microsoft Configuration Manager
+
+## Update information for Microsoft Configuration Manager current branch, version 2503
+
+This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using the globally available build of version 2503.
+
+<!-- Members of the Configuration Manager Technology Adoption Program (TAP) must first apply the private TAP rollup before this update is displayed. -->
+
+### Restart information
+
+This update doesn't require a computer restart but will initiate a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+### Additional installation information
+
+After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. The reinstallation doesn't affect configurations and settings for the secondary site. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+
+```sql
+select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+```
+
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, all the fixes that are applied to the primary site aren't installed for the secondary site. You should use the **Recover Secondary Site** option to update the secondary site.
+
+## Version information
+
+The following major components are updated to the versions specified:
+
+| Component | Version |
+|---|---|
+| Configuration Manager console | 5.2503.1083.1500 |
+| Client | 5.0.9135.1013 |
+
+## File information
+
+File information for the release is available in the downloadable [KB32851084_FileList.txt](https://aka.ms/KB32851084_FileList) text file.
+
+## Release history
+
+- September 30, 2025: Initial hotfix release
+
+## References
+
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)

intune/configmgr/hotfix/2503/33177653.md

@@ -21,9 +21,6 @@ manager: dougeby
 An update is available to resolve the following issue for Configuration Manager customers using the Azure for US Government cloud environment.
 - Co-managed devices in Azure for US Government (Fairfax) fail to correctly retrieve compliance status from Microsoft Intune. This causes them to be marked as noncompliant when checking via Software Center.
 
-<!-- 31986267 -->
-- The vulnerability described in [CVE-2025-47178](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47178) is resolved. Customers can confirm the vulnerability is patched by checking the version of smsprov.dll. A file version of 5.0.9135.1002 or higher indicates the issue is resolved.
-
 
 ### Update information for Microsoft Configuration Manager current branch
 

intune/configmgr/hotfix/2503/34503790.md

@@ -19,6 +19,10 @@ manager: dougeby
 ## Summary of KB34503790
 <!-- 34503790 -->
 A revised update is available to resolve the vulnerability described in [CVE-2025-47178](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47178). The revision also improves the security of discovery data records (DDR) processing. CVE-2025-47178 was originally resolved in the globally available release of Configuration Manager version 2503, and in KB 33926600 for versions 2403 and 2409.
+The following vulnerabilities are also resolved with this update:
+- [CVE-2025-55320](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-55320)
+- [CVE-2025-59213](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59213)
+
 
 KB 34503790 supersedes prior releases of the fix.
 Configuration Manager versions 2403 and 2409 display this update under KB 34503768.

intune/configmgr/hotfix/TOC.yml

@@ -11,6 +11,9 @@ items:
     href: 2503/33177653.md
   - name: KB 34503790 Revised security update for Microsoft Configuration Manager
     href: 2503/34503790.md
+  - name: KB 32851084 Update rollup for version 2503
+    href: 2503/32851084.md
+
 - name: Version 2409
   items:
   - name: KB 30195272 Summary of changes in 2409
@@ -25,6 +28,8 @@ items:
     href: 2409/33926600.md
   - name: KB 34503790 Revised security update for Microsoft Configuration Manager
     href: 2503/34503790.md
+  - name: KB 35360093 Administration service and CMPivot security update for Microsoft Configuration Manager
+    href: 2409/35360093.md
 - name: Version 2403
   items:
   - name: KB 26186448 Summary of changes in 2403
@@ -41,6 +46,8 @@ items:
     href: 2409/33926600.md
   - name: KB 34503790 Revised security update for Microsoft Configuration Manager
     href: 2503/34503790.md
+  - name: KB 35360093 Administration service and CMPivot security update for Microsoft Configuration Manager
+    href: 2409/35360093.md
 - name: Version 2309
   items:
   - name: KB 24341484 Summary of changes in 2309

intune/configmgr/hotfix/index.yml

@@ -29,6 +29,8 @@ landingContent:
             url: 2503/33177653.md
           - text: KB 34503790 Revised security update for Microsoft Configuration Manager
             url: 2503/34503790.md
+          - text: KB 32851084 Update rollup for Microsoft Configuration Manager version 2503
+            url: 2503/32851084.md
   - title: Configuration Manager 2409
     linkLists:
       - linkListType: overview
@@ -45,6 +47,8 @@ landingContent:
             url: 2409/33926600.md
           - text: KB 34503790 Revised security update for Microsoft Configuration Manager
             url: 2503/34503790.md
+          - text: KB 35360093 Administration service and CMPivot security update for Microsoft Configuration Manager
+            url: 2409/35360093.md
   - title: Configuration Manager 2403
     linkLists:
       - linkListType: overview
@@ -63,6 +67,8 @@ landingContent:
             url: 2409/33926600.md
           - text: KB 34503790 Revised security update for Microsoft Configuration Manager
             url: 2503/34503790.md
+          - text: KB 35360093 Administration service and CMPivot security update for Microsoft Configuration Manager
+            url: 2409/35360093.md
   - title: Configuration Manager 2309
     linkLists:
       - linkListType: overview

intune/configmgr/protect/deploy-use/introduction-to-certificate-profiles.md

@@ -59,7 +59,7 @@ There are three types of certificate profiles:
 
 ## Requirements
 
-To deploy certificate profiles that use SCEP, install the certificate registration point on a site system server. Also install a policy module for NDES, the Configuration Manager Policy Module, on a server that runs Windows Server 2012 R2 or later. This server requires the Active Directory Certificate Services role. It also requires a working NDES that's accessible to the devices that require the certificates. If your devices need to enroll for certificates from the internet, then your NDES server must be accessible from the internet. For example, to safely enable traffic to the NDES server from the internet, you can use [Azure Application Proxy](/azure/active-directory/manage-apps/application-proxy).
+To deploy certificate profiles that use SCEP, install the certificate registration point on a site system server. Also install a policy module for NDES, the Configuration Manager Policy Module, on a server that runs Windows Server 2012 R2 or later. This server requires the Active Directory Certificate Services role. It also requires a working NDES that's accessible to the devices that require the certificates. If your devices need to enroll for certificates from the internet, then your NDES server must be accessible from the internet. For example, to safely enable traffic to the NDES server from the internet, you can use [Azure Application Proxy](/entra/identity/app-proxy/).
 
 PFX certificates also require a certificate registration point. Also specify the certificate authority (CA) for the certificate and the relevant access credentials. You can specify either Microsoft or Entrust as certificate authorities.
 

intune/index.yml

@@ -228,7 +228,7 @@ additionalContent:
           url: /azure/active-directory/
         # Card
         - title: Windows client docs for IT Pros
-          summary: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11.
+          summary: Evaluate, plan, deploy, secure, and manage devices running Windows.
           url: /windows/resources/
         # Card
         - title: Windows 365 docs

intune/intune-service/apps/manage-microsoft-edge.md

@@ -662,7 +662,7 @@ You can use Microsoft Edge for iOS and Android and [Microsoft Entra application
 Before you start:
 
 - Set up your internal applications through Microsoft Entra application proxy.
-  - To configure Application Proxy and publish applications, see the [setup documentation](/azure/active-directory/manage-apps/application-proxy).
+  - To configure Application Proxy and publish applications, see the [setup documentation](/entra/identity/app-proxy/).
   - Ensure that the user is assigned to the Microsoft Entra application proxy app, even if the app is configured with Passthrough preauthentication type.
 - The Microsoft Edge for iOS and Android app must have an [Intune app protection policy](app-protection-policy.md) assigned.
 - Microsoft apps must have an app protection policy that has **Restrict web content transfer with other apps** data transfer setting set to **Microsoft Edge**.