Early update ring available for Configuration Manager version 2002 (KB4553501)

Microsoft released the first early update ring (hotfix) for Microsoft Endpoint Configuration Manager current branch version 2002. It is available and applicable to those who downloaded and installed build 2002 via the fast ring (opt-in) method between March 23, 2020, and May 11, 2020.

If you downloaded build version 2002 from the console on or after May 11, 2020, you will not see this update in the console. If you don't see it, you are already covered by all the fixes in this update.


You can also check whether you are eligible for this early update ring by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The following package GUIDs will receive this early update ring.


I updated my Configuration Manager site to 2002 in one of my labs yesterday; it has the following Package GUID, which is not in the above list. So I am covered with the fixes.


Once you install the update on the primary site, you must manually update the secondary sites by clicking the secondary site and then clicking Recover Secondary Site.

To verify if your primary and secondary sites are running the same build, add a build number column, and check the versions.

You can also use the following SQL query to check whether a secondary site is up to date.

If the value 1 is returned, the site is up-to-date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
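
The query above checks one secondary site at a time. As an added example (not part of the original post or Microsoft's KB article), the following T-SQL runs the same function for every secondary site and shows each site's build number next to its parent's. It assumes the standard v_Site view, with Type = 1 marking secondary sites, and that it is run against the primary site database.

```sql
-- Added example: report hotfix status for every secondary site in one pass.
-- Assumptions (not from the article): the v_Site view and its columns
-- SiteCode, ReportingSiteCode, BuildNumber and Type, where Type = 1
-- identifies a secondary site. Run against the primary site database.
SELECT
    sec.SiteCode           AS SecondarySite,
    sec.ReportingSiteCode  AS ParentPrimary,
    sec.BuildNumber        AS SecondaryBuild,
    pri.BuildNumber        AS PrimaryBuild,
    -- 1 = all parent hotfixes applied, 0 = secondary site is behind
    dbo.fnGetSecondarySiteCMUpdateStatus(sec.SiteCode) AS UpToDate,
    CASE dbo.fnGetSecondarySiteCMUpdateStatus(sec.SiteCode)
        WHEN 1 THEN 'No action'
        WHEN 0 THEN 'Run Recover Secondary Site'
        ELSE 'Unknown: verify the site code and site status'
    END                    AS RecommendedAction
FROM dbo.v_Site AS sec
LEFT JOIN dbo.v_Site AS pri
       ON pri.SiteCode = sec.ReportingSiteCode
WHERE sec.Type = 1                 -- secondary sites only
ORDER BY UpToDate, sec.SiteCode;   -- sites needing recovery sort first
```

Rows with UpToDate = 0 are the secondary sites that still need the Recover Secondary Site action described above.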

This first early update ring addresses important, late-breaking issues that were resolved after version 2002 became available globally (slow-ring).

Issues that are fixed:

  • A Central Administration Site (CAS) may be placed in maintenance mode if the site database contains BitLocker management data and one of the following scenarios is true.
    1. If the or data link between a primary site and CAS is unavailable, and data is backed up for 5 days.
    2. If the site goes through the data reinitialization (reinit) process.
    3. If the CAS is recovered.
  • Microsoft Advanced Threat Protection (ATP) policy deployment status shows as “Unknown” when deployed from the Microsoft Endpoint Management admin center.
  • The SMS Agent Host process (CCMExec.exe) may cause high CPU and memory utilization when the computer is not a member of an orchestration group. The MaintenanceCoordinator.log will show the entry “Orchestration lock is required.”.
  • The download of third-party updates for internet clients will fail if only a cloud distribution point is available unless the user triggers the installation via Software Center.
  • A computer restart initiated from Software Center on a client will fail if a Windows Servicing Stack Update (SSU) was installed with other updates.
  • If both a Servicing Stack Update (SSU) and Latest Cumulative Update (LCU) are deployed together and past due, the SSU is not installed first.
  • Clients in boundary groups with limited network speed or BITS throttling ignore the “Prefer cloud based sources over on-premise sources” setting.
  • The Desktop Analytics dashboard may show stale data up to 12 hours out of date if duplicate devices are in the environment.
  • Site installation fails when the database is installed on a clustered instance of SQL on a Windows Server 2012 R2 server.
  • Administrators cannot run CMPivot scripts without having default scope access.
  • The Azure_CloudService table has inconsistent data after onboarding, offboarding, then onboarding co-management.
  • A client only retries a failed management point connection one time until the client is restarted, leading to delays in policy retrieval.
  • Windows Feature Updates that installed successfully may still appear in Software Center as pending installation after the client computer restarts.
  • The link to the Microsoft Intune Device Explorer for a specific device in the Configuration Manager console does not load correctly.
  • A site administrator with rights to read Devices and Boundary Groups is unable to query the same data using the administration service.
  • Administrators receive an “Insufficient user permissions” error in the Microsoft Endpoint Manager admin center when their on-premises permissions are granted via Active Directory group membership.
  • The Workspace Key and Workspace ID fields are now optional in the Create Microsoft Defender ATP Policy Wizard.
  • Application content fails to download from a cloud distribution point when BranchCache is enabled and there are multiple files to be downloaded.
  • The “Prefer cloud based sources over on-premise sources” boundary group setting is not used for Microsoft Office 365 update content downloads.
  • The tenant attach process fails if the SMS Provider is installed remotely from the site database server.
  • After client upgrade the PolicyAgent.log may be flooded with duplicate log entries, overwriting information valuable to troubleshooting. The entries resemble the following.

Policy instance for 'SMS:Client:Default:{guid}' with unknown policy source 'SMS:Client:Default:{guid}'. Ignoring it.

  • The administration service is unavailable if the service connection point is installed remotely from the site server.
  • The Windows PowerShell Integrated Scripting Environment (ISE) generates a “Failed to refresh” error when loading the cmdlet library and refreshing the list of available cmdlets.
  • Upgrade of the Configuration Manager client fails on Windows 10 clients with error code 80070020 when using the “Auto upgrade” and “Auto upgrade(Pre-production collection)”.
  • Error handling for the administration service is improved.
  • Installation of dynamic packages via the Install Package task in a Task Sequence fails with error 0x87d02004. This occurs if the “Allow this program to be installed from the Install Package task sequence without being deployed” option is selected in the program for the package.
  • Desktop analytics deployment plans in large environments may not display correctly in the Configuration Manager console due to a SQL timeout.
  • If the site database and data warehouse database are on different computers, and the data warehouse service point is on a different computer from the data warehouse database, the synchronization process may fail. Errors resembling the following are recorded in the Microsoft.ConfigMgrDataWarehouse.log file.

Process encountered an unexpected error
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

Additional hotfixes contained in this update

KB 4561494: Microsoft Edge application creation fails in Configuration Manager

