ConfigMgr 2509 Hotfix Rollup (KB36949461) – Installation Guide + What Actually Matters

Microsoft has released the ConfigMgr 2509 Hotfix Rollup (KB36949461), and if you’re running 2509 in production, you’ll want to take a look at it.

In this post, I’ll walk through:

  • What this hotfix actually fixes
  • How to install it step-by-step
  • What to watch out for

What is KB36949461?

KB36949461 is a hotfix rollup for ConfigMgr 2509.

It:

  • Brings your environment to a more stable baseline
  • Rolls up multiple earlier fixes
  • Adds additional updates

What It Actually Fixes

The important ones:

  • App install failures tied to OS requirements
  • Co-management / update scan issues
  • ARM64 client install/upgrade failures (0x80070643)
  • Compliance inconsistencies
  • Task sequence restart issues (notably on newer Windows builds)
  • Security hardening for Network Access Account (NAA)

If your environment is co-managed or you’re doing modern deployments, this hotfix rollup matters more.


Should You Install It?

Short answer: Yes

This is a hotfix rollup that includes several hotfixes.

You should install it because it includes:

  • Co-management and update scan fixes
  • Software Center compliance issue fixes
  • Security hardening for Network Access Account (NAA)
  • Client and feedback-related improvements

Included Hotfixes

KB36949461 includes the following updates:

  • KB36419072 – Offline feedback update
  • KB36495448 – Co-management and 3rd party update scan source fix for Configuration Manager
  • KB37172183 – Software Center compliance check fails with GET_TOKEN_FROM_STS_ERROR in co-managed environments
  • KB37447175 – Security update to harden access to Network Access Account (NAA) information

If you skipped earlier hotfixes, this rollup brings you fully up to date in one install.


Install Steps

Go to:

Administration → Updates and Servicing

  1. Back up the ConfigMgr Database
  2. Take a snapshot if the Primary Site Server is a VM
  3. Locate KB36949461
  4. Right-click the hotfix rollup and choose Download
  5. Wait for the hotfix rollup to download (the status will change to “Ready to install”)
  6. Run Prerequisite Check
  7. Fix any issues the prerequisite checker found
  8. Install Update Pack
  9. Monitor CMUpdate.log for successful installation
  10. Reboot the server
  11. Upgrade clients

This Is the Part People Miss

  • Secondary sites are NOT automatic
    → You must update them manually (Administration > Site Configuration > Sites > Recover Secondary Site)
  • Client updates matter
    → Skipping this = inconsistent behavior later
  • Console upgrade may be required
  • Older hotfixes disappear after install
    → Expected behavior (this is a rollup)

Client Version

After install:

  • Client updates to 5.0.9141.1030

Verify

  • Monitoring → Updates and Servicing → KB36949461 → Installed
  • Check component status (all green)
  • Test something real (app deploy, TS, policy)
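
To confirm the client upgrade step actually landed, the following added example (not part of the original post or Microsoft's documentation) classifies a device inventory against the 5.0.9141.1030 client version given above. The function name, the Name/ClientVersion input shape and the sample devices are assumptions constructed for illustration.

```powershell
# Added example: flag ConfigMgr clients still below the post-rollup version.
$TargetVersion = [version]'5.0.9141.1030'   # client version stated on this page

function Get-ClientRollupStatus {
    [CmdletBinding()]
    param(
        # Any object exposing Name and ClientVersion properties (assumed input shape)
        [Parameter(Mandatory, ValueFromPipeline)]
        $Device
    )
    process {
        $parsed = $null
        $raw    = [string]$Device.ClientVersion
        # Compare as [version], not as strings: '5.0.9141.999' sorts after
        # '5.0.9141.1030' in a string comparison but is the older build.
        $status = if ([string]::IsNullOrWhiteSpace($raw)) { 'NoClient' }
                  elseif (-not [version]::TryParse($raw, [ref]$parsed)) { 'Unparseable' }
                  elseif ($parsed -lt $TargetVersion) { 'NeedsUpgrade' }
                  else { 'Current' }

        [pscustomobject]@{
            Name          = $Device.Name
            ClientVersion = $raw
            Status        = $status
        }
    }
}

# Constructed sample inventory; only the target version comes from the page.
$sample = @(
    [pscustomobject]@{ Name = 'PC-01'; ClientVersion = '5.0.9141.1030' }
    [pscustomobject]@{ Name = 'PC-02'; ClientVersion = '5.0.9141.999'  }
    [pscustomobject]@{ Name = 'PC-03'; ClientVersion = ''              }
    [pscustomobject]@{ Name = 'PC-04'; ClientVersion = 'n/a'           }
)

$report = $sample | Get-ClientRollupStatus
$report | Format-Table -AutoSize | Out-Host

# Per-status counts so stragglers are visible at a glance
$report | Group-Object Status | Select-Object Name, Count | Out-Host

# On a single client, the installed version can be read locally with:
#   (Get-CimInstance -Namespace root\ccm -ClassName SMS_Client).ClientVersion
```

Replace `$sample` with a real inventory export that carries the same two properties; anything reported as NeedsUpgrade has not yet picked up the rollup's client.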

Final Thoughts

This is a stabilization rollup, not a feature update.

  • Not urgent
  • Not flashy
  • Still worth installing

Links

For official details, see:

https://learn.microsoft.com/en-us/intune/configmgr/hotfix/2509/36949461

https://learn.microsoft.com/mem/configmgr/core/servers/manage/updates