Merged
Expand Up @@ -59,9 +59,9 @@ For more information, see the following articles:

### Supported server OS versions

- **Windows Server 2025**: IoT, Standard, Datacenter (_starting in Configuration Manager version 2409_)<!-- 10200029 -->
- **Windows Server 2025**: IoT, Standard, Datacenter, Datacenter: Azure Edition (_starting in Configuration Manager version 2409_)<!-- 10200029 -->

- **Windows Server 2022**: IoT, Standard, Datacenter (_starting in Configuration Manager version 2107_)<!-- 10200029 -->
- **Windows Server 2022**: IoT, Standard, Datacenter, Datacenter: Azure Edition (_starting in Configuration Manager version 2107_)<!-- 10200029 -->
- *Windows Server IoT 2022 for Storage* is not supported

- **Windows Server 2019**: IoT, Standard, Datacenter
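Review bot: On the Windows Server 2025 and Windows Server 2022 bullets, adding "Datacenter: Azure Edition" inside the existing edition list places it under the same "starting in Configuration Manager version 2409" and "version 2107" qualifiers as the other editions. If Azure Edition support began in a later version than IoT, Standard and Datacenter, give it its own qualifier; otherwise state in the PR description that the starting version is the same. The `<!-- 10200029 -->` tracking comment is also carried over unchanged on both new lines, so check whether this change has its own work item.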
9 changes: 7 additions & 2 deletions intune/configmgr/hotfix/2509/36949461.md
@@ -1,7 +1,7 @@
---
title: Update rollup for Microsoft Configuration Manager version 2509
description: Update rollup for Configuration Manager 2509
ms.date: 05/11/2026
ms.date: 05/20/2026
ms.subservice: core-infra
ms.topic: reference
---
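Review bot: The new `ms.date: 05/20/2026` in the front matter is a week earlier than the `ms.date: 05/27/2026` on 37864969.md, which this revision now links to as the replacement. If the two articles publish together, set this to the publish date so the page doesn't appear to reference a KB before that KB's own date.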
Expand Down Expand Up @@ -104,13 +104,18 @@ File information for the release is available in the downloadable [KB36949461_Fi

## Known issues

The following fixes are not included in this update rollup. If these fixes were previously installed as individual hotfixes, installing this update rollup overwrites those changes. These fixes will be included in a future update rollup.
The following fixes are not included in this update rollup. These fixes are included in [KB 37864969](37864969.md).

- [KB 36419072](../2509/36419072.md): Offline feedback update for Configuration Manager
- [KB 36495448](../2509/36495448.md): Co-management and 3rd party update scan source fix for Configuration Manager

## Update replacement information

This update is replaced by [KB 37864969](37864969.md).

## Release history

- May 2026: This update is replaced by [KB 37864969](37864969.md)
- May 2026: Article revised to document known issues
- April 2026: Initial hotfix release
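Review bot: In "Known issues", the rewritten sentence drops the warning that installing this rollup overwrites the two listed fixes when they were previously installed as individual hotfixes. That behaviour of KB 36949461 doesn't change because a later rollup exists, and anyone who still installs it loses the co-management update scan source fix without being told. Keep the overwrite sentence and append the pointer to KB 37864969. Smaller points: the new links use `37864969.md` while the neighbouring entries use the `../2509/` form, and "Release history" now has two "May 2026" entries with the newest first, so add the day or confirm the ordering is intended.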

132 changes: 132 additions & 0 deletions intune/configmgr/hotfix/2509/37864969.md
@@ -0,0 +1,132 @@
---
title: Second update rollup for Microsoft Configuration Manager version 2509
description: Second update rollup for Configuration Manager 2509
ms.date: 05/27/2026
ms.subservice: core-infra
ms.topic: reference
---

# Second update rollup for Microsoft Configuration Manager version 2509

*Applies to: Configuration Manager (current branch, version 2509)*

## Summary of KB37864969

This update rollup supersedes [KB 36949461](36949461.md) and includes all fixes from that update along with more fixes.

For more information on changes in Configuration Manager version 2509, see:

- [What's new in version 2509 of Configuration Manager current branch](../../core/plan-design/changes/whats-new-in-version-2509.md)
- [Summary of changes in Microsoft Configuration Manager current branch, version 2509](35877153.md)

## Issues that are fixed

- **Build and Capture task sequence produces incorrect restart error on Windows 11 24H2**

When performing a Build and Capture task sequence on Windows 11 24H2 using November or December 2024 media, the resulting captured image displays a "Why did my PC restart" error dialog when subsequently deployed. This error appears during the Windows setup phase of the captured image and can interrupt automated deployment sequences, causing confusion for technicians performing image deployments.

- **Windows 10 IoT Enterprise LTSC 2021 incorrectly reported as unsupported**

Windows 10 IoT Enterprise LTSC 2021 (version 21H2, Build 19044) devices are incorrectly reported as "not supported" in the ConfigMgr console. In **Administration** > **Management Insights** > **Simplified Management** > **Update Clients to a supported Windows 10 version**, these devices show "Action needed". The Product Lifecycle dashboard also incorrectly shows these devices as end-of-life, even though Windows 10 IoT Enterprise LTSC 2021 has mainstream support until January 12, 2027.

- **Software Center compliance check fails in co-managed environments**

An internal service required for device compliance checks will be deprecated in October 2026. Following the deprecation, compliance checks in Software Center may fail in co-managed environments where the Compliance workload is managed by Intune. To prevent this issue, apply this update before October 2026. For more information, see [KB 37172183](../2503/37172183.md).

- **Applications with OS requirements fail during OSD with HTTP 404 error after upgrading to 2509**

After upgrading to ConfigMgr 2509, applications with OS requirement rules (such as "All x64 Windows 11 and higher Clients") fail to install during Task Sequence deployment. Multiple applications that reference the affected OS requirement fail simultaneously. Errors similar to the following are recorded in the CIDownloader.log file.

```text
failed to download source file http://mp/SMS_MP/.sms_dcm?Id&DocumentId=Windows/All_x64_Windows_11_and_higher_Clients/ to destination ... with error 0x80190194
```

- **Co-managed clients with 3rd party update catalogs receive updates from incorrect source**

In ConfigMgr 2509, co-managed clients with third party update catalogs stop receiving updates from the expected source. The Windows Update Agent is locked to WSUS for Quality, Feature, and Driver updates even though the co-management slider is set to Intune. The `SetPolicyDrivenUpdateSourceForXXXUpdates` registry values for Feature, Driver, Quality updates under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` are incorrectly assumed to be 1 (WSUS) if only the key `SetPolicyDrivenUpdateSourceForOtherUpdates` is set to 1 (making it a partial configuration of policy). This issue was originally addressed in [KB 36495448](../2509/36495448.md).

- **ConfigMgr client upgrade fails on Windows 11 ARM64 devices**

Client push installation (CcmSetup) fails with error code `0x80070643` on Windows 11 ARM64 devices when upgrading from ConfigMgr 2403 or 2503 to 2509. The failure occurs during the upgrade path when the installer attempts to uninstall a 32-bit Microsoft Policy Platform (MPP) component that doesn't exist on ARM64 architecture. The issue doesn't occur on x64 devices and reproduces on Windows 11 25H2 ARM64 and 26H1 ARM64.

- **Subsequent ConfigMgr client upgrades fail on ARM64 after initial upgrade failure**

On Windows 11 ARM64 devices, if a previous ConfigMgr client upgrade failed to uninstall the 32-bit Microsoft Policy Platform (MPP) MSI, subsequent client upgrades also fail with error code `0x80070643`. In ccmsetup.log, the 32-bit `MicrosoftPolicyPlatformSetup.msi` uninstall is attempted and the error is ignored, but the upgrade logic then proceeds to install the 64-bit MPP without checking whether it's already present, causing the `client.msi` upgrade to fail.

- **Microsoft Defender does not apply Intune policies after Endpoint Protection workload is switched to Intune**

When the Endpoint Protection (EP) co-management workload is switched from Configuration Manager to Intune, Microsoft Defender doesn't pick up Intune's Endpoint Protection settings. Defender remains in a state where it believes Configuration Manager is managing it. Intune AV policies (such as tamper protection) aren't applied. The issue occurs because the ConfigMgr client leaves behind a registry key that prevents Defender from recognizing the workload transition.

- **Intune EDR policies fail to apply on tenant-attached clients**

In ConfigMgr 2509, Intune Endpoint Detection and Response (EDR) policies fail to be applied on ConfigMgr clients via tenant attach (non-co-managed). The ConfigMgr client doesn't receive or process EDR policy from Intune when only tenant attach is configured without co-management. Policy deployment errors may appear in client logs related to EDR configuration.

- **Security update for Configuration Manager**

This update enhances security in Configuration Manager by improving access controls for the Network Access Account (NAA). For more information, see [KB 37447175](../2503/37447175.md).

- **Offline feedback submission fails due to authentication library version mismatch**

The standalone tool UploadOfflineFeedback.exe fails with a System.IO.FileLoadException due to a Microsoft.Identity.Client version mismatch. This issue was originally addressed in [KB 36419072](../2509/36419072.md).

- **Cloud Management Gateway VMSS image updated to remove end-of-life .NET 6**

The Cloud Management Gateway (CMG) Virtual Machine Scale Set (VMSS) image is updated to use a new SKU that doesn't include .NET 6, which has reached end of life.

## Issues that are fixed in this update that aren't in KB 36949461

The following issues are new in this update rollup and weren't included in [KB 36949461](36949461.md):

- Offline feedback submission fails due to authentication library version mismatch. For more information, see [KB 36419072](../2509/36419072.md).
- Co-managed clients with third party update catalogs receive updates from incorrect source. For more information, see [KB 36495448](../2509/36495448.md).
- Cloud Management Gateway VMSS image updated to remove end-of-life .NET 6.

## Hotfixes that are included in this update

- [KB 37172183](../2503/37172183.md): Software Center compliance check fails with GET_TOKEN_FROM_STS_ERROR in co-managed environments
- [KB 37447175](../2503/37447175.md): Security update to harden access to Network Access Account information
- [KB 36419072](../2509/36419072.md): Offline feedback update for Configuration Manager
- [KB 36495448](../2509/36495448.md): Co-management and third party update scan source fix for Configuration Manager

## Update information for Microsoft Configuration Manager current branch, version 2509

This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using the globally available build of version 2509.

### Restart information

This update doesn't require a computer restart but will initiate a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.

### Additional installation information

After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** > **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. The reinstallation doesn't affect configurations and settings for the secondary site. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.

Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:

```sql
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
```

If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.

If the value 0 is returned, all the fixes that are applied to the primary site aren't installed for the secondary site. You should use the **Recover Secondary Site** option to update the secondary site.

## Version information

The following major components are updated to the versions specified:

| Component | Version |
|---|---|
| Configuration Manager console | 5.2509.1036.1700 |
| Client | 5.0.9141.1032 |

## File information

File information for the release is available in the downloadable [KB37864969_FileList.txt](https://aka.ms/KB37864969_FileList) text file.

## Release history

- May 2026: Initial hotfix release

## References

[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)
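Review bot: In the "Co-managed clients with 3rd party update catalogs" item, `SetPolicyDrivenUpdateSourceForXXXUpdates` is a placeholder rather than a name an admin can search for, and `SetPolicyDrivenUpdateSourceForOtherUpdates` is called a "key" although it is a value under the `WindowsUpdate` key. Write out the three value names for Feature, Driver and Quality updates and use "value" consistently. The Defender item has the same gap: it says the client "leaves behind a registry key" without naming it or saying whether this update removes it on devices that already switched the workload, which is what someone verifying that tamper protection policy is applied needs to know. Also align "3rd party" in that heading with "third party" in the body and later sections, and pick one of "ConfigMgr" and "Configuration Manager" for the article.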
2 changes: 2 additions & 0 deletions intune/configmgr/hotfix/TOC.yml
Expand Up @@ -17,6 +17,8 @@ items:
href: 2509/36419072.md
- name: KB 36949461 Update rollup for Configuration Manager version 2509
href: 2509/36949461.md
- name: KB 37864969 Second update rollup for Configuration Manager version 2509
href: 2509/37864969.md
- name: Version 2503
items:
- name: KB 31909343 Summary of changes in 2503
2 changes: 2 additions & 0 deletions intune/configmgr/hotfix/index.yml
Expand Up @@ -29,6 +29,8 @@ landingContent:
url: 2509/36495448.md
- text: KB 36949461 Update rollup for Microsoft Configuration Manager version 2509
url: 2509/36949461.md
- text: KB 37864969 Second update rollup for Microsoft Configuration Manager version 2509
url: 2509/37864969.md
- title: Configuration Manager 2503
linkLists:
- linkListType: overview