Merge branch 'main' into patch-8

Author: baardhermansen

.openpublishing.redirection.json

@@ -2712,6 +2712,11 @@
       "source_path": "intune/intune-service/protect/advanced-threat-protection.md",
       "redirect_url": "/intune/intune-service/protect/microsoft-defender-with-intune",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "intune/configmgr/hotfix/2509/36495448.md",
+      "redirect_url": "/intune/configmgr/hotfix/",
+      "redirect_document_id": false
     }
   ]
 }

intune/agents/device-offboarding-agent-use.md

@@ -10,7 +10,9 @@ ms.reviewer: rishitasarin
 
 # Use the Device Offboarding Agent
 
-The* Device Offboarding Agent* identifies stale or misaligned devices across Intune and Entra ID, providing actionable insights and requiring admin approval before offboarding any devices. The Device Offboarding Agent complements existing Intune automation by surfacing insights and handling ambiguous cases where automated cleanup may not suffice.
+[!INCLUDE [device-offboarding-agent-deprecation](includes/device-offboarding-agent-deprecation.md)]
+
+The *Device Offboarding Agent* identifies stale or misaligned devices across Intune and Entra ID, providing actionable insights and requiring admin approval before offboarding any devices. The Device Offboarding Agent complements existing Intune automation by surfacing insights and handling ambiguous cases where automated cleanup may not suffice.
 
 This article provides sample responses to show how the agent helps with device offboarding.
 

intune/agents/device-offboarding-agent.md

@@ -10,6 +10,8 @@ ms.reviewer: rishitasarin
 
 # Get started with the Device Offboarding Agent
 
+[!INCLUDE [device-offboarding-agent-deprecation](includes/device-offboarding-agent-deprecation.md)]
+
 The *Device Offboarding Agent* identifies stale or misaligned devices across Intune and Entra ID, providing actionable insights and requiring admin approval before offboarding any devices. The Device Offboarding Agent complements existing Intune automation by surfacing insights and handling ambiguous cases where automated cleanup may not suffice.
 
 ## Prerequisites

intune/agents/includes/device-offboarding-agent-deprecation.md

@@ -0,0 +1,29 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms-topic: include
+ms.date: 03/02/2026
+---
+
+> [!IMPORTANT]
+>
+> **Starting June 1, 2026, the Device Offboarding Agent will no longer be available.**
+>
+> Review your existing offboarding processes and transition to previously used device lifecycle and remediation options in Microsoft Intune before this date.
+>
+> **Device Offboarding Agent timeline**
+>
+> - **April 30, 2026**: You can't set up the Device Offboarding Agent.
+> - **June 1, 2026**: The Device Offboarding Agent is removed from the Intune admin center and isn't available.
+>
+> **What this change means for you**
+> 
+> - You can continue using the Device Offboarding Agent until **June 1, 2026** if it's already set up.
+> - If you delete the agent between **April 30, 2026** and **June 1, 2026**, you can't set it up again.
+> - After **June 1, 2026**, the Device Offboarding Agent isn't accessible.
+> 
+> **Recommended actions**
+> 
+> - Complete any active offboarding actions before **June 1, 2026**.
+> - Avoid creating new dependencies on the Device Offboarding Agent.
+> - Transition existing offboarding workflows to previously used device lifecycle and remediation options in Intune.

intune/configmgr/hotfix/2509/36495448.md

@@ -0,0 +1,92 @@
+---
+title: Software update management client fix for Microsoft Configuration Manager
+titleSuffix: Configuration Manager
+description: SUM Client update for Configuration Manager
+ms.date: 02/23/2026
+ms.subservice: core-infra
+ms.service: configuration-manager
+ms.topic: reference
+ms.assetid: ec969e9b-501e-416b-9b4c-39de23d968b1
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+
+# Software update management client fix for Microsoft Configuration Manager versions 2503 and 2509
+
+*Applies to: Configuration Manager (current branch, versions 2503 and 2509)*
+## Summary of KB36495448
+
+An update is available to fix an issue with software updates when third-party updates are used in a co-managed environment.
+
+In Configuration Manager versions 2503 (with Update rollup 32851084 installed) and 2509, Windows Update scan source policies are unintentionally modified on co-managed devices when third-party updates are enabled.
+The Configuration Manager client can create an incomplete (partial) scan source policy configuration.
+
+The partial scan causes devices that should receive Feature Updates (FU) or Quality Updates (QU) from Microsoft Intune or Windows Update for Business (WUfB) to instead obtain those updates from WSUS/Configuration Manager.
+
+This update corrects the issue by ensuring that Configuration Manager no longer sets or modifies Windows Update scan source policies on co managed devices.
+
+## Issue details
+When a device is both co-managed by Microsoft Intune and third-party updates are enabled via ConfigMgr, the client set only two Windows Update scan source policy values:
+* HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseUpdateClassPolicySource = 1
+* HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForOtherUpdates = 1
+
+However, the following related policy values aren't set, and are removed if they existed:
+* HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates
+* HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForFeatureUpdates
+* HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForQualityUpdates
+
+When only some values are present, the Windows Update Agent can assume all categories should follow the same scan source.
+As a result, Feature Updates and Quality Updates intended to come from Microsoft Intune/ WUfB are instead redirected to WSUS/ ConfigMgr, even though the environment was configured for Intune-managed updates.
+
+## Post hotfix behavior
+After applying this hotfix, Configuration Manager will no longer set any of the following values on co-managed devices after installing this update: 
+
+* UseUpdateClassPolicySource
+* SetPolicyDrivenUpdateSourceFor* (Feature, Quality, Driver, Other)
+
+Existing devices that were placed into a partial policy state by previous builds have those incomplete values cleaned up once.
+
+Third-party updates deployed from WSUS/ConfigMgr aren't affected by this change because they don't rely on Windows Update scan source policies. Customers fully control scan source behavior; if organizations wish to control Windows Update scan source policies, they should do so explicitly using:
+
+•	Group Policy, or
+
+•	Intune policy configuration service provider for WUfB
+ 
+Environments using only Configuration Manager (without co-management) or only Microsoft Intune/ WUfB aren't affected.
+
+
+## Update information for Microsoft  Configuration Manager
+The following hotfix to resolve this problem is available for download from the Microsoft Download Center:
+
+[KB36495448](https://aka.ms/KB36495448_Payload)
+
+After you download the hotfix, see the following documentation for installation instructions:
+
+[Use the Update Registration Tool to import hotfixes to Configuration Manager](../../core/servers/manage/use-the-update-registration-tool-to-import-hotfixes.md)
+
+#### Prerequisites
+To apply this hotfix, you must be using Configuration Manager, versions 2503 (with Update rollup 32851084 installed) and 2509.
+
+#### Restart information
+This update doesn't initiate a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset).
+
+### Other installation information
+After you install this update on a primary site, preexisting secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```sql
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site hasn't yet installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## Hotfix replacement information
+This hotfix doesn't replace any previously released hotfix.
+
+## File information
+File information is available in the downloadable [KB36495448_FileList.txt](https://aka.ms/KB36495448_FileList) text file.
+
+## Release history
+- February 23, 2026: Initial hotfix release

intune/configmgr/hotfix/TOC.yml

@@ -5,6 +5,8 @@ items:
   items:
   - name: KB 35877153 Summary of changes in 2509
     href: 2509/35877153.md
+  - name: KB 36495448 Software update management client fix
+    href: 2509/36495448.md
   - name: KB 33247081 Connected cache update for Configuration Manager versions 2409, 2503, and 2509
     href: 2509/33247081.md
 - name: Version 2503
@@ -21,6 +23,8 @@ items:
     href: 2503/32851084.md
   - name: KB 35958849 Cloud management gateway deployment maintenance update
     href: 2503/35958849.md
+  - name: KB 36495448 Software update management client fix
+    href: 2509/36495448.md
 
 - name: Version 2409
   items:

intune/configmgr/hotfix/index.yml

@@ -17,6 +17,8 @@ landingContent:
         links:
           - text: KB 35877153 Summary of changes in 2509
             url: 2509/35877153.md
+          - text: KB 36495448 Software update management client fix
+            url: 2509/36495448.md
           - text: KB 33247081 Connected cache update for Configuration Manager versions 2409, 2503, and 2509
             url: 2509/33247081.md
   - title: Configuration Manager 2503
@@ -35,6 +37,8 @@ landingContent:
             url: 2503/32851084.md
           - text: KB 35958849 Cloud management gateway deployment maintenance update
             url: 2503/35958849.md
+          - text: KB 36495448 Software update management client fix
+            url: 2509/36495448.md
   - title: Configuration Manager 2409
     linkLists:
       - linkListType: overview