Microsoft released the KB33177653 Azure for US Government update for SCCM versions 2503, 2409, and 2403 on June 30, 2025. The hotfix resolves an issue where co-managed devices in Azure for US Government fail to correctly retrieve compliance status from Microsoft Intune. As a result, the devices are marked as noncompliant when viewed in Software Center.
It is important to note that the above issue only impacts environments running Configuration Manager current branch versions 2503, 2409, and 2403. To resolve this problem permanently, installing hotfix KB33177653 is required. Please refer to the official Microsoft documentation on Azure for US Government for Configuration Manager.
Is installing hotfix KB33177653 mandatory? Well, this update is designed only for environments with devices that are co-managed in the Azure for US Government cloud.

In the screenshot below, my ConfigMgr lab is running version 2409, so the KB33177653 hotfix shows as available for that version. If you are using SCCM 2503 or version 2403, the update will appear for the respective version.

Install KB33177653 Azure for US Government Update for SCCM
Open the SCCM console and go to Administration > Overview > Updates and Servicing. Select the Configuration Manager hotfix KB33177653 and, on the top ribbon, select Install Update Pack.
Note: If the state of the update shows as Ready to Download, wait for some time while it downloads in the background. If not, right-click the hotfix and choose Download.

The KB33177653 hotfix includes updates for site server, console, and client. I highly recommend running a prerequisite check before installing this update. Click Next.

Pick the client update option and select Next. Accept the license terms for installing the KB33177653 hotfix. Click Next.

Complete the remaining steps in the wizard and close the update installation wizard. The hotfix installation begins now.

Monitoring the hotfix Installation
To track the progress of hotfix installation, navigate to Monitoring\Overview\Updates and Servicing Status. If the hotfix fails to install, this section will show you the exact step where the update failed. Another way to track the hotfix installation is by reviewing the cmupdate.log file.
The hotfix KB33177653 update required a total of 35 minutes to install on the 2409 server, and there were no errors encountered at any point in the installation process. You don’t have to restart your server after the installation of this update.
Console Upgrade
The KB33177653 hotfix includes updates for the console, so you must complete the console upgrade after the installation. In the upgrade window, click “OK” to proceed with the console upgrade. In the below screenshot, the console version is upgraded to 5.2409.1183.1500.

To verify if the KB33177653 hotfix is installed, open the console and go to Administration > Updates and Servicing. If the State column for the hotfix shows ‘Installed’, it means the update installation is completed.

Upgrading the clients
As mentioned earlier, the KB33177653 hotfix updates the console and client agents. After the console upgrade, the next step is to upgrade the clients to the latest version. I recommend using the automatic client upgrade method to update the client agents to the newest version.
The table below outlines the client version corresponding to each SCCM version after installing the KB33177653 hotfix.
| KB33177653 Update for SCCM | Client Version |
|---|---|
| 2503 | 5.0.9135.1006 |
| 2409 | 5.0.9132.1027 |
| 2403 | 5.0.9128.1033 |
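
To confirm that the client upgrade actually reached every device, the versions in the table can be checked against an inventory export. The following is an added example, not part of the original article or Microsoft's tooling: the function name, the device names and the sample client versions are constructed for illustration, and the comparison is done on parsed version numbers rather than strings.

```powershell
# Post-hotfix client versions, taken from the table above.
$ExpectedClientVersion = @{
    '2503' = [version]'5.0.9135.1006'
    '2409' = [version]'5.0.9132.1027'
    '2403' = [version]'5.0.9128.1033'
}

# Hypothetical helper: returns every device whose client is missing,
# unparsable, or older than the post-hotfix version for the site.
function Get-ClientsBelowHotfixVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('2503', '2409', '2403')]
        [string]$SiteVersion,
        # Objects exposing Name and ClientVersion properties.
        [Parameter(Mandatory)][object[]]$Device
    )
    $target = $ExpectedClientVersion[$SiteVersion]
    foreach ($d in $Device) {
        $parsed = $null
        if ([string]::IsNullOrWhiteSpace($d.ClientVersion)) {
            $status = 'NoClientVersion'        # discovered, but no agent reported
        }
        elseif (-not [version]::TryParse($d.ClientVersion, [ref]$parsed)) {
            $status = 'UnparsableVersion'
        }
        elseif ($parsed -lt $target) {
            $status = 'BelowHotfixVersion'     # numeric compare, not string compare
        }
        else { continue }                      # at or above the hotfix version
        [pscustomobject]@{
            Name          = $d.Name
            ClientVersion = $d.ClientVersion
            Expected      = $target.ToString()
            Status        = $status
        }
    }
}

# Constructed sample inventory (device names and versions are made up).
$sample = @(
    [pscustomobject]@{ Name = 'PC-001'; ClientVersion = '5.0.9132.1027' }
    [pscustomobject]@{ Name = 'PC-002'; ClientVersion = '5.0.9132.1011' }
    [pscustomobject]@{ Name = 'PC-003'; ClientVersion = '5.0.9128.1033' }
    [pscustomobject]@{ Name = 'PC-004'; ClientVersion = '' }
)
Get-ClientsBelowHotfixVersion -SiteVersion '2409' -Device $sample |
    Format-Table -AutoSize
```

Any objects with `Name` and `ClientVersion` properties can be passed in place of `$sample`, for example rows imported from a device report with `Import-Csv`.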
Updating KB33177653 on Secondary Sites
After installing the hotfix update KB33177653 on a primary site, pre-existing secondary sites must be manually updated. This must be done on all the secondary sites present in your setup.
On the Secondary site server, open the Configuration Manager console. Go to Administration > Site Configuration > Sites > Recover Secondary Site, and then select the secondary site. Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
```sql
select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
```

If the above command returns value 1, it means the site is up-to-date, with all the hotfixes applied on its parent primary site. If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site. You should use the Recover Secondary Site option to update the secondary site.




So mine has been installing for 9 hours, so something is wrong. Also, the show status is completely empty, like it's never started to update.