Known issue: Upgrading Microsoft Tunnel version 20260129.1
We identified an upgrade issue with the early March release of Microsoft Tunnel version 20260129.1 that caused servers to become stuck and unable to complete the upgrade. The issue can be resolved by uninstalling and reinstalling the server to a newer version (20260330.1 or later). Alternatively, we’ve created a script to help you update affected servers. This blog explains how to use the mstunnel-patch-2602 script to remediate the issue. Before you begin Before you run the script, make sure you have the following: Access to the Linux virtual machine hosting the Microsoft Tunnel server Permission to run commands with sudo The patch script downloaded to the server from https://aka.ms/mstunnel-patch-2602 When to use this script Use this script if your server is showing one or more of the following behaviors: The server remains on the affected version (20260129.1) and doesn’t move to the latest version In the Intune admin center, the server health state appears as Healthy, but the upgrade banner shows an error The server rolls back to the affected version because of a version mismatch in Agent Settings Identify impacted servers The issue affects servers on version 20260129.1, use the following hash to identify whether your deployment is on this version: Agent: sha256:abbdcd854aa5ac376aed32c828e4c84917e776a701855cd1e3febed18a3e4dae Server: sha256:ad57d6a7ffe21f64fc1577713063ae9b180914cf65bc70b4e49be21299cfc1d3 The issue was resolved with version 20260330.1, released March 30, 2026. You can verify your servers are on this version with the following hash: Agent: sha256:163214b94af6d91a5ef02690f891c5a41e87b1059b9530324716ee34778c1785 Server: sha256:dd62c292528e8e5aa4e7b84418efa42fd3830ec0db40467947cde8125aa17d7e Run the script After downloading the script to the server, complete the following steps. Step 1: Enable execution permissions If needed, make the script executable: chmod +x mstunnel-patch-2602.sh Step 2: Run the script Run the script with elevated permissions: sudo ./mstunnel-patch-2602.sh When the script runs, it performs the following actions automatically: Checks whether the current server is using the affected build hashes. Creates backups of the current configuration so the system can revert if the update fails. Stops the Tunnel agent and server services. Updates the configuration with version 20260330.1 hashes Pulls version 20260330.1 and forces mst-cli install without requiring additional user input Expected results After the script completes successfully, the server should be updated to the March 30, 2026 version 20260330.1. This remediation is intended to resolve upgrade failures caused by a version mismatch and eliminate the need for a manual uninstall and reinstall workflow. If you have any questions or issues running the script to update your servers, reply to this post or reach out to the team on X @IntuneSuppTeam.Resolved - Support Tip: Occasionally occurring with iOS MAM and Office apps
We had a few cases on this recently and after investigation, decided to share this known issue that affects sign in on iOS Mobile Application Management (MAM, also known as APP). It does not impact the majority of users, but for the one that it does impact, it prompts for sign in when an Office app is opened. Office has a fix in their backlog; in the interim, read this post for a way to clear it up if you have a user running into this scenario.
