Upgrade Microsoft Tunnel for Microsoft Intune

Microsoft Tunnel, a VPN gateway solution for Microsoft Intune, periodically receives software upgrades, which must be installed on the tunnel servers to keep them in support. To stay in support, servers must run the most recent release, or at most be one version behind. The information in this article explains:

  • The upgrade process
  • Upgrade controls
  • Status reports you can use to understand the software version of tunnel servers
  • When upgrades are available
  • How to control when upgrades happen

Intune handles the upgrade of servers assigned to each tunnel site for you. When you start the upgrade for a site, all servers in the site upgrade one at a time, which is referred to as an upgrade cycle. While a server is upgrading, the Microsoft Tunnel on that server isn't available for use. Upgrading a single server at a time helps minimize disruptions to users when the site includes multiple servers.

During an upgrade cycle:

  • Intune begins by upgrading one server in the site. The upgrade can start as soon as 10 minutes after the release becomes available.
  • If a server was off, the upgrade begins after the server turns on.
  • After a successful upgrade of one server at a site, Intune waits a short time before it starts the upgrade of the next server.

Use upgrade controls

To help control when Intune starts the upgrade cycle, configure the following settings at each site. You can configure the settings when creating a new site, or by editing the properties of an existing site:

  • Automatically upgrade servers at this site
  • Limit server upgrades to maintenance window

Automatically upgrade servers at this site

This setting determines if an upgrade cycle for the site can begin automatically, or if an admin must explicitly approve the upgrade before the cycle can begin.

  • Yes (default) – When set to Yes, the site automatically upgrades servers as soon as possible after a new tunnel version becomes available. Upgrades begin without admin intervention.

    If you set a maintenance window for the site, the upgrade cycle begins between the window's start and end times. When no maintenance window is set, the upgrade cycle starts as soon as possible.

  • No – When set to No, Intune doesn't upgrade servers until an admin explicitly chooses to begin the upgrade cycle.

    After an upgrade is approved for a site with a maintenance window, the upgrade cycle begins between the window's start and end times. If there's no maintenance window, the upgrade cycle starts as soon as possible.

    Important

    When you configure a site for manual upgrades, periodically review the Health check tab to understand when newer versions of Microsoft Tunnel are available to install. The report also identifies when the current tunnel version at the site is out of support.

Limit server upgrades to maintenance window

Use this setting to define a maintenance window for the site.

When configured for a site, the server upgrade cycle can begin only during the configured period. However, once begun, the cycle continues to update servers one by one until all servers assigned to the site complete the upgrade.

  • No (default) – No maintenance window is set. Sites that are configured to upgrade automatically do so as soon as possible. Sites configured to require explicit action to start the upgrade will do so as soon as possible after the upgrade is approved.

  • Yes – Set a maintenance window. The window limits when a server upgrade cycle can begin at the site. The maintenance window doesn’t define when individual servers assigned to the site might start to upgrade.

    Sites that are configured to upgrade automatically start the upgrade cycle only during the configured period. Sites configured to require the admin to approve the upgrade before it begins do so during the next maintenance window after the upgrade is approved.

    When set to Yes, configure the following options:

    • Time zone – The time zone you select determines when the maintenance window starts and ends on all servers in the site. The time zone of individual servers isn't used.
    • Start time – Specify the earliest time that the upgrade cycle can start, based on the time zone you selected.
    • End time - Specify the latest time that the upgrade cycle can start, based on the time zone you selected. Upgrade cycles that start before this time will continue to run and can complete after this time.

View tunnel server status

You can view information about the status of Microsoft Tunnel servers, including the version of Microsoft Tunnel on a server.

For sites that don't support automatic upgrade, you can also view when upgrades to a new version are available.

Sign in to Microsoft Intune admin center > Tenant administration > Microsoft Tunnel Gateway > Health status. Select a server and then open the Health check tab to view the following information about it:

  • Server version - The status of the Tunnel Gateway Server software, in the context of the most recent version available.

    • Healthy - Up to date with the most recent software version.
    • Warning - One version behind.
    • Unhealthy - Two or more versions behind, and out of support.

When a server doesn’t run the most recent software version, plan to install an available upgrade to keep the Microsoft Tunnel in support.

Approve upgrades

Sites that have the setting Automatically upgrade servers at this site set to No don't automatically upgrade servers. Instead, an admin must approve upgrades for servers at that site before the upgrade cycle starts.

To understand when an upgrade is available for servers, use the Health check tab to review server status.

To approve an upgrade

  1. Sign in to Microsoft Intune admin center > Tenant administration > Microsoft Tunnel Gateway > Sites.

  2. Select the site with an Upgrade type of Manual.

  3. On the site’s properties, select Upgrade servers.

After you choose to upgrade servers, Intune starts the process to do so, which can't be canceled. The time that upgrades begin at the site depends on the configuration of maintenance windows for the site.

Understanding version identifiers

Microsoft Tunnel uses two types of identifiers for container image versions:

  • Version Number Labels: Human-readable identifiers that represent the build date and sequence or version of an update. For example, version 20251126.1 represents version 1 for a build created on November 26, 2025.
  • SHA256 Digests: Cryptographic hashes that provide precise identification and validation for update deployment.

Version number labels are internal identifiers applied during the build process that help customers and Microsoft support teams quickly identify specific releases. These labels complement the SHA256 digests that are used for actual deployment and validation.

While SHA256 digests remain the official reference for deployment precision, you can use version labels to:

  • Reference releases in automation scripts and deployment pipelines
  • Simplify inventory management and compliance reporting
  • Streamline communication with Microsoft support when discussing specific releases
  • Validate that deployed images match expected release dates and sequences

The Microsoft Tunnel version for a server isn't available in the Intune UI at this time. Instead, run the following command on the Linux server that hosts the tunnel to identify the hash values of agentImageDigest and serverImageDigest:

    cat /etc/mstunnel/images_configured

Microsoft Tunnel update history

Updates for Microsoft Tunnel are released periodically. When a new version is available, read about the changes here.

After an update releases, it rolls out to tenants over the following days. This rollout time means new updates might not be available for your tunnel servers for a few days.

Important

Container releases take place in stages. If you notice that your container images aren't the most recent, please be assured that they will be updated and delivered within the following week.

November 26, 2025

Version Number: 20251126.1

Image hash values:

  • agentImageDigest: sha256:b556382d7aefb94d2be9ae860ed95021abc8d900f11b71db9232a0fcda615c40
  • serverImageDigest: sha256:3c8bb39920694f6be510801f49ea61faa297d7df8b8618c1c49374f69fcf9cb2

Changes in this release:

  • Minor bug fixes

November 12, 2025

Version Number: 20251030.2

Image hash values:

  • agentImageDigest: sha256:2ab9316bc7a5a5e4ddcb387c0fb3eb599dbcfeae44da56652c540c00fccf81fd
  • serverImageDigest: sha256:8a59825275e41555a9ee3bf8e6e38f5db07dac953a8bd067673330ed536e1432

Changes in this release:

  • Package updates to resolve CVEs
  • Bug fixes to address an issue with the server health banner in the UX

October 29, 2025

Version Number: 20251028.1

Image hash values:

  • agentImageDigest: sha256:adc8259f8946e23612f9156223be6462690da82d113f919b9503fe227ca811e3
  • serverImageDigest: sha256:a8f1d5c7d734516e40ee3c2ead88d785ad25c5886ded095ce6dc74cf62b9916f

Changes in this release:

  • Contains various package updates and a major bugfix for the UI

October 7, 2025

Version Number: 20250815.1

Image hash values:

  • agentImageDigest: sha256:c658a64a3a849f3bec94aa18acd48a56a652023cef163e5f683c580cd8407ea4
  • serverImageDigest: sha256:6772cfe5f32a741864732254b26b40b13d8544294d739cc9dc79b964e433f069

Changes in this release:

  • Minor bug fixes

September 15, 2025

Version Number: 20250716.1

Image hash values:

  • agentImageDigest: sha256:24f1b034e1b0f72ceba6b9b351ddfcca3f2f8c26d32028b520e9e666ed6d6b75
  • serverImageDigest: sha256:44685069ca08ea6f6781d9d35eff4a616c93fb5aa985b7f05dff4700887b698c

Changes in this release:

  • Minor bug fixes

July 21, 2025

Image hash values:

  • agentImageDigest: sha256:559e8f5576ec1f989211ecbe831bb641eb279f430ec1000eb89ce52d79e98567
  • serverImageDigest: sha256:6c235570c7a8741cb6fc95823f04b8163ae11229e9a4b9c170993b03b4e17ddd

Changes in this release:

  • Minor bug fixes

July 1, 2025

Image hash values:

  • agentImageDigest: sha256:5ded906dbfe63a7920e817939b83ebf38917b3317162438180038ad1455eddae
  • serverImageDigest: sha256:9d666fb8d363b978f50978c2cfb427cf6851102cd7db1a1a7e75a50420c22277

Changes in this release:

  • Minor bug fixes
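
The digests in /etc/mstunnel/images_configured can be matched against the update history above to see which release a server runs and how far it is behind the newest release listed on this page. The script below is an added example, not Microsoft tooling: its function names are hypothetical, the file layout is assumed (each key on the same line as its digest), and the two July rows use constructed date labels because the page lists no version number for them.

```bash
# Release table copied from this page, newest first:
# "<label> <agentImageDigest> <serverImageDigest>" (July labels are constructed).
RELEASES='20251126.1 sha256:b556382d7aefb94d2be9ae860ed95021abc8d900f11b71db9232a0fcda615c40 sha256:3c8bb39920694f6be510801f49ea61faa297d7df8b8618c1c49374f69fcf9cb2
20251030.2 sha256:2ab9316bc7a5a5e4ddcb387c0fb3eb599dbcfeae44da56652c540c00fccf81fd sha256:8a59825275e41555a9ee3bf8e6e38f5db07dac953a8bd067673330ed536e1432
20251028.1 sha256:adc8259f8946e23612f9156223be6462690da82d113f919b9503fe227ca811e3 sha256:a8f1d5c7d734516e40ee3c2ead88d785ad25c5886ded095ce6dc74cf62b9916f
20250815.1 sha256:c658a64a3a849f3bec94aa18acd48a56a652023cef163e5f683c580cd8407ea4 sha256:6772cfe5f32a741864732254b26b40b13d8544294d739cc9dc79b964e433f069
20250716.1 sha256:24f1b034e1b0f72ceba6b9b351ddfcca3f2f8c26d32028b520e9e666ed6d6b75 sha256:44685069ca08ea6f6781d9d35eff4a616c93fb5aa985b7f05dff4700887b698c
released-2025-07-21 sha256:559e8f5576ec1f989211ecbe831bb641eb279f430ec1000eb89ce52d79e98567 sha256:6c235570c7a8741cb6fc95823f04b8163ae11229e9a4b9c170993b03b4e17ddd
released-2025-07-01 sha256:5ded906dbfe63a7920e817939b83ebf38917b3317162438180038ad1455eddae sha256:9d666fb8d363b978f50978c2cfb427cf6851102cd7db1a1a7e75a50420c22277'

# Print the digest stored for key $1 in file $2. Assumption: the key name and
# its sha256 value share one line (covers JSON and key=value layouts).
get_digest() {
  grep -F "$1" "$2" | grep -Eo 'sha256:[0-9a-f]{64}' | head -n 1
}

# Print "<label> <releases behind newest>" for agent digest $1 and server digest $2.
# Fails when the pair is not one row of the table (unknown or mixed images).
lookup_release() {
  local idx=0 label agent server
  while read -r label agent server; do
    if [ "$agent" = "$1" ] && [ "$server" = "$2" ]; then
      echo "$label $idx"; return 0
    fi
    idx=$((idx + 1))
  done <<EOF
$RELEASES
EOF
  return 1
}

# Health check states from this page: up to date, one behind, two or more behind.
server_state() {
  case $1 in 0) echo Healthy ;; 1) echo Warning ;; *) echo Unhealthy ;; esac
}

check_tunnel_images() {
  local file=${1:-/etc/mstunnel/images_configured} result
  result=$(lookup_release "$(get_digest agentImageDigest "$file")" \
                          "$(get_digest serverImageDigest "$file")") ||
    { echo "UNKNOWN: digest pair not in release table"; return 2; }
  set -- $result
  echo "$(server_state "$2") version=$1 behind=$2"
}

# Constructed sample file (layout assumed): a server still on the 20251030.2 images.
sample=$(mktemp)
set -- $(printf '%s\n' "$RELEASES" | sed -n 2p)
printf '"agentImageDigest": "%s",\n"serverImageDigest": "%s"\n' "$2" "$3" > "$sample"
check_tunnel_images "$sample"
```

On a tunnel server, call `check_tunnel_images` with no argument to read the real file. The result is only as current as the embedded table, so refresh `RELEASES` from the update history before relying on it.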
