Known issue: Upgrading Microsoft Tunnel version 20260129.1

We’ve come across a problem with the March release of Microsoft Tunnel version 20260129.1. This issue can cause servers to get stuck during upgrades. Luckily, there’s a straightforward solution. You can uninstall and then reinstall the server with a newer version (20260330.1 or later). Alternatively, there’s a handy script available to assist you in updating affected servers. In this blog, we’ll guide you through using the mstunnel-patch-2602 script to fix the problem.

Before you get started with the script, please ensure you’ve got everything you need:

• Access to the Linux virtual machine that’s hosting the Microsoft Tunnel server.
• Sufficient permissions to run commands with sudo.
• The patch script downloaded to the server from https://aka.ms/mstunnel-patch-2602.

If your server is showing one or more of the following issues, the script can help:

• Your server is stuck on the affected version (20260129.1) and isn’t upgrading to the latest.
• In the Intune admin centre, your server’s health state looks Healthy, yet the upgrade banner displays an error.
• The server reverts back to the affected version due to a version mismatch in Agent Settings.

This issue specifically impacts servers running version 20260129.1. To confirm whether your deployment is on this version, check the following hash:

The problem was resolved with version 20260330.1, which was released on March 30, 2026. You can verify that your servers are using this version with the corresponding hash:

Once you have the script on your server, follow these simple steps:

Step 1: Enable Execution Permissions

If required, make the script executable:

chmod +x mstunnel-patch-2602.sh

Step 2: Run the Script

To run the script, you’ll need elevated permissions:

sudo ./mstunnel-patch-2602.sh

1. The script checks whether the current server is using the affected build hashes.
2. It creates backups of the current configuration to allow for a revert if the update doesn’t work.
3. The Tunnel agent and server services are then stopped.
4. Next, the configuration is updated with version 20260330.1 hashes.
5. Finally, it fetches version 20260330.1 and executes mst-cli install without needing any further input from you.

Once the script runs successfully, your server should be upgraded to the March 30, 2026, version 20260330.1. This solution is designed to tackle upgrade failures caused by version mismatches, saving you the hassle of manually uninstalling and reinstalling.

If you have any questions or run into issues while using the script to update your servers, feel free to comment on this post or contact our team on X @IntuneSuppTeam.