diff --git a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 07fcd125..73aaaa41 100644
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -69,6 +69,7 @@ config:
 consentRequired: false
 frontchannelLogout: false
 publicClient: false
+ authorizationServicesEnabled: false
 attributes:
 backchannel.logout.session.required: false
 defaultClientScopes:
@@ -83,6 +84,7 @@ config:
 consentRequired: false
 frontchannelLogout: false
 publicClient: false
+ authorizationServicesEnabled: false
 attributes:
 backchannel.logout.session.required: true
 backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
@@ -136,6 +138,7 @@ config:
 frontchannelLogout: false
 publicClient: true
 fullScopeAllowed: true
+ authorizationServicesEnabled: false
 defaultClientScopes:
 - "opendesk"
 - "profile"
@@ -154,6 +157,7 @@ config:
 consentRequired: false
 frontchannelLogout: false
 publicClient: false
+ authorizationServicesEnabled: false
 attributes:
 backchannel.logout.session.required: true
 backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
@@ -174,6 +178,7 @@ config:
 consentRequired: false
 frontchannelLogout: false
 publicClient: false
+ authorizationServicesEnabled: false
 attributes:
 post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
 - name: "opendesk-nextcloud"
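Review bot: `authorizationServicesEnabled: false` is added verbatim to nine clients (this hunk and @@ -83, @@ -136, @@ -154, @@ -174, @@ -187, @@ -220, @@ -251, @@ -282) with no comment saying why the key is now set, so a later reader cannot tell whether the chart or image update in this same commit started requiring it or whether it is a deliberate hardening; a one-line comment on the first client, e.g. `# Keycloak Authorization Services (fine-grained permissions/UMA) are not used by any openDesk client; kept explicitly off`, would settle that. On the `publicClient: true` client at @@ -136 the key is redundant as far as I know, since Keycloak only offers authorization services to confidential clients, though keeping it for uniformity does no harm. Every client mapping starts before and ends after its hunk, so the enclosing `- name:` entries are not visible here.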
@@ -187,6 +192,7 @@ config:
 consentRequired: false
 frontchannelLogout: false
 publicClient: false
+ authorizationServicesEnabled: false
 attributes:
 backchannel.logout.session.required: true
 backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
@@ -220,6 +226,7 @@ config:
 frontchannelLogout: false
 publicClient: false
 serviceAccountsEnabled: true
+ authorizationServicesEnabled: false
 attributes:
 backchannel.logout.session.required: true
 backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
@@ -251,6 +258,7 @@ config:
 consentRequired: false
 frontchannelLogout: false
 publicClient: false
+ authorizationServicesEnabled: false
 attributes:
 backchannel.logout.session.required: true
 backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
@@ -282,6 +290,7 @@ config:
 consentRequired: false
 frontchannelLogout: false
 publicClient: false
+ authorizationServicesEnabled: false
 attributes:
 backchannel.logout.session.required: false
 backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"
diff --git a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
index 9884de9f..69af717b 100644
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -26,6 +26,12 @@ config:
 user: {{ .Values.databases.keycloak.username | quote }}
 database: {{ .Values.databases.keycloak.name | quote }}
 password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
+ logLevel: "DEBUG"
+ enableMetrics: true
+ # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
+ # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
+ # through an own ingress.
+ exposeAdminConsole: false
 containerSecurityContext:
 allowPrivilegeEscalation: false
diff --git a/helmfile/environments/default/charts.yaml b/helmfile/environments/default/charts.yaml
index 4fe2b814..4ef0241b 100644
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -175,7 +175,7 @@ charts:
 repository: "sovereign-workplace/souvap/tooling/charts/univention-keycloak"
 name: "ums-keycloak"
 oci: true
- version: "1.0.1"
+ version: "1.0.3"
 verify: true
 username: ~
 password: ~
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index cf2aec54..708b5c24 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -105,7 +105,7 @@ images:
 # registryUrl=https://docker.software-univention.de
 # dependencyType=supplier
 repository: "keycloak-keycloak"
- tag: "22.0.3-ucs1@sha256:6b17a63d4c6bc60f9c645902f8dbb7ad094a867065e40c43cc81c867c1b8ba00"
+ tag: "22.0.3-ucs2@sha256:1e8e45a2e01050c1473595c3b143446363016ea292b0c599ccd9f1bd37112206"
 # @supplier: "Univention"
 umsKeycloakBootstrap:
 # renovate:
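Review bot: `logLevel: "DEBUG"` is committed as the standing default of the Keycloak values file, and DEBUG output from Keycloak is high-volume and can include request and session details that do not belong in routine production logs; unless this is deliberately temporary, `logLevel: "INFO"` with a per-environment override for troubleshooting is the safer default, or at least a comment stating why DEBUG is intended. `enableMetrics: true` also turns on the metrics endpoint, while the new comment above `exposeAdminConsole` only describes the path restriction for the admin console; a sentence stating whether the Keycloak Extensions Proxy likewise keeps the metrics path off the public ingress, e.g. `# Metrics are for in-cluster scraping only; the proxy does not forward the metrics path externally` (if that is the case), would make the exposure model explicit. The hunk header counts six old context lines but only five are visible here, so the enclosing mapping may continue beyond what is shown.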