VPN Clients downloading updates from Microsoft, not from SCCM server

  • Question

  • Hi,

    Regarding the current worldwide situation, our company has sent all of the employees home to work. All employees connect via VPN and we would of course like to keep the updates rolling, but without the SCCM server. As far as I understood, SCCM can only "show" which updates need to be downloaded, and Windows downloads the updates from the internet without bringing our VPN to a halt.

    All machines reside in one VPN IP range and have our main office location SCCM server assigned in the "Boundaries" section. I am pointing this fact out because I know that the option on the screenshot, "if software updates are not available on the DP in current, neighbor or site boundary groups, download content from MS updates", could help, but I have the server assigned, and if I remove the server from the boundary group, what does that do for the overall management of clients in VPN, not just Windows updates?

    Setting from Windows 10 ADR:

    The deadline for the 2nd wave is today; the first wave is finished, and those are our friendly colleagues :)

    Cheers!


    • Edited by Tonito Dux Wednesday, March 18, 2020 6:39 AM
    Wednesday, March 18, 2020 6:32 AM

Answers

  • Hi,

    Thanks for posting in TechNet.

    Yes. If you would like to download the package from Microsoft Update rather than the on-premises DP, it's recommended to create a DP just for the VPN clients. Scope it appropriately for boundaries. Don't put updates on it. Then create a second deployment of updates to VPN clients with the "No deployment package" option in "Deployment Package" of the "Deploy Software Update Wizard"; the clients will then download content from peers or the Microsoft cloud. After the clients receive the policy, they will download the packages directly from Microsoft rather than from the DP.

    Similar thread for your reference: Deploy windows update on remote client using VPN 

    Thanks for your time.

    Best regards,
    Simon

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Tonito Dux Monday, March 23, 2020 8:59 AM
    Wednesday, March 18, 2020 10:26 AM

All replies

  • Hi,

    May we know the current status of the question? If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.

    Thanks and regards,
    Simon 

    Monday, March 23, 2020 1:48 AM
  • Hi Simon,

    Creating a separate DP would work for us, so I have marked your answer as valid and appropriate.

    Cheers!

    Monday, March 23, 2020 9:00 AM
  • Hi,
     
    Thanks for your reply and feedback. And we're glad that the question is solved now. If you have any questions in future, we warmly welcome you to post in this forum again.
     
    Have a nice day!
     
    Best Regards,
    Simon

    Monday, March 23, 2020 9:12 AM
  • Thanks Simon - good info thanks.

    I have followed this and another article, stood up a new dedicated VPN DP with the right boundaries, SU group etc. and it works as planned.  I can see it using MU directly.

    There's only one thing I am not 100% on...

    As clients can be off OR on the VPN at any given point in time, their IP of course changes between either on-prem or being VPN connected.

    So when creating collections that the SU targets, I have used the IP subnets to populate the members, using a query that uses something like "SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.IPAddress like "10.x.x.%""

    Now this works fine, and Hardware Inventory runs once a day, so it's generally up to date. But what could happen is the client is not on VPN for the day yet, the inventory runs, they end up in an on-prem collection that has a deployment using on-prem DPs, then they connect to VPN, detect the deployments for the on-prem devices as they are not in the VPN collection yet, and use on-prem DPs over the VPN.

    I could increase the Hardware Inv to be more frequent (say every 4 hours!) but I was wondering how others deal with the forever changing IP collection membership issue!  Plus wasn't sure if HW inventory more than once a day was bad practice.

    Thanks



    • Edited by Kiwifulla2 Monday, March 30, 2020 2:18 AM
    Monday, March 30, 2020 2:16 AM