question

0 Votes
MattD-7613 asked saldana-msft edited

SCCM, CMG, and Windows Updates

Need some direction on a situation I am troubleshooting. Users click on Check for Updates in the Windows 10 Settings and it takes at least 10 minutes to complete. SCCM is set up for Windows Updates and, as far as I can tell, everything is set up correctly. The updates are being distributed to a CMG (not sure why this is set up this way, as the updates get installed from Microsoft) and the client is on a VPN that points to the CMG. None of the SCCM logs really tell me anything, and the CBS.log was a dead end as well.

Thoughts?

mem-cm-updates

Just noticed that the IIS WSUS settings for ApiRemoting, ClientWebService, DSSAuthWebService, ServerSyncWebService, SimpleAuthWebService were not configured to Require SSL.

Not sure if this is contributing to the issue.

Also, if I select Check Online for updates from Microsoft Update, that returns immediate results.

0 Votes
1 Vote
yannara answered

Check for Updates is not actually supported, or will not do anything, when you are under SCCM management. With CMG, you should not distribute Software Update packages to the CMG but allow clients to download content from Microsoft; you will find this option in the Deployment object. If you have a VPN, I suggest you add the VPN network to boundaries and point it to the CMG.

1 Vote
AllenLiu-MSFT answered AllenLiu-MSFT edited

Hi, @MattD-7613
Thank you for posting in Microsoft Q&A forum.
I agree with yannara: Check for Updates is not related to SCCM.
Please try setting the "Prefer cloud based sources over on-premise sources" option on your VPN boundary group, which will rearrange your order of content acquisition preference so that the CMG comes first. This option applies even if you don't have a CMG, so it can offer some respite to your VPN by directing clients to Microsoft Update for content.
For more details:
https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895

And make sure you have considered letting clients get Windows Update content directly from the Windows Update service rather than publishing that content to your CMG. It could be more efficient and would definitely be cheaper.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes
MattD-7613 answered

Thanks for all the replies... I did suggest not distributing any Software Updates to the CMG. Hopefully we take care of that this morning. I did not think that was set up correctly.

I did notice that when I deleted the contents of the C:\windows\system32\grouppolicy folder and the Download and SLS subfolders of c:\windows\softwaredistribution, followed by deleting the reg key for Group Policy (HKLM\software\policies\microsoft), and then rebooting, it worked fine.

I will be updating the content on the CMGs this morning and setting up the missing SSL settings for WSUS. I have always struggled with the GPOs needed for WSUS when SCCM is in play. They want to be able to have that Check for Updates run when the VPN client (F5) starts up, which is how the issue was discovered. I am leaning towards a GPO causing the issue, but wonder what I need to set to have SCCM in line with these updates and for this Check for Updates to just always work.

1 Vote
AllenLiu-MSFT answered

Hi, @MattD-7613
Are you referring to the policy "Do not allow update deferral policies to cause scans against Windows Update"? SCCM enables this policy by default; it disables Dual Scan. You may try disabling the policy.

For the reference:
https://techcommunity.microsoft.com/t5/configuration-manager-archive/using-configmgr-with-windows-10-wufb-deferral-policies/ba-p/274278

0 Votes
MattD-7613 answered

This issue is making me question everything I know.

So the setup is just this. They have a boundary group for the VPN clients that points to the CMG. I had them remove all the distributed items from the CMG, as they are not necessary. I also discovered that the engineer I am working with is not actually making a deployment package in the ADR, but is instead selecting "No deployment package. Clients download content from peers or the Microsoft cloud." He told me yesterday he would like all Windows Updates to come from Microsoft for all endpoints, whether or not they were in an office and had an assigned DP or were using the CMG. They have F5 VPN set up and would like Check for Updates to run during login. This is where the issue is. When I select Check for Updates, it spins forever or errors out altogether. When I have set up Windows Updates in the past, I have always set up a deployment package and distributed it to the DPs, not the CMG. The endpoints that are in the office grab the updates from the DP, and the endpoints not in the office have grabbed the Windows updates from Microsoft as directed by the CMG.

1 Vote
AllenLiu-MSFT answered AllenLiu-MSFT commented

Hi, @MattD-7613
If we use the PowerShell script below to check the update source for the client, what are the results?

# List the registered update services and which one is the default Automatic Updates service
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | Select-Object Name, IsDefaultAUService

If Windows Update is False in the results, Check for Updates should not work.


99581-image.png



Here are the results. What exactly does this tell me? Does this mean that Check for Updates in Windows 10 should really not do anything? They apparently need Check for Updates to work for the F5 VPN client. Perhaps they need to just remove the WSUS role from SCCM and build out a WSUS server. The more I work on this issue, the more I think that should be the direction to get the answers/results they need.

I appreciate the feedback. I feel like I am drowning on this one.

0 Votes

Hi,
The result means that the WU channel is closed and only the WSUS channel is open, so only that one is usable.
If we disable the GPO "Do not allow update deferral policies to cause scans against Windows Update", the WU channel will open.

0 Votes
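The COM check AllenLiu posted above and the "Do not allow update deferral policies to cause scans against Windows Update" policy discussed in the thread can be read together in one diagnostic. The script below is an added example, not code from anyone in this thread. It is read-only and assumes an elevated PowerShell session on the affected Windows 10 client. The registry values it reads are the policy-backed settings behind the GPOs named here: DisableDualScan under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate for the deferral/dual-scan policy, and WUServer plus AU\UseWUServer for the intranet update service location that SCCM's software update point configures. The function and variable names are my own.

```powershell
# Added example (not from the thread): read-only diagnostic that reports
# which update service is the default Automatic Updates (AU) service and
# which WSUS/dual-scan policies are applied, so the result of the COM
# check in the thread can be explained from the policies that produced it.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyKey = "$WuPolicyKey\AU"

function Get-PolicyValue {
    # Returns the value at $Path\$Name, or $null when the key or value is
    # absent. Absent means "policy not configured", which matters here
    # because a missing DisableDualScan is the same as the GPO disabled.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    try {
        Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop
    } catch {
        $null
    }
}

function Get-UpdateServiceState {
    # Same COM query as posted in the thread, returned as objects so the
    # caller can test a specific service by name instead of reading a table.
    $manager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $manager.Services | Select-Object Name, ServiceID, IsDefaultAUService, IsManaged
}

function Get-ScanSourceReport {
    $services = Get-UpdateServiceState
    $wu = $services | Where-Object Name -eq 'Windows Update'

    $useWsus         = Get-PolicyValue $AuPolicyKey 'UseWUServer'
    $wsusServer      = Get-PolicyValue $WuPolicyKey 'WUServer'
    $disableDualScan = Get-PolicyValue $WuPolicyKey 'DisableDualScan'

    [pscustomobject]@{
        WsusServer               = $wsusServer
        UseWUServer              = $useWsus
        DisableDualScan          = $disableDualScan
        WindowsUpdateIsDefaultAU = [bool]($wu -and $wu.IsDefaultAUService)
        DefaultAUService         = (($services | Where-Object IsDefaultAUService).Name -join ', ')
    }
}

$report = Get-ScanSourceReport
$report | Format-List

# Interpretation, following the explanation given in the thread: with the
# WSUS policy applied and DisableDualScan set, only the WSUS/SCCM channel is
# open, Windows Update is not the default AU service, and the Settings page
# "Check for updates" cannot scan against Microsoft's servers.
if ($report.UseWUServer -eq 1 -and $report.DisableDualScan -eq 1) {
    Write-Output 'Scan source: WSUS/SCCM only. DisableDualScan=1 keeps the Windows Update channel closed.'
} elseif ($report.UseWUServer -eq 1) {
    Write-Output 'Scan source: WSUS/SCCM is the default AU service; DisableDualScan is not set.'
} else {
    Write-Output 'Scan source: no WSUS policy applied; the client scans against Windows Update directly.'
}
```

Run it before and after changing the GPO to confirm the policy actually reached the client (a stale local policy cache, which the folder and registry clean-up earlier in the thread would have cleared, shows up here as a DisableDualScan value that no longer matches the domain GPO). The values are reported rather than changed, so the script is safe to run on a machine that is still under SCCM management.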