question

0 Votes
DanielKaliel-3171 asked saldana-msft edited

SCCM client not detecting software updates over VPN

We have SCCM with a single site. With the latest updates (August 2021, Windows 10 20H2) our test clients internally got the updates, but the test clients over the VPN are not detecting the deployment.

In the UpdatesDeployment.log the last entry shows:

EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0

The IP address for VPN users is included in the boundary. So I am stumped where else to look to solve this problem.

We use the GlobalProtect VPN client.

windows-server-update-services mem-cm-updates

Hi, I already had this identical issue with VPN devices, after upgrading Windows 10 1909 to 20H2.
Can you try installing the SCCM client with these options and tell me the result afterwards?
129412-image.png


This action solved the problem for me. Hopefully it will be resolved for you too.


129423-image.png


0 Votes 0 ·

I tried this and it didn't change anything.

0 Votes 0 ·
0 Votes
DanielKaliel-3171 answered

We were able to solve this, but I don't know the cause. For every VPN user we had them run disk clean and click on Cleanup System Files as well. After that ran and they restarted, the SCCM client was able to detect and install the missing updates.


1 Vote
Amandayou-MSFT answered DanielKaliel-3171 commented

Hi @DanielKaliel-3171,

First please check if these clients over the VPN have received the policy of update. When policy is received, the following entry is logged in PolicyAgent.log:

124876-820.png

We could check if Deployment Unique Id on the console is consistent with policy id displayed in PolicyAgent.log.

124923-8201.png


The software update would be checked to see if it is required by the client; kindly check UpdatesStore.log. UpdatesStore.log would record updates as missing if they are required. If it is not required or has been installed by the client, there is no record in this log. So we could check whether the update is really required by these clients over the VPN.




Hi,

Just checking in to see if there is any update. We haven't heard from you for a few days and would like to know the current status of the problem. Is the problem solved? Do you need any further assistance? Look forward to hearing from you.

Thanks for your time.
Amanda

0 Votes 0 ·

Although the VPN workstations now show as part of a boundary group, they still do not receive the Windows Updates.

0 Votes 0 ·

I ran the update Machine Policy action and waited 20 minutes. Then I opened the PolicyAgent.log and searched for the UID of the August software update deployment. No results were found.

0 Votes 0 ·

I created a new boundary of the type VPN and specified the name of our vendor's VPN adapter and associated it with a boundary group. Then I ran a full device scan. Now the VPN devices have a boundary group.

I'll run scans on the client and see if they now pick up the updates.

0 Votes 0 ·

I've run every task on the client in Control Panel and no updates yet. Maybe they will arrive tomorrow morning.

0 Votes 0 ·
0 Votes
DanielKaliel-3171 answered

I added the "Boundaries Group" column to the Devices list and it shows all VPN devices with no boundaries.

126889-screenshot-2021-08-26-135722.jpg

But I verified the IP address of the adapter is within the IP range associated with a boundary group.

126913-screenshot-2021-08-26-140009.jpg

126931-screenshot-2021-08-26-140109.jpg




0 Votes
DanielKaliel-3171 answered Amandayou-MSFT commented

In the UpdatesStore.log on a VPN attached device I see:

Queried Update (6e88be6e-d470-4e7e-9f36-01479049aadb): Status=Missing, Title=2021-08 Servicing Stack Update for Windows 10 Version 20H2 for x64-based Systems (KB5005260), BulletinID=, QNumbers=5005260, LocaleID=, ProductID=b3c75dc1-155f-4be4-b015-3f1a91758e52, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.

But it has been over an hour and Software Center still does not show any available updates and they are still not installed.


Hi,

Is the deployment setting of the update Available or Required? If it is Required, the client will download and install the update automatically, and after installing, the update would not be shown in Software Center. If it is Available, it will be shown in Software Center.

Best regards,
Amanda

0 Votes 0 ·
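An added example, not part of the original thread or of any Microsoft tooling: a small Python triage that correlates the two log messages quoted in this thread, the `Queried Update ... Status=Missing` entry from UpdatesStore.log and the `Total actionable updates = 0` entry from UpdatesDeployment.log. The function names and verdict labels are hypothetical, the second sample line is constructed, and reading "missing but not actionable" as a reason to look at PolicyAgent.log is an assumption based on the advice given earlier in the thread.

```python
import re

STORE_RE = re.compile(
    r"Queried Update \((?P<id>[0-9a-fA-F-]{36})\): Status=(?P<status>\w+), "
    r"Title=(?P<title>.*?), BulletinID=.*?QNumbers=(?P<kb>\d*)")
ACTION_RE = re.compile(
    r"EnumerateUpdates for action \((?P<action>\w+)\) - "
    r"Total actionable updates = (?P<count>\d+)")

# First line is the entry quoted in the thread; second line is constructed.
STORE_SAMPLE = [
    "Queried Update (6e88be6e-d470-4e7e-9f36-01479049aadb): Status=Missing, "
    "Title=2021-08 Servicing Stack Update for Windows 10 Version 20H2 for "
    "x64-based Systems (KB5005260), BulletinID=, QNumbers=5005260, LocaleID=, "
    "ProductID=b3c75dc1-155f-4be4-b015-3f1a91758e52",
    "Queried Update (00000000-0000-0000-0000-000000000001): Status=Installed, "
    "Title=Constructed Sample Update, BulletinID=, QNumbers=0000001, LocaleID=",
]
DEPLOY_SAMPLE = [
    "EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0",
]

def parse_updates_store(lines):
    """One record per update ID; the latest entry for an ID wins."""
    latest = {}
    for line in lines:
        m = STORE_RE.search(line)  # search() also matches inside a CMTrace wrapper
        if m:
            latest[m["id"].lower()] = m.groupdict()
    return list(latest.values())

def last_actionable(lines, action="UpdateActionInstall"):
    """Most recent actionable-update count for the action, or None if never logged."""
    count = None
    for line in lines:
        m = ACTION_RE.search(line)
        if m and m["action"] == action:
            count = int(m["count"])
    return count

def triage(store_lines, deployment_lines):
    missing = [u for u in parse_updates_store(store_lines) if u["status"] == "Missing"]
    actionable = last_actionable(deployment_lines)
    if not missing:
        verdict = "nothing-required"        # scan found nothing to install
    elif actionable is None:
        verdict = "no-enumeration-logged"   # deployment evaluation never ran
    elif actionable == 0:
        verdict = "policy-gap"              # required by scan, no deployment targets it
    else:
        verdict = "actionable"              # deployment should proceed
    return {"missing": missing, "actionable": actionable, "verdict": verdict}
```

A `policy-gap` verdict matches the state described in this thread: the scan reports KB5005260 as missing while no deployment is actionable, which is the point at which checking PolicyAgent.log for the deployment's policy makes sense.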
0 Votes
DanielKaliel-3171 answered

It is required.

I get that it "won't show" but it does show while it installs in the updates list and disappears after that. This update does not do that. Having said that, the issue is that it does not install and never shows up as "installing" in Software Center. The Windows update is not found in the installed updates list and users are never notified to reboot their PCs as the deployment is configured.




0 Votes
DanielKaliel-3171 answered Amandayou-MSFT commented

All VPN devices show up here:

127701-screenshot-2021-08-30-105153.jpg




Please run the action referring to the following screenshot to update the status:

128269-911.png

Best regards,
Amanda


0 Votes 0 ·

Nothing. I tried that several times. Are there other logs I should dig into?

0 Votes 0 ·

Hi,

We could check UpdatesDeployment.log to see if the deployed updates are still applicable.

128628-921.png

Here is the article about troubleshooting the update deployment:
https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/track-software-update-deployment-process

Best regards,
Amanda


0 Votes 0 ·