Greg Neveau Nick Wiley romanmensch
Here it goes!
Basically, when a client is able to reach an on-premise domain controller and considered to be on the "intranet", it needs to receive the client policies from an on-premise Management Point, not a CMG. So the only option is to add an on-premise MP in the boundary group(s) you have configured, and enable the checkbox to have the client prefer cloud sources over on-premise sources.
Which is indeed how we had set it up initially, but unfortunately that checkbox only applies to applications, not software updates.
So in order to have VPN clients download update content from Microsoft Update instead of the local DP (which in our case is on the MP we had to add back in the boundary group), we'll have to split up our deployments and work with the download settings to prevent it from downloading from the local DP, and fall back to MS Update for content on the deployments targeting VPN connected devices...
RobYork I can feel some UserVoice requests in the air 🙂
And that also means that this item on Microsoft Docs needs some more details: https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_bgoptions4