Managing Patch Tuesday with Configuration Manager in a remote work world
Published Mar 31 2020 03:45 PM
Microsoft

The global health crisis has dramatically changed life for all of us. We are working to get you the information and guidance you need to keep your people productive and secure. Two weeks from today is Patch Tuesday, which will provide the April 2020 security update for supported versions of Windows.

A couple of weeks ago I published a blog detailing the options and configuration available in Microsoft Endpoint Configuration Manager that allow a remotely managed PC to make intelligent use of its broadband connection without adding traffic load to the VPN connection back to the corporate network.

 

A common theme in the questions we've seen since that post is customers asking how they can continue to patch given their specific configuration and environment. Two weeks from today (April 14, 2020) is the April Patch Tuesday, so this article is designed to help you deliver patches to managed PCs that are no longer on-premises and that connect over VPN from home broadband networks. We will take you through a decision tree of the options available to your organization for managing your upcoming patch deployments as we approach the April 2020 security update.

We know that every enterprise and small business is different, with different scenarios across their organizations. This article will help you use your existing patch strategy to update your remote machines. In some organizations more than one of these VPN scenarios may apply at once, so please follow the guidance appropriate to each part of your organization.

 

VPN Guidance

The Microsoft recommended approach is to configure the VPN client to send only traffic bound for corporate resources located on-premises through the VPN connection, allowing all other traffic to go directly to the Internet and be routed accordingly. This is how the VPN is configured internally at Microsoft, and it aligns with how we are securing our internal network through zero trust. Keep in mind that traffic sent direct no longer passes through your on-premises network controls, so this decision involves your security and compliance policies as well as your networking team.

There has already been some great content published on VPN configuration, so I won't go into too much detail here. If you're looking for guidance on how to start deploying a VPN, or you want more information on best practices for configuring split tunnel, here are some resources on the value of split tunnel VPN and zero trust IT:

Common VPN scenarios

I’ll start by borrowing from one of those articles and describe the broad buckets customers typically fall into when it comes to VPN configuration:

  • No VPN
  • VPN forced tunnel: 100% of traffic goes into the VPN tunnel, including on-premises, management, Internet and all Office 365 or Microsoft 365 traffic
  • VPN selective tunnel: the VPN tunnel is used only for corpnet-based services; the default route (Internet and all Internet-based services) goes direct
  • VPN forced tunnel with few exceptions: the VPN tunnel is used by default (the default route points to the VPN), with a few of the most important scenarios exempted and allowed to go direct
  • VPN forced tunnel with broad exceptions: the VPN tunnel is used by default (the default route points to the VPN), with broad exceptions allowed to go direct (such as all Office 365 or Azure-routed traffic)

I don't have a (split tunnel) VPN

If you don't have a VPN at all, your clients are Internet-only: configure ConfigMgr to use cloud services (a CMG for management, Microsoft Update for content) by default, and consider using Intune to manage your Windows Update deployments without the need for any on-premises infrastructure.

If you do have a VPN but it routes all traffic back on-premises (the forced tunnel scenario above), then unfortunately you cannot direct ConfigMgr traffic away from the VPN, and all update traffic will flow from the on-premises servers over it. That is already a burden for normal day-to-day operations, and the impact is exacerbated when a patch deployment targets remote machines.

Split tunnel defaults to Internet

If this is your configuration, happy days. To leverage the split tunnel, in the Configuration Manager console you'll need to:

  • Configure a boundary that encompasses your VPN clients (for example, the IP range your VPN assigns to them)
  • Create a boundary group for your VPN clients and assign the VPN boundary(s) to it
  • Associate the boundary group with the Cloud Management Gateway (CMG) and / or Cloud Distribution Point (CDP)
  • Configure the boundary group to prefer cloud sources
  • Configure your update deployments to download content from Microsoft Update when it is not available on a distribution point

This will allow your clients to receive the Patch Tuesday updates directly from the Internet, without adding congestion on your corporate VPN.

Configuring split tunnel with known FQDNs.

We know that a number of customers aren't quite ready to adopt split tunneling to the Internet because of current security or networking policies. If you're in that position, you can configure the split tunnel so that only traffic to a known set of cloud-service FQDNs goes direct, while everything else continues to traverse the VPN.

In this context, cloud services means a combination of CMG, CDP, and Microsoft Update.

The FQDN of your CMG / CDP should already be known to you. Depending on your configuration, it will be either CMGhostname.cloudapp.net or CMGhostname.domainnameFQDN, e.g. ContosoCMG.Contoso.com.

If you have a CDP or a content-enabled CMG then, in addition to the service FQDN, the client will also need to retrieve content from *.blob.core.windows.net and to access *.table.core.windows.net for cloud-based content lookup.

For Microsoft Update, you will need to whitelist the Windows Update endpoints listed in this article.
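Before relying on the FQDN exemptions, it is worth confirming from a VPN-connected client that those names actually resolve and that Windows routes them out of the broadband interface rather than through the tunnel. The following PowerShell check is an added example and not part of the original post: the host names and the VPN adapter alias are assumptions, and the wildcard entries above (*.blob.core.windows.net, *.table.core.windows.net, the Windows Update names) have to be replaced with the concrete hosts your CMG / CDP and clients use.

```powershell
# Added example, not from the original post. Run on a VPN-connected client; no elevation
# needed. Host names and the VPN adapter alias below are assumptions for illustration.

function Test-SplitTunnelHost {
    <#
      For each host: resolve it, ask Windows which interface it would route that address
      out of (Find-NetRoute), flag whether that interface is the VPN adapter, and test
      TCP/443. A host the split tunnel exempts should show ViaVpn = False and TcpOk = True.
    #>
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [Parameter(Mandatory)] [string]   $VpnInterfaceAlias,   # adapter name of your VPN connection
        [int] $Port = 443
    )

    foreach ($h in $HostName) {
        $row = [ordered]@{ Host = $h; IPAddress = $null; Interface = $null; ViaVpn = $null; TcpOk = $false; Note = '' }
        try {
            $a = Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
            if (-not $a) { throw 'no A record returned' }
            $row.IPAddress = $a.IPAddress

            # Find-NetRoute returns the source address and the route chosen for the destination;
            # both carry the alias of the interface Windows would send the traffic through.
            $row.Interface = Find-NetRoute -RemoteIPAddress $a.IPAddress |
                             Select-Object -ExpandProperty InterfaceAlias -Unique |
                             Select-Object -First 1
            $row.ViaVpn = ($row.Interface -eq $VpnInterfaceAlias)

            $row.TcpOk = (Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
            if ($row.ViaVpn) { $row.Note = 'still routed through the VPN: exemption missing or not applied' }
        }
        catch {
            $row.Note = "lookup/route failed: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Constructed input: replace with your real CMG / CDP name, the storage account behind the
# content-enabled CMG / CDP, and concrete Microsoft Update hosts (wildcards cannot be tested).
$hosts = @(
    'ContosoCMG.contoso.com',                    # assumption: CMG / CDP service FQDN
    'contosocmgcontent.blob.core.windows.net',   # assumption: content storage account (matches *.blob.core.windows.net)
    'contosocmgcontent.table.core.windows.net',  # assumption: same account, table endpoint used for content lookup
    'emdl.ws.microsoft.com'                      # Microsoft Update endpoint named in the comments on this post
)
Test-SplitTunnelHost -HostName $hosts -VpnInterfaceAlias 'Contoso VPN' | Format-Table -AutoSize
```

Two caveats when reading the output: name resolution itself may still be going to corporate DNS over the tunnel, and some third-party VPN clients enforce split tunneling with a filter driver rather than routes, in which case Find-NetRoute reflects only the routing table and the TcpOk column is the more reliable signal.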

If this applies to you, you can follow all the steps in my last blog. To leverage the split tunnel, in the Configuration Manager console you need to:

  • Configure a boundary that encompasses your VPN clients (for example, the IP range your VPN assigns to them)
  • Create a boundary group for your VPN clients and assign the VPN boundary(s) to it
  • Associate the boundary group with the Cloud Management Gateway (CMG) and / or Cloud Distribution Point (CDP)
  • Configure the boundary group to prefer cloud sources
  • Configure your update deployments to download content from Microsoft Update when it is not available on a distribution point

This will allow your clients to receive the Patch Tuesday updates directly from the Internet, without adding congestion on your corporate VPN.
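The five console steps listed here (and identically under "Split tunnel defaults to Internet" above) can be scripted with the Configuration Manager PowerShell cmdlets. The block below is an added example, not code from the original post: the site code, VPN address pool, CMG / CDP site system name, boundary and boundary group names and the deployment name are all assumptions you would replace with your own.

```powershell
# Added example, not from the original post: the five console steps scripted with the
# Configuration Manager cmdlets. Run from a Configuration Manager PowerShell window, or
# import the module from the admin console as shown. All names below are assumptions.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'                                     # assumption: site code PS1

$BoundaryName   = 'VPN clients'
$GroupName      = 'VPN clients'
$VpnPool        = '10.200.0.1-10.200.255.254'           # assumption: address pool your VPN hands to clients
$CmgSiteSystem  = 'ContosoCMG.contoso.com'              # assumption: CMG / CDP as listed under Servers and Site System Roles
$DeploymentName = 'April 2020 Patch Tuesday - VPN'      # assumption: existing software update deployment

# 1. Boundary covering the VPN address pool. An IP range is what was available when this
#    post was written; ConfigMgr 2006 and later also offer a dedicated VPN boundary type.
if (-not (Get-CMBoundary -BoundaryName $BoundaryName)) {
    New-CMBoundary -Name $BoundaryName -Type IPRange -Value $VpnPool | Out-Null
}

# 2. Boundary group for VPN clients, and 3. associate the CMG / CDP site system with it.
if (-not (Get-CMBoundaryGroup -Name $GroupName)) {
    New-CMBoundaryGroup -Name $GroupName -AddSiteSystemServerName $CmgSiteSystem | Out-Null
} else {
    Set-CMBoundaryGroup -Name $GroupName -AddSiteSystemServerName $CmgSiteSystem
}
if (-not (Get-CMBoundary -BoundaryGroupName $GroupName | Where-Object DisplayName -eq $BoundaryName)) {
    Add-CMBoundaryToGroup -BoundaryName $BoundaryName -BoundaryGroupName $GroupName
}

# 4. Boundary group option "Prefer cloud based sources over on-premise sources", so the
#    client tries the CMG / CDP before any on-premises DP it could otherwise reach over the VPN.
Set-CMBoundaryGroup -Name $GroupName -PreferCloudDPOverDP $true

# 5. Let the deployment fall back to Microsoft Update when the content is not on a DP the
#    client can use; with the split tunnel that download goes direct, not over the VPN.
Set-CMSoftwareUpdateDeployment -DeploymentName $DeploymentName -DownloadFromMicrosoftUpdate $true

# Check: the VPN boundary is a member of the group and the group has a site system attached.
Get-CMBoundary -BoundaryGroupName $GroupName | Select-Object DisplayName, Value
Get-CMBoundaryGroup -Name $GroupName | Select-Object Name, MemberCount, SiteSystemCount
```

The boundary group option in step 4 matters even though the VPN pool is a separate boundary: a VPN client is still inside the corporate address space, so without it the client may happily pull content from an on-premises distribution point through the tunnel, which is exactly the traffic this exercise is trying to avoid.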

 

Configuring split tunnel with known IP ranges.

We've also heard from customers that some VPN client configurations do not accept FQDNs when configuring split tunnel whitelisting. If you fall into this category, you can use the published Azure public IP address ranges available from the following download: https://www.microsoft.com/download/details.aspx?id=53602. This covers your CMG and CDP services, which run in Azure, but it does not cover Microsoft Update, so keep reading.

Cannot configure split tunnel VPN to whitelist Microsoft Update

If you're in this situation, the tradeoff you now face is either to deliver content from an on-premises distribution point over the VPN, or to use a CDP to deliver it directly from the Internet and reduce the load on the VPN.

Normally, the Configuration Manager client will prefer Microsoft Update over a Cloud Distribution Point, because we don't want you to pay for content from one Microsoft cloud service that is available for free from another. For the April 2020 update cycle specifically, the estimated cost will range anywhere between $0.01 and $0.10 per client, based on a number of factors including but not limited to:

  • The OS being patched
    • Major version
    • Current patch level
  • The type of updates being deployed
  • The pricing tier of Azure you are on
  • Your organization’s existing usage of Azure

There are actions you can take to minimize the update payload size and so reduce the data that has to be transferred from the CDP.

Now, at this point I fully expect that a multi-way discussion between the networking, security, client management and potentially procurement teams needs to take place to determine the acceptable trade-off between network savings and cost.

I'll skip forward to the point where the tradeoff has been decided. If the decision is to configure split tunneling, great: go back three places and start the decision tree again to find the guidance that applies to your newly applicable split tunnel configuration.

If you've decided to use a Cloud Distribution Point in order to leverage the split tunnel configuration, then in the event the client fails to retrieve content from Microsoft Update it will automatically fall back to the CDP. But there are steps you can take in the Configuration Manager console to ensure the client retrieves content from the CDP directly:

  • Configure a boundary that encompasses your VPN clients
  • Create a boundary group for your VPN clients and assign the VPN boundary(s) to it
  • Associate the boundary group with the CMG and / or CDP
  • Distribute the update packages to the content-enabled CMG / CDP
  • DISABLE the “If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates” check box on the update deployment
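The two steps that differ from the Microsoft Update variant, distributing the package to the CDP and clearing the fallback check box, as an added PowerShell example using the Configuration Manager cmdlets (not code from the original post; the package, site system and deployment names are assumptions, and the VPN boundary group is assumed to already reference the content-enabled CMG / CDP). Distributing the package is the step that incurs the Azure storage and egress cost discussed above, and once the fallback is cleared the client has no other Internet source, so the check at the end matters.

```powershell
# Added example, not from the original post. Assumes the VPN boundary group already lists
# the content-enabled CMG / CDP as a site system. Names below are assumptions.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'                                         # assumption: site code PS1

$PackageName    = 'Apr 2020 Windows 10 Updates'             # assumption: software update deployment package
$CmgSiteSystem  = 'ContosoCMG.contoso.com'                  # assumption: CMG / CDP as listed under Servers and Site System Roles
$DeploymentName = 'April 2020 Patch Tuesday - VPN'          # assumption: existing software update deployment

# 1. Distribute the update package to the content-enabled CMG / CDP. This is the step that
#    costs Azure storage and egress, so only the packages VPN clients actually need belong here.
Start-CMContentDistribution -DeploymentPackageName $PackageName -DistributionPointName $CmgSiteSystem

# 2. Clear the "download content from Microsoft Updates" fallback on the deployment, so the
#    client sources the content from the CDP instead of trying Microsoft Update first.
Set-CMSoftwareUpdateDeployment -DeploymentName $DeploymentName -DownloadFromMicrosoftUpdate $false

# 3. Check: with the fallback off, a VPN client whose boundary group points only at the CDP
#    has nowhere else to get content, so the package must be fully distributed before the
#    deployment becomes available. Re-run this until NumberSuccess equals Targeted.
$pkg    = Get-CMSoftwareUpdateDeploymentPackage -Name $PackageName
$status = Get-CMDistributionStatus -Id $pkg.PackageID
if ($status.NumberSuccess -lt $status.Targeted) {
    Write-Warning ("Package {0}: {1} of {2} targeted distribution points have the content; {3} in progress, {4} failed" -f
        $pkg.PackageID, $status.NumberSuccess, $status.Targeted, $status.NumberInProgress, $status.NumberErrors)
} else {
    Write-Host ("Package {0} is present on all {1} targeted distribution points" -f $pkg.PackageID, $status.Targeted)
}
```

If the same deployment also targets on-premises clients, keep in mind the fallback setting is per deployment, not per boundary group: clearing it for the VPN population clears it for everyone the deployment reaches, so a separate deployment for the VPN collection is the cleaner arrangement.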

 

[Image: blog2.png]

These are unprecedented times and we are here to help and share guidance so you can keep your employees connected. We continue to update our Microsoft COVID-19 Response resources with guidance and learnings, please check frequently for more ideas and information: https://news.microsoft.com/covid-19-response.

As always, we would love to hear your experiences and feedback. Either use the comments below or join the conversation in our Remote Work Tech Community to share, engage and learn from experts.

Rob York

@robdotyork

Program Manager

Microsoft Endpoint Manager

17 Comments
Copper Contributor

For those admins with corporate proxy configurations, don't forget: if you have WinHTTP configured to go to your internal proxy, you will need to adjust that once you split tunnel traffic.

Thanks again Rob!! 

Brass Contributor

Hmm, how does the remote client communicate with the SoftwareUpdatePoint role server when it is located on-prem? Can't use this role on CMG/CDP. How should the client be configured?

Copper Contributor

We have an IBCM server not a CMG\CDP, can we still take advantage of these guidelines?

Iron Contributor

@Rob York, if we can't completely isolate the VPN clients from on-premises DPs where Windows update packages are stored, could we just use 'Prefer cloud based sources over on-premise sources' so that VPN clients go to WU instead of DPs?

Thanks

Copper Contributor

@Rob York Important to note that there is currently a bug meaning 'Prefer Cloud Distribution Points over Distribution Points' does NOT work for Office 365 Client Updates.

Described https://techcommunity.microsoft.com/t5/office-365-blog/configuring-office-365-proplus-updates-for-re...  

Microsoft

@Andres Pae absolutely you can connect your Software Update Points to CMG. 

Microsoft

@lalanc01 check out the previous blog I reference in this article.

Copper Contributor

No need for a CMG/Cloud DP here as we can pull from MS Update

Copper Contributor

Rob - thanks for this informative post. Do you know if there is similar guidance for how organisations can manage Office 365 and Windows 10 updates in our brave new working-from-home world, particularly those organisations (like mine) that have traditionally pushed these updates out via SCCM over a corporate network?

Copper Contributor

Hi Rob,

it is stated in this article that we should not upload the update packages to the CMG / CDP:

https://docs.microsoft.com/en-us/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway

"Internet-based clients get Microsoft software update content from Windows Update at no charge. Don't distribute update packages with Microsoft update content to a cloud distribution point, otherwise you may incur storage and data egress costs"

Thanks for your reply

Copper Contributor

Very helpful and detailed article. Thank you for this.

Copper Contributor

Hey Rob, The big question here is how can we split off / redirect Packages and TS deployments short of having to stand up a cloud DP?

Copper Contributor

@Rob York Can you please share the functions of the HTTP FQDNs to whitelist on split tunnel and why encryption is not required? Our Security team is asking if there are HTTPS FQDNs we can substitute in place of:

*.blob.core.windows.net

*.table.core.windows.net

http://emdl.ws.microsoft.com

http://*.dl.delivery.mp.microsoft.com

http://*.windowsupdate.com

Thank you!

Copper Contributor

Hi
We have an environment where a boundary group is attached to a VPN DP server and split tunnel is enabled. Updates are distributed to the VPN DP. While deploying a security or cumulative update to a client, in the deployment download settings do we need to set (the 2 drop-downs) "do not download" the update from the current, neighbor and default site boundary groups, and check the option below to download from the MS site, so that the client can get the patch from the Internet?
If yes, I have one more question:
We have already distributed patches to the VPN DP associated with the VPN boundary; will it still download from the VPN server?

What about desktops connected to the local intranet if we use the same download settings (do not download)?

Copper Contributor

Don't forget many regulations (HIPAA, PCI-DSS, in the United States anyway) do not allow your organization to have split tunneling. So make sure you are not falling out of compliance.

Copper Contributor

Has anyone else experienced headaches when it comes time to deploy a Service Stack Update (SSU)? The biggest headache I have with SSUs is that they take nearly 45 min+ to install and get past the Pending Verification context within Software Center. After this, my other .NET\CU\Office updates install successfully and quickly.

Please note I am on Windows 10 Enterprise 1903 x64 and the SSU is indeed being called first for install. MEMCM is version 1902, looking to upgrade soon.

I'd appreciate anyone else's feedback on SSU updates in their environment.

Version history: last update Apr 01 2020 07:42 AM