Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

Published Mar 18 2020 01:17 PM 94.4K Views
Microsoft

In light of the global situation that has escalated over the past weeks regarding COVID-19 and the coronavirus, there has been a significant increase in the number of people working from home. Indeed, myself and the rest of the Microsoft Endpoint Manager team are among 100,000+ Redmond based Microsoft employees who are entering our third week of remote work.

This increase in the global workforce working from home is unsurprisingly putting an added focus from organizations on remote functionality and management, not to mention an increased load and strain on services that were implemented to accommodate lower concurrent numbers of remote working employees.

Naturally we have seen an increase in the number of queries, questions and tweets around the tools and features Microsoft Endpoint Manager can offer in the way of remote management of the workforce. One of the most common topics I have had to field enquiries on is the use of cloud management gateway (CMG), usually in conjunction with keeping traffic off the VPN.

Firstly, let’s clarify some terms…

Internet-based client management is a longstanding concept in Configuration Manager whereby servers are placed in the DMZ and published to the Internet to allow clients to continue to be managed when roaming on the Internet.

Cloud management gateway, or as I shall refer to it in the rest of the blog, CMG for short, is a cloud service hosted in Azure that acts as a proxy for clients. It greatly simplifies the configuration required to manage clients on the Internet.

The final concept is cloud distribution point, also a cloud service hosted in Azure, which allows clients to retrieve content. For the purposes of simplicity, and because cloud distribution point has been deprecated in favor of enabling content distribution from a CMG, I will use the term “CMG” to refer to a content-enabled cloud management gateway for the remainder of this blog.

Secondly, let’s talk about why clients will potentially still communicate over the VPN when a CMG is deployed. Essentially, the Configuration Manager client has logic that looks at several factors, including being able to resolve a management point and the internal domain. When these factors are not met, the client will evaluate as IsInternet=1 and will communicate with resources published to the Internet. When a client is connected to a VPN it is likely that the client will meet enough criteria to consider itself IsInternet=0, which is why client traffic will go over the VPN and not the Internet, even if split tunneling is configured to allow direct Internet traffic.
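To see which way a given machine has evaluated, you can read the client's own determination rather than guessing from the VPN state. The script below is an added example and not part of the original post; it assumes the Configuration Manager client is installed and queries the client's root\ccm WMI classes (ClientInfo for the Internet flag, SMS_Authority for the current management point and site code).

```powershell
# Added example (not from the original post): read the Configuration Manager
# client's current Internet/intranet determination on a Windows endpoint.
# Assumes the ConfigMgr client is installed; ClientInfo and SMS_Authority are
# the client's own classes under root\ccm.
function Get-CMClientConnectionState {
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo'    -ErrorAction Stop
    $auth = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction Stop

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        # $true corresponds to IsInternet=1 (client talks to Internet-facing
        # resources such as a CMG); $false corresponds to IsInternet=0 (intranet
        # path, which is what a connected VPN usually produces).
        IsInternet             = [bool]$info.InInternet
        CurrentManagementPoint = $auth.CurrentManagementPoint
        SiteCode               = $auth.Name -replace '^SMS:', ''
    }
}

$state = Get-CMClientConnectionState
$state | Format-List

if ($state.IsInternet) {
    Write-Host "Client considers itself on the Internet; management traffic goes to $($state.CurrentManagementPoint)."
} else {
    Write-Host "Client considers itself on the intranet; management traffic will follow the VPN path."
}
```

Run it on a VPN-connected laptop before and after making the boundary group changes described in this post; on a machine that still reports IsInternet = False while on a split-tunnel VPN, the client is going to use on-premises resources over the tunnel regardless of what the VPN routing table allows. The client's LocationServices.log on the same machine records the same decision and is the place to look when the output is not what you expect.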

NOTE: Everything in this blog will require a split-tunnel VPN. If all the traffic is directed back to the corporate network by the VPN client, then even if the Configuration Manager client is ultimately going out to cloud services, it won’t be alleviating VPN traffic.

The good news is that there are a couple of configuration changes you can make to move traffic away from the VPN and directly to Internet sources. These options should free up some bandwidth for line of business traffic whilst ensuring clients remain managed and up to date.

When the VPN has a known IP range

If your VPN clients sit neatly in a known IP range or ranges, then firstly you need to create boundaries in Configuration Manager to cover the VPN ranges:

Rob York_6-1584492420485.png

and then add them to a boundary group:

Rob York_1-1584492331636.png

Then you need to configure that boundary group to use cloud services. You do this on the references tab, to explicitly associate the CMG with the boundary group:

Rob York_2-1584492331659.png

And also on the options tab select Prefer cloud based sources over on-premise sources:

Rob York_3-1584492331671.png

This option will apply even if you don’t have a CMG, so can offer some respite to your VPN by directing clients to Microsoft Update for content.
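The four console steps above (boundary, boundary group, references tab, options tab) can also be scripted with the Configuration Manager PowerShell module, which is handy when there are many VPN ranges or several sites. The script below is an added example, not the post's own, and it assumes a site code of PS1, a constructed VPN range of 10.200.0.1-10.200.255.254, and a placeholder CMG service name of cmg-contoso.cloudapp.net. The -PreferCloudDPOverDP parameter of Set-CMBoundaryGroup is my reading of which switch backs the "Prefer cloud based sources over on-premise sources" check box; the post itself only shows the console.

```powershell
# Added example (not the post's own script): the "known VPN IP range" steps
# scripted with the ConfigMgr PowerShell module on a console/site server host.
# Assumptions: site code PS1, constructed VPN range 10.200.0.1-10.200.255.254,
# and a placeholder CMG service name.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$vpnBoundaryName = 'VPN clients - 10.200.0.0/16'
$vpnGroupName    = 'VPN clients'
$cmgServiceName  = 'cmg-contoso.cloudapp.net'   # placeholder: use your CMG's service name

# 1. Boundary covering the VPN address range (idempotent: skip if it already exists)
if (-not (Get-CMBoundary -BoundaryName $vpnBoundaryName)) {
    New-CMBoundary -DisplayName $vpnBoundaryName -Type IPRange -Value '10.200.0.1-10.200.255.254' | Out-Null
}

# 2. Boundary group for those clients
if (-not (Get-CMBoundaryGroup -Name $vpnGroupName)) {
    New-CMBoundaryGroup -Name $vpnGroupName -Description 'Remote workers on the split-tunnel VPN' | Out-Null
}
Add-CMBoundaryToGroup -BoundaryName $vpnBoundaryName -BoundaryGroupName $vpnGroupName

# 3. References tab: reference the CMG from the group so clients in it can use it.
#    Assumption: the CMG is addressed by its cloud service name, as listed under site systems.
Set-CMBoundaryGroup -Name $vpnGroupName -AddSiteSystemServerName $cmgServiceName

# 4. Options tab: "Prefer cloud based sources over on-premise sources".
#    Assumption: -PreferCloudDPOverDP is the parameter behind that check box.
Set-CMBoundaryGroup -Name $vpnGroupName -PreferCloudDPOverDP $true

# Show the resulting group so the change can be reviewed before clients pick it up
Get-CMBoundaryGroup -Name $vpnGroupName | Select-Object Name, GroupID, Description
```

Clients learn about the new boundary group on their next location request, so allow a policy cycle before judging the effect; the client-side check of InInternet and the current management point described earlier is the quickest way to confirm that a VPN-connected machine now resolves the CMG and Microsoft Update rather than an on-premises distribution point.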


When the VPN doesn’t have a known IP range

Admittedly this complicates matters, but we added the concept of default site boundary group in version 1610 as a replacement for the concept of fallback content location. This behavior means that if your VPN clients do not fall into a known boundary group, they can fall back to communicating with the site systems referenced from the default site boundary group.

Again, add the CMG to the references tab:

Rob York_4-1584492331682.png

NOTE: This will result in clients that are in the corporate network, but not in a known boundary, connecting to the CMG.

Force the client to Always Internet mode

If networking or boundary configuration makes either of the first two options unviable, you can force the client to always consider itself IsInternet=1, effectively overriding the logic I talked about earlier. Toggling the client back and forth from explicitly Always Internet is not possible, which is why we make the previous options available. If needed, as a matter of last resort, you could (re)deploy the client using the CCMALWAYSINF parameter to ensure your remote clients are always managed by the CMG.
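For completeness, this is what a last-resort reinstall with CCMALWAYSINF looks like when scripted on the device, followed by a check that the client now reports itself as an Internet client. It is an added example rather than the post's own command line: it assumes a site code of PS1, that ccmsetup.exe is already present on the machine, and a placeholder CCMHOSTNAME value (take the real one from the CMG's connection point in the console). The client also still needs a valid identity for the CMG (client authentication certificate or Azure AD), exactly as any other Internet client does.

```powershell
# Added example (not from the post): (re)deploy the client in Always Internet mode.
# CCMALWAYSINF=1 makes the client report IsInternet=1 permanently and cannot be
# toggled back per the post, so use it only for devices that will stay remote.
# Assumptions: site code PS1, ccmsetup.exe present locally, placeholder CMG host.
$siteCode = 'PS1'
$cmgHost  = 'CMG-CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/<service-id>'   # placeholder
$ccmsetup = Join-Path $env:WINDIR 'ccmsetup\ccmsetup.exe'

if (-not (Test-Path $ccmsetup)) { throw "ccmsetup.exe not found at $ccmsetup" }

# ccmsetup hands off to a service and the launcher returns early, so wait for
# the service process to finish before checking the result.
Start-Process -FilePath $ccmsetup `
    -ArgumentList "SMSSITECODE=$siteCode", "CCMHOSTNAME=$cmgHost", 'CCMALWAYSINF=1' -Wait
while (Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 30 }

# Verify: the reinstalled client should now evaluate as an Internet client.
$info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo'
if ([bool]$info.InInternet) {
    Write-Host 'Client reports InInternet = True; it will be managed through the CMG.'
} else {
    Write-Warning 'Client still reports InInternet = False; check ccmsetup.log and ClientIDManagerStartup.log.'
}
```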

Finally, I wanted to call out a behaviour of the Configuration Manager client when it comes to Microsoft Updates. You do not need to deploy your Microsoft software update packages to the CMG: if a client is on the Internet communicating with a CMG, it will instead retrieve updates from Microsoft Update. As long as the client can download directly from Microsoft Update it will never download Microsoft updates from a CMG. Still, a good practice is not to deploy update packages that contain Microsoft updates to a CMG.

We had previously blocked the deploying of update packages to CMG and CDP for this very reason, but we relaxed the restriction in order to facilitate third party updates.

To allow clients to use cloud sources for Microsoft Update content, ensure you select the “If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates” check box on the updates deployment:

Rob York_5-1584492331712.png
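The same check box can be set from PowerShell on deployments that already exist, which matters when you have many active update deployments and do not want to open each one. This is an added example and not the post's own script; it assumes a site code of PS1, a constructed deployment name, and that the -DownloadFromMicrosoftUpdate parameter of Set-CMSoftwareUpdateDeployment maps to the check box shown above (my reading of the cmdlet; the post only shows the console).

```powershell
# Added example (not from the post): enable "download content from Microsoft
# Updates" on an existing software update deployment and read it back.
# Assumptions: site code PS1, a constructed deployment name, and that
# -DownloadFromMicrosoftUpdate is the parameter behind the console check box.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$deploymentName = 'Workstations - 2020-03 Patch Tuesday'   # constructed name

$deployment = Get-CMSoftwareUpdateDeployment -Name $deploymentName
if (-not $deployment) { throw "No software update deployment named '$deploymentName'" }

# Set the flag on the deployment object rather than by name so the same line
# works when several deployments are piped in from a wider Get-CMSoftwareUpdateDeployment.
$deployment | Set-CMSoftwareUpdateDeployment -DownloadFromMicrosoftUpdate $true

# Read the deployment back for review; the underlying object is SMS_UpdatesAssignment.
Get-CMSoftwareUpdateDeployment -Name $deploymentName |
    Select-Object AssignmentName, CollectionName, Enabled
```

Pair this with the "Prefer cloud based sources over on-premise sources" boundary group option: the deployment setting permits Microsoft Update as a source, and the boundary group option is what makes a VPN-connected client reach for it first.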


Rob York

@robdotyork

Program Manager

Microsoft Endpoint Manager

70 Comments
Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

Is it possible to just manage Windows Updates through these methods? Is there a way to manage standard content via on-prem and Windows Updates via CMG / Internet?

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

This is a cool way only if the computers are not under AlwaysOnVpn device force-tunnel mode. I always say this to my customers first by listing the pros and cons between aovpn device and CMG. They generally choose aovpn for better mgmt and fully netlogon approach into the DC.
No more errors in trust relationship between workstations domain for "fully away" users ;)

Cheers

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

We still have Windows 10 1709, I know we are late! Also with the cloud distribution point it's hard to upgrade all devices until April 14. Still 2000 devices left. Employees can't go back to work during the quarantine time to change their devices (a few devices need to be replaced).

Microsoft, can you please postpone the end-of-life for this build during the COVID-19 days. Two more months of security updates would help a lot.

Edit:

Oh great news! Thank you guys :hearteyes:

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revised-end-of-service-date-for-windows-10-version-1709-october/ba-p/1239043#

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

For those of us without CMG, if you create the VPN boundary group and configure it to prefer cloud resources, do you need to associate site system servers with it or can that be left blank since it prefers the cloud anyway?

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

You might want to turn off P2P for that boundary group too if using Peer Cache ;)

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

Where can I find the IP addresses of the Windows Update servers to include in the split tunneling rules (can only find URLs or the whole MS IP address space)!

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

@Doogle2006 there is no list available with IP addresses for WU. The WU endpoints are distributed across the world with different CDNs and there is no possibility to provide/maintain a list of the IPs.

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

@Doogle2006 https://miketerrill.net/2020/03/18/forcing-configuration-manager-vpn-clients-to-get-patches-from-microsoft-update/

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

Anything to add for clients who are on Direct Access? Gotchas when it comes to ADRs?

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

@robdotyork We've been implementing CMG (using Enhanced HTTP + Azure AD) and are happy to see already quite some traffic from the Cloud DPs.
However, we run into an issue where clients using the CMG as management point don't see user-targeted applications in their Software Center, and in the SCClient logs it shows:

Using endpoint Url: https://*********.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927951:443/CMUserService_WindowsAuth, Windows authentication (Microsoft.SoftwareCenter.Client.Data.ACDataSource+<>c at <RefreshLocalSettingsAsync>b__16_0) SCClient 3/26/2020 12:33:19 PM 5 (0x0005)
GetApplicationsAsync: The HTTP request was forbidden with client authentication scheme 'Negotiate'.. Unable to fetch user categories, unknown communication problem.     (Microsoft.SoftwareCenter.Client.ViewModels.SoftwareListViewModel+<LoadAppCatalogApplicationsAsync>d__164 at MoveNext)

Any ideas on what I'm missing? All the rest seems to work fine.

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

@Rob York @Andy D'Hollander @Greg Neveau we have the same problem. The Internet clients (with no VPN) only reach the device software or software installed before. But the available user software is not showing up on the Internet. In the "Intranet" mode with VPN connection the available user software is showing up normally. We have tested it with a Hybrid Join device and the right client settings, which our partner from Switzerland ITNETX had set correctly. Should we open a case too?

Re: Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

Short update from me 24.04.20: @Rob York We also made an MS call. Unfortunately, we have a solution yet. However, we also found a very hidden user setting in configmgr that allows cloud policies. We had to say yes; it was no. Now in production it works!

It is important that both apps (Client / Server APP) are available in Azure AD, the CMG Analyzer is completely green and the clients are Hybrid Joined.

User setting in Client Settings, deployed to active users:

image.png
%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1257565%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20the%20same%20issue%20with%20user%20targeted%20apps%20and%20the%20'Negotiate'%20error.%26nbsp%3B%20It%20seems%20since%20the%20client%20thinks%20it%20is%20on%20the%20intranet%20with%20a%20split%20tunnel%20VPN%26nbsp%3Binstead%20of%20the%20internet%20that%20it%20tries%20to%20authenticate%20to%20the%20CMG%20with%20some%20method%20other%20than%20PKI%26nbsp%3Bwhich%20fails.%26nbsp%3B%26nbsp%3BDisconnecting%20the%20VPN%20to%20force%20the%20client%20into%20internet%20mode%20shows%20proper%20PKI%20authentication%20and%20user%20apps%20work%20fine.%26nbsp%3B%20Any%20suggestions%20to%20resolve%20would%20be%20appreciated%2C%20we%20are%20working%20with%20premier%20support%2C%20but%20not%20making%20any%20progress.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1258450%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1258450%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F29736%22%20target%3D%22_blank%22%3E%40Greg%20Neveau%3C%2FA%3E%26nbsp%3BWell%20at%20least%20there%20will%20be%202%20cases%20with%20premier%20support%20then%2C%20I'm%20opening%20one%20this%20morning.%20Perhaps%20with%20more%20cases%20it%20will%20get%20more%20attention%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1258641%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1258641%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20can%20use%20subnets%20instead%20of%20of%20IP%20ranges%20right%3F%
26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1259917%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1259917%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F29736%22%20target%3D%22_blank%22%3E%40Greg%20Neveau%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F19002%22%20target%3D%22_blank%22%3E%40Andy%20D'Hollander%3C%2FA%3E%26nbsp%3Bi%20think%20we%20have%20the%20same%20issue.%26nbsp%3B%20You%20make%20any%20headway%20on%20it%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1259938%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1259938%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20headway%20for%20us%2C%20we%20are%20working%20with%20support%20on%20getting%20updates%20to%20work%20via%20the%20CMG%20when%20the%20client%20is%20in%20intranet%20mode%20and%20then%20have%20a%20case%20waiting%20with%20support%20to%20work%20on%20the%20negotiate%20error.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1260076%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1260076%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F218410%22%20target%3D%22_blank%22%3E%40Chris%20Calaf%3C%2FA%3E%26nbsp%3B%20yes.%20i%20just%20chose%20ranges%20for%20the%20purposes%20of%20screenshot%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SU
B%20id%3D%22lingo-sub-1260082%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1260082%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F29736%22%20target%3D%22_blank%22%3E%40Greg%20Neveau%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F71740%22%20target%3D%22_blank%22%3E%40Nick%20Wiley%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F19002%22%20target%3D%22_blank%22%3E%40Andy%20D'Hollander%3C%2FA%3E%26nbsp%3Bwe're%20investigating%20if%20you%20have%20a%20case%20open%20get%20your%20support%20person%20to%20email%20me%20the%20ccm%5Clogs%20folder%20from%20your%20client.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1260126%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1260126%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F68653%22%20target%3D%22_blank%22%3E%40Rob%20York%3C%2FA%3E%26nbsp%3BI%20opened%20up%20a%20case%20with%20Premier%20Support%20this%20morning%20but%20still%20have%20heard%20anything...%20I%20can%20zip%20the%20client%20logs%20I%20backed%20up%20yesterday%20and%20attach%20them%20to%20the%20case%2C%20and%20let%20you%20know%20the%20case%20number%20if%20that%20helps%20%3A)%3C%2Fimg%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1260391%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C
%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1260391%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F68653%22%20target%3D%22_blank%22%3E%40Rob%20York%3C%2FA%3E%26nbsp%3B%2C%20we%20will%20have%20our%20TAM%20loop%20you%20in%20on%20the%20cases.%26nbsp%3B%20We%20have%20two%20open%2C%20the%20first%20dealing%20with%20software%20updates%20failing%20and%20the%20second%20for%20intranet%20clients%20and%20authentication.%26nbsp%3B%20Thank%20You.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1265146%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1265146%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F454255%22%20target%3D%22_blank%22%3E%40romanmensch%3C%2FA%3E%2C%26nbsp%3BI%20think%20you%20are%20seeing%20the%20opposite%20of%20us%20where%20our%20clients%20work%20on%20the%20internet%20and%20not%20on%20the%20intranet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20noticing%20that%20when%20the%20client%20is%20in%20intranet%20mode%20(%20on%20VPN%20)%2C%20we%20see%20in%20our%20SCClient%20logs%20that%20the%20configuration%20manager%20client%20is%20trying%20to%20use%20windows%20authentication%20to%20the%20CMG%20which%20fails.%3C%2FP%3E%3CP%3EUsing%20endpoint%20Url%3A%20%3CA%20href%3D%22https%3A%2F%2FXXXXXXXX.CLOUDAPP.NET%2FCCM_Proxy_MutualAuth%2FXXXXXXXX%3A443%2FCMUserService_WindowsAuth%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2FXXXXXXXX.CLOUDAPP.NET%2FCCM_Proxy_MutualAuth%2FXXXXXXXX%3A443%2FCMUserService_WindowsAuth%3C%2FA%3E%2C%20Windows%20authentication%20(Microsoft.SoftwareCenter.Client.Data.ACDataSource%2B%26lt%3B%26gt%3Bc%20at%20%3CREFRESHLOCALSETTINGSASYNC%3Eb__16_0)%3C%2FREFRES
HLOCALSETTINGSASYNC%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20in%20Internet%20mode%2C%20we%20see%20the%20configuration%20manager%20client%20using%20AAD%20auth%20to%20the%20CMG%20which%20succeeds.%3C%2FP%3E%3CP%3EUsing%20endpoint%20Url%3A%20%3CA%20href%3D%22https%3A%2F%2FXXXXXXXX.CLOUDAPP.NET%2FCCM_Proxy_ServerAuth%2FXXXXXXXX%2FCMUserService%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2FXXXXXXXX.CLOUDAPP.NET%2FCCM_Proxy_ServerAuth%2FXXXXXXXX%2FCMUserService%3C%2FA%3E%2C%20AAD%20authentication%20(Microsoft.SoftwareCenter.Client.Data.ACDataSource%2B%26lt%3B%26gt%3Bc%20at%20%3CREFRESHLOCALSETTINGSASYNC%3Eb__16_0)%3C%2FREFRESHLOCALSETTINGSASYNC%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20still%20working%20with%20support%20on%20this%20issue.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1265415%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1265415%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F29736%22%20target%3D%22_blank%22%3E%40Greg%20Neveau%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F454255%22%20target%3D%22_blank%22%3E%40romanmensch%3C%2FA%3E%26nbsp%3BIndeed%2C%20we%20have%20the%20same%20issue%20as%20Greg%20%3A)%3C%2Fimg%3E%20Actually%20on%20a%20support%20call%20with%20Microsoft%20at%20the%20moment.%20If%20it%20leads%20to%20anything%20I%E2%80%99ll%20let%20you%20know.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1265645%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1265645%22%20slang%3D
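As an added example (not code from the post or from any of the commenters), the following Python triage script applies the pattern Greg describes above to SCClient.log text: it parses the "Using endpoint Url: ..., <scheme> authentication" entries and the "forbidden with client authentication scheme 'Negotiate'" failure, records which CMG proxy path (CCM_Proxy_MutualAuth vs CCM_Proxy_ServerAuth) and scheme Software Center used, and flags the combination that indicates an intranet-mode client talking to the CMG with Windows auth and being refused. The log line formats are taken from the quotes in the comments; the CMG hostname, timestamps and sample lines are constructed, and the verdict text repeats the workaround given in this thread (make an on-premises MP reachable from the VPN boundary group).

```python
"""Triage SCClient.log lines for the CMG authentication-scheme mismatch
discussed in the comments: a client that believes it is on the intranet
tries Windows (Negotiate) authentication against the cloud management
gateway and gets 403s, so user-targeted apps never load in Software Center.
Log line formats follow the quotes in the thread; sample data is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# "Using endpoint Url: <url>, <scheme> authentication (...)" as quoted in the thread.
ENDPOINT_RE = re.compile(
    r"Using endpoint Url:\s*(?P<url>https?://\S+?),\s*(?P<scheme>\w+)\s+authentication",
    re.IGNORECASE)
# "The HTTP request was forbidden with client authentication scheme 'Negotiate'" as quoted.
FORBIDDEN_RE = re.compile(
    r"forbidden with client authentication scheme '(?P<scheme>[^']+)'",
    re.IGNORECASE)

CMG_MUTUAL_AUTH = "/CCM_Proxy_MutualAuth/"   # path used with Windows authentication
CMG_SERVER_AUTH = "/CCM_Proxy_ServerAuth/"   # path used with Azure AD authentication

VERDICT_TEXT = {
    "NO_CMG_USER_TRAFFIC": "no Software Center user-service calls to a CMG found",
    "AAD_AUTH_TO_CMG": "client used Azure AD auth against the CMG (internet mode); user policy should load",
    "WINDOWS_AUTH_TO_CMG": "client used Windows auth against the CMG; expect 403s while it stays in intranet mode",
    "WINDOWS_AUTH_TO_CMG_FORBIDDEN": ("intranet-mode client used Windows (Negotiate) auth against the CMG and was refused; "
                                      "workaround from the thread: make an on-premises MP available to the VPN boundary group"),
}


@dataclass
class Triage:
    endpoints: List[Tuple[str, str]] = field(default_factory=list)  # (url, SCHEME) in log order
    forbidden_schemes: List[str] = field(default_factory=list)      # schemes named in 403 lines
    verdict: str = "NO_CMG_USER_TRAFFIC"

    @property
    def explanation(self) -> str:
        return VERDICT_TEXT[self.verdict]


def triage_scclient(lines) -> Triage:
    """Classify a sequence of SCClient.log lines and return a Triage."""
    t = Triage()
    for line in lines:
        m = ENDPOINT_RE.search(line)
        if m:
            t.endpoints.append((m.group("url"), m.group("scheme").upper()))
            continue
        m = FORBIDDEN_RE.search(line)
        if m:
            t.forbidden_schemes.append(m.group("scheme"))

    windows_to_cmg = any(CMG_MUTUAL_AUTH in u and s == "WINDOWS" for u, s in t.endpoints)
    aad_to_cmg = any(CMG_SERVER_AUTH in u and s == "AAD" for u, s in t.endpoints)
    negotiate_403 = any(s.lower() == "negotiate" for s in t.forbidden_schemes)

    if windows_to_cmg and negotiate_403:
        t.verdict = "WINDOWS_AUTH_TO_CMG_FORBIDDEN"
    elif windows_to_cmg:
        t.verdict = "WINDOWS_AUTH_TO_CMG"
    elif aad_to_cmg:
        t.verdict = "AAD_AUTH_TO_CMG"
    return t


# Constructed sample entries; "cmg-placeholder.cloudapp.net" and "XXXXXXXX" are placeholders.
INTRANET_SAMPLE = [
    "Using endpoint Url: https://cmg-placeholder.cloudapp.net/CCM_Proxy_MutualAuth/XXXXXXXX:443/CMUserService_WindowsAuth, "
    "Windows authentication (Microsoft.SoftwareCenter.Client.Data.ACDataSource+<>c at <RefreshLocalSettingsAsync>b__16_0) "
    "SCClient 3/26/2020 12:33:19 PM 5 (0x0005)",
    "GetApplicationsAsync: The HTTP request was forbidden with client authentication scheme 'Negotiate'.. "
    "Unable to fetch user categories, unknown communication problem. SCClient 3/26/2020 12:33:20 PM 5 (0x0005)",
]
INTERNET_SAMPLE = [
    "Using endpoint Url: https://cmg-placeholder.cloudapp.net/CCM_Proxy_ServerAuth/XXXXXXXX/CMUserService, "
    "AAD authentication (Microsoft.SoftwareCenter.Client.Data.ACDataSource+<>c at <RefreshLocalSettingsAsync>b__16_0) "
    "SCClient 3/26/2020 12:40:02 PM 5 (0x0005)",
]

if __name__ == "__main__":
    for name, sample in (("intranet", INTRANET_SAMPLE), ("internet", INTERNET_SAMPLE)):
        result = triage_scclient(sample)
        print(f"{name}: {result.verdict} - {result.explanation}")
```

Point it at the lines of a real SCClient.log (for example `triage_scclient(open(path, encoding="utf-8"))`) on a VPN-connected client; a WINDOWS_AUTH_TO_CMG_FORBIDDEN verdict is the signature the commenters are describing, and the 403s will also be visible in the CMG's IIS logs.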
@Greg Neveau @Nick Wiley @romanmensch
Here it goes!
Basically, when a client is able to reach an on-premise domain controller and is considered to be on the "intranet", it needs to receive the client policies from an on-premise management point, not a CMG. So the only option is to add an on-premise MP in the boundary group(s) you have configured, and enable the checkbox to have the client prefer cloud sources over on-premise sources.
Which is indeed how we had set it up initially, but unfortunately that checkbox only applies to applications, not software updates.
So in order to have VPN clients download update content from Microsoft Update instead of the local DP (which in our case is on the MP we had to add back in the boundary group), we'll have to split up our deployments and work with the download settings to prevent it from downloading from the local DP, and fall back to MS Update for content on the deployments targeting VPN connected devices...
@Rob York I can feel some UserVoice requests in the air :)
And that also means that this item on Microsoft Docs needs some more details: https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_bgoptions4

@Andy D'Hollander + others: Please post a new comment if you find a solution or workaround. We have the same problem...

@Andy D'Hollander I cover the implementation logic around IsInternet=1 at the beginning of the blog, but it is not correct to say that "the only option is to add an on-premise MP in the boundary group".
Have you added the CMG to the boundary group?
(screenshot: Rob York_2-1584492331659.png)

@Greg Neveau I responded on email but am replying here for broader benefit.
If the client is in a known boundary then the SUP needs to be configured to be in the client's boundary group https://docs.microsoft.com/en-us/configmgr/sum/plan-design/plan-for-software-updates#BKMK_SUPSwitching, OR in the fallback chain from the current boundary group https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#fallback

@Phil_Brandvold we have the same issue, and even though we have multiple management points, all of them also host a DP role with software update content.
So what I did now (which was also confirmed by the MS engineer on our case as a workaround) is splitting up our patching collections between VPN and on-prem devices with incremental updates... and using the deployments' download settings to prevent VPN devices from using the content from local or neighbor sites.
Not the most ideal solution as some devices can still roam between on-prem and VPN, but that should be a very small amount, and from initial tests it seems to be working ok for the most part.

@Rob York Yes, we did add only the CMG in the VPN boundary group and tried that again with the support engineer yesterday, but in that case the user-targeted app deployments don't show up in the Software Center. For that to work, the engineer said that when a device is on the intranet, it needs to receive the policy from an on-premise MP. And in our case the MP also hosts the SUP/DP role, and then clients don't pull the content from Microsoft Update but use the on-premise content, unless we split up our patch deployment collections and use different download settings for the VPN clients (which is going to be complex to manage).
We'll have another look at it today with the fallback chain, but we had already tried that last week.

Thanks for the reply @Rob York and @Andy D'Hollander. We have configured both our SUP and a stand-alone MP into the VPN boundary group with the CMG and our application deployments and software updates are now working. In this configuration, the management traffic traverses the VPN connection, but we are seeing the content downloads falling back to the CMG or Microsoft Update, so the largest portion of our traffic is offloaded from the VPN.

@Rob York @romanmensch we're seeing the same thing (users not being able to download content for user-targeted apps that are "required") and believe it to be an issue with how our AD is connected to Azure. We're investigating using our Premier DSE for #MEMCM but believe that it may be because user-targeted apps that are required need to be authenticated via Azure and not via on-prem AD. I don't believe all of our users are being synced fully into Azure such that a domain\user auth = user@domain.com ... we're still investigating though, so I will report back when we see a solution in sight.

@James Lewis yes, in order to leverage user policy over CMG you need to enable Azure AD User Discovery https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/azure-services-wizard

Glad to see we're not the only ones with the issue; user apps not appearing in Software Center when utilising CMG + EHTTP + VPN.
I'm getting nowhere with my PremSupport case. @Rob York this really feels like a bug.. Are you able to confirm that when a client is on the Intranet (via VPN), with the CMG as its sole site server in the boundary, that when it contacts the CMG upon opening Software Center, it should use Windows Authentication, as opposed to AAD Authentication (which works when on the Internet), as per the below lines:
Intranet Software Center:
Using endpoint Url: https://FQDN-OF-CMG/CCM_Proxy_MutualAuth/XXXXXXXX:443/CMUserService_WindowsAuth, Windows authentication (Microsoft.SoftwareCenter.Client.Data.ACDataSource+<>c at <RefreshLocalSettingsAsync>b__16_0)
Internet Software Center:
Using endpoint Url: https://FQDN-OF-CMG/CCM_Proxy_ServerAuth/XXXXXXXX/CMUserService, AAD authentication (Microsoft.SoftwareCenter.Client.Data.ACDataSource+<>c at <RefreshLocalSettingsAsync>b__16_0)
The issue here is also that because it fails with Windows Authentication, it takes 2 minutes of 403 returns (confirmed by IIS on the CMG) until Software Center actually loads.
It really feels like someone has just forgotten that the CMG being a sole site system on the Intranet was a possible outcome, and the 'Intranet Only' switch in the SMS agent instantly sets it to Windows Auth, be damned.

It does look like a client on the intranet talking to the CMG won't use AAD auth. We're investigating. Workaround is to make an MP available to the VPN boundary.

@Rob York thanks for the follow up, we also have a case open and haven't been able to make any progress. Will be watching closely for updates :)

Is anyone seeing that when they add the internal management point to the VPN boundary group, some clients still prefer the CMG over the internal management point and fail authentication?

@Phil_Brandvold @Andy D'Hollander Alternatively, all you need is a dedicated MP. Should only take half a day to spin up a VM and install the required features\roles :). I'd debatably say this is better, and easier to get rid of afterwards once this bug is resolved.
@Rob York appreciate you're a busy man. Is there any rough timeline we can expect for this to be resolved? Also, an official KB doc so people aren't spending days with PremSupport to eventually just find these comments themselves.

@Rob York what is the effect of overlapping boundaries? If we have a boundary for an AD site of which the VPN IP range is a part, do we need to remove the AD site boundary and replace it with IP ranges/subnets within that site? Or can we set up a new boundary for the VPN IP range and put it in its own boundary group and configure the appropriate site systems and settings for the VPN boundary?

I am running CB1910, currently have IBCM deployed and have just set up Cloud Management Gateway with DP. Our VPN is configured with split tunneling. The on-prem DPs are blocked through the VPN tunnel, so users have had to end their VPN connection to receive content. CMG was set up to allow content to be r
eceived%20by%20remote%20clients%20whether%20or%20not%20a%20VPN%20connection%20is%20established.%20I%20am%20still%20having%20an%20issue%20receiving%20content%20when%20VPN%20is%20connected.%20I%20have%20created%20a%20VPN%20Boundary%20Group%20with%20the%20CMG%20and%20the%20VPN%20IP%20range%20boundary.%20The%20CMG%20is%20shown%20as%20the%20assigned%20management%20point%20in%20the%20client%20properties%20when%20a%20VPN%20connection%20is%20established.%20%22Prefer%20cloud%20based%20sources%20over%20on-premise%20sources%22%20is%20enabled%20in%20the%20VPN%20boundary%20group.%20When%20attempting%20to%20install%20from%20the%20Software%20Center%2C%20I%20see%20in%20the%20cas.log%20file%20after%20ContentLocationRequest%20is%2C%20%22No%20reply%20received%22%2C%20%22Failed%20to%20create%20Location%20Request%20Message%20body%22%20and%20%22GetLocationSyncEx3%20failed%20with%20error%200x80004005%22.%20Do%20you%20have%20any%20thoughts%20what%20may%20be%20causing%20the%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1383191%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20remote%20machines%20with%20cloud%20management%20gateway%20in%20Microsoft%20Endpoint%20Configuration%20Manag%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1383191%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F200703%22%20target%3D%22_blank%22%3E%40John%20Pine%3C%2FA%3E%26nbsp%3Bthere%20is%20a%20known%20bug%20where%20user%20apps%20will%20not%20be%20available%20in%20software%20center%20if%20AAD%20is%20being%20used%20for%20auth.%20We're%20working%20on%20a%20fix.%20If%20that%20is%20not%20the%20issue%20here%20then%20i%20suggest%20you%20raise%20a%20case%20and%20support%20can%20dig%20into%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E
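The cas.log sequence quoted in the comments above (a ContentLocationRequest followed by "No reply received", "Failed to create Location Request Message body" and "GetLocationSyncEx3 failed with error 0x80004005") is the kind of evidence worth pulling out of a client log programmatically before opening a support case. The following is an added example and not code from the post or from Configuration Manager: a parser for the CMTrace record format that client logs use, plus a triage routine that follows one content-location request and collects only the failures logged on the same thread, so that another download interleaved in the same file does not pollute the result. The sample log text is constructed for the example; its message wording (apart from the phrases quoted in the comment), thread IDs and file names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One CMTrace-format record as written by Configuration Manager client logs:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">
# Messages can span lines, hence DOTALL.
_RECORD = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"'
    r'\s+context="[^"]*"\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="[^"]*">',
    re.DOTALL,
)
_HRESULT = re.compile(r'0x[0-9A-Fa-f]{8}')

# Phrases taken from the cas.log excerpt quoted in the comment thread.
FAILURE_MARKERS = (
    'No reply received',
    'Failed to create Location Request Message body',
    'GetLocationSyncEx3 failed',
)

# Constructed sample, not a real log: a location request on thread 4120, an unrelated
# failure on thread 5200 interleaved, then the failures the comment describes on 4120.
SAMPLE_CAS_LOG = (
    '<![LOG[Submitting ContentLocationRequest for Content_abc123.1]LOG]!>'
    '<time="09:15:02.114+240" date="05-14-2020" component="ContentAccess" context="" type="1" thread="4120" file="locationmanager.cpp:100">\n'
    '<![LOG[GetLocationSyncEx3 failed with error 0x80070005]LOG]!>'
    '<time="09:15:02.200+240" date="05-14-2020" component="ContentAccess" context="" type="3" thread="5200" file="locationmanager.cpp:170">\n'
    '<![LOG[No reply received]LOG]!>'
    '<time="09:15:32.118+240" date="05-14-2020" component="ContentAccess" context="" type="2" thread="4120" file="locationmanager.cpp:150">\n'
    '<![LOG[Failed to create Location Request Message body]LOG]!>'
    '<time="09:15:32.119+240" date="05-14-2020" component="ContentAccess" context="" type="3" thread="4120" file="locationmanager.cpp:160">\n'
    '<![LOG[GetLocationSyncEx3 failed with error 0x80004005]LOG]!>'
    '<time="09:15:32.120+240" date="05-14-2020" component="ContentAccess" context="" type="3" thread="4120" file="locationmanager.cpp:170">\n'
)


@dataclass
class LogEntry:
    message: str
    date: str
    time: str
    component: str
    severity: int  # CMTrace type: 1 = info, 2 = warning, 3 = error
    thread: int


@dataclass
class LocationTriage:
    request_sent: bool
    failures: List[str]
    hresult: Optional[int]


def parse_cmtrace(text: str) -> List[LogEntry]:
    """Parse CMTrace-format text into entries; fragments that do not match are skipped."""
    return [
        LogEntry(m.group('msg').strip(), m.group('date'), m.group('time'),
                 m.group('component'), int(m.group('type')), int(m.group('thread')))
        for m in _RECORD.finditer(text)
    ]


def triage_content_location(entries: List[LogEntry]) -> LocationTriage:
    """Follow the first content-location request and collect the failures on its thread."""
    request_thread: Optional[int] = None
    failures: List[str] = []
    hresult: Optional[int] = None
    for e in entries:
        if request_thread is None:
            if 'ContentLocationRequest' in e.message:
                request_thread = e.thread
            continue
        if e.thread != request_thread:
            continue  # another download's records interleaved in the same log
        if any(marker in e.message for marker in FAILURE_MARKERS):
            failures.append(e.message)
            m = _HRESULT.search(e.message)
            if m and hresult is None:
                hresult = int(m.group(0), 16)
    return LocationTriage(request_thread is not None, failures, hresult)


def describe_hresult(code: Optional[int]) -> str:
    """Name the few generic HRESULTs that show up in these logs; everything else is hex."""
    names = {0x80004005: 'E_FAIL (unspecified error)', 0x80070005: 'E_ACCESSDENIED'}
    if code is None:
        return 'no HRESULT logged'
    return names.get(code, f'0x{code:08X}')


if __name__ == '__main__':
    result = triage_content_location(parse_cmtrace(SAMPLE_CAS_LOG))
    print(f'request sent: {result.request_sent}, failures: {len(result.failures)}, '
          f'result: {describe_hresult(result.hresult)}')
```

Point the parser at a copy of cas.log from the affected client; the same regex also handles the other client logs (LocationServices.log, ClientLocation.log) because they share the CMTrace format. Keeping the thread filter is what makes the triage trustworthy on a busy client.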
Last update: Mar 18 2020 02:33 PM