Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
Microsoft

In light of the global situation that has escalated over the past weeks regarding COVID-19 and the coronavirus, there has been a significant increase in the number of people working from home. Indeed, myself and the rest of the Microsoft Endpoint Manager team are among 100,000+ Redmond-based Microsoft employees who are entering our third week of remote work.

 

This increase in the global workforce working from home is unsurprisingly putting an added focus from organizations on remote functionality and management, not to mention an increased load and strain on services that were implemented to accommodate lower concurrent numbers of remote working employees.

 

Naturally we have seen an increase in the number of queries, questions and tweets around the tools and features Microsoft Endpoint Manager can offer in the way of remote management of the workforce. One of the most common topics I have had to field enquiries on is the use of cloud management gateway (CMG), usually in conjunction with keeping traffic off the VPN.

 

Firstly, let’s clarify some terms.

 

Internet-based client management is a longstanding concept in Configuration Manager whereby servers are placed in the DMZ and published to the Internet to allow clients to continue to be managed when roaming on the Internet.

 

Cloud management gateway, or as I shall refer to it in the rest of the blog, CMG for short, is a cloud service hosted in Azure that acts as a proxy for clients. It greatly simplifies the configuration required to manage clients on the Internet.

 

The final concept is cloud distribution point, also a cloud service hosted in Azure, that allows clients to retrieve content. For simplicity, and because cloud distribution point has been deprecated in favor of enabling content distribution from a CMG, I will use the term “CMG” to refer to a content-enabled cloud management gateway for the remainder of this blog.

 

Secondly, let’s talk about why clients will potentially still communicate over the VPN when a CMG is deployed. Essentially, the Configuration Manager client has logic that looks at several factors, including whether it can resolve a management point and the internal domain. When these factors are not met, the client evaluates as IsInternet=1 and communicates with resources published to the Internet. When a client is connected to a VPN it is likely that the client will meet enough criteria to consider itself IsInternet=0, which is why client traffic will go over the VPN and not the Internet even if split tunneling is configured to allow direct Internet traffic.

 

NOTE: Everything in this blog will require a split-tunnel VPN. If all the traffic is directed back to the corporate network by the VPN client, then even if the Configuration Manager client is ultimately going out to cloud services, it won’t be alleviating VPN traffic.

 

The good news is that there are a couple of configuration options that you can take to move traffic away from the VPN and directly to Internet sources. These options should hopefully free up some bandwidth for line of business traffic whilst ensuring clients remain managed and up to date.

 

When the VPN has a known IP range

 

If your VPN clients sit neatly in a known IP range or ranges, then firstly you need to create boundaries in Configuration Manager to cover the VPN ranges:

 
 

Rob York_6-1584492420485.png

 

and then add them to a boundary group:

 

Rob York_1-1584492331636.png

 

Then you need to configure that boundary group to use cloud services. You do this on the References tab, by explicitly adding the CMG to the boundary group:

 

Rob York_2-1584492331659.png

 

and also on the Options tab, select “Prefer cloud based sources over on-premise sources”:

 

Rob York_3-1584492331671.png

 

This option applies even if you don’t have a CMG, so it can offer some respite to your VPN by directing clients to Microsoft Update for content.

 

When the VPN doesn’t have a known IP range

 

Admittedly this complicates matters, but we added the concept of the default site boundary group in version 1610 as a replacement for the concept of fallback content location. This means that if your VPN clients do not fall into a known boundary group, they can fall back to communicating with the site systems referenced from the default site boundary group.

 

Again, add the CMG on the References tab:

 

Rob York_4-1584492331682.png

 

NOTE: This will result in clients that are on the corporate network but not in a known boundary connecting to the CMG.
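Both boundary-based options above (a known VPN range, and the default site boundary group when the range is unknown) can be scripted with the ConfigurationManager PowerShell module instead of being clicked through in the console. The following is an added example and not part of the original post or of the product documentation; the site code, VPN address ranges, boundary group name and CMG name are constructed placeholders, and the cmdlets and parameters used (`New-CMBoundary`, `Add-CMBoundaryToGroup`, `Set-CMBoundaryGroup -AddCloudSite` and `-PreferCloudDPOverDP`) are assumed from the module as I know it, so check them against `Get-Help` in your console version before running.

```powershell
# Added example: script the two boundary-group options described in the post.
# Assumes the ConfigurationManager module that ships with the admin console.
# The site code, ranges, group name and CMG name are placeholders, not values
# taken from the post.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'ABC'                     # placeholder site code
Set-Location "$($SiteCode):\"

$CmgName   = 'CONTOSOCMG'             # placeholder: CMG name as shown in the console
$GroupName = 'VPN Clients'            # placeholder boundary group name
$VpnRanges = @{                       # constructed sample VPN address pools
    'VPN Pool 1' = '10.200.0.1-10.200.0.254'
    'VPN Pool 2' = '10.200.1.1-10.200.1.254'
}

# Option 1: the VPN has a known IP range.
# Create an IP-range boundary per pool, skipping any that already exist.
foreach ($name in $VpnRanges.Keys) {
    if (-not (Get-CMBoundary -BoundaryName $name)) {
        New-CMBoundary -Name $name -Type IPRange -Value $VpnRanges[$name] | Out-Null
    }
}

# Put the boundaries into one boundary group.
if (-not (Get-CMBoundaryGroup -Name $GroupName)) {
    New-CMBoundaryGroup -Name $GroupName | Out-Null
}
foreach ($name in $VpnRanges.Keys) {
    Add-CMBoundaryToGroup -BoundaryName $name -BoundaryGroupName $GroupName
}

# References tab: reference the CMG from the group.
# Options tab: prefer cloud-based sources over on-premises sources.
Set-CMBoundaryGroup -Name $GroupName -AddCloudSite $CmgName -PreferCloudDPOverDP $true

# Option 2: the VPN has no known range. Reference the CMG from the default
# site boundary group so clients in no known boundary fall back to it.
# As the post's NOTE says, this also sends unknown on-premises clients to the CMG.
$DefaultGroup = "Default-Site-Boundary-Group<$SiteCode>"
Set-CMBoundaryGroup -Name $DefaultGroup -AddCloudSite $CmgName

# Show the resulting groups and how many boundaries each now contains.
Get-CMBoundaryGroup -Name $GroupName, $DefaultGroup | Format-Table Name, MemberCount
```

Run this from an account that has the Infrastructure Administrator role or equivalent; the `Get-` checks before each `New-` make the script safe to re-run, and the final listing is the quick sanity check that the VPN group really picked up the boundaries before you rely on it to keep traffic off the VPN.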

 

Force the client to Always Internet mode

 

If networking or boundary configuration makes either of the first two options unviable, you can always force the client to consider itself IsInternet=1, effectively overriding the logic I talked about earlier. Toggling the client back and forth from explicitly Always Internet is not possible, which is why we make the previous options available. If needed, as a matter of last resort, you could (re)deploy the client using the CCMALWAYSINF parameter to ensure your remote clients are always managed by the CMG.
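The last-resort option above, and a way to confirm which way the client's IsInternet logic from earlier in the post has actually evaluated, as an added example that is not part of the original post: the ccmsetup command line uses the documented `/mp:`, `CCMHOSTNAME`, `SMSSITECODE` and `CCMALWAYSINF` parameters, but the CMG service name, MutualAuth identifier, site code and installer share are constructed placeholders. The verification function reads the `ClientInfo` class in the client's `root\ccm` WMI namespace and tails LocationServices.log; that the class exposes an `InInternet` property is an assumption from my own use of the client, so treat it as such.

```powershell
# Added example: (re)install the client in Always Internet mode, then verify
# what the client thinks about its own location. All names and IDs below are
# placeholders, not values from the post.
$SiteCode = 'ABC'
$CmgHost  = 'CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939'  # placeholder CMG
$Source   = '\\fileserver\ccmsetup'                                        # placeholder share

# CCMALWAYSINF=1 makes the client evaluate as IsInternet=1 permanently, so it
# only ever talks to the CMG; it cannot be toggled back without a reinstall.
$ccmArgs = @(
    "/mp:https://$CmgHost"
    "CCMHOSTNAME=$CmgHost"
    "SMSSITECODE=$SiteCode"
    'CCMALWAYSINF=1'
)
Start-Process -FilePath "$Source\ccmsetup.exe" -ArgumentList $ccmArgs -Wait

# Verification (works for any client, not only Always Internet ones):
# ClientInfo.InInternet is assumed to reflect the client's current IsInternet state.
function Get-CcmInternetState {
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' -ErrorAction Stop

    # Pull the most recent location-related lines so the decision can be
    # cross-checked against the client's own log.
    $logPath  = Join-Path $env:WINDIR 'CCM\Logs\LocationServices.log'
    $recent   = if (Test-Path $logPath) {
        Get-Content $logPath -Tail 200 | Select-String -SimpleMatch 'Internet' | Select-Object -Last 5
    } else { @() }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        InInternet   = [bool]$info.InInternet     # $true == client behaves as IsInternet=1
        RecentLog    = $recent | ForEach-Object { $_.Line }
    }
}

Get-CcmInternetState | Format-List
```

A client that still reports `InInternet = False` while on a split-tunnel VPN is exactly the case the post describes: it has found a management point and the internal domain, so it will keep using the VPN regardless of the CMG until a boundary group or CCMALWAYSINF changes that decision.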

 

Finally, I wanted to call out an implementation detail within the Configuration Manager client when it comes to Microsoft updates. You do not need to deploy your Microsoft software updates packages to the CMG: if a client is on the Internet communicating with a CMG, it will instead retrieve updates from Microsoft Update. As long as the client can download directly from Microsoft Update it will never download Microsoft updates from a CMG. That said, a good practice is not to deploy update packages that contain Microsoft updates to a CMG.

 

We had previously blocked the deployment of update packages to CMG and CDP for this very reason, but we relaxed the restriction in order to facilitate third-party updates.

 

 

To allow clients to use cloud sources for Microsoft Update content, ensure you select the “If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates” check box on the updates deployment:

 

Rob York_5-1584492331712.png

 

Rob York

@robdotyork

Program Manager

Microsoft Endpoint Manager

24 Comments
Occasional Visitor

Is it possible to just manage Windows Updates through these methods? Is there a way to manage standard content via on-prem and Windows Updates via CMG / Internet?

Senior Member

This is a cool way only if the computers are not under AlwaysOnVpn device force-tunnel mode. I always say this to my customers first by listing the pros and cons between aovpn device and CMG. They generally choose aovpn for better mgmt and fully netlogon approach into the DC.
No more errors in trust relationship between workstations domain for "fully away" users ;)


Cheers

Occasional Visitor

We have still Windows 10 1709, I know we are late! Also with the cloud distribution point it's hard to upgrade all devices until April 14. Still 2000 devices left. Employees can't go back to work during the quarantine time to change their devices (a few devices need to be replaced).

Microsoft can you please postpone the end-of-life for this build during the COVID-19 days. Two more months security updates would help a lot.

 

 

Edit:

Oh great news! Thank you guys :hearteyes:

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revised-end-of-service-date-for-windows-1...

Occasional Visitor

For those of us without CMG, if you create the VPN boundary group and configure it to prefer cloud resources do you need to associate site system servers with it or can that be left blank since it prefers the cloud anyways.

Senior Member

You might want to turn off P2P for that boundary group too if using Peer Cache ;)

Occasional Visitor

Where can I find the IP addresses of the Windows updates servers to include in the split tunneling rules (can only find URL's or the whole MS IP address space) !

Microsoft

@Doogle2006 there is no list available with IP addresses for WU. The WU endpoints are distributed across the world with different CDNs and there is no possibility to provide/maintain a list of the IPs.

Regular Visitor

Anything to add for clients who are on Direct Access? Gotchas when it comes to ADRs?

New Contributor

@robdotyork We've been implementing CMG (using Enhanced HTTP + Azure AD) and are happy to see already quite some traffic from the Cloud DP's.
However, we run into an issue where clients using the CMG as management point, don't see user-targeted applications in their Software Center, and in the SCClient logs it shows: 

 

Using endpoint Url: https://*********.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927951:443/CMUserService_WindowsAuth, Windows authentication (Microsoft.SoftwareCenter.Client.Data.ACDataSource+<>c at <RefreshLocalSettingsAsync>b__16_0) SCClient 3/26/2020 12:33:19 PM 5 (0x0005)

GetApplicationsAsync: The HTTP request was forbidden with client authentication scheme 'Negotiate'.. Unable to fetch user categories, unknown communication problem.      (Microsoft.SoftwareCenter.Client.ViewModels.SoftwareListViewModel+<LoadAppCatalogApplicationsAsync>d__164 at MoveNext)

Any ideas on what I'm missing? All the rest seems to work fine.

Senior Member

We have the same issue with user targeted apps and the 'Negotiate' error.  It seems since the client thinks it is on the intranet with a split tunnel VPN instead of the internet that it tries to authenticate to the CMG with some method other than PKI which fails.  Disconnecting the VPN to force the client into internet mode shows proper PKI authentication and user apps work fine.  Any suggestions to resolve would be appreciated, we are working with premier support, but not making any progress.

New Contributor

@Greg Neveau Well at least there will be 2 cases with premier support then, I'm opening one this morning. Perhaps with more cases it will get more attention :) 

New Contributor

We can use subnets instead of IP ranges right?

Senior Member

@Greg Neveau and @Andy D'Hollander i think we have the same issue.  You make any headway on it?

Senior Member

No headway for us, we are working with support on getting updates to work via the CMG when the client is in intranet mode and then have a case waiting with support to work on the negotiate error.  

Microsoft

@Chris Calaf yes, I just chose ranges for the purposes of the screenshot.

Microsoft

@Greg Neveau @Nick Wiley @Andy D'Hollander we're investigating. If you have a case open, get your support person to email me the ccm\logs folder from your client.

New Contributor

@Rob York I opened up a case with Premier Support this morning but still haven't heard anything... I can zip the client logs I backed up yesterday and attach them to the case, and let you know the case number if that helps :)

Senior Member

@Rob York , we will have our TAM loop you in on the cases.  We have two open, the first dealing with software updates failing and the second for intranet clients and authentication.  Thank You.

Visitor

@Rob York @Andy D'Hollander @Greg Neveau we have the same problem. That the Internet Clients (with no VPN) only reach the Device Software or installed software before. But the Available User Software not showing up in the Internet. In the "Intranet" mode with VPN Connection the User Software available is showing up normally. We have tested it with Hybrid Join Device and the right clients setting with our partner from Switzerland ITNETX had we correctly set. Should we open a case too?

Senior Member

@romanmensch, I think you are seeing the opposite of us where our clients work on the internet and not on the intranet.

 

We are noticing that when the client is in intranet mode ( on VPN ), we see in our SCClient logs that the configuration manager client is trying to use windows authentication to the CMG which fails.

Using endpoint Url: https://XXXXXXXX.CLOUDAPP.NET/CCM_Proxy_MutualAuth/XXXXXXXX:443/CMUserService_WindowsAuth, Windows authentication (Microsoft.SoftwareCenter.Client.Data.ACDataSource+<>c at <RefreshLocalSettingsAsync>b__16_0)

 

When in Internet mode, we see the configuration manager client using AAD auth to the CMG which succeeds.

Using endpoint Url: https://XXXXXXXX.CLOUDAPP.NET/CCM_Proxy_ServerAuth/XXXXXXXX/CMUserService, AAD authentication (Microsoft.SoftwareCenter.Client.Data.ACDataSource+<>c at <RefreshLocalSettingsAsync>b__16_0)

 

We are still working with support on this issue.

New Contributor

@Greg Neveau @romanmensch Indeed, we have the same issue as Greg :) Actually on a support call with Microsoft at the moment. If it leads to anything I’ll let you know. 

New Contributor

@Greg Neveau @Nick Wiley @romanmensch 
Here it goes! 
Basically, when a client is able to reach an on-premise domain controller and considered to be on the "intranet", it needs to receive the client policies from an on-premise Management Point, not a CMG. So the only option is to add an on-premise MP in the boundary group(s) you have configured, and enable the checkbox to have the client prefer cloud sources over on-premise sources. 
Which is indeed how we had set it up initially, but unfortunately that checkbox only applies to applications, not software updates. 
So in order to have VPN clients download update content from Microsoft Update instead of the local DP (which in our case is on the MP we had to add back in the boundary group), we'll have to split up our deployments and work with the download settings to prevent it from downloading from the local DP, and fallback to MS Update for content on the deployments targeting VPN connected devices... 


@Rob York I can feel some UserVoice requests in the air :)  
And that also means that this item on Microsoft Docs needs some more details: https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/boundary-groups#bkmk_bgopti... 

Occasional Visitor

@Andy D'Hollander+ others: Please post a new comment if you find a solution or workaround. We have the same problem...