MECM client over CMG


Hi,

I have recently upgraded from MECM 1910 to 2002. The client is deploying OK to intranet-based devices, but no devices on CMG are getting the new client.

Where do I go to troubleshoot this?

How can I force an install to a CMG-connected device to test if that part works?

Note that I had CMG issues as part of the 2002 upgrade, as per this post: https://techcommunity.microsoft.com/t5/system-center/cmg-broken-after-upgrade-to-mecm-2002-resolved/...

Also note that I had to redo the remove / re-add of the roles a second time after CMG stopped working again the night I did this fix.

Point being, maybe my original issues are the cause of my client install issues.  

10 Replies

@PaulKlerkx For automatic client upgrades to work over the CMG, you'll need to allow it to serve content to clients by enabling the Allow CMG to function as a cloud distribution point and serve content from Azure storage option. You'll also need to enable the Allow access to cloud distribution point option in the client settings for the affected clients. Without these two options, CMG connected clients won't be able to download the client upgrade package they need in order to perform the automatic upgrade.

@Michiel Overweel Thanks for the information. We do have the CMG configured as a distribution point.

CMG distro was up and working prior to the upgrade; however, this would be the first time a client upgrade would have happened over CMG. We now have around 20 devices with a client; however, I believe these were likely devices that came back on the intranet and got the client while onsite.

Client settings, under cloud services, all are enabled - distro, register with AAD and enable CMG for clients.  

I verified the new client package appears under content tab in properties for the CMG.

On the CMG-connected device, in the Configuration Manager applet, Network tab, the internet-based management point is configured; none of the proxy options have entries. (If this refers to a standard proxy, we don't use one so that is OK; if it refers to CMG as the proxy, then wondering if anything maybe should be in there.)

In Ccmsetup.log on a CMG-connected device, the log finishes with the following (the only thing changed is that I changed our CMG name and site code):

Created connection on port 443

Enabled SSL revocation check.

Trying without proxy.

Received a proxy error(0x2ee7), recycling the request object and will try another proxy type, if available.

MapNLMCostDataToCCMCost() returning Cost 0x1

Enabled SSL revocation check.

Querying proxy information as 'S-1-5-18'

Performing proxy auto-detection.

Using fast DNS for Auto proxy detection.

DNS detection was not successful. Using DHCP for Auto proxy detection.

Proxy auto detection was not successful.

Failed to retrieve proxy information.

No proxy was found.

Failed to get CMG metadata 0x80004005

No MP or source location has been explicitly specified.  Trying to discover a valid content location...

Looking for MPs from AD...

Unexpected row count (0) retrieved from AD.

GetADInstallParams failed with 0x80004005

Couldn't find an MP source through AD. Error 0x80004005

No valid source or MP locations

Sending state '322'...

Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 2147500037

[5.00.8913.1012] Params to send '5.0.8913.1013 Deployment "C:\WINDOWS\ccmsetup\ccmsetup.exe" /runservice  AADCLIENTAPPID="09770777-410a-4b8e-9df6-a1a60c11438d" AADRESOURCEURI="https://ConfigMgrService" CCMHOSTNAME="OURCMG.FQDNREMOVED/ccm_proxy_mutualAuth/72057594038008067" SMSSITECODE="XXX"'

<ClientDeploymentMessage ErrorCode="-2147467259"><Client Baseline="1" BaselineCookie="" Platform="2" Langs=""/></ClientDeploymentMessage>

Raised pending client deployment state message.

Sending state '301'...

Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 2147500037

CcmSetup failed with error code 0x80004005

 

@PaulKlerkx The only thing I can think of right now is based on the fact that an 0x2ee7 (ERROR_WINHTTP_NAME_NOT_RESOLVED) error is generated when the client tries to retrieve the CMG metadata. Are you sure the CMG FQDN can be resolved by clients while they are on the Internet? You might want to disconnect a client from the corporate network and try to resolve the CMG FQDN to make sure. Maybe the CNAME record was deleted from your public DNS zone or something like that.
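
A small triage helper for the log excerpt above, added here as an example and not part of any reply in the thread: it folds the hex, unsigned-decimal and signed-decimal forms ccmsetup writes into one 32-bit code, so the three spellings of E_FAIL collapse and the earlier 0x2ee7 stands out. The function names and the 12000-12199 WinHTTP range are assumptions of this example; it works on the message text as shown on this page.

```python
import re
# Lines copied from the ccmsetup.log excerpt in the post above (XML line abridged).
SAMPLE = [
    "Received a proxy error(0x2ee7), recycling the request object and will try another proxy type, if available.",
    "MapNLMCostDataToCCMCost() returning Cost 0x1",
    "Failed to get CMG metadata 0x80004005",
    "Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 2147500037",
    '<ClientDeploymentMessage ErrorCode="-2147467259"><Client Baseline="1"/></ClientDeploymentMessage>',
    "CcmSetup failed with error code 0x80004005",
]

KNOWN = {  # only the two codes seen in this thread; extend as needed
    0x00002EE7: "ERROR_WINHTTP_NAME_NOT_RESOLVED (12007): host name did not resolve",
    0x80004005: "E_FAIL: unspecified failure",
}
HEX_RE = re.compile(r"0x([0-9a-fA-F]{1,8})\b")
DEC_RE = re.compile(r'(?:with value |ErrorCode=")(-?\d+)')

def codes_in(line):
    """Every code on one line, normalized to an unsigned 32-bit value."""
    raw = [int(h, 16) for h in HEX_RE.findall(line)]
    raw += [int(d) for d in DEC_RE.findall(line)]
    return [v & 0xFFFFFFFF for v in raw]

def is_failure(code):
    """Failure HRESULT (high bit set) or WinHTTP error (12000-12199, assumed range)."""
    return bool(code & 0x80000000) or 12000 <= code <= 12199

def describe(code):
    if code in KNOWN:
        return KNOWN[code]
    if code & 0x80000000:
        return "HRESULT facility=%d code=0x%04X" % ((code >> 16) & 0x1FFF, code & 0xFFFF)
    return "WinHTTP error %d" % code

def triage(lines):
    """Return {code: [line numbers]} in first-seen order, failures only."""
    seen = {}
    for n, line in enumerate(lines, 1):
        for code in filter(is_failure, codes_in(line)):
            seen.setdefault(code, []).append(n)
    return seen

def first_failure(lines):
    """Earliest failure in the log, or None; a heuristic for where to start."""
    for code, where in triage(lines).items():
        return where[0], "0x%08X" % code, describe(code)
    return None

print(first_failure(SAMPLE))
```
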

@Michiel Overweel - sorry for not replying sooner, got a bit busy.

When you say "try to resolve the CMG FQDN": if I type in the ProxyServiceFQDN, it returns an IP and alias. If that is what you meant, then yes, that works.

@ forgot to mention, that was with NSLookup, assuming that was the requirement.  

@PaulKlerkx You can use the standalone SCCM client package to upgrade the client version. Use the following SCCM client installation parameters:

"C:\windows\ccmsetup\ccmsetup.exe" /nocrlcheck /mp:https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/6257556037928694 CCMHTTPSSTATE=31 CCMHOSTNAME=CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/62057556037928694 SMSSiteCode=PS1 AADTENANTID=5004305e-6764-4e6b-b9a4-c4d5ccfd1524 AADCLIENTAPPID=3C6a28b2-9d0a-484d-8553-7cb0d4897512 

@Anandkumar Thanks for that info, I'll try to take a look tomorrow.

One thing I thought of: since I configured CMG, I haven't modified the Client Push installation properties for our site. Should I have? We currently only have the SMSSITECODE property in there. (Could this be the reason for the CMG client install failures?)

*************************************************************************

I had a quick look at the command line you posted.

"CCMHTTPSSTATE=31" - the documentation doesn't seem to mention this. I have looked at the logs of an internal machine and it has CCMHTTPSSTATE="1472". Any idea what the different numbers equate to, or what the purpose of the property is? The only Google results I can find don't have much information on it.

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-installation-propert...

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-azure

 

@PaulKlerkx There's no need to add anything to the Client Push Installation properties. Client Push, by definition, can be used on the intranet only. After the agent is installed, the client will receive the CMG location(s) as part of its policy.

Using the client package with a command line, as @Anandkumar suggested, will probably work, but it shouldn't be necessary in my opinion.

@Michiel Overweel Thanks for the reply. We have had issues with our server infrastructure and I am currently in the process of migrating to new hardware. As part of that, I had to uninstall our CMG, so once I tidy up, I'll reinstall the CMG and get back to sorting this out.

@Michiel Overweel Thank you for the assistance. After restoring MECM to new hardware, CMG was completely dead and we had to remove it from both MECM and Azure and completely recreate it. Two days after doing this I have found that all our internet-connected devices are on the latest client, so I'm making the assumption that this has resolved our problem. We have the 2006 upgrade scheduled for about 4 weeks from now, so I guess I'll know for sure after that, but for now, issue resolved. Thanks again.