SCCM CMG Windows Updates

%3CLINGO-SUB%20id%3D%22lingo-sub-1360548%22%20slang%3D%22en-US%22%3ESCCM%20CMG%20Windows%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1360548%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20recently%20setup%20CMG%20in%20our%20environment%20for%20VPN%20devices%20only%2C%26nbsp%3Bbut%20slightly%20confused%20as%20to%20how%20the%20content%20for%20Windows%20Updates%20would%20work%20as%20well%20as%20content%20for%20applications.%26nbsp%3B%20Currently%20have%20deployed%20Windows%20Updates%20to%20the%20CMG%20as%20well%20our%20Local%20DPs%20(which%20is%20for%20devices%20that%20not%20on%20VPN%20and%20in%20our%20offices).%26nbsp%3BNo%20Application%20content%20is%20deployed%20to%20the%20CMG.%26nbsp%3BWe%20have%20setup%20a%20boundary%26nbsp%3Bgroup%20for%20VPN%20devices%20and%20have%20added%20to%26nbsp%3Bthe%20CMG%20to%20that.%26nbsp%3B%20My%20question%20is%20how%20would%20VPN%20devices%26nbsp%3Bget%20content%20for%20applications%20that%20on%20the%20internal%20DPs%20if%20no%20boundary%20group%20is%20setup%20for%20that%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20followed%20Rob%20York%20article%20for%20the%20updates%20part.%26nbsp%3B%20But%20would%20like%20some%20help%20or%20advice%20in%20relation%20to%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364152%22%20slang%3D%22en-US%22%3ERe%3A%20SCCM%20CMG%20Windows%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364152%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F656329%22%20target%3D%22_blank%22%3E%40nikeshmistry%3C%2FA%3E%26nbsp%3BGreat%20question%20thank%20you.%20Depending%20on%20how%20you%20have%20your%20boundary%20fallback%20setup%20your%20devices%20could%20be%20set%20up%20to%20get%20content%20from%20on-prem%20DPs.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20cleaner%20option%20might%20be%20to%20set%20the%20%22Prefer%20cloud%20based%20sources%20over%20on-premise%20sources%22%20option%20on%20your%20VPN%20boundary%20which%20will%20rearrange%20your%20order%20of%20content%20acquisition%20preference%20so%20that%20the%20CMG%20would%20be%20first.%20In%20this%20way%20you%20could%20associate%20both%20the%20on-prem%20DP%20and%20CMG%20with%20your%20VPN%20boundary%20and%20the%20app%20content%20which%20isn't%20available%20on%20the%20CMG%20would%20be%20acquired%20from%20the%20DP.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECheck%20out%20Rob's%20other%20blog%20on%20boundaries%20for%20more%20information%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fconfiguration-manager-blog%2Fmanaging-remote-machines-with-cloud-management-gateway-in%2Fba-p%2F1233895%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fconfiguration-manager-blog%2Fmanaging-remote-machines-with-cloud-management-gateway-in%2Fba-p%2F1233895%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFinally%2C%20make%20sure%20you%20have%20considered%20letting%20clients%20get%20Windows%20Update%20content%20directly%20from%20the%20Windows%20Update%20service%20rather%20than%20publishing%20that%20content%20to%20your%20CMG.%20It%20could%20be%20more%20performant%20and%20would%20definitely%20be%20cheaper.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Regular Visitor

Hi,

 

We have recently setup CMG in our environment for VPN devices only, but slightly confused as to how the content for Windows Updates would work as well as content for applications.  Currently have deployed Windows Updates to the CMG as well our Local DPs (which is for devices that not on VPN and in our offices). No Application content is deployed to the CMG. We have setup a boundary group for VPN devices and have added to the CMG to that.  My question is how would VPN devices get content for applications that on the internal DPs if no boundary group is setup for that?

 

I have followed Rob York article for the updates part.  But would like some help or advice in relation to this.

1 Reply
Highlighted

@nikeshmistry Great question thank you. Depending on how you have your boundary fallback setup your devices could be set up to get content from on-prem DPs. 

 

A cleaner option might be to set the "Prefer cloud based sources over on-premise sources" option on your VPN boundary which will rearrange your order of content acquisition preference so that the CMG would be first. In this way you could associate both the on-prem DP and CMG with your VPN boundary and the app content which isn't available on the CMG would be acquired from the DP.

 

Check out Rob's other blog on boundaries for more information: https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-clou...

 

Finally, make sure you have considered letting clients get Windows Update content directly from the Windows Update service rather than publishing that content to your CMG. It could be more performant and would definitely be cheaper.