none
Downloading directly from Microsoft

    Question

  • I enabled the option, that updates might be downloaded from MS directly, if not found in DP. I want, that VPN users will pull the content from MS, but LAN users would still use DP. 

    The problem is, that even when VPN IP range is not connected to any DP, the VPN clients are still pulling the content from DP. 

    Is it so, that this option will work only if update is not downloaded on ANY DP?


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Friday, May 11, 2018 8:36 AM

All replies

  • Are they falling back to the default boundary group to get the content?

    Cheers Paul | http://sccmentor.com

    Friday, May 11, 2018 10:44 AM
  • Paul is most likely spot on here. You need to either disable fallback for the deployment or configure the boundary group that the VPN systems fall into not to fallback to the default site boundary group for content.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, May 11, 2018 1:58 PM
  • Hi,

    You could also verify it from these logs:
    UpdatesDeployment.log
    ContentTransferManager.log
    LocationServices.log


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 14, 2018 2:43 AM
  • Unfortunatelly, I don´t have currently the opportunaty to check this hands on right now, but this is how I have configured it. From your answers, I feel this should be possible, even if the content is downloaded to DP, right? I will continue to investigate this later.


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.



    • Edited by yannara Tuesday, May 15, 2018 10:07 AM
    Monday, May 14, 2018 6:05 AM

  • MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Tuesday, May 15, 2018 10:07 AM
  • What about the relationships (these are the neighbor boundary groups)?

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, May 16, 2018 2:12 AM
  • What about the relationships (these are the neighbor boundary groups)?

    Jason | https://home.configmgrftw.com | @jasonsandys

    I think I deleted all links and relations everywhere. I was meant to isolate the VPN boundery.

    I still see the content downloading via VPN from CM server, but MS locations are in the logs as well...

    I can upload logs later to OneDrive, I´m still waiting what will happend with larger CU release.


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


    • Edited by yannara Wednesday, May 16, 2018 6:49 AM
    Wednesday, May 16, 2018 6:42 AM
  • > "I think I deleted all links and relations everywhere. I was meant to isolate the VPN boundery."

    Assuming you mean the relationships, then you actually put back the relationship to the default boundary group as this has an implicit relationship with all boundary groups. To override this relationship, you need to explicitly add it and configure the override behavior.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, May 17, 2018 2:47 AM
  • My main question is this - should downloading from MS be possible, if the patch is downloaded on any DP? Lets start from that fact. Or is this feature only for situations, where the patch is not downloaded to any dp at all?

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Thursday, May 17, 2018 7:55 AM
  • > "should downloading from MS be possible, if the patch is downloaded on any DP?"

    Yes, that's what the text on the option states.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, May 17, 2018 6:51 PM
  • I´m just wondering, did someone get this really to work in real life? Is it just me, or could it be than no one had used this before...


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


    • Edited by yannara Monday, May 21, 2018 7:46 AM
    Monday, May 21, 2018 7:46 AM
  • Yes. There are multiple other forum posts of folks using this successfully.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, May 21, 2018 3:14 PM
  • Is your VPN Boundary maybe a IP Subnet from on of your AD Sites you are using in other Boundary Groups?
    Monday, May 21, 2018 7:18 PM
  • Is your VPN Boundary maybe a IP Subnet from on of your AD Sites you are using in other Boundary Groups?

    The VPN boundery is made as IP-range and it is not gathered from AD. I made 100% sure that the range is correct and the client gets IP from that range.

    Unfortunatelly, it seems, that my screenshots get lost, I added them second time already in this thread, but they are not visible anomore.. or is it just me :(


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Tuesday, May 22, 2018 5:24 AM
  • It's not just you. I have screenshots disappear too. Hopefully this one sticks around. It's how our default boundary group fallback behavior is configured.  Try the "Never fallback" options.

    Wednesday, May 23, 2018 6:56 PM
  • This is quite good hint you found Chrispher, thanks. I didn´t had Never Fallback option there enabled. It will take me some time to ensure, is this the solution or not. I'll get back to this later.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


    • Edited by yannara Thursday, May 24, 2018 9:10 AM
    Thursday, May 24, 2018 9:09 AM
  • This is exactly what I said above btw.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, May 24, 2018 2:40 PM
  • i am using primary site as site assignment and primary site server under site system servers. As i want my direct access users to receive the package deployment from primary site DP but security updates from Microsoft.

    do you think its achievable?

    Monday, May 28, 2018 12:02 AM
  • Still couldn´t get this to work..

    Summary;

    - Boundary group = no site server added, no fallback relationships
    - Boundary = no site system
    - Distribution point = no boundary group for VPN
    - Default Site Boundary group = Default behavior - Software Update point - Never Fall Back eneabled

    I suspect, that this scenario would require additional DP, where is no updates downloaded. 


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Friday, June 15, 2018 10:29 AM
  • I know others have gotten this to work but it's not straight-forward.

    Note that the 1806TP contains an option to configure clients to always retrieve the update binaries from Microsoft Update so hopefully this makes it to the production build of 1806 and thus make addressing this scenario quite easy.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, June 15, 2018 2:06 PM
  • I added additional DP for testing, added that DP without any content to the VPN boundary group. No change in situation, still pulling contant from the primary local DP.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Monday, August 20, 2018 1:22 PM
  • Did you also disable fallback for content from the boundary group for these systems to the default site boundary group?

    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, August 20, 2018 1:46 PM
  • Did you also disable fallback for content from the boundary group for these systems to the default site boundary group?

    Jason | https://home.configmgrftw.com | @jasonsandys


    Could you throw me some screenshots here? Thanks.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Monday, August 20, 2018 6:54 PM
  • I reviewed all settings and took every screenshot to this document, Jason could you please take a look?

    CM.labs.dom is the main site server and existing DP
    MBAM.labs.dom is new DP without content.

    https://1drv.ms/w/s!Ak7cWcimOhmHm7tfryy2GZta_RFBpg

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Tuesday, August 21, 2018 5:53 AM
  • I witness a specific proglem here, so;

    - When a there is no DP in a Boundary Group, the Scan Agent returns "ScanJob xxx will process the scan request once locations are available".   

    - When a DP without updates is added to a VPN boundary Group (which I want to avoid here), the ScanAgent will pickup new updates then.

    .. I think this is the major issue here. Maybe a product design problem? I could open an uservoice topic.  


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Wednesday, December 12, 2018 8:06 AM
  • There's a new option in 1810 to use a CloudDP for content -- this is an option on the boundary group itself.

    I've also been told by a dev that there will be a new option (hopefully in 1902) that will also enable updates directly from Windows update on a boundary group. There already is a uservoice item for this: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/32416654-software-updates-client-download-from-windows-upda. It's marked as completed but isn't really as there was a mix up over this item and the clouddp item in 1810.


    Jason | https://home.configmgrftw.com | @jasonsandys


    Wednesday, December 12, 2018 4:13 PM
  • Excelent stuff Jason, actually I found better topic in Uservoice, https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/12246705-force-clients-to-download-updates-from-microsoft-u

    ..now everyone go and vote!


    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Thursday, December 13, 2018 7:46 AM
  • Per the dev, this should actually be in the 1812 TP (emphasis on should) -- that's not a guarentee that it will actually make it to production though. The change I'm specifically talking about is the one in the UV I linked to above specifically a BG-based option.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, December 13, 2018 4:15 PM