SCCM, CMG, and Windows Updates

Matt Dillon 1,211 Reputation points
2021-05-13T17:55:27.917+00:00

Need some direction on a situation I am troubleshooting. Users click on Check for Updates in the Windows 10 Settings and it takes at least 10 minutes to complete. SCCM is set up for Windows Updates and as far as I can tell, everything is set up correctly. The updates are being distributed to a CMG (not sure why this is set up this way as the updates get installed from Microsoft) and the client is on a VPN that points to the CMG. None of the SCCM logs really tell me anything and the CBS.log was a dead end as well.

Thoughts?


6 answers

  1. Pavel yannara Mirochnitchenko 12,576 Reputation points MVP
    2021-05-13T19:43:53.517+00:00

    Check for Updates is not actually supported or will not do anything when you are under SCCM management. With CMG, you should not distribute Software Update packages to the CMG, but allow clients to download content from Microsoft; you will find this option in the Deployment object. If you have a VPN, I suggest you add the VPN network to boundaries and point it to the CMG.

    1 person found this answer helpful.

  2. AllenLiu-MSFT 44,421 Reputation points Microsoft Vendor
    2021-05-14T07:39:17.78+00:00

    Hi, @Matt Dillon
    Thank you for posting in Microsoft Q&A forum.
    Agree with yannara, Check for Updates is not related to SCCM.
    Please try to set the "Prefer cloud based sources over on-premise sources" option on your VPN boundary group which will rearrange your order of content acquisition preference so that the CMG would be first. This option will apply even if you don’t have a CMG, so can offer some respite to your VPN by directing clients to Microsoft Update for content.
    For more details:
    https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895

    And make sure you have considered letting clients get Windows Update content directly from the Windows Update service rather than publishing that content to your CMG. It could be more efficient and would definitely be cheaper.



    1 person found this answer helpful.

  3. AllenLiu-MSFT 44,421 Reputation points Microsoft Vendor
    2021-05-18T09:23:47.027+00:00

    Hi, @Matt Dillon
    Are you referring to the policy "Do not allow update deferral policies to cause scans against Windows Update"? SCCM will enable the policy by default, and it will disable Dual Scan. You may try to disable the policy.

    For reference:
    https://techcommunity.microsoft.com/t5/configuration-manager-archive/using-configmgr-with-windows-10-wufb-deferral-policies/ba-p/274278

    1 person found this answer helpful.

  4. AllenLiu-MSFT 44,421 Reputation points Microsoft Vendor
    2021-05-21T07:40:00.713+00:00

    Hi, @Matt Dillon
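    If we use the PowerShell script below to check the update source for the client, what are the results?

    ```powershell
    # List the update services registered on the client and which one is the default for Automatic Updates
    $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
    $MUSM.Services | Select-Object Name, IsDefaultAUService
    ```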

    If Windows Update is False in the results, the Check for Updates should not work.

    1 person found this answer helpful.

  5. Matt Dillon 1,211 Reputation points
    2021-05-14T14:01:50.283+00:00

    Thanks for all the replies... I did suggest not to distribute any Software Update to the CMG. Hopefully we take care of that this morning. I did not think that was set up correctly.

    I did notice that when I deleted the contents of the C:\windows\system32\grouppolicy folder, and the download and SLS subfolders of c:\windows\softwaredistribution, followed by deleting the reg key for Group Policy (HKLM\software\policies\microsoft), and then rebooting - it worked fine.

    I will be updating the content on the CMGs this morning and setting up the missing SSL settings for WSUS. I always struggled with the GPOs needed for WSUS when SCCM is in play. They want to be able to have that check for updates run when the VPN client (F5) starts up, which is how the issue was discovered. I am leaning on a GPO causing the issue, but wonder what I need to set to have SCCM in line with these updates and for this Check for Updates to just always work.
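
A read-only check that gathers the settings raised in the answers above (default update service, WSUS policy, Dual Scan) into one report. This is an added example, not part of any post in this thread; it assumes the standard Windows Update policy values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, and the interpretation at the end is a simplification of how the client picks its scan source.

```powershell
# Added example: reports the update-source settings discussed in this thread.
# It only reads values; nothing is changed. Run elevated on the affected client.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

$policy = [ordered]@{
    WUServer            = Get-PolicyValue $wu 'WUServer'
    UseWUServer         = Get-PolicyValue $au 'UseWUServer'
    # 1 = "Do not allow update deferral policies to cause scans against Windows Update"
    DisableDualScan     = Get-PolicyValue $wu 'DisableDualScan'
    DoNotConnectToWUInternetLocations =
        Get-PolicyValue $wu 'DoNotConnectToWindowsUpdateInternetLocations'
    DeferQualityUpdates = Get-PolicyValue $wu 'DeferQualityUpdates'
    DeferFeatureUpdates = Get-PolicyValue $wu 'DeferFeatureUpdates'
}

# Update services registered with the Windows Update Agent (same COM object as answer 4).
$services = (New-Object -ComObject 'Microsoft.Update.ServiceManager').Services |
    Select-Object Name, ServiceID, IsManaged, IsDefaultAUService
$default = $services | Where-Object { $_.IsDefaultAUService }

[pscustomobject]$policy | Format-List
$services | Format-Table -AutoSize

# Simplified interpretation (assumption): which source a scan is expected to use.
$deferrals = $policy.DeferQualityUpdates -eq 1 -or $policy.DeferFeatureUpdates -eq 1
if ($policy.UseWUServer -eq 1 -and $policy.DisableDualScan -eq 1) {
    'WSUS/SUP is configured and Dual Scan is disabled by policy.'
} elseif ($policy.UseWUServer -eq 1 -and $deferrals) {
    'WSUS/SUP is configured with deferral policies and Dual Scan is not disabled.'
} elseif ($policy.UseWUServer -eq 1) {
    'WSUS/SUP is configured; no deferral policies found.'
} else {
    'No WSUS policy found; the client scans its default service.'
}
"Default Automatic Updates service: $($default.Name)"
```

Capturing this output before and after a Group Policy refresh shows whether a GPO is rewriting the values that the Configuration Manager client sets locally.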

