Check for Updates is not actually supported or will not do anything when you are under SCCM management. With CMG, you should not distribute Software Update packages to CMG, but allow clients to download content from Microsoft, you will find this option from Deployment object. If you have VPN, I suggest you add VPN network to boundaries and point it to CMG.
SCCM, CMG, and WIndows Updates
Need some direction on a situation I am troubleshooting. Users click on Check for Updates in the Windows 10 Settings and it takes at least 10 minutes to complete. SCCM is setup for Windows Updates and as far as I can tell, everything is set up correctly. The updates are being distributed to a CMG (not sure why this is setup this way as the updates get installed from Microsoft) and the client is on a VPN that points to the CMG. None of the SCCM logs really tell me anything and the CBS.log was a dead end as well.
Thoughts?
6 answers
Sort by: Most helpful
-
Pavel yannara Mirochnitchenko 12,611 Reputation points MVP
2021-05-13T19:43:53.517+00:00 -
AllenLiu-MSFT 45,686 Reputation points Microsoft Vendor
2021-05-14T07:39:17.78+00:00 Hi, @Matt Dillon
Thank you for posting in Microsoft Q&A forum.
Agree with yannara, Check for Updates is not related to SCCM.
Please try to set the "Prefer cloud based sources over on-premise sources" option on your VPN boundary group which will rearrange your order of content acquisition preference so that the CMG would be first. This option will apply even if you don’t have a CMG, so can offer some respite to your VPN by directing clients to Microsoft Update for content.
For more details:
https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895And make sure you have considered letting clients get Windows Update content directly from the Windows Update service rather than publishing that content to your CMG. It could be more efficient and would definitely be cheaper.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. -
AllenLiu-MSFT 45,686 Reputation points Microsoft Vendor
2021-05-18T09:23:47.027+00:00 Hi, @Matt Dillon
Are you referring to the policy "Do not allow update deferral policies to cause scans against Windows Update", SCCM will enable the policy by default, it will disable Dual Scan. You may try to disable the policy.For the reference:
https://techcommunity.microsoft.com/t5/configuration-manager-archive/using-configmgr-with-windows-10-wufb-deferral-policies/ba-p/274278 -
AllenLiu-MSFT 45,686 Reputation points Microsoft Vendor
2021-05-21T07:40:00.713+00:00 Hi, @Matt Dillon
If we use below powershell script to check the update source for the client, what's the results:
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUServiceIf Windows Update is False in the results, the Check for Updates should not work.
-
Matt Dillon 1,216 Reputation points
2021-05-14T14:01:50.283+00:00 Thanks for all the replies... I did suggest not to distribute any Software Update to the CMG. Hopefully we take care of that this morning. I did not think that was setup correctly.
I did notice that when I deleted the contents of the C:\windows\system32\grouppolicy folder, and the e download and SLS sub folders of c:\windows\softwaredistribution, followed by deleting the reg key for Group Policy (HKLM\software\policies\microsoft), and then rebooting - it worked fine.
I will be updating the content on the CMG's this morning and setting up the missing SSL settings for WSUS. I always struggled with the GPO's needed for WSUS when SCCM is in play. They want to be able to have that check for updates run when the VPN client (F5) starts up which is how the issue was discovered. I am leaning on a GPO causing the issue, but wonder what I need to set to have SCCM in line with these updates and for this Check for Updates to just always work.