Configuration Manager Technical preview 2006 – Allow Intranet clients to scan against CMG Software update point

Microsoft has released Configuration Manager Technical Preview version 2006 with a lot of cloud features. For more information about the features of this preview release, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2006

This Technical preview version is not a baseline version and can be installed only from the in-console update. If you are building a new site, please install the baseline version (tech preview) 2002 and update it to 2006 using in-console.

This technical preview version focused more on cloud-related feature.One of the most waiting features of CMG is, to allow intranet clients to scan against CMG software update point when you configure the boundary groups.

Until now, in all the preview technical preview features and also in the current branch build, all the client (on-prem) traffic can be routed via CMG except the software update scan which is now possible using a technical preview build 2006.

The following are the 2 scenarios in which you can configure the boundary groups to allow intranet clients to scan against CMG software update point.

· When an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.

· If the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it

How to test this feature to allow intranet clients to scan against CMG SUP?

Create boundaries and boundary groups for your VPN clients. In my lab, i use my intranet client as VPN boundary.

Boundary group:

image

Go to properties of the VPN boundary group and click on references:

Add the CMG here (pls note that, am using 3rd party cert in my lab, hence there is no cloudapp.net).

image

My lab has only 1 SUP so i configured it to support both intranet and internet based clients.

The following setting is applicable in scenario, If the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it.

image

If you have dedicated SUP for internet-based clients then you can choose ‘Allow Internet-only client connections’ for your VPN clients. So when an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.

In the relationships tab, leave it blank. There is no need to configure any fallback.

In the options tab (for downloads), configure the ‘prefer cloud based sources over on-premise sources’.

image

Now login to the client (win10- connected to on-prem ) and restart the SMS agent host service for a quick test or refresh the machine policy cycle.

From the configuration manager applet, run software update scan cycle and monitor wuahandler.log and locationservices.log

Locationservices.log

image

wuahandler.log:

image

As you can see, client is connected to intranet but the software update scan is scanning against the CMG software update point.

Following is the SQL code that will help you to identify the clients connecting to CMG software update point.

select uss.LastScanPackageLocation [Scan Location],
count(*) Total
from v_UpdateScanStatus uss
group by uss.LastScanPackageLocation

image

This is great feature to route all the traffic via internet.

Hope to see this feature in the next version of production build.

Leave a Reply