Software Update Compliance report for CMG connected devices

With COVID-19 around the globe, the organizations who are using Configuration Manager have shown much interest in Cloud Management Gateway.

Cloud Management Gateway helps you to manage the clients on the internet. For more information on how to setup CMG, please refer https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/setup-cloud-management-gateway

A customer who recently deployed Cloud management gateway, wanted to monitor the software update compliance for the CMG connected devices ONLY.

As these CMG devices are on internet and focus for patch compliance status is always have high visibility from the management prospective.

I know that there are several default software update compliance reports available and i also posted some custom reports on software update compliance but knowing the compliance status only for CMG connected devices is something that is not availabel unless you crate a collection for CMG connected devices and run the deault or custom compliance reports.

So lets start how to get a compliance report for CMG connected devices.

When I first started creating the SQL code for compliance reports for CMG connected devices, I started searching for the SQL view’s that has the information about the CMG info.

As usual, I looked at the SQL views documentation to find the right SQL views for this requirement and have found BGB_ResStatus .

So doing a simple query select top 10 * from BGB_ResStatus reveals the following information.

This information is coming from a fast channel (BGB) from the client. If you want to know more information about fast channel communication in the configuration manager, please refer to this post

To create a collection or identify devices that are connected to CMG, we can do so by adding the new attribute value to the device collection and search for the value ccm_proxy_mutual

Or follow this post to create a collection or report for CMG connected devices.

The SCCM client automatically determines whether it's on the intranet or the internet. If the client can resolve a domain controller or an on-premises management point, it sets its connection type to Currently intranet. Otherwise, it switches to Currently Internet and uses the location of the CMG service to communicate with the site.

When the client switches to the internet and select the CMG service for communication, the client management point information can be seen in the console and the database as something like http://CMG servicename/CCM_Proxy_Mutualauth/ and this will be recorded into AccessMP.

Until the client connects to the on-premise network, the ACCESSMP holds the CMG service name.

The following are the SQL views that I will use to create the software update compliance report for CMG connected devices.

v_Update_ComplianceStatusAll

v_r_system

v_FullCollectionMembership

v_AuthListInfo

BGB_ResStatus

Based on the above data, I have created 2 reports

Summary of the compliance status for the CMG connected devices

List of clients with specific software update compliance status for the update group.

2nd report is linked to the first report and the parameters are hidden for the 2nd report, so you will have to run the first report to go to 2nd report.

  1. Summary of the compliance status for the CMG connected devices

To see the list of required or unknown clients, click on the link (blue icon).

Since Technet is going offline very soon, I have uploaded the reports into my Github account. Download the report, upload it to your SSRS folder, change the data source, and run it.

Make sure you upload the reports into the same folder and do not change the 2nd report name as it is linked to the first report.

Happy patching!

Post Comment