How to find software update deployments enabled with download content from Microsoft update for clients from VPN CMG internet connected

Due to the COVID-19 outbreak and the situation is constantly changing around the world, the organization's started moving the workforce either from remote or work from home.

Considering the number of users working remotely, it is very important to make sure that the devices are protected in all possible ways starting from windows security patching, antivirus, and other security tools available on the device.

For windows security patching (manage the devices remotely) using SCCM/configuration manager, you have different options in configuration manager such as cloud management gateway, co-management. If your organization has installed a VPN on the endpoint, you can use split tunneling.

Please read more information about managing the remote devices using configuration manager https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895 and https://miketerrill.net/2020/03/18/forcing-configuration-manager-vpn-clients-to-get-patches-from-microsoft-update/

Both the above posts cover almost everything that you need to patch the remote devices including VPN connected devices.

Like other organizations, we have also enabled the split-tunneling and using CMG to download the Microsoft updates from internet and not from corporate/on-premise network.

For the remote devices to get the windows updates from Microsoft using configuration manager, it is important to set the correct options in the software update deployment group.

Following are the settings to enable for the VPN or internet based clients to download the updates directly from Microsoft updates.

If you don't configure the above setting in the software deployment deployment group, your VPN/CMG connected clients will fail to download the patches from windows update and always look for DP.

For the newly created software update deployment group, you can enable the checkbox since you go through the process of deployment but if you want to monitor OR enable the checkbox for existing/already created software update group deployment, you need report and Powershell script to enable the checkbox .

If you have fewer SUG deployments (10 or so), you can right-click the deployment and change the properties but this is not going to be an easy task if you have hundreds of SUG deployments and make sure they are enabled.

The following SCCM report would help to identify the list of all software update deployments that are enabled and not enabled with above option for your reference and also the Powershell script will enable the checkbox for all software update deployments.

I have also provided the powershell cmdlet to enable or disable the checkbox for the software update deployments you wish to.

Preview of the SSRS report:

This report comes with prompt to select option 'Download content from Microsoft updates'.

In my research , If the DP Locality falls in the range of 262144, 262208,393280,393216 then it is considered as download from MSFT.

If you  notice anything wrong with column 'download from MSFT',  please report in the comments section.

Following are the settings available in the SSRS report.

Deployment settings with type of deployment and Wake-on-LAN.

User experience with user notifications, deadline behavior, device restart behavior, and software updates deployment re-evaluation behavior upon restart

Download settings with download content from Microsoft updates.

If you want other fields that are not listed in the report, you can get it from SQL View v_CIAssignment.

To enable the check box to download the content from Microsoft updates, use the following the powershell cmdlet.

Set-CMSoftwareUpdateDeployment

Download the SSRS report and upload to your reporting services, change the datasource.

Happy managing the VPN/internet connected devices.