2024-11-28 post views: 27,480

Introduction
This is currently a very hot topic, all given the sad circumstances regarding the COVID-19 outbreak all over the world. So I figured it would make a relevant and helpful blog post, to share the details on how I have configured boundaries, boundary groups and everything related to deploying software and software updates in the different #WorkingFromHome situations with VPN and the Cloud Management Gateway.
We are using Always On VPN, and the configuration is something I have explained here as well: https://www.imab.dk/my-always-on-vpn-configuration-with-microsoft-intune-and-configuration-manager-explained/
Also, this is not a typical A–Z guide, but rather some insight into how I have done some of the configuration in order to cater for remote work. Curious? Read on. 🙂
Let's start off by taking a close look at my boundaries, and specifically the boundary for my devices on VPN. (The rest are obfuscated because they are irrelevant and sensitive.)
The above range of IP addresses is exclusively added to the Boundary Group: BG – AlwaysOn VPN.
This translates into any device being online coming from our VPN, which again means they are now within a known location to Configuration Manager.
Taking a look at the References tab, you will see that I don’t reference or associate any site systems directly with this boundary group.
I do this because I don’t want software deployments, whether it’s regular packages/applications or software updates, to apply to devices being online via VPN by default.
Instead, I configure a fallback relationship with my Cloud Management Gateway, enabling devices to potentially get the content via the CMG in Azure.
Note: This configuration will only have effect, if I allow it in the deployment of packages or applications. More on that later.
I’m also allowing the devices to prefer cloud-based sources over on-premises sources.
Note: This is something that’s used, when I deploy Software Updates (specifically Office 365 ProPlus updates) to devices on VPN. Also elaborated later.
So what happens when I deploy software to devices on VPN? That depends on the configuration of the deployment. Let's take an example of deploying 7-Zip as a package.
When configuring a package for deployment, the Distribution Points tab of the deployment is highly relevant.
The configuration shown below will only run if the content is found on a distribution point within the current boundary group (BG – Always On VPN). That translates into: only if a site system with the Distribution Point role is referenced directly in the Boundary Group.
Given my setup and configuration explained above, this deployment will not run while on VPN. Let's start off by digging into some of the log files.
Because this is a regular package, the first place to look will be execmgr.log. When running this while on VPN, the log expectedly returns:
“[KR1208FB Per-system unattended KR10091B] Content is not available on the dp for this program. The program cannot be run now.”
First option is to allow the download to happen over VPN. In this scenario, the binaries will be downloaded from your on-premises Distribution Point.
This is achieved by configuring the deployment of the package as shown below:
In the above situation, you allow the deployment not only to reach out to a neighbor boundary group (if a fallback relationship is configured), but you also allow the deployment to use the Default-Site-Boundary-Group.
As per the explanation given about my boundaries and boundary groups above, I don’t allow fallback to another distribution point in another custom boundary group. Instead, this is done via the Default-Site-Boundary-Group.
When running the deployment now, you will see that the Distribution Point used is the one referenced in your Default-Site-Boundary-Group. As such, the locality in locationservices.log is SITE (this would otherwise have been BOUNDARYGROUP or NEIGHBORBOUNDARYGROUP).
The same details are mentioned in CAS.log once the download is allowed and begins:
If you want to ease the load on your VPN, you can enable the installation to come from your Cloud Management Gateway. This makes for the second option, continuing on the above scenario.
The first thing I do in this scenario is to distribute the content to the CMG. I don’t distribute everything to the CMG, so when needed I have to do this separately, as shown in the following 2 illustrations:
What the deployment needs to look like in this scenario, given all my configuration, is similar to below. Here I’m enabling the deployment to grab content from a neighbor boundary group, but not the Default-Site-Boundary-Group.
The deployment will then see, that “BG – Cloud Management Gateway” is a neighbor boundary group, where fallback is allowed on the Distribution Point.
And again, taking a peek in locationservices.log while the deployment is initiated, you will now see that the distribution point offered in the current location is the CMG in Azure (Locality=’AZURE’).
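To check which of these localities a client actually ended up with, here is an added Python example (not code from the original post) that parses the CMTrace-formatted lines of locationservices.log and execmgr.log and maps each offered Distribution Point to the boundary-group path explained above. The log lines, server names and CMG URL are constructed for this example; only the package IDs and the execmgr message are taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in the CMTrace line format of locationservices.log and execmgr.log.
# Server names and the CMG URL are made up; the package IDs and execmgr message come from the post.
SAMPLE_LOG = (
    "<![LOG[Distribution Point='http://CM01.corp.example/SMS_DP_SMSPKG$/KR10091B', "
    "Locality='SITE', DPType='SERVER']LOG]!>"
    '<time="10:15:02.123+00" date="03-20-2020" component="LocationServices" context="" type="1">\n'
    "<![LOG[Distribution Point='https://cmg.example.cloudapp.net/CCM_Proxy_MutualAuth/"
    "72057594037927935/KR10091B', Locality='AZURE', DPType='SERVER']LOG]!>"
    '<time="10:15:03.001+00" date="03-20-2020" component="LocationServices" context="" type="1">\n'
    "<![LOG[[KR1208FB Per-system unattended KR10091B] Content is not available on the dp "
    "for this program. The program cannot be run now.]LOG]!>"
    '<time="10:15:04.500+00" date="03-20-2020" component="execmgr" context="" type="3">\n'
)

# One CMTrace entry: <![LOG[message]LOG]!><time=".." date=".." component=".." ... type="N" ...>
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="[^"]*" date="[^"]*" '
    r'component="(?P<component>[^"]*)"[^>]*?type="(?P<type>\d)"', re.DOTALL)
DP_RE = re.compile(r"Distribution Point='(?P<dp>[^']+)'.*?Locality='(?P<locality>[A-Z]+)'")

# How each Locality value maps onto the boundary-group configuration explained above.
LOCALITY_MEANING = {
    "BOUNDARYGROUP": "DP referenced directly in the client's current boundary group",
    "NEIGHBORBOUNDARYGROUP": "DP reached via a fallback relationship to a neighbor group",
    "SITE": "DP from the Default-Site-Boundary-Group",
    "AZURE": "Cloud Management Gateway in Azure",
}

@dataclass
class Entry:
    message: str
    component: str
    severity: int  # CMTrace type attribute: 1=info, 2=warning, 3=error

def parse_cmtrace(text: str) -> list:
    return [Entry(m["msg"], m["component"], int(m["type"])) for m in ENTRY_RE.finditer(text)]

def offered_locations(entries: list) -> list:
    """(distribution point, locality) for every DP that LocationServices offered."""
    hits = (DP_RE.search(e.message) for e in entries if e.component == "LocationServices")
    return [(m["dp"], m["locality"]) for m in hits if m]

def content_blocked(entries: list) -> bool:
    """True when execmgr refused to run the program because no usable DP had the content."""
    return any(e.component == "execmgr" and "Content is not available on the dp" in e.message
               for e in entries)
```

Running `offered_locations(parse_cmtrace(SAMPLE_LOG))` on the constructed sample yields one SITE and one AZURE location, and `content_blocked` reports the execmgr refusal quoted above.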
I’m using Windows Update for Business for the regular Windows 10 updates. This is managed by Intune.
Software Updates for Office 365 ProPlus (soon to be renamed Microsoft 365 Apps for enterprise) is something I still manage with Configuration Manager.
To ease the burden on my VPN even further, this is something I want to be serviced from the cloud, but only if and when devices are online via VPN.
This is pretty simple and easily achieved with these 2 configurations:
Now, with the above 2 configurations in place, the content is found both on Distribution Points as well as in Microsoft Update. See the highlight below.
And when the updates are downloading, the Microsoft Update location is preferred due to the setting on our Boundary Group.
Enjoy 🙂
All of this was written while #WorkingFromHome and having the entire family around. Please excuse me if anything is unclear.
As always, don’t hesitate to reach out to me in the comments section down below or on Twitter.