Patching in this unprecedented time without CMG or Co-Management Configured

Hi All, hope you are doing well. This blog post gives some insight into how to patch machines in this difficult situation. I want to focus on one scenario that the majority of customers who haven't moved to the cloud will fall into, so it makes more sense for them to follow the guidance in this post.

That being said, customers have to fully test this on a subset of machines before rolling it out to all machines in their environment.

The scenario is: “We are using VPN (we don't know whether split tunneling is configured or not) and we don't have either ConfigMgr Co-Management or the ConfigMgr Cloud Management Gateway (CMG) configured.”

Before jumping to the solution, we need to understand the type of VPN used in the environment. The blog below explains split tunneling VPN very well:

https://techcommunity.microsoft.com/t5/premier-field-engineering/mastering-configuration-manager-bandwidth-limitations-for-vpn/ba-p/1280002

After reading the blog above, you should have a fair idea of how split tunneling VPN works and know which kind of VPN tunneling is used in your environment. The next section will help you optimize ConfigMgr for patch management over it.

Important considerations to take care of:

  1. Talk to your network team about how much bandwidth ConfigMgr is allowed to utilize over the VPN.
  2. We recommend always using dedicated boundary groups for VPN address ranges.
  3. The deadline and the start time should not be the same, to avoid many parallel downloads.
  4. Plan your deployment strategy based on the overall download time, and maybe stretch the deployment times.

Important actions to take:

  1. Based on the IP address range given by the network team, create a dedicated collection to be used while patching.
  2. If you are using an ADR in ConfigMgr, plan the deployment strategy accordingly. Don't plan the patch deployment to all workstations; plan the deployment through the ADR only for those machines which are not connecting over VPN.
  3. For VPN-connected workstations, please stay tuned, as I have some screenshots of how to configure it.
  4. If you have a dedicated DP for VPN-enabled machines, restrict the bandwidth it may use by configuring IIS.
  5. To configure the IIS bandwidth limitation, open IIS Manager on your DP and select the Default Web Site => Advanced Settings => Limits => Maximum Bandwidth.
  6. If you don't have dedicated DPs just for VPN clients (where the majority of customers will fall), we can use local QoS policies directly on the DPs and limit the bandwidth for every VPN client subnet.
  7. To configure a local QoS policy, go to Start => Run => gpedit.msc.
  8. In the Local Group Policy Editor, expand Computer Configuration => Windows Settings => Policy-based QoS.
  9. Right-click and create a new policy.
  10. Give it a name and specify the Outbound Throttle Rate:

     Please keep in mind that the limit is configured in kilobytes or megabytes per second, not kilobits or megabits per second.

  11. Click Next, select All applications and click Next.
  12. Configure the destination IP range of your VPN clients. Only this range will be affected by the throttling:
  13. Click Next and Finish to complete the configuration. The throttling limit is in place right away.
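The two throttles described above (the IIS Maximum Bandwidth for a dedicated DP, and the local QoS policy for a shared DP) done from an elevated PowerShell prompt on the DP instead of clicking through IIS Manager and gpedit.msc. This is an added example, not the post's own code; the 10.200.0.0/16 VPN client pool and the 50 Mbit/s ceiling are placeholders for the figures your network team gives you.

```powershell
# Added example (not from the original post). Run elevated on the distribution point.
# Placeholders: VPN client pool and the bandwidth ceiling agreed with the network team.
$VpnClientPrefix = '10.200.0.0/16'
$LimitMbitPerSec = 50

# IIS 'Maximum Bandwidth' is stored in BYTES per second; the QoS throttle rate is in BITS
# per second. Deriving both from one agreed figure avoids the Kbit/Kbyte mix-up the post warns about.
$bitsPerSec  = $LimitMbitPerSec * 1000 * 1000
$bytesPerSec = [int]($bitsPerSec / 8)

# Case 1: dedicated DP for VPN clients. This caps the whole web site, so it also
# throttles any non-VPN client that happens to use this DP.
Import-Module WebAdministration
$limitsFilter = "system.applicationHost/sites/site[@name='Default Web Site']/limits"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $limitsFilter `
    -Name 'maxBandwidth' -Value $bytesPerSec

# Case 2: shared DP. Throttle only traffic whose destination is the VPN client range.
# The default policy store persists the rule across reboots (ActiveStore would not).
$policyName = 'ConfigMgr DP - VPN client throttle'
if (Get-NetQosPolicy -Name $policyName -ErrorAction SilentlyContinue) {
    Remove-NetQosPolicy -Name $policyName -Confirm:$false
}
New-NetQosPolicy -Name $policyName `
    -IPDstPrefixMatchCondition $VpnClientPrefix `
    -ThrottleRateActionBitsPerSecond $bitsPerSec

# Verify: the effective values should match the agreed ceiling, and only the VPN prefix
# should be matched by the QoS rule.
Get-NetQosPolicy -Name $policyName | Format-List Name, IPDstPrefix, ThrottleRate
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $limitsFilter -Name 'maxBandwidth'
```

Apply only the case that matches your DP layout; setting both on a shared DP would throttle every client of that DP, not just the VPN range.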

With the above changes, we have made sure that the VPN tunnel is not choked with ConfigMgr traffic.

Please follow the steps below to patch VPN-connected machines through ConfigMgr when we don't have CMG or Co-Management configured.

The steps are:

  1. Create a collection of all machines that are connected through VPN. You can use an IP address range query (with the range you get from the network team for the VPN connection) to create the collection.
  2. Either create the Software Update Group (SUG) manually or create an Automatic Deployment Rule (ADR) without a package. In this blog post I am demonstrating this by creating the SUG manually. Select the patches released for the month.
  3. Create a Software Update Group (SUG) for those patches.
  4. Don't download the patches.
  5. Deploy the SUG:
  6. Give it any name and, for the Collection, provide the collection which you created in step 1.
  7. Make it a Required deployment type.
  8. Schedule it accordingly:
  9. Make sure to check the option shown in the screenshot below; otherwise, if there is a maintenance window defined, it will not install the patch. Here is the screenshot:
  10. Most important step: select ‘No Deployment Package’:
  11. The clients will go to the Microsoft site for updates. Here is the screenshot:
  12. Finish the wizard.
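The collection from step 1 and the deployment from steps 5 to 11, done with the ConfigMgr PowerShell module from a console machine instead of the wizard. This is an added example, not the post's own code; the site code P01, the 10.200.0.0/16 VPN pool, the SUG name and the collection and deployment names are placeholders, and treating an omitted -DeploymentPackageName as the wizard's ‘No Deployment Package’ choice is my assumption.

```powershell
# Added example (not from the original post). Run on a machine with the ConfigMgr console installed.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'P01:'                                   # placeholder site code

$vpnPrefixLike  = '10.200.%'                          # WQL LIKE pattern for the 10.200.0.0/16 VPN pool
$collectionName = 'Workstations - VPN connected'      # placeholder names
$sugName        = '2020-04 Workstation Updates'
$deploymentName = "$sugName - VPN clients"

# Step 1: collection driven by the VPN IP range. IPAddresses comes from heartbeat discovery,
# so membership lags the real VPN state by up to one DDR cycle plus collection evaluation.
$query = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
where SMS_R_System.IPAddresses like "$vpnPrefixLike"
"@
$coll = New-CMDeviceCollection -Name $collectionName `
            -LimitingCollectionName 'All Desktop and Server Clients' -RefreshType Periodic
Add-CMDeviceCollectionQueryMembershipRule -CollectionId $coll.CollectionID `
    -RuleName 'VPN IP range' -QueryExpression $query

# Steps 5-11: Required deployment, available time and deadline kept apart (consideration 3),
# installation allowed outside maintenance windows (step 9), no deployment package
# (assumption: omitting -DeploymentPackageName) and Microsoft Update as the content source (step 11).
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $sugName -CollectionName $collectionName `
    -DeploymentName $deploymentName `
    -DeploymentType Required `
    -AvailableDateTime (Get-Date).AddHours(1) `
    -DeadlineDateTime (Get-Date).AddDays(3) `
    -SoftwareInstallation $true `
    -AllowRestart $false `
    -DownloadFromMicrosoftUpdate $true `
    -UserNotification DisplayAll

# Verify the assignment: OverrideServiceWindows should be True, the deadline later than the start,
# and the target collection the VPN one.
Get-CMSoftwareUpdateDeployment -Name $deploymentName |
    Format-List AssignmentName, TargetCollectionID, StartTime, EnforcementDeadline,
                OverrideServiceWindows, RebootOutsideOfServiceWindows
```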

On the client side (VPN clients):

  1. The client will get the policy, as it is connected through VPN. In Software Center it will appear as:
  2. As it is required, it starts installing at the deadline. See the logs to find out where it is getting the content from. The log to look at is ‘DataTransferService.log’:
  3. Once it is installed, as it might require a restart, it will show the restart notification:
  4. The restart deadline is configured in the client settings here:

In summary, the clients get the policy over the VPN tunnel, while for downloading they use the internet. Status messages are sent back to the ConfigMgr servers and the patches are deployed.

Please note that this should only be used for patch management. For any custom application deployment, you have to use the Cloud Management Gateway (CMG) if you don't want to choke the VPN bandwidth.

Hope this article gives some insight into how to patch in this unprecedented time.
