Hi, @Leon Taljaard
Thank you for posting in Microsoft Q&A forum.
Now my question is this: do clients have to always be connected to VPN to receive policy or the monthly updates, or once they receive policy the first time, initially making them aware of the CMG, then they will just be able to install the deployed updates from SCCM because they will receive policy from the CMG MP/SUP and they will just download from the internet?
It's recommended to use VPN split tunneling with boundary groups to download updates from Microsoft Update sites, so clients have to always be connected to VPN. VPN split tunneling needs to be configured so that all the Microsoft Update URLs connect directly to the internet without coming to the on-premises datacenter. Clients get management policies and agent communication from the VPN connection, and for software updates, they will connect to the Internet.
You may refer to the detailed guidance:
https://www.terminalworks.com/blog/post/2020/05/17/deploy-windows-updates-through-internet-using-sccm-work-from-home-scenario
(Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)