This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
Hi,
We are running SCCM CB 2103 infra and a single standalone primary site. We have CMG configured for Internet users, whoever connected over VPN to corp network they will communicate with CMG for any content download (except software updates). Boundary group has created for VPN ip ranges and associated the VPN boundaries to CMG as content location.
Created custom Client settings under Cloud Services 1) Enable clients to use a cloud management gateway is set to yes. 2) Allow access to cloud DP is set to Yes. 3) Automatically register new Windows 10 domain joined devices with AAD is set to yes. This client settings have been deployed to all workstations.
In our environment all the applications have been deployed to User collection based deployment.
Issue:
There are some windows 10 internet users (connected over VPN and the client is talking to CMG) who requested for applications and their user id added to appropriate application user collection however they don't see the requested applications in software center after we ran machine & user evaluation policy and also tried restart sms agent host service but nothing helps. The users can see the application as soon as we removed the VPN CMG boundary group for the IP ranges of those users. It seems like the machine is failed to download user policy when the machines are connected to VPN. This issue is not happening for every internet users only few users. I also checked that the affected machines are joined hybrid AD.
PFB the errors in policyagent.log
Please provide your expert comments and help me to address this issue.
Thanks,
VJ
Do the users have hybrid identities, i.e., are they synced between your on-prem AD and AAD using AAD Connect, and do these systems have cloud identities, i.e., are they hybrid Azure AD domain joined or [full] Azure AD domain joined?
Both are required for user deployments from a CMG.
Hi Jason,
Yes, the users identities are synced between on-prem AD and AAD. Also, the device is hybrid AD joined.
I am getting the below error in SCClient.log when the VPN/CMG boundary group associated with VPN Boundaries.
Have you validated that a PRT has been successfully acquired from AAD?
Thanks Jason. I verified Under SSO State in all devices that i can find AzureAdPrt set to No. This issue is not for every windows 10 users only certain users who don't see applications in softwarecenter.
Thanks.
No PRT means no Azure AD auth so you need to resolve that first as it is definitely required here. This should help: https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
Sorry. it was my mistake. i was checking PRT status from system account. I got the SSO state from the problematic machine.
Are the devices shown as on Internet or on the intranet?
The devices are connected to corp network through vpn
Right, that's not the question though. Does the ConfigMgr agent show them as Internet or Intranet connected?
sorry. It shows intranet.
It's time to open a support case as this is almost certainly an AAD auth issue, but it's difficult to dig deep in a forum and really needs to be done in a more hands on fashion.
Thanks Jason. Will do.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 51%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDN%3C/text%3E%3C/svg%3E)
Hi, I'm facing same issue. Was it resolved for you? Please guide me.