SCCM client User policy not downloading over VPN

Vijayaguru M 21 Reputation points


We are running SCCM CB 2103 infra and a single standalone primary site. We have CMG configured for Internet users, whoever connected over VPN to corp network they will communicate with CMG for any content download (except software updates). Boundary group has created for VPN ip ranges and associated the VPN boundaries to CMG as content location.

Created custom Client settings under Cloud Services 1) Enable clients to use a cloud management gateway is set to yes. 2) Allow access to cloud DP is set to Yes. 3) Automatically register new Windows 10 domain joined devices with AAD is set to yes. This client settings have been deployed to all workstations.

In our environment all the applications have been deployed to User collection based deployment.


There are some windows 10 internet users (connected over VPN and the client is talking to CMG) who requested for applications and their user id added to appropriate application user collection however they don't see the requested applications in software center after we ran machine & user evaluation policy and also tried restart sms agent host service but nothing helps. The users can see the application as soon as we removed the VPN CMG boundary group for the IP ranges of those users. It seems like the machine is failed to download user policy when the machines are connected to VPN. This issue is not happening for every internet users only few users. I also checked that the affected machines are joined hybrid AD.

PFB the errors in policyagent.log


Please provide your expert comments and help me to address this issue.


Microsoft Configuration Manager
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Jason Sandys 31,146 Reputation points Microsoft Employee

    Do the users have hybrid identities, i.e., are they synced between your on-prem AD and AAD using AAD Connect, and do these systems have cloud identities, i.e., are they hybrid Azure AD domain joined or [full] Azure AD domain joined?

    Both are required for user deployments from a CMG.

  2. Vijayaguru M 21 Reputation points

    I am getting the below error in SCClient.log when the VPN/CMG boundary group associated with VPN Boundaries.


    0 comments No comments

  3. Jason Sandys 31,146 Reputation points Microsoft Employee

    Have you validated that a PRT has been successfully acquired from AAD?

  4. Jason Sandys 31,146 Reputation points Microsoft Employee

    Are the devices shown as on Internet or on the intranet?

  5. Devi Natarajan 1 Reputation point

    Hi, I'm facing same issue. Was it resolved for you? Please guide me.

    0 comments No comments