SCCM client not detecting software updates over VPN

Daniel Kaliel 1,241 Reputation points
2021-08-19T17:40:25.197+00:00

We have SCCM with a single site. With the latest updates (August 2021, Windows 10 20H2) our test clients internally got the updates, but the test clients over the VPN are not detecting the deployment.

In the UpdatesDeployment.log the last entry shows:

EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0

The IP address for VPN users is included in the boundary. So I am stumped where else to look to solve this problem.

We use the GlobalProtect VPN client.


Accepted answer
  1. Daniel Kaliel 1,241 Reputation points
    2021-09-10T17:46:38.333+00:00

    We were able to solve this, but I don't know the cause. For every VPN user we had them run disk clean and click on Cleanup System Files as well. After that ran and they restarted, the SCCM client was able to detect and install the missing updates.


5 additional answers

  1. Amandayou-MSFT 11,051 Reputation points
    2021-08-20T03:08:44.373+00:00

    Hi @Daniel Kaliel ,

    First, please check whether these clients over the VPN have received the update policy. When the policy is received, the following entry is logged in PolicyAgent.log:

    124876-820.png

    We could check whether the Deployment Unique ID on the console is consistent with the policy ID displayed in PolicyAgent.log.

    124923-8201.png

    Each software update is checked to see whether it is required by the client; kindly check UpdatesStore.log. UpdatesStore.log records updates as missing if they are required. If an update is not required or has already been installed by the client, there is no record in this log. So we could check whether the update is really required by these clients over the VPN.



    1 person found this answer helpful.

  2. Daniel Kaliel 1,241 Reputation points
    2021-08-26T20:01:30.373+00:00

    I added the "Boundaries Group" column to the Devices list and it shows all VPN devices with no boundaries.

    126889-screenshot-2021-08-26-135722.jpg

    But I verified the IP address of the adapter is within the IP range associated with a boundary group

    126913-screenshot-2021-08-26-140009.jpg

    126931-screenshot-2021-08-26-140109.jpg


  3. Daniel Kaliel 1,241 Reputation points
    2021-08-27T15:59:13.097+00:00

    In the UpdatesStore.log on a VPN attached device I see:

    Queried Update (6e88be6e-d470-4e7e-9f36-01479049aadb): Status=Missing, Title=2021-08 Servicing Stack Update for Windows 10 Version 20H2 for x64-based Systems (KB5005260), BulletinID=, QNumbers=5005260, LocaleID=, ProductID=b3c75dc1-155f-4be4-b015-3f1a91758e52, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.

    But it has been over an hour and Software Center still does not show any available updates and they are still not installed.
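
An added example, not part of any post in this thread: a PowerShell script that correlates the two log lines quoted above and flags the situation described here, where UpdatesStore.log lists an update as Missing while UpdatesDeployment.log reports zero actionable updates. The function names are hypothetical, the sample lines are constructed from the quotes in the thread, and the commented paths assume the default client log folder.

```powershell
# Constructed sample input: the two log messages quoted in this thread,
# without the timestamp/component wrapper that real client log lines carry.
$sampleStore = @(
    'Queried Update (6e88be6e-d470-4e7e-9f36-01479049aadb): Status=Missing, Title=2021-08 Servicing Stack Update for Windows 10 Version 20H2 for x64-based Systems (KB5005260), BulletinID=, QNumbers=5005260, LocaleID=, ProductID=b3c75dc1-155f-4be4-b015-3f1a91758e52, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.'
)
$sampleDeploy = @(
    'EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0'
)

# Hypothetical helper: return one object per update the scan recorded as Missing.
function Get-MissingUpdate {
    param([string[]]$Line)
    $pattern = 'Queried Update \((?<Id>[0-9a-fA-F-]{36})\): Status=(?<Status>\w+), Title=(?<Title>.+?), BulletinID=.*?QNumbers=(?<KB>\d*)'
    foreach ($l in $Line) {
        if ($l -match $pattern -and $Matches.Status -eq 'Missing') {
            [pscustomobject]@{ UpdateId = $Matches.Id; KB = $Matches.KB; Title = $Matches.Title }
        }
    }
}

# Hypothetical helper: actionable-update count from the most recent
# EnumerateUpdates entry, or $null if the log has no such entry.
function Get-LastActionableCount {
    param([string[]]$Line)
    $hits = $Line | Select-String -Pattern 'EnumerateUpdates for action \(UpdateActionInstall\) - Total actionable updates = (\d+)'
    if ($hits) { [int](@($hits)[-1].Matches[0].Groups[1].Value) } else { $null }
}

# On a client, replace the samples with the real logs (default client log folder):
#   $sampleStore  = Get-Content "$env:windir\CCM\Logs\UpdatesStore.log"
#   $sampleDeploy = Get-Content "$env:windir\CCM\Logs\UpdatesDeployment.log"
$missing    = @(Get-MissingUpdate -Line $sampleStore)
$actionable = Get-LastActionableCount -Line $sampleDeploy

$missing | Format-Table KB, UpdateId, Title -AutoSize

# The mismatch this thread describes: the scan says updates are required,
# yet the deployment evaluation finds nothing to install.
if ($missing.Count -gt 0 -and $actionable -eq 0) {
    Write-Warning "Scan reports $($missing.Count) missing update(s), but the last deployment evaluation found 0 actionable updates."
}
```

When the warning fires, the PolicyAgent.log check suggested in the first answer is the next place to look, since the scan result alone does not show whether the deployment policy reached the client.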


  4. Daniel Kaliel 1,241 Reputation points
    2021-08-30T15:38:34.08+00:00

    It is required.

    I get that it "won't show" but it does show while it installs in the updates list and disappears after that. This update does not do that. Having said that, the issue is that it does not install and never shows up as "installing" in Software Center. The Windows update is not found in the installed updates list and users are never notified to reboot their PCs as the deployment is configured.
