SCCM client not detecting software updates over VPN

Daniel Kaliel 1,261 Reputation points

We have SCCM with a single site. With the latest updates (August 2021, Windows 10 20H2) our test clients internally got the updates, but the test clients over the VPN are not detecting the deployment.

In the UpdatesDeployment.log the last entry shows:

EnumerateUpdates for action (UpdateActionInstall) - Total actionable updates = 0

The IP address for VPN users is included in the boundary. So I am stumped where else to look to solve this problem.

We use the GlobalProtect VPN client.


Accepted answer
  1. Daniel Kaliel 1,261 Reputation points

    We were able to solve this, but I don't know the cause. For every VPN user we had them run disk clean and click on Cleanup System Files as well. After that ran and they restarted, the SCCM client was able to detect and install the missing updates.


5 additional answers

  1. Amandayou-MSFT 11,056 Reputation points

    Hi @Daniel Kaliel ,

    First, please check whether these clients over the VPN have received the update policy. When the policy is received, the following entry is logged in PolicyAgent.log:


    We could check whether the Deployment Unique ID on the console is consistent with the policy ID displayed in PolicyAgent.log.


    The client checks whether a software update is required; kindly check UpdatesStore.log. UpdatesStore.log records updates as missing if they are required. If an update is not required or has already been installed by the client, there is no record in this log. So we could check whether the update is really required by these clients over the VPN.


    1 person found this answer helpful.

  2. Daniel Kaliel 1,261 Reputation points

    I added the "Boundaries Group" column to the Devices list and it shows all VPN devices with no boundaries.


    But I verified the IP address of the adapter is within the IP range associated with a boundary group.




  3. Daniel Kaliel 1,261 Reputation points

    In the UpdatesStore.log on a VPN attached device I see:

    Queried Update (6e88be6e-d470-4e7e-9f36-01479049aadb): Status=Missing, Title=2021-08 Servicing Stack Update for Windows 10 Version 20H2 for x64-based Systems (KB5005260), BulletinID=, QNumbers=5005260, LocaleID=, ProductID=b3c75dc1-155f-4be4-b015-3f1a91758e52, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.

    But it has been over an hour and Software Center still does not show any available updates and they are still not installed.

  4. Daniel Kaliel 1,261 Reputation points

    It is required.

    I get that it "won't show" but it does show while it installs in the updates list and disappears after that. This update does not do that. Having said that, the issue is that it does not install and never shows up as "installing" in Software Center. The Windows update is not found in the installed updates list and users are never notified to reboot their PCs as the deployment is configured.

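The UpdatesStore.log check discussed in this thread can be scripted so that every update a VPN client still reports as Missing is listed in one pass. This is an added example, not part of the original thread; the function name `Get-MissingUpdate`, the second sample line, and the log path in the final comment (the usual client default) are assumptions.

```powershell
# Parse "Queried Update" entries from UpdatesStore.log and return the updates
# whose most recent recorded status is Missing (required but not installed).
function Get-MissingUpdate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # Title is matched lazily up to ", BulletinID=" so titles containing commas survive.
        $pattern = 'Queried Update \((?<Id>[0-9a-fA-F-]{36})\): Status=(?<Status>\w+), ' +
                   'Title=(?<Title>.*?), BulletinID=[^,]*, QNumbers=(?<KB>[^,]*),'
        $latest = [ordered]@{}   # update GUID -> last entry seen for that update
    }
    process {
        $m = [regex]::Match($Line, $pattern)
        if ($m.Success) {
            # Later log entries overwrite earlier ones for the same update.
            $latest[$m.Groups['Id'].Value] = [pscustomobject]@{
                UpdateId = $m.Groups['Id'].Value
                Status   = $m.Groups['Status'].Value
                KB       = 'KB' + $m.Groups['KB'].Value
                Title    = $m.Groups['Title'].Value
            }
        }
    }
    end {
        $latest.Values | Where-Object { $_.Status -eq 'Missing' }
    }
}

# Sample input: the first line is the entry quoted in the thread; the second
# line is constructed for illustration (placeholder GUIDs, KB and title).
$sample = @'
Queried Update (6e88be6e-d470-4e7e-9f36-01479049aadb): Status=Missing, Title=2021-08 Servicing Stack Update for Windows 10 Version 20H2 for x64-based Systems (KB5005260), BulletinID=, QNumbers=5005260, LocaleID=, ProductID=b3c75dc1-155f-4be4-b015-3f1a91758e52, UpdateClassification = 0fa1201d-4330-4fa8-8ae9-b877473b6441, ExcludeForStateReporting=FALSE.
Queried Update (00000000-0000-0000-0000-000000000001): Status=Installed, Title=Constructed sample update, with a comma (KB0000001), BulletinID=, QNumbers=0000001, LocaleID=, ProductID=00000000-0000-0000-0000-000000000002, UpdateClassification = 00000000-0000-0000-0000-000000000003, ExcludeForStateReporting=FALSE.
'@ -split "`r?`n"

$sample | Get-MissingUpdate | Format-Table KB, Status, Title -AutoSize

# On a client, feed the real log instead (path is the usual default, adjust if needed):
# Get-Content "$env:WINDIR\CCM\Logs\UpdatesStore.log" | Get-MissingUpdate
```

An update that appears here as Missing but never reaches Software Center points the investigation toward the deployment policy (PolicyAgent.log) rather than the scan.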