In my last blog post, I highlighted the option to install the ConfigMgr client over Internet for Windows 10 AAD joined machine, the next challenge is to perform Windows 10 Servicing to ensure the managed device is running a supported OS.
A similar challenge is for Domain-Joined Windows 10 clients who are rarely on the corporate network without VPN/Direct-Access and rely on CMG to stay up to date.
Since OSD isn't supported with CMG, our option is to leverage Software Updates to deploy Feature Updates.
- Enable SUP to allow CMG traffic
- Enable Upgrades Classification
- Deploy Feature Update
Enable SUP to allow CMG traffic
The clients need an update source, and enabling this feature will force the client to use the on-premise SUP instead of Windows Update.
On the Properties of the desired SUP check the box to Allow Configuration Manager CMG traffic.
Enable Upgrades Classification
If you are already synchronizing Windows 10 Upgrades, you can skip this option.
From Site Server components click on SUP properties > Classification tab and check the Upgrades box. If you are not on Server 2016 already, you need to install these Hotfixes on each WSUS/SUP servers - KB3095113 & KB3159706 (has additional manual steps)
Perform a Sync to ensure the Windows 10 Feature Updates (upgrades) are visible in the console under Windows 10 Servicing node in Software Library tab.
Deploy Feature Updates
Select the desired Feature update (upgrade) under Windows 10 Servicing node in Software Library tab and right click to Deploy. You can also run the Software Update compliance reports to validate the required Feature Update based on Scan results reported from the Internet facing machines.
Complete the deployment wizard following your org. standards, consider the following points –
- Do Not distribute the content to Cloud DP's as its unnecceary cost, the clients will download the updates directly from Microsoft Update instead.
- You may still want to distribute this update to on-premise DPs if you expect these clients to roam into to corporate network.
Optionally check the box to allow the client to download the content from Microsoft Update (for intranet clients as CMG clients will anyway download content over Internet). Don't check box to download the content over metered Internet connection for obvious reasons .
Once the client receive's the policy, it will go through the Software Update process and download updates from Microsoft Update instead of Cloud DP.
Note: For clients on VPN/Direct-Access you have the option to use the Upgrade Task Sequence for greater control, refer this recent blog post by MSIT.