Hello, Working in an MECM test lab and recently implemented always on VPN so remote clients could still be managed. Windows updates fails with an 80240437 error, if I check the deployment on the SCCM server console I see "There was a problem authorizing with the service." If a client is roaming and not a member of a boundary group, the value is blank. (The rest are obfuscated because irrelevant and sensitive.) Boundaries can be either an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range. Lets start off by taking a closer look on my boundaries, and specifically the boundary for my devices on VPN. Above range of IP addresses are exclusively added to the Boundary Group: BG – AlwaysOn VPN. SCCM Device not showing VPN IP Address only local - causes identifying boundary group to fail . https://howtomanagedevices.com/sccm/1603/sccm-config-to-help-to-reduce-v… Boundary group caching was introduced with the first version of System Center Configuration Manager (ConfigMgr) Current Branch (CB): version 1511. SCCM Configmgr Report for Boundary group relationships with Fallback Sites Beginning with Configmgr Version 1702, clients use boundary groups to find a new software update point. Beginning with SCCM 2012 R2 SP1, a boundary group can direct your clients to their Distribution Points for content, State Migration Point and Preferred Management Point. And those VPN device have different IP Address range then what we have configured in boundary group. Please note the following on the client boundary group’s. The data updates when the client makes a location request to the site, or at most every 24 hours. My question is how would VPN devices get content for applications that on the internal DPs if no boundary group is setup for that? Boundaries and Boundary Groups in SCCM. To use a boundary, you must add the boundary to one or more boundary groups. 1.Open SCCM console ,go to client settings, edit default client settings ,hardware inventory ,set classes,add,choose the wmi namespace and add ,once the boundary group cache added ,uncheck it from default settings and click ok. For more information ,how to add custom inventory ,you can refer guide here. As per Microsoft, a boundary is a network location on the intranet that can contain one or more devices that you want to manage. I have followed Rob York article for the updates part. Close. Sccm 2012 boundary group for VPN: Download securely & anonymously Strongly before of research after Reference options for this product read. Prior to R2 SP1, Content location is used by client to identify available Distribution Points or State Migration Point based on the client network location. This script is designed to work in harmony with the Export Sites and Subnets to CSV script I blogged about recently. We are using SCCM 1706 version, so I thought I should configure my application to fallback to Default site boundary group. Posted by 4 months ago. We have setup a boundary group for VPN devices and have added to the CMG to that. 6. When this happens the machine falls into the boundary group for the remote office instead of the VPN and as such gets content from on premise DP instead of VPN cloud DP. If a device is in more than one boundary group, the value is a comma-separated list of boundary group names. VPN Boundary Group Properties: VPN Boundary Group uses the dedicated VPN DP(s): Not making any assumptions, I like to explicitly state that the VPN Boundary Group should never fallback to another boundary group’s distribution point (in case an admin screws up a check box on a deployment). Right click on Boundaries the client IP address clients not observed : did — VPN IP address configured by Boundary groups for VPN a boundary type for network admin. Import IP Boundaries and Boundary Groups PowerShell SCCM ConfigMgr. VPN boundary. Risk You please, don't those Mishandling, unconfirmed Provider to choose and thus worst merely Imitations delivered to get, instead of legitimate Preparation. So all the client that are not part of any Boundary group can get the content from DP mapped with default site boundary group. SCCM Device not showing VPN IP Address only local - causes identifying boundary group to fail. They are then able to send this cached boundary group name to the management point during content location requests. The CSV file that is created by that script can then be used to import IP Subnet Boundaries and Groups with this PowerShell script. I would think when it connected to the VPN that would trigger the "When a network change is detected" rule but maybe not? As the term implies, clients cache the name of their current boundary groups. No Application content is deployed to the CMG. Clients are able to get software deployments from SCCM, after I added in a boundary and boundary group for the VPN clients, but they just will not get Windows updates. I know the easy answer would be to make sure that all of our offices have non home users IP configurations but that is out of my control.