How to Patch VPN and On-Prem Devices if only on Primary Server


We have one data center and configured the Primary Server (DP, MP, SUP, FSP) roles on that box. We have 4 sites and they get all Windows updates from the Primary server. Everything worked fine, but after Covid-19 users are working from home. We were patching VPN workstations and asking users to connect to VPN on the weekend; patching was happening fine, but suddenly network bandwidth started choking. We have enabled split tunneling and selected the option so VPN clients download only from Microsoft, not their local DP.
Our problem is how to provide patches to VPN and on-prem devices.
If we don’t download the monthly patch and enable the check box to download from Microsoft, everything goes well with VPN devices, but our on-prem clients are not able to download anything.

Please suggest how to work on this issue to provide patches to on-prem and VPN clients.

1) Should we create a Software Update Group and no download from Microsoft? Deploy this SUG to VPN devices and select (if software updates are not available on DP in current, neighbor or site boundary group, download from Microsoft updates).

2) Create another Software Update Group and download. Deploy this to on-prem devices.

Answers ( 3 )


    And create a collection with an IP address range, but it’s going to be a bit complex …

    You need to have some more logic in the collection WQL query … try something with which you can identify that the client is connecting from on-prem …

    Something like MP it’s connecting to?

    And target the software update deployment with the package to that collection

    Best answer

      Sure Sir, I will try to create a collection as per the IP address range:

      select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
             SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
             SMS_R_SYSTEM.Client
      from SMS_R_System
      inner join SMS_G_System_NETWORK_ADAPTER_CONFIGURATION
        on SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.ResourceID = SMS_R_System.ResourceId
      where SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.IPAddress like "10.3.102.%"


    Make sure you have two boundary groups

    1. For VPN IP address – Follow the same method you are using
    2. For On-Prem Clients – Create Software update package in the normal way
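
One way to script the two-collection split discussed in the answers, using the Configuration Manager PowerShell cmdlets (an added example, not code from the thread). The site code `XYZ`, both collection names, and the treatment of `10.3.102.%` as the VPN address pool are assumptions; it must be run from a console with the ConfigMgr admin console installed.

```powershell
# Added example. Site code, collection names and the role of the subnet
# are assumptions; replace them with your own values.
$SiteCode   = 'XYZ'                    # placeholder site code
$VpnColl    = 'SU - VPN Clients'       # hypothetical collection name
$OnPremColl = 'SU - On-Prem Clients'   # hypothetical collection name

Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# WQL from the thread (straight quotes), assumed here to match the VPN pool.
$VpnQuery = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_NETWORK_ADAPTER_CONFIGURATION
  on SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_NETWORK_ADAPTER_CONFIGURATION.IPAddress like "10.3.102.%"
'@

# Every device with a client installed; VPN devices are excluded below.
$AllClientsQuery = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.Client = 1
'@

# Create each collection only if it does not exist yet.
foreach ($name in $VpnColl, $OnPremColl) {
    if (-not (Get-CMDeviceCollection -Name $name)) {
        New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Systems' | Out-Null
    }
}

# VPN collection: target for the SUG deployed without content,
# with fallback to Microsoft Update enabled on the deployment.
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $VpnColl `
    -RuleName 'VPN address pool' -QueryExpression $VpnQuery

# On-prem collection: all clients minus VPN, so no device gets both deployments.
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $OnPremColl `
    -RuleName 'All clients' -QueryExpression $AllClientsQuery
Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $OnPremColl `
    -ExcludeCollectionName $VpnColl
```

The IP address in this query comes from hardware inventory, so a device moves between the two collections only after its next inventory and the next collection evaluation, not at the moment it connects to or leaves the VPN.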
