Machines are getting update directly form Microsoft


laptops are on internet (sccm Client installed and connected with CMG) as I hit on windows update (setting–> windows update –> check for update) it started downloading update from Internet ,not from SCCM DP or CMG how to check,how to find what policy missing , cliet suolud get update from SCCM only.event that machine is not part of deployment

Answers ( 5 )


    You may need to check the windows update.log to find out which agent triggered the update scan and when.

    Use get-windowsupdate.log.

    If it shows scan triggered by ccmexec then its sure the sccm agent triggered the scan.

    When cmg is not accessible for wsus scan then it goes to wumu public url for scan.

    So check your wuahandler for any errors which will give you some idea

  1. Did you get any resolution for the above mentioned issue?


    CMG clients are Internet based clients which always try to download Microsoft Updates from WUMU first regardless of DPs or Cloud DPs (I guess this is how the behavior is ) only policy will be given or delivered via CMG and for software update content they would reach out MS.

    Best answer

      correct, but I my case i have not Added that client in any Patch deployment group .also nothing found in SCCM logs , If I see windows update logs it downloaded form Microsoft, now the issue is : customer says if you hve not deployed June patches how client got updates .

Leave an answer

Sorry, you do not have permission to answer to this question .