Let’s learn how to use an existing SCCM configuration to help to cater to remote work scenarios. In this post, let’s understand the opportunity to improve end-user experience in Work from home scenarios.
I hope, this post helps to Learn and Use Existing SCCM Config to Help to reduce VPN Bandwidth.
Updated on April 4th, 2020 -You can refer to the post from Rob York on 1.” Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager” 2. “Managing Patch Tuesday with Configuration Manager in a remote work world“.
Updated on April 5th, 2020 – Post from Jonas, Roland and Stefan. ✔ Mastering Configuration Manager Bandwidth limitations for VPN connected Clients
We have modern options like cloud management gateway (CMG) & Cloud distribution points (CDP) to avoid traffic coming into the on-prem data center. Yes, also WUfB policies controlled by Microsoft Intune.
But the main question is “Are these options help to reduce the VPN bandwidth without slipt tunneling and appropriate proxy configurations.“?
Yes. If you have Configuration Manager infrastructure is cloud-enabled or cloud-attached with all modern features, then you are in good shape already.
NOTE! – CMG & CDP might not be efficient if you don’t have spilt tunneling enabled for those kinds of traffic.
Many organizations are not using cloud management gateway or cloud distribution points. In this scenario what are the best options to avoid SCCM using all VPN bandwidth two batch windows devices?
Let’s see whether we can use the existing SCCM Config to Help to reduce VPN Bandwidth. Mainly to cover critical scenarios like Software updates (patching).
NOTE! – This is critical because if all of your workforces forced to work from home in a scenario like COVID19 for several coming months.
Split Tunneling & Proxy
Split tunneling and proxy configurations are pretty much critical in these scenarios. Even if configure everything OK from SCCM and Intune.
NOTE – When there is no appropriate spilt tunneling and proxy configurations, then the SCCM|Intune configuration changes might not help at all.
More details available in the following Microsoft documentation to build exceptions for Microsoft related services.
- Manage connection endpoints for Windows 10 Enterprise, version 1903
- Manage connection endpoints for Windows 10 Enterprise, version 1809
- SCCM CMG – Firewall Ports Proxy Requirements
Office 365 Communications
Even spilt tunneling and proxy configuration changes are applicable for Office 365 traffic as well. If you have a VPN and proxy are configured to route all the traffic via a VPN tunnel, then this is going to impact the entire VPN tunnel.
This shall in term impact your entire business application echo system as well. The users are connecting through the VPN in a work from home scenario won’t be able to perform any work at all.
Network & Proxy Team
In this scenario, we should get in touch with our network team members to understand the possibility of enabling split tunneling for these kinds of cloud services. Probably, they can help us to implement split tunneling for the following Microsoft services which impact the workplace.
- Office 365
- Software updates (Patching)
- CMG or CDP connectivity
NOTE! – This will help to reduce the VPN bandwidth usage and the critical business applications which need connectivity to on Prem so worse can work seamlessly in a remote working scenario like this.
SCCM Config to Help to Reduce VPN Bandwidth
Even if you don’t have CMG or CDP enabled for your SCM|ConfigMgr infrastructure, you can use the following option to keep your Windows 10 devices or Windows 7 devices secured.
Software update or patch deployment is a critical activity for all device management admins. SCCM can perform this activity without impacting critical business deliverables.
Let’s check the following option and test whether this is useful for you or not. This configuration as per Microsoft documentation helps to reduce VPN traffic.
Starting in version SCCM 1806, deploy software updates to devices without first downloading and distributing content to distribution points. This setting is beneficial when dealing with extremely large update content. More details – here.Patch Windows 10 from Internet – SCCM Config to Help to reduce VPN Bandwidth
NO Deployment package – Clients download contents from peers or the Microsoft cloud
While creating software updates packages in SCCM, there is a default option to download the content from the Internet instead of downloading the software update content from your on Prem distribution points. This SCCM Config to Help to reduce VPN Bandwidth.
TRY the following option – If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates.
Select the following setting to have clients download software updates from Microsoft Update. The Internet-based clients always go to Microsoft Update for software updates content (if you have appropriate VPN spit tunneling and proxy configurations).
Hopefully, this setting along with split tunneling might help you to reduce the VPN bandwidth usage from SCCM perspective.
Boundary Group Options
Boundary group option – Prefer cloud based sources over on-prem sources is another useful option that you can think about.
If you have a branch office with a faster internet link, you can now prioritize cloud content. In ConfigMgr 1902, this setting is now titled Prefer cloud based sources over on-premise sources. Cloud based sources include the following – More details here.Boundary Options – SCCM Config to Help to reduce VPN Bandwidth
- Cloud distribution points
- Microsoft Update (added in version 1902)
BITs Throttling Options for SCCM DP MP SUP
I have posted about the BITs Throttling Options for SCCM DP, MP, and SUP over https://anoopcnair.com/vpn-bandwidth-control-via-bits-throttling-for-sccm-dp-client
Let me know what you think about it how many of you are thinking to implement this kind of option.