First, I need to say….the new Cloud Management Gateway feature in Configuration Manager 1610 is awesome. There are a couple of gotchas you need to know about, when creating the service, but once you have overcome those hurdles – you will look like a hero at work, and be known as the person who finally enabled client management on internet based endpoints like road-warriors and colleagues working from home.

In the wuahandler.log on the client you might run into Scan failed with error = 0x80240439. If that happens, first step in your troubleshooting should be checking he configuration manager agent version and verify you have the latest version and hotfix installed.


Second step in troubleshooting is to check the IIS log files on the Software update point to see if the traffic makes it all the way from the client to your internal environment. If you don’t see any activity in your IIS log files, then the issue must be on the Cloud Management Gateway virtual machine in Azure.

  1. Login to Azure, select Cloud Services and find the CMG service.
  2. Enable remote desktop on the cloud management gateway
  3. Notice the IIS log files are not located in the default location


  4. Check the IIS log file for any errors related to software update traffic. In my example I have the following:

    2017-03-13 07:00:39 W3SVC1273337584 RD00155D563B24 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx – 443 – HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 – – 413 0 0 357 14260 187

  5. In my example the error indicated that the traffic coming from the client was over the default limit which is why it never made back to my internal SUP server. You can check the default limits in Azure, connect to the cloud service and navigate to Configuration and check the ProxyEndpointConfig. Default value for ClientWebService</Name><ClientAuthScheme>0</ClientAuthScheme><RequestLimitContentLength>10240</RequestLimitContentLength> can be a little to low for some environments.


  6. In my DEMO environment, I had to modify the value in SQL by running this script

    update Proxy_EndpointDefinition set RequestLimitContentLength=1048576 where Name=’ClientWebService’

  7. After running the script, the Cloud Manager component will write the configuration changes to Azure. You will be able to monitor the activity in the cloudmgr.log file on the site server and also by checking the updated ProxyEndpointConfig in Azure.
  8. For me the change took 2-3 minutes after which my clients started scanning for software updates and patched happily ever after


To those of you, who still believe a VPN connection is the way forward when managing clients on the road…….wake up, we are not in the 90’s any longer – stop it, it’s simply not cool.