Software Update scan error using Cloud Management Gateway

First, I need to say….the new Cloud Management Gateway feature in Configuration Manager 1610 is awesome. There are a couple of gotchas you need to know about, when creating the service, but once you have overcome those hurdles – you will look like a hero at work, and be known as the person who finally enabled client management on internet based endpoints like road-warriors and colleagues working from home.

In the wuahandler.log on the client you might run into Scan failed with error = 0x80240439. If that happens, first step in your troubleshooting should be checking he configuration manager agent version and verify you have the latest version and hotfix installed.


Second step in troubleshooting is to check the IIS log files on the Software update point to see if the traffic makes it all the way from the client to your internal environment. If you don’t see any activity in your IIS log files, then the issue must be on the Cloud Management Gateway virtual machine in Azure.

  1. Login to Azure, select Cloud Services and find the CMG service.
  2. Enable remote desktop on the cloud management gateway
  3. Notice the IIS log files are not located in the default location


  4. Check the IIS log file for any errors related to software update traffic. In my example I have the following:

    2017-03-13 07:00:39 W3SVC1273337584 RD00155D563B24 POST /CCM_Proxy_ServerAuth/72057594037927953/ClientWebService/client.asmx – 443 – HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 – – 413 0 0 357 14260 187

  5. In my example the error indicated that the traffic coming from the client was over the default limit which is why it never made back to my internal SUP server. You can check the default limits in Azure, connect to the cloud service and navigate to Configuration and check the ProxyEndpointConfig. Default value for ClientWebService</Name><ClientAuthScheme>0</ClientAuthScheme><RequestLimitContentLength>10240</RequestLimitContentLength> can be a little to low for some environments.


  6. In my DEMO environment, I had to modify the value in SQL by running this script

    update Proxy_EndpointDefinition set RequestLimitContentLength=1048576 where Name=’ClientWebService’

  7. After running the script, the Cloud Manager component will write the configuration changes to Azure. You will be able to monitor the activity in the cloudmgr.log file on the site server and also by checking the updated ProxyEndpointConfig in Azure.
  8. For me the change took 2-3 minutes after which my clients started scanning for software updates and patched happily ever after


To those of you, who still believe a VPN connection is the way forward when managing clients on the road…….wake up, we are not in the 90’s any longer – stop it, it’s simply not cool.

By |2017-03-14T08:13:09+00:00March 14th, 2017|Configuration Manager (SCCM), General info|5 Comments

About the Author:

Kent Agerlund
Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009. Certified MCITP: Enterprise Administrator, MCSA+Messaing, and much more. Member of: Microsoft Denmark System Center Partner Expert Team The Danish Technet Influencers program System Center Influencers Program.


  1. Rajul March 16, 2017 at 14:06 - Reply

    This resolved my client WSUS scan failure on Windows 10 machines.
    However i am still facing client scan failures on Windows 7 Machines.

    Thanks Kent for this update.


  2. Rajul March 21, 2017 at 11:11 - Reply

    I have to reinstall the Cloud Management Gateway to make it work. Thanks for the troubleshooting tips.

    • Patrick S. March 28, 2017 at 19:16 - Reply

      Rajul, are you saying that you deleted your existing Cloud Management Gateway and created a new one to resolve the issue? Or did you just remove the Cloud Management Gateway connection point role and reinstall the role? We’re still seeing this problem even with 1702 installed now. Hoping to figure this out soon!

  3. Jason April 17, 2017 at 20:20 - Reply

    Yeah I test with 1702 Branch and I have issues. Mine are 500 errors.

    2017-04-17 18:12:01 W3SVC1273337584 RD0003FF2037A7 POST /CCM_Proxy_ServerAuth/72057594037937959/SimpleAuthWebService/SimpleAuth.asmx – 443 – 71.x.x.x HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 – – 200 0 0 1557 789 203

    2017-04-17 18:12:02 W3SVC1273337584 RD0003FF2037A7 POST /CCM_Proxy_ServerAuth/72057594037937959/ClientWebService/client.asmx – 443 – 71.x.x.x HTTP/1.1 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/1.40 – – 500 0 0 1642 2022 218

  4. Andrew August 9, 2017 at 13:20 - Reply

    Thanks for the fix, helped us out a lot! Keep up the great work.

Leave A Comment