Jump to content


keywan

Problem downloading updates software update deployment(SCCM and ADR) specfiy Windows 11 build 25 H2

By keywan, in System Center Configuration Manager (Current Branch)

Recommended Posts

keywan Enthusiast

keywan

Posted
Posted

I'm in the process of deploying windows updates to Windows Clients (Windows 11 build 25H2) Windows servers(2019,2022,2025) in my environment with SCCM and ADRs and most of the client computers have installed updates just fine however around 50 or so client computers are not installing updates and the updates are not getting downloaded. When I click to install updates it just stays stuck at 0% downloading and never installs until eventually it times out

My Boundary and Boundary Groups

the updates have been distributed to the DP servers. The boundaries are configured to include the clients in the scope. All of my boundary groups are set up with the Active Directory site only.

We have the following IP Range

192.168.0.0, 172.20.0.0, 172.10.0.0. 172.40.0.0

But I set my My Boundary and Boundary Groups with the Active Directory site only.

Is that the my issue?

Should/Could I create or add some new Boundary with IP address Range(what we have see above IP Range) additionally to my Active Directory site?

Could you please help me?

Regards

Share this post

Link to post
Share on other sites
anyweb Experienced

anyweb

Posted
Posted

from Copilot.


1. Add IP Range Boundaries

Yes — you should absolutely create IP Range boundaries for each of your ranges.

Example:

Boundary Type Range
IP Range 192.168.0.1 – 192.168.0.254
IP Range 172.20.0.1 – 172.20.0.254
IP Range 172.10.0.1 – 172.10.0.254
IP Range 172.40.0.1 – 172.40.0.254

👉 Adjust ranges appropriately to your subnet masks.

✔️ 2. Add them to the correct Boundary Groups

  • Put all new IP range boundaries into your existing boundary groups
  • Ensure each boundary group:
    • Has a DP assigned
    • Has site assignment enabled (if needed)

✔️ 3. Leave AD Site boundaries (optional)

You can keep them, but:

👉 Best practice:

  • Use IP range boundaries as primary
  • Use AD Site boundaries only if you trust their accuracy

Share this post

Link to post
Share on other sites
keywan Enthusiast

keywan

Posted
Posted

Hi Anyweb,

First question

What do you mean with best practice?

Use IP range boundaries as primary

Do you mean I have to change from Active Directory site to IP RANGE? Can I edit the Active Directory site to to IP RANGE?

 

I created 4 new Boundary with IP Range and add them to the existing Boundary Group( I have only one), Now my Boundary Group show me 4 Members.

My default Boundary was  Active Directory site and I added 3 new IP RANGE Boundary

image.png.6d8bea01cede0fa6244e033f40d690d1.png

image.png.7e8b3175748ba782b314b7abb22552b4.png

 

and the "References"

image.png.b5082d51207c476e11383613b9d06733.png

Is there any more steps I have to do?

Share this post

Link to post
Share on other sites
anyweb Experienced

anyweb

Posted
Posted

here's the full reply from my chat with Copilot, you should try it too

 

Short answer: yes — your boundary configuration is very likely the issue.

Using only Active Directory Site boundaries can absolutely cause exactly what you’re seeing:

  • Clients resolve a boundary
  • But don’t get a valid DP or fallback DP assignment
  • Result = updates sit at 0% downloading

Why this is happening

SCCM content download (including updates) depends on:

  1. Client is inside a boundary
  2. That boundary is part of a boundary group
  3. That boundary group has a Distribution Point (DP) assigned

With AD Site boundaries only, problems occur when:

  • AD Sites are not accurately mapped to IP subnets (very common)
  • Clients’ IP ranges are not tied to the correct AD site
  • Subnet definitions in AD are missing or incorrect

👉 Result:
Clients may:

  • Fall into no boundary
  • Fall into a boundary group without content locations
  • Try to download from a DP they cannot reach
  • Sit at 0% downloading indefinitely

🔍 Your specific situation

Your IP ranges: 

192.168.0.0
172.20.0.0
172.10.0.0
172.40.0.0

But you're using:

Active Directory Site only

🚨 Problem

Unless all these IP ranges are properly mapped in Active Directory Sites and Services, SCCM cannot correctly assign clients.

This is extremely common in environments where:

  • Networks expanded over time
  • AD Sites weren't kept updated
  • Multiple IP ranges exist in one logical site

Recommended Fix (Best Practice)

✔️ 1. Add IP Range Boundaries

Yes — you should absolutely create IP Range boundaries for each of your ranges.

Example:

Boundary Type Range
IP Range 192.168.0.1 – 192.168.0.254
IP Range 172.20.0.1 – 172.20.0.254
IP Range 172.10.0.1 – 172.10.0.254
IP Range 172.40.0.1 – 172.40.0.254

👉 Adjust ranges appropriately to your subnet masks.

✔️ 2. Add them to the correct Boundary Groups

  • Put all new IP range boundaries into your existing boundary groups
  • Ensure each boundary group:
    • Has a DP assigned
    • Has site assignment enabled (if needed)

✔️ 3. Leave AD Site boundaries (optional)

You can keep them, but:

👉 Best practice:

  • Use IP range boundaries as primary
  • Use AD Site boundaries only if you trust their accuracy

🔧 Additional things to check

Check Boundary Group settings

Verify:

  • DP is assigned: 

    Administration → Hierarchy Configuration → Boundary Groups

  • Under References tab:

    • Distribution Points listed
    • "Use this boundary group for site assignment" if applicable

Check fallback configuration

If clients are failing to find content:

  • Enable fallback (optional, but helpful)
  • Configure:
    • Neighbor boundary group relationships
    • Fallback time (e.g., 20–60 minutes)

Verify client logs

On one affected machine, check:

LocationServices.log

Look for:

  • Boundary detection
  • Assigned boundary group
  • DP location requests

ContentTransferManager.log

Look for:

  • Stuck download attempts

CAS.log

Look for:

  • Content location failures

DataTransferService.log

Look for:

  • BITS download issues

🧪 Quick validation test

On a problem client:

Run:

 
 
PowerShell
 
ipconfig
 

Then check:

 
 
PowerShell
 
nltest /dsgetsite
 

👉 Compare the AD Site vs actual IP

If:

  • IP doesn’t match AD Site mapping → confirmed root cause

Expected result after fix

Once IP boundaries are added:

  • Clients correctly map to boundary groups
  • SCCM returns valid DP locations
  • Updates move from: 
0% downloading → downloading → installing

💡 Pro Tips (real-world SCCM guidance)

  • IP ranges are the most reliable boundary type
  • AD Sites are often neglected → unreliable
  • Always verify with logs, not assumptions
  • If “0% downloading” appears → it's almost always boundary/content location

Final Answer

Yes — relying only on Active Directory Site boundaries is very likely causing your issue.

👉 You should:

  • Add IP range boundaries for all your networks
  • Associate them with your boundary groups
  • Ensure DPs are correctly assigned

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.