Software Update approval for endpoints not connected to Domain/network
I was curious if there is a way to enable Software Updating via SCCM when you have 15-20% of your endpoints that, once deployed, may not connect back to the network to receive the update approvals. My main concern is, if we were to enable it, my assumption is that those clients who do not connect back would never get the approval for critical updates and therefore would never install them. As of now, once endpoints are deployed they will at least get critical updates through the normal WU process. From my understanding there is not a hybrid way to do this; basically, if you enable updating in SCCM, all clients will require approval for patches. Is that accurate?
March 24th, 2015 3:54pm

A ConfigMgr client has to be able to contact the management point in order to retrieve policies (which tell it what to do). No contact to the MP -> no updates will be installed.
March 24th, 2015 4:03pm

I'd go one step further, and say: "what's the point of having a CM agent installed at all, if it can't contact the MP/hierarchy?"
March 24th, 2015 4:34pm

If the endpoints will have internet access, you could consider implementing the Internet Based Client Management (IBCM) feature, this would allow you to push updates out to those endpoints from a distribution point in a perimeter network.

Alternatively, and again if they have internet access, if you were to deploy DirectAccess to those devices, even though they were remote, they would function as if they were connected to the corporate network and would be able to pick up updates from an internal distribution point.

Another option would be to use native Microsoft Intune to manage the devices, again assuming they will have internet connectivity.

March 24th, 2015 4:41pm

Well, clients work off site and when they do come back on they get policies, etc. In terms of updates, though, we would never want the client to be in a situation where it doesn't hit the MP for, say, 2 months and thus gets no updates, which is why we have never enabled it. I guess I was hoping there was a creative way of saying something like: if said client can't communicate with the MP in 15 days, critical updates can install. Seems like it would be more of a hassle than anything, which is a shame. Thanks for the feedback!
March 24th, 2015 4:42pm

Ok, that's a little different situation. (I misunderstood your initial scenario, I thought these clients would *never* contact CM again).

CM/SUM and WSUS both work the same way. You can implement it so that the clients only have to contact you for approvals but get the update payloads directly from MSFT, if that's more efficient from a network/traffic perspective, but the client can't just go off to MSFT to get stuff without an approval from you. The fundamental idea of managing updating is that you must manage it; there is no default auto-pilot fallback. This is really a design behaviour of WUAgent, which is only capable of taking instruction from a single management setting. CM/SUM manages that setting and then restarts the WUAgent service as needed, to have WUAgent re-read the setting if it has been changed.

You can allow or deny the ability for the user to manually bypass your management server (CM/SUM or WSUS) and go directly to the MSFT Update Catalog, but that requires a manual step by the user, and it completely bypasses your management/approval process.

I've not had first-hand experience with Intune so far, but I expect that Intune cannot resolve this issue, since it's a design feature/constraint of WUAgent.

As Steven says, if the clients are internet-connected, you have the internet-facing MP (IBCM) option, or Intune etc., which are both forms of cloud-based endpoint management: the client just needs to connect to the web/cloud, and your approvals and content can flow.

March 25th, 2015 4:43pm
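The reply above describes WUAgent as taking instruction from a single management setting that CM/SUM (or WSUS) owns, with no built-in fallback when the client cannot reach its MP. The PowerShell below is an added example for auditing that state on an endpoint; it is not code from the thread or from any Microsoft product. It reads the documented Windows Update policy registry values (WUServer, UseWUServer, DisableWindowsUpdateAccess) and WUAgent's last successful detection timestamp, and flags a client as stale using the 15-day threshold the original poster mentioned. The registry paths and the timestamp format are assumptions about the client OS build (they hold on Windows 7/8-era agents); run it from an elevated prompt.

```powershell
# Added example (not from the thread): report how the Windows Update Agent on this
# endpoint is pointed and whether it has scanned recently.
# Assumptions: standard WU policy keys under HKLM\SOFTWARE\Policies, the
# "Auto Update\Results\Detect" key holds LastSuccessTime as 'yyyy-MM-dd HH:mm:ss',
# and the script runs elevated.

$WuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy  = Join-Path $WuPolicy 'AU'
$DetectKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect'
$StaleDays = 15   # threshold from the thread: no successful scan in 15 days is "stale"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$wuServer      = Get-RegValue $WuPolicy 'WUServer'                   # URL of the WSUS/SUP server
$useWuServer   = Get-RegValue $AuPolicy 'UseWUServer'                # 1 = WUAgent must use WUServer
$disableAccess = Get-RegValue $WuPolicy 'DisableWindowsUpdateAccess' # 1 = WU UI removed for users
$lastDetect    = Get-RegValue $DetectKey 'LastSuccessTime'           # last successful scan (local time)

$daysSinceScan = $null
if ($lastDetect) {
    $daysSinceScan = [int]((Get-Date) - [datetime]::Parse($lastDetect)).TotalDays
}

$ccm = Get-Service -Name CcmExec  -ErrorAction SilentlyContinue   # ConfigMgr client service
$wua = Get-Service -Name wuauserv -ErrorAction SilentlyContinue   # Windows Update Agent service

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    ConfigMgrClient     = if ($ccm) { $ccm.Status } else { 'not installed' }
    WUAgentService      = if ($wua) { $wua.Status } else { 'not found' }
    # If UseWUServer is 1 the agent only scans against the management server;
    # otherwise it talks to Microsoft Update directly (the unmanaged default).
    UpdateSource        = if ($useWuServer -eq 1 -and $wuServer) { $wuServer } else { 'Microsoft Update (unmanaged)' }
    UserWUAccessRemoved = ($disableAccess -eq 1)
    LastSuccessfulScan  = $lastDetect
    DaysSinceScan       = $daysSinceScan
    # Never scanned, or scanned longer ago than the threshold
    Stale               = ($null -eq $daysSinceScan) -or ($daysSinceScan -gt $StaleDays)
}
```

Running this across a fleet (for example via a ConfigMgr script or remote PowerShell) gives the inventory the original poster was worried about: which clients are pointed at the SUP and have not scanned within the window. It does not change WUAgent's source; flipping UseWUServer on a schedule would silently remove those endpoints from the approval process the reply describes.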

Awesome info.... thanks!
March 25th, 2015 5:46pm
