Management Point Affinity Added in ConfigMgr 2012 R2 CU3


Overview:

Update: In Configuration Manager 2012 SP2/SP1 R2 this feature can now be implemented using boundary groups and doesn’t require this registry method. You can enable this feature in the Hierarchy Settings on the site:


A common request the product group has received is to provide a way to define management point affinity for a specific set of ConfigMgr Clients in a primary site.

Starting with ConfigMgr 2012 R2 cumulative update 3 (http://support.microsoft.com/kb/2994331) there is a new way to define management point affinity for clients.

Caveats of Management Point Affinity in CU3:

There are some caveats in the way management point affinity works in cumulative update 3. You can set a client to use a specific management point(s) by setting a registry value. When this registry value exists, it will cause Location Services to bypass switching to any management point(s) during a Location Services rotation unless they are defined in the registry value.

The downside to this approach is that if the management point(s) the client is forced to use goes down, you will have an unmanaged client until the management point(s) is back online or the registry value is deleted or changed.

This method should only be used for management point(s) in a primary site. Clients in a boundary group of a secondary site will still use the secondary site's management point as a proxy management point. This can be used to set the initial management point communication so that clients register with a management point at a primary site before they start to use a secondary site's management point as a proxy management point.

This method is only for management point selection. This does not apply to distribution points, software update points, Fallback Status Points, or any other site system roles.

This method only works for intranet clients and intranet management points.

This method can’t be used to defeat the HTTPS preference over HTTP management point(s).

Only management point(s) in the same primary site as the client can be used.

Potential Scenarios:

  • Computers in a restricted network such as a DMZ, where the client can only communicate with a specific set of management point(s) in the primary site.

How to Set the Management Point Affinity:

Below are snippets from my lab that I used to test out this new feature.

Site Servers / Systems:

CM12PR1 – (Site Server also Hosting a Management Point Intranet)
CM12IBCM – (Site System Hosting a Management Point Intranet)

Clients:

WIN7CL1 – (Client currently using CM12PR1 as MP)
WIN7CL2 – (Client currently using CM12PR1 as MP)
WIN8CL1 – (Client currently using CM12PR1 as MP)
WINCPCL1 – (Client currently using CM12IBCM as MP)


How to Set Management Point Affinity:

Management point affinity is set by defining the following registry value.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM
Value Name: AllowedMPs
Type: REG_MULTI_SZ
Value Data: CM12IBCM.CONTOSO.LOCAL

Value Data is the FQDN of the management point(s) you want to allow the client to communicate with. You can set multiple management points in the REG_MULTI_SZ value, one per line.


I manually set these values on four machines in my lab, but you could use Group Policy, Compliance Scripts, etc.
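As an added example that is not part of the original post, the following PowerShell script sets the AllowedMPs value the way a compliance-item remediation script or a startup script would, and reads back the management point the client is currently using (from the root\ccm SMS_Authority WMI class) so you can confirm the switch. The registry path and the lab MP FQDN are the ones the post gives; the parameter names are my own.

```powershell
# Added example (not from the original post): discover, remediate and verify the
# CU3 AllowedMPs value (REG_MULTI_SZ). Run elevated on a client that already has
# the ConfigMgr client installed. Replace the lab FQDN with your own MP name(s).
param(
    [string[]]$AllowedMPs = @('CM12IBCM.CONTOSO.LOCAL'),
    [switch]$Remediate
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\CCM'
$ValueName = 'AllowedMPs'

# Discovery: read the current multi-string ($null if the value is absent)
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

# Compare as case-insensitive sets; order inside the value does not matter because
# selection among the listed MPs is still random, as the post explains
$compliant = $false
if ($current) {
    $diff = Compare-Object -ReferenceObject @($AllowedMPs) -DifferenceObject @($current)
    $compliant = ($null -eq $diff)
}

# Remediation: -Type MultiString writes REG_MULTI_SZ, one FQDN per line
if ($Remediate -and -not $compliant) {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $AllowedMPs -Type MultiString
    $compliant = $true
}

# Verification: which MP is the client talking to right now? This only changes
# after the CU3 client update is installed and Location Services has rotated.
$authority = Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Authority' -ErrorAction SilentlyContinue
$currentMP = if ($authority) { $authority.CurrentManagementPoint } else { '<unknown>' }

[pscustomobject]@{
    Compliant          = $compliant
    AllowedMPs         = ($AllowedMPs -join ';')
    CurrentMP          = $currentMP
    CurrentMPInAllowed = ($AllowedMPs -contains $currentMP)
}
```

Without -Remediate the script only reports, which is the shape a configuration item's discovery script needs; with -Remediate it writes the value and is suitable as the remediation script.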

I set each of my four clients to use the opposite management point from the one they were currently communicating with, as listed above.

After these values were set, I installed cumulative update 3 on my 4 client machines. The order shouldn't matter here: you could set the registry values before or after installing the cumulative update 3 client update.

On WIN7CL1, I could see the following information in the logs after cumulative update 3 was installed:

ClientLocation.log


LocationServices.log


We can see that Location Services can detect the new registry value and will filter out any management points that are not in the list.

Here’s a screenshot of my 4 clients after cumulative update 3 was installed. We can see each client switched management points.


Wrapping Up:

This is not intended as an MP enforcement method for "mobile" devices such as laptops and tablets. It is intended for scenarios where it is really required, such as DMZ networks where communication may not be open to all management points in the site.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use

Comments (22)

  1. Anonymous says:

    For the last three comments, if multiple management points are defined in the registry value the selection will still be random (same behavior as normal). You can think of this method as a way to filter out management points a client can't communicate with
    due to network restrictions, e.g. clients in a DMZ network that have port (80 or 443) blocked to the internal management point(s).

    As far as setting the value, the built-in compliance settings for the registry can't set REG_MULTI_SZ values directly. You would need to use a configuration item with a remediation script to set the value or use GPO. It really doesn't matter how it gets set;
    there are many ways this could be accomplished.

    @ Perry, Yes this is a good start to fix specific scenarios. I know the product group is aware a more permanent solution would be very helpful. For example, MP and SUP priority using something like Boundary Groups similar to the way distribution points work.
    The best way to keep visibility high on this would be to submit a feedback item here:

    https://connect.microsoft.com/ConfigurationManagervnext/feedback/CreateFeedback.aspx

  2. Anonymous says:

    MP affinity only applies if you set the registry keys no issue deploying.

  3. Anonymous says:

    Thanks for implementing this.

  4. Anonymous says:

    Yes, I would like to know how the client handles multiple MPs when listed. And how is this setting modified? Can we do this in the console, or is this a GPO that applies the setting?

  5. Anonymous says:

    @ Christian, I’m not aware of any issues with HTTPS MP’s. This can’t be used for Internet Facing clients though.

  6. Anonymous says:

    You could try creating site based media, but this solution is not designed for WinPE.

  7. Anonymous says:

    @Ithomas this only applies to windows.

  8. Perry says:

    This is a great start, but would be better without the registry hack piece.

  9. APS says:

    If we set multiple entries in the registry key how does the client process the list/will it attempt to use the first MP/use the second if the first isn’t available?

  10. The SCCM Architect says:

    Yes, I would like to know how the client handles multiple MPs when listed. And how is this setting modified? Can we do this in the console, or is this a GPO that applies the setting?

  11. Syd says:

    Finally we will be able to fully use Config Manager in our environment. This update/fix wasn’t a day too soon. Thanks for testing and confirming it!

  12. Anonymous says:

    The latest cumulative update for SCCM 2012 R2 has been released by Microsoft
    http://support.microsoft

  13. Anonymous says:

    My American colleague Justin Chalfant has published on his blog an article explaining the use of a

  14. Perry says:

    Thanks Justin. We have a very large multi-tenancy company with three sites currently. There are no trusts in our environment, so having the power to select which MP a client uses during the deployment would be a tremendous benefit for us. You see, due
    to network connectivity, clients are able to only interact with certain MPs. However, because the client is "told" that the others exist, sometimes they try to connect to it and it sometimes takes days (literally) until the server actually connects to the
    MP it CAN use. Even with the string ccmsetup.exe /mp:xxxxx.xxxx smssitecode=xxx smsmp=xxxx.xxx FSP=xxxx.xxxx, some clients still try to connect to another MP until it finally gives up and then goes to the server in the string. I will send the feedback and look
    forward to future releases. I think you have a great idea with Boundary groups being the deciding factor.

  15. Christian Lehrer says:

    Hi Justin,

    is there any known issue when the MP in allowed MPs is https only? Or does it have to be
    https://Mp.domain.com in the allowedmps-Setting then?

    Thanks
    Christian

  16. Christian Lehrer says:

    @Justin ok. thanks.

  17. joseph says:

    What about a scenario where the company uses two management points for failover purposes, e.g., one MP connects to site DB, and the other MP connects to a replica of the site DB? If I’m reading this post correctly, we would need to deploy the registry
    values for BOTH MP’s to each client, so if a MP fails, the client fails over to the other MP. Is this a correct assumption? If we don’t wish to add the extra complexity and trouble associated with implementing MP affinity–and keep our location services rotation
    the way it currently is, which works great–is there a way to deploy the rest of CU3 without deploying MP affinity?

  18. Surjeet says:

    How can I use the AllowedMPs in the Task Sequence? Because every time the task sequence reboots, the TS initialises the CM client and the AllowedMPs are cleared off 🙁

    We have a requirement where we would like a machine to be built via a specific MP because the other MPs in our domain are not reachable. It's kinda like building the machine in a DMZ where it can only talk to a specific MP for anything.. the reg file works fine once
    the OS is deployed and the CM client is installed, and later point it to an MP via the AllowedMPs reg key

    Any ideas ?

  19. Baatch says:

    Yes, we also wonder about Task Sequence and unknown computers. How can we force MP communication in WINPE ?

  20. lthomas says:

    What about Linux/Unix and other clients?

  21. Iliass El Taghadouini says:

    FYI
    If you have a stand-alone primary site in ConfigMgr 2012 R2 SP1, the setting "Clients prefer to use management points specified in boundary groups" is ignored (tested in my environment). You have to apply CU1 for ConfigMgr 2012 R2 SP1, see
    https://support.microsoft.com/en-us/kb/3074857