How to get clients to avoid one of your management points

The other week I had a customer asking me how they could keep clients from using a Management Point, yet still have it installed and functional to interact with some 3rd party software they wanted to use.  That question didn’t have a simple answer.  By default an SCCM 2012 client will randomly choose from any available MP in a site.  The key thing that controls the choice of one MP over another is whether an HTTPS MP is specifically required.  Clients also prefer to use an MP in the same forest they are in, if several MP are available.  For my customer, all the MP were HTTP and all in the same forest, so each of their 3 MP had the same chance of being chosen.

I tried an idea that turned out to work, which is to "hide" one of the MP.  By "hide" I mean that it is still in AD and seen in an MPList call but will not be returned to clients that call their current MP and request other MP to communicate with. This means that normal client processes would randomize between 2 of the MP, but the third MP would be used only when specified or hard coded, such as during client installation.  That third MP is still there and running as normal but it takes something like 3rd party software, boot media, or a client command line parameter for it to be used. Un-publishing the MP means that it won’t be listed in AD and normal location requests will not return it as an option.  Screenshots showing where this un-publishing can be done are below.  The change can be seen by watching the clientlocation.log on the clients and looking for lines similar to the following, which should never show a change to the "hidden" MP:

Assigned MP changed from <MP1> to <MP2>.
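
One way to automate the ClientLocation.log check described above, as an added example that is not part of the original post. It tallies the "Assigned MP changed" lines by destination and warns when any of them switch to the hidden MP. The `-LogPath` and `-HiddenMP` parameters, the `mp*.example.test` names and the embedded sample lines are constructed assumptions; angle brackets around the MP names are treated as optional.

```powershell
# Added example: report whether a client ever switched to the "hidden" MP.
# Save as a .ps1 file. Without -LogPath it runs against constructed sample lines.
param(
    [string]$LogPath,                         # path to a client's ClientLocation.log (site-specific)
    [string]$HiddenMP = 'mp3.example.test'    # hypothetical name of the un-published MP
)

function Get-MPAssignmentChange {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Match the message text only, so any per-line log wrapper is ignored.
        if ($Line -match 'Assigned MP changed from <?(?<from>[^\s<>]+)>? to <?(?<to>[^\s<>\]]+)>?') {
            [pscustomobject]@{
                From = $Matches.from.TrimEnd('.')   # drop a sentence-ending period
                To   = $Matches.to.TrimEnd('.')
            }
        }
    }
}

# Constructed sample lines; the last one is the case this check exists to catch.
$sample = @(
    'Assigned MP changed from <mp1.example.test> to <mp2.example.test>.'
    'Assigned MP changed from <mp2.example.test> to <mp1.example.test>.'
    'Unrelated line that must be ignored.'
    'Assigned MP changed from <mp1.example.test> to <mp3.example.test>.'
)
$lines = if ($LogPath) { Get-Content -LiteralPath $LogPath } else { $sample }

$changes  = @($lines | Get-MPAssignmentChange)
# -eq on strings is case-insensitive; the name must be in the same form
# (short name or FQDN) that the log uses.
$toHidden = @($changes | Where-Object { $_.To -eq $HiddenMP })

# How often each MP was the destination of a switch.
$changes | Group-Object To | Select-Object Name, Count | Format-Table -AutoSize

if ($toHidden.Count -gt 0) {
    Write-Warning "$($toHidden.Count) switch(es) to hidden MP '$HiddenMP' found."
} else {
    Write-Output "No switches to '$HiddenMP' in $($changes.Count) assignment change(s)."
}
```

With the constructed sample the warning fires once, because the last sample line switches to the hidden MP.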


There is a desire in the SCCM community to allow clients to have an affinity to a specific MP, similar to the use of boundaries and Distribution Points (DP).  To be clear, this will not provide that affinity.  It simply removes one or more MP from normal client use processes.  It cannot be used to selectively make one MP serve a subset of clients.  If you were to set a client to use this "hidden" MP it would, for a time.  Various processes in the SCCM client would eventually ask for a list of available MP, and the results returned would be the other MP, and thus the clients would switch away from the use of this "hidden" MP.  The MP would serve a limited purpose, until such a switch occurred.


Thanks go to Jason Sandys and Adam Meltzer for helping me provide clarity on this post.

6/27/2014 UPDATE - To provide better clarity I changed the post to reflect that MPList will still show the "hidden" MP and its object will still be in AD

Comments (5)

  1. I don’t have my repro for this up to look at currently. I think the MPList did not return the "hidden" MP, but I can’t verify that to be sure.

  2. Tim.. uncheck the MP and then watch the ClientLocation.log of your clients. See if they truly do stop use of the "hidden" MP.

  3. Tim says:

    What about when the client asks for mplist? It will still receive the unpublished MP via that mechanism.

  4. Tim says:

    I'm looking at my site with one MP unpublished, and mplist does return the hidden MP unfortunately. MS support tell me that the only sure fire way to achieve this is to put the MP in a secondary site. It does seem to be quite a limiting feature of ConfigMgr though IMO.

  5. Cliff Hughes (MSFT) says:

    I am trying to achieve something like this for managing Mac OS and Internet Based Client Management in a single SCCM 1706 site. I have them both working; however, the laptops that we are enabling for Internet client management via script, sets the MP FQDN on the Network tab of the client, and if we connect it to the Internet, it works just fine. We have received policy and installed some packages from Software Center while on the Internet. The problem comes when we reconnect back to the corp network and update machine policy: the Internet MP FQDN gets changed to the internal HTTPS Site System we set up for Macs. Since it requires the setting to enable Internet on it, this MP gets set as the client's Internet FQDN; the internal HTTP MP is still set as the MP. I have disabled Site Publishing, and unchecked the internal HTTPS DP (it is only used for Mac enrollment manually) to no avail; the Internet FQDN keeps getting reset to the intranet HTTPS server. How can we get it to keep the Internet MP FQDN we set via script? Or how to prevent it from resetting it on the corporate network?
