In Cumulative Update 3 for System Center Configuration Manager 2012 R2, Microsoft introduced Management Point Affinity and Justin Chalfant had a nice write-up on the new feature. One thing that was left undocumented was an acceptable way to set MP Affinity; the blog only mentions the use of Group Policy, Compliance Scripts, etc.
<
div class=”ExternalClass6524A099EAD241FE9444FCC5BDBC0B9E”>
I worked out the details of a ConfigMgr Configuration Item (for Compliance). The challenge is that the registry key is a Multi-String Value (an array of strings) and that ConfigMgr’s Configuration Item cannot natively handle this registry data type. I decided to use a VBScript since it is the least common denominator of our scripting choices.
Below is the Discovery/detection script and the Remediation script. I’ve also included step-by-step screen shots and the final exported Configuration Item if you just want to import it and not create the object yourself.
The exported file can be downloaded from [read-more-redirect urltext=”CatapultSystems.com” url=”https://www.catapultsystems.com/blogs/management-point-affinity-allowedmps-compliance-setting-in-configmgr-2012-r2-cu3″] OneDrive @ https://onedrive.live.com/redir?resid=E3B0C73435A2F778%212827 \ ConfigMgr Client AllowedMPs.cab
Scripts
For testing or one-off situations, run this command line to set the list of allowed MPs.
reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM /v AllowedMPs /t REG_MULTI_SZ /d “https://MP1.lab.localhttp://MP2.lab.localMP3.lab.local” |
This is the Configuration Item Discovery script. Be sure to update strDataDesired with your actual value for the group of computers which will be targeted.
On Error Resume Next strDataDesired = “https://MP1.lab.local|http://MP2.lab.local|MP3.lab.local|” Set StdOut = WScript.StdOut Set objWMIreg=GetObject(“winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv”) objWMIreg.GetMultiStringValue &H80000002,“SOFTWARE\Microsoft\CCM”,“AllowedMPs”,arrData If VarType(arrData) = 8204 Then For Each strData In arrData strDataDetected = strDataDetected & strData & “|” Next End If
If strDataDesired <> strDataDetected Then StdOut.WriteLine “reset needed” Else StdOut.WriteLine “as expected” End If |
This is the Configuration Item Remediation script. Be sure to update arrDataDesired with your actual value for the group of computers which will be targeted.
On Error Resume Next arrDataDesired = array(“https://MP1.lab.local”,“http://MP2.lab.local”,“MP3.lab.local”) Set oReg=GetObject(“winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv”) oReg.SetMultiStringValue &H80000002,“SOFTWARE\Microsoft\CCM”,“AllowedMPs”,arrDataDesired |
After adding these scripts to a Configuration Item to a Configuration Baseline and Deploy it to a collection of computers. You’ll need a different Configuration Setting, Baseline, Deployment, and Collection for each list of AllowedMPs you need.
Screen Shots
Create a new Configuration Item and give it an appropriate name accounting for the group of computers / list of MPs that will be allowed.
Select the operating systems this will be allowed to run on.
Configure the Setting type as Script and Data type as String
Type the script to detect the registry key value. Ensure that the strDataDesired variable is updated to match the list of allowed MPs. Notice the | (pipe) as the last character.
Type the script to remediate the registry key value. Ensure that the arrDataDesired variable is updated to match the list of allowed MPs.
Select the Compliance Rules tab, give it a name, set the Rule type to Value, The value returned by the specified script to Equals as expected.
Enable “Run the specified remediation script..”
Optionally enable “Report noncompliance…” and set the severity to an appropriate value such as Warning
Next, Next, Next, …
That completes the creation of the Configuration Item. Add it to a Configuration Baseline and Deploy it to a collection of computers. You’ll need a different Configuration Setting, Baseline, Deployment, and Collection for each list of AllowedMPs you need.
[/read-more-redirect]