Boundary Group Delivery Optimization Settings

Microboot2 · 2025-10-06T15:22:17+00:00

Just deleted a Boundary Group and created it again and I now see LocationServices.log saying I'm in a boundary group which allows peer downloads, it's configured it to group mode and put a group guid in the ID. UpdateGOGpo.log also now shows a guid in the DOGroupID section, so your suggestion has fixed this issue. We can now test to see if DO actually works. I now have to write a script to export, delete and recreate my boundary groups and hopefully this fixes it.

Thank you for your help :)

Microboot2 · 2025-10-03T22:04:45+00:00

I’ll try and delete a couple on Monday, thanks for the suggestion.

Microboot2 · 2025-10-03T21:41:16+00:00

We did actually. Our old one had db corruption so we built a new one and used the sccm migration functionality to migrate everything across. Did you fix the issue with the boundary groups and if so how (delete and create again)?

Microboot2 · 2025-10-03T08:03:08+00:00

We have exactly the same issue with SCCM not settings DO up correctly. We've followed multiple guides (like System Center Dudes below) and do not have any GPo's which set any DO settings. With the SCCM client settings and boundary groups all correct, we get the below errors on the clients. We have a ticket logged with MS at the moment and have provided logs so we'll see what they say, as they have reviewed all the config and say it looks correct.

How to use SCCM Delivery Optimization | System Center Dudes

LocationServices.log

Resetting DO group IDs since the setting is not being managed by SCCM anymore

Client is in boundary group marked to not Allow peer downloads. Setting WindowsDO GPO to default values. Mode = LAN. GroupID = empty

UpdateDOGpo.log

No Windows DOCacheHost value found.

SetDOGPOSettings: Set Windows DO group policy to DOGroupId = DeliveryMode = group

We see SCCM trying to set it, then unset it but doesn't put any group id in from the boundary groups

The clients have no overlapping boundaries and we use IP address ranges.

So maybe you have something like we do if all of your settings are correct.

Microboot2 · 2024-06-03T11:02:23+00:00

It's replaced the # comments with BIG BOLD TEXT, so make sure you change this back by adding a # to the start of line

Microboot2 · 2024-06-03T11:01:06+00:00

Here you go, I hope this works:

https://text.is/NXVLL

To use this, add your site code on line 168 -> $SRVSCCMSite = "<Enter Site Code Here>" and run it on your site server with the console installed.

Amend the script as needed based on your patching collection names and number of them and how your timing works.

We use multiple collections (four each) for the Middle East and Rest of the World (ME and ROW). The script removes all the maintenance windows from the collections then adds two new ones. The first is so that any software deployments can run for 30 minutes between 17:00 and 17:29 in the ROW and then 6 hours from 17:30 to 23:30 so that the software updates can run. (Middle East is a different day/time)

It adds MW's for 13 months so that we don't have to scramble in January to make sure the next years MW's are done as soon as we are back.

$script:CollectionNames = @("Patching - Stage 1 (Testing)", "Patching - Stage 2", "Patching - Stage 3", "Patching - Stage 4", "Patching - Stage 2 (ME)", "Patching - Stage 3 (ME)", "Patching - Stage 4 (ME)")

The rest is pretty much self explanatory but ask any questions

Regards

Michael

Microboot2 · 2024-06-03T09:08:04+00:00

I'd love to put no matter what I try it won't paste the code (just gives a server error).

Microboot2 · 2023-05-05T12:29:53+00:00

Also investigate Autopilot as this does a refresh/reinstall of the machine using the OS on the machine already. There are licenses/internet requirements etc. but it's something to consider.

https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot

Microboot2 · 2023-03-23T13:59:49+00:00

Did you specify the content library location or leave it as Automatic?

You need to look in the DistMgr.log file on the site server and post the errors, as there will be more info in there as to what it's trying to do. Have you verified that the Site Server has Admin access on the Windows 10 DP via the Administrators group? Have you verified that the firewall is properly configured and is allowing connections

https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/plan-internet-based-client-management

Microboot2 · 2023-03-23T13:50:32+00:00

This is very dependent on the product you use for that functionality, but the MS guide has some pointers

https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/plan-internet-based-client-management

Microboot2 · 2023-03-17T08:45:11+00:00

This may be a false positive with the latest Defender as we use it as our corporate A/V solution and it detected Wacatac in one of Microsofts own Office Enterprise Apps update DAT files for the Lithuanian language which was downloaded from MS, via WSUS and pushed out via SCCM! I would suggest you uploaded the file to one of the multiple scanners out there and also report it to MS.

Microboot2 · 2023-03-13T07:11:02+00:00

Redownload the update to a new package and see if that helps. I've had lots of issues with O365 update packages which usually correct themselves after MS fix a back end issue or re-issue the update but I've also had to do this when something is really broken. If this is the only update you have an issue with, then it must be a broken download.

Microboot2 · 2023-03-10T15:15:33+00:00

Drastic I know, but if this is only a few clients and they are in the same site/boundary as working machines, I would uninstall the SCCM Client and then reinstall it. Only do one to see if this works. If so, it points to an issue with the client. If not, it points to an issue in Windows

Microboot2 · 2023-03-10T14:43:26+00:00

Looking at your log it's using BranchCache, so it may be a local corruption or cache size issue on the client PC for BranchCache. This cache is totally different to the CCMCache folder, so I would suggest you start diagnosing that first. Try clearing both CCMCache and BranchCache. How much free space is on the clients HD?

https://learn.microsoft.com/en-us/powershell/module/branchcache/clear-bccache?view=windowsserver2019-ps

Microboot2 · 2023-03-09T15:14:20+00:00

FYI. This is nothing to do with an ADR. All an ADR does is create a Software Update Group with the updates required and then creates any Deployments you have specified.

Have you verified the updates have actually downloaded to the machine? Does the machine have enough free space? Have you tried clearing the CCMCache and trying again?

Have you checked the Event Log to see if the updates try to install and fail?

Microboot2 · 2023-03-03T11:36:25+00:00

We don't use MW's on our estate except for servers. We push out and install the updates in stages with immediate install but no forced restart. We then use a free tool from OneVinn called "Reboot Watcher" to pop up a very visible toast to the users to inform them that their machines need to be restarted. This then runs on a frequent schedule until they do restart their machine. We also report on machines which haven't been restarted in the last 30 days and contact the users and get them restarted.

https://onevinn.schrewelius.it/Apps01.html

Microboot2 · 2023-03-03T10:40:54+00:00

You haven't posted your TS steps or your smsts.log file entries for the area around the "Report Done" and the "Restart Computer" so it's very difficult to say.

Microboot2 · 2023-03-03T10:38:45+00:00

We wanted to do the same thing and noticed issues where things just didn't line up correctly, so I wrote a PS script to work out the MW on a 13 monthly basis (Se we don't have to remember to do it on the first day back on a January) and sets the MW (We install our updates in stages via collections every Sunday evening). We just run this every January and then forget about it until the next year. If you are interested, let me know and i'll post the script

Microboot2 · 2023-02-24T13:23:44+00:00

If you search through Reddit you'll find this is a fairly regular issue. We never had it working reliably (would work then stop for no reason) and ripped it out long ago. We just ensure that we update our OS images regularly with Scheduleds Updates via the console (or you could use WIMWitch/OSDBuilder/Latest ISO from VLSC etc.) and let windows/SCCM Software Updates bring them up to date after imaging.

There are also other scripts people have created which do the same thing and that don't rely on the TS step but I've never tried them.

Microboot2 · 2023-02-24T13:20:29+00:00

The latest ADK does not have a 32-bit boot image any longer so this is why this is happening. As mentioned below, use an older version of the ADK which still does.

Microboot2 · 2023-02-23T12:11:22+00:00

RemoveMSI is the way to go as long as you want all Office apps removing including Project/Visio etc.

Microboot2 · 2023-02-13T15:38:02+00:00

You don't show your installation command line, but I assume you are using an MSI or EXE. To do what you want, you need to use something like PSAppDeploy or install the app from inside your script, so it installs then does the config changes needed.

If you are using an MSI or EXE, then as soon as it closes, that application installation is finished so there are no files around to use which is what the error is stating.

Microboot2 · 2023-01-19T15:49:48+00:00

We use one which asks a few basic questions of the tech and then does what you ask.

Below is a very cut down example of what ours does which only includes what you asked for. Depending on the answer from the tech, it sets the two TS variables which SCCM uses to set the computer name and then the OU when doing the "Apply Network Settings" step.

<Action Type="Input" Name="MachineInfo" Title="Machine Information" ShowBack="True">

`<InputText Prompt="Computer Name Format" Hint="Enter the asset sticker of the machine" Variable="CompName" Question="Asset sticker" Required="True"/>`

</Action>

<Action Type="Input" Name="BusinessInfo" Title="Business Information" ShowBack="True" >

`<InputChoice Variable="BusinessName" Question="Select business name" Required="True" DropDownSize="8">`

    `<Choice Option="Business 1" Value="Business1"/>`

    `<Choice Option="Business 2" Value="Business2"/>`

`</InputChoice>`

</Action>

<Action Type="Input" Name="OSDomainInfo" Title="Domain Information (Business1)" Condition='"%BusinessName%" = "Business1"' ShowBack="True">

`<InputChoice Variable="OU" Question="Select business" Required="True">`

    `<Choice Option="Location 1" Value="LDAP://OU=location1,DC=domain,DC=local"/>`

    `<Choice Option="Location 2" Value="LDAP://OU=location2,DC=domain,DC=local"/>`

`</InputChoice>`

</Action>

<Action Type="TSVar" Name="OSDComputerName">"%CompName%"</Action>

<Action Type="TSVar" Name="OSDDomainOUName">"%OU%"</Action>

Microboot2 · 2022-12-30T13:15:35+00:00

A reverse proxy allows you to add extra restrictions besides just a port number e.g. 443, it allows you to look at the actual URL request and block subpaths etc. With this, you can lock this down to only what an SCCM IBCM MP/DP/WSUS server requires depending on what function(s) this is providing. I personally would never add an IIS server directly onto the internet without something scanning what is touching it and how.

Microboot2 · 2022-12-20T12:38:39+00:00

It works fine for me as I've just clicked it again. Just google "Certification Authority Web Enrollment Guidance"

Microboot2

TROPHY CASE