Prevent the SCCM client from using hyper-v IP addresses
If you install Hyper-V on Windows 10, it will create a default adapter and randomly create an IP address, usually in the 172.x.x.x subnet. If by chance, you have a boundary that this random IP address falls into, the SCCM client will think it is part of this boundary, in addition to the boundary associated with it's physical NIC. The client considers both boundaries to be a Current boundary group and will therefore potentially download content from DP's associated within either boundary. In most situations, this additional DP will likely be across a WAN link which of course can cause issues.
Anonymous
shared this idea
7 comments
-
Thorsten
commented
Two years time, problem not solved. Come on Adam, this is an important one.
Probably it has not that many votes, because of the random nature it primarily affects sites with many boundaries. Also not those using 10.x.x.x IPs only. And, I'm sure, many people probably don't realize the fallback to another boundary's server because they don't read the logs as long as it runs fine 9 out of 10 times.@Edd Weaver: Afaik, since W10v1607 there is no need to enable Hyper-V features in order to use the security features that you may refer to. When configuring the security features, the hypervisor layer is automatically enabled. Quick win: no virtual adapter on the machine.
Ref: Credential guard doc: "Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped." -
Alex
commented
Also have this same issue using split tunnel VPN. Would be nice to get this resolved with all the current WFH we want to make sure all VPN clients download from cloud sources
-
Michel Leclerc
commented
Hyper-v is one of the problem. If computer is used at home (Split VPN) and if the IP of one network adapter (home network IP range or 4G tethering) matches with a corporate IP range there will be a wrong boundary assignment. So in our case computer will download content from Intranet DP instead of Cloud DP. SCCM should only consider network interface that are able to reach configmgr systems !
-
Edd Weaver
commented
When will this be fixed?
We have nonoption but to disable hyper-v and lose all the security features it brings -
Anonymous
commented
This impacts peer cache subnet detection, especially if the default Hyper-V NIC picks up a PIPA address
-
Understood. The problem is that the Hyper-V default switch is adding another IP address that's creating an overlapping boundary. I'll move this out of By Design to Noted to keep it on the radar so we can look into possible ways to improve this in the future.
-
Anonymous
commented
Adam, I don't think I explained this very well. This is happening on the HOST machine not the guest VM. Even without a VM running on the host, windows will install the default switch when the Hyper-V feature is installed. This extra IP address is the one that messes up the host's sccm client.