Boundary Group Validation Script - Configuration Manager

Configuration Manager uses Boundary Groups to define site system roles that a client should use for site assignment or content retrieval. Ensuring clients are covered by a Boundary and that Boundary is added to a Boundary Group with site systems listed is critical to ensuring clients can successfully download content for any deployment.

For general information about Boundary Groups (which you will need to understand this post), see /en-us/sccm/core/servers/deploy/configure/boundary-groups.

Finding clients that do not have a valid location to download content from can be challenging depending on the size or complexity of an environment. As a result, I've created a script that helps an administrator review their configuration and hopefully identify clients that are in a boundary that provides them with content.

The script has been through a few iterations, and can now successfully validate boundaries based on:

  • Active Directory site;
  • IP Subnet;
  • IP Range, or;
  • IPv6 Prefix.

The script prompts for and connects to a site server and checks the information recorded for each client to verify that either it's Active Directory site name, or one of it's IP addresses results in it being a member of a Boundary Group with a Site System listed.

Script Details

This section details how the script works.

Results if all Clients are Covered by a Boundary Group

Figure 1 displays the script results if all clients are detected as being covered by a Boundary Group.

[caption id="attachment_395" align="alignnone" width="500"]All clients are covered by a Boundary Group Figure 1 - All clients are covered by a Boundary Group[/caption]

Results if Some Clients are not Covered by a Boundary Group

Figure 2 shows the script results when some clients are not covered by a Boundary Group.

[caption id="attachment_405" align="alignnone" width="498"]Some clients are not covered by a Boundary Group Figure 2 - Some clients are not covered by a Boundary Group[/caption]

The script will also pop a window (Figure 3) that displays a list of computers and their IP addresses that are not covered by a Boundary Group.

[caption id="attachment_415" align="alignnone" width="501"]All clients not covered by a Boundary Group Figure 3 - All clients not covered by a Boundary Group[/caption]

The results are exported to a file called BoundaryGroups.csv in the temp directory (%temp%).


The CSV file outputs the following columns:

Column Name Description
BoundaryCount The number of Boundaries detected for this client
CoveredByBoundary True if the client has any Boundary found
Type The type of Boundary checked (IP range, AD Site, Iv6 Prefix, IP Subnet)
IP The IP address checked (if relevant)
GroupNameContent The Boundary Group name detected that has a site system
SiteCode The site code listed if the Boundary Group is configured as a Site Assignment Boundary.
Value The detected or suggested Boundary value (AD Site name, IP Subnet or IP address range)
Name The name of the Boundary if detected
DPs How many DPs the client has access to
GroupNameSiteOnly The name of the Boundary Group if it's used for Site Assignment
CoveredByBoundaryGroup True if the client is covered by a Boundary Group that also has a site system in the references tab.


If you are opening the CSV file in Excel and want to just list possible boundaries for a client that does not have a Boundary Group with a site system - filter the Covered by Boundary Group column to "not true".

You'll notice multiple entries for each client, that's because it provides you with the information you'd need to create an appropriate boundary depending on your preference. Could be that you select AD Site, which should be listed.

Script Download

You can download the script from TechNet gallery, here:


This script is provided as is with no warranties. I recommend running it on your PC and connecting remotely to the Configuration Manager server rather than running it on the Configuration Manager server as it stores client and boundary information in memory while running.

If computers are connected over VPN or DirectAccess, some of the IP addresses listed (and collected by Configuration Manager) might include private addresses of home networks. So keep that in mind when you are looking to create boundaries and ensure you check with your network teams.

Please comment below if you have any feedback or questions.