I was recently challenged with moving the FSP to a different location and started researching the available documentation, which leaves, to be blunt, much room for improvement.
Most of my findings deal with implementation of Internet Based Client Management but could be useful in an Intranet environment also.
This gist is an attempted write-up of all the stuff I could put together before and after this reddit post.
Some ConfigMgr roles can be configured to allow either or both connection types mentioned above. This should be the case for the FSP as well, but contrary to the Management Point or Distribution Point you cannot select the exact configuration yourself.
Configuration Manager is supposed to set that value correctly if you specify an Internet FQDN. But it doesn't. It will stick to `Intranet Only`, no matter what you do.
To configure the fallback status point configuration for Internet-based client connections
FSP for Internet Based Client Management
Only the `Intranet Hostname` will be published to Active Directory. You can check this for yourself by firing up ADSIEdit, navigating to the `System Management Container`, selecting the appropriate Site Server, clicking properties, and checking the content of `mSSMSCapabilities`.
I was not able to find out if the Internet FQDN was ever published there and, in conjunction with that, set/updated automatically on the clients.
The FSP role does not roam. You can definitely install it more than once. If you co-locate the FSP role with an MP role, I suspect your client will configure the FSP associated with the MP.
On the client side we have the following two registry keys:
- `HKLM\Software\Microsoft\CCM\FSP\HostName`
- `HKLM\Software\Microsoft\CCM\FSP\IntranetHostName`

`IntranetHostName` contains the intranet FQDN of your FSP. If you move the FSP role to a different site system, the clients will change the address by themselves. This is done by querying the Active Directory information published in the `System Management Container`. You can observe changes in `LocationServices.log`.

`HostName` will contain the internet FQDN of your FSP. This setting will not be changed automatically.
- Adding the `FSP=` switch to your client install command line will set this registry value.
- This can also be used in the Client Push settings.
- The client push syntax will also be published to Active Directory.
Once the `HostName` key is set, the client will try to send an FSP state message to the internet FQDN by default. If this URL is not reachable, it will fall back to the intranet FQDN. You can observe this in `FSPStateMessage.log`.
I was able to verify this with the following method:
- Delete the client certificate.
- Set `HostName` to a server that does not host the FSP role.
- Set `IntranetHostName` to my working site system hosting the FSP role.
- Run `cmhttpsreadiness.exe` in `C:\windows\ccm`.
- Check the `Count of clients capable of HTTPS communication` SRS report.
If you move your FSP to a different site system and also want to use the FSP for IBCM, you have to set the registry keys manually. The most obvious way to do that would be a `Configuration Item`.
What you set and where depends on you. I have a single primary site and a single IBCM instance, so for simplicity I set `HostName` to point to my IBCM instance since all my clients have internet access.
You could of course scope this for different systems:
- `HostName` and `IntranetHostName` pointing to the intranet FQDN for computers.
- `HostName` pointing to your Internet FQDN for laptops/tablets.
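
One way to build the Configuration Item described above, as an added example that is not part of the original write-up. It assumes `HostName` and `IntranetHostName` are string values under the FSP key; the FQDNs are placeholders and the function names are hypothetical.

```powershell
# Added example for a Configuration Item; not code from the original write-up.
# Assumptions: HostName and IntranetHostName are string (REG_SZ) values under
# the FSP key; both FQDNs are placeholders; function names are hypothetical.
$SubKey  = 'SOFTWARE\Microsoft\CCM\FSP'
$Desired = @{
    HostName         = 'fsp.internet.example.com'  # placeholder Internet FQDN
    IntranetHostName = 'fsp01.corp.example.com'    # placeholder intranet FQDN
}

function Open-Hklm64 {
    # 64-bit view, so a 32-bit script host is not redirected to WOW6432Node.
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $view = [Microsoft.Win32.RegistryView]::Registry64
    [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
}

function Get-FspDrift {
    # Return the names of values that are missing or differ from $Expected.
    param([hashtable]$Expected)
    $hklm = Open-Hklm64
    $key  = $hklm.OpenSubKey($SubKey)   # read-only; $null if the key is absent
    try {
        foreach ($name in $Expected.Keys) {
            $actual = if ($key) { $key.GetValue($name) } else { $null }
            if ([string]$actual -ne $Expected[$name]) { $name }
        }
    } finally {
        if ($key) { $key.Close() }
        $hklm.Close()
    }
}

function Set-FspHostNames {
    # Write only the listed values; creates the FSP key if it is missing.
    param([hashtable]$Expected, [string[]]$Names)
    $hklm = Open-Hklm64
    $key  = $hklm.CreateSubKey($SubKey)
    try {
        foreach ($name in $Names) {
            $key.SetValue($name, $Expected[$name], [Microsoft.Win32.RegistryValueKind]::String)
        }
    } finally { $key.Close(); $hklm.Close() }
}

# Discovery script: emit one string for the CI compliance rule to compare.
$drift = @(Get-FspDrift -Expected $Desired)
if ($drift.Count -eq 0) { 'Compliant' } else { 'NonCompliant: ' + ($drift -join ', ') }
# Remediation script (separate CI script that repeats the definitions above):
# Set-FspHostNames -Expected $Desired -Names (Get-FspDrift -Expected $Desired)
```
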
There is one thing I have not touched on until now: Microsoft does not recommend hosting the FSP on a site system that accepts HTTPS connections only.
I personally think this is up for discussion and depends on your configuration and a lot of factors. I'll leave it up to you whether you want to use a dedicated server for your FSP.
Determine If You Should Install a Fallback Status Point for Configuration Manager Clients
The following log files can be of use to see what is going on:
Location | Name |
---|---|
Client | C:\windows\ccm\logs\LocationServices.log |
Client | C:\windows\ccm\logs\FSPStateMessage.log |
Site Server | C:\SMS_CCM\Logs\fspisapi.log |
Site Server | C:\SMS\Logs\fspmgr.log |
There is nothing worse than bad documentation, so if you find errors or have stuff to share please let me know and I will update this gist accordingly.
You can reach me via:
Very interesting! Thank you for this contribution, it was really useful for me!