Install SCCM Fallback Status Point: Step-by-Step Guide
Install the SCCM Fallback Status Point in under 10 minutes. Covers prerequisites, wizard steps, log verification, and FSP settings for ConfigMgr primary sites.
by Emanuel De Almeida

TL;DR
- Install the FSP via Administration > Site Configuration > Servers and Site System Roles using the Add Site System Roles wizard.
- The FSP works only on standalone primary sites and child primary sites - not on a CAS or Secondary Site.
- Verify the install with fspMSI.log; a status code of 0 confirms success.
- Leave default state-message throttle values unless you have a documented reason to change them, per Microsoft's FSP planning guidance.
- The FSP communicates over HTTP only, unauthenticated - dedicate a server to this role in production.
You can install the SCCM Fallback Status Point (FSP) role in under 10 minutes using the Add Site System Roles wizard. This guide covers every step: prerequisites, wizard configuration, PowerShell verification, and log analysis. The FSP captures status messages from Windows clients that cannot reach a management point, surfacing unmanaged devices in your deployment reports before they become a blind spot.
This matters more than it used to. CISA added CVE-2024-43468 - a CVSS 9.8 SQL injection flaw in ConfigMgr - to its Known Exploited Vulnerabilities catalog in February 2026, ordering federal agencies to patch within 21 days. Unmanaged endpoints that the FSP would have flagged are exactly the kind of gap attackers exploit: Microsoft research cited by Guardz found that 80-90% of successful ransomware attacks originate from unmanaged devices.
What Are the Prerequisites?
Meet these conditions before you start. Missing any one of them will either block the wizard or cause silent post-install failures that only appear in logs hours later.
- You hold ConfigMgr console access with Full Administrator or the Infrastructure Administrator security role.
- The target server runs a supported Windows Server version.
- The FSP installs only on a standalone primary site or child primary site - not on a Central Administration Site (CAS) or a Secondary Site.
- Microsoft recommends a dedicated server; avoid co-locating other site system roles in production environments.
- Enable these Windows Server roles and features on the target server before running the wizard:
- BITS Server Extensions (Background Intelligent Transfer Service) with all auto-selected dependencies.
- IIS with the following sub-components:
- IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility
- You have reviewed the security implications of HTTP-only, unauthenticated FSP communication and accepted that trade-off, as documented in Microsoft's FSP planning guidance.
In our experience testing this role across ConfigMgr Current Branch 2303 and 2309 lab environments, skipping the IIS 6 Metabase Compatibility component is the single most common reason the wizard completes without error but fspMSI.log reports a non-zero exit code.
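A pre-flight check for the features listed above, as an added example that is not part of the original guide. It assumes an elevated session on the target Windows Server; the function name `Test-FspPrerequisite` is hypothetical, and the feature names are the Windows Server identifiers for the components in the prerequisite list.

```powershell
# Added example: report which FSP prerequisite features are missing on a server.
# Maps Windows feature name -> the component named in the prerequisite list.
$FspFeatures = [ordered]@{
    'BITS'            = 'Background Intelligent Transfer Service'
    'BITS-IIS-Ext'    = 'BITS IIS Server Extension'
    'Web-Server'      = 'Web Server (IIS)'
    'Web-Mgmt-Compat' = 'IIS 6 Management Compatibility'
    'Web-Metabase'    = 'IIS 6 Metabase Compatibility'
}

function Test-FspPrerequisite {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $names = [string[]]$FspFeatures.Keys
    $state = Get-WindowsFeature -ComputerName $ComputerName -Name $names -ErrorAction Stop
    foreach ($name in $names) {
        $feature = $state | Where-Object Name -eq $name
        [pscustomobject]@{
            Server    = $ComputerName
            Feature   = $name
            Component = $FspFeatures[$name]
            Installed = [bool]($feature -and $feature.Installed)
        }
    }
}

$report  = Test-FspPrerequisite
$missing = @($report | Where-Object { -not $_.Installed })
$report | Format-Table -AutoSize

if ($missing.Count -gt 0) {
    # Print the fix rather than applying it, so the change goes through review.
    Write-Warning ("Missing prerequisites: {0}" -f ($missing.Feature -join ', '))
    Write-Host ("Install-WindowsFeature -Name {0}" -f ($missing.Feature -join ','))
} else {
    Write-Host 'All FSP prerequisites are installed.'
}
```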
For a parallel look at endpoint management roles that complement the FSP, see the Intune Management Extension install and verification guide.
Step 1: Open the Add Site System Roles Wizard
In the ConfigMgr console, go to Administration > Site Configuration > Servers and Site System Roles. Right-click the site system server where you want to install the FSP, then select Add Site System Roles. This launches the wizard that controls all role installation for that server.
If the target server does not appear in the list, you need to create a new site system object first - right-click the white space in the results pane and select Create Site System Server, then re-enter the wizard from that new object.
Step 2: How Do You Configure the General Tab?
On the General tab, the wizard defaults to using the site server's computer account for installation. In most environments this is correct and needs no change. If your organization requires a specific service account with delegated rights, specify it here, then click Next.
Before proceeding, confirm which account the wizard will use, then document it for your change record. The script below queries the site control file directly. It runs against ConfigMgr Current Branch 2303 and later; note that WMI-based queries like this one are being superseded by Get-CMSiteSystemServer cmdlets in newer builds - check your branch version before relying on WMI in automation.
The script returns the NetworkOSPath (the UNC server name) and RoleName for any existing FSP entries, confirming the account context in play:
```powershell
# Optional: verify the site system server account in use
# Tested on ConfigMgr Current Branch 2303+
# Note: WMI queries are deprecated in favor of Get-CMSiteSystemServer in newer builds
Get-WmiObject -Namespace "root\SMS\site_<SiteCode>" -Class SMS_SCI_SysResUse |
    Where-Object { $_.RoleName -eq "SMS Fallback Status Point" } |
    Select-Object NetworkOSPath, RoleName
```

Replace `<SiteCode>` with your actual three-character site code.
Step 3: Set the Proxy Server Tab
The Proxy tab appears next. If your environment routes site system internet traffic through a proxy, enter the proxy server details here. Most internal deployments have no proxy - leave these fields blank and click Next. Skipping this step when no proxy exists does not cause installation problems.
Step 4: Select the Fallback Status Point Role
On the System Role Selection tab, scroll the list of available roles and place a check next to Fallback Status Point. Click Next. Select only this role if you follow the recommended practice of keeping the FSP on a dedicated server. Adding additional roles here defeats the isolation that protects other services from the FSP's HTTP-only attack surface.
For context on how role isolation fits into broader endpoint management topology, the Intune Assignment Groups targeting guide shows parallel scoping decisions on the Intune side.
Step 5: How Do You Configure FSP Settings and Complete the Wizard?
The Fallback Status Point tab lets you set the number of state messages the role processes. Leave the default value unless you have a documented reason to change it. Per Microsoft's plan for the fallback status point, the defaults suit typical deployment sizes, and changing the throttle without capacity analysis can cause message queuing problems that are difficult to diagnose after the fact.
Review the Summary tab. Confirm the server name, role selection, and state message throttle value are all correct. Click Next to start installation, then Close on the Completion tab when the wizard finishes.
To audit role settings post-install, inspect them via PowerShell. This script applies to ConfigMgr Current Branch 2303 and later; consider migrating to Get-CMSiteSystemServer if your branch version supports it:
```powershell
# Retrieve FSP role properties after installation
# Tested on ConfigMgr Current Branch 2303+
Get-WmiObject -Namespace "root\SMS\site_<SiteCode>" -Class SMS_SCI_SysResUse |
    Where-Object { $_.RoleName -eq "SMS Fallback Status Point" } |
    Select-Object -ExpandProperty Props
```

Which Log Files Confirm a Successful FSP Install?
Once the wizard completes, check the FSP log files on the site system server. There are three primary logs, each serving a different diagnostic purpose:
| Log file | What it records |
|---|---|
| fspMSI.log | Installation messages; confirms success or failure |
| fspmgr.log | Ongoing activity of the FSP site system role |
| FspIsapi.log | Communications received from client computers and legacy mobile device clients |
Open fspMSI.log first. A successful installation produces output similar to this:
```
Product: ConfigMgr Fallback Status Point -- Installation operation completed successfully.
Windows Installer installed the product.
Product Name: ConfigMgr Fallback Status Point
Manufacturer: Microsoft Corporation
Installation success or error status: 0
```

An error status of 0 means the installation succeeded with no errors. A non-zero status means a failure - cross-reference the code against Windows Installer error code documentation and check fspmgr.log for role-level detail.
We confirmed this behavior against ConfigMgr 2309 in a lab environment: a missing IIS 6 Metabase component produced exit code 1603 in fspMSI.log with no error surfaced in the wizard UI itself.
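The log check described above, scripted as an added example that is not part of the original guide. The function name `Get-FspInstallStatus` is hypothetical, the sample lines are constructed from the output format shown above, and the log path is left as a placeholder because it depends on your installation.

```powershell
# Added example: extract the final Windows Installer status from fspMSI.log text.
function Get-FspInstallStatus {
    param([Parameter(Mandatory)][string[]]$LogLine)

    $pattern = 'Installation success or error status:\s*(\d+)'
    $hits = @($LogLine | Select-String -Pattern $pattern)
    if ($hits.Count -eq 0) {
        return [pscustomobject]@{ Attempts = 0; ExitCode = $null; Result = 'No status line found' }
    }

    # If the log holds more than one attempt, the last status line is the current state.
    $code = [int]$hits[-1].Matches[0].Groups[1].Value
    $result = switch ($code) {
        0       { 'Success' }
        1603    { 'Failed (1603): verify IIS 6 Metabase Compatibility, then read fspmgr.log' }
        default { "Failed ($code): look up the Windows Installer error code, then read fspmgr.log" }
    }
    [pscustomobject]@{ Attempts = $hits.Count; ExitCode = $code; Result = $result }
}

# Constructed sample: a failed first attempt followed by a successful retry.
$sample = @(
    'Product: ConfigMgr Fallback Status Point -- Installation operation failed.'
    'Installation success or error status: 1603'
    'Product: ConfigMgr Fallback Status Point -- Installation operation completed successfully.'
    'Installation success or error status: 0'
)
Get-FspInstallStatus -LogLine $sample

# Against a real server (path is a placeholder):
# Get-FspInstallStatus -LogLine (Get-Content '<path-to-logs>\fspMSI.log')
```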
You can also confirm the role appears in the console by navigating to Administration > Site Configuration > Servers and Site System Roles and verifying Fallback Status Point appears under the target server.
Why Does FSP Security Matter Right Now?
The FSP communicates over HTTP only, using unauthenticated connections and plain-text data transfer. That is by design - it must accept messages from clients that have no trust relationship with the site. But it also makes the FSP a potential target.
CISA confirmed active exploitation of CVE-2024-43468 - a CVSS 9.8 unauthenticated RCE flaw in ConfigMgr - in early 2026, underscoring that ConfigMgr infrastructure draws real attacker attention. SpecterOps documented over 20 distinct ConfigMgr attack techniques, including credential extraction and domain takeover, in its Misconfiguration Manager knowledge base, as reported by CSO Online.
The practical mitigations are straightforward:
- Dedicate a separate server to the FSP role.
- Never co-locate high-value roles (management point, software update point) on the same machine.
- Restrict network access to the FSP port to only the subnets where managed clients reside.
- Monitor FspIsapi.log for unusual message volume that could indicate scanning or abuse.
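One way to apply the network restriction with Windows Firewall on the FSP server, as an added example that is not part of the original guide. It assumes the FSP listens on TCP 80 (the default HTTP port); the subnets are constructed placeholders and the function name `Get-UnscopedInboundAllow` is hypothetical.

```powershell
# Added example. Assumptions: FSP on TCP 80; $ClientSubnets are placeholder ranges.
$FspPort       = 80
$ClientSubnets = @('10.10.0.0/16', '10.20.0.0/16')

# Find enabled inbound allow rules that expose the port to any remote address.
# Rules that cover the port through a range (for example "80-443") are not matched.
function Get-UnscopedInboundAllow {
    param([Parameter(Mandatory)][int]$Port)

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        $protoMatch = $pf.Protocol -in 'TCP', 'Any'
        $portMatch  = (@($pf.LocalPort) -contains "$Port") -or (@($pf.LocalPort) -contains 'Any')
        $openScope  = @($af.RemoteAddress) -contains 'Any'
        if ($protoMatch -and $portMatch -and $openScope) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Profile     = $_.Profile
            }
        }
    }
}

# Review these first: a scoped allow rule narrows nothing while an unscoped
# allow rule for the same port is still enabled.
$open = @(Get-UnscopedInboundAllow -Port $FspPort)
$open | Format-Table -AutoSize

# Preview the scoped rule; remove -WhatIf to create it once the list above is handled.
New-NetFirewallRule -DisplayName 'FSP HTTP - client subnets only' -Direction Inbound `
    -Protocol TCP -LocalPort $FspPort -RemoteAddress $ClientSubnets -Action Allow -WhatIf
```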
For how device management security decisions interact with compliance enforcement, see Custom Compliance Policies in Intune: Step-by-Step Guide for a parallel framework on the modern management side.
Frequently asked questions
Can I install the SCCM Fallback Status Point on a Central Administration Site?
No. The FSP role supports only standalone primary sites and child primary sites. It cannot run on a Central Administration Site or a Secondary Site. Review your site topology before deployment to confirm you are targeting a supported site type.
Does the FSP support Mac computers or mobile devices?
No. Mac computers and mobile devices managed through ConfigMgr or the Exchange Server connector do not use the FSP. The role monitors Windows computer clients specifically - those that cannot reach a management point during deployment or ongoing management.
What security risks does running an FSP introduce?
The FSP uses HTTP with unauthenticated, plain-text communication by design. This makes it a potential attack surface. Isolate it on a dedicated server, restrict network access to client subnets only, and monitor FspIsapi.log for unusual message volume that may indicate scanning.
Which log file confirms a successful FSP installation?
Open fspMSI.log on the site system server. A successful install produces 'Installation operation completed successfully' with an error status of 0. Non-zero codes indicate failure - cross-reference Windows Installer error documentation and check fspmgr.log for role-level detail.
How does the FSP relate to the ConfigMgr management point?
The FSP acts as a fallback channel for clients that cannot reach the management point. It accepts unauthenticated HTTP state messages, logs deployment status, and surfaces failures that would otherwise stay hidden. Once a client reconnects to the management point, the FSP steps back automatically.