Quick summary on how management point selection works in flexible (formerly native) mode in Configuration Manager 2012

There have been a lot of questions lately in the TechNet forums about how flexible mode works in Configuration Manager 2012 with regard to MP communication. This post summarizes how it works.

In Configuration Manager 2007 there were two modes: mixed and native. Native mode required the client to communicate with all site roles over HTTPS. Clients that could not communicate over HTTPS could not use the site, and you had to set up a separate mixed (HTTP) mode site for them. HTTPS clients could roam into an HTTP site and communicate with roles in that boundary only if HTTP fallback was enabled, and it was not enabled by default.

In Configuration Manager 2012 there is no longer a mixed mode and a native mode. HTTPS is configured per site system role, so a single site can have both an HTTPS MP and an HTTP MP. This is well covered in the documentation. What is less well understood is how a client decides which MP to communicate with.

Here is the rule: if the site has an HTTPS MP, the client has a PKI certificate that meets the site's client certificate selection settings, and the HTTPS MP is operational, the client will only communicate with an HTTPS MP. This applies even when the client is in the boundary of an HTTP MP; there is no concept of "HTTP fallback" as it existed in Configuration Manager 2007. The one exception is when the HTTPS MP is not working: after a pre-determined number of consecutive failures (as of this writing, 5) the client fails over to an HTTP MP. Note that this failover makes an HTTP MP in the same site a downgrade path: a client that cannot reach its HTTPS MP for five consecutive attempts will talk to the HTTP MP instead.

This causes difficulties where clients hold PKI-issued certificates and end up using an HTTPS MP when that is not what you want. The way to work around it is to tighten the site's client certificate selection settings so that those certificates no longer qualify: scope the allowed root CA certificates, require specific certificate selection criteria (subject name or subject alternative name attributes), or point the client at a specific certificate store. When a client has PKI-issued certificates but none of them meets the criteria, the client behaves as if it had no PKI certificate and only communicates with an HTTP MP, even if it is in the boundary of an HTTPS MP.
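To make the two rules above concrete, here is an added PowerShell example (not code from the original post or from Configuration Manager itself). The first function approximates the client certificate selection settings described above by filtering the local machine store for certificates that have a private key and the Client Authentication EKU, chain to an allowed root CA, and match a simple subject/SAN criterion; the second applies the MP selection rule, including the failover after five consecutive HTTPS failures. The store name, root CA thumbprints, subject criterion and MP names are placeholder assumptions, and the subject matching is a plain substring check rather than the product's exact matching semantics.

```powershell
# Added example: predict which MP a client will use under the selection rules
# summarized in the post. Site-setting values passed in are illustrative only.

# Step 1: does this machine hold a certificate that satisfies the site's
# client certificate selection settings?
function Get-CMQualifyingCertificate {
    param(
        [string]   $StoreName = 'My',              # site setting: certificate store (default is Personal)
        [string[]] $TrustedRootThumbprints = @(),  # site setting: allowed root CA thumbprints (empty = any)
        [string]   $SubjectMatch = $null           # site setting: subject/SAN criterion (null = none)
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'           # Client Authentication EKU must be present

    Get-ChildItem "Cert:\LocalMachine\$StoreName" | Where-Object {
        $cert = $_

        # A usable client certificate needs a private key and the client-auth EKU
        if (-not $cert.HasPrivateKey) { return $false }
        $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
        if ($ekus -notcontains $clientAuthOid) { return $false }

        # Root CA scoping: build the chain and compare the root's thumbprint
        if ($TrustedRootThumbprints.Count -gt 0) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $null = $chain.Build($cert)
            if ($chain.ChainElements.Count -eq 0) { return $false }
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if ($TrustedRootThumbprints -notcontains $root.Thumbprint) { return $false }
        }

        # Subject criterion (assumption: substring match on Subject or the SAN extension text)
        if ($SubjectMatch) {
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                   ForEach-Object { $_.Format($false) }
            if (($cert.Subject -notlike "*$SubjectMatch*") -and ("$san" -notlike "*$SubjectMatch*")) {
                return $false
            }
        }
        return $true
    }
}

# Step 2: apply the MP selection rule from the post. Boundaries play no part:
# a qualifying certificate plus a reachable HTTPS MP means HTTPS, otherwise HTTP.
function Resolve-CMManagementPoint {
    param(
        [hashtable[]] $ManagementPoints,          # @{ Name = 'mp01'; Https = $true }, ...
        [bool]        $HasQualifyingCertificate,
        [int]         $ConsecutiveHttpsFailures = 0
    )
    $failoverThreshold = 5                        # consecutive failures before falling back to HTTP

    $httpsMPs = @($ManagementPoints | Where-Object { $_.Https })
    $httpMPs  = @($ManagementPoints | Where-Object { -not $_.Https })

    if ($HasQualifyingCertificate -and $httpsMPs.Count -gt 0 -and
        $ConsecutiveHttpsFailures -lt $failoverThreshold) {
        return $httpsMPs[0]
    }
    # No qualifying certificate, no HTTPS MP, or HTTPS MP failed too often: HTTP MP
    if ($httpMPs.Count -gt 0) { return $httpMPs[0] }
    return $null                                  # nothing usable in this site
}

# Usage (assumed site settings and MP names):
$qualifying = Get-CMQualifyingCertificate -TrustedRootThumbprints @('0123456789ABCDEF0123456789ABCDEF01234567') `
                                          -SubjectMatch $env:COMPUTERNAME
$mps = @(
    @{ Name = 'MP01.contoso.com'; Https = $true  },
    @{ Name = 'MP02.contoso.com'; Https = $false }
)
$chosen = Resolve-CMManagementPoint -ManagementPoints $mps `
                                    -HasQualifyingCertificate ([bool]$qualifying) `
                                    -ConsecutiveHttpsFailures 0
"Client will use: $($chosen.Name) (HTTPS: $($chosen.Https))"
```

Run it on a client that unexpectedly uses the HTTPS MP: if Get-CMQualifyingCertificate returns a certificate under your real site settings, that certificate is why, and narrowing the root CA list or the subject criterion until it returns nothing is the workaround the post describes. Removing the HTTP MP from the site instead is the way to make Resolve-CMManagementPoint's failover branch return nothing rather than an unauthenticated HTTP MP.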

I hope this clears up a bit of confusion and offers some more insight into the different scenarios around how a client selects a MP to use.

If you have more questions, I’m happy to answer them in the comments.

Comments (1)

  1. jhlim says:

    Thanks for the article and the insight on the SCCM PKI client. I am not a PKI guy, but are you able to give more insight into the scoping of the root CA certificates, and some suggestions on what attributes or store to implement?

    Thanks in anticipation.
