Microsoft deprecated HTTP-only communication in Configuration Manager to increase security. HTTP-only communication will not be supported with the first release after Oct 31, 2022. Hence, existing infrastructure should be configured for HTTPS-based communication in ConfigMgr.
HTTPS communication can be enabled using PKI certificates. HTTPS communication is also required for the Management Point if you want to use Cloud Management Gateway (CMG) to support internet-based clients. If you are not ready for HTTPS-based communication for all clients and need an HTTPS management point for CMG only, then dedicate an SCCM management point to CMG and configure that one for HTTPS.
In this blog post, we will walk through the SSL requirements and configuration for the SCCM management point. We will use SSL certificates from Microsoft Public Key Infrastructure (PKI).
Create AD Group for ConfigMgr IIS Servers
Create an AD group named SCCM IIS Servers and add the SCCM site system server (e.g., the SCCM Management Point) as a member of this AD group. When we issue a Web server authentication certificate later, the certificate enrollment permission will be granted to this AD group.
Issue Server Authentication Certificate for SCCM IIS Site System Servers
On the server running the certification authority, open the Certification Authority console, right click Certificate Templates and select Manage.
In the Certificate Templates console, right click the Web Server template and then select Duplicate Template.
In the Duplicate Template dialog box, ensure that Windows 2003 Server Enterprise Edition is selected in Certification Authority.
In the General tab, enter the template name ConfigMgr Web Server Certificate. Change the validity period if needed.
In the Subject Name tab, select Supply in the request.
In the Security tab, remove the Enroll permission from the Enterprise Admins security group.
Choose Add, enter SCCM IIS Servers in the text box and then choose Ok.
Select the Enroll and Read permissions for this group.
Choose Ok and close the Certificate Templates console.
Back in the Certification Authority console, right click Certificate Templates, select New / Certificate Template to Issue.
In the Enable Certificate Templates dialog box, select the new template you just created, ConfigMgr Web Server Certificate, and click Ok.
Enroll Certificate on IIS Server (SCCM Management Point Site System Server)
Go to Run, type certlm.msc to open the Local Machine Certificate Store.
Right click Certificates, select All Tasks / Request New Certificate
On the page, click Next
If you see the Select Certificate Enrollment Policy page, choose Next.
On the Request Certificates page, identify the certificate which you have issued (ConfigMgr Web Server Certificate) from the list, and then select More information is required to enroll for this certificate. Choose here to configure settings.
In the Certificate Properties dialog box, in the Subject tab, under Alternative name, set:
- Type: DNS
- Value: Management Point Server FQDN
Click on Add.
Click Ok to close the Certificate Properties dialog box.
Back on the Request Certificates page, select the certificate (ConfigMgr Web Server Certificate) from the list of available certificates and click Enroll.
On the Certificates Installation Results page, wait until the certificate is installed, click Finish.
Configure IIS Default Website for SSL
The next step is to configure the web server to use the SSL certificate.
On the Management Point site system server, open Internet Information Services (IIS) Manager, right click on Default Web Site and select Edit Bindings.
On the Site Bindings window, click on Add.
On the Add Site Binding window, select https and leave IP address set to All Unassigned. Click on Select and choose the SSL certificate which you enrolled for the Management Point.
You can now see the certificate under SSL Certificate. Click on Ok to return to the Site Bindings window.
On the Site Bindings window, click on Close.
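A check that can be run once the binding is in place and before the management point is switched to HTTPS. This is an added example, not part of the original post; it assumes the SAN value entered during enrollment is the server's own FQDN and that the WebAdministration module is installed with IIS. Test-MpServerCertificate is a helper name chosen for this example.

```powershell
# Added verification example; run elevated on the management point server.
Import-Module WebAdministration

# Assumption: the SAN value entered during enrollment is this server's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-MpServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$DnsName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $problems = @()
    if (-not $Certificate.HasPrivateKey) { $problems += 'private key missing' }
    if ($Certificate.NotAfter -lt (Get-Date)) { $problems += "expired on $($Certificate.NotAfter)" }
    if ($Certificate.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) {
        $problems += 'Server Authentication EKU missing'
    }
    if ($Certificate.DnsNameList.Unicode -notcontains $DnsName) {
        $problems += "SAN does not list $DnsName"
    }
    # Chain building plus SSL policy and host name validation
    if (-not (Test-Certificate -Cert $Certificate -Policy SSL -DNSName $DnsName `
              -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)) {
        $problems += 'chain or name validation failed'
    }
    return ,$problems
}

# Find the certificate actually bound to https on Default Web Site.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding -or -not $binding.certificateHash) {
    throw 'Default Web Site has no https binding with a certificate'
}
$certPath = 'Cert:\LocalMachine\{0}\{1}' -f $binding.certificateStoreName, $binding.certificateHash
$cert = Get-Item -LiteralPath $certPath

$problems = Test-MpServerCertificate -Certificate $cert -DnsName $fqdn
if ($problems.Count -eq 0) {
    "OK: $($cert.Thumbprint) is valid for $fqdn"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```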
Configure Management Point for HTTPS
We have now completed all certificate requirements. The Management Point can now be configured for HTTPS.
Go to Site Configuration / Servers and Site System Roles and select the server with the Management Point role. Select Management Point / Properties.
Select HTTPS and click on Apply. Click Ok to close the window.
Configuration Manager will now reinstall the MP role with HTTPS. You can monitor the mpsetup.log, mpMSI.log and mpcontrol.log files to ensure that the configuration was successful and the management point is working fine in HTTPS mode.