How to Configure SCCM Management Point for HTTPS | ConfigMgr

Microsoft deprecated HTTP-only communication in Configuration Manager to increase security. HTTP-only communication will not be supported starting with the first release after Oct 31, 2022. Hence, existing infrastructure should be configured for HTTPS-based communication in ConfigMgr.

HTTPS communication can be enabled using PKI certificates. HTTPS is also required on the management point if you want to use Cloud Management Gateway (CMG) to support internet-based clients. If you are not ready to move all clients to HTTPS and need an HTTPS management point for CMG only, dedicate an SCCM management point to CMG and configure that one for HTTPS.

In this blog post, we will walk through the SSL requirements and configuration for the SCCM management point. We will use SSL certificates from Microsoft Public Key Infrastructure (PKI).

Create AD Group for ConfigMgr IIS Servers

Create an AD group named SCCM IIS Servers and add the SCCM site system servers (e.g., the SCCM Management Point) as members of this group. When we issue the web server authentication certificate later, the certificate enrollment permission will be granted to this AD group.

Issue Server Authentication Certificate for SCCM IIS Site System Servers

On the server running the certification authority, open the Certification Authority console, right-click Certificate Templates and select Manage.

In the Certificate Templates console, right-click the Web Server template and then select Duplicate Template.

In the Duplicate Template dialog box, ensure that Windows 2003 Server Enterprise Edition is selected in Certification Authority

In the General tab, enter the template name ConfigMgr Web Server Certificate. Change the validity period if needed.

In the Subject Name tab, select Supply in the request

In the Security tab, remove the Enroll permission from the Enterprise Admins security group

Choose Add, enter SCCM IIS Servers in the text box and then choose OK

Select the Enroll and Read permissions for this group

Choose OK, then close the Certificate Templates console

Back in the Certification Authority console, right-click Certificate Templates and select New / Certificate Template to Issue

In the Enable Certificate Templates dialog box, select the new template you just created, ConfigMgr Web Server Certificate, and click OK

Enroll Certificate on IIS Server (SCCM Management Point Site System Server)

Go to Run and type certlm.msc to open the Local Machine certificate store

Right click Certificates, select All Tasks / Request New Certificate

On the page, click Next

If you see the Select Certificate Enrollment Policy page, choose Next

On the Request Certificates page, identify the certificate which you have issued (ConfigMgr Web Server Certificate) from the list, and then select More information is required to enroll for this certificate. Click here to configure settings.

In the Certificate Properties dialog box, in the Subject tab

Alternative name:

o Type: DNS

o Value: Management Point Server FQDN

Click on Add

Click Ok to close the Certificate Properties dialog box

Back to Request Certificates page, select the certificate (ConfigMgr Web Server Certificate) from the list of available certificates, click Enroll.

On the Certificates Installation Results page, wait until the certificate is installed, click Finish.

Configure IIS Default Website for SSL

The next step is to configure the web server to use the SSL certificate.

On the Management Point site system server, open Internet Information Services (IIS) Manager, right-click Default Web Site and select Edit Bindings.

On the Site Bindings window, click on Add

On the Add Site Binding window, select https and leave IP address set to All Unassigned. Click Select and choose the SSL certificate which you enrolled for the Management Point.

The certificate now appears under SSL certificate. Click OK to return to the Site Bindings window.

On the Site Bindings window, click on Close
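
Before switching the management point to HTTPS, the binding and certificate configured above can be checked from PowerShell. This is an added example, not part of the original post; it assumes an elevated session on the management point with the WebAdministration and PKI modules available, and the FQDN is a placeholder.

```powershell
# Added example: checks the certificate bound to the Default Web Site on the MP.
# Assumptions: elevated session on the management point; placeholder FQDN below.
param([string]$MpFqdn = 'mp01.corp.example.com')   # placeholder, use your MP FQDN

Import-Module WebAdministration

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Locate the https binding created in IIS Manager and the certificate it points at.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) { throw 'Default Web Site has no https binding.' }

$storePath = "Cert:\LocalMachine\$($binding.certificateStoreName)"
$cert = Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
if (-not $cert) { throw "Bound certificate $($binding.certificateHash) not found in $storePath." }

$now = Get-Date
$checks = [ordered]@{
    'Private key present'        = $cert.HasPrivateKey
    'Within validity period'     = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    'Server Authentication EKU'  = $cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
    # DnsNameList exposes the DNS names from the Subject Alternative Name entered at enrollment.
    'SAN contains MP FQDN'       = $cert.DnsNameList.Unicode -contains $MpFqdn
    # Builds the chain on this server and applies the SSL policy for the given name.
    'Chain and SSL policy valid' = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $MpFqdn `
                                        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
}

# Print one PASS/FAIL line per check, then the certificate that was examined.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
"Bound certificate: $($cert.Thumbprint), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
if ($checks.Values -contains $false) {
    Write-Warning 'Fix the failed checks before switching the MP to HTTPS.'
}
```

A failed SAN or chain check here usually surfaces later as client connection errors, so it is cheaper to catch it at this stage than after the MP role reinstalls.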

Configure Management Point for HTTPS

We have now completed all certificate requirements. The Management Point can now be configured for HTTPS.

Go to Site Configuration / Servers and Site System Roles and select the server with the Management Point role. Select Management Point / Properties

Select HTTPS and click Apply. Click OK to close the window.

Configuration Manager will now reinstall the MP role with HTTPS. You can monitor the mpsetup.log, mpMSI.log and mpcontrol.log files to ensure that the configuration was successful and the management point is working in HTTPS mode.
