In this post, I will show you how to enable SCCM enhanced HTTP configuration. We will also discuss what exactly is the enhanced HTTP configuration in SCCM, how to enable it and the enhanced HTTP certificates, SMS Role SSL Certificate.

Enhance HTTP configuration feature was first introduced in SCCM 1806 as a pre-release feature. However, starting with SCCM 1810, this Enhanced HTTP feature is no longer a pre-release feature.

Recently, I published a guide on SCCM 2103 Prerequisite Check Warning about enabling site system roles for HTTPS or Enhanced HTTP. Starting with SCCM 2103 you will require to select HTTPS communication or enhanced HTTP configuration. You must plan to configure the site for HTTPS only or to use Configuration Manager-generated certificates for HTTP site systems. If you don’t select between the two you may encounter a warning during the SCCM 2103 update installation.

Install and Update Third Party Applications with Patch My PC
Install and Update Third Party Applications with Patch My PC

What is SCCM Enhanced HTTP Configuration?

SCCM Enhanced HTTP secures sensitive client communication without the need for PKI server authentication certificates. When you enable SCCM enhanced HTTP configuration in ConfigMgr, the site server generates a certificate for the management point allowing it to communicate via a secure channel. Azure Active Directory (Azure AD)-joined devices and devices with a ConfigMgr issued token can communicate with a management point configured for HTTP if you enable SCCM enhanced HTTP.

What does Microsoft recommend, HTTPS or Enhanced HTTP?

Microsoft recommends using HTTPS communication for all Configuration Manager communication paths. However implementing PKI certificates for SCCM could be challenging for some customers due to the overhead of managing PKI certificates.

Is SCCM Enhanced HTTP Configuration Secure?

Yes, the enhanced HTTP configuration is secure. When you enable Enhanced HTTP configuration in SCCM, you can secure sensitive client communication without the need for PKI server authentication certificates. Clients can securely access content from distribution points without the need for a network access account, client PKI certificate, and Windows authentication.

How to Enable SCCM Enhanced HTTP Configuration

The steps to enable SCCM enhanced HTTP are as follows:

  • Launch the SCCM console.
  • Navigate to Administration > Overview > Site Configuration > Sites.
  • Select your primary site server. Right-click the primary server and select Properties.
  • In the Communication Security tab, under Site System setting, enable the option HTTPS or enhanced HTTP.
  • Enable Use Configuration Manager-generated certificates for HTTP site systems.
Enable SCCM Enhanced HTTP Configuration
Enable SCCM Enhanced HTTP Configuration

Note: The procedure to enable enhanced HTTP Configuration in SCCM remains same for Central Administration Site as well. Use this same process, and open the properties of the central administration site. This action only enables enhanced HTTP for the SMS Provider roles at the central administration site. It’s not a global setting that applies to all sites in the hierarchy.

What happens when you enable SCCM Enhanced HTTP ?

When you enable SCCM enhanced HTTP configuration, the site server generates a self-signed certificate named SMS Role SSL Certificate. Here are the steps to access the SMS Role SSL Certificate.

  • Login to the SCCM server.
  • Click Start > Run and type the command certlm.msc.
  • Under Certificates – Local computer, expand Personal > Certificates.
  • That’s where you find the SMS Role SSL Certificate. This enhanced HTTP certificate is issued by the root SMS Issuing certificate.
SMS Role SSL Certificate - Enhanced HTTP Configuration
SMS Role SSL Certificate – Enable SCCM Enhanced HTTP Configuration

Also the management point adds this certificate to the IIS default web site bound to port 443. On the Management Point server, access the IIS Manager. Right click Default Web Site and click Edit Bindings. Select HTTPS and click Edit. In the Edit Site Binding, ensure you see SMS Role SSL Certificate under SSL Certificate option.

SMS Role SSL Certificate - Enable Enhanced HTTP Configuration
SMS Role SSL Certificate – Enable SCCM Enhanced HTTP Configuration

Monitor Enhanced HTTP Configuration in MEMCM

After you enable enhanced HTTP configuration, to see the status of the configuration, review mpcontrol.log on your management point server. I found the following lines relevant to enhanced HTTP configuration.

Successfully performed Management Point availability check against local computer.
SSL is not enabled. SMS_MP_CONTROL_MANAGER
Using thread token for request SMS_MP_CONTROL_MANAGER
Call to HttpSendRequestSync succeeded for port 80 with status code 200, text: OK SMS_MP_CONTROL_MANAGER
Http test request succeeded. SMS_MP_CONTROL_MANAGER
Enable Enhanced HTTP Configuration in SCCM
Enable SCCM Enhanced HTTP Configuration

SCCM Enhanced HTTP SMS Issuing Certificate

When you enable enhanced HTTP Configuration in SCCM, the SMS issuing certificate can also be found in ConfigMgr console. This is the self-signed certificate created by Configuration Manager for enhanced HTTP-feature.

  • Launch the Configuration Manager console.
  • Go to Administration\Overview\Security\Certificates.
  • Look for SMS Issuing Certificate.

When you right-click SMS Issuing certificate and click Properties, you may notice that certificate shows as untrusted as it is not placed in the trusted root certification authorities store. To eliminate that error, click Install Certificate and ensure you place the SMS issuing certificate in trusted root certification authorities-store.

Enable Enhanced HTTP Configuration in SCCM
Enable SCCM Enhanced HTTP Configuration

SCCM Enhanced HTTP Certificates on Server

The ConfigMgr Enhanced HTTP certificates on the server are located in the following path Certificates – Local computer > SMS > Certificates. Following are the SCCM Enhanced HTTP certificates that are created on server.

Certificate Issued ToCertificate Issued ByEnhanced HTTP Certificate Friendly Name
Site ServerSite ServerSite Server Signing Certificate
Site System IdentificationSite System IdentificationSite System Identification Certificate
SMSSMSSMS Encryption Certificate
SMSSMSSMS Signing Certificate
SMS Pin Reset EncryptionSMS Pin Reset EncryptionSMS Pin Reset Encryption Certificate
SMS ProviderSMS ProviderSMS Provider role certificate
SMS User ServiceSMS User ServiceSMS User Service Certificate
ConfigMgr Server NameSMS IssuingSMS Role SSL Certificate
SCCM Enhanced HTTP Certificates on Server
SCCM Enhanced HTTP Certificates on Server

SCCM Enhanced HTTP Certificates on Client Computers

Following are the SCCM enhanced HTTP certificates that are created on client computers. The E-HTTP certificates are located in the following path: Certificates – Local computer > SMS > Certificates.

Certificate Issued ToCertificate Issued ByEnhanced HTTP Certificate Friendly Name
SMSSMSSMS Signing Certificate
SMSSMSSMS Encryption Certificate
SCCM Enhanced HTTP Certificates on Client Computers
SCCM Enhanced HTTP Certificates on Client Computers

Still Need Help?

If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.

Prajwal Desai

Prajwal Desai is a technology expert and 10 time Dual Microsoft MVP (Most Valuable Professional) with a focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, & community leader, known for sharing his expertise & knowledge through his blog, YouTube, conferences, webinars etc.