Simple Guide to Enable SCCM Enhanced HTTP Configuration

In this post I will show you how to enable SCCM enhanced HTTP configuration. We will also discuss what exactly the enhanced HTTP configuration in SCCM is, how to enable it, and the enhanced HTTP certificates, including the SMS Role SSL Certificate.

The Enhanced HTTP configuration feature was first introduced in SCCM 1806 as a pre-release feature. However, starting with SCCM 1810, Enhanced HTTP is no longer a pre-release feature.

Recently I published a guide on the SCCM 2103 Prerequisite Check Warning about enabling site system roles for HTTPS or Enhanced HTTP. Starting with SCCM 2103, you are required to select HTTPS communication or enhanced HTTP configuration. You must plan to configure the site for HTTPS only or to use Configuration Manager-generated certificates for HTTP site systems. If you don’t select one of the two, you may encounter a warning during the SCCM 2103 update installation.

What is SCCM Enhanced HTTP Configuration?

SCCM Enhanced HTTP secures sensitive client communication without the need for PKI server authentication certificates. When you enable SCCM enhanced HTTP configuration in ConfigMgr, the site server generates a certificate for the management point, allowing it to communicate via a secure channel. Azure Active Directory (Azure AD)-joined devices and devices with a ConfigMgr-issued token can communicate with a management point configured for HTTP if you enable SCCM enhanced HTTP.

What Does Microsoft Recommend – HTTPS or Enhanced HTTP?

Microsoft recommends using HTTPS communication for all Configuration Manager communication paths. However, implementing PKI certificates for SCCM can be challenging for some customers due to the overhead of managing PKI certificates.

Is SCCM Enhanced HTTP Configuration Secure?

Yes, the enhanced HTTP configuration is secure. When you enable Enhanced HTTP configuration in SCCM, you can secure sensitive client communication without the need for PKI server authentication certificates. Clients can securely access content from distribution points without the need for a network access account, client PKI certificate, and Windows authentication.

How to Enable SCCM Enhanced HTTP Configuration

The steps to enable SCCM enhanced HTTP are as follows.

  • Launch the SCCM console.
  • Navigate to Administration > Overview > Site Configuration > Sites.
  • Select your primary site server. Right-click the Primary server and select Properties.
  • In the Communication Security tab, under Site System setting, enable the option HTTPS or enhanced HTTP.
  • Enable Use Configuration Manager-generated certificates for HTTP site systems.

NOTE

The procedure to enable enhanced HTTP configuration in SCCM remains the same for the Central Administration Site. Use the same process, but open the properties of the central administration site. This action only enables enhanced HTTP for the SMS Provider roles at the central administration site. It’s not a global setting that applies to all sites in the hierarchy.

What happens when you enable SCCM Enhanced HTTP?

When you enable SCCM enhanced HTTP configuration, the site server generates a self-signed certificate named SMS Role SSL Certificate. Here are the steps to access the SMS Role SSL Certificate.

  • Log in to the SCCM server.
  • Click Start > Run and type the command certlm.msc.
  • Under Certificates – Local computer, expand Personal > Certificates.
  • That’s where you find the SMS Role SSL Certificate. This enhanced HTTP certificate is issued by the root SMS Issuing certificate.

The management point also adds this certificate to the IIS Default Web Site binding on port 443. On the Management Point server, open IIS Manager. Right-click Default Web Site and click Edit Bindings. Select HTTPS and click Edit. In the Edit Site Binding dialog, ensure you see SMS Role SSL Certificate under the SSL Certificate option.
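
The same binding check can be done from an elevated PowerShell session on the management point. This is an added example, not part of the original post or of Configuration Manager: Test-EnhancedHttpBinding is a hypothetical helper built on the WebAdministration module, and it assumes the issuer shown on this page appears as CN=SMS Issuing in the certificate.

```powershell
# Added example: confirm the HTTPS binding on the management point uses the
# ConfigMgr-generated certificate. Test-EnhancedHttpBinding is a hypothetical helper.
Import-Module WebAdministration

function Test-EnhancedHttpBinding {
    param(
        [string]$SiteName     = 'Default Web Site',         # site named on this page
        [string]$FriendlyName = 'SMS Role SSL Certificate', # friendly name from this page
        [string]$IssuerName   = 'SMS Issuing'               # issuer named on this page
    )

    # Candidate certificates in Local computer > Personal > Certificates
    $roleCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName })

    # HTTPS bindings on the site (the page expects one on port 443)
    $bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
    if ($bindings.Count -eq 0) {
        Write-Warning "No HTTPS binding found on '$SiteName'."
        return
    }

    foreach ($b in $bindings) {
        # Compare the thumbprint bound in IIS with the role certificate(s)
        $match = $roleCerts | Where-Object { $_.Thumbprint -eq $b.certificateHash }
        [pscustomobject]@{
            Binding         = $b.bindingInformation
            BoundThumbprint = $b.certificateHash
            IsRoleCert      = [bool]$match
            # Assumption: the issuer is rendered as CN=<IssuerName>
            IssuedBySms     = [bool]($match -and $match.Issuer -like "*CN=$IssuerName*")
            NotAfter        = if ($match) { $match.NotAfter } else { $null }
            Expired         = if ($match) { $match.NotAfter -lt (Get-Date) } else { $null }
        }
    }
}

Test-EnhancedHttpBinding | Format-Table -AutoSize
```

A row with IsRoleCert set to False means the port is bound to some other certificate, which is the condition the manual check in IIS Manager is meant to catch.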


Monitor Enhanced HTTP Configuration in MEMCM

After you enable enhanced HTTP configuration, to see the status of the configuration, review mpcontrol.log on your management point server. I found the following lines relevant to enhanced HTTP configuration.

Successfully performed Management Point availability check against local computer.
SSL is not enabled. SMS_MP_CONTROL_MANAGER
Using thread token for request SMS_MP_CONTROL_MANAGER
Call to HttpSendRequestSync succeeded for port 80 with status code 200, text: OK SMS_MP_CONTROL_MANAGER
Http test request succeeded. SMS_MP_CONTROL_MANAGER
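
The log review above can be scripted. The following PowerShell is an added example, not part of the original post or of Configuration Manager: Get-MpAvailabilitySummary is a hypothetical helper, the sample input is the five lines quoted above, and the log path in the last comment is a placeholder.

```powershell
# Added example: summarize the management point self-check from mpcontrol.log.
# Get-MpAvailabilitySummary is a hypothetical helper, not a ConfigMgr cmdlet.
function Get-MpAvailabilitySummary {
    param([Parameter(Mandatory)][string[]]$Line)

    # Matches the request line quoted on this page, in CMTrace view or the raw file
    $rx = 'Call to HttpSendRequestSync succeeded for port (?<port>\d+) ' +
          'with status code (?<code>\d+), text: (?<text>\w+)'

    $summary = [ordered]@{
        SslEnabled    = $null    # stays $null unless the log states it
        Port          = $null
        StatusCode    = $null
        StatusText    = $null
        TestSucceeded = $false
    }

    # Later entries overwrite earlier ones, so the result reflects the last check
    foreach ($l in $Line) {
        if ($l -match 'SSL is not enabled') { $summary.SslEnabled = $false }
        if ($l -match $rx) {
            $summary.Port       = [int]$Matches['port']
            $summary.StatusCode = [int]$Matches['code']
            $summary.StatusText = $Matches['text']
        }
        if ($l -match 'Http test request succeeded') { $summary.TestSucceeded = $true }
    }
    [pscustomobject]$summary
}

# Sample input: the five lines quoted on this page
$sample = @(
    'Successfully performed Management Point availability check against local computer.'
    'SSL is not enabled. SMS_MP_CONTROL_MANAGER'
    'Using thread token for request SMS_MP_CONTROL_MANAGER'
    'Call to HttpSendRequestSync succeeded for port 80 with status code 200, text: OK SMS_MP_CONTROL_MANAGER'
    'Http test request succeeded. SMS_MP_CONTROL_MANAGER'
)
Get-MpAvailabilitySummary -Line $sample

# Against a real log (path is a placeholder):
# Get-MpAvailabilitySummary -Line (Get-Content '<path to>\mpcontrol.log' -Tail 500)
```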

SCCM Enhanced HTTP SMS Issuing Certificate

When you enable enhanced HTTP configuration in SCCM, the SMS Issuing certificate can also be found in the ConfigMgr console. This is the self-signed certificate created by Configuration Manager for the enhanced HTTP feature.

  • Launch the Configuration Manager console.
  • Go to Administration\Overview\Security\Certificates.
  • Look for SMS Issuing Certificate.

When you right-click the SMS Issuing certificate and click Properties, you may notice that the certificate shows as untrusted because it is not in the Trusted Root Certification Authorities store. To eliminate that error, click Install Certificate and ensure you place the SMS Issuing certificate in the Trusted Root Certification Authorities store.


SCCM Enhanced HTTP Certificates on Server

The ConfigMgr Enhanced HTTP certificates on the server are located in the following path: Certificates – Local computer > SMS > Certificates. The following SCCM Enhanced HTTP certificates are created on the server.

| Certificate Issued To | Certificate Issued By | Enhanced HTTP Certificate Friendly Name |
|---|---|---|
| Site Server | Site Server | Site Server Signing Certificate |
| Site System Identification | Site System Identification | Site System Identification Certificate |
| SMS | SMS | SMS Encryption Certificate |
| SMS | SMS | SMS Signing Certificate |
| SMS Pin Reset Encryption | SMS Pin Reset Encryption | SMS Pin Reset Encryption Certificate |
| SMS Provider | SMS Provider | SMS Provider role certificate |
| SMS User Service | SMS User Service | SMS User Service Certificate |
| ConfigMgr Server Name | SMS Issuing | SMS Role SSL Certificate |

SCCM Enhanced HTTP Certificates on Client Computers

The following SCCM Enhanced HTTP certificates are created on client computers. The E-HTTP certificates are located in the following path: Certificates – Local computer > SMS > Certificates.

| Certificate Issued To | Certificate Issued By | Enhanced HTTP Certificate Friendly Name |
|---|---|---|
| SMS | SMS | SMS Signing Certificate |
| SMS | SMS | SMS Encryption Certificate |
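
To compare a machine against the server and client certificate tables above, the SMS store can be read with the PowerShell certificate provider. This is an added example, not part of the original post or of Configuration Manager: Get-EnhancedHttpCertReport is a hypothetical helper, and the 30-day expiry window is an assumption.

```powershell
# Added example: compare a certificate store with the friendly names listed in
# the tables on this page. Get-EnhancedHttpCertReport is a hypothetical helper.
function Get-EnhancedHttpCertReport {
    param(
        [switch]$Client,                               # use the client table instead of the server table
        [string]$StorePath = 'Cert:\LocalMachine\SMS', # Local computer > SMS > Certificates
        [int]$WarnDays = 30                            # assumption: expiry warning window
    )

    # Friendly names exactly as given in the page's two tables
    $expected = if ($Client) {
        'SMS Signing Certificate', 'SMS Encryption Certificate'
    } else {
        'Site Server Signing Certificate', 'Site System Identification Certificate',
        'SMS Encryption Certificate', 'SMS Signing Certificate',
        'SMS Pin Reset Encryption Certificate', 'SMS Provider role certificate',
        'SMS User Service Certificate', 'SMS Role SSL Certificate'
    }

    $now   = Get-Date
    $certs = @(Get-ChildItem -Path $StorePath)

    foreach ($name in $expected) {
        $found = @($certs | Where-Object { $_.FriendlyName -eq $name })
        if ($found.Count -eq 0) {
            [pscustomobject]@{ FriendlyName = $name; Status = 'Missing'; Subject = $null
                               Issuer = $null; NotAfter = $null; Thumbprint = $null }
            continue
        }
        foreach ($c in $found) {
            $status = 'Present'
            if ($c.NotAfter -lt $now) { $status = 'Expired' }
            elseif ($c.NotAfter -lt $now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
            [pscustomobject]@{ FriendlyName = $name; Status = $status; Subject = $c.Subject
                               Issuer = $c.Issuer; NotAfter = $c.NotAfter; Thumbprint = $c.Thumbprint }
        }
    }
}

Get-EnhancedHttpCertReport | Format-Table -AutoSize            # site server
# Get-EnhancedHttpCertReport -Client | Format-Table -AutoSize  # client computer
```

If SMS Role SSL Certificate is reported as Missing, rerun with -StorePath 'Cert:\LocalMachine\My', since this page also locates that certificate under Personal > Certificates.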

Configuration Manager Enhanced HTTP FAQs

Here are some of the common questions related to Configuration Manager Enhanced HTTP configuration.

What is SCCM Enhanced HTTP?

The SCCM Enhanced HTTP feature secures sensitive client communication without the need for PKI server authentication certificates in SCCM.

How do I enable SCCM Enhanced HTTP Configuration?

Navigate to Administration > Overview > Site Configuration > Sites. Right-click the Primary server and select Properties. In the Communication Security tab enable the option HTTPS or enhanced HTTP. Enable Use Configuration Manager-generated certificates for HTTP site systems.

How Secure is SCCM Enhanced HTTP Configuration?

Enhanced HTTP configuration is secure. When you enable Enhanced HTTP configuration in SCCM, you can secure sensitive client communication without the need for PKI server authentication certificates. Clients can securely access content from distribution points without the need for a network access account, client PKI certificate, and Windows authentication.

What is SMS Role SSL Certificate?

The SMS Role SSL Certificate enhanced HTTP certificate is issued by the root SMS Issuing certificate. When you enable SCCM enhanced HTTP configuration, the site server generates a self-signed certificate named SMS Role SSL Certificate.

Location of SCCM Enhanced HTTP Certificates?

The SCCM Enhanced HTTP certificates are located in the following path: Certificates – Local computer > SMS > Certificates.

How can I see the status of Enhanced HTTP Configuration in SCCM?

To see the status of the Enhanced HTTP Configuration, review mpcontrol.log on the site server.


3 thoughts on “Simple Guide to Enable SCCM Enhanced HTTP Configuration”

  1. Hey there Prajwal:

    Nice article, but I do not see one thing. How do you get the Self Signed certificate that the server creates to the client machines? Does it get deployed, or do you have to do that through group policy, or is it something else entirely?

    • Hello all

      I have the same question as Kacey. Would be really interesting to know how the SMS Issuing cert gets installed on the client.

      Kind regards
      Matias
