Enable Site System Roles for HTTPS or Enhanced HTTP

During SCCM 2103 prerequisite check you encounter Enable site system roles for HTTPS or Enhanced HTTP warning. In this post I will cover how to fix this warning.

When you install or update to SCCM 2103, there are several new warning prerequisite checks added. One among them is Enable site system roles for HTTPS or Enhanced HTTP. The other one is if you have a secondary site that uses SQL Server Express edition, this check warns if the version is earlier than SQL Server 2016 with service pack 2 (13.0.5026.0).

Most of us are going to encounter the same warning during SCCM 2103 prerequisite check. Although this is a warning and will not halt your SCCM 2103 upgrade but it is important that you fix this warning. First let us understand why this warning comes up and how to fix the warning.

If you haven’t performed SCCM 2103 upgrade, here is the upgrade guide – https://www.prajwaldesai.com/sccm-2103-upgrade-guide/.

Enable site system roles for HTTPS or Enhanced HTTP

So why do we get Enable site system roles for HTTPS or Enhanced HTTP warning during SCCM 2103 prerequisite check ?. The answer is if your site is configured to allow HTTP communication without enhanced HTTP, you’ll see this warning. To improve the security of client communications, in SCCM 2103 will require HTTPS communication or enhanced HTTP. You must plan to configure the site for HTTPS only or to use Configuration Manager-generated certificates for HTTP site systems.

Here is a screenshot of what you would see during the SCCM 2103 prerequisite check. The prerequisite check passed with warnings.

SCCM 2103 Prerequisite check warning
SCCM 2103 Prerequisite check warning

If you review the ConfigMgrPrereq.log file located on root drive of site server, the entire warning is visible.

[Completed with warning] Description: HTTPS or Enhanced HTTP are not enabled for client communication. HTTP-only communication is deprecated and support will be removed in a future version of Configuration Manager. Enable a more secure communication method for the site either by enabling HTTPS or Enhanced HTTP.

SCCM 2103 Prerequisite check warning
SCCM 2103 Prerequisite check warning

Fix SCCM 2103 Prerequisite Check Warning – Enable site system roles for HTTPS or Enhanced HTTP

So how do I fix Enable site system roles for HTTPS or Enhanced HTTP warning ?. The answer is already answered in the SCCM 2103 prerequisite check warning.

  • HTTPS or Enhanced HTTP are not enabled for client communication – When I viewed the Communication Security tab of my site properties, the communication method was set to HTTPS or HTTP. Microsoft either wants you to select HTTPS only or Enhanced HTTP.
  • HTTP-only communication is deprecated and support will be removed in a future version of Configuration Manager – This is a change introduced in SCCM 2103 and going forward this will apply to all the Configuration Manager current branch releases.
  • Enable a more secure communication method for the site either by enabling HTTPS or Enhanced HTTP – To fix this warning, select HTTPS only or enhanced HTTP. If you have PKI certificates for SCCM, select HTTPS only. Other wise select Use Configuration Manager generated certificates for HTTP site systems.
Enable site system roles for HTTPS or Enhanced HTTP
Enable site system roles for HTTPS or Enhanced HTTP

I am going to select HTTPS only option here as I have the PKI certificates implemented in my setup. When I do that Use PKI client certificate when available option is greyed out.

Note – You still got an option to switch to enhanced HTTP mode whenever you require to do so.

Fix Enable site system roles for HTTPS or Enhanced HTTP Warning
Fix Enable site system roles for HTTPS or Enhanced HTTP Warning

After you make the above changes, run the SCCM 2103 prerequisite check again and the warning Enable site system roles for HTTPS or Enhanced HTTP should not appear. If you have got SCCM secondary sites, you don’t need to make any changes on them. It’s just the top level site that you need to make the changes.

Prajwal Desai

Hi, I am Prajwal Desai. For last few years I have been working on multiple technologies such as SCCM / Configuration Manager, Intune, Azure, Security etc. I created this site so that I can share valuable information with everyone.
Photo of author

13 thoughts on “Enable Site System Roles for HTTPS or Enhanced HTTP”

  1. Hi,

    I am also having PxE issues, when I enabled the Enhanced HTTP we could not get PXE boot, the device would get an IP and then reboot with a failed boot message, I remove the Enhanced HTTP and it works again.

    Please let me know which logs would be useful in troubleshooting this issue.

    Reply
  2. Hi Prajwal,

    I was wondering if you can please point me to the right directions. In our Primary Site i’ve changed from Https or http to https Only and clicked on ‘Apply’…..We now can’t image any PCs. We are stuck on ‘Start PXE over IPv4. Also, all of our devices in SCCM are showing ‘offline’ plus none of the applications in software center are visible.

    -I’ve changed the setting back to HTTP Only – But still the same result
    -Reboot the Primary Server and Site System Server – No change
    -Check IIS – But not sure what certificates are missing in Bindings.

    Any help is much appreciated.

    Thanks,
    Daniel

    Reply
    • Hi, I am also having the same issue. After navigating to Administration > Site Configuration > Sites > Properties of site > Communication Security I ticked the box that says ‘Use Configuration Manager -generated certificates for HTTP site systems.

      After ticking this box I am no longer able to PXE boot devices. The clients don’t receive a PXE response.

      Reply
  3. Okay, I have questions! Obviously a full PKI implementation is preferred but I don’t have the time to get that setup SO what happens with enhanced HTTP? Do I have to create) deploy certificates or is that automatically handled? What about existing clients? What about OSD to be machines? I don’t have a lab environment to test this stuff, I’m a longer admin doing everything in a medium-sized school..

    Reply
    • Sorry, lots of typos above, I’ll try again..
      “Okay, I have questions! Obviously a full PKI implementation is preferred but I don’t have the time to get that setup SO what happens with enhanced HTTP? Do I have to create/deploy certificates or is that automatically handled? What about existing clients? What about OSD to new machines? I don’t have a lab environment to test this stuff, I’m a lone admin doing everything in a medium-sized school..”

      Reply
        • Thanks Prajwal.

          For clarity – We can enable the option on our Primary Site and select :

          Use Configuration Manager-generated certificates for HTTP site systems

          and this option will handle all client communication requirements, for OSD, for App deployment and for management, etc.

          Is there any further action required for sites that do NOT have HTTPS or PKI setup?

          Thanks ever so much Man, Love your site!!!

          Reply
          • If you haven’t implemented PKI in your setup, you can switch to Use Configuration Manager-generated certificates for HTTP site systems. When you do that it shouldn’t affect OSD, app deployment etc. However I am seeing some comments where people are complaining that PXE boot isn’t working. I haven’t got any log files to review so I can’t comment much.

            Reply
            • Im have the same issues after update to 2103 – and the pre-req warning…
              I found that the DHCP Policies we had before was disabled and the Option 66 and 67 was unticked and empty.
              So after adding back the DHCP Policies and options, I am now stuck with the BCD 0x089 error.

              The SMSPXE log shows a
              CryptVerifySignature failed, 80090006 error
              followed by
              untrusted certificate: xxxxxx,
              PXE::MP_InitializeTransport failed; 0x80090006 PXE::MP_LookupDevice failed; 0x80070490
              PXE Provider failed to process message.
              Element not found. (Error: 80070490; Source: Windows)

              Looking at the Management Point – HTTPS was not selected. I Selected this again.
              Both the Enrollment and Enrollment Proxy Point already had HTTPS selected
              Logs now showed a slightly different error:
              PXE::MP_GetList failed; 0x80070490
              PXE::MP_LookupDevice failed; 0x80070490
              PXE::MP_ReportStatus failed; 0x80070490
              PXE Provider failed to process message.
              Element not found. (Error: 80070490; Source: Windows)

              The Management point seems to revert back to HTTP.
              The log also continues to show
              Using Management Point: http://
              and
              CLibSMSMessageWinHttpTransport::Send: WinHttpOpenRequest – URL: :80 GET /SMS_MP/.sms_aut?MPKEYINFORMATIONEX

              PS: I reinstalled PXE / WDS a few times with no benefit to this.

              So maybe the underlaying issue is a SCCM installation not setup properly for HTTPS?

              Reply
              • Hi AJ, did you or anyone get this resolved? I am upgrading to 2103 and need to know this for my org as we use PXE and it cannot go down whatsoever. Thanks.

                Reply

Leave a Comment