Applies to: Configuration Manager (current branch)
This feature was first introduced in version 1806 as a pre-release feature. Beginning with version 1810, this feature is no longer a pre-release feature.
Microsoft recommends using HTTPS communication for all Configuration Manager communication paths, but it's challenging for some customers due to the overhead of managing PKI certificates.
Configuration Manager version 1806 includes improvements to how clients communicate with site systems. There are two primary goals for these improvements:
You can secure sensitive client communication without the need for PKI server authentication certificates.
Clients can securely access content from distribution points without the need for a network access account, client PKI certificate, and Windows authentication.
All other client communication is over HTTP. Enhanced HTTP isn't the same as enabling HTTPS for client communication or a site system.
PKI certificates are still a valid option for customers with the following requirements:
- All client communication is over HTTPS
- Advanced control of the signing infrastructure
Also, If you're already using PKI, the PKI cert bound in IIS will be used even if enhanced HTTP is turned on.
The following scenarios benefit from these improvements:
Scenario 1: Client to management point
Azure Active Directory (Azure AD)-joined devices and devices with a Configuration Manager issued token can communicate with a management point configured for HTTP if you enable enhanced HTTP for the site. With enhanced HTTP enabled, the site server generates a certificate for the management point allowing it to communicate via a secure channel.
This scenario does not require using an HTTPS-enabled management point but it is supported as an alternative to using enhanced HTTP. For more information on using an HTTPS-enabled management point, see Enable management point for HTTPS.
Scenario 2: Client to distribution point
A workgroup or Azure AD-joined client can authenticate and download content over a secure channel from a distribution point configured for HTTP. These types of devices can also authenticate and download content from a distribution point configured for HTTPS without requiring a PKI certificate on the client. It's challenging to add a client authentication certificate to a workgroup or Azure AD-joined client.
This behavior includes OS deployment scenarios with a task sequence running from boot media, PXE, or Software Center. For more information, see Network access account.
Scenario 3: Azure AD device identity
An Azure AD-joined or hybrid Azure AD device without an Azure AD user signed in can securely communicate with its assigned site. The cloud-based device identity is now sufficient to authenticate with the CMG and management point for device-centric scenarios. (A user token is still required for user-centric scenarios.)
The following Configuration Manager features support or require enhanced HTTP:
- Cloud management gateway
- OS deployment without a network access account
- Enable co-management for new internet-based Windows 10 devices
- App approvals via email
- Administration service
- View recently connected consoles
The software update point and related scenarios have always supported secure HTTP traffic with clients as well as the cloud management gateway. It uses a mechanism with the management point that's different from certificate- or token-based authentication.
A management point configured for HTTP client connections. Set this option on the General tab of the management point role properties.
A distribution point configured for HTTP client connections. Set this option on the Communication tab of the distribution point role properties. Don't enable the option to Allow clients to connect anonymously.
Onboard the site to Azure AD for cloud management.
For Scenario 3 only: A client running Windows 10 version 1803 or later, and joined to Azure AD. The client requires this configuration for Azure AD device authentication.
Configure the site
In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Select the site and choose Properties in the ribbon.
Switch to the Client Computer Communication tab.
Starting in version 1906, this tab is called Communication Security.
Select the option for HTTPS or HTTP. Then enable the option to Use Configuration Manager-generated certificates for HTTP site systems.
Wait up to 30 minutes for the management point to receive and configure the new certificate from the site.
Starting in version 1902, you can also enable enhanced HTTP for the central administration site. Use this same process, and open the properties of the central administration site. This action only enables enhanced HTTP for the SMS Provider roles at the central administration site. It's not a global setting that applies to all sites in the hierarchy.
You can see these certificates in the Configuration Manager console. Go to the Administration workspace, expand Security, and select the Certificates node. Look for the SMS Issuing root certificate, as well as the site server role certificates issued by the SMS Issuing root.
For more information on how the client communicates with the management point and distribution point with this configuration, see Communications from clients to site systems and services.
Validate the certificate
When you enable enhanced HTTP, the site server generates a self-signed certificate named SMS Role SSL Certificate. This certificate is issued by the root SMS Issuing certificate. The management point adds this certificate to the IIS default web site bound to port 443.
To see the status of the configuration, review mpcontrol.log.