Applies to: System Center Configuration Manager (Current Branch)
This feature was first introduced in version 1806 as a pre-release feature. Beginning with version 1810, this feature is no longer a pre-release feature.
Microsoft recommends using HTTPS communication for all Configuration Manager communication paths, but it's challenging for some customers due to the overhead of managing PKI certificates.
Configuration Manager version 1806 includes improvements to how clients communicate with site systems. There are two primary goals for these improvements:
- You can secure sensitive client communication without the need for PKI server authentication certificates.
- Clients can securely access content from distribution points without the need for a network access account, client PKI certificate, and Windows authentication.
All other client communication is over HTTP. Enhanced HTTP isn't the same as enabling HTTPS for client communication or a site system.
PKI certificates are still a valid option for customers with the following requirements:
- All client communication is over HTTPS
- Advanced control of the signing infrastructure
The following scenarios benefit from these improvements:
Scenario 1: Client to management point
Azure Active Directory (Azure AD)-joined devices can communicate with a management point configured for HTTP. The site server generates a certificate for the management point allowing it to communicate via a secure channel.
This behavior is a change from Configuration Manager current branch version 1802, which required an HTTPS-enabled management point for Azure AD-joined clients communicating through a cloud management gateway. For more information, see Enable management point for HTTPS.
Scenario 2: Client to distribution point
A workgroup or Azure AD-joined client can authenticate and download content over a secure channel from a distribution point configured for HTTP. These types of devices can also authenticate and download content from a distribution point configured for HTTPS without requiring a PKI certificate on the client. It's challenging to add a client authentication certificate to a workgroup or Azure AD-joined client.
This behavior includes OS deployment scenarios with a task sequence running from boot media, PXE, or Software Center. For more information, see Network access account.
Scenario 3: Azure AD device identity
An Azure AD-joined or hybrid Azure AD device without an Azure AD user signed in can securely communicate with its assigned site. The cloud-based device identity is now sufficient to authenticate with the CMG and management point for device-centric scenarios. (A user token is still required for user-centric scenarios.)
The following Configuration Manager features support or require enhanced HTTP:
- Cloud management gateway
- OS deployment without a network access account
- Enable co-management for new internet-based Windows 10 devices
- App approvals via email
- Administration service
- View recently connected consoles
The software update point and related scenarios have always supported secure HTTP traffic with clients as well as the cloud management gateway. It uses a mechanism with the management point that's different from certificate- or token-based authentication.
Prerequisites
- A management point configured for HTTP client connections. Set this option on the General tab of the site system role properties.
- A distribution point configured for HTTP client connections. Set this option on the General tab of the site system role properties. Don't enable the option to Allow clients to connect anonymously.
- Onboard the site to Azure AD for cloud management.
  - If you've already met this prerequisite for your site, you need to update the Azure AD application. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select Azure Active Directory Tenants. Select the Azure AD tenant, select the web application in the Applications pane, and then select Update application setting in the ribbon.
- For Scenario 3 only: A client running Windows 10 version 1803 or later, and joined to Azure AD. The client requires this configuration for Azure AD device authentication.
Configure the site
In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Select the site and choose Properties in the ribbon.
Switch to the Client Computer Communication tab.
Starting in version 1906, this tab is called Communication Security.
Select the option for HTTPS or HTTP. Then enable the option to Use Configuration Manager-generated certificates for HTTP site systems.
Wait up to 30 minutes for the management point to receive and configure the new certificate from the site.
Starting in version 1902, you can also enable enhanced HTTP for the central administration site. Use this same process, and open the properties of the central administration site. This action only enables enhanced HTTP for the SMS Provider roles at the central administration site. It's not a global setting that applies to all sites in the hierarchy.
You can see these certificates in the Configuration Manager console. Go to the Administration workspace, expand Security, and select the Certificates node. Look for the SMS Issuing root certificate, as well as the site server role certificates issued by the SMS Issuing root.
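As an added check that is not part of the Configuration Manager documentation, the following PowerShell enumerates the certificates issued by the SMS Issuing root on a site system, so you can confirm that a management point or distribution point has received its Configuration Manager-generated certificate and see when it expires. The issuer substring and the certificate stores searched are assumptions; the console's Certificates node remains the authoritative view.

```powershell
# Added check (not from the Configuration Manager docs). Run in an elevated
# session on the site server, management point, or distribution point.
# Assumptions: the issuer name contains "SMS Issuing" (as shown in the console)
# and the certificates live in one of the LocalMachine stores listed below.
function Get-EnhancedHttpCertificate {
    [CmdletBinding()]
    param(
        # Issuer substring to match; "SMS Issuing" is the root name the console shows.
        [string]$IssuerPattern = 'SMS Issuing',
        # Flag certificates that expire within this many days.
        [int]$WarnDays = 30
    )
    # Stores to search; 'SMS' is assumed to hold Configuration Manager signing certs.
    $stores = 'My', 'Root', 'CA', 'SMS'
    $found = foreach ($store in $stores) {
        $path = "Cert:\LocalMachine\$store"
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Issuer -like "*$IssuerPattern*" } |
            ForEach-Object {
                $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
                if ($daysLeft -lt 0) { $status = 'EXPIRED' }
                elseif ($daysLeft -lt $WarnDays) { $status = 'EXPIRING' }
                else { $status = 'OK' }
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    IsRoot     = ($_.Subject -eq $_.Issuer)   # self-signed SMS Issuing root
                    Status     = $status
                }
            }
    }
    if (-not $found) {
        Write-Warning ("No certificate issued by '$IssuerPattern' found. Either enhanced HTTP " +
                       "is not enabled, or the role has not yet received its certificate " +
                       "(allow up to 30 minutes after enabling the site option).")
    }
    return $found
}

# Example usage: list the generated certificates and their expiry status.
Get-EnhancedHttpCertificate | Format-Table Store, Subject, IsRoot, Status, NotAfter -AutoSize
```

Certificates reported as EXPIRED or EXPIRING on a management point indicate the site has not renewed or redistributed them, which is worth checking before clients lose their secure channel.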
For more information on how the client communicates with the management point and distribution point with this configuration, see Communications from clients to site systems and services.