Configure security in Configuration Manager

Applies to: System Center Configuration Manager (Current Branch)

Use the information in this article to help you set up security-related options for Configuration Manager. It covers the following security options:

Configure settings for client PKI certificates

If you want to use public key infrastructure (PKI) certificates for client connections to site systems that use Internet Information Services (IIS), use the following procedure to configure settings for these certificates.

To configure client PKI certificate settings

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Select the primary site to configure.

  2. In the ribbon, choose Properties. Then switch to the Client Computer Communication tab.


    Starting in version 1906, this tab is called Communication Security.

  3. Select the settings for site systems that use IIS.

    • HTTPS only: Clients that are assigned to the site always use a client PKI certificate when they connect to site systems that use IIS.

    • HTTPS or HTTP: You don't require clients to use PKI certificates.

    • Use Configuration Manager-generated certificates for HTTP site systems: For more information on this setting, see Enhanced HTTP.

  4. Select the settings for client computers.

    • Use client PKI certificate (client authentication capability) when available: If you chose the HTTPS or HTTP site server setting, choose this option to use a client PKI certificate for HTTP connections. The client uses this certificate instead of a self-signed certificate to authenticate itself to site systems. If you chose HTTPS only, this option is automatically chosen.

    When more than one valid PKI client certificate is available on a client, choose Modify to configure the client certificate selection methods.

    For more information about the client certificate selection method, see Planning for PKI client certificate selection.

    • Clients check the certificate revocation list (CRL) for site systems: Enable this setting for clients to check your organization's CRL for revoked certificates.

    For more information about CRL checking for clients, see Planning for PKI certificate revocation.

  5. To import, view, and delete the certificates for trusted root certification authorities, choose Set.

    For more information, see Planning for the PKI trusted root certificates and the certificate issuers List.

Repeat this procedure for all primary sites in the hierarchy.

Configure signing and encryption

Configure the most secure signing and encryption settings for site systems that all clients in the site can support. These settings are especially important when you let clients communicate with site systems by using self-signed certificates over HTTP.

To configure signing and encryption for a site

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Select the primary site to configure.

  2. In the ribbon, select Properties, and then switch to the Signing and Encryption tab.

    This tab is available on a primary site only. If you don't see the Signing and Encryption tab, make sure that you're not connected to a central administration site or a secondary site.

  3. Configure the signing and encryption options for clients to communicate with the site.

    • Require signing: Clients sign data before sending to the management point.

    • Require SHA-256: Clients use the SHA-256 algorithm when signing data.


    Don't Require SHA-256 without first confirming that all clients support this hash algorithm. These clients include ones that might be assigned to the site in the future.

    If you choose this option, and clients with self-signed certificates can't support SHA-256, Configuration Manager rejects them. The SMS_MP_CONTROL_MANAGER component logs the message ID 5443.

    • Use encryption: Clients encrypt client inventory data and status messages before sending to the management point. They use the 3DES algorithm.

Repeat this procedure for all primary sites in the hierarchy.

Configure role-based administration

Role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. A scope includes the objects that a user can view in the console, and the tasks related to those objects that they have permission to do. Role-based administration configurations are applied at each site in a hierarchy.

For more information, see Configure role-based administration. This article details the following actions:

  • Create custom security roles

  • Configure security roles

  • Configure security scopes for an object

  • Configure collections to manage security

  • Create a new administrative user

  • Modify the administrative scope of an administrative user


Your own administrative scope defines the objects and settings that you can assign when you configure role-based administration for another administrative user. For information about planning for role-based administration, see Fundamentals of role-based administration.

Manage accounts that Configuration Manager uses

Configuration Manager supports Windows accounts for many different tasks and uses. To view accounts that are configured for different tasks, and to manage the password that Configuration Manager uses for each account, use the following procedure:

To manage accounts that Configuration Manager uses

  1. In the Configuration Manager console, go to the Administration workspace, expand Security, and then choose the Accounts node.

  2. To change the password for an account, select the account in the list. Then choose Properties in the ribbon.

  3. Choose Set to open the Windows User Account dialog box. Specify the new password for Configuration Manager to use for this account.


    The password that you specify must match this account's password in Active Directory.

For more information, see Accounts used in Configuration Manager.

Configure Azure Active Directory

Integrate Configuration Manager with Azure Active Directory (Azure AD) to simplify and cloud-enable your environment. Enable the site and clients to authenticate by using Azure AD. For more information, see the Cloud Management service in Configure Azure services.

Configure SMS Provider authentication

Starting in version 1810, you can specify the minimum authentication level for administrators to access Configuration Manager sites. This feature enforces administrators to sign in to Windows with the required level. For more information, see Plan for the SMS Provider.

See also