How To Configure PKI for Microsoft SCCM to Use HTTPS/SSL Instead of HTTP

In this step-by-step guide, we walk through switching SCCM from HTTP to HTTPS. Justin Chalfant, a software engineer at Patch My PC and former SCCM Premier Field Engineer at Microsoft, presents the video guide.

In this guide, we cover installing a Microsoft certification authority with Active Directory Certificate Services, creating the certificate templates for SCCM, deploying those templates, requesting certificates on the site system(s) and client(s), creating an auto-enrollment GPO for clients, switching the site systems to HTTPS, configuring WSUS to require HTTPS, and verifying that clients communicate with the site over HTTPS.

Topics in This Video:

Introduction - (0:00)
Install Active Directory Certificate Services - (0:30)
Create Certificate Templates for SCCM - (4:56)
Create Auto-Enroll GPO for the Client Certificate - (10:54)
Requesting the IIS and DP/OSD Certificate on the IIS Site System - (12:02)
Bind Requested Certificate to Site in IIS for Default and WSUS Website - (16:01)
Configure WSUS to Require SSL - (17:36)
Configure DP, MP, and SUP to use SSL - (19:36)
Verify Client Received Client Certificate and SCCM Client Changes to SSL - (28:35)
Wrap-up - (32:36)
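Once the steps above are done, the following PowerShell script is an added verification pass; it is not part of the video or of Patch My PC's material. It assumes a site system FQDN of cm01.corp.contoso.com and a root CA subject of CN=Contoso Root CA (both placeholders to replace), and it checks from a domain-joined client what each step should have produced: the enterprise root CA in the Trusted Root store, an auto-enrolled machine certificate carrying the Client Authentication EKU, a Server Authentication certificate on the site system's 443 binding with a clean chain, the management point answering over HTTPS, the WSUS require-SSL marker (only meaningful when run on the SUP itself), and the Schannel ClientAuthTrustMode value that one commenter below had to set before clients switched to the PKI certificate.

```powershell
# Added verification script; not from the video. Names below are assumptions.
param(
    [string]$SiteSystemFqdn = 'cm01.corp.contoso.com',  # assumed MP/DP/SUP FQDN
    [string]$RootCaSubject  = 'CN=Contoso Root CA'      # assumed enterprise root CA subject
)

$results = [ordered]@{}

# Returns $true when the certificate carries the given Enhanced Key Usage OID.
function Test-Eku($cert, $oid) {
    $ext = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $oid })
}

# 1. Enterprise root CA in the local computer's Trusted Root store. Without it the
#    client (and a PXE boot image, per the Client Computer Communication tab step)
#    will not trust the MP/DP certificates.
$results['RootCaTrusted'] = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootCaSubject })

# 2. Auto-enrolled machine certificate: private key present, not expired, and the
#    Client Authentication EKU (1.3.6.1.5.5.7.3.2) that the client template grants.
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-Eku $_ '1.3.6.1.5.5.7.3.2')
} | Sort-Object NotAfter -Descending | Select-Object -First 1
$results['ClientAuthCert'] = if ($clientCert) { $clientCert.Thumbprint } else { 'missing' }

# 3. No certificate yet: trigger autoenrollment now instead of waiting for the next
#    Group Policy refresh (same effect as the MMC action "Automatically Enroll and
#    Retrieve Certificates").
if (-not $clientCert) { certutil.exe -pulse | Out-Null }

# 4. TLS handshake to the site system. The callback records chain errors so they
#    can be reported; it only affects this diagnostic connection.
$script:sslErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:sslErrors = $errors
    $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($SiteSystemFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($SiteSystemFqdn)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $results['ServerCertSubject'] = $serverCert.Subject
    $results['ServerCertIssuer']  = $serverCert.Issuer
    $results['ServerChainErrors'] = "$script:sslErrors"   # 'None' is the goal
    $results['ServerAuthEku']     = Test-Eku $serverCert '1.3.6.1.5.5.7.3.1'
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 5. Management point health URL over HTTPS. mplist is the MP's standard check;
#    a 403 here while a valid client cert exists usually means the MP does not
#    trust that cert (wrong CA, or root not set in Client Computer Communication).
$req = @{ Uri = "https://$SiteSystemFqdn/sms_mp/.sms_aut?mplist"; UseBasicParsing = $true }
if ($clientCert) { $req['Certificate'] = $clientCert }
try   { $results['MpListOverHttps'] = (Invoke-WebRequest @req).StatusCode }
catch { $results['MpListOverHttps'] = $_.Exception.Message }

# 6. WSUS require-SSL marker written by "wsusutil configuressl" (present only on
#    the SUP server; skipped elsewhere).
$wsusKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
if (Test-Path $wsusKey) {
    $results['WsusUsingSsl'] = ((Get-ItemProperty $wsusKey).UsingSSL -eq 1)
}

# 7. Schannel ClientAuthTrustMode: 0/absent = machine trust (default),
#    1 = exclusive root trust, 2 = exclusive CA trust.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$results['ClientAuthTrustMode'] = (Get-ItemProperty $schannel -ErrorAction SilentlyContinue).ClientAuthTrustMode

[pscustomobject]$results
```

Run it as an administrator on a client and again on the site system; the two sets of results together tell you which step of the procedure, if any, did not take effect.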

Other Resources:

#SCCM #ConfigMgr #HTTPS
Comments

5 years later, this video is still saving jobs

samnnamani

This is by far the best SCCM video series I have come across. Thanks so much for the high quality detailed videos :)

charlesludlow

I refer your video to all my customers. You have become the number 1 go-to for PKI.

Ihab.A

There was an important step missed here that will become an issue when attempting to do OS deployments using PXE. At around 20:00 in this video the Trusted Root Certificate Authorities certificate was not set in Site Properties -> Client Computer Communication tab. This will cause the PXE client to fail to securely communicate with the Management Point and will be unable to retrieve the necessary policies for OS deployment.

Using the Certificates MMC snapin in the local computer context, export your enterprise RootCA certificate in the DER encoded binary X.509 (.CER) format. Add the exported certificate on the Client Computer Communication tab by clicking Set next to Trusted Root Certification Authorities, and then restart the Web Deployment Services Server service on the Distribution Point server.

Note that it is not necessary to set any IntermediateCA certificates. Only the RootCA is required.

thesammyjenkinsexperience

Nice Step by Step Video. The only issue that I ran into was for deployment task sequences. I needed to add the Trusted Root Certification Authority to my Site Properties Communication Security, so that the DP certificate was trusted.

pedepie

I'm about to start a new SCCM deployment for my organization after not having gone through the process for 5 years (and that time I had the assistance of a PFE to get up and running). This series of videos is incredibly helpful to use as a reference for my upcoming build. Also a big fan of Patch My PC, great service that helps a ton with my third-party patch deployment... not sure how I'd get by without it :-)

Thanks a ton!

ddiemont

Thank you!
This just helped me prepare my SCCM environment for the coming change where HTTP communication will be deprecated.
I will sleep like a baby tonight.

VerbalSnyting

Dear Justin, You really helped me. My heart is always with you.

pstz_

Just adding my two cents to maybe help others, since this guide got me over the hump... With the rapid changes going on in Azure/Intune, I wanted to point out that these steps still work as of 10/2020. Although there were two snags I had to work out:
(1) After requesting the IIS Web cert on my MECM server, I had to go back and find the request on my CA, in the "Pending Requests" node, right-click and choose "Issue" to actually issue the cert to the MECM server. Then I had to go to the MECM server's Certs.MMC, right-click the top node (Certificates (Local Computer)) > All Tasks > Automatically Enroll and Retrieve Certificates... Finally, the IIS Web cert showed up on my MECM server.
(2) With all steps completed, my clients were still using self-signed certs (second line on the General tab of the CfgMgr client properties) and wouldn't switch to the PKI cert. I had to go to the MECM server registry and add the following key: ClientAuthTrustMode (DWORD) = 2. A reboot was required before my clients finally used the PKI cert.
I'm still getting an error in EventViewer but not sure of its impact. "A fatal error occurred while creating a TLS client credential. The internal error state is 10013."

bahnjee

Great video series. What's holding me here is the video's minute detail. I'm able to learn more things, which will certainly add value next time I configure SCCM. Thanks.

gafoorgk

Great walkthrough. I've used your videos to go from noob to intermediate level SCCM support! I do have an issue that arose though and I can't seem to figure it out, even with all the main forums for SCCM engineers blasted with the issue.

I'm getting a "DP not installed or configured yet" error when I try to create a new DP from the site. It was working prior to December 2023 just fine, then just stopped replicating content. After initial troubleshooting, I couldn't narrow it down to the site server, so since it was a brand new DP (not even in production yet really), I just recreated a new DP on another machine, and got the same error. I have checked all of the prerequisites for DP on the new computer. I have removed/re-added the DP and site system server more times than I can count. I have made sure the site server computer account was in the local administrators group on the DP. The first error in distmgr.log is the one above, then it's followed by errors saying it couldn't copy the ContentAuthModule.lib to the DP. Then it says it can't copy ISAPI extensions. When I first kick off the DP add, the SCCM Content Lib folder is created on the DP, but nothing ever goes inside of it.

I know this sounds like an easy "remove/re-add permissions to site server local admin group and/or specific site server computer account to local admin", but it's not working. 4 weeks I've been banging my head on this and my company is too small to have a Premier Support account with Microsoft, nor will they pay anyone to come fix it as "you're our guru" they say to me as they pay me intermediate level moneys :)

Any insight would be amazing from anyone really.

dvgkjcz

Thank you so much, I struggled for a long time making everything work. Now it works perfectly!!

blop-mlxc

Excellent step-by-step. Very much appreciated!

davidsirrine

Wonderful presentation. I read the MS docs that run parallel to this and your work just put it all in focus. Appreciate it!

sixfishinc

Nice job on these videos! The names on my templates are slightly different. For example, instead of mine being called "SCCM IIS Certificate", I have mine called "MECM IIS Certificate", because of the newer name for SCCM.

IanGSully

You saved me days of search and troubleshooting. Thank you!

esquerdino

Just wanted to add a note about the client auth certificate version. I don't think a 2003 version is a requirement any longer. Our client certs use a 2012 version and everything is working correctly. We're currently running CB 1810.

adamgloyd

Excellent video, it helped me configure SCCM 2019 in my environment.

ganapathys

Thank you so much for all these videos. They are extremely valuable.

cheeseynz

You're so damn good Justin :) really awesome and amazing detailed videos.

mahmoudsami