Let’s look in more detail at how to enable ConfigMgr Enhanced HTTP configuration. This guide explains the ConfigMgr eHTTP configuration for your SCCM environment.
This is critical when you don’t use HTTPS communication and PKI for your SCCM infra. Enhanced HTTP has drawn more interest since the release of the 2103 version of ConfigMgr.
Microsoft recommends using PKI certificate-based HTTPS communication because PKI provides more granular controls and enterprise-class security standards.
PKI certificates are still a valid option for customers. If you are already using PKI, you still use the PKI cert binding in IIS even if enhanced HTTP is turned on. Configuration Manager improved how clients communicate with site systems, making the traffic more secure through encryption.
You can secure sensitive client communication with a self-signed certificate created by Configuration Manager (a.k.a. SCCM). The SCCM self-signed certificate is the option that helps to secure sensitive traffic between client and server.
What is ConfigMgr Enhanced HTTP (ehttp)
Enhanced HTTP is a self-signed certificate solution provided by ConfigMgr server for its clients and services to have secured communication without the complex PKI implementation. If you are not using HTTPS, the best way is to get started with an enhanced HTTP option.
Once you have enhanced HTTP (e-HTTP), you don’t necessarily need to build a very complex PKI infrastructure to enable certificate authentication between client and server. But if you have more complex certificate management requirements, you can implement HTTPS with Microsoft PKI.
What are the SCCM eHttp Features?
The following are the scenarios supported by enhanced HTTP (SCCM ehttp) communication with Configuration Manager. I think Microsoft will support all the ConfigMgr (a.k.a SCCM) scenarios with enhanced HTTP because they already announced the retirement of HTTP-only communication between client and server.
- Client to Management Point (This scenario does not require using an HTTPS-enabled MP)
- BitLocker recovery key-related communications
- Client to Distribution Point
- SMS Provider
- Administration Service
- App Approvals via email
- Recently connected consoles
- CMG – Cloud Management Gateway
- OSD without Network Access Account
- Enable Co-Management for NEW internet-connected Intune-managed Windows 10 devices.
NOTE! – SUP (Software Update Point) related communications are already supported to use secured HTTP. It uses a token-based authentication mechanism with the management point (MP). More details in Microsoft Docs.
How to Enable SCCM Enhanced HTTP (ehttp)
Let’s see how to enable the enhanced HTTP (eHTTP) option for your ConfigMgr infrastructure.
- Navigate to \Administration\Overview\Site Configuration\Sites
- Select the primary site from the site node.
- Right-click on the Primary server and go to properties.
- Click on the Communication Security tab.
- Select the option for HTTPS or HTTP.
- Also, enable the option Use Configuration Manager-generated certificates for HTTP site systems.
NOTE! – The Enhanced HTTP action only enables enhanced HTTP for the SMS Provider roles when you enable this option from the central administration site (a.k.a CAS server). It’s not a global setting that applies to all child primary sites in the hierarchy.
ConfigMgr Console EHttp Certificate
Now, let’s check the certificates node to confirm whether you can see the SMS Issuing certificate.
- Navigate to \Administration\Overview\Security\Certificates
- Search for SMS Issuing certificate. This is the self-signed certificate created by Configuration Manager for the enhanced HTTP features.
Server Side SCCM eHttp Certificates
Now, let’s go to the MMC console and check which certificates have been created & used by SCCM. I can see the following certificates on my SCCM primary server with my lab configuration.
- Launch MMC from RUN.
- Add Certificates.
- Select Computer Account from the Certificates snap-in and click on the Next button to continue.
You can now navigate the SMS folder and view the certificates related to Configuration Manager and Enhanced HTTP.
- SMS Role SSL Certificate
- SMS Encryption Certificate
- SMS Signing Certificate
- SMS Pin Reset Encryption Certificate
- SMS Provider role certificate
- SMS User Service Certificate
Client-Side SCCM eHttp Certificates
After enabling enhanced HTTP, let’s check the self-signed certificates available on the Windows 10 client device. I could see 2 (two) types of certificates on my Windows 10 device.
- SMS Encryption Certificate
- SMS Signing Certificate
NOTE! – I’m not 100% sure whether these are ehttp certificates or general SCCM/ConfigMgr certs or not. Let me know your experience in the comments section.
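The same check as the MMC walkthrough above can be scripted on a site server or a client. This is an added example, not part of the original post: it inventories the SMS certificate store, flags self-signed and expiring certificates, and reports which of the client-side names listed above are absent. The store path Cert:\LocalMachine\SMS, the match on FriendlyName, and the 30-day threshold are assumptions.

```powershell
# Added example: inventory the ConfigMgr certificates in the local machine "SMS" store.
# Assumptions: the store is exposed as Cert:\LocalMachine\SMS, and the names shown on
# this page appear in each certificate's FriendlyName property.
function Get-SmsCertReport {
    param(
        [string]$Path = 'Cert:\LocalMachine\SMS',
        [int]$WarnDays = 30          # hypothetical "expiring soon" threshold
    )
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Store $Path not found; is this a ConfigMgr client or site system?"
        return
    }
    $now = Get-Date
    Get-ChildItem -Path $Path | ForEach-Object {
        $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
        if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays)  { $status = 'EXPIRING' }
        else                              { $status = 'OK' }
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            Subject      = $_.Subject
            # Self-signed certificates have identical subject and issuer names
            SelfSigned   = ($_.Subject -eq $_.Issuer)
            SigAlg       = $_.SignatureAlgorithm.FriendlyName
            NotAfter     = $_.NotAfter
            DaysLeft     = $daysLeft
            Status       = $status
            Thumbprint   = $_.Thumbprint
        }
    }
}

$report = @(Get-SmsCertReport)
$report | Sort-Object DaysLeft |
    Format-Table FriendlyName, SelfSigned, SigAlg, DaysLeft, Status -AutoSize

# Names taken from the client-side list on this page
$expected = 'SMS Encryption Certificate', 'SMS Signing Certificate'
$missing  = $expected | Where-Object { $_ -notin $report.FriendlyName }
if ($missing) {
    Write-Warning ('Not found in SMS store: ' + ($missing -join ', '))
}
```

Run it from an elevated PowerShell session; on a site server, extend `$expected` with the server-side names listed earlier.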
Let’s have a quick walkthrough of Enhanced HTTP FAQs.
What is ConfigMgr Enhanced HTTP?
A self-signed certificate managed by the ConfigMgr server.
Which is the better option, HTTPS or Enhanced HTTP?
Enhanced HTTP (ehttp) is the best option when you don’t have HTTPS/PKI with your current implementation.
Any Challenges with Enhanced HTTP (ehttp) Option?
NO. I don’t see any challenges with the eHTTP option.
How many Enhanced HTTP (ehttp) certificates are available on the Client-side?
Two types of certificates are available as per my testing.
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.