Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

Let’s look at how to enable ConfigMgr Enhanced HTTP configuration. This guide covers the ConfigMgr eHTTP configuration for your SCCM environment, which is critical when you don’t use HTTPS communication and PKI for your SCCM infrastructure. Enhanced HTTP became more interesting after the release of the 2103 version of ConfigMgr.

Microsoft recommends using PKI certificate-based HTTPS communication because PKI provides more granular controls and more enterprise-class security standards. PKI certificates are still a valid option for customers. If you are already using PKI, the PKI certificate binding in IIS is still used even if enhanced HTTP is turned on.

Configuration Manager has improved how clients communicate with site systems, securing the traffic with encryption. You can secure sensitive client communication with a self-signed certificate created by Configuration Manager (a.k.a. SCCM). This self-signed certificate is the option that secures sensitive traffic between client and server.

Related Post: ConfigMgr HTTP only Client Communication Is Going Out Of Support | SCCM How To Manage Devices & Management Insight to evaluate HTTPS connection.

What is ConfigMgr Enhanced HTTP


Enhanced HTTP is a self-signed certificate solution that the ConfigMgr server provides so that its clients and services can communicate securely without a complex PKI implementation. If you are not using HTTPS, the best way to get started is with the enhanced HTTP option.

Once you have enhanced HTTP (e-HTTP), you don’t necessarily need to build a very complex PKI infrastructure to enable certificate authentication between client and server. But if you have more complex certificate management requirements, you can implement HTTPS with Microsoft PKI.

Features

The following are the scenarios supported by enhanced HTTP communication with Configuration Manager. I think Microsoft will support all the ConfigMgr (a.k.a SCCM) scenarios with enhanced HTTP because they already announced the retirement of HTTP-only communication between client and server.

  • Client to Management Point (This scenario does not require using an HTTPS-enabled MP)
    • BitLocker recovery key-related communications

NOTE! – SUP (Software Update Point) related communications already support secured HTTP. They use a token-based authentication mechanism with the management point (MP). More details in Microsoft Docs.

How to Enable Enhanced HTTP

Let’s understand how to enable the enhanced HTTP (E-HTTP) option for your ConfigMgr infrastructure.

  • Navigate to \Administration\Overview\Site Configuration\Sites
  • Select the primary site from the Sites node.
  • Right-click on the primary server and go to Properties.
  • Click on the Communication Security tab.
  • Select the option for HTTPS or HTTP.
  • Also, enable the option Use Configuration Manager-generated certificates for HTTP site systems.

NOTE! – The Enhanced HTTP action only enables enhanced HTTP for the SMS Provider roles when you enable this option from the central administration site (a.k.a. CAS server). It’s not a global setting that applies to all child primary sites in the hierarchy.

ConfigMgr Console E-Http Certificate

Now, let’s check the Certificates node to confirm whether you can see the SMS Issuing certificate.

  • Navigate to \Administration\Overview\Security\Certificates
  • Search for the SMS Issuing certificate. This is the self-signed certificate created by Configuration Manager for the enhanced HTTP feature.

Server Side eHttp Certificates

Now, let’s go to the MMC console and check which certificates have been created & used by SCCM. I can see the following certificates on my SCCM primary server with my lab configuration.

  • Launch MMC from RUN.
  • Add Certificates.
  • Select Computer Account from the Certificates snap-in and click the Next button to continue.

You can now navigate to the SMS folder and view the certificates related to Configuration Manager and Enhanced HTTP.

  • SMS Role SSL Certificate
  • SMS Encryption Certificate
  • SMS Signing Certificate
  • SMS Pin Reset Encryption Certificate
  • SMS Provider role certificate
  • SMS User Service Certificate

Client Side eHttp Certificates

Let’s check the self-signed certificates available at the Windows 10 client device after enabling enhanced HTTP. I could see 2 (two) types of certificates on my Windows 10 device.

  • SMS Encryption Certificate
  • SMS Signing Certificate

NOTE! – I’m not 100% sure whether these are eHTTP certificates or general SCCM/ConfigMgr certs. Let me know your experience in the comments section.
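
To run the same check from PowerShell on the site server and on a client, the script below lists the computer-account SMS store with issuer, validity dates and an expiry flag, then reports which of the server-side names listed above are absent. It is an added example, not from the original article; the `Cert:\LocalMachine\SMS` path, the match on `FriendlyName`, and the 30-day threshold are assumptions.

```powershell
# Added example (not from the original article): inventory the computer-account SMS store.
# Run in an elevated session on the site server or on a client.
function Get-SmsStoreCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\SMS',  # assumed path of the "SMS" folder seen in MMC
        [int]$WarnDays = 30                             # constructed threshold, adjust as needed
    )
    if (-not (Test-Path -Path $StorePath)) {
        Write-Warning "Certificate store '$StorePath' was not found on this machine."
        return
    }
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        [pscustomobject]@{
            FriendlyName  = $_.FriendlyName
            Issuer        = $_.Issuer
            SelfSigned    = ($_.Subject -eq $_.Issuer)   # subject and issuer are the same name
            HasPrivateKey = $_.HasPrivateKey
            NotBefore     = $_.NotBefore
            NotAfter      = $_.NotAfter
            ExpiringSoon  = ($_.NotAfter -lt $now.AddDays($WarnDays))
            Thumbprint    = $_.Thumbprint
        }
    }
}

# Names as listed in this article; matching them on FriendlyName is an assumption.
$expectedNames = @(
    'SMS Role SSL Certificate', 'SMS Encryption Certificate', 'SMS Signing Certificate',
    'SMS Pin Reset Encryption Certificate', 'SMS Provider role certificate',
    'SMS User Service Certificate'
)

$certs = @(Get-SmsStoreCertificate)
$certs | Sort-Object FriendlyName, NotBefore |
    Format-Table FriendlyName, SelfSigned, HasPrivateKey, NotBefore, NotAfter, ExpiringSoon -AutoSize

# Report which of the listed names are absent (-notcontains is case-insensitive).
$present = $certs.FriendlyName
$expectedNames | Where-Object { $present -notcontains $_ } |
    ForEach-Object { Write-Output "Not present in store: $_" }
```

Comparing `NotBefore` with the date you enabled enhanced HTTP shows whether a certificate existed before the change. On a client, most of the server-side names are expected to be reported as absent.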


E-HTTP FAQs?

Let’s have a quick walkthrough of Enhanced HTTP FAQs.

  1. What is ConfigMgr Enhanced HTTP?

    A self-signed certificate managed by the ConfigMgr server.

  2. Which is the better option, HTTPS or Enhanced HTTP?

    Enhanced HTTP is the best option when you don’t have HTTPS/PKI with your current implementation.

  3. Any challenges with the Enhanced HTTP option?

    NO. I don’t see any challenges with the E-HTTP option.

  4. How many Enhanced HTTP certificates are available on the client side?

    Two types of certificates are available, as per my testing.


7 thoughts on “Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp”

  1. What process/log can we look at for troubleshooting the client install/client issues related to invalid certs after enabling enhanced HTTP? Are there any changes required on the client install properties?

  2. The certs on the Windows 10 machine were already there before I enabled enhanced HTTP on the site server. Also, I don’t see any additional certificates created on the site server or site systems. Is there anything I am missing here? Thanks in advance
