Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

Let’s learn more details about how to Enable ConfigMgr Enhanced HTTP Configuration. This guide helps you know more about the ConfigMgr eHttp configuration for your SCCM environment.

This is critical when you don’t use HTTPS communication and PKI for your SCCM infra. Enhanced HTTP is more interesting after releasing the 2103 version of ConfigMgr.

Microsoft recommends using PKI certificate-based HTTPS communication because PKI provides more granular controls and enterprise-class security standards.

PKI certificates are still a valid option for customers. If you are already using PKI, you still use PKI cert binding in IIS even if enhanced HTTP is turned on. Configuration Manager improved how clients communicate with site systems more securely with encrypted traffic.

Patch My PC

You can secure sensitive client communication with a self-signed certificate created by Configuration Manager (a.k.a SCCM). The SCCM self-signed certificate is the option that helps to ensure sensitive traffic between client and server.

Related PostConfigMgr HTTP only Client Communication Is Going Out Of Support | SCCM How To Manage Devices & Management Insight to evaluate HTTPS connection.

What is ConfigMgr Enhanced HTTP (ehttp)

Enhanced HTTP is a self-signed certificate solution provided by ConfigMgr server for its clients and services to have secured communication without the complex PKI implementation. If you are not using HTTPS, the best way is to get started with an enhanced HTTP option.

Once you have enhanced HTTP (e-HTTP), you don’t necessarily need to build a very complex PKI infrastructure to enable certificate authentication between client and server. But if you need to have more complex certificate management requirements, you can perform HTTPS implementation with Microsoft PKI.

What are the SCCM eHttp Features?

The following are the scenarios supported by enhanced HTTP (SCCM ehttp) communication with Configuration Manager. I think Microsoft will support all the ConfigMgr (a.k.a SCCM) scenarios with enhanced HTTP because they already announced the retirement of HTTP-only communication between client and server.

  • Client to Management Point (This scenario does not require using an HTTPS-enabled MP)
    • Bitlocker recovery key-related communications
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

NOTE! – SUP (Software Update Point) related communications are already supported to use secured HTTP. It uses a token-based authentication mechanism with the management point (MP). More details in Microsoft Docs.

How to Enable SCCM Enhanced HTTP (ehttp)

Let’s understand how to enable your ConfigMgr infrastructure’s enhanced HTTP (EHTTP) option.

  • Navigate to \Administration\Overview\Site Configuration\Sites
  • Select the primary site from the site node.
  • Right-click on the Primary server and go to properties.
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

Click on the Communication Security tab. Select the option for HTTPS or HTTP. Also, Enable the option to Use Configuration Manager-generated certificates for HTTP site systems.

Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

NOTE! – The Enhanced HTTP action only enables enhanced HTTP for the SMS Provider roles when you enable this option from the central administration site (a.k.a CAS server). It’s not a global setting that applies to all child primary sites in the hierarchy.

ConfigMgr Console EHttp Certificate

Now, let’s check the certificates node to confirm whether you can see the SMS Issuing certificate.

  • Navigate to \Administration\Overview\Security\Certificates
  • Search for SMS Issuing certificate. This is the self-signed certificate created by Configuration Manager for the enhanced HTTP features.
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

Server Side SCCM eHttp Certificates

Now, let’s go to the MMC console and check which certificates have been created & used by SCCM. I can see the following certificates on my SCCM primary server with my lab configuration.

  • Launch MMC from RUN.
  • Add Certificates.
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

Select Computer Account from Certificates snap-in and click on the Next button to continue.

Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

You can now navigate the SMS folder and view the certificates related to Configuration Manager and Enhanced HTTP.

  • SMS Role SSL Certificate
  • SMS Encryption Certificate
  • SMS Signing Certificate
  • SMS Pin Reset Encryption Certificate
  • SMS Provider role certificate
  • SMS User Service Certificate
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

Client-Side SCCM eHttp Certificates

After enabling enhanced HTTP, let’s check the self-signed certificates available on the Windows 10 client device. I could see 2 (two) types of certificates on my Windows 10 device.

  • SMS Encryption Certificate
  • SMS Signing Certificate

NOTE! – I’m not 100% sure whether these are ehttp certificates or general SCCM/ConfigMgr certs or not. Let me know your experience in the comments section.

Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp
Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp

E-HTTP FAQs?

Let’s have a quick walkthrough of Enhanced HTTP FAQs.

What is ConfigMgr Enhanced HTTP?

Self Signed Certificate Managed by ConfigMgr server.

Which is the better option, HTTPS or Enhanced HTTP?

Enhanced HTTP (ehttp) is the best option when you don’t have HTTPS/PKI with your current implementation.

Any Challenges with Enhanced HTTP (ehttp) Option?

NO. I don’t see any challenges with the eHTTP option.

How many Enhanced HTTP (ehttp) certificates are available on the Client-side?

Two types of certificates are available as per my testing.

Resources

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

12 thoughts on “Best Guide to Enable ConfigMgr Enhanced HTTP Configuration | SCCM | eHttp”

  1. what process /log can we look at for troubleshooting the client install/client issues related to invalid certs after enabling the enhanced http? Are there any changes required on the client install properties?

    Reply
  2. The certs on the windows 10 machine was already there before I enabled enhanced http on the site server. Also, I don’t see any additional certificates created on the site server or site systems. Is there anything I am missing here? Thanks in advance

    Reply
  3. Hi
    In the unlikely event that enabling E-HTTP causes an issue, is it simply a case of unticking the same box that turned it on to then turn it back off? And if this is done, will ConfigMgr happily return to using plain HTTP without problems? Just want to head off the inevitable “what-if” rollback questions that are going to be raised when I ask to do this in our environment!
    Thanks!

    Reply
    • I have this same question. I have CM 2006 installed, want to enable eHTTP, then upgrade the system to 2107. Wondered if we can revert back to plain http as you asked. Any response?

      Reply
  4. Hi,

    Thanks for the guide. I have seen some user comments on other pages indicating that PXE boot stopped working after implementing this.

    Do you see any reason why this would affect PXE in any way? We want to move to 2107, but want to be sure that there will be no adverse affects to PXE.

    Thanks!

    Reply
  5. Even after selecting EHTTP, SMS Role SSL Certificate is not getting generated.
    It should be generated automatically.. but its not showing in “Personal” Certificates nor in IIS Server certificates. What can be done ?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.