There has been a lot of discussion about Enhanced HTTP and HTTPS. To quote the Microsoft documentation: “Enhanced HTTP isn’t the same as enabling HTTPS for client communication or a site system. Microsoft recommends using HTTPS communication for all Configuration Manager communication paths.” Enhanced HTTP only protects a subset of the client-to-site-system traffic, using certificates issued by the site itself; HTTPS backed by your own PKI covers every communication path. In this series of posts, I will walk you through how to configure PKI for ConfigMgr.
In my test lab I set up one primary site (CM02.zit.local). Since this is a test lab, all the roles are on the same server:
- CM02.zit.local (site system server):
- Distribution point (https)
- Management Point (https)
- Software Update Point (https)
- Cloud Management Gateway connection point
In order to walk you through the entire process of setting up ConfigMgr PKI, I am going to break this down into a number of parts:
- How to setup ConfigMgr PKI – Part 1 (Roles and Certificates) – This post
- How to setup ConfigMgr PKI – Part 2 (Create Certificates)
- How to setup ConfigMgr PKI – Part 3 (Cloud Management Gateway)
- How to setup ConfigMgr PKI – Part 4 (Management point and Software Update point)
Setup – Roles & Certificates
Management Point
HTTPS is optional for the management point (it can stay on HTTP or Enhanced HTTP), but it is recommended. When the management point is configured for HTTPS it needs:
- Web server certificate for server authentication, bound to the HTTPS site in IIS
- Client authentication certificate on domain-joined clients, so they can authenticate to the HTTPS management point
Distribution Point
Certificates are required.
- Web server certificate for server authentication, bound to the HTTPS site in IIS
- Client authentication certificate on domain-joined clients
- Distribution point certificate: a client authentication certificate exported with its private key (PFX) and imported in the distribution point properties. It authenticates the distribution point to an HTTPS management point and is used by PXE boot and boot media during OS deployment.
Software Update Point
HTTPS is optional for the software update point, but it is recommended. When the software update point is configured for HTTPS it needs (WSUS on the same server must also be configured for SSL):
- Web server certificate for server authentication, bound to the WSUS HTTPS site in IIS
- Client authentication certificate on domain-joined clients
Cloud Management Gateway (Optional)
Clients on the internet communicate with ConfigMgr through the Cloud Management Gateway. The CMG server authentication certificate should come from a public certification authority, so that internet clients already trust it. You can use a certificate from your internal PKI instead, as long as you have a way to deploy your root CA certificate to those clients before they leave the intranet.
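Before moving on to Part 2 it is worth checking what the site system already has in its local machine store against the list above. The following PowerShell is an added example and is not part of the original post or of ConfigMgr itself. It assumes an elevated session on the site server, takes the FQDN CM02.zit.local from this post, and relies only on the standard Server Authentication and Client Authentication EKU OIDs.

```powershell
# Added example (not from the original post): inventory LocalMachine\My on the site system
# and report the certificates that the HTTPS roles above depend on.
# Assumptions: run elevated on the site server; CM02.zit.local is the server FQDN used in
# the post; the EKU OIDs below are the standard ones, not ConfigMgr-specific values.

$ServerFqdn    = 'CM02.zit.local'      # site system FQDN from the post
$EkuServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$EkuClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-CertChain {
    # Builds the chain with the machine's trust stores and the default (online) revocation
    # check, so a CRL distribution point the server cannot reach shows up as a failure here
    # rather than later in the ConfigMgr logs.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning ("{0}: {1}" -f $Cert.Thumbprint, $s.StatusInformation.Trim())
        }
    }
    return $ok
}

function Get-RoleCertificateReport {
    # Lists certificates in LocalMachine\My that have a private key and the requested EKU,
    # and checks whether the server FQDN is among the certificate's DNS names.
    param([string]$Fqdn, [string]$Oid)
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey) { continue }
        # The ConfigMgr templates set an explicit EKU; a certificate with no EKU extension is
        # deliberately not counted, even though Windows would treat it as any-purpose.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($ekus -notcontains $Oid) { continue }
        $san = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            FqdnInSan  = ($san -contains $Fqdn)
            ChainValid = (Test-CertChain -Cert $cert)
        }
    }
}

"Server Authentication certificates for the IIS HTTPS binding (MP, DP, SUP) on $ServerFqdn"
Get-RoleCertificateReport -Fqdn $ServerFqdn -Oid $EkuServerAuth |
    Where-Object { $_.FqdnInSan } | Format-Table -AutoSize

"Client Authentication certificates (site server as a client, and candidate DP certificate)"
Get-RoleCertificateReport -Fqdn $ServerFqdn -Oid $EkuClientAuth | Format-Table -AutoSize
```

A server authentication certificate that does not list the FQDN is filtered out of the first table on purpose, because clients connecting to https://CM02.zit.local would reject it. The script does not verify that the client authentication certificate's private key is exportable, which the distribution point certificate needs; that is checked when the PFX is exported in Part 2. A ChainValid of False with a warning about revocation usually means the CRL distribution point is unreachable from the server, and clients will fail the same check.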
Next in How to setup ConfigMgr PKI – Part 2 (Create Certificates), we will create certificates for these roles.
Hi Zeng, I have a question I hope you can answer. If we have on-prem AD-joined Windows 10 devices and have set up co-management, do we have to configure (1) “hybrid Azure Active Directory joined devices” or (2) the GPO “Enroll a Windows 10 device automatically using Group Policy”, or (3) does the ConfigMgr client do this and register the device?
Secondly, when we have on-prem AD-joined Windows 10 devices and have set up full co-management with a client management gateway and cloud distribution point, and the device is off the network for more than 30 days, does the computer account password expire, or is this mitigated by the management gateway being internet-facing?
The ConfigMgr client will enroll the device in Intune. Co-management and ConfigMgr don’t function as a VPN, so they won’t help with the 30-day computer account password expiration.
Hi – Excellent write-up on CMG and CDP. Followed all the steps and so far completed part 1 – part 5. Everything working as it should. Thanks for sharing your notes.
Look forward to new topics in the future.
Thanks
Ram
Hello Ram, thank you for reading, I am glad they are useful to you.
Thanks, Sandy