MSEndpointMgr

How to setup ConfigMgr PKI – Part 1 (Roles and Certificates)

There has been a lot of discussion about Enhanced HTTP versus HTTPS. To quote the Microsoft documentation: “Enhanced HTTP isn’t the same as enabling HTTPS for client communication or a site system. Microsoft recommends using HTTPS communication for all Configuration Manager communication paths”. In this series of posts, I will walk you through how to configure PKI for ConfigMgr.

In my test lab, I set up one primary site (CM02.zit.local). Since this is a test lab, all the roles are on the same box.

  • CM02.zit.local (site system server):
    • Distribution point (HTTPS)
    • Management point (HTTPS)
    • Software update point (HTTPS)
    • Cloud management gateway connection point

In order to walk you through the entire process of setting up the ConfigMgr PKI, I am going to break this down into a number of parts:

Setup – Roles & Certificates

Management Point

PKI certificates are not required for this role (a management point can also run over HTTP or Enhanced HTTP), but they are recommended.

  1. Web server certificate for server authentication (bound to the HTTPS binding in IIS)
  2. Client authentication certificate for domain-joined clients

Distribution Point

Certificates are required: a distribution point always has a certificate of its own. If you do not import one from your PKI, ConfigMgr creates a self-signed one.

  1. Web server certificate for server authentication
  2. Client authentication certificate for domain-joined clients
  3. Certificate for the distribution point (a client authentication certificate exported with its private key as a PFX and imported in the distribution point properties; it is used for PXE boot and OS deployment boot media)

Software Update Point

PKI certificates are not required for this role, but they are recommended (they are what lets WSUS and the software update point use SSL).

  1. Web server certificate for server authentication
  2. Client authentication certificate for domain-joined clients

Cloud Management Gateway (Optional)

Devices on the internet communicate with ConfigMgr through the Cloud Management Gateway. It is recommended to use a certificate from a public certificate authority for the CMG, but you can use a certificate from your internal PKI as long as you have a way to deploy your root CA certificate to those clients, because a client that does not trust the chain of the CMG server certificate will not connect.
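Before creating anything in Part 2, it helps to know what the site system already has. The script below is an added example, not code from the original post: it inventories the local machine certificate store on a site system, picks out the certificates with the Server Authentication and Client Authentication EKUs that the management point, distribution point and software update point sections above call for, checks that each has a private key, chains to a trusted root and names the server's FQDN, and finally reports which certificate (if any) IIS has bound to port 443. It assumes it is run in an elevated PowerShell on the site system itself (for example CM02.zit.local); the FQDN is taken from the local machine, and revocation checking is skipped so it also works on an isolated lab box.

```powershell
# Added example (not part of the original post): check a ConfigMgr site system
# for the certificates the roles need.
#   Server Authentication EKU (1.3.6.1.5.5.7.3.1) -> web server certificate (MP/DP/SUP over HTTPS)
#   Client Authentication EKU (1.3.6.1.5.5.7.3.2) -> client authentication / DP certificate
# Assumptions: run elevated on the site system; FQDN resolved from the local machine.

$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertDnsNames {
    # DNS names from the subject CN plus every "DNS Name=" entry in the SAN extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Single-line format looks like "DNS Name=cm02.zit.local, DNS Name=cm02"
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-SiteSystemCertificates {
    param([string]$HostName = $Fqdn)
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $serverAuth = $ekus -contains $ServerAuthOid
        $clientAuth = $ekus -contains $ClientAuthOid
        if (-not ($serverAuth -or $clientAuth)) { continue }   # unrelated certificate

        # The chain must build to a root in LocalMachine\Root; revocation is not
        # checked here so the script also works without reachable CRL locations.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)

        [PSCustomObject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            ServerAuth    = $serverAuth
            ClientAuth    = $clientAuth
            MatchesHost   = ((Get-CertDnsNames -Cert $cert) -contains $HostName)
            HasPrivateKey = $cert.HasPrivateKey
            ChainTrusted  = $trusted
            Valid         = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            NotAfter      = $cert.NotAfter
        }
    }
}

$certs = @(Test-SiteSystemCertificates)
$certs | Format-Table Thumbprint, ServerAuth, ClientAuth, MatchesHost, HasPrivateKey, ChainTrusted, Valid, NotAfter -AutoSize

# A usable web server certificate must name this host. The DP certificate only
# needs Client Authentication and a private key (it is exported as a PFX and
# imported in the distribution point properties).
$webServer  = $certs | Where-Object { $_.ServerAuth -and $_.MatchesHost -and $_.HasPrivateKey -and $_.ChainTrusted -and $_.Valid }
$clientAuth = $certs | Where-Object { $_.ClientAuth -and $_.HasPrivateKey -and $_.ChainTrusted -and $_.Valid }

"Web server certificate for $Fqdn (MP/DP/SUP HTTPS): $(if ($webServer) { 'OK' } else { 'MISSING' })"
"Client authentication certificate (DP certificate):  $(if ($clientAuth) { 'OK' } else { 'MISSING' })"

# Which certificate IIS currently has bound to port 443, if any.
$binding = netsh http show sslcert ipport=0.0.0.0:443 2>$null
$hash = $binding | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)' | Select-Object -First 1
if ($hash) {
    "IIS HTTPS binding on 0.0.0.0:443 uses thumbprint $($hash.Matches[0].Groups[1].Value)"
} else {
    "No certificate is bound to 0.0.0.0:443 yet (the HTTPS binding is created when the roles are configured)"
}
```

Compare the thumbprint reported for the 443 binding with the thumbprint of the certificate flagged as the usable web server certificate; a mismatch (or a binding to an expired or self-signed certificate) is the usual reason an HTTPS management point or software update point refuses client connections after a certificate renewal. If your IIS site is bound to a specific IP address rather than 0.0.0.0, change the `ipport` argument accordingly.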

Next, in How to setup ConfigMgr PKI – Part 2 (Create Certificates), we will create the certificates for these roles.

Sandy Zeng

Sandy has been an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist with over 10 years of experience, skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft technologies; she has a passion for learning new skill sets, both to improve her professional career and as a hobby. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the https://sandyzeng.com blog and is now a blogger on MSEndPointMgr.

4 comments

  • Hi Zeng, I have a question I hope you can answer. If we have an on-prem AD joined Windows 10 device and have set up co-management, do we have to configure (1) “hybrid Azure Active Directory joined devices” or (2) configure the GPO “Enroll a Windows 10 device automatically using Group Policy”, or (3) does the ConfigMgr client do this and register the device?

    Secondly, when we have an on-prem AD joined Windows 10 device and have set up full co-management with the client management gateway and cloud distribution point, and the device is off the network for more than 30 days, does the computer account/password expire, or is this mitigated by the management gateway/internet-facing setup?

    • The ConfigMgr client will enroll the device in Intune. Co-management and ConfigMgr don’t function as a VPN, so they won’t help with the 30-day computer account password expiration.

  • Hi – Excellent write-up on CMG and CDP. Followed all the steps and so far completed part 1 – part 5. Everything working as it should. Thanks for sharing your notes.

    Look forward to new topics in the future.

    Thanks

    Ram

    • Hello Ram, thank you for reading, I am glad they are useful to you.

      Thanks, Sandy
