How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 1

In a previous series of guides I showed you how to configure PKI in a lab on Windows Server 2016. In another series, I also showed you how to install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017. In this lab, I will show you how to configure SCCM to utilize that PKI environment. This series is based upon an excellent video by the talented former Microsoft Premier Field Engineer Justin Chalfant here. If you havn’t seen it yet, do check it out.

The intention here is that after you’ve completed this PKI enabled SCCM lab you can then use this in future guides, and to dig deeper into new technologies from Microsoft, for example enabling a Cloud Management Gateway and/or Cloud Distribution Point and using later on, using Co-Management.

Note: To complete this lab you must first complete the PKI Lab series (8 parts) and then install a new virtual machine within that PKI lab running System Center Configuration Manager (Current Branch) version 1802 utilizing this series (4 parts), that installation of Configuration Manager will be in HTTP mode. In addition, you must configure the Software Update Point role (in HTTP mode) on CM01 See this guide (step 2 onward) for details. For details how to configure that, see this post. It will take some time to setup but you’ll be glad you did. Also, don’t do this in production without consulting with a PKI Expert. I don’t claim to be one, I’m just helping you get it up and running in a lab. This is intended for use in a lab only.

Step 1 – Create an Active Directory Security Group

In this step you’ll create an active directory group which will contain all your site systems that use Configuration Manager server roles which utilize IIS (Internet Information Systems) such as the below (1):

  • Management point
  • Distribution point
  • Software update point
  • State migration point
  • Enrollment point
  • Enrollment proxy point
  • Application Catalog web service point
  • Application Catalog website point
  • A certificate registration point

On the Active Directory domain controller (DC01), open Active Directory Users and Computers, and expand the windowsnoob organisational unit (OU) created in this Step 1, part 5 of this blog post.

Click on Security Groups, and then right click and choose New, select Group. Give the group a name, SCCM IIS Servers.

SCCM IIS Servers.png

Once done, right click on the SCCM IIS Servers Active Directory Security Group, choose Properties and click on the Members tab, click on Add, for Object Types make sure Computers are selected. Add the Configuration Manager server (CM01) to that group.

cm01 added to active directory security group.png

Once done, reboot the Configuration Manager server (CM01) using the following command otherwise you might get access denied when trying to request a certificate.

shutdown /r

you are about to be signed out.png

to read the rest of this guide on click here.

This entry was posted in 1802, PKI. Bookmark the permalink.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.