How To Configure PKI for Microsoft SCCM to Use HTTPS/SSL Instead of HTTP

Captions
Hi, my name is Justin Chalfant. I'm a software engineer with Patch My PC and a former SCCM PFE at Microsoft. In this video we're going to be covering how you can switch your SCCM environment from HTTP to require HTTPS, to secure your client and server communications within your hierarchy. I'm pretty excited about this topic because I actually put a post up on Twitter, Facebook and Reddit, and this was by far the most voted-for topic for the next video, so we'll go ahead and jump right into this.

What I've got is I'm logged into my domain controller and I don't have any certificate authority set up. I figured this would be a good place to start because many of you guys might not have that configured in your lab as well. So what I'm gonna do is install an Enterprise certificate authority on my domain controller. Now I do want to note I am in no way a PKI expert, and in fact I know that this is not going to be best practice. Generally speaking, if you were in a production environment you would issue an Enterprise certificate authority and then you would have subordinates under that on different servers, and the root-level one would most likely go offline to prevent the key from being compromised. But since this is just the lab and I'm only using this certificate authority for SCCM, I'm okay with just having the one certificate authority and having that also issue my certificates. But I will link out to the PKI guides from the Microsoft docs as well as some additional resources if you did want to go into more details about how you could configure this in a more best-practice type of way.

So on my domain controller I'm gonna go ahead and choose to add a new role. I'll choose Next on this page, Next on the role, Next on the server, and I'm going to choose Active Directory Certificate Services, just the default options for the features, and then Next, Next on the features, default here, just Next for the role service. The only thing that I really need, and that you would need for SCCM, would just be the certificate authority; we wouldn't need any of the web service components of this to do this within a lab. So I'll choose Next here and then Install. This will take a minute or so; I'll go ahead and pause it and then we'll walk through the post-installation tasks.

All right, so that install is done. We could either click right here to configure it, or we could go ahead and close and launch it from the wizard here to launch the post-install task. All right, so on the credentials page we do need to have an Enterprise Administrator in order to install a new certificate authority within your domain, so just note that it's going to log in with the credentials that you're currently using. If you needed to, we could change that. In my case I'm using my default administrator, so that's going to have all the permissions that we need. For the role services we want to configure the certificate authority.

All right, so I'm gonna choose an Enterprise CA, so this is gonna be what we need to actually issue certificates. But like I mentioned, if this was a production environment you would most likely go with a standalone one for the top level and then take that offline, and then you could add subordinates under that. But for what we're doing in this lab we'll just go ahead and proceed with just the one. We want to have it as the root CA, so that's going to be the top level. We're gonna create a new private key; if you had an existing one you could go ahead and import that from the certificate. We're gonna leave the default for the cryptography, default for the CA name. If you wanted to change your root CA, what would show up in your certificates at the root level for your clients, you could give that a common name if you wanted. Default, I'm just going to change this to ten, but like I said, obviously I'm not really too worried about best practices here just because this is a lab environment. But I will link out to those docs that will give you a better idea on some of the best configurations that you would want to do here. I'm gonna leave the default for the database path and then choose Configure. Looks like that is done, so if we go ahead and close this, looks like we're all set here.

So what I'm going to do now is open my certificate authority. Okay, so for SCCM we're going to create a few certificate templates that we're going to use for our IIS servers, for operating system deployment, and for our clients. Before we go and create those I do want to create a new security group within Active Directory, and we're going to call it SCCM IIS Servers, and then we're going to go ahead and add the computer account of any of your SCCM site systems that would be running IIS. So this would be things like distribution points, management points, application catalog website points, software update points; any site system you would go ahead and put in this group. So for this lab I'm just going to do it on my one server, and I'm going to go ahead and reboot that SCCM server. If you don't reboot before you try to enroll a certificate after adding it to a security group, it won't take effect and you would get denied when you try to request it.

So if we come back to our certificate authority, what we're going to want to do is manage our certificate templates. So there's a couple of default ones that are going to go out, but what we want to do is right-click Certificate Templates and then choose Manage. The first one that I'll create is my SCCM IIS server, so we're going to duplicate the Web Server as a template. We do need to make sure that it's using Windows Server 2003 for the certificate authority. Under the General tab I'm going to go ahead and name this SCCM IIS Cert. Okay, under Request Handling we want to make sure the private key is not allowed to be exported, and under the Subject Name we're going to verify that Supply in the request is selected so we can configure what type of DNS name we want here. Under Security we're going to add the SCCM IIS Servers to be able to Read and to Enroll in this certificate. Optionally, if you want to take away the Enroll permissions for some of the default accounts (this is mentioned in the SCCM docs), you could remove that for the Domain Admins and Enterprise Admins. In my case I'm not too worried about that, so I'll go ahead and choose OK.

The next certificate that we need to create is for our distribution point. Now this one is a little misleading, because it's not actually going to be used for the distribution point for the IIS part of it; instead it's going to be imported into the distribution point site system in our console, but it's actually going to be used for the OSD. So for clients that aren't domain joined, it would actually make use of this certificate that is on the distribution point to authenticate to any IIS system. Okay, I'm gonna go ahead and make this a bit longer just because I would have to renew this and re-import it whenever that were to expire in my lab. Now one thing that we do have to change in the request is we need to allow the private key to be exported, because what's going to happen here is we're going to request this certificate from our distribution point server and then we're going to export it as a PFX file, and we need to include that private key because we're then going to import that cert into our console, and then our clients are going to make use of that during imaging, or if it was a workgroup client, in order to authenticate back to our site, and it would need that private key. So that looks good. Under the Security tab I'm going to go ahead and give the SCCM IIS Servers Enroll permissions here and then OK on that. Actually, let me jump back into that, and just to be safe I'm also going to remove... it looks like the Domain Computers by default have Enroll but they don't have Read, so they shouldn't be able to see this, but just to be safe I'm going to go ahead and take the Domain Computers out there.

And now the next certificate we're actually going to create for our SCCM client, so we're gonna go ahead and make sure 2003 is also checked and we're going to name this SCCM Client Certificate. I'm gonna also set this to three years, and under the Subject Name we can verify that Build from Active Directory is selected. Request Handling, we don't want to allow the private key to be exported, so that all looks good. And then under Security, under Domain Computers, we're gonna give them Read and Autoenroll permissions. I'm gonna go ahead and apply that setting and then choose OK. That should be all that we need to do as far as our certificate templates go. So now that we have those three created, we're going to go ahead and right-click our Certificate Templates and then choose New, Certificate Template to Issue, and at this point we're going to go ahead and select all three of those certificate templates we just created and choose OK. So at this point they're all deployed and we should be ready on the client side to actually go ahead and request some of those certificates.

Now for the actual client certificate we want to make sure that clients can auto-enroll in that, so in order to do that there's a group policy that we want to target them with. So I've got a couple of different SCCM sites configured within my lab; I only want to enable HTTPS on one of them. So what I've got here, if we come and look at my Active Directory computers, I've got an OU that contains my site server and it contains one client that we're managing. So in my case I'm just gonna enable auto-enrollment for my computers within this specific OU. If you wanted all your computers to have HTTPS enabled on the SCCM side, you would want to enable it at a top level that would affect all those computers. So under Computer Configuration, Policies, Windows Settings, Security Settings and then Public Key Policies, there's going to be a setting called Certificate Services Client - Auto-Enrollment. We want to make sure we set that to Enabled, and that we set it to renew expired certificates and then update certificates that use templates, and then go ahead and choose OK. And that should be pretty much everything on the certificate side of things.

So if I come back to my SCCM site server, I'm going to go ahead and open a new MMC console and then we're gonna add the Certificates snap-in. So we're gonna go ahead and add these certificates and we want to make sure that we add it for the computer account of this computer, OK, and then choose OK. Now under the computer account, under the Personal store, we can see that we've already got a couple of certificates already issued here, so we have the SQL one and then the SCCM signing certificate that would get created. What I'll do here is, let's see if we do a gpupdate /force, we can see if we get that client certificate to auto-enroll. Okay, so let's come back here and refresh it; looks like that worked just fine. So we got that new policy and we can see that the certificate template that issued this client certificate was that one that we created for SCCM Client Cert, so it looks like auto-enrollment is working. And we'll also verify that on our Windows 10 client that we're managing when we jump over to that part.

So the next thing we want to do is request a new certificate. We're going to request it from Active Directory, and then we're going to request the distribution point cert and the IIS certificate. So these are showing up here because we targeted that group. Now for the IIS certificate, since we configured that setting that we need to supply the additional DNS names within the request, that's why we're getting notified that we need to configure this. So within the Alternative Name here we want to choose the DNS option, and this is where we're going to add the DNS name for our site system that we're requesting this for. So I'm gonna add the host name and I'm also going to add the fully qualified domain name here as well. Okay, that looks good; we'll add that. Now if we were going to use Internet-based client management, this is where we could also add the public name, so something like ibcm.contoso.com. In this video we won't be talking about that, but this video is actually gonna cover probably about 80 to 90% of what we need in order to actually enable Internet-based client management, so we might have a follow-up video on IBCM if it's something that I get feedback would be used. And the only other thing I'm going to do is give this a friendly name, so I'm going to call it SCCM IIS Cert; this is what will show up in IIS when we go to bind this certificate. Then choose OK and then Enroll. So that looks good; we've got our IIS certificate and then we have our distribution point certificate.

Now for the distribution point certificate, what we want to do is export. So remember I mentioned that we're actually going to export this and import it to our console so clients during imaging can have a client certificate they can use to authenticate. So for this option we do need to export it with the private key. We'll choose the default options here and then give it a password that we're going to use when we import it back into our console. OK, for now I'm just going to save this to my desktop and then Next and then Finish.

All right, so if we come into IIS, this is where we are now at a point where we can come and bind the certificates to our IIS websites. So if I come in here and look at my sites, I'm going to have two different sites. I'm gonna have the Default Web Site; that's going to be port 80 and 443. This is going to be where our management point and our distribution point are running, as well as the application catalog if you had that configured in your site. So what we're going to do is come into the HTTPS section of this and we're going to go ahead and choose that IIS certificate. I'll go ahead and choose OK and then Close. So if we wanted to, we should be able to just kind of verify that's working. So if we go to https://sccm3, looks like that is secure, and just to verify that we did the DNS name right in the request, we'd do contoso.local and verify that's also secure with no errors.

Now I also have my WSUS website. By default in Server 2012 and above, WSUS will install on a separate website, so it's actually using ports 8530 and 8531. So we're also going to want to make sure that we bind that certificate to that website as well, and then Close. Now there's some additional configurations that we need to perform when we actually switch WSUS to require SSL. I will link out to the following post; this is going to describe what I'm doing here, but we have to make sure that we require SSL on a few of the IIS virtual directories for WSUS. Okay, so we're gonna go to the ApiRemoting30, and in SSL Settings we need to Require SSL and verify the client certificates are set to Ignore. We're going to do the same exact setting on the client web service, on the auth web service, on the sync web service and on the simple auth web service.

Okay, now that that's done we can actually go into a command prompt, and we want to change WSUS to require HTTPS or SSL. So to do that we're going to go into the install folder, which is going to be Program Files\Update Services, and then the Tools folder. Within the Tools folder there's going to be a tool called wsusutil. So what we're gonna do is run wsusutil configuressl and then you're going to enter the fully qualified domain computer name for the server that we're running on, to tell it what server to configure for HTTPS. So we can see that that was successful, and we've now made it so that we only have port 8531 listening. Okay, so that should be most of the configurations that we would have to do on the back end.

So what I'm going to do now is come back into my console and we're going to switch our SCCM site over to HTTPS. Now there's a few different ways we can do this. If you had every site system that you want to use HTTPS for, if you had all the certs configured, you can actually do this globally under the site properties, and under Client Communication you could switch it to HTTPS only. In my case I'm just going to have it so it could use either, and by default we're going to use PKI if we select this option here. So if a client had a certificate, it would prefer to talk to any of our site systems, like our management points, distribution points and software update points that are configured for HTTPS; if it had all the requirements on the client side, it would prefer to use that if there were both HTTP and HTTPS site systems in your environment. So, yeah, we want to make sure under the client computer communication that we do check the box to Use PKI client certificate when available. In my case I'm not going to force everything to HTTPS; I'm going to leave it under both modes and go ahead and apply that setting and choose OK.

Now we're going to come into our site systems and change the different roles that are going to require HTTPS. So the first one we'll come in to is our distribution point, and we'll tell our distribution point to switch over to HTTPS. Now we'll notice that the only setting that we have is intranet-only clients; that's because we haven't configured an external public DNS name. We'll cover that in an Internet-based client management video if that's something that you guys would like to see. Now for the certificate, this is where we're going to import our distribution point certificate that's going to be used by clients during OSD and other operations if it was a workgroup client. So I'm gonna go ahead and browse to that and enter in my password. It looks like that took successfully, so we should be good for our distribution point.

Now the next thing we'll go ahead and configure is our management point, so we'll switch that over to HTTPS and we'll allow our intranet-only communications and then choose OK. Now for the management point it will actually need to reinstall it, so if we come into our logs and then sitecomp.log, this is the Site Component Manager that would handle any installations of new components within our site. We can see that it's actually now installing some of the management point components; it's going to reinstall that on our server. Okay, so just let that sit a couple of seconds, and it looks like we are now installing the management point. So from sitecomp, if we close that log and jump over to our mpsetup.log, this is actually going to be the install log for the management point. So what we can see here is once we're reinstalling the management point, we're having it so that it uses SSL ports and it's setting that port to 443. So we'll just wait a couple of minutes while this completes and then we'll come back to the video.

All right, so the MP setup just completed; we can see that it looks like it was successful. So if we minimize this log file we should be able to check out the mpcontrol.log. So this is the log file that actually monitors whether the management point is online and whether we can request and see that it's available; so it's basically querying IIS to see if that's available. It looks like it hasn't quite kicked in yet, so I'll pause it and we'll look at the check. Looks like it actually just successfully checked it, so we can see that it looks like the MP is online and we can check it.

Now just a bonus thing here, let's see if I can show you how we can manually check whether the management point is working in HTTPS mode. It's a little bit more tricky, so I'll kind of show you what we can do to do this. So what we're doing here is just an MP list, so we're just pointing out to the management point server and then we're just appending the /SMS_MP/.sms_aut?MPLIST. Now in HTTP mode this is actually pretty easy because we don't require a certificate on the management point side of things, but since we switched to HTTPS you can see that we're not allowed to check it, because it says we need a client cert. So what we can actually do, just to show you if you did want to manually check this (it's been a little while, let me see if I can remember what we're doing here): under Content in IE, under Certificates, what we should be able to do is import that distribution point certificate, so that's going to be our client certificate that also has that private key. So it's on my desktop; I'm going to just add the asterisk here so we can filter all files and then choose my certificate here. I'm gonna enter in the password. What I'm not going to do is allow that to be exported, so we're not going to allow the private key to be exported from Internet Explorer, but we will have the certificate that we should be able to use to check that. So if we click on that, looks good. Now if we refresh this, this might require IE to restart; let's see if it will work after a restart. And there we go, so we can see that we can actually request that on our client side just by using the URL as long as we import that client cert into IE. Now that the check's done I'll go ahead and just pull that certificate out and then choose OK.

Okay, now before we do our software update point, what I'm going to do on my client machine, just so we're not sitting here waiting around, is a gpupdate /force and let that go ahead and get that certificate. So that looks good. So we'll go back into our system and go to our software update point, and what we're going to choose here is to Require SSL communication. So what that's going to do is make it so your software update point is only configuring clients to scan against the SSL port. So that looks good; we'll do OK on that, and we're gonna look at the wcm.log. So this is the component that configures our WSUS server, so it kind of syncs our SCCM software updates with the WSUS configuration. So we can see we just got a notification saying that we need to update it, so that's going to be where it's setting it to HTTPS only. So we'll wait for that configuration to happen. Okay, so it looks like that configuration was successful, so we've now switched over our SCCM site to use SSL for software update point scanning.

And I think that's all the site systems that I have within my environment that are going to be applicable for HTTPS. Now if you had something like the application catalog web service point, you would want to go in and configure that. We can see in my environment it's very basic; I'm running all my site system roles on my primary site server, but if you had remote management points and distribution points you would have to go through the process to request the IIS certificate on each of those distribution points and configure that. One thing to note: if you do have remote distribution points, you can actually reuse that client certificate that we would come in here with, so that doesn't have to be server specific. So we could actually just request that and reuse that if you wanted to; you would just have to make sure you go through the IIS certificate request and bind that certificate to IIS on any remote site systems that you would want to configure for HTTPS.

So on the client side let's just see what we have going on here. Let's just see if we've got our certificate yet, and do that computer account, local computer, and then under the Personal store it looks like we do in fact have it. So we can see it got it from that certificate template for our SCCM client. So what we can do is check in Control Panel under the Configuration Manager applet, under System and Security, to see whether or not it's actually switched over yet. So in our case it looks like it is still self-signed. So what we're going to do is go look at our client log files, and I'm going to look at my ClientIDManagerStartup.log; this is the log file that's going to show us when we're registering with our site. So now that the site requires HTTPS, we can see that it still currently looks like it's trying to use HTTP. So if we look at CcmMessaging.log on the client, this is going to be when we try to send requests to our management point; we can see that it looks like we're still trying to use HTTP. So what I'm going to do is just try to request a machine policy update and see if I get any of those new site settings. Okay, so it looks like we haven't quite updated yet. So if we go check out LocationServices.log, that's where we check for our management points and things like that; we can see that we have failed to contact the management point three times. The threshold is five, so it can take a little time before the client's actually going to kind of restart and look up the information we're publishing to AD to see that the site has switched. So I'm going to try to force this to be a little bit faster: restarting the service should basically have it reach out and do all these checks for us, just to speed that up so we don't have to wait for this client to kind of restart. Usually it can take maybe thirty minutes or so before it hits that interval.

But here's what I wanted to show you in ClientIDManagerStartup. So what we can see now that the service is restarted (this would also happen on the client itself after a few failed attempts; this would just happen by itself) is that within ClientIDManagerStartup we can now see the PKI certificate is available. So ClientIDManagerStartup is the component on the client that handles the registration with the server, so any time that we had a new certificate we're going to attempt to re-register with the site. Now the ID of the system is still going to stay the same; it's just going to do that registration just to verify that it is in fact working with the new certificate. So we can see it's now registered. So if I come back in here and reopen my Control Panel applet (because it doesn't open on the fly, it won't update that value), what we can see here is on the client we are now using PKI, so that's using our certificate that we issued through our PKI server within AD. So we come back to our CcmMessaging log, this is going to be where we're sending requests to our management point; we can see that it's now looking like it's all successful here. So everything looks good; we're successfully sending messages; we've got our client switched over to HTTPS.

So at this point we are pretty much good to go, and I think that's all I was planning to cover within this video. But like I was mentioning, this could tie in very well to a future video on Internet-based client management as well as the cloud management gateway within SCCM. So that's all I have today. Looks like everything is going well; we've got our client reporting back; we can see that it just re-registered, but this will come back green, and then if we look here it should change to PKI for the communication, under the Client Certificate column. So you can just kind of verify that your clients are switched over by adding that column here and you can just verify that that all looks good. So that's all I have today. If you have any questions or comments, feel free to leave a comment in the accompanying blog post and the YouTube comment section of this video.
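The video verifies each step by hand (the Certificates snap-in, the IIS bindings, the WSUS virtual directory SSL settings, the MPLIST URL in IE with an imported client cert). The script below is an added example, not from the video or from Patch My PC, that performs the same checks from PowerShell on the site server so they can be repeated after a certificate renewal. It assumes an elevated PowerShell session on the server that hosts the management point, distribution point and WSUS roles, the WebAdministration module being present (it ships with IIS), the template names used in the video, the default "WSUS Administration" site name, and a placeholder FQDN (`sccm3.contoso.local`) that you replace with your own.

```powershell
# Added verification script (not from the video). Assumptions are labelled below.
Import-Module WebAdministration

$SiteServerFqdn = 'sccm3.contoso.local'          # placeholder: your site system FQDN
$ClientTemplate = 'SCCM Client Certificate'       # template names as created in the video
$IisTemplate    = 'SCCM IIS Cert'
$WsusSite       = 'WSUS Administration'           # default WSUS site name in IIS
# WSUS virtual directories the video sets to "Require SSL" (ignore client certificates)
$WsusVdirs      = 'ApiRemoting30','ClientWebService','DSSAuthWebService','ServerSyncWebService','SimpleAuthWebService'

# Extensions that record which template issued a certificate:
# 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2), 1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1)
$TemplateOids = '1.3.6.1.4.1.311.21.7','1.3.6.1.4.1.311.20.2'

function Get-CertTemplate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) { return $ext.Format($false) }    # e.g. "Template=SCCM Client Certificate(1.3.6...), Major Version Number=100, ..."
    return $null
}

# 1. Which machine certificates came from a template, and when do they expire?
Write-Host '== Machine certificates issued from templates =='
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $tmpl = Get-CertTemplate $_
    if ($tmpl) {
        [pscustomobject]@{ Thumbprint = $_.Thumbprint; Template = $tmpl; Expires = $_.NotAfter; Subject = $_.Subject }
    }
} | Format-Table -AutoSize

# 2. Do the HTTPS bindings (443 on the Default Web Site, 8531 on WSUS) carry a certificate from the IIS template?
Write-Host '== IIS SSL bindings =='
Get-ChildItem IIS:\SslBindings | ForEach-Object {
    $cert = Get-Item ("Cert:\LocalMachine\My\" + $_.Thumbprint) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port       = $_.Port
        Thumbprint = $_.Thumbprint
        Template   = if ($cert) { Get-CertTemplate $cert } else { 'certificate not found in LocalMachine\My' }
        FromIisTemplate = ($cert -ne $null) -and ((Get-CertTemplate $cert) -like "Template=$IisTemplate*")
    }
} | Format-Table -AutoSize

# 3. Require SSL (without requiring a client certificate) on the WSUS virtual directories
Write-Host '== WSUS virtual directories: sslFlags =='
foreach ($vdir in $WsusVdirs) {
    $raw   = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$WsusSite\$vdir" -Filter 'system.webServer/security/access' -Name sslFlags
    $flags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    $ok    = ($flags -match 'Ssl') -and ($flags -notmatch 'SslRequireCert')
    '{0,-22} sslFlags={1,-20} requireSslOnly={2}' -f $vdir, $flags, $ok
}

# 4. Are the SSL ports listening? (after wsusutil configuressl the video expects 8531 in use)
Write-Host '== Listening ports =='
foreach ($port in 443, 8531) {
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
    '{0,5}  listening: {1}' -f $port, $listening
}

# 5. The MPLIST check from the video, over HTTPS. The HTTPS management point demands a client
#    certificate, so present the machine's auto-enrolled certificate from the client template.
Write-Host '== Management point MPLIST over HTTPS =='
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-CertTemplate $_) -like "Template=$ClientTemplate*" } | Select-Object -First 1
if ($clientCert) {
    $resp = Invoke-WebRequest -Uri "https://$SiteServerFqdn/SMS_MP/.sms_aut?MPLIST" -Certificate $clientCert -UseBasicParsing
    'MPLIST over HTTPS: HTTP {0}, {1} bytes returned' -f $resp.StatusCode, $resp.RawContentLength
} else {
    "No certificate from template '$ClientTemplate' found in LocalMachine\My; MPLIST check skipped"
}
```

Run it before and after the switch: before, section 5 fails with a TLS/certificate error and the WSUS directories show empty `sslFlags`; after, every binding reports `FromIisTemplate` as True, each WSUS directory reports `sslFlags=Ssl`, and MPLIST returns HTTP 200. The template lookup relies on the CA-issued certificate carrying the template extension, which is the case for certificates enrolled from an Enterprise CA as in the video; a certificate requested some other way would show no template and should be checked by thumbprint instead.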
Info
Channel: Patch My PC
Views: 93,921
Rating: 4.9527025 out of 5
Keywords: SCCM Client Certificate, SCCM HTTPS Mode, SCCM Native Mode, Switch SCCM to HTTPS, Configuration Manager HTTPS, Configuration Manager Native Mode, Certificates in SCCM, How to configure SCCM certificates
Id: nChKKM9APAQ
Length: 33min 42sec (2022 seconds)
Published: Sun May 27 2018