How to Migrate Configuration Manager from HTTP to HTTPS – Step-by-Step Guide
- Create the certificate templates (ConfigMgr Clients (if the workstation is not already in place), ConfigMgr IIS Servers, and ConfigMgr DP Servers);
- Request the certificates;
- On the IIS servers, change the binding to allow the HTTPS port (default 443) and select the certificate;
- Export the Root CA (and any other CA) certificate and import it into SCCM. Note: do not force SCCM to use PKI; instead, allow it to use HTTP or HTTPS;
- For each client, confirm that the Client Certificate is set to PKI (you can easily check HKLM\Software\Microsoft\CCM\HttpsState and HKLM\Software\Microsoft\CCM\PKICertReady), or check the report "Clients incapable of HTTPS communication";
- Confirm that you can navigate to HTTPS://;
- From the server, confirm that you can navigate to the CRL for the selected certificate;
- From the client, confirm that you can navigate to the CRL for the certificate;
- On the console, add the column “Client Certificate” and confirm that it is set to “PKI” for all clients (this may take a couple of days or a week to complete);
- Once all machines are ready to use HTTPS, migrate the MP and check the logs: MPSetup, MPMSI & MPControl;
- On the client side, check the ccmmessaging log.
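The client-state and CRL checks from the list above can be scripted. The following PowerShell is an added example, not part of the original guide: it prints the two registry values as-is and tests each HTTP CRL distribution point found in the machine's certificates. The function names `Get-CrlUrl` and `Test-CrlUrl` and the `-Thumbprint` parameter are hypothetical, and the script assumes `HttpsState` and `PKICertReady` are values under the `HKLM\Software\Microsoft\CCM` key; LDAP distribution points are not tested.

```powershell
param(
    [string]$Thumbprint   # optional: check one certificate instead of all in LocalMachine\My
)

function Get-CrlUrl {
    # Return the HTTP(S) URLs from a certificate's CRL Distribution Points extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    # Format($true) renders one "URL=..." entry per line.
    [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    # Download the CRL and report whether the URL answered with content.
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Reachable = ($r.StatusCode -eq 200); Bytes = $r.RawContentLength; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Bytes = 0; Error = $_.Exception.Message }
    }
}

# 1. Client state values named in the checklist (printed as-is, not interpreted).
$ccm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue
if ($ccm) {
    "HttpsState   = $($ccm.HttpsState)"
    "PKICertReady = $($ccm.PKICertReady)"
} else {
    'CCM registry key not found (no ConfigMgr client on this machine).'
}

# 2. CRL reachability for the selected certificate(s).
$certs = Get-ChildItem Cert:\LocalMachine\My
if ($Thumbprint) { $certs = $certs | Where-Object Thumbprint -eq $Thumbprint }
foreach ($cert in $certs) {
    $urls = @(Get-CrlUrl -Certificate $cert)
    if ($urls.Count -eq 0) {
        Write-Warning "$($cert.Subject): no HTTP CRL distribution point in the certificate"
        continue
    }
    foreach ($u in $urls) {
        Test-CrlUrl -Url $u | Select-Object @{ n = 'Subject'; e = { $cert.Subject } }, Url, Reachable, Bytes, Error
    }
}
```

Run it once on a site server and once on a representative client, since the CRL must be reachable from both sides.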
Now it is time to start migrating and testing all other roles:
For Distribution Point:
– Import the new DP Certificate and set it to use HTTPS;
For Application Catalog:
– Set the IIS Bindings to use an IIS Certificate;
– You can easily change the app catalog website from HTTP to HTTPS; however, you cannot do it for the app catalog web service. In this case, you’ll need to uninstall and install it again.
For Software Update Point:
– Set the IIS Binding to use an IIS Certificate;
– Run WSUSUtil.exe configuressl (check ServerCertificateName and PortNumber under HKLM\Software\Microsoft\Update Services\Server\Setup);
– Change the SUP to use SSL and confirm it is working;
– Force APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService to use SSL only.