How to Secure SCCM: Full HTTPS Only Migration Guide

In the previous post, we prepared the required PKI certificates on the internal Certification Authority (CA). If you haven’t completed that yet, make sure to follow that guide first before continuing with this part.

Now it’s time to move into the SCCM configuration itself. In this guide, we will configure Distribution Point (DP), Management Point (MP), IIS bindings, and finally enforce HTTPS only communication from the SCCM console. This setup will ensure that your Configuration Manager environment communicates securely with clients using SSL/TLS.

Before I begin, I should mention that this guide focuses only on configuring SCCM roles (DP, MP, and site communication) for HTTPS. The WSUS and Software Update Point (SUP) configuration is not included here, because I already covered that in a separate post. If you haven’t set up WSUS and SUP for HTTPS yet, you can find that guide here.

Step 1: Request and Export the DP Certificate

The Distribution Point is one of the most critical SCCM roles, as it handles content delivery (applications, updates, OS images) to all clients. Securing it with a certificate ensures clients can trust the DP and verify they are connecting to the correct server.

Open MMC → Certificates (Local Computer) on your DP server and request a new certificate.

Select the DP certificate template and provide the server FQDN if the template requires it.

Open the Certificates snap-in, right-click the certificate, and select Export.

Make sure you include the private key during the export process.

Choose the .PFX format and protect it with a strong password. This step ensures that the certificate remains secure while being transferred between roles.

Step 2: Bind the Certificate in IIS for the DP

Once the certificate is ready, we need IIS (which the DP role uses) to actually serve it to clients. Without this step, the certificate just sits in the certificate store and isn’t used in real communication.

Open IIS Manager on the DP and go to Default Web Site → Bindings → https.

Select the SSL certificate you just requested and click Apply.

Step 3: Configure the Management Point (MP) Certificate

The Management Point is the heart of client communication. Every client talks to the MP for policy requests, inventory reporting, and compliance checks. That makes securing the MP with HTTPS absolutely essential.

On the MP server, request a certificate from the template you created earlier.

Assign the server’s FQDN as the Subject Alternative Name (SAN).

Step 4: Bind the Certificate in IIS for the MP

Just like the DP, the MP’s IIS site also needs to be bound to the certificate so all client communication routes securely over HTTPS.

Open IIS Manager

Go to Default Web Site → Bindings → https.

Select the MP certificate.

At this stage, both DP and MP are ready to handle secure HTTPS requests.

Step 5: Configure SCCM Console – DP and MP Settings

Now we move into the SCCM console to assign the certificates to each site role. Importing the correct certificate into the console ensures SCCM itself validates and trusts the communication.

Open the SCCM Admin Console.

Navigate to Administration → Site Configuration → Servers and Site System Roles.

Select your Distribution Point, open its properties, and import the exported certificate (PFX file).

Repeat the process for the Management Point and configure it to use HTTPS.

Step 6: Switch the Site to HTTPS-Only Communication

This final step flips the switch: from here on, all communication in your SCCM environment is encrypted and certificate-based.

In the SCCM Console, go to Administration → Site Configuration → Sites → Properties, then open the Communication Security tab.

Select HTTPS only to enforce secure communication.

Under Trusted Root Certification Authorities, add the Root CA certificate you exported from your internal CA. This step ensures that clients trust the DP, MP, and other site system roles.

Important: Without the Root CA, clients may reject the connection even if the IIS bindings are correct.
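A PowerShell check for the result of Steps 1 through 6, added here as an example and not code from the original post. It reads the HTTPS binding of the IIS site, inspects the certificate it points to (private key, FQDN in the SAN, Server Authentication EKU, chain to the root CA), and on an MP optionally requests the MP list over HTTPS as a client would. It assumes the WebAdministration module is available on the server and that the certificate lives in LocalMachine\My; the default site name and FQDN are assumptions you can override.

```powershell
# Verify an SCCM DP/MP HTTPS binding and its certificate (added example, not from the post).
# Assumptions: WebAdministration module present; certificate stored in Cert:\LocalMachine\My.
param(
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$SiteName = 'Default Web Site',
    [switch]$ManagementPoint   # also test the MP endpoint over HTTPS
)
Import-Module WebAdministration

# 1. The IIS HTTPS binding configured in Step 2 / Step 4 and the certificate it uses.
$binding = Get-WebBinding -Name $SiteName -Protocol https
if (-not $binding) { throw "No HTTPS binding on '$SiteName' - IIS binding step not done." }
$thumb = ($binding | Select-Object -First 1).certificateHash
$cert  = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

# 2. Properties a client relies on when validating the DP/MP certificate.
$checks = [ordered]@{
    'Private key present'          = $cert.HasPrivateKey
    "FQDN '$Fqdn' in SAN"          = ($cert.DnsNameList.Unicode -contains $Fqdn)
    'Server Authentication EKU'    = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    'Chain builds to trusted root' = $cert.Verify()
    'Valid for more than 30 days'  = ($cert.NotAfter -gt (Get-Date).AddDays(30))
}

# 3. Optional: ask the MP for its list over HTTPS, which is what clients do after Step 6.
if ($ManagementPoint) {
    try {
        $resp = Invoke-WebRequest -Uri "https://$Fqdn/sms_mp/.sms_aut?mplist" -UseBasicParsing
        $checks['MP answers over HTTPS'] = ($resp.StatusCode -eq 200)
    } catch {
        $checks['MP answers over HTTPS'] = $false
        Write-Warning "HTTPS request to MP failed: $($_.Exception.Message)"
    }
}

# 4. Report; a non-zero exit code makes the script usable from a pipeline or scheduled task.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' })), $_.Key
}
if ($checks.Values -contains $false) { exit 1 } else { exit 0 }
```

Run it on each DP and MP after the IIS binding is in place; a FAIL on the chain check usually means the root CA from Step 6 is not trusted on that server.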

Final Thoughts

Why is this important? Because modern IT environments are under increasing pressure from compliance, audit, and cyber security requirements. Running SCCM over HTTPS ensures:

  • Clients only talk to trusted servers
  • Data in transit is encrypted and protected
  • You are aligned with best practices for ConfigMgr security

With these changes in place, you not only harden your SCCM infrastructure but also future-proof it against evolving security demands.
