[0:00]HTTPS communication in our Configuration Manager lab. Even if you don't configure HTTPS in your Configuration Manager lab, you can still learn a lot. However, if you would like to expand your learning further, there are no set limits. Configuring HTTPS will open more parts of this learning experience. Hello everyone, this is Jay Singh, welcome to my channel Technic Solutions. If you are new to this channel, hit the subscribe button and also click on the bell icon to get all the latest updates from this channel. Any links mentioned in this video you will find in the description below. Let's get started. Okay, so before we proceed further with this video, I would like to mention that I have configured and performed some of the settings which were demonstrated in my previous video series. So, I will show you. So, if you look at this video series, I did client push install, and it worked fine, and also I have tested operating system deployment, and I have configured SCCM reporting services, and if I scroll down, I have also configured software update point as well, and I have tested manual software updates, which worked fine. Pre-requisites for HTTPS communication. So, the very first pre-requisite is Public Key Infrastructure. So, you must have Public Key Infrastructure, so you can configure certificates, you can issue certificates, and then you can use these certificates to enroll, or you might have to export some of the certificates where we need to actually import these certificates in the Configuration Manager console. So, in this video, I'm going to show you how you can utilize Active Directory Certificate Services to achieve this task. PKI, Public Key Infrastructure, has certain requirements for Configuration Manager. So, the certificate must be signed with SHA-2, and also the key length that we will use has to meet a minimum length.
So, the length is mentioned in Microsoft documentation. In this video, I'm going to use 2048, which will fit most scenarios that you need for Configuration Manager. So, let's have a quick look at the documentation which is provided by Microsoft. So, this is the document, you will find it in the description below. So, you can see that there's information provided here about the Public Key Infrastructure. Apart from that, the important part here, which is mentioned, is that you need SHA-2, and the public key, and the length is mentioned as well. So, you will find that length mentioned, it's not mentioned here actually. So, SHA-256 is mentioned here.
[2:41]Um, length you will find here in PKI certificates for servers. So, the length if I go here, for example this certificate, and this is for web server. So, the length will be mentioned, okay, for that set, there's no length mentioned. So, we scroll down, and web server here, and this is for Cloud-based Distribution Point, and the length you can see here, supported key lengths, 4096 bits. And here we have server authentication for SQL Server, and maximum supported key length. So, this is the maximum length, it supports 2048. And if we keep scrolling down, this is a client authentication, we will talk about it more in this video. So, that's workstation authentication template, and the length, maximum length it supports 2048.
[3:39]So, we will be using 2048 in this video, and this will fit most of the scenarios. For Active Directory Certificate Services, I have configured a dedicated server. So, this server will be used as cert authority, or certificate authority, or you can call it a CA. So, if you have limited resources, for example, you do not have hardware, there's a limit on the RAM, how much RAM you have, how much storage you have, so you can utilize any other member server within the lab. However, in production you will have a dedicated server. So, for example, if you have DC1, which we configured in this video series, you can utilize that DC01 as your certificate authority. So, I have configured a virtual machine, installed Windows Server 2019 Standard on it, and I will show you my VM configuration; if you would like to configure a dedicated server you can do that. Otherwise, you can utilize any other member server in your lab. So, I will show you what the configuration of my virtual machine is. So, if I open Hyper-V Manager, and Technic-CA1. So, this is the virtual machine that I have configured. If I go to settings, this is a Gen 2 virtual machine, and memory, I have provided it 2GB. Later on I'm going to drop it down to 1GB. So, for now it is 2048 because we are going to work on it. And storage, I have given it about I think 30GB or 40GB, and network adapter is important. I have configured in 01 for this virtual machine. So, in 01 is what I have been using in my lab, Configuration Manager server has in 1 connected as well, and here you can see that, and DC01, it has also in 01 connected. All right, so once you have made a decision, either you want to create a new certificate authority dedicated server, or you want to utilize your existing member server, then the next step is we're going to configure our Active Directory.
In Active Directory, we will create a new computer account, a user account, and if we need any other group, we will create that as well. So, let's do that on Technic-DC01. All right, so here I will log on to DC01, and I will open Active Directory Users and Computers. So, here what I'm going to do, I'm going to create a new computer object for my virtual machine, which I created as a dedicated server for certificate authority. If you want to use your member server, you don't have to do that. You can skip that part. So, I will click on Technic Computers, extend that, and we have Member Servers. So, here I will create a new computer object, and I will name it Technic-CA01. Click okay. So, this computer object is ready, and also I'm going to create a dedicated user for that as well, which I will use to log on to CA01. So, in Technic Users, in Administrative Users, I will create a new user. I will select user here, and I will name it CA and last name, I will name it Admin, and user logon CA admin. And click next here, and then provide password twice, and I will also check these two boxes, user cannot change password, password never expires. Click next and click finish. So, our user is ready as well. And also this CA admin account, I will double click on that, and I will go to member of and I'm going to add it to a member group, which is Domain Admins. So, Domain Admins, check names, click okay, hit apply, click okay. So, we will use this group when we provide permissions for certificate enrollment.
[8:26]Okay, so our Active Directory is ready. Next step is, we will prepare our CA server. If you're utilizing your member server like DC01, you don't have to perform this step. So, in this step, we are going to give the CA server a static IP and domain join it to our domain. So, let's do that. Okay, so here I have logged on to CA01, and what I'm going to do here in Local Server, I will change its IP address. So, in Ethernet, IPv4, it's given by DHCP server, I'm going to make sure that it has a static IP address. So, I will use the following. Okay, so the IP address is 10.0.0.4, subnet mask 255.255.255.0, and default gateway is 10.0.0.2. That's the IP address of our DC01, and DNS is DC01 as well, which is 10.0.0.2. Click okay and click close. So, once you have given the static IP, make sure you go here and open PowerShell, and try pinging Technic.local or your domain. So, you should get a reply back. Here you go, it's resolving the IP address, which means the DNS of this device is working correctly. So, I will minimize that, and close this one. So, click on computer name, and now in this step, I'm going to domain join this computer. So, I will click on change, and computer name is Technic-CA01, and domain is Technic.local, and click okay. It will prompt for Administrator username and password. So, I'm using my administrator account, and provided the password, and click okay. So, welcome to the Technic.local domain. Click okay. We will restart it, and I will come back and log in with the username which we created, which is CA admin. So, click okay. Click close. Restart now. So, once our CA server is ready, the next step we are going to do, in this step, we are going to add the Active Directory Certificate Services role. So, let's do that. All right, so this is CA01, I have logged in with this account, which is CA admin. So, in Server Manager, we will click on Add Roles. Click next, and role-based or feature-based installation, click next.
So, server, this server is selected, Technic-CA01, click next. So, roles, very first one, Active Directory Certificate Services. Select that, and these are the management tools, we are going to select Add Features. And click next. So, click next again, next again in role services, we will select only Certification Authority, which is already pre-checked. So, click next, so that's the confirmation, and we can tick this box. It's not going to restart. So, click install. I will be back as soon as this is ready. Okay, so this is ready, it took about 1-2 minutes. I will click on close. All right, so once Active Directory Certificate Services is installed, the next step is to configure that. So, now we are going to configure Active Directory Certificate Services. Okay, so I have logged on to Technic-CA01, and you can see that in Server Manager, we have a yellow triangle here. So, if you click on the yellow triangle, we have an option to configure Active Directory Certificate Services. So, click on that. Okay, so here, the credentials. So, this is very important. So, this account has to be a member of the Enterprise Admins group. So, I'm pretty sure the account that we are using here, CA admin, is not part of Enterprise Admins. So, we can check who is a member of this group, so you can log on to DC01 and check it out, or you can use PowerShell to check it out. So, I will quickly use PowerShell to check this out. Okay, so in PowerShell, I will enter a PS session to Technic-DC01, and the account that I'm using, CA admin, this account is a Domain Admin. So, it is able to log on to DC01. So, let's go back and I'm going to clear here, and we would like to check AD group, group member actually. So, the group member identity of that group is Enterprise Admins. Okay, so we have `Get-ADGroupMember -Identity "Enterprise Admins"`. If I hit enter, you can see these two members, so name CM admin is part of that group, and the administrator account is part of that group.
So, what I will do, I will change here, and I will enter the username administrator, and provide the password for that user. Okay, so this user is populated here. So, we will click next. So, the role service is Certification Authority. So, click next again, so setup type, it's Enterprise CA. This is not a standalone CA. So, we will select Enterprise CA and click next. So, next option is CA type, it's a root CA, not subordinate, because this is the very first CA in our domain. So, we will select root CA, click next, private key, create a new private key. Click next, cryptography. So, this is what we were talking about earlier. So, SHA-256 is auto selected, and key length is 2048. Okay, so we select that, and click next. So, CA name, you can update that name. So, I will get rid of that first bit, so it's Technic-CA01-CA, and click next. So, validity period, five years, it's plenty, and click next. Certificate database, I will leave it as it is. Click next and this is the confirmation, and these are the options we have selected. So, we will click on configure. And we are done. So, we will click on close. Our certificate authority is ready to be used. So, now we are going to configure certificate templates. So, we are going to configure altogether three certificate templates. So, the first one is going to be the client authentication template. So, that template will be used by clients to communicate with the sites which are HTTPS enabled. The second certificate template will be for our distribution point. So, the distribution point will use it for two purposes. The first one would be the distribution point itself. It will use it to communicate with any management point which is HTTPS enabled. The second purpose is this will be used by PXE-enabled clients to communicate with an HTTPS-enabled management point. So, the third one we are going to use for our Configuration Manager IIS servers.
So, this certificate, this will encrypt the data, and this will authenticate servers to the clients. So, let's log on to our certificate authority and configure those templates. So, in Technic-CA01, or the certificate authority role where you have installed and configured, so click on tools and we are going to select very first option, which is certification authority. Click on that. Here we will click on Technic-CA01. So, extend that, we have these different options. So, on certificate templates, right click, click on manage. So, this will open a new window. So, in this window, we have all these available templates. So, the template that for the first one we are going to use is workstation authentication. So, right click on that, and select duplicate template. And this will open this wizard. So, here what we are going to do, uh, we are going to leave everything default, except two options. So, general, so give it a name, and I will name it CM Client Certificate. And we will update the security. So, security, you can see that domain computers, so domain computers, they have enroll permission. Enroll permission is checked here. So, what we are going to do is we are going to provide read permission and auto enroll permission. And basically that's all. So, we can click here, apply and click okay. So, you will see CM Client Certificate is ready here. So, again we are going to select workstation authentication, right click, duplicate template. And in general, we will update the name. So, I will name it CMDP Certificate. Validity, I'm not changing it, I'm leaving one here, and we will select request handling. So, this is very important. Here, you have to tick this box, allow private key to be exported. And then we will update security. So, we can remove Domain Computers. We don't need these computers here. So, click on remove. We will add here our IIS server group, so CM IIS servers, so I will click on check names. 
You can see that this is populated, and our Configuration Manager server is part of this group. Click okay, and we are going to provide enroll permissions, read and enroll is checked, and also Microsoft recommends to remove permissions which Domain Admin has. So, Domain Admins group, this has enroll permission. We will undo that, and Enterprise Admins, we can remove enroll as well.
[19:02]Okay, so this looks pretty good, and we will click on apply. And also subject name, so you can see that supply in the request is selected. So, I haven't changed anything else, and we will click okay. Okay, so our certificate templates are ready, so what we have to do, we have to issue these templates. So, in certification authority here, we will right click on certificate templates, click new, and certificate template to issue. So, click on that, and here from the list, we will select these three certificate templates. So, we have CM Client Certificate, CMDP Certificate, CM IIS servers certificate. Click okay on that, and that's it. So, this is done. We can see in certificate templates, CM IIS servers, DP, and Client Certificate listed here. Okay, so once our certificate templates are ready, they're ready to enroll, issue, or we have to export wherever applicable. So, let's have a look at how we can do this. So, the first one we are going to do, the client authentication certificate. So, for that one, we have to use a GPO. So, on DC01, we are going to create a GPO. And let's have a look at how we can do it. Okay, so I have logged on to Technic-DC01, I will click on tools, Server Manager is open. So, in tools, we will select Group Policy Management. So, it's here, click on that. Okay, so what we are going to do, we are going to create a new group policy object. So, I am going to create a new group policy object, then I'm going to link it to Technic Computers. So, I will create a new group policy object, and I will name it C_Client Authentication Cert. So, either you can add to your existing group policy objects, it's up to you. So, I'm going to create a new one here. So, click okay, and this is available right here. I will right click, and select edit.
So, this is a computer based policy, and we will here select policies under computer configuration, extend that, Windows settings, and then in Windows settings, we are going to extend further security settings. So, in security setting, we have public key policies. Double click on that, and we will find this policy at the end. Certificate Services Client-Auto-Enrollment. So, double click on that, we are going to enable this, and here we are going to check this renew expired certificates, and check this as well, update certificates that use certificate templates. Click apply, click okay. Basically that is all. So, I will close this, and now what we are going to do, we are going to link this policy. So, here, so on Technic Computers. So, remember one thing that we have to link this policy to any site server, which has management point role installed as well.
[22:13]So, in our case, we have member servers, where we have our Configuration Manager server, there's only one server, and it has the management point role installed. So, that server definitely needs this client certificate as well. So, this is why I'm linking it at the top, Technic Computers. So, this will install this client certificate on all the machines within the Technic Computers organizational unit. So, right click here, link an existing GPO, and we will select client authentication cert. I will click okay on that, and I will right click here, and let's just update group policy. Click yes. And also we can test this out. So, to do that, we can minimize this, we'll go back and log on to PC01 or 02. So, I have two computers there. Before we do GP update, I would like to show you the local machine certificate store. So, what we'll do, we can open the local machine certificate store with certlm.msc. Click okay, and say yes to it. So, we can see that local computer certificates. So, in personal, you can see that nothing is there. Okay, so the policy hasn't kicked in yet. So, what we'll do, we'll do GP update. So, we will type gpupdate /force and click okay. It's updating the policy, and here what we can do, we can refresh it. So, in some cases you might have to restart the device as well. So, certificates, there you go. So, it actually came across. So, this is a client authentication certificate. Okay, so now the next part is we have two more certificates. One is for distribution point, and the other one is for our IIS servers. So, what we are going to do, we will log on to CM01. So, Technic CM01, and here we are going to enroll these two certificates. You know that we have made a group membership change, which means we might have to restart this server. So, otherwise maybe we won't be able to enroll these certificates. So, what I'm going to do, quickly, I'm going to close everything here, and I will give it a quick reboot.
[24:36]All right, so I have restarted CM01. So, I will open certlm.msc to see local computer certificates. Say yes to it. And here we have local computer personal store, and certificates. So, we should get that client certificate, which is listed right here. So, you can see that Technic-CA01-CA client authentication. So, which is good. And also in trusted root certification authorities, we will see Technic-CA01 listed as well. So, let's come back to personal certificates, and right click here, and we are going to all tasks, and request new certificate. So, here, click next again, and Active Directory enrollment policy, and then click next. So, here we can see that we have a few certificates which we have permission on. So, we can select CMDP certificate and also CM IIS servers certificate. So, here we will provide more information. So, select that, and in alternative name here, we will select DNS, and provide the computer name. So, which is Technic-CM01. So, this is the computer name of our site server, say add. And also we will provide the fully qualified domain name as well, which is Technic-CM01.Technic.local. Click add, and also we will provide a general name as well. So, friendly name, I will name it CM IIS servers certificate. Okay, so once we have provided this information in subject and general, hit apply, click okay, and click on enroll. So, I have selected CMDP certificate, and provided extra information for CM IIS servers certificate. So, click on enroll, and it has succeeded, click finish. Okay, so now we can see that the DP certificate is there. CM Client Certificate is there, which came across with the help of group policy, and the IIS servers certificate is available as well. And also you may have remembered for CMDP certificate, we allowed exporting of the private key. So, what we are going to do here is we right click here, and then all tasks, and we are going to export it. So, select export, click next here, yes, export the private key as well.
So, click next, and we are selecting personal information exchange. So, here we will uncheck that, and we will only select include all certificates in the certification path if possible. So, click next here, and provide a password. So, click next, and here we will select a file name. I will save it on the same server in documents, and here we will name it DP certificate, and click save. So, click next, and finish. The export was successful. Click okay. Okay, so now we have requested a certificate, we exported it, and also we have issued a certificate with the group policy. So, the next part here is we are going to now configure our IIS server and WSUS server to use HTTPS. So, this is what we are going to do on our Configuration Manager server, where IIS server is available, and the WSUS role is installed. Let's have a look at how we can do it. Okay, so I'm on CM01, and what I will do, I will go to tools, and let's open IIS Manager. So, in IIS Manager, I will extend here, and we can see that sites, let's extend sites. We can see Default Web Site and WSUS Administration. So, let's update Default Web Site first. Select Default Web Site, and in actions, select bindings, and here in 443, click edit, and we will select here SSL certificate, and we will select CM IIS servers certificate, and click okay on that, and click close. So, now what we can do, if you open Internet Explorer, and if you do HTTPS, and we will say Technic-CM01, and hit enter. So, you can see that this is working, if you click here and view certificate, and certification path, you can see that this has been provided to Technic-CM01. So, click okay on that, and also we can test for the fully qualified domain as well, .Technic.local. So, hit enter, and this is resolved. So, which is good, and the same thing we will do for WSUS Administration.
Select that, and select bindings, and here 8543 port HTTPS, click edit, and we will edit here SSL certificate, and extend that, and we will select CM IIS servers certificate, and click okay, and close. All right, so with WSUS, we have to do slightly more than what we have done for the Default Web Site option. So, here, let's have a look at this documentation from Microsoft for WSUS with HTTPS. So, they recommend performing the following steps. Here you can see that for ApiRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService, we have to go to properties, and then we have to update the require SSL and ensure that ignore client certificates is selected. Okay, so let's just do that. So, let's go back to CM01, and ApiRemoting30, and here we will select SSL settings. Double click on that, require SSL, and hit apply. And the same thing we are going to do for ClientWebService as well. So, SSL settings, double click here and require SSL, ignore, make sure this is selected, hit apply. And DSSAuthWebService, same thing we will do. SSL settings, double click on that, require SSL, hit apply. And then ServerSyncWebService. So, we will select SSL settings, double click on that, and require SSL, click apply. And SimpleAuthWebService, same thing we are going to do. Double click SSL, require, ensure this is selected, and hit apply. Okay, so this is done here within IIS. However, we have to make sure that we enable SSL for WSUS. To do that, we will open File Explorer, and we will go to Local Disk C, and this is where we have installed the WSUS role. So, Program Files, and then we have Update Services here. So, in Update Services, we will find Tools. So, we have WsusUtil.exe. So, click on file, and open with PowerShell as administrator. Say yes to that. And if you type WsusUtil or WSUS and hit tab, and forward slash with question mark, you can see that this is the help file here.
So, we would like to configure SSL. Okay, so I'm going to select that. Let's paste here. Let's see what the help says. Okay, this didn't work, for a reason. So, we have to type WSUS and then help configuressl. So, the dot backslash was missing. So, that's why we have seen this error. So, hit enter. So, we can see this help here. So, in the example, we can see that it enables SSL on the WSUS web service. If you just type WsusUtil, it's for the current machine, the machine where you run it. However, if you want to ensure that it's configured properly, and it uses the fully qualified domain name, it's better that we run this one. So, WsusUtil configuressl wsus01.corp.contoso.com. This is the fully qualified domain name for this example. However, in our case, we have a different fully qualified domain name. So, we will run this utility. So, I will clear this one here. So, just type WSUS and then hit tab. So, you will see this WsusUtil.exe, and we will type configuressl, and type in the fully qualified domain name. So, Technic-CM01.Technic.local. So, make sure you type it correctly, and then hit enter. So, okay, so here you can see the URL https://Technic-CM01.Technic.local, and 8531 is the port. Okay, so this is done. Okay, so all the hard work is now done. So, now what we have to do, we have to open the Configuration Manager console, and update our site. So, let's do that on Technic-CM01. So, here I am on Technic-CM01 in the Configuration Manager console. I will change it to administration, and then we will look at site configuration, then sites. So, you will see your site listed here. I will right click here, and then we will go to properties. So, in properties, we have communication security.
[34:17]All right, so here we have an option, either to go on HTTPS fully, or we can still utilize HTTP, or HTTPS wherever available. So, I would suggest using the second option, HTTP and HTTPS to start with, and later on you can fully go on HTTPS mode. So, let's just tick that box here. So, use PKI certificate when available. So, tick that box, and basically that's all we have to do here. We can come back, we have to update trusted root certification authority for our PXE deployment. Okay, so PXE boot might not work if you have not provided trusted root certification authorities here. Okay, so you have to set it here. So, we'll come back to this. So, hit apply here, and then click okay. So, that's done. All right, so this is how you update and tell Configuration Manager who the root CA is. So, we can test it again. Minimize this, we'll go back here, PC02, double click, and start it. So, it's starting, and we will hit enter when it prompts. I will provide the password.
[35:34]Click next, and I will see the task sequence, which is available here.
[35:49]And if I go back to Configuration Manager, and in our logs, so this is the SMSPXE.log file. And you can see that prioritizing local MP HTTP. This is the management point. It was trying to connect earlier. So, it has given that error. So, it failed to connect. However, this time around, we can see that this has actually connected successfully. Okay, so this looks good. So, this is why I highly recommend that you go ahead and update your sites, and you update your CA here, within Communication security. So, this is here. So, root CA specified. So, make sure you set that root CA. All right, so that's all for this video. If you find this video informative, give it a thumbs up and show your support. Subscribe to my channel and click on the bell icon as well to get all the latest updates. And also if you have any questions, leave them in the comments box below, I'm more than happy to help you. I will see you in the next video, have a good one in the meantime.