How To Configure PKI for Microsoft SCCM to Use HTTPS/SSL Instead of HTTP

  • Published 7 Aug 2024
  • In this step-by-step guide, we will walk through the process of switching SCCM from HTTP to HTTPS. Justin Chalfant, a software engineer at Patch My PC and former SCCM Premier Field Engineer at Microsoft, will be performing the video guide.
    Blog post 👉 setupconfigmgr.com/how-to-con...
    In this guide, we cover installing a Microsoft Certificate Authority using Active Directory Certificate Services, creating the certificate templates for SCCM, deploying the certificate templates, requesting certificates on the site system(s) and client(s), creating an auto-enroll GPO for clients, changing the site system to use HTTPS, changing WSUS to require HTTPS, and verifying that the clients use HTTPS to communicate with the site.
    Topics in This Video:
    Introduction - (0:00)
    Install Active Directory Certificate Services - (0:30)
    Create Certificate Templates for SCCM - (4:56)
    Create Auto-Enroll GPO for the Client Certificate - (10:54)
    Requesting the IIS and DP/OSD Certificate on the IIS Site System - (12:02)
    Bind Requested Certificate to Site in IIS for Default and WSUS Website - (16:01)
    Configure WSUS to Require SSL - (17:36)
    Configure DP, MP, and SUP to use SSL - (19:36)
    Verify Client Received Client Certificate and SCCM Client Changes to SSL - (28:35)
    Wrap-up - (32:36)
    Other Resources:
    - PKI certificate requirements for System Center Configuration Manager - docs.microsoft.com/en-us/sccm...
    - Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 certification authority - docs.microsoft.com/en-us/sccm...
    - How to Configure the WSUS Web Site to Use SSL - technet.microsoft.com/en-us/l...
    - Install the Certification Authority - docs.microsoft.com/en-us/wind...
    - PKI Deployment Models - www.rebeladmin.com/2018/05/pki...
    - How PKI Works - www.rebeladmin.com/2018/05/how...
    - Active Directory Certificate Service Components - www.rebeladmin.com/2018/05/act...
    #SCCM #ConfigMgr #HTTPS
  • Science & Technology
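As an added example (not part of the video or the Patch My PC blog post), this PowerShell script checks the end state the guide produces on a site system: an HTTPS binding with a valid web server certificate on the Default Web Site (443) and the WSUS Administration site (8531), WSUS configured to require SSL, and an auto-enrolled client authentication certificate. It assumes the IIS default site names, the default WSUS SSL port 8531, and that the WebAdministration module is available; the FQDN defaults to the local host and can be overridden.

```powershell
# Added verification script for the end state this guide produces; it is not part of the
# video or the Patch My PC blog post. Run it in an elevated PowerShell session on the site
# system that hosts the MP/DP/SUP roles after the switch to HTTPS.
# Assumptions: the IIS WebAdministration module is present, the default IIS site names are
# in use ('Default Web Site', 'WSUS Administration'), WSUS listens for SSL on 8531, and the
# FQDN defaults to this host (override with -SiteSystemFqdn).
param(
    [string]$SiteSystemFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

Import-Module WebAdministration -ErrorAction Stop

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication (IIS web server cert)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication (client / DP cert)

function New-CheckResult {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# The certificate bound to an HTTPS endpoint must be a valid web server certificate for this host.
function Test-SiteHttpsBinding {
    param([string]$WebSite, [int]$Port, [string]$Fqdn)
    $name = "$WebSite :$Port"
    $binding = Get-WebBinding -Name $WebSite -Protocol https -Port $Port -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $binding) { return New-CheckResult $name $false 'no HTTPS binding on this port' }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $cert) { return New-CheckResult $name $false 'bound thumbprint not found in LocalMachine\My' }

    $problems = @()
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }
    if ($cert.DnsNameList.Unicode -notcontains $Fqdn)                   { $problems += "name does not cover $Fqdn" }
    if (-not $cert.HasPrivateKey)                                       { $problems += 'no private key on this host' }
    if (-not $cert.Verify())                                            { $problems += 'chain does not verify (root trust or revocation)' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30))                      { $problems += "expires $($cert.NotAfter.ToShortDateString())" }

    if ($problems.Count -eq 0) {
        return New-CheckResult $name $true "OK: $($cert.Subject), issuer $($cert.Issuer)"
    }
    New-CheckResult $name $false ($problems -join '; ')
}

# wsusutil configuressl records the SSL state in the WSUS Setup key; the five WSUS virtual
# directories must additionally be marked Require SSL in IIS.
function Test-WsusRequiresSsl {
    $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' -ErrorAction SilentlyContinue
    if (-not $setup) { return New-CheckResult 'WSUS SSL' $false 'WSUS is not installed on this server' }
    $problems = @()
    if ($setup.UsingSSL -ne 1) { $problems += "UsingSSL=$($setup.UsingSSL) (expected 1)" }
    foreach ($vdir in 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService', 'ServerSyncWebService', 'SimpleAuthWebService') {
        $flags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\WSUS Administration\$vdir" `
                    -Filter 'system.webServer/security/access' -Name sslFlags -ErrorAction SilentlyContinue).Value
        # sslFlags may come back as the flag name or its numeric value (Ssl = 8) depending on the module version
        if (-not ("$flags" -match 'Ssl' -or (($flags -as [int]) -band 8))) { $problems += "$vdir does not require SSL" }
    }
    if ($problems.Count -eq 0) { return New-CheckResult 'WSUS SSL' $true "UsingSSL=1, PortNumber=$($setup.PortNumber)" }
    New-CheckResult 'WSUS SSL' $false ($problems -join '; ')
}

# The auto-enrolled client authentication certificate is what the ConfigMgr client presents to the MP.
function Test-ClientAuthCertificate {
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and $_.Verify()
    })
    if ($certs.Count -eq 0) { return New-CheckResult 'Client auth certificate' $false 'none found; check the auto-enrollment GPO (gpupdate /force)' }
    $summary = ($certs | ForEach-Object { "$($_.Subject) exp $($_.NotAfter.ToShortDateString())" }) -join '; '
    New-CheckResult 'Client auth certificate' $true $summary
}

$results = @(
    Test-SiteHttpsBinding -WebSite 'Default Web Site'    -Port 443  -Fqdn $SiteSystemFqdn
    Test-SiteHttpsBinding -WebSite 'WSUS Administration' -Port 8531 -Fqdn $SiteSystemFqdn
    Test-WsusRequiresSsl
    Test-ClientAuthCertificate
)
$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }
```

A non-zero exit code means at least one check failed; the Detail column names the binding, virtual directory or certificate property that still needs attention.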

COMMENTS • 215

  • @samnnamani
    @samnnamani 4 months ago +8

    5 years later, this video is still saving jobs

  • @gafoorgk
    @gafoorgk 5 years ago +1

    Great video series. What's holding me here is the video in minute details. I'm able to learn more things, which will certainly add value next time when I configure SCCM. Thanks.

    • @PatchMyPC
      @PatchMyPC 5 years ago

      Thanks for watching!

  • @ddiemont
    @ddiemont 5 years ago +1

    I'm about to start a new SCCM deployment for my organization after not having gone through the process for 5 years (and that time I had the assistance of a PFE to get up and running). This series of videos is incredibly helpful to utilize a reference for my upcoming build. Also a big fan of Patch My PC, great service that helps a ton with my third party patch deployment... not sure how I'd get by without it :-)
    Thanks a ton!

  • @charlesludlow4116
    @charlesludlow4116 3 years ago +6

    This is by far the best SCCM video series I have come across. Thanks so much for the high quality detailed videos :)

  • @ijustwanttosignup
    @ijustwanttosignup 2 years ago +1

    Amazing walkthrough. Thank you for taking the time and making this so easy to follow!

    • @PatchMyPC
      @PatchMyPC 2 years ago +1

      thanks for watching!

  • @sixfishinc
    @sixfishinc 2 years ago

    Wonderful presentation. I read the MS docs that run parallel to this and your work just put it all in focus. Appreciate it!

  • @ganapathys
    @ganapathys 4 years ago +6

    Excellent video, it helped to configure SCCM 2019 in my environment.

    • @PatchMyPC
      @PatchMyPC 4 years ago +1

      Thanks for watching!

  • @Ihab.A
    @Ihab.A 3 years ago +1

    I refer your video to all my customers. You became like the number 1 to go for PKI

    • @PatchMyPC
      @PatchMyPC 3 years ago +1

      Thanks for recommending!

  • @cheeseynz
    @cheeseynz 5 years ago +3

    Thank you so much for all these videos. They are extremely valuable.

  • @pstz_800
    @pstz_800 1 month ago

    Dear Justin, You really helped me. My heart is always with you.

  • @tarmpaket
    @tarmpaket 5 years ago +1

    Thanks, helped me a lot, had some weird issues with changing over to PKI but just running this step by step solved it :)

  • @davidsirrine1070
    @davidsirrine1070 3 years ago +1

    Excellent step-by-step. Very much appreciated!

  • @waheedkhan-rw8vm
    @waheedkhan-rw8vm 2 years ago

    Fantastic video, great efforts to make it step by step. Love your work!

  • @mahmoudsami7965
    @mahmoudsami7965 4 years ago +6

    You're so damn good Justin :) really awesome and amazing detailed videos.

  • @denniskrebs1035
    @denniskrebs1035 4 years ago +1

    Incredible content! Thanks so much for sharing your expertise.

  • @hom1347
    @hom1347 2 years ago

    Wonderful... very clear and efficient. Nothing more to say... thank you Justin!

  • @lightsourcex
    @lightsourcex 5 years ago +2

    Very good walk through. You are a legend.

  • @blop-ml9xc
    @blop-ml9xc 3 years ago +1

    Thank you so much, I struggled for a long time making everything work. Now it works perfectly!!

    • @PatchMyPC
      @PatchMyPC 3 years ago

      Thanks for watching! Glad it helped.

    • @blop-ml9xc
      @blop-ml9xc 3 years ago

      @@PatchMyPC I have another problem, now when I try to distribute content to my distribution point, I have the error "The distribution handler could not connect to the distribution point, try to check your network or firewall", my distribution point is on the same server as the rest. I tried to disable my firewall but I still have the same problem. Do you have an idea? Thanks ;)

  • @esquerdino
    @esquerdino 4 years ago +1

    You saved me days of search and troubleshooting. Thank you!

    • @PatchMyPC
      @PatchMyPC 4 years ago

      You're welcome

    • @esquerdino
      @esquerdino 4 years ago

      @@PatchMyPC One question, if I wanted to change my Report Server to switch to HTTPS, how would I do that? Thanks!

  • @matthewdriscoll8556
    @matthewdriscoll8556 6 years ago +1

    Great instructional videos. I like your concise training style.

    • @PatchMyPC
      @PatchMyPC 6 years ago

      Matthew Driscoll thanks for the feedback.

  • @karam111
    @karam111 6 years ago +1

    Excellent video, thanks for uploading.

  • @raykall
    @raykall 5 years ago +1

    Thanks, this was incredibly helpful and insightful.

    • @PatchMyPC
      @PatchMyPC 5 years ago

      Thanks for watching!

  • @VerbalSnyting
    @VerbalSnyting 3 years ago +1

    Thank you!
    This just helped me prepare my SCCM environment for the coming change where http communication will be deprecated.
    I will sleep like a baby tonight.

  • @Psykabilly
    @Psykabilly 3 years ago +1

    Thank you for this very helpful video. Very easy to follow guide.

  • @pedepie1590
    @pedepie1590 4 years ago +1

    Nice Step by Step Video. The only issue that I ran into was for deployment task sequences. I needed to add the Trusted Root Certification Authority to my Site Properties Communication Security, so that the DP certificate was trusted.

  • @xishootstuffx
    @xishootstuffx 3 years ago

    Can't thank you enough for this video!

  • @brent4770
    @brent4770 5 years ago +1

    Outstanding video!

    • @PatchMyPC
      @PatchMyPC 5 years ago

      Thanks for watching!

  • @cbr650rmelbourne7
    @cbr650rmelbourne7 3 years ago +1

    Very good tutorial! Thank you :)

  • @narayananbaskaran6655
    @narayananbaskaran6655 5 years ago +1

    Excellent video

  • @bahnjee
    @bahnjee 3 years ago +1

    Just adding my two cents to maybe help others, since this guide got me over the hump... With the rapid changes going on in Azure/Intune, I wanted to point out that these steps still work as of 10/2020. Although there were two snags I had to work out:
    (1) After requesting the IIS Web cert on my MECM server, I had to go back and find the request on my CA, in the "Pending Requests" node, right-click and choose "Issue" to actually issue the cert to the MECM server. Then had to go to the MECM server's Certs.MMC, right-click the top node (Certificates (Local Computer)), > All Tasks > Automatically Enroll and Retrieve Certificates... Finally, the IIS Web cert showed up on my MECM server.
    (2) With all steps completed, my clients were still using Self-Signed certs (second line on General tab of CfgMgr client properties) and wouldn't switch to PKI cert. I had to go to MECM server registry and add the following key: HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel ClientAuthTrustMode (DWord) = 2. Reboot was required before my clients finally used the PKI cert.
    I'm still getting an error in EventViewer but not sure of its impact. "A fatal error occurred while creating a TLS client credential. The internal error state is 10013."

  • @lucasallen7494
    @lucasallen7494 2 years ago

    Thank you for this!

  • @user-dv9gk5jc6z
    @user-dv9gk5jc6z 6 months ago

    Great walkthrough. I've used your videos to go from noob to intermediate level sccm support! I do have an issue that arose though and I can't seem to figure it out, even with all the main forums for SCCM engineers blasted with the issue. I'm getting "DP not installed or configured yet" error when I try to create a new DP from the site. It was working prior to December 2023 just fine, then just stopped replicating content. After initial troubleshooting, I couldn't narrow it down to the site server, so since it was a brand new DP (not even in production yet really), I just recreated a new DP on another machine, and got the same error. I have checked all of the prerequisites for DP on the new computer. I have removed/readded the DP and site system server more times than I can count. I have made sure the site server computer account was in the local administrators group on the DP. First error in distmgr.log is above, then it's followed by errors saying it couldn't copy the ContentAuthModule.lib to the dp. Then it says can't copy ISAPI extensions. When I first kick off the DP add, the SCCM Content Lib folder is created on the DP, but nothing ever goes inside of it. I know this sounds like an easy "remove/readd permissions to site server local admin group and/or specific site server computer account to local admin", but it's not working. 4 weeks I've been banging my head on this and my company is too small to have a Premier Support account with Microsoft, nor will they pay anyone to come fix it as "you're our guru" they say to me as they pay me intermediate level moneys :)
    Any insight would be amazing from anyone really.

  • @thesammyjenkinsexperience4996
    @thesammyjenkinsexperience4996 4 years ago +4

    There was an important step missed here that will become an issue when attempting to do OS deployments using PXE. At around 20:00 in this video the Trusted Root Certificate Authorities certificate was not set in Site Properties -> Client Computer Communication tab. This will cause the PXE client to fail to securely communicate with the Management Point and will be unable to retrieve the necessary policies for OS deployment.
    Using the Certificates MMC snapin in the local computer context, export your enterprise RootCA certificate in the DER encoded binary X.509 (.CER) format. Add the exported certificate on the Client Computer Communication tab by clicking Set next to Trusted Root Certification Authorities, and then restart the Web Deployment Services Server service on the Distribution Point server.
    Note that it is not necessary to set any IntermediateCA certificates. Only the RootCA is required.

    • @PatchMyPC
      @PatchMyPC 4 years ago +2

      Thanks for the post!

    • @thesammyjenkinsexperience4996
      @thesammyjenkinsexperience4996 4 years ago +1

      @@PatchMyPC My pleasure. These videos have been so useful to me that I thought I would add something back in case anyone runs into the same issue I had. Thanks again!

  • @ravin9832
    @ravin9832 5 years ago +1

    Good One!

    • @PatchMyPC
      @PatchMyPC 5 years ago

      Thanks for watching!

  • @karsirome
    @karsirome 5 years ago +1

    You have helped me a lot, Thank you so much!!!

    • @PatchMyPC
      @PatchMyPC 5 years ago

      Thanks for watching :)

  • @IanGSully
    @IanGSully 2 years ago +2

    Nice Job on these videos! The names on my templates are slightly different. For example, instead of mine being called "SCCM IIS Certificate", I have mine called "MECM IIS Certificate". Because of the newer name for SCCM.

  • @jean-francoisflavien6822
    @jean-francoisflavien6822 3 years ago +1

    Nice video. Thanks

  • @BinhNguyen-cw2jn
    @BinhNguyen-cw2jn 2 years ago

    Thank you so much, I did it

  • @imranawan7908
    @imranawan7908 6 years ago

    Great video ... please make more SCCM Videos

  • @charliesmith4184
    @charliesmith4184 9 months ago

    Hi, great video.
    2 Years is up and my IIS and OSD certs are expiring soon. What do I need to do to renew them? Really struggling :(

  • @edohio435
    @edohio435 6 years ago +1

    Another great video. One small question: if none of my clients or the CA are Windows 2003, can I make the compatibility mode 2008R2 or even 2012? I wasn't sure why the compatibility had to be such an old version.

    • @PatchMyPC
      @PatchMyPC 6 years ago +2

      You need the template to be Windows Server 2003. This is for compatibility for ConfigMgr.

  • @hypoEthicaI
    @hypoEthicaI 1 year ago

    Hi Justin, thank you for the fantastic tutorial. Can I use this blog as a reference for creating my own blog in a different language?

  • @_dh88
    @_dh88 5 years ago +1

    Thanks Justin - when specifying the private key toward the start of the AD CS Config, is it possible to use a wildcard cert that we have purchased for our domain name through GoDaddy as an example ?

    • @PatchMyPC
      @PatchMyPC 5 years ago

      I'm not sure about that one.

  • @johnmills5499
    @johnmills5499 6 years ago +1

    Great video. This looks after machines on the corporate LAN - what about if I want to look after machines in a DMZ? as well as internet based clients (mobile devices) that are sometimes on our LAN but mostly not... Is this possible....?

    • @PatchMyPC
      @PatchMyPC 6 years ago +1

      John Mills I will be covering IBCM soon and DMZ clients in the future.

  • @albrough
    @albrough 4 years ago

    Excellent video, many thanks for your time.
    How can I deal with PKIs for machines in a DMZ? I have a management point in the same DMZ network for authentication, but the machines are on a completely different domain and do not have access to my sub CA where my MECM server resides.

    • @PatchMyPC
      @PatchMyPC 4 years ago

      DMZ is hard. You can request the cert internally with private key exportable.

  • @dabull3103
    @dabull3103 1 year ago

    I love your video it's very educative. Please could you give me a guide on how to get a PKI on a window server. I have been struggling with it

  • @cpukid00
    @cpukid00 5 years ago +1

    First, I must say; fantastic video! Very clear, detailed instructions with explanations of why you're doing these things. Seriously great stuff!
    I do have a question. In my lab, I have mostly domain-joined endpoints to manage, but also a few workgroup clients. I followed this guide, which resulted in my environment being configured to handle https or http. However, it seems that the workgroup clients I have stopped being able to communicate after making these changes. Is there a specific reason why? On the workgroup computers, I have added the FQDN of the SCCM server into the hosts file, which essentially gives me DNS resolution. I also have Windows firewalls turned off, no network ports blocked in between, etc.
    Furthermore, it seems that the obvious *best* way forward would be to install the certificate manually on the workgroup systems. I *shouldn't* necessarily need to do this, since it should accept http or https, but if I did want to manually install the certificate(s) on the workgroup clients, what would be the best way to achieve that?
    Thanks again for the quality content!

    • @PatchMyPC
      @PatchMyPC 5 years ago

      I'm assuming the workgroup clients don't have a client authentication certificate installed?

    • @cpukid00
      @cpukid00 5 years ago

      Patch My PC Correct. Here’s my two questions around that:
      1. Shouldn’t I not necessarily need the client certificate installed since my SCCM environment is configured for either http or https? Shouldn’t it just prefer a cert, not require it?
      2. What’s the process for exporting a client cert to a workgroup client from the CA, since it obviously can’t auto-enroll via the group policy?
      Thank you for your time!

    • @stephaniejaszkowski6760
      @stephaniejaszkowski6760 4 years ago

      @@cpukid00 did you ever find a solution for this?

  • @PeterMIcedVoltage
    @PeterMIcedVoltage 2 years ago +1

    thanks bud

  • @fabiobreccia463
    @fabiobreccia463 9 months ago

    Hi, I followed the procedure without encountering any difficulties, but in the Configuration Manager console I see the devices with CLIENT CERTIFICATE as Self-Signed and not PKI. Any suggestions on what I could check?
    Thank you and your guides are very helpful and informative

  • @zynx85
    @zynx85 4 years ago +1

    I'm enjoying your videos about SCCM. For this chapter, can we use Wildcard SSL on the WSUS or SCCM?

    • @PatchMyPC
      @PatchMyPC 4 years ago

      I haven't tested that scenario with Internal PKI.

  • @mikemurphy2407
    @mikemurphy2407 6 years ago

    Can you put your SCCM 2012 RC - Step by Step video back up? That was a very helpful setup primer

    • @PatchMyPC
      @PatchMyPC 6 years ago +1

      Mike Murphy Have you seen my updated video here m.ua-cam.com/video/amrg_mlFvuk/v-deo.html. I cover more in depth how to install SCCM current branch in this one.

  • @adamgloyd9508
    @adamgloyd9508 5 years ago +1

    Just wanted to add a note about the client auth certificate version. I don't think a 2003 version is a requirement any longer. Our client certs use a 2012 version and everything is working correctly. We're currently running CB 1810.

    • @PatchMyPC
      @PatchMyPC 5 years ago

      There's still some mention of it in the docs: docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements

  • @tehpatriot
    @tehpatriot 6 years ago +1

    Great video. Thanks!
    Is there a reason you didn’t enable "https only" and instead selected “https or http”? From what I understand "https only" shouldn’t require any additional configuration besides what you've already done? In my experience removing https bindings on your DP, just makes the client being stuck on downloading 0% in Software Center.

    • @PatchMyPC
      @PatchMyPC 6 years ago

      tehpatriot yeah, that would have been fine since I only had one site system, and it had the needed certs. I had some other things I was planning on doing so I didn't enable it site wide.

  • @sarwanamajid
    @sarwanamajid 5 years ago

    Hi, thank you for the videos. I have a question regarding WSUS and SCCM. My SCCM and WSUS server are on different servers. Do I need to import the cert (IIS) on both servers and assign the binding to the site, and when running wsusutil, what server am I putting for https: the SCCM server or WSUS? My WSUS server has the software DP site installed on it.

    • @PatchMyPC
      @PatchMyPC 4 years ago

      IIS certs are usually specific to each host.

  • @hrishipradhananga4630
    @hrishipradhananga4630 5 months ago

    As http has been deprecated, is configuring PKI for SCCM a mandatory step, or is there another way to configure and enable https-only communication? Please suggest.

  • @modhurimabanerjee6249
    @modhurimabanerjee6249 4 years ago +1

    Hi Justin,
    Hope you are doing well!
    It was a great video. Thanks a lot. This is the first time I am making changes in a live environment, however I am currently facing a challenge.
    In our environment we have the SUP role installed on CAS and PRI. We have set up one web server certificate for CAS and another web server certificate for PRI in the WSUS administration (port 8531), we have even done the SSL settings as per your video and ran wsusutil with the different server FQDN on both CAS and PRI, however we are getting an error in the logs stating "The request failed with Http status 403".
    Please help me out!

    • @PatchMyPC
      @PatchMyPC 4 years ago

      403 could be a variety of issues

  • @ashwinikumari9258
    @ashwinikumari9258 5 years ago

    Hi Justin,
    Nice video.
    But how did you manage to get the OSDcert?

    • @PatchMyPC
      @PatchMyPC 4 years ago

      That should be covered in the video.

  • @jackfetter
    @jackfetter 4 years ago

    Great video, awesome resource! Question - I have multiple DPs (14), do I need to request the DP Cert from EACH DP?
    ...and IF YES, do I also need to import THAT SPECIFIC exported Certificate on the DP Tab for that same DP? Thank you in advance...

    • @PatchMyPC
      @PatchMyPC 4 years ago

      You can use the same client cert for the DP cert.

    • @jackfetter
      @jackfetter 4 years ago

      @@PatchMyPC Thank you very much for the reply, still a little confused. To clarify (for me!):
      1. Do I need to request the DP Cert on each of my DP's?
      2. Do I export from each DP and import the matching .pfx within the console for each DP, or just export one time and import that same .pfx for each DP?
      Thank you again!

  • @bdzbdz
    @bdzbdz 11 months ago

    Sir You are amazing.....
    Thank you so much!
    I have just one question:
    I created templates for Web Server and Windows Authentication PKI certificates. I don't want to create DP certificate for now, but in CM I set DP communication to HTTP and on primary site both https and http.
    I am creating all this because Client wants the CM to deploy Bitlocker to their machines, so the MP has to use PKI.
    Did everything like you explained, I have one PC that is in the PKI TEST collection. Created GPOs, PC received PKI, changed MP communication to HTTPS, everything looks fine.
    BUT - now in devices, the icon next to a PC turned to grey X, and when I deploy apps or run scripts to that PC nothing happens.
    MP is green in Monitoring, in all Log files everything is the same as is in your logs.
    I can access the PC using remote control but that's it...
    Can you PLEASE help me... this has to work in 9 hours :( :(

  • @zakhan12345
    @zakhan12345 3 years ago

    Hi Justin, thanks for the fantastic video. One thing I want to clear up: you mentioned certs are required for CMG. If I don't want my internal machines to use PKI, how can I ignore that? Based on your 2 videos it looks like I am moving my infrastructure from self-signed to PKI. Please advise.

    • @PatchMyPC
      @PatchMyPC 3 years ago

      If you don't use internal PKI, machine would be able to use Azure AD Auth or token based auth docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-token

  • @brianhastings8833
    @brianhastings8833 2 years ago

    This guide is great but I can't get my client push working. Are there some additional installation properties required now I'm using https?

    • @PatchMyPC
      @PatchMyPC 2 years ago

      Check out my post install guide it covers client push

  • @ArthurBucione
    @ArthurBucione 4 years ago +1

    Excellent video! One question: how about the certificates for OSD boot media? Can I use the DP certificate or do I need another one?

    • @ArthurBucione
      @ArthurBucione 4 years ago +1

      I was having problems with the boot media but I figured it out. You actually have to export the root CA certificate and import it into the "Trusted Root Certification Authorities" (20:00 on the video). After that, you can regenerate the media and it will work. This may help someone out there ;-)

    • @PatchMyPC
      @PatchMyPC 4 years ago

      Yes you can

  • @sundrasingh5893
    @sundrasingh5893 2 years ago

    Hi Justin, I just wanna know is there a command that'd pick the correct cert if the client installation is taking wrong cert, from a bunch of certificates. how to go about it?

    • @PatchMyPC
      @PatchMyPC 1 year ago

      Hope you figured this one out. Sorry for the delay, this is a little bit too complex to try to resolve in comments. The Microsoft docs for ConfigMgr can often be a great resource.

  • @firealliancenx
    @firealliancenx 5 years ago +1

    Great video. Question about remote DPs though, only a single cert for all DPs for OSD? I have 20 DPs, wouldn't the client want the cert to match the ones they're connected to? Also, after the import, can the .pfx be deleted (I didn't see it get stored anywhere else).

    • @PatchMyPC
      @PatchMyPC 5 years ago

      The cert added directly to the DP tab is used for clients during OSD. The web server DP certs would need to be unique but the DP/OSD ones don't.

    • @firealliancenx
      @firealliancenx 5 years ago +1

      @@PatchMyPC I get that, but when I request the DP Cert, it's tied to a particular DP so I guess I don't know how that works. (And can I delete the file after import?)

    • @PatchMyPC
      @PatchMyPC 5 years ago

      @@firealliancenx boundary groups will tell the client what DP to use. Yes, you should be able to remove it after.

    • @firealliancenx
      @firealliancenx 5 years ago

      @@PatchMyPC I don't think I'm asking the question correctly, thank you for the swift responses though!

  • @Lewis01Brown
    @Lewis01Brown 3 years ago

    Great video, but I have a question. Why would you configure https but then have the option to use https or http with pki as preferred instead of forcing https only?

    • @PatchMyPC
      @PatchMyPC 3 years ago

      Some MPs could run on HTTP and see in HTTPS

  • @walterh1223
    @walterh1223 5 years ago +1

    Great video, how would you go about installing the client certificate for a different domain? This works perfectly for domain XYZ but my other domain obviously is not getting the certificate from AD/GPO.

    • @PatchMyPC
      @PatchMyPC 5 years ago

      This can get very complex depending on how the trust is configured.

    • @walterh1223
      @walterh1223 5 years ago

      @@PatchMyPC Ouch, okay I have a 2 domain environment and I got this working perfectly for the primary domain where SCCM sits, SCCM was managing both domains fine before I forced HTTPS/PKI - was hoping I could push the cert to the other domain and be all set?

    • @PatchMyPC
      @PatchMyPC 5 years ago

      @@walterh1223 As long as the root CA issuing certs is trusted it should work fine. Clients need to trust the SCCM site system (IIS certs) and vice versa. It shouldn't really matter what domain/CA is issuing the certificate as long as the root is trusted.

  • @kuzion4579
    @kuzion4579 2 years ago

    When importing the OSDCert into IE, I still can't access the site because it's not accepting the imported cert? Why is that? Maybe because I have exported it with SHA256 encryption?

    • @PatchMyPC
      @PatchMyPC 2 years ago

      It could be a lot of different reasons, and probably a little tough to try to solve via comments.

  • @sethbest2258
    @sethbest2258 4 years ago +1

    Is it possible to skip the CA setup and to just use a public wildcard cert?

    • @PatchMyPC
      @PatchMyPC 4 years ago

      For what certificate, the management point?

  • @fresnocourt6874
    @fresnocourt6874 4 years ago

    I have to say FANTASTIC VIDEO!! Very detailed. Just have one question. For some reason, when I enabled SSL communication, when I PXE boot and get to the SCCM password screen it will not load my Task Sequence jobs and errors out, then restarts.

    • @fresnocourt6874
      @fresnocourt6874 4 years ago

      I believe once I enter pxe the client cannot communicate with the mp due to no certificate? is that possible?

    • @PatchMyPC
      @PatchMyPC 4 years ago +1

      @@fresnocourt6874 anything in SMSPXE.log?

    • @fresnocourt6874
      @fresnocourt6874 4 years ago

      @@PatchMyPC Sorry for such a late response. I had to put this to the side for a bit. I do have logs: WARNING: _SMSTSRootCACerts Not Set. This might cause client failures in native mode. WARNING: _SMSTSCertStoreName Not Set. This might cause client failures in native mode. WARNING: _SMSTSCertSelection Not Set. This might cause client failures in native mode.

    • @fresnocourt6874
      @fresnocourt6874 4 years ago

      Ok....Also steps taken I updated the boot image and unblocked the certificate in the Certificate Node, which resolved the warning, but I am still having the same issue. I would get to the Pxe boot screen to enter my password, but when I enter it, it would attempt to look for policy then fail.

    • @fresnocourt6874
      @fresnocourt6874 4 years ago

      @@PatchMyPC I resolved the issue by putting a trusted Root Certificate in the Site Property > Client Computer Communication. Just in case someone else is having the same issue.
      Thanks again for the video, I could not have gotten here without it. Next up for us is IBCM.

  • @user-ep7uc8cp3l
    @user-ep7uc8cp3l 4 months ago

    So I have my DP and WSUS servers separate from the primary site system. Would I need to create a different IIS SSL for each of those servers with the local hosts DNS name?

    • @PatchMyPC
      @PatchMyPC 4 months ago

      Yeah you likely would unless you used a wildcard SSL certificate

    • @user-ep7uc8cp3l
      @user-ep7uc8cp3l 4 months ago

      I believe we do have a public wildcard with digicert or GoDaddy.

  • @richardtorres5290
    @richardtorres5290 4 years ago +1

    Justin, as always your videos are very well done, educational and have helped me very much. Even experienced IT Pros learn from your videos.
    I wanted to know if you can answer something. I followed this process exactly and it worked. All my systems that were in SCCM automatically got upgraded to PKI and a system that I added to the domain manually also got a PKI certificate. The issue I am having since I configured PKI: when I PXE boot (using PXE responder) to build a new system via task sequence, the Task Sequence Wizard never comes up and the system reboots. I restored my system to non-PKI and the task sequence wizard comes up OK and allows me to select a task sequence and image. I need to get PKI to work because I'm working on BitLocker integration (CM version 1910) and PKI is required. I have been looking for an answer for a couple of weeks now with no luck. Any suggestions will be greatly appreciated.
    P.S. do you have a video on how to do BitLocker Integration?

    • @richardtorres5290
      @richardtorres5290 4 years ago +1

      I was able to find a resolution. Basically what was needed was to create a Trusted Root Certificate and import it into your site and give full rights to Authenticated Users to SMS_MP in IIS under Default Web Site. Reboot your SCCM server, then re-deploy your Task Sequence. After that, it PXE boots successfully.

    • @PatchMyPC
      @PatchMyPC 3 years ago

      glad to hear!

    • @PatchMyPC
      @PatchMyPC 3 years ago

      Thanks for the update below!

  • @yetanothercuban
    @yetanothercuban 3 years ago

    Hi Justin,
    Just to clarify, I have multiple DPs for each city in my company. Do I need to interactively log in to each server individually, request the certs for OSD and then import it in the console?
    Or can I log in to the Configuration Manager console and just import the OSD cert?

    • @PatchMyPC
      @PatchMyPC 2 years ago +1

      It depends on the cert, for the DP cert for OSD you can do it in the console. The IIS will probably require you to log in or some other automation.

    • @yetanothercuban
      @yetanothercuban 2 years ago

      @@PatchMyPC so each DP will also need the web server certificate we generated at the beginning?
      I think I have the general idea. Log in to each DP, run through the IIS certificate process you outlined in the video, and just import the OSD certificate from the console.

  • @ziyadahmed1496
    @ziyadahmed1496 2 months ago

    Client certificate in the SCCM console didn't change from "Self signed" to "PKI". Anyone know why? 33:25

  • @GrubbyD_SR
    @GrubbyD_SR 4 years ago +1

    Just FYI, I know this is two years later, but at 20:50 I had to specify the Trusted Root Certification Authority. Without it, imaging failed. It was just a case of exporting the root CA from the server and importing it there. Just in case anyone else gets caught on this.

  • @rohithande7879
    @rohithande7879 5 years ago

    Same installation for a pro environment?

    • @PatchMyPC
      @PatchMyPC 4 years ago

      The same concepts will generally apply.

  • @sarwanamajid
    @sarwanamajid 5 years ago +1

    I just tried to build a new Windows 7 machine and it's failing to apply the OS.
    In SSL, but with no client cert.
    We use Windows 10 Enterprise machines which are acting as DPs for local sites.

    • @PatchMyPC
      @PatchMyPC 5 years ago

      Did you import the PFX client cert on the DP in the console as shown in the video?

    • @sarwanamajid
      @sarwanamajid 5 years ago

      @@PatchMyPC I exported the cert from SCCM onto my desktop and then attached it to each DP; it keeps failing with the same error. In SSL, but with no client cert.
      I did check SCCM\Administration\Security\Certificates and all of the certs for each DP are showing as unblocked.

    • @sarwanamajid
      @sarwanamajid 5 years ago

      @@PatchMyPC Under each DP, I went into the Distribution point role, selected HTTPS, selected import cert and then pointed to the cert which is on my desktop, entered the password and clicked apply. I didn't get any errors.

    • @PatchMyPC
      @PatchMyPC 5 years ago

      @@sarwanamajid can you try to update your boot images? If using boot media recreate that after updating the boot image.

    • @sarwanamajid
      @sarwanamajid 5 years ago +1

      @@PatchMyPC I just updated the image but it is showing the same error message. Also my SCCM server is showing the wrong cert when I type in sccm in the browser. It should show me that my cert expires in 2021 but it is showing the old cert.

  • @vitlito
    @vitlito 1 year ago

    This is a very helpful video, but there are some topics it doesn't cover. 1. You need to create a CRL distribution point on HTTP and on a share, and configure the CA accordingly. Otherwise PXE will stop working; you also need to import the Root CA into Site Properties. Clients need to be able to check the revocation list. 2. Currently (2211) there is a bug: the console shows the Client Certificate as Self-Signed for devices, while it is PKI on the client.

    • @PatchMyPC
      @PatchMyPC 1 year ago

      Yeah. CRL would be more advanced than I wanted to cover in this video.
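A defender's check for the two issues raised in the thread above (whether the client actually holds a CA-issued certificate with the Client Authentication EKU, and whether its chain passes an online revocation check), as an added PowerShell example that is not code from the video or from Patch My PC; the issuing CA name is a placeholder you replace with your own.

```powershell
# Added example, not from the video. Run elevated on a ConfigMgr client.
# Lists machine certificates carrying the Client Authentication EKU and builds each
# chain with an online CRL fetch, so a missing or unreachable CRL distribution point
# surfaces here instead of as a silent fallback to the self-signed certificate.
param(
    # Placeholder: the CN of your issuing CA, as shown in the certificate's Issuer field.
    [string]$IssuingCaName = 'CONTOSO-ISSUING-CA'
)

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# EnhancedKeyUsageList is the script property PowerShell adds to Cert: drive items.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthEku })
}

if (-not $candidates) {
    Write-Warning 'No machine certificate with the Client Authentication EKU was found; check the auto-enrollment GPO and template permissions.'
    return
}

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Force an online revocation check of the whole chain rather than trusting the cache.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainValid = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        IssuedByOurCA = ($cert.Issuer -like "*CN=$IssuingCaName*")
        ChainValid    = $chainValid
        # Empty when the chain is fine; otherwise e.g. RevocationStatusUnknown or OfflineRevocation.
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
    $chain.Reset()
}
```

A row with IssuedByOurCA true but ChainValid false and a status of RevocationStatusUnknown or OfflineRevocation points at the CRL distribution point problem described in the comment, not at the certificate template.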

  • @dummupradeep4432
    @dummupradeep4432 1 year ago

    In the admin console it is still showing self-signed, but on the client PKI is showing. Please let me know if I need to make any changes.

    • @PatchMyPC
      @PatchMyPC 1 year ago

      Hope you figured this one out. Sorry for the delay; this is a little bit too complex to try to resolve in comments. The Microsoft docs for ConfigMgr can often be a great resource.

    • @Samdevay
      @Samdevay 3 months ago

      How did you solve it?

  • @ebrimaebri6930
    @ebrimaebri6930 2 years ago

    Hey, this is still valid for implementation.

  • @paulglynn1117
    @paulglynn1117 4 years ago

    Hi Justin,
    Thanks for the upload!
    Getting two errors at the moment:
    Http test request failed, status code is 403, 'Forbidden'.
    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden
    Followed on from video one but made some changes:
    SCCM and SQL are on separate servers,
    I have also installed an AD CS Two-Tier PKI Hierarchy
    docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831348(v%3Dws.11)
    Any help would be great.

    • @PatchMyPC
      @PatchMyPC 4 years ago

      There can be a lot of possible causes for 403. I would start with the IIS logs.

  • @brent4770
    @brent4770 5 years ago +1

    When you switch over to 443 should you resync Azure?

  • @mandargothoskar8578
    @mandargothoskar8578 5 years ago +1

    Hi Justin. I am following your complete video series about SCCM, and it is the first learning source I recommend to any SCCM novice.
    After following this guide, when I test the MP as you showed, I am getting this error:
    HTTP Error 403.2 - Forbidden
    You have attempted to view a resource that does not have Read access.
    I followed the guide and verified each step and I am still getting the above error. I would be grateful for any help or direction.
    Thanks in advance.

    • @PatchMyPC
      @PatchMyPC 5 years ago

      Does MPControl.log look ok?

    • @mandargothoskar8578
      @mandargothoskar8578 5 years ago +1

      @@PatchMyPC Thanks for the prompt reply. I set Read permission on the Handler Mapping for SMS_MP as suggested in the error page. Now I am getting the error below:
      HTTP Error 500.19 - Internal Server Error
      The requested page cannot be accessed because the related configuration data for the page is invalid.
      The same error is reflected in MPControl.log:
      Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error

    • @PatchMyPC
      @PatchMyPC 5 years ago

      @@mandargothoskar8578 I would probably start by trying to remove and reinstall the MP.

  • @craigb2279
    @craigb2279 3 years ago

    I seem to be good the entire way until I enable HTTPS on my MP, then boom, all clients instantly go inactive. All the certs are there on both the clients and the SCCM box, but it fails as soon as I set the MP to secure. So I stopped and rolled back.

    • @PatchMyPC
      @PatchMyPC 3 years ago

      They go inactive after how long? What do you have set for your inactive period?

    • @craigb2279
      @craigb2279 3 years ago

      @@PatchMyPC Immediately, within 5 minutes or less. It is clearly related: as soon as I undid the management point change they went back active. But now I have to undo the WSUS changes. I have already removed the require SSL setting, but is there an undo command for the wsusutil configuressl command?

    • @craigb2279
      @craigb2279 3 years ago

      I tried a simple patch on a server and it fails to download; that's why I am undoing the WSUS changes as well.

    • @PatchMyPC
      @PatchMyPC 3 years ago

      @@craigb2279 Are you saying they are "Inactive" or showing "Offline" (the icon)? These are different.

    • @craigb2279
      @craigb2279 3 years ago

      @@PatchMyPC Offline with the X icon. All I really want to know is how to undo the wsusutil.exe configuressl command. Is that not possible? I have reversed all the other changes.

  • @dsyncd555
    @dsyncd555 5 years ago +1

    I'm getting stuck at about the 13:30 minute mark. Auto-enroll works, but I don't see the templates I created being imported. The SCCM Client Certificate doesn't import. I only see Kerberos Authentication, Directory Email Replication, and Domain Controller Authentication. This is on an existing network with a CA already set up. Did I miss a setting?

    • @dsyncd555
      @dsyncd555 5 years ago +3

      Got it, I had to request it from the SCCM server, not the CA.

    • @PatchMyPC
      @PatchMyPC 5 years ago +2

      @@dsyncd555 Cool!