Ensuring MECM Clients Support HTTPS Communication

The DOI is requiring that the MECM environment be changed from its current unencrypted HTTP mode to encrypted HTTPS for all communications. This requirement involves multiple MECM-related services, each of which must be enabled for HTTPS to complete the process. The first service in the environment we will focus on is the distribution points (DPs).

In order to support the needed changes, USGS first needed to link a GPO in the environment that causes Windows clients to auto-enroll DOI-issued certificates. This change to the Default Domain Policy (DDP) GPO was approved on September 29, 2019. The GPO configures the following settings related to certificate enrollment for the system.

For the MECM client to operate successfully over HTTPS, its client certificate must switch from Self-signed to PKI, as shown below in the Configuration Manager Properties on the system.

This information can also be viewed in the MECM console: open the members of a site's All Systems collection, right-click the column header, and add the Client Certificate column from the list.

For systems that are still showing Self-signed, try the following steps to get the needed certificate installed.

  1. Make sure the computer is connected to the internal USGS network and open a CMD prompt as Administrator.
  2. Type the command gpupdate /force and press Enter.
  3. This forces a Group Policy update and should apply the DI – USGS Certificates GPO settings, including certificate auto-enrollment.
  4. Restart the computer and inspect the Configuration Manager Properties as shown previously. If the Client certificate mode has changed to PKI, the issue is resolved. If not, continue to the next step.
  5. Open a CMD prompt as Administrator, type mmc and press Enter. This launches the Microsoft Management Console.
  6. Load the Certificates snap-in by going to File -> Add/Remove Snap-in. Select Certificates and click Add.
  7. Choose Computer account, then Local computer, and click Finish. Click OK.
  8. Expand the snap-in and browse to Personal -> Certificates. There should be two certificates listed with the computer name, as shown below. One should have been issued from the DOI Workstation Cert template.

  9. If this certificate is missing, continue with the steps below to manually enroll the DOI Workstation Cert.
  10. Right-click on Certificates and choose All Tasks -> Request New Certificate, then click Next.

  11. Click Next.

  12. Check the box for DOI Workstation Cert and click Enroll.

  13. The certificate should enroll with the following result.

  14. Restart the computer and check the Configuration Manager Properties in the Control Panel again to confirm the Client certificate now shows PKI.
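
The steps above can be scripted for a fleet of workstations. The following PowerShell script is an added example and is not part of the original page or of any USGS tooling. It checks the local computer Personal store for a certificate the MECM client can actually use (private key present, not expired, Client Authentication EKU, issued from the DOI Workstation Cert template), retries Group Policy auto-enrollment (steps 1-3), falls back to an explicit enrollment request equivalent to the MMC wizard (steps 9-13), and restarts the SMS Agent Host so the client re-selects its certificate (step 14). It assumes the template's internal name, which certreq expects, is the same as its display name "DOI Workstation Cert"; the page does not state the internal name, so adjust $TemplateName if it differs. The DOI issuing CA's name is also not given, so no issuer filter is applied.

```powershell
# Added example, not from the original page: automate the DOI Workstation Cert checks
# and enrollment described in the steps above. Run in an elevated PowerShell session.
#
# Assumptions not stated on the page: the template's internal (certreq) name equals its
# display name 'DOI Workstation Cert'; no issuer filter because the DOI CA name is unknown.

#Requires -RunAsAdministrator

$TemplateName  = 'DOI Workstation Cert'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'     # Client Authentication, required by the MECM client
$TemplateOids  = @(
    '1.3.6.1.4.1.311.20.2',              # v1 "Certificate Template Name" extension
    '1.3.6.1.4.1.311.21.7'               # v2 "Certificate Template Information" extension
)

function Get-CertTemplateText {
    # Returns the formatted template extension text, e.g.
    # "Template=DOI Workstation Cert(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
    # If Windows cannot resolve the template OID to a name, only the OID appears.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($TemplateOids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return ''
}

function Get-DoiWorkstationCert {
    # Only certificates the MECM client can use: machine store, private key present,
    # not expired, Client Authentication EKU, issued from the DOI Workstation Cert template.
    # If several qualify, return the one with the longest remaining validity.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku) -and
            ((Get-CertTemplateText $_) -like "*$TemplateName*")
        } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-DoiWorkstationCert

if (-not $cert) {
    # Steps 1-3: refresh Group Policy. certutil -pulse triggers the autoenrollment task
    # right away instead of waiting for the next scheduled autoenrollment pass.
    Write-Host "No DOI Workstation Cert found; refreshing Group Policy and pulsing autoenrollment."
    & gpupdate.exe /force | Out-Null
    & certutil.exe -pulse | Out-Null
    Start-Sleep -Seconds 30
    $cert = Get-DoiWorkstationCert
}

if (-not $cert) {
    # Steps 9-13: the same request the MMC "Request New Certificate" wizard makes,
    # issued non-interactively (-q) for the computer account (-machine).
    Write-Host "Autoenrollment did not issue a certificate; requesting it explicitly."
    & certreq.exe -enroll -machine -q $TemplateName
    $cert = Get-DoiWorkstationCert
}

if ($cert) {
    Write-Host ("Found usable certificate {0} (expires {1})." -f $cert.Thumbprint, $cert.NotAfter)
    # Step 14 without the reboot: restarting the SMS Agent Host makes the client re-evaluate
    # its certificate. Confirm Client certificate = PKI in Configuration Manager Properties.
    Restart-Service -Name CcmExec
} else {
    Write-Warning "Still no DOI Workstation Cert. Check Enroll/Autoenroll permissions on the template and the issuing CA's Failed Requests."
    exit 1
}
```

Two caveats when using this. First, the template match relies on the formatted extension text containing the template display name; on a machine that cannot resolve the template OID the text shows only the OID, and the match will fail even though the certificate is present, so inspect the store by hand (step 8) before assuming enrollment failed. Second, if the machine holds more than one valid Client Authentication certificate, the MECM client's selection is governed by the client's certificate selection settings rather than by this script; the script only reports the one it would expect the client to choose.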
