Configuration Manager Enhanced HTTP Support

Enhanced HTTP is a feature implemented in Configuration Manager that enables administrators to secure client communication with site systems without the need for PKI server authentication certificates. This feature is primarily used to support a Cloud Management Gateway (CMG) or Azure AD-joined devices, both of which would otherwise require Management Points to be configured to use HTTPS with a PKI server authentication certificate.

Enhanced HTTP also allows clients to download content from a Distribution Point without the need for a Network Access Account, PKI client authentication certificates or Windows authentication, because it establishes a new endpoint on the Distribution Point, CCMTOKENAUTH, that uses token-based access.

Refer to the Microsoft documentation for a full explanation of Enhanced HTTP and how to configure site systems to use it (see Enhanced HTTP).

Supported scenarios

Content Distribution supports downloading content from Distribution Points configured to use Enhanced HTTP, without the need for a Network Access Account, in the following scenarios. These scenarios assume the Management Point is configured to use HTTP (not HTTPS), as required for Enhanced HTTP.

Clients and site systems on the corporate network

| Scenario | Clients supported | Notes |
| --- | --- | --- |
| Configuration Manager Package, Application, Software Update and Task Sequence Deployments | Workgroup, AD Domain-joined, Azure AD-joined, Hybrid-joined | When content is deployed through Configuration Manager, Content Distribution needs to obtain the access token for the Enhanced HTTP DP endpoint from the Management Point, which it can do over HTTP. For Task Sequences, the access token is available in the _SMSTSDPAuthToken Task Sequence variable, so Content Distribution does not need to obtain it from the MP. |
| Content Distribution Pre-caching | Workgroup, AD Domain-joined, Azure AD-joined, Hybrid-joined | Pre-caching requires Content Distribution to access the Management Point to locate the content and obtain the DP access token, which it can do over HTTP. |

These scenarios are also supported if a client on the corporate network is given a Cloud DP as a content source.

Internet clients with CMG / Cloud DP

For the purpose of this discussion, Cloud DP refers to either a classic Cloud DP or a content-enabled CMG.

| Scenario | Clients supported | Notes |
| --- | --- | --- |
| Configuration Manager Package, Application, Software Update and Task Sequence Deployments | Workgroup, AD Domain-joined, Azure AD-joined, Hybrid-joined | When content is deployed through Configuration Manager, Content Distribution is able to obtain the access token for the Cloud DP from the Configuration Manager client (1). If there are multiple Cloud DPs, the client downloads content from the Cloud DP for which the Configuration Manager client queued the download job, using the Cloud DP access token provided by the Configuration Manager client. If that DP becomes unavailable, Content Distribution attempts to connect to the other Cloud DPs in the list and queries the CMG for a new Cloud DP access token. If Content Distribution is unable to authenticate with the CMG (1), it continues to retry the available DPs returned by the Configuration Manager client until it can connect to the original DP. |
| Content Distribution Pre-caching | Workgroup, AD Domain-joined, Hybrid-joined | Pre-caching requires Content Distribution to access the CMG to locate the content and obtain the Cloud DP access token (1). |

(1) If the Configuration Manager client is not using a PKI client authentication certificate to authenticate with the CMG, Content Distribution will not be able to request content location or obtain the Cloud DP access token from the CMG. Note that Configuration Manager requires Workgroup and AD Domain-joined clients to have a PKI client authentication certificate (see CMG server authentication certificate), so this only affects Azure AD-joined / Hybrid-joined devices that use Azure AD or token-based authentication with the CMG.