Enhanced HTTP and anonymous client access - Precheck warning MECM

appuser10 21 Reputation points
2022-09-07T01:44:18.073+00:00

Just looking at prereqs for EHTTP:

A distribution point configured for HTTP client connections. Set this option on the Communication tab of the distribution point role properties. Don't enable the option to Allow clients to connect anonymously.

Question: We have “allow clients to connect anonymously” checked to help with communications with non domain devices. Does the site token issued to each client with EHTTP remove the need for any possible anonymous connection setting on the DP for workgroup joined devices? I am just trying to understand how our scenario may be helped with EHTTP and disabling the anonymous checkbox.

Thank you

Microsoft Configuration Manager

Accepted answer
  1. Simon Ren-MSFT 29,716 Reputation points Microsoft Vendor
    2022-09-07T08:59:13.87+00:00

    Hi,

    ==>Does the site token issued to each client with EHTTP remove the need for any possible anonymous connection setting on the DP for workgroup joined devices?

    Per my experience, yes. The reason why we use Enhanced HTTP here is to force authenticated secure communication. So there should not be any anonymous connection for the DP and we don't enable the option to "Allow clients to connect anonymously".

    From a client perspective, the management point issues each client a token. Then the client uses this token to secure communication with the site systems.

    Hope it helps. Have a nice day!

    Best regards,
    Simon



    1 person found this answer helpful.

1 additional answer

  1. Jason Sandys 31,146 Reputation points Microsoft Employee
    2022-09-07T15:39:50.493+00:00

    > We have “allow clients to connect anonymously” checked to help with communications with non domain devices.

    This has never been required or recommended and is independent of your enhanced HTTP enablement status. Anonymous connections were added to support the original, now deprecated, MDM functionality included in ConfigMgr 2012. Windows management has never required this regardless of domain status, as ConfigMgr agent-managed clients have always connected using an identity certificate.