Migrate Clients to a ConfigMgr HTTPS Site

Chiyo OdikaConfigMgr, SCCMLeave a Comment

Happy Holidays friends! I’ve been rather busy with several riveting initiatives of recent, and thought I’d share one of them. In this case, some ideas on migrating clients to a ConfigMgr destination hierarchy that is configured for HTTPS which means that all client to server communication happens over HTTPS.

This article will expressly cover ideas on said migration. This article will not cover the steps for configuring HTTPs communication in ConfigMgr. Refer to the links below for some guidance on HTTPS configuration for ConfigMgr.



I strongly recommend that you acquaint yourself with the concepts and material covered in both articles and elesewhere steps before continuing with this article. Additionally, I recommend reading the fairly detailed conceptual guidelines on ConfigMgr migration from Microsoft.  Unless otherwise noted, all steps below are required.

Before Migration Perform the following tasks:

  1. The first step is to ensure that you already have a ConfigMgr site configured for HTTPS based on links above. That’s where you must start.
  2. Ensure that clients have auto-enrolled and installed client certificates which authenticate the client to site system servers that run IIS and that are set up to use HTTPS.
  3. [OPTIONAL] Communicate migration plan and schedules with relevant team(s) and stakeholders.
  4. Use the Create Migration Job wizard to migrate ALL content that will be required by clients once migrated over to the destination hierarchy.
  5. Share distribution points. This will enable migrated clients to be able to access content without the need to re-distribute content over the network to new DPs. ALTERNATIVELY, you can create distribution points in the destination hierarchy and distribute to them any content that will be required by clients.


  6. Install HTTPS server and client authentication certificate on shared distribution point or newly created distribution point(s) for the target site. Ensure that the server authentication certificate is created from the Web Server Microsoft certificate template according to recommended guidelines, and that the client authentication certificate is created from the Workstation Authentication template according to recommended guidelines in links above. Both certificates should be installed in the Personal certificate store on the shared distribution point.
  7. Configure SSL binding of server authentication certificate for HTTPs in IIS if IIS is required on the site system.


  8. Ensure that your client push account has the requisite permissions to install clients on systems. This step need only be performed once using a GPO or other means.
  9. Define preferred site systems in the Boundary group(s) for target site(s). (The local distribution point, and any other required site system roles can be configured as reference site systems in the boundary group for the target site.
  10. In the target site boundary group, where necessary, define any fallback boundary group for the target site. This will provide clients access to fallback site systems (DP, SUP, etc.) where necessary.
  11. Validate that all relevant boundaries for pilot sites and any other pilot sites are migrated.
  12. [OPTIONAL] Confirm that collections for target site(s) have been migrated over OR create a collection(s) of clients for the pilot or targeted migration site(s). Having collections of clients makes it easy to manage a logical grouping of clients, rather than individual clients.
  13. Validate that target boundaries, and boundary groups have been migrated over, and are properly configured.
  14. Confirm that the target AD site boundary does not have a duplicate boundary. Delete the extraneous boundary if one exists.
  15. Use the Reassign distribution point wizard to configure the client certificate for the local DP site system role in ConfigMgr. Note that this step will remove the DP from source hierarchy and make the selected computer and its DP a site system server of the site that you select in the destination hierarchy. This will also initiate the distribution of the ConfigMgr client package to the newly re-assigned distribution point. 



  16. [OPTIONAL] Pre-stage ConfigMgr client packages where necessary. This will significantly reduce the wait times for client package distribution to the local DP, and shorten the overall migration time. 


    At Scheduled Migration time:


  17. Communicate scheduled migration commencement with relevant teams where necessary.
  18. Migrate target site(s)
    1. [OPTIONAL] Query AD for target site ConfigMgr Site Assignment tag, using either OR both queries below:

      Boundary with Subnet:


      Boundary Overlap Check:



    2. In old ConfigMgr Site (Source site).
      1. Remove selection in Boundary group for Site Assignment. Deselect the option to Use this boundary group for site assignment


      2. Remove local DP as a resource from Boundary Group (if not already done by migration wizard)
      3. Remove Boundary from Boundary Group (if not already done by migration wizard)
    3. [OPTIONAL] Query AD and confirm ConfigMgr Site Assignment tag, is no longer present
    4. In new ConfigMgr site – (Destination site)
      1. Validate Boundary (migrated or created)
      2. Validate Boundary Group (migrated or created).
        1. Add Boundary to boundary group if not in group.
        2. Enable boundary group for Site assignment. Select the option to Use this boundary group for site assignment.


        3. Add local site server as a resource.
        4. If you have any fallback boundary group configurations, confirm that fallback boundary group(s) is added as a fallback boundary group to the boundary group for your target site(s). Modify fallback times where necessary.


    5. [OPTIONAL] Query AD for target site ConfigMgr Site Assignment tag, and confirm that it now shows destination site code.
  19. Confirm that ConfigMgr client package has been distributed to the local distribution point.


  20. After confirming client package distribution to the local distribution point is complete, manually deploy clients to target site collection from console. You can also wait for clients to check in and automatically register with destination site.
  21. [OPTIONAL] Deploy a client to the newly re-assigned local distribution point. If the local distribution point is configured as a Pull distribution point, this will be required for the Pull DP to get content from a HTTPS source distribution point in the ConfigMgr hierarchy. This step is not required if the pull DP will get content from a HTTP source DP. See below. 

    After Clients are migrated:


  22. [OPTIONAL] After a client is installed on the newly reassigned local distribution point, you can configure the local distribution point as a Pull distribution point and it will now be able to get content from a HTTPS source DP. To do this, in the ConfigMgr console, navigate to Administration and click Distribution Points. Select the local distribution Point from the list of distribution points and open the properties of the DP. In the Properties menu, select the Pull Distribution Point tab and check the box to Enable this distribution point to pull content from other distribution points and proceed to add available source distribution points.


  23. Perform UAT checks and validate. 

    After ALL sites have been migrated:


  24. Stop data gathering
  25. Clean up migration data.
The following two tabs change content below.
Strategist. Technologist. Skeptic. Friend.
Chiyo OdikaMigrate Clients to a ConfigMgr HTTPS Site