Verify SSL Configurations of Site Roles via Compliance Settings in ConfigMgr 2012

This will be a short blog post about the locations in the registry where the SSL configurations are stored for the different site roles. This can be very useful in larger environments, with many sites, site systems and multiple administrators. These registry keys can be used as Configuration Items in a Configuration Baseline. This makes it easier to keep track of the SSL configuration of the environment.

Registry

Before providing the different locations, I think it’s good to note that most site roles simply use 0 or 1 as the value for an SSL configuration. The exceptions are the management point and the distribution point. These site roles can have different values based on the connection configuration (intranet and Internet, intranet-only, Internet-only) and the CRL checking configuration. For all roles, 0 stands for HTTP and everything greater than 0 stands for HTTPS.

Application Catalog web service point
Hive Name: HKEY_LOCAL_MACHINE
Key Name: SOFTWARE\Microsoft\SMS\AWEBSVC
Value Name: UseSSL
Compliance: UseSSL Equals 1 (UseSSL must exist)

Application Catalog website point
Hive Name: HKEY_LOCAL_MACHINE
Key Name: SOFTWARE\Microsoft\SMS\PORTALWEB
Value Name: UseSSL
Compliance: UseSSL Equals 1 (UseSSL must exist)

Distribution point
Hive Name: HKEY_LOCAL_MACHINE
Key Name: SOFTWARE\Microsoft\SMS\DP
Value Name: IISSSLState
Compliance: IISSSLState Greater than 0 (IISSSLState must exist)

Management point
Hive Name: HKEY_LOCAL_MACHINE
Key Name: SOFTWARE\Microsoft\SMS\MP
Value Name: SSLState
Compliance: SSLState Greater than 0 (SSLState must exist)

Software update point
Hive Name: HKEY_LOCAL_MACHINE
Key Name: SOFTWARE\Microsoft\Update Services\Server\Setup
Value Name: UsingSSL
Compliance: UsingSSL Equals 1 (UsingSSL must exist)
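
To spot-check a single site system before building the baseline, the five rules above can be evaluated locally with PowerShell. This is an added example, not part of the original post: the names $SslChecks and Get-SiteRoleSslState are hypothetical, it assumes PowerShell 3.0 or later, and it assumes that a missing registry key means the role is not installed on that server.

```powershell
# Added example (not from the original post). Run in a 64-bit PowerShell host so
# HKLM:\SOFTWARE is not redirected to Wow6432Node.
$SslChecks = @(
    @{ Role = 'Application Catalog web service point'; Key = 'SOFTWARE\Microsoft\SMS\AWEBSVC'
       Value = 'UseSSL';      Rule = 'Equals 1';       Test = { param($v) $v -eq 1 } }
    @{ Role = 'Application Catalog website point';     Key = 'SOFTWARE\Microsoft\SMS\PORTALWEB'
       Value = 'UseSSL';      Rule = 'Equals 1';       Test = { param($v) $v -eq 1 } }
    @{ Role = 'Distribution point';                    Key = 'SOFTWARE\Microsoft\SMS\DP'
       Value = 'IISSSLState'; Rule = 'Greater than 0'; Test = { param($v) $v -gt 0 } }
    @{ Role = 'Management point';                      Key = 'SOFTWARE\Microsoft\SMS\MP'
       Value = 'SSLState';    Rule = 'Greater than 0'; Test = { param($v) $v -gt 0 } }
    @{ Role = 'Software update point';                 Key = 'SOFTWARE\Microsoft\Update Services\Server\Setup'
       Value = 'UsingSSL';    Rule = 'Equals 1';       Test = { param($v) $v -eq 1 } }
)

function Get-SiteRoleSslState {
    param([hashtable[]]$Checks = $SslChecks)
    foreach ($c in $Checks) {
        $path = "HKLM:\$($c.Key)"
        $data = $null
        if (-not (Test-Path -LiteralPath $path)) {
            # Assumption: no key means the role is not installed on this server.
            $state = 'NotApplicable'
        } else {
            $item = Get-ItemProperty -LiteralPath $path -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                # Key present but value missing: fails the "must exist" condition.
                $state = 'NonCompliant (value missing)'
            } else {
                $data = $item.($c.Value)
                # 0 means HTTP; apply the per-role rule from the list above.
                if (& $c.Test $data) { $state = 'Compliant' } else { $state = 'NonCompliant' }
            }
        }
        [pscustomobject]@{
            Role = $c.Role; Value = $c.Value; Data = $data; Rule = $c.Rule; State = $state
        }
    }
}

# One row per role, with the raw registry data next to the verdict.
Get-SiteRoleSslState | Format-Table -AutoSize
```

The Data column shows the raw value, which matters for the management point and distribution point, where any value greater than 0 counts as HTTPS.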
