CCMEXEC.COM – Enterprise Mobility

Enabling strong authentication in ConfigMgr Admin Console

Posted on March 6, 2020 by Jörgen Nilsson

This post started as a poll I did on Twitter asking how many have enabled Strong Authentication in Configuration Manager as a requirement to access the Configuration Manager Admin Console (SMS Provider). The result was interesting.

96,2 percent use Windows authentication… that is way too high a number. Configuration Manager basically owns all devices in your environment; if you manage servers using Configuration Manager, it owns them as well. Requiring only a username and password to access the system of all systems, the one that controls all the others, is way too weak!

Hopefully many of the respondents who use Windows Authentication use other measures, like Privileged Access Workstations, and control communication to the Configuration Manager SMS Providers using other options. The feature to require MFA (smart card or Windows Hello for Business) has been around since Configuration Manager 1702: https://support.microsoft.com/en-us/help/4042963/multi-factor-authentication-for-sms-provider-calls-configuration-manag

So how do we get started? Well, I for one like Windows Hello for Business, so I enabled it for my hybrid joined devices; here is a guide on Microsoft Docs: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust
To be able to enable and configure Strong Authentication, we need to have authenticated on the machine we run the Admin Console from using the method we want to configure. In my case I need to log on to the computer using Windows Hello for Business; otherwise we will get an error message like this when we try to enable strong authentication.

How do we enable it? Under Hierarchy Settings, on the Authentication tab, we have the option to enable either certificate-based authentication or require Windows Hello for Business.

In the dialog above we can also select which service accounts/user accounts are to be excluded from the requirement. Creating a break-glass admin account that is disabled in the domain could be a good idea; you never know what will happen.
Once we are done with the configuration and save it, we are asked whether we are really sure about this.

That is it! We are done! If I log on using username and password, we get this well-known error message, which is a general connect failure that we have seen many times before.

We can troubleshoot and see why the authentication failed in the SmsAdminUI.log file; it clearly states: Description = "current thread is not authenticated with the minimal allowed level"
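
To pick this rejection out of a console log quickly, here is an added example (not code from the original post). Only the Description text comes from the post; the entry header layout `[n, PID:n][timestamp]`, the function name `Find-AuthLevelFailure` and the sample lines are assumptions constructed for illustration.

```powershell
# Added example: find strong-authentication rejections in SmsAdminUI.log content.
# Assumption: each log entry starts with a header like "[1, PID:4120][03/06/2020 09:14:02]".
function Find-AuthLevelFailure {
    param(
        # Log content, one string per line (empty lines are allowed).
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Line
    )
    $needle  = 'current thread is not authenticated with the minimal allowed level'
    $header  = '^\[\d+,\s*PID:(?<procid>\d+)\]\[(?<ts>[^\]]+)\]'
    $current = $null
    foreach ($l in $Line) {
        if ($l -match $header) {
            # Remember the latest entry header so a following Description line
            # can be attributed to that entry.
            $current = [pscustomobject]@{
                Timestamp = $Matches['ts']
                ProcessId = [int]$Matches['procid']
            }
        }
        if ($l -like "*$needle*") {
            [pscustomobject]@{
                Timestamp = if ($current) { $current.Timestamp } else { $null }
                ProcessId = if ($current) { $current.ProcessId } else { $null }
                Text      = $l.Trim()
            }
        }
    }
}

# Constructed sample lines (not real log output).
$sample = @(
    '[1, PID:4120][03/06/2020 09:14:02] :System.Management.ManagementException'
    'instance of __ExtendedStatus'
    '{'
    '    Description = "current thread is not authenticated with the minimal allowed level";'
    '};'
    ''
    '[1, PID:4120][03/06/2020 09:20:41] :Console connected'
)
Find-AuthLevelFailure -Line $sample | Format-Table -AutoSize

# Against a real console log (supply the path to your own SmsAdminUI.log):
# Find-AuthLevelFailure -Line (Get-Content -Path $PathToSmsAdminUILog)
```

On the sample this returns a single object for the 09:14:02 entry; the later "Console connected" entry is not reported.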

Call to action! Secure your Configuration Manager environment and sleep tight at night!


My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.
