Project Description

SSLMode – A ConfigMgr SSL Mode Flag Converter Tool

This tool converts a number such as 224 to binary and then enumerates which of the bit flags used by the Task Sequence Environment are set. The tool takes a single input on the command line, typically the %_SMSTSIISSSLState% Task Sequence Environment variable.

So 224 turns into E0 in hex, which in binary is 11100000. That means the top three bits of that byte (128, 64 and 32) are set, get it? There are also “combined” flags like “hybrid mode”, whose value is made up of the values of multiple other flags.

The following flags can be set, in some random order from the SDK:

enum CcmHttpSslStates
{
    MixedMode = 0,
    Disabled = 0,
    Enabled = 1,
    Required = 2,
    ClientAuthEnabled = 4,
    ClientAuthRequired = 8,
    Use128BitEncryption = 16,
    NativeMode = 31,
    EnableClientCrlChecking = 32,
    AllowHttpFallback = 64,
    UseSslWhenEnabled = 128,
    HybridMode = 159,
    AllowPkiCertReRegistration = 256,
}

And this is their meaning; the flags are documented (ish) in the MP API:

  • Disabled – SSL is completely disabled
  • Enabled – Native mode is enabled
  • Required – Native mode is required (used only by MP)
  • ClientAuthEnabled – Client authentication is enabled (used only by MP)
  • ClientAuthRequired – Client authentication is required (used only by MP)
  • Use128BitEncryption – Use 128-bit encryption (used only by MP)
  • EnableClientCrlChecking – Enable client CRL checking
  • AllowHttpFallback – Allow HTTP fallback
  • UseSslWhenEnabled – Use SSL when enabled
  • AllowPkiCertReRegistration – Client will re-register with PKI cert when it’s available
  • MixedMode – Client is in mixed mode
  • NativeMode – Client is in native mode
  • HybridMode – Client is in native mode with SSL optional

Kudos to Adam for helping me out by pointing to the right place in the SDK!
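
The decoding described above, written out in Python. This is an added example, not the SSLMode tool's own source: the function name decode_ssl_state and the rule that a combined name applies only when all of its bits are set are assumptions, while the flag values are the ones from the enum listed on this page. It also reports bits the enum does not name, so an unexpected state value is visible rather than silently ignored.

```python
# Added example. Flag values are copied from the CcmHttpSslStates enum on this page.
SINGLE_FLAGS = {
    1: "Enabled", 2: "Required", 4: "ClientAuthEnabled",
    8: "ClientAuthRequired", 16: "Use128BitEncryption",
    32: "EnableClientCrlChecking", 64: "AllowHttpFallback",
    128: "UseSslWhenEnabled", 256: "AllowPkiCertReRegistration",
}
# Combined values from the same enum; 31 = 1+2+4+8+16, 159 = 31+128.
COMBINED = {31: "NativeMode", 159: "HybridMode"}
KNOWN_BITS = sum(SINGLE_FLAGS)  # 511, every bit the enum names


def decode_ssl_state(raw):
    """Decode an SSL state given as int, decimal text or 0x-prefixed hex."""
    if isinstance(raw, int):
        value = raw
    else:
        text = str(raw).strip()
        value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if value < 0:
        raise ValueError("SSL state must be non-negative")
    flags = [name for bit, name in sorted(SINGLE_FLAGS.items()) if value & bit]
    # Assumption: a combined name applies only when every one of its bits is set.
    combined = [name for mask, name in sorted(COMBINED.items())
                if value & mask == mask]
    if value == 0:
        combined = ["Disabled", "MixedMode"]  # both names share the value 0
    return {
        "value": value,
        "hex": format(value, "X"),
        "binary": format(value, "08b"),
        "flags": flags,
        "combined": combined,
        "unknown_bits": value & ~KNOWN_BITS,  # bits the enum does not name
    }


if __name__ == "__main__":
    # Constructed sample inputs; 224 is the value used in the text above.
    for sample in ("224", "159", "0", "0x200"):
        result = decode_ssl_state(sample)
        print(sample, "->", result["binary"], result["flags"],
              result["combined"], hex(result["unknown_bits"]))
```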

Get SSLMode