Use this post when the SCOM WebConsole gets flagged for HTTP Redirect.  The IIS configuration is pretty easy to set up.  When your Security team contacts you to resolve VulnID 121040, the steps below should resolve the compliance finding.  Use the Microsoft learn site for more details.

Add HTTP Redirect role from Server Manager

Time to Configure ‘SCOM WebConsole HTTP Redirect’

RDP to server, open Server Manager

Click on Manage on top right

Click Next on the ‘before you begin popup’

Click Next

Click Next

Expand the ‘Web Server’ drop down menu

Expand Web Server drop down menu

Expand Common HTTP Features

Check box for HTTP Redirection

Click Next

Click Next at the Features tab

Click Install to install the feature

NOTE the checkbox to ‘Restart if required is NOT selected’

Most change processes don’t allow this on the fly (unplanned outage)

Wait while the feature(s) install

Click Close once complete

Setup Redirection in IIS Manager

Open IISManager

NOTE If IISManager was open before the feature was closed, exit and open IISManager again.   IISManager refresh does NOT make HTTP Redirect reappear (even if restarting IIS service).

Click on your webServer > Double click on HTTP Redirect

Check the ‘Redirect requests to this destination:’ check box

Enter the WebConsole URL for your installation.

NOTE SCOM default WebConsole URL is http://<webserverName>/OperationsManager

Check the two (2) boxes for Redirect behaviors

IISManager HTTP Redirect configuration screen

Click Apply

Recommend restart/reboot of server (off hours) to apply configuration before having Security team scan server.

Verify HTTP Redirect after reboot

After reboot, verify current settings (shown are default)

Click on ‘Default WebSite’ dropdown > Select HTTP Redirect

Contact Security team to re-scan server

Happy mitigating!