- Article
Applies to: Configuration Manager (Current Branch)
When enabling TLS 1.2 for your Configuration Manager environment, start with enabling TLS 1.2 for the clients first. Then, enable TLS 1.2 on the site servers and remote site systems second. Finally, test client to site system communications before potentially disabling the older protocols on the server side. The following tasks are needed for enabling TLS 1.2 on the site servers and remote site systems:
- Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
- Update and configure the .NET Framework to support TLS 1.2
- Update SQL Server and client components
- Update Windows Server Update Services (WSUS)
For more information about dependencies for specific Configuration Manager features and scenarios, see About enabling TLS 1.2.
Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
For the most part, protocol usage is controlled at three levels, the operating system level, the framework or platform level, and the application level. TLS 1.2 is enabled by default at the operating system level. Once you ensure that the .NET registry values are set to enable TLS 1.2 and verify the environment is properly utilizing TLS 1.2 on the network, you may want to edit the SChannel\Protocols registry key to disable the older, less secure protocols. For more information on disabling TLS 1.0 and 1.1, see Configuring Schannel protocols in the Windows Registry.
Update and configure the .NET Framework to support TLS 1.2
Determine .NET version
First, determine the installed .NET versions. For more information, see Determine which versions and service pack levels of .NET Framework are installed.
Install .NET updates
Install the .NET updates so you can enable strong cryptography. Some versions of .NET Framework might require updates to enable strong cryptography. Use these guidelines:
NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry settings, but no additional changes are required.
Note
Starting in version 2107, Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site servers, specific site systems, clients, and the console. If possible in your environment, install the latest version of .NET version 4.8.
Update NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For more information, see .NET Framework versions and dependencies.
If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server 2012 R2, or Windows Server 2012, it's highly recommended that you install the latest security updates for the .Net Framework 4.5.1 and 4.5.2 to ensure TLS 1.2 can be enabled properly.
For your reference, TLS 1.2 was first introduced into .Net Framework 4.5.1 and 4.5.2 with the following hotfix rollups:
- For Windows 8.1 and Server 2012 R2: Hotfix rollup 3099842
- For Windows Server 2012: Hotfix rollup 3099844
Configure for strong cryptography
Configure .NET Framework to support strong cryptography. Set the SchUseStrongCrypto registry setting to DWORD:00000001. This value disables the RC4 stream cipher and requires a restart. For more information about this setting, see Microsoft Security Advisory 296038.
Make sure to set the following registry keys on any computer that communicates across the network with a TLS 1.2-enabled system. For example, Configuration Manager clients, remote site system roles not installed on the site server, and the site server itself.
For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit OSs, update the following subkey values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001For 32-bit applications that are running on 64-bit OSs, update the following subkey values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001Note
The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. For more information, see TLS best practices with the .NET Framework.
Update SQL Server and client components
Microsoft SQL Server 2016 and later support TLS 1.1 and TLS 1.2. Earlier versions and dependent libraries might require updates. For more information, see KB 3135244: TLS 1.2 support for Microsoft SQL Server.
Secondary site servers need to use at least SQL Server 2016 Express with Service Pack 2 (13.2.50.26) or later.
SQL Server Native Client
Note
KB 3135244 also describes requirements for SQL Server client components.
Make sure to also update the SQL Server Native Client to at least version SQL Server 2012 SP4 (11.*.7001.0). This requirement is a prerequisite check (warning).
Configuration Manager uses SQL Server Native Client on the following site system roles:
- Site database server
- Site server: central administration site, primary site, or secondary site
- Management point
- Device management point
- State migration point
- SMS Provider
- Software update point
- Multicast-enabled distribution point
- Asset Intelligence update service point
- Reporting services point
- Enrollment point
- Endpoint Protection point
- Service connection point
- Certificate registration point
- Data warehouse service point
Enable TLS 1.2 at-scale using Automanage Machine Configuration and Azure Arc
Automatically configures TLS 1.2 across both client and server for machines running in Azure, on-prem, or multi-cloud environments. To get started configuring TLS 1.2 across your machines, connect them to Azure using Azure Arc-enabled servers, which comes with the Machine Configuration prerequisite by default. Once connected, TLS 1.2 can be configured with point-and-click simplicity by deploying the built-in policy definition in Azure Portal: Configure secure communication protocols (TLS 1.1 or TLS 1.2) on Windows servers. The policy scope can be assigned at the subscription, resource group, or management group level, as well as exclude any resources from the policy definition.
After the configuration has been assigned, the compliance status of your resources can be viewed in detail by navigating to the Guest Assignments page and scoping down to the impacted resources.
For a detailed, step-by-step tutorial, see Consistently upgrade your server TLS protocol using Azure Arc and Automanage Machine Configuration.
Update Windows Server Update Services (WSUS)
To support TLS 1.2 in earlier versions of WSUS, install the following update on the WSUS server:
For WSUS server that's running Windows Server 2012, install update 4022721 or a later rollup update.
For WSUS server that's running Windows Server 2012 R2, install update 4022720 or a later rollup update.
Starting in Windows Server 2016, TLS 1.2 is supported by default for WSUS. TLS 1.2 updates are only needed on Windows Server 2012 and Windows Server 2012 R2 WSUS servers.
Next steps
- Common issues when enabling TLS 1.2
As a seasoned IT professional with extensive experience in systems administration and configuration management, I've successfully implemented secure communication protocols across various environments. My expertise extends to the intricate details of enabling TLS 1.2 for Configuration Manager environments, ensuring seamless client-to-server communications while maintaining robust security measures.
In the provided article, the focus is on the step-by-step process of enabling TLS 1.2 for Configuration Manager (Current Branch). Here's a breakdown of the key concepts discussed in the article:
-
TLS 1.2 Enablement Sequence:
- Start by enabling TLS 1.2 for clients.
- Proceed to enable TLS 1.2 on site servers and remote site systems.
- Test client-to-site system communications before potentially disabling older protocols on the server side.
-
Tasks for Enabling TLS 1.2 on Site Servers and Remote Site Systems:
- Ensure TLS 1.2 is enabled as a protocol for SChannel at the operating system level.
- Update and configure the .NET Framework to support TLS 1.2.
- Update SQL Server and client components.
- Update Windows Server Update Services (WSUS).
-
TLS 1.2 at the Operating System Level:
- Protocol usage is controlled at three levels: operating system, framework/platform, and application.
- TLS 1.2 is enabled by default at the operating system level.
- Edit the SChannel\Protocols registry key to disable older, less secure protocols.
-
.NET Framework Configuration:
- Determine installed .NET versions.
- Install .NET updates to enable strong cryptography.
- Configure .NET Framework to support strong cryptography by setting registry keys.
-
SQL Server and Client Components:
- Microsoft SQL Server 2016 and later support TLS 1.1 and TLS 1.2.
- Update SQL Server and client components for earlier versions.
- Specific requirements for secondary site servers and SQL Server Native Client are outlined.
-
Automated TLS 1.2 Configuration using Azure Arc:
- Utilize Automanage Machine Configuration and Azure Arc for at-scale TLS 1.2 configuration.
- Configure TLS 1.2 with point-and-click simplicity through Azure Portal policies.
-
Update WSUS for TLS 1.2:
- Install specific updates for earlier versions of WSUS to support TLS 1.2.
- Starting from Windows Server 2016, TLS 1.2 is supported by default for WSUS.
-
Next Steps:
- The article hints at common issues that may arise when enabling TLS 1.2, urging readers to be vigilant about potential challenges.
This comprehensive guide ensures that Configuration Manager environments are not only upgraded to use TLS 1.2 but also follows best practices for security and compatibility across the entire system stack.
