How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager (2024)


Applies to: Configuration Manager (Current Branch)

When enabling TLS 1.2 for your Configuration Manager environment, start by ensuring the clients are capable and properly configured to use TLS 1.2 before enabling TLS 1.2 and disabling the older protocols on the site servers and remote site systems. There are three tasks for enabling TLS 1.2 on clients:

  • Update Windows and WinHTTP
  • Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
  • Update and configure the .NET Framework to support TLS 1.2

For more information about dependencies for specific Configuration Manager features and scenarios, see About enabling TLS 1.2.

Update Windows and WinHTTP

Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016, and later versions of Windows natively support TLS 1.2 for client-server communications over WinHTTP.

Earlier versions of Windows, such as Windows 7 or Windows Server 2012, don't enable TLS 1.1 or TLS 1.2 by default for secure communications using WinHTTP. For these earlier versions of Windows, install Update 3140245, which adds support for the DefaultSecureProtocols registry value described below; that value adds TLS 1.1 and TLS 1.2 to the default secure protocols list for WinHTTP. With the update installed, create the following registry values:

Important

Enable these settings on all clients running earlier versions of Windows before enabling TLS 1.2 and disabling the older protocols on the Configuration Manager servers. Otherwise, you can inadvertently orphan them.

Verify the value of the DefaultSecureProtocols registry setting in both the native and the Wow6432Node hive, for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
    DefaultSecureProtocols = (DWORD): 0xAA0

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
    DefaultSecureProtocols = (DWORD): 0xAA0

If you change this value, restart the computer.

The example above shows the value of 0xAA0 for the WinHTTP DefaultSecureProtocols setting. The value is a bitmask; Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows lists the hexadecimal value for each protocol (SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800). By default in Windows, this value is 0x0A0, which enables SSL 3.0 and TLS 1.0 for WinHTTP. The example above keeps these defaults and also enables TLS 1.1 and TLS 1.2 for WinHTTP, so the change doesn't break any other application that might still rely on SSL 3.0 or TLS 1.0. Use the value 0xA00 to enable only TLS 1.1 and TLS 1.2. Configuration Manager uses the most secure protocol that Windows negotiates between the two devices.

If you want to completely disable SSL 3.0 and TLS 1.0, use the SChannel disabled protocols setting in Windows. For more information, see Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
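The following PowerShell is an added example, not part of the Microsoft article: it reads DefaultSecureProtocols from both hives, decodes the bitmask into protocol names using the bit values from Update 3140245, and offers a Set function that writes 0xA00 (TLS 1.1 and 1.2 only) or 0xAA0 (keep SSL 3.0/TLS 1.0 for legacy applications). Reading works as a standard user; writing requires an elevated prompt, and the Wow6432Node key is only touched on 64-bit Windows.

```powershell
# Added example (not from the Microsoft article). Decodes and sets the WinHTTP
# DefaultSecureProtocols bitmask. Bit values are those documented in Update 3140245.

$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

# Native hive always; Wow6432Node only exists on a 64-bit OS.
$WinHttpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if ([Environment]::Is64BitOperatingSystem) {
    $WinHttpKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}

function ConvertFrom-DefaultSecureProtocols {
    # Turn a bitmask such as 0xAA0 into the list of protocols it enables.
    param([int]$Value)
    foreach ($name in $ProtocolBits.Keys) {
        if ($Value -band $ProtocolBits[$name]) { $name }
    }
}

function Get-WinHttpProtocols {
    foreach ($key in $WinHttpKeys) {
        $item = Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: WinHTTP uses its built-in default (0x0A0 = SSL 3.0 + TLS 1.0
            # on the OS versions that need Update 3140245).
            [pscustomobject]@{ Key = $key; Value = 'not set'; Protocols = 'OS default (0x0A0: SSL 3.0, TLS 1.0)' }
        } else {
            $v = [int]$item.DefaultSecureProtocols
            [pscustomobject]@{
                Key       = $key
                Value     = ('0x{0:X3}' -f $v)
                Protocols = (ConvertFrom-DefaultSecureProtocols $v) -join ', '
            }
        }
    }
}

function Set-WinHttpProtocols {
    # 0xA00 = TLS 1.1 + TLS 1.2 only. Pass 0xAA0 to keep SSL 3.0/TLS 1.0 for legacy apps.
    param([int]$Value = 0xA00)
    foreach ($key in $WinHttpKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name DefaultSecureProtocols -Value $Value -Type DWord
    }
    Write-Warning 'DefaultSecureProtocols changed; restart the computer for WinHTTP to pick it up.'
}

Get-WinHttpProtocols | Format-Table -AutoSize
# Set-WinHttpProtocols -Value 0xA00   # uncomment (elevated) on clients that should stop offering SSL 3.0/TLS 1.0
```

Run the audit on a sample of older clients before the site servers stop accepting TLS 1.0; any client that reports "OS default" or a value without the TLS 1.2 bit is one that will be orphaned by the server-side change.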

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level

For the most part, protocol usage is controlled at three levels: the operating system, the framework or platform, and the application. TLS 1.2 is enabled by default at the operating system level on the supported Windows versions listed above. Once you ensure that the .NET registry values are set to enable TLS 1.2 and verify that the environment is actually negotiating TLS 1.2 on the network, you may want to edit the SChannel\Protocols registry key to disable the older, less secure protocols. For more information on disabling TLS 1.0 and 1.1, see Configuring Schannel protocols in the Windows Registry.
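The PowerShell below is an added example, not part of the Microsoft article: it reports the effective SChannel state of each protocol for the Client and Server roles by reading the Enabled and DisabledByDefault values under SCHANNEL\Protocols, treating an absent key or value as "OS default" rather than as disabled. It is read-only and is meant to be run on a client before the site servers stop offering TLS 1.0 and 1.1; the function names are this example's own.

```powershell
# Added example (not from the Microsoft article). Reports SChannel protocol state
# per role. Absent keys mean Windows uses its built-in default for that protocol.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    foreach ($proto in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $key  = Join-Path $SchannelRoot "$proto\$role"
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

            # $null = value not present; otherwise a boolean derived from the DWORD.
            $enabled = $null
            $dbd     = $null
            if ($null -ne $item -and $null -ne $item.Enabled)           { $enabled = ([int]$item.Enabled -ne 0) }
            if ($null -ne $item -and $null -ne $item.DisabledByDefault) { $dbd     = ([int]$item.DisabledByDefault -ne 0) }

            # Enabled=0 wins over everything; DisabledByDefault=1 means the protocol is
            # available but not offered unless an application asks for it explicitly.
            $state = if ($enabled -is [bool] -and -not $enabled) { 'disabled' }
                     elseif ($dbd -is [bool] -and $dbd)          { 'enabled, not offered by default' }
                     elseif ($null -eq $enabled -and $null -eq $dbd) { 'OS default' }
                     else                                         { 'enabled' }

            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
}

function Test-Tls12ClientReady {
    # The precondition this article cares about: TLS 1.2 must not be explicitly disabled
    # for the Client role, or the client drops off once the servers require TLS 1.2.
    $row = Get-SchannelProtocolState | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Role -eq 'Client' }
    return ($row.State -in 'enabled', 'OS default')
}

Get-SchannelProtocolState | Format-Table -AutoSize
"TLS 1.2 client ready: $(Test-Tls12ClientReady)"
```

"OS default" for TLS 1.2 is acceptable on Windows 8.1/Server 2012 R2 and later, where it is on by default; on older systems, confirm the OS-level support separately before relying on that result.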

Update and configure the .NET Framework to support TLS 1.2

Determine .NET version

First, determine the installed .NET versions. For more information, see Determine which versions and service pack levels of .NET Framework are installed.

Install .NET updates

Some versions of .NET Framework require updates before strong cryptography can be enabled. Install them first, using these guidelines:

  • .NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry settings, but no additional updates are required.

    Note

    Starting in version 2107, Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site servers, specific site systems, clients, and the console. If possible in your environment, install the latest version of .NET version 4.8.

  • Update .NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For more information, see .NET Framework versions and dependencies.

  • If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server 2012 R2, or Windows Server 2012, it's highly recommended that you install the latest security updates for .NET Framework 4.5.1 and 4.5.2 to ensure TLS 1.2 can be enabled properly.

    For your reference, TLS 1.2 was first introduced into .NET Framework 4.5.1 and 4.5.2 with the following hotfix rollups:

    • For Windows 8.1 and Server 2012 R2: Hotfix rollup 3099842
    • For Windows Server 2012: Hotfix rollup 3099844

Configure for strong cryptography

Configure .NET Framework to support strong cryptography. Set the SchUseStrongCrypto registry setting to DWORD:00000001. This value removes the RC4 stream cipher from the cipher suites .NET offers and requires a restart. For more information about this setting, see Microsoft Security Advisory 2960358.

Make sure to set the following registry keys on any computer that communicates across the network with a TLS 1.2-enabled system. For example, Configuration Manager clients, remote site system roles not installed on the site server, and the site server itself.

For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

Note

The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2 and drops RC4 from the offered cipher suites. The SystemDefaultTlsVersions setting makes .NET defer to the operating system's SChannel configuration instead of its own hard-coded protocol list, so a later SChannel change (such as disabling TLS 1.0) applies to .NET applications without further registry edits. For more information, see TLS best practices with the .NET Framework.
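The PowerShell below is an added example, not part of the Microsoft article, and covers both the "Determine .NET version" step and the strong-cryptography registry keys above: it reads the Release value of .NET Framework 4.x from the NDP key, maps it to a version using the minimum Release thresholds from Microsoft's "How to determine which .NET Framework versions are installed" table, checks the 4.6.2 floor that Configuration Manager 2107 and later requires, and then audits (and optionally sets) SystemDefaultTlsVersions and SchUseStrongCrypto in the v2.0.50727 and v4.0.30319 keys of both hives. The function names are this example's own; setting values needs an elevated prompt.

```powershell
# Added example (not from the Microsoft article). Detects the .NET Framework 4.x
# version, checks the 4.6.2 floor, and audits/sets the strong-crypto registry values.

$Floor = 394802   # minimum Release value for .NET Framework 4.6.2

# Minimum Release value per version (Microsoft's published table). The highest
# threshold that is <= the installed Release value identifies the version.
$ReleaseTable = [ordered]@{
    378389 = '4.5';   378675 = '4.5.1'; 379893 = '4.5.2'
    393295 = '4.6';   394254 = '4.6.1'; 394802 = '4.6.2'
    460798 = '4.7';   461308 = '4.7.1'; 461808 = '4.7.2'
    528040 = '4.8';   533320 = '4.8.1'
}

function Get-NetFrameworkRelease {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
}

function ConvertTo-NetFrameworkVersion {
    param([int]$Release)
    $match = 'older than 4.5'
    foreach ($threshold in $ReleaseTable.Keys) {
        if ($Release -ge $threshold) { $match = $ReleaseTable[$threshold] }
    }
    return $match
}

# Native hive always; Wow6432Node (32-bit apps on 64-bit OS) only on a 64-bit OS.
$NetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
if ([Environment]::Is64BitOperatingSystem) {
    $NetKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}
$Wanted = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

function Get-NetStrongCryptoState {
    foreach ($key in $NetKeys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $Wanted) {
            $v = if ($null -ne $item) { $item.$name } else { $null }   # $null = value absent
            [pscustomobject]@{ Key = $key; Name = $name; Value = $v; Compliant = ([int]$v -eq 1) }
        }
    }
}

function Set-NetStrongCrypto {
    foreach ($key in $NetKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Wanted) {
            Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        }
    }
    Write-Warning 'Restart required: .NET processes read these values at start-up.'
}

$release = Get-NetFrameworkRelease
if ($null -eq $release) {
    'No .NET Framework 4.x installation found (NDP\v4\Full\Release is absent).'
} else {
    $version = ConvertTo-NetFrameworkVersion $release
    "Installed .NET Framework $version (Release $release); meets 4.6.2 floor: $($release -ge $Floor)"
}
Get-NetStrongCryptoState | Format-Table -AutoSize
# Set-NetStrongCrypto   # uncomment (elevated) to remediate non-compliant values
```

Because the Release value only increases with in-place upgrades, a threshold comparison is the reliable test; matching exact values breaks whenever a new Windows build ships with a slightly different Release number for the same .NET version.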

Next steps

  • Enable TLS 1.2 on the site servers and remote site systems
  • Common issues when enabling TLS 1.2

