WSE Health Reports, Office 365, and TLS 1.2

Andrew Solmssen 96 Reputation points
2020-10-08T10:15:32.807+00:00

Hi all - this is pretty much what it says on the tin. Office 365 is deprecating TLS 1.0 (and 1.1 I think) for security reasons, and I'd like to fix my Windows Server Essentials machines that are using TLS 1.0 to send health reports to me. The machines use K1 kiosk accounts at Office 365 to send mail via SMTP to me. What's the plan of action here? There's a lot of info about disabling TLS 1.0 machine wide, and that doing that can break WSE-to-client comms. I'm loath to do something that would break my server just to get health reports mailed, but it looks like the deadline for TLS 1.2 support is October 15 and that is hard upon us. @Susan Bradley have you solved this? Thanks to all for any comments or info!

Windows Server

3 answers

  1. The Office Maven 111 Reputation points
    2020-10-08T14:52:39.32+00:00

    TLS 1.2 can indeed be enabled (with TLS 1.0/1.1 disabled) on a Windows Server Essentials server without breaking server-to-client communications so long as it's done properly. I have a "how to" article about doing just that posted over on my website here:

    Enabling TLS 1.2 On Windows Server Essentials

    While the article is geared towards folks who are using my WSE RemoteApp add-in (for which I automate much of the process for them), there's a Q&A section listed at the bottom of the article that mentions how folks can perform the process manually if they're not using my add-in.

    EDIT: BTW, doing this is (obviously) NOT supported by Microsoft, and so I'll add the disclaimer "do so at your own risk". Windows Server Essentials is pretty much dead to Microsoft now, and so I seriously doubt that you'll ever see an official solution from them for enabling TLS 1.2 (or TLS 1.3) on a Windows Server 2016/2012 R2/2012 Essentials server (even though they're all still supported by Microsoft).

    1 person found this answer helpful.

  2. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,681 Reputation points Microsoft Vendor
    2020-10-09T06:00:37.43+00:00

    Hi,

    May I know your Windows Server version?

    Is it possible to use another email account (which supports TLS 1.0) instead of Office 365 to send the health report?

    Thanks,
    Eleven


  3. The Office Maven 111 Reputation points
    2020-10-10T21:43:46.743+00:00

    I've never looked into the SMTP/TLS issues that you've mentioned and so I can't really speak directly to any of that. However, I can 100% tell you that when TLS 1.2 is enabled on the server (and TLS 1.0 and TLS 1.1 are disabled) as per my article, the health report emailing functionality in Essentials still works just fine (with SSL/TLS over port 587). And since TLS 1.0 is disabled on the servers, there's absolutely no way that it's being used for the SMTP connections (i.e. TLS 1.2 has to be used there since it's the only protocol that is currently enabled on the servers). This is exactly how all of my own Essentials servers are configured, and they all email the health reports daily without issue.

    Additionally, I see no adverse effects of enabling TLS 1.2 (while disabling TLS 1.0/1.1) other than the minor ones that are mentioned within the article (which are very easy to work around). Everything is working just fine here (and so the reward is most definitely worth the risk IMHO).
