How to force MS Web Deploy to use TLS 1.2

Web Deploy (msdeploy) simplifies deployment of Web applications and Web sites to IIS servers. Administrators can use Web Deploy to synchronize IIS servers or to migrate to newer versions of IIS. Web Deploy Tool also enables administrators and delegated users to use IIS Manager to deploy ASP.NET and PHP applications to an IIS server.

By default, Web Deploy uses TLS 1.0 to synchronize. I’ve met some customers who want to set TLS 1.2 as the default protocol.

Web Deploy needs to be running on Windows Server 2008 R2/Windows 7 or later with .NET Framework 4.5.x or .NET Framework 4.6 installed, since TLS 1.2 (RFC 5246) was released to industry in Aug. 2008 and any earlier version of Windows and .NET Framework cannot support TLS 1.2 at runtime. To use TLS 1.2, you’ll first need to update the .NET Framework to meet this requirement.

ALSO, the changes below should be implemented only on the client (where msdeploy.exe is running) and not on the server (where the IIS web server is running).

  1. Create the TLS 1.2 client key if it does not already exist:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

  2. Create the keys that force the .NET client to use TLS 1.2:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    "SchUseStrongCrypto" = DWORD (32-bit): 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol
    "C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe" = String: "tls12"
    The value name must be the full path of msdeploy.exe as installed on your machine.

  3. Reboot the machine.
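The three steps above as a single script, added here as an example (it is not from the original post and not part of Web Deploy itself). It must run in an elevated PowerShell session on the client machine, and the `$MsDeployExe` path is an assumption that you should adjust to your own installation. The verification function reads the values back so you can confirm the configuration before rebooting.

```powershell
# Added example: apply and verify the client-side registry changes that make msdeploy.exe use TLS 1.2.
# Run elevated (registry writes under HKLM). The msdeploy.exe path below is an assumption; adjust it.
$MsDeployExe = 'C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe'

if (-not (Test-Path -LiteralPath $MsDeployExe)) {
    throw "msdeploy.exe not found at '$MsDeployExe'. Set `$MsDeployExe to the installed path first."
}

$Tls12ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$NetFxKey       = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$SecProtoKey    = Join-Path $NetFxKey 'System.Net.ServicePointManager.SecurityProtocol'

# Step 1: make sure the Schannel TLS 1.2 client key exists (the post only asks for the key itself).
if (-not (Test-Path -LiteralPath $Tls12ClientKey)) {
    New-Item -Path $Tls12ClientKey -Force | Out-Null
}

# Step 2a: SchUseStrongCrypto = 1 so .NET 4.x stops defaulting to SSL 3.0/TLS 1.0.
New-ItemProperty -LiteralPath $NetFxKey -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null

# Step 2b: per-application override. The value NAME is the full path of msdeploy.exe, the DATA is "tls12".
if (-not (Test-Path -LiteralPath $SecProtoKey)) {
    New-Item -Path $SecProtoKey -Force | Out-Null
}
New-ItemProperty -LiteralPath $SecProtoKey -Name $MsDeployExe -Value 'tls12' -PropertyType String -Force | Out-Null

# Read everything back; returns $true only when all three settings are in place.
function Test-MsDeployTls12Config {
    param(
        [string]$ExePath       = $MsDeployExe,
        [string]$Tls12Key      = $Tls12ClientKey,
        [string]$FrameworkKey  = $NetFxKey,
        [string]$ProtocolKey   = $SecProtoKey
    )

    $ok = $true

    if (-not (Test-Path -LiteralPath $Tls12Key)) {
        Write-Warning "Missing key: $Tls12Key"; $ok = $false
    }

    $strong = (Get-ItemProperty -LiteralPath $FrameworkKey -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($strong -ne 1) {
        Write-Warning "SchUseStrongCrypto is '$strong', expected 1"; $ok = $false
    }

    $proto = (Get-ItemProperty -LiteralPath $ProtocolKey -ErrorAction SilentlyContinue).$ExePath
    if ($proto -ne 'tls12') {
        Write-Warning "SecurityProtocol override for '$ExePath' is '$proto', expected 'tls12'"; $ok = $false
    }

    return $ok
}

if (Test-MsDeployTls12Config) {
    Write-Host 'All TLS 1.2 settings for msdeploy.exe are in place. Reboot the machine (step 3) to apply them.'
} else {
    Write-Host 'One or more settings are missing; review the warnings above.'
}
```

Two things to check in your own environment: the script writes to the native 64-bit hive, which is what a 64-bit msdeploy.exe under `C:\Program Files` reads; a 32-bit process on 64-bit Windows reads the same keys under `HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework` instead, so mirror the step 2 values there if your msdeploy.exe is 32-bit. And because these are per-machine keys, any other .NET 4.x application on the client will also pick up `SchUseStrongCrypto = 1`, which is why the post restricts the change to the deployment client rather than the IIS server.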

More reference: