How to enable TLS 1.2 on the site servers and remote site systems

Applies to: Configuration Manager (Current Branch)

When enabling TLS 1.2 for your Configuration Manager environment, start with enabling TLS 1.2 for the clients first. Then, enable TLS 1.2 on the site servers and remote site systems second. Finally, test client to site system communications before potentially disabling the older protocols on the server side. The following tasks are needed for enabling TLS 1.2 on the site servers and remote site systems:

  • Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
  • Update and configure the .NET Framework to support TLS 1.2
  • Update SQL Server and client components
  • Update Windows Server Update Services (WSUS)

For more information about dependencies for specific Configuration Manager features and scenarios, see About enabling TLS 1.2.

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level

TLS 1.2 is enabled by default. Therefore, no change to these keys is needed to enable it. You can make changes under Protocols to disable TLS 1.0 and TLS 1.1 after you've followed the rest of the guidance in these articles and you've verified that the environment works when only TLS 1.2 enabled.

Verify the \SecurityProviders\SCHANNEL\Protocols registry subkey setting, as shown in Transport layer security (TLS) best practices with the .NET Framework.

Update and configure the .NET Framework to support TLS 1.2

Determine .NET version

First, determine the installed .NET versions. For more information, see Determine which versions and service pack levels of .NET Framework are installed.

Install .NET updates

Install the .NET updates so you can enable strong cryptography. Some versions of .NET Framework might require updates to enable strong cryptography. Use these guidelines:

  • NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry settings, but no additional changes are required.

    Note

    Starting in version 2107, Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site servers, specific site systems, clients, and the console. If possible in your environment, install the latest version of .NET version 4.8.

  • Update NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For more information, see .NET Framework versions and dependencies.

  • If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server 2012 R2, or Windows Server 2012, it's highly recommended that you install the latest security updates for the .Net Framework 4.5.1 and 4.5.2 to ensure TLS 1.2 can be enabled properly.

    For your reference, TLS 1.2 was first introduced into .Net Framework 4.5.1 and 4.5.2 with the following hotfix rollups:

Configure for strong cryptography

Configure .NET Framework to support strong cryptography. Set the SchUseStrongCrypto registry setting to DWORD:00000001. This value disables the RC4 stream cipher and requires a restart. For more information about this setting, see Microsoft Security Advisory 296038.

Make sure to set the following registry keys on any computer that communicates across the network with a TLS 1.2-enabled system. For example, Configuration Manager clients, remote site system roles not installed on the site server, and the site server itself.

For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions" = dword:00000001
      "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
      "SystemDefaultTlsVersions" = dword:00000001
      "SchUseStrongCrypto" = dword:00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions" = dword:00000001
      "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
      "SystemDefaultTlsVersions" = dword:00000001
      "SchUseStrongCrypto" = dword:00000001

Note

The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. For more information, see TLS best practices with the .NET Framework.

Update SQL Server and client components

Microsoft SQL Server 2016 and later support TLS 1.1 and TLS 1.2. Earlier versions and dependent libraries might require updates. For more information, see KB 3135244: TLS 1.2 support for Microsoft SQL Server.

Secondary site servers need to use at least SQL Server 2016 Express with Service Pack 2 (13.2.50.26) or later.

SQL Server Native Client

Note

KB 3135244 also describes requirements for SQL Server client components.

Make sure to also update the SQL Server Native Client to at least version SQL Server 2012 SP4 (11.*.7001.0). This requirement is a prerequisite check (warning).

Configuration Manager uses SQL Server Native Client on the following site system roles:

  • Site database server
  • Site server: central administration site, primary site, or secondary site
  • Management point
  • Device management point
  • State migration point
  • SMS Provider
  • Software update point
  • Multicast-enabled distribution point
  • Asset Intelligence update service point
  • Reporting services point
  • Enrollment point
  • Endpoint Protection point
  • Service connection point
  • Certificate registration point
  • Data warehouse service point

Update Windows Server Update Services (WSUS)

To support TLS 1.2 in earlier versions of WSUS, install the following update on the WSUS server:

  • For WSUS server that's running Windows Server 2012, install update 4022721 or a later rollup update.

  • For WSUS server that's running Windows Server 2012 R2, install update 4022720 or a later rollup update.

Starting in Windows Server 2016, TLS 1.2 is supported by default for WSUS. TLS 1.2 updates are only needed on Windows Server 2012 and Windows Server 2012 R2 WSUS servers.

Next steps