How to enable TLS 1.2 on the site servers and remote site systems

Applies to: Configuration Manager (Current Branch)

When enabling TLS 1.2 for your Configuration Manager environment, start with enabling TLS 1.2 for the clients first. Then, enable TLS 1.2 on the site servers and remote site systems second. Finally, test client to site system communications before potentially disabling the older protocols on the server side. The following tasks are needed for enabling TLS 1.2 on the site servers and remote site systems:

  • Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
  • Update and configure the .NET Framework to support TLS 1.2
  • Update SQL Server and client components
  • Update Windows Server Update Services (WSUS)

For more information about dependencies for specific Configuration Manager features and scenarios, see About enabling TLS 1.2.

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level

TLS 1.2 is enabled by default. Therefore, no change to these keys is needed to enable it. You can make changes under Protocols to disable TLS 1.0 and TLS 1.1 after you've followed the rest of the guidance in these articles and you've verified that the environment works when only TLS 1.2 enabled.

Verify the \SecurityProviders\SCHANNEL\Protocols registry subkey setting, as shown in Transport layer security (TLS) best practices with the .NET Framework.

Update and configure the .NET Framework to support TLS 1.2

Determine .NET version

First, determine the installed .NET versions. For more information, see How to determine which versions and service pack levels of the Microsoft .NET Framework are installed.

Install .NET updates

Install the .NET updates so you can enable strong cryptography. Some versions of .NET Framework might require updates to enable strong cryptography. Use these guidelines:

  • NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry settings, but no additional changes are required.

  • Update NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For more information, see .NET Framework versions and dependencies.

  • If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1 or Windows Server 2012, the relevant updates and details are also available from the Download Center.

Configure for strong cryptography

Configure .NET Framework to support strong cryptography. Set the SchUseStrongCrypto registry setting to DWORD:00000001. This value disables the RC4 stream cipher and requires a restart. For more information about this setting, see Microsoft Security Advisory 296038.

Make sure to set the following registry keys on any computer that communicates across the network with a TLS 1.2-enabled system. For example, Configuration Manager clients, remote site system roles not installed on the site server, and the site server itself.

For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions" = dword:00000001
      "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
      "SystemDefaultTlsVersions" = dword:00000001
      "SchUseStrongCrypto" = dword:00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions" = dword:00000001
      "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
      "SystemDefaultTlsVersions" = dword:00000001
      "SchUseStrongCrypto" = dword:00000001

Note

The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. For more information, see TLS best practices with the .NET Framework.

Update SQL Server and client components

Microsoft SQL Server 2016 and later support TLS 1.1 and TLS 1.2. Earlier versions and dependent libraries might require updates. For more information, see KB 3135244: TLS 1.2 support for Microsoft SQL Server.

Secondary site servers need to use at least SQL Server 2016 Express with Service Pack 2 (13.2.50.26) or later.

SQL Server Native Client

Note

KB 3135244 also describes requirements for SQL Server client components.

Make sure to also update the SQL Server Native Client to at least version SQL Server 2012 SP4 (11.*.7001.0). Starting in version 1810, this requirement is a prerequisite check (warning).

Configuration Manager uses SQL Server Native Client on the following site system roles:

  • Site database server
  • Site server: central administration site, primary site, or secondary site
  • Management point
  • Device management point
  • State migration point
  • SMS Provider
  • Software update point
  • Multicast-enabled distribution point
  • Asset Intelligence update service point
  • Reporting services point
  • Application catalog web service
  • Enrollment point
  • Endpoint Protection point
  • Service connection point
  • Certificate registration point
  • Data warehouse service point

Update Windows Server Update Services (WSUS)

To support TLS 1.2 in earlier versions of WSUS, install the following update on the WSUS server:

  • For WSUS server that's running Windows Server 2012, install update 4022721 or a later rollup update.
  • For WSUS server that's running Windows Server 2012 R2, install update 4022720 or a later rollup update.

Starting in Windows Server 2016, TLS 1.2 is supported by default for WSUS. TLS 1.2 updates are only needed on Windows Server 2012 and Windows Server 2012 R2 WSUS servers.

Next steps