Enforce TLS 1.2 for the Azure AD Registration Service

The Azure Active Directory (Azure AD) Device Registration Service is used to connect devices to the cloud with a device identity. The Azure AD Device Registration Service currently supports using Transport Layer Security (TLS) 1.2 for communications with Azure. To ensure security and best-in-class encryption, Microsoft recommends disabling TLS 1.0 and 1.1. This document will provide information on how to ensure machines used to complete registration and communicate with the Azure AD Device Registration Service use TLS 1.2.

The TLS protocol version 1.2 is a cryptography protocol that is designed to provide secure communications. The TLS protocol aims primarily to provide privacy and data integrity. TLS has gone through many iterations with version 1.2 being defined in RFC 5246 (external link).

Current analysis of connections shows little TLS 1.1 and 1.0 usage, but we are providing this information so that you can update any affected clients or servers as necessary before support for TLS 1.1 and 1.0 ends. If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services (AD FS), make sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2.

Update Windows servers

For Windows servers that use the Azure AD Device Registration Service or act as proxies, use the following steps to ensure TLS 1.2 is enabled:

Important

After you have updated the registry, you must restart the Windows server for the changes to take effect.

Enable TLS 1.2

Ensure the following registry strings are configured as shown:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • "DisabledByDefault"=dword:00000000
    • "Enabled"=dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    • "DisabledByDefault"=dword:00000000
    • "Enabled"=dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319
    • "SchUseStrongCrypto"=dword:00000001

Update non-Windows proxies

Any machines that act as proxies between devices and the Azure AD Device Registration Service must ensure that TLS 1.2 is enabled. Follow your vendor's guidance to ensure support.

Update AD FS servers

Any AD FS servers used to communicate with the Azure AD Device Registration Service must ensure that TLS 1.2 is enabled. See Managing SSL/TLS Protocols and Cipher Suites for AD FS for information on how to enable/verify this configuration.

Client updates

Since all client-server and browser-server combinations must use TLS 1.2 to connect with the Azure AD Device Registration Service, you may need to update these devices.

The following clients are known to be unable to support TLS 1.2. Update your clients to ensure uninterrupted access.

  • Android version 4.3 and earlier
  • Firefox version 5.0 and earlier
  • Internet Explorer versions 8-10 on Windows 7 and earlier
  • Internet Explorer 10 on Windows Phone 8.0
  • Safari version 6.0.4 on OS X 10.8.4 and earlier

Next steps

TLS/SSL overview (Schannel SSP)