Steps to disable TLS 1.0 and 1.1 on the MBAM servers and force the use of TLS 1.2

Applies to: Microsoft BitLocker Administration and Monitoring 2.5 Service Pack 1

Symptoms


Microsoft is planning to disable older TLS protocols, in preparation for disabling Transport Layer Security (TLS) 1.0 and 1.1 by default. See Plan for change: TLS 1.0 and TLS 1.1 soon to be disabled by default.

For enterprise customers, this may require disabling TLS 1.0 and 1.1 in their environment for the Microsoft BitLocker Administration and Monitoring (MBAM) infrastructure.

Resolution


The following steps disable TLS 1.0 and 1.1 on the MBAM servers and force the use of TLS 1.2.

  1. Download and install the latest available version of the Microsoft .NET Framework on all MBAM servers: the web servers running the IIS role, the SQL Servers running the SQL Server Database Engine, and the servers running SQL Server Reporting Services.

Refer to: Microsoft .NET Framework 4.8 offline installer for Windows

  2. Run the PowerShell scripts below. They disable TLS 1.0 and 1.1 and force the use of TLS 1.2 only.
  3. Reboot the servers, then test the MBAM web applications and confirm that the MBAM clients can communicate with the server to back up recovery information.

<Tighten_DotNet.PS1>

# Tighten up the .NET Framework: make .NET 4.x use the operating system's strong-crypto
# defaults (TLS 1.2) instead of its own legacy SSL 3.0 / TLS 1.0 defaults.

# 64-bit .NET Framework 4.x
$NetRegistryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null

# 32-bit (WOW64) .NET Framework 4.x
$NetRegistryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null

<Force_TLS1.2.PS1>

# For every SCHANNEL protocol, on both the Client and Server side:
# TLS 1.2 is enabled, every other protocol is disabled.
$ProtocolList       = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault  = "DisabledByDefault"
$Enabled            = "Enabled"
$registryPath       = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach ($Protocol in $ProtocolList)
{
    Write-Host " In 1st For loop"
    foreach ($key in $ProtocolSubKeyList)
    {
        $currentRegPath = $registryPath + $Protocol + "\" + $key
        Write-Host " Current Registry Path $currentRegPath"

        # The protocol subkeys do not exist by default; create them as needed.
        if (!(Test-Path $currentRegPath))
        {
            Write-Host "creating the registry"
            New-Item -Path $currentRegPath -Force | Out-Null
        }

        if ($Protocol -eq "TLS 1.2")
        {
            # TLS 1.2: Enabled = 1, DisabledByDefault = 0
            Write-Host "Working for TLS 1.2"
            New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
        }
        else
        {
            # SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1: Enabled = 0, DisabledByDefault = 1
            Write-Host "Working for other protocol"
            New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
        }
    }
}
Exit 0
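The reboot-and-test step above does not say how to confirm that the two scripts took effect. The following verification script is an added example, not part of this article or of the MBAM product: it reads back the SCHANNEL and SchUseStrongCrypto values the scripts set, then attempts a TLS 1.0, 1.1 and 1.2 handshake against the MBAM website and reports whether each outcome matches the intended policy. The host name `mbam-web.contoso.example` and port 443 are placeholders to be replaced with the FQDN and HTTPS port of your MBAM Administration and Monitoring website; the function name `Test-TlsHandshake` is this example's own.

```powershell
# Added verification script (not part of the KB article). Run after Tighten_DotNet.PS1
# and Force_TLS1.2.PS1 have been applied and the server has been rebooted.
# Placeholders (adjust to your environment):
#   -MbamHost : FQDN of the MBAM Administration and Monitoring website
#   -MbamPort : HTTPS port of that website (443 by default)
param(
    [string]$MbamHost = "mbam-web.contoso.example",
    [int]$MbamPort    = 443
)

$schannelRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$protocols    = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")

# 1. Registry state expected after Force_TLS1.2.PS1:
#    only TLS 1.2 has Enabled=1 / DisabledByDefault=0 on both Client and Server.
foreach ($protocol in $protocols) {
    foreach ($side in @("Client", "Server")) {
        $path = Join-Path -Path (Join-Path -Path $schannelRoot -ChildPath $protocol) -ChildPath $side
        if (-not (Test-Path $path)) {
            Write-Warning "$protocol\$side : key missing (Force_TLS1.2.PS1 not applied?)"
            continue
        }
        $item     = Get-ItemProperty -Path $path
        $enabled  = $item.Enabled
        $disabled = $item.DisabledByDefault
        $wantOn   = ($protocol -eq "TLS 1.2")
        $ok = if ($wantOn) { ($enabled -eq 1) -and ($disabled -eq 0) }
              else         { ($enabled -eq 0) -and ($disabled -eq 1) }
        $status = if ($ok) { "OK  " } else { "FAIL" }
        Write-Output ("{0} {1,-8} {2,-6} Enabled={3} DisabledByDefault={4}" -f `
            $status, $protocol, $side, $enabled, $disabled)
    }
}

# 2. Registry state expected after Tighten_DotNet.PS1:
#    SchUseStrongCrypto=1 in both the 64-bit and the 32-bit (WOW64) .NET 4.x hives.
foreach ($netPath in @("HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
                       "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319")) {
    $value  = (Get-ItemProperty -Path $netPath -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    $status = if ($value -eq 1) { "OK  " } else { "FAIL" }
    Write-Output ("{0} SchUseStrongCrypto={1} at {2}" -f $status, $value, $netPath)
}

# 3. Live handshake probe against the MBAM website with one fixed protocol version.
#    Returns $true if the handshake completes, $false if the peer refuses or aborts it.
#    The probe accepts any server certificate on purpose: it tests protocol negotiation
#    only, not certificate trust, so a chain problem is not misreported as a TLS failure.
function Test-TlsHandshake {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $ssl.Dispose()
        return $true
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

# TLS 1.0 and 1.1 must be refused; TLS 1.2 must succeed.
$probes = @(
    @{ Name = "TLS 1.0"; Value = [System.Security.Authentication.SslProtocols]::Tls;   Expect = $false },
    @{ Name = "TLS 1.1"; Value = [System.Security.Authentication.SslProtocols]::Tls11; Expect = $false },
    @{ Name = "TLS 1.2"; Value = [System.Security.Authentication.SslProtocols]::Tls12; Expect = $true  }
)
foreach ($probe in $probes) {
    $result = Test-TlsHandshake -HostName $MbamHost -Port $MbamPort -Protocol $probe.Value
    $status = if ($result -eq $probe.Expect) { "OK  " } else { "FAIL" }
    Write-Output ("{0} {1} handshake to {2}:{3} -> {4} (expected {5})" -f `
        $status, $probe.Name, $MbamHost, $MbamPort, $result, $probe.Expect)
}
```

Run the handshake part from a machine where TLS 1.0 and 1.1 are still enabled on the client side if you want to prove that it is the MBAM web server that refuses them; run on the MBAM server itself, a refused TLS 1.0 or 1.1 handshake can equally be caused by the server's own Client-side SCHANNEL settings, which the registry section of the script reports separately. A FAIL on the SchUseStrongCrypto line with OK on every SCHANNEL line is the pattern to look for when IIS accepts TLS 1.2 but the MBAM web applications themselves still fail to reach SQL Server or Reporting Services.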