    How to enable TLS 1.2 for Configuration Manager

    Content provided by Microsoft

    Applies to:
    • System Center Configuration Manager
    • System Center Configuration Manager (current branch - version 1702)
    • System Center Configuration Manager Hybrid with Intune for Government


    Summary


    This article describes how to enable TLS 1.2 for Microsoft System Center Configuration Manager. It covers the individual components involved, the update requirements for commonly used Configuration Manager features, and high-level troubleshooting information for common problems.

    Introduction


    Multiple vulnerabilities have been identified in older communication protocols, such as SSL 3.0, TLS 1.0, and TLS 1.1. For best results, enable TLS 1.2 for more secure communications.
    Configuration Manager relies on many different components for secure communication. The protocol that's used for a given connection depends on the capabilities of all the required components. If any one component is out of date, the connection may silently fall back to an older, less secure protocol.
    To correctly enable Configuration Manager to support TLS 1.2, you have to enable TLS 1.2 for all required components. Which components are required depends on your environment and the Configuration Manager features that you use.

    To learn more about TLS and why it’s important to enable TLS 1.2, see RFC 5246.

    Note

    The information in this article applies to Configuration Manager current branch, version 1702 with the Update Rollup (KB 4019926) applied, or higher versions.

     

    More Information


    Enable the TLS 1.2 protocol as a security provider

    To enable TLS 1.2, you must first enable TLS 1.2 as a security provider on each computer that runs Configuration Manager or communicates with it.

    To do this, configure the protocol subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols as shown in TLS/SSL Settings. A restart is required for Schannel to pick up the change. Enabling TLS 1.2 here does not disable SSL 3.0, TLS 1.0, or TLS 1.1; disable those only after every component listed later in this article has been updated and verified, otherwise a dependency that still needs an older protocol fails outright instead of falling back.
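    The following PowerShell is an added example for the step above; it is not code from the Microsoft article. It creates the Schannel Client and Server subkeys for TLS 1.2 with Enabled=1 and DisabledByDefault=0, reads the state of all four protocol versions back, and keeps disabling the legacy protocols behind a switch that is off by default. It assumes an elevated session; the subkey names and value names are the documented Schannel ones.

```powershell
# Added example (not part of the Microsoft article): enable TLS 1.2 in Schannel
# and report the current protocol state. Run elevated; reboot afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,   # e.g. 'TLS 1.2'
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 + DisabledByDefault=0 : available and offered in the handshake.
        # Enabled=0 + DisabledByDefault=1 : never negotiated, even if a peer asks for it.
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)] [string] $Protocol)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$side"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            # An absent key means the OS default for that Windows version applies.
            Enabled           = if ($null -ne $p) { $p.Enabled } else { '(absent, OS default)' }
            DisabledByDefault = if ($null -ne $p) { $p.DisabledByDefault } else { '(absent, OS default)' }
        }
    }
}

# Step 1, what the article requires: make TLS 1.2 available on this host.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# Step 2, optional hardening that goes beyond the article: turn off the legacy
# protocols only after every dependency in the feature table has been verified
# on TLS 1.2. Left off here on purpose; flip it once that verification is done.
$disableLegacy = $false
if ($disableLegacy) {
    foreach ($old in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol -Protocol $old -Enabled $false }
}

'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' |
    ForEach-Object { Get-SchannelProtocolState -Protocol $_ } |
    Format-Table -AutoSize
```

    Run the report half of the script on its own (skip the two Set-SchannelProtocol calls) when you only want to audit a host before touching it.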
     

    Enable TLS 1.2 for dependent components

    This section describes how to enable TLS 1.2 for components that Configuration Manager depends on for secure communication.  Additional links provide detailed information, downloads, and background information as required.

    - Update the .NET Framework

    To update the .NET Framework to support TLS 1.2, first determine your .NET Framework version number. (For help, see KB 318785.)

    Earlier versions of the .NET Framework may require updates or registry changes to enable strong cryptography. Use these guidelines:

    • The .NET Framework 4.6.2 and later versions support TLS 1.1 and TLS 1.2. No further changes are needed.
    • The .NET Framework 4.6 and earlier versions must be updated to support TLS 1.1 and TLS 1.2. If you're using the .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows RT 8.1, or Windows Server 2012, the relevant updates and details are also available from the Download Center.
    • The .NET Framework 4.6.1 and earlier versions must be configured to support strong cryptography. Set the SchUseStrongCrypto registry value to DWORD 1. This disables the RC4 stream cipher and requires a restart. To learn more about this setting, see Microsoft Security Advisory 2960358.

    For 32-bit applications on 32-bit systems, or 64-bit applications on 64-bit systems, set the following value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\<version>
       SchUseStrongCrypto = (DWORD) 00000001

    For 32-bit applications that are running on x64-based systems, set the following value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\<version>
       SchUseStrongCrypto = (DWORD) 00000001

    Do this for each version of the .NET Framework that's older than 4.6.2 and is currently used in your environment. On an x64 computer, set both values: a process reads only the registry view that matches its own bitness, so a value in one hive does not cover processes running in the other.
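    The following PowerShell is an added example for the .NET steps above, not code from the Microsoft article. It reads the installed .NET Framework 4.x Release value, sets SchUseStrongCrypto under both registry views for each runtime, and reports any hive/runtime pair that is still non-compliant. The runtime subkey names v4.0.30319 (the CLR 4 runtime used by .NET 4.x) and v2.0.50727 (the CLR 2 runtime used by .NET 2.0/3.5) are an assumption about what is present in your environment; the threshold 394802 is the lowest Release value that corresponds to .NET Framework 4.6.2.

```powershell
# Added example (not part of the Microsoft article): enforce and verify
# SchUseStrongCrypto for every .NET runtime and registry view. Run elevated;
# reboot afterwards.
$runtimes = @('v4.0.30319', 'v2.0.50727')   # assumed runtimes in use
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',             # 64-bit processes on x64, all processes on x86
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'  # 32-bit processes on x64
)

function Get-DotNet4Release {
    # KB 318785 maps this Release value to a .NET Framework 4.x version.
    $rel = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                             -Name Release -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{
        Release    = $rel
        AtLeast462 = ($null -ne $rel -and $rel -ge 394802)   # 4.6.2 or later: no registry change needed
    }
}

function Set-DotNetStrongCrypto {
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }   # Wow6432Node does not exist on 32-bit Windows
        foreach ($rt in $runtimes) {
            $key = Join-Path $hive $rt
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-DotNetStrongCrypto {
    # One row per hive/runtime. Compliant is $false where the value is missing
    # or not 1, which is the state behind the SslSecurityError and SRSRP.log
    # symptoms described under Known issues.
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($rt in $runtimes) {
            $key = Join-Path $hive $rt
            $v = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue).SchUseStrongCrypto
            [pscustomobject]@{
                Key                = $key
                SchUseStrongCrypto = $v
                Compliant          = ($v -eq 1)
            }
        }
    }
}

$release = Get-DotNet4Release
$release | Format-Table -AutoSize
if (-not $release.AtLeast462) {
    # Older than 4.6.2: the article requires the strong-crypto flag.
    Set-DotNetStrongCrypto
}
Test-DotNetStrongCrypto | Format-Table -AutoSize
```

    Setting the flag on a 4.6.2 or later host is harmless, so the script is safe to run fleet-wide; the version check only avoids unnecessary registry churn.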

    - Update SQL Server and client components

    Microsoft SQL Server 2016 supports TLS 1.1 and TLS 1.2.

    Earlier versions and dependent libraries may require updates. For more information, see KB 3135244.

    Note KB 3135244 also describes requirements for SQL Server client components. Update each component that's used in your environment.

    - Update Windows and WinHTTP

    Microsoft Windows 10 and Windows Server 2016 support TLS 1.2 for client-server communications by using WinHTTP.

    Earlier versions of Windows do not enable TLS 1.1 or TLS 1.2 by default for client-server communications through WinHTTP. The update described in KB 3140245 adds support for the DefaultSecureProtocols registry value on those versions; install it first, because the value is ignored until the update is present.

    Verify that the DefaultSecureProtocols registry value is 0xAA0, as follows:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
       DefaultSecureProtocols = (DWORD) 0xAA0

    On x64 computers, also set the same value under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp so that 32-bit processes pick it up.

    The value is a bitmask (see KB 3140245): 0x20 = SSL 3.0, 0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2. 0xAA0 therefore leaves SSL 3.0, TLS 1.0, and TLS 1.1 available alongside TLS 1.2, which keeps older peers working during the migration. After every dependency has been verified on TLS 1.2, narrow it to 0xA00 (TLS 1.1 and TLS 1.2) or 0x800 (TLS 1.2 only).

    Note This change requires a restart.
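    The following PowerShell is an added example for the WinHTTP step, not code from the Microsoft article. It decodes a DefaultSecureProtocols mask into protocol names, builds a mask from names, writes it to both registry views, and reports what each view currently allows. The bit values and both registry paths are the ones documented in KB 3140245; the script assumes an elevated session and that the KB 3140245 update is already installed where required.

```powershell
# Added example (not part of the Microsoft article): decode, set and verify the
# WinHTTP DefaultSecureProtocols bitmask. Run elevated; reboot afterwards.
$flags = [ordered]@{
    'SSL 2.0' = 0x08
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function ConvertTo-ProtocolList {
    # Names of every protocol bit set in $Mask; 0xAA0 -> SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
    param([Parameter(Mandatory)] [int] $Mask)
    @($flags.Keys | Where-Object { ($Mask -band $flags[$_]) -ne 0 })
}

function ConvertTo-ProtocolMask {
    param([Parameter(Mandatory)] [string[]] $Protocols)
    $mask = 0
    foreach ($p in $Protocols) {
        if (-not $flags.Contains($p)) { throw "Unknown protocol '$p'" }
        $mask = $mask -bor $flags[$p]
    }
    $mask
}

function Get-WinHttpDefaultSecureProtocols {
    foreach ($path in $paths) {
        $v = (Get-ItemProperty -Path $path -Name 'DefaultSecureProtocols' -ErrorAction SilentlyContinue).DefaultSecureProtocols
        [pscustomobject]@{
            Path      = $path
            Value     = if ($null -ne $v) { '0x{0:X}' -f $v } else { '(absent: OS default applies)' }
            Protocols = if ($null -ne $v) { (ConvertTo-ProtocolList $v) -join ', ' } else { '' }
            HasTls12  = ($null -ne $v) -and (($v -band $flags['TLS 1.2']) -ne 0)
            HasSsl3   = ($null -ne $v) -and (($v -band $flags['SSL 3.0']) -ne 0)
        }
    }
}

function Set-WinHttpDefaultSecureProtocols {
    param([Parameter(Mandatory)] [string[]] $Protocols)
    $mask = ConvertTo-ProtocolMask $Protocols
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'DefaultSecureProtocols' -PropertyType DWord -Value $mask -Force | Out-Null
    }
    '0x{0:X}' -f $mask
}

# What the article's value actually permits:
'0xAA0 = ' + ((ConvertTo-ProtocolList 0xAA0) -join ', ')

# Migration value from the article. Once every dependency negotiates TLS 1.2,
# call this again with 'TLS 1.1', 'TLS 1.2' (0xA00) or just 'TLS 1.2' (0x800).
Set-WinHttpDefaultSecureProtocols -Protocols 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
Get-WinHttpDefaultSecureProtocols | Format-Table -AutoSize
```

    The HasSsl3 column is the one to watch in a fleet audit: a host that still reports it after migration is the one that will negotiate SSL 3.0 with any peer that asks.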

    - Update Windows Server Update Services (WSUS)

    To support TLS 1.2 for client-server communications with WSUS on Windows Server 2012 and Windows Server 2012 R2, you must apply the following update on the WSUS server:

    • For a WSUS server that's running Windows Server 2012, apply update 4022721 or a later update.
    • For a WSUS server that's running Windows Server 2012 R2, apply update 4022720 or a later update.

    Tasks required for Configuration Manager features and scenarios


    This section describes the dependencies for specific Configuration Manager features and scenarios. To determine the next steps, locate the items that apply to your environment, and then verify the dependencies by using the steps that are provided in the "More Information" section.

    Feature or scenario                                          Update tasks
    -----------------------------------------------------------  -----------------------------------------------------------------------
    Site servers (central, primary, or secondary)                Update the .NET Framework, and verify strong cryptography settings.
    SMS Provider                                                 Update SQL Server and its client components as appropriate for each SMS Provider.
    Site system roles                                            Update the .NET Framework, and verify strong cryptography settings.
                                                                 Update SQL Server and its client components.
    Service connection point                                     Update the .NET Framework, and verify strong cryptography settings.
    Application Catalog                                          Update the .NET Framework, and verify strong cryptography settings.
    SRS reporting point                                          Update the .NET Framework on the site server and the SRS servers.
                                                                 Restart the SMS_Executive service as necessary.
    Admin console                                                Update the .NET Framework, and verify strong cryptography settings.
    Configuration Manager client with HTTPS site system roles    Update Windows to support TLS 1.2 for client-server communications by using WinHTTP.
    Software Center                                              Update the .NET Framework, and verify strong cryptography settings.
    Software update point                                        Update WSUS.

     

    Known issues


    This section provides advice for common issues that occur when you enable TLS 1.2 support. 

    FIPS security policy enabled

    If the FIPS security policy setting ("System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing") is enabled on either the client or the server, Secure Channel (Schannel) negotiation can cause TLS 1.0 to be used even if that protocol is disabled in the registry. The policy state is visible as the Enabled value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy (1 = enabled).

    To investigate, enable Secure Channel event logging, and then review the Schannel events in the System log: they record the protocol version that was actually negotiated, so you can see a fallback instead of inferring it. For related information, see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
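    The following PowerShell is an added example for the investigation step above, not code from the Microsoft article. It checks the FIPS policy value, turns on Schannel event logging, and summarises the protocol versions this host negotiated from the System log. The registry locations are the documented ones; the event IDs (36880 for a completed handshake, 36887 and 36888 for fatal alerts) are Schannel's, but the exact message wording differs between Windows versions, so the protocol is extracted with a version-token regex rather than a fixed sentence, and that wording is an assumption of the example.

```powershell
# Added example (not part of the Microsoft article): FIPS check, Schannel event
# logging, and a negotiated-protocol summary from the System log. Run elevated.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$fipsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Test-FipsPolicy {
    # 1 when "Use FIPS compliant algorithms..." is enabled through local or domain policy.
    $v = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [bool]($v -eq 1)
}

function Enable-SchannelEventLogging {
    # EventLogging: 1 = errors only, 7 = errors + warnings + successful handshakes.
    # Applies to new connections; restart the affected service (or the host) to be sure.
    New-ItemProperty -Path $schannelKey -Name 'EventLogging' -PropertyType DWord -Value 7 -Force | Out-Null
}

function Get-NegotiatedProtocolSummary {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    # Event 36880 is logged once per completed handshake and names the protocol in
    # its message. Assumption: the message contains a token such as "TLS 1.0"; the
    # surrounding text is not relied on.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36880; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    $events |
        ForEach-Object {
            if ($_.Message -match '(SSL 2\.0|SSL 3\.0|TLS 1\.[0-3])') { $Matches[1] } else { 'unknown' }
        } |
        Group-Object |
        Sort-Object Name |
        Select-Object @{ n = 'Protocol'; e = { $_.Name } }, Count
}

function Get-SchannelFatalAlerts {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    # 36887 = fatal alert received from the peer, 36888 = fatal alert generated locally.
    # A "do not possess a common algorithm" failure leaves one of these behind.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36887, 36888; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

if (Test-FipsPolicy) {
    Write-Warning 'FIPS policy is enabled on this host; Schannel may negotiate TLS 1.0 regardless of the Protocols registry keys.'
}
Enable-SchannelEventLogging
Get-NegotiatedProtocolSummary | Format-Table -AutoSize
Get-SchannelFatalAlerts       | Format-Table -AutoSize -Wrap
```

    A summary that still shows a TLS 1.0 row after the migration identifies the host to look at; the 36887/36888 entries around the same time usually name the peer whose cipher or protocol set did not overlap.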

    SQL Server communication failure

    If SQL Server communication fails and returns an "SslSecurityError" error, verify the following:

    • The .NET Framework is updated and has strong cryptography enabled on each machine.
    • SQL Server is updated on the host server.
    • SQL client components are updated on the site servers, SMS provider, site role servers, and all other systems that communicate with SQL server.

    Configuration Manager client communication failures

    If the Configuration Manager client does not communicate with site role endpoints (such as distribution points, management points, and state migration points), verify that Windows has been updated to support TLS 1.2 for client-server communication by using WinHTTP.

    SRS Reporting Point fails and returns an unexpected error

    If the SRS Reporting Point does not configure reports, check SRSRP.log for the following error entry:

    The underlying connection was closed:
    An unexpected error occurred on a receive.


    To resolve this issue, follow these steps:

    1. Verify that the .NET Framework is updated and has strong cryptography enabled on all relevant computers.
    2. Verify that the SMS_Executive service has been restarted after any updates are installed.

    Application Catalog fails to initialize

    If the Application Catalog does not initialize, check the ServicePortalWebSite.svclog file for the following error entries:

    SOAP security negotiation failed. The client and server cannot communicate, because they do not possess a common algorithm.

    To resolve this issue, follow these steps:

    1. Verify that the .NET Framework is updated and has strong cryptography enabled on all relevant computers.
    2. In the C:\Windows\System32\InetSrv folder of the Application Catalog server, create a w3wp.exe.config file (w3wp.exe is the IIS worker process that hosts the Application Catalog) with the following content:

      <?xml version="1.0" encoding="utf-8" ?>
      <configuration>
        <runtime>
          <AppContextSwitchOverrides value="Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false;Switch.System.Net.DontEnableSchUseStrongCrypto=false" />
        </runtime>
      </configuration>

      Both switches set to false mean: WCF honours the ServicePointManager security-protocol setting instead of its own hard-coded list, and .NET strong cryptography is not suppressed for this process.

      Note This is the default file that would be created if the application was built by using the .NET Framework 4.6.3.
    3. Use HTTPS transport security for Application Catalog roles.

      Note When you use HTTP message security for Application Catalog roles, WCF is hard-coded to use SSL 3.0 and TLS 1.0 only. This prevents the use of TLS 1.2.
    4. If any changes were made, restart the computer.

    Software Center or Browser fails to communicate with Application Catalog

    To resolve communication failures between Application Catalog and Software Center or the browser, verify that:

    • The .NET Framework is updated and has strong cryptography enabled on each computer.
    • The browser is configured to support TLS 1.2. (Before Windows 10, this option was disabled by default.)
    • All computers were restarted after the changes were made.

    Service Connection Point upload failures

    If the Service Connection Point does not upload data to SCCMConnectedService, verify that the .NET Framework is updated and has strong cryptography enabled on each computer. Remember to restart the computers after the changes are made.

    Admin Console displays Intune onboarding dialog box

    If the Intune onboarding dialog box appears when the Admin Console tries to connect to the Intune portal, verify that the .NET Framework is updated and has strong cryptography enabled on each computer.  Remember to restart the computers after the changes are made.

    WSUS communication failures

    To resolve WSUS communication failures on Windows Server 2012 and Windows Server 2012 R2, apply the following update on the WSUS server:

    • For a WSUS server that's running Windows Server 2012, apply update 4022721 or a later update.
    • For a WSUS server that's running Windows Server 2012 R2, apply update 4022720 or a later update.
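    The following PowerShell is an added example that ties the Known issues entries together; it is not code from the Microsoft article. It scans a folder of Configuration Manager logs for the error signatures quoted above (SslSecurityError, the SRSRP.log "underlying connection was closed" entry, and the Application Catalog "common algorithm" negotiation failure) and maps each hit to the dependency to check first. The sample log lines it writes to a temp folder are constructed for the demo, including the CMTrace-style line format and the smsdbmon.log entry; point -LogRoot at a real Logs folder to run it against live data.

```powershell
# Added example (not part of the Microsoft article): find TLS-related error
# signatures from Known issues in Configuration Manager logs.
$signatures = @(
    @{ Pattern = 'SslSecurityError';                  CheckFirst = 'SQL Server and SQL client components; .NET strong cryptography on every box' },
    @{ Pattern = 'underlying connection was closed';  CheckFirst = '.NET Framework update and SchUseStrongCrypto; restart SMS_Executive' },
    @{ Pattern = 'SOAP security negotiation failed';  CheckFirst = 'Application Catalog: .NET strong crypto, w3wp.exe.config switches, HTTPS transport' },
    @{ Pattern = 'do not possess a common algorithm'; CheckFirst = 'Application Catalog: .NET strong crypto, w3wp.exe.config switches, HTTPS transport' }
)

function Find-TlsSymptoms {
    param([Parameter(Mandatory)] [string] $LogRoot)
    Get-ChildItem -Path $LogRoot -Recurse -Include '*.log', '*.svclog' -File | ForEach-Object {
        $file = $_
        $lineNo = 0
        # ReadLines streams the file, so multi-GB logs do not get loaded into memory.
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            $lineNo++
            foreach ($sig in $signatures) {
                if ($line -match $sig.Pattern) {
                    [pscustomobject]@{
                        File       = $file.Name
                        Line       = $lineNo
                        Signature  = $sig.Pattern
                        CheckFirst = $sig.CheckFirst
                        Text       = $line.Trim()
                    }
                }
            }
        }
    }
}

# Constructed demo data (not real log content); written to a temp folder.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'sccm-tls-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@(
    '<![LOG[The underlying connection was closed: An unexpected error occurred on a receive.]LOG]!><time="10:41:02.117+00" date="12-01-2017" component="SMS_SRS_REPORTING_POINT" type="3" thread="4412" file="srsrp.cpp:1234">',
    '<![LOG[Retrying report server configuration in 60 seconds]LOG]!><time="10:41:03.001+00" date="12-01-2017" component="SMS_SRS_REPORTING_POINT" type="1" thread="4412" file="srsrp.cpp:1300">'
) | Set-Content -Path (Join-Path $demo 'SRSRP.log')
@(
    'SOAP security negotiation failed. The client and server cannot communicate, because they do not possess a common algorithm.'
) | Set-Content -Path (Join-Path $demo 'ServicePortalWebSite.svclog')
@(
    '<![LOG[*** [08001][-2146893018][Microsoft][SQL Server Native Client 11.0]SslSecurityError]LOG]!><time="10:42:10.500+00" date="12-01-2017" component="SMS_DATABASE_NOTIFICATION_MONITOR" type="3" thread="5120" file="smsdbmon.cpp:800">'
) | Set-Content -Path (Join-Path $demo 'smsdbmon.log')

Find-TlsSymptoms -LogRoot $demo | Format-Table -AutoSize -Wrap
```

    Each signature maps to the component list from the matching Known issues entry, so the output doubles as the order in which to verify the .NET, SQL, and IIS settings on the affected server.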

    Last Updated: Dec 1, 2017