How to enable TLS 1.2 for Configuration Manager

Applies to: System Center Configuration Manager (current branch - version 1702)

Summary


This article describes how to enable TLS 1.2 for Microsoft System Center Configuration Manager. This description includes individual components, update requirements for commonly used Configuration Manager features, and high-level troubleshooting information for common problems.

Introduction


Multiple vulnerabilities have been identified in older communication protocols, such as SSL 3.0, TLS 1.0, and TLS 1.1. For the best results, enable TLS 1.2 for more secure communications.
Configuration Manager relies on many different components for secure communication. The protocol that's used for a given connection depends on the capabilities of all the required components. If one component is out-of-date, the communication may use an older, less secure protocol.  
To correctly enable Configuration Manager to support TLS 1.2, you have to enable TLS 1.2 for all required components. Which components are required depends on your environment and the Configuration Manager features that you use.

To learn more about TLS and why it’s important to enable TLS 1.2, see RFC 5246.

More information


Enable the TLS 1.2 protocol as a security provider

To enable TLS 1.2, you must first enable TLS 1.2 as a security provider for each computer that is running or interacting with Configuration Manager.

To do this, configure the "\SecurityProviders\SCHANNEL\Protocols" registry subkey setting, as shown in TLS/SSL Settings.
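The following PowerShell is an added example, not part of the Microsoft article: it sets the Enabled and DisabledByDefault values under the "\SecurityProviders\SCHANNEL\Protocols" subkey that the TLS/SSL Settings page documents, for both the Client and Server sides of TLS 1.2, and reads them back so you can confirm the result. It assumes it is run from an elevated PowerShell session on the computer being configured.

```powershell
# Added example (not from the Microsoft article): enable TLS 1.2 as a
# Schannel security provider for both the client and server sides.
# Assumes an elevated session; Schannel reads these values at startup,
# so a restart is required before the change takes effect.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,      # e.g. 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $protocols $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 together with DisabledByDefault=0 turns the protocol on;
        # the inverse pair turns it off.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Returns the current Enabled/DisabledByDefault pair for Client and Server.
    param([Parameter(Mandatory)][string]$Name)
    $result = @{}
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $protocols $Name) $side
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $result[$side] = [pscustomobject]@{
            Side              = $side
            Enabled           = $props.Enabled
            DisabledByDefault = $props.DisabledByDefault
        }
    }
    return $result
}

Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
(Get-SchannelProtocolState -Name 'TLS 1.2').Values | Format-Table -AutoSize
```

The same function can disable an older protocol (for example, `Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false`), but as the introduction notes, do that only after every dependent component in the environment has been updated, otherwise connections that still need the older protocol fail instead of negotiating a newer one.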
 

Enable TLS 1.2 for dependent components

This section describes how to enable TLS 1.2 for components that Configuration Manager depends on for secure communication.  Additional links provide detailed information, downloads, and background information as required.

Update .NET Framework

To update .NET Framework to support TLS 1.2, first determine your .NET version number. (For help, see KB 318785.)

Earlier versions of .NET Framework may require updates or registry changes to enable strong cryptography. Use these guidelines:

  • .NET Framework 4.6.2 supports TLS 1.1 and TLS 1.2.  No further changes are needed.
  • .NET Framework 4.6 and earlier versions must be updated to support TLS 1.1 and TLS 1.2.

If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows RT 8.1, or Windows Server 2012, the relevant updates and details are also available from the Download Center.

  • .NET Framework 4.6.1 and earlier versions must be configured to support strong cryptography.  Set the SchUseStrongCrypto registry setting to DWORD:00000001. This disables the RC4 stream cipher and requires a restart. To learn more about this setting, see Microsoft Security Advisory 296038.

For 32-bit applications on 32-bit systems or 64-bit applications on 64-bit systems, update the following subkey value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\<version>
   SchUseStrongCrypto = (DWORD): 00000001

For 32-bit applications that are running on x64-based systems, update the following subkey value:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\<version>
   SchUseStrongCrypto = (DWORD): 00000001

Do this for each version of .NET Framework that's older than 4.6.2 and is currently used in your environment.

Update SQL Server and client components

Microsoft SQL Server 2016 supports TLS 1.1 and TLS 1.2.

Earlier versions and dependent libraries may require updates. For more information, see KB 3135244.

Note KB 3135244 also describes requirements for SQL Server client components. Update each component that's used in your environment.

Update Windows and WinHTTP

Microsoft Windows 10 and Windows Server 2016 support TLS 1.2 for client-server communications by using WinHTTP.

Earlier versions of Windows did not enable TLS 1.1 or 1.2 by default for client-server communications through WinHTTP. Depending on your currently installed updates, you may have to change the default secure protocol that's used in these environments. For more information, see KB 3140245.

Verify that the DefaultSecureProtocols registry setting is 0xAA0, as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
   DefaultSecureProtocols = (DWORD): 0xAA0

Note This change requires a restart.
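The following read-only audit script is an added example, not part of the Microsoft article. It checks the .NET Framework and WinHTTP settings from the two sections above on the local computer and lists what is missing. Two things in it are assumptions rather than statements from this page: it treats a .NET 4.x Release value of 394802 or higher as ".NET Framework 4.6.2 or later" (the published Release keys for 4.6.2 start at 394802), and it also checks the Wow6432Node copy of the WinHttp key, which KB 3140245 lists for 32-bit applications on x64 systems.

```powershell
# Added example (not from the Microsoft article): audit the .NET strong-
# cryptography and WinHTTP DefaultSecureProtocols settings on this computer.
# Read-only; run it on each site server, SMS Provider, site role server,
# and client that you need to check.
$findings = New-Object System.Collections.Generic.List[string]

# 1. .NET 4.x version. Release >= 394802 is 4.6.2 or later (assumption based on
#    the published Release keys), which needs no SchUseStrongCrypto change.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$net462OrLater = $ndp -and ($ndp.Release -ge 394802)
if (-not $net462OrLater) {
    $findings.Add('.NET Framework 4.x is older than 4.6.2: update it or set SchUseStrongCrypto for it.')
}

# 2. SchUseStrongCrypto for every installed .NET version, in both the native
#    hive and Wow6432Node (32-bit applications on x64 read the latter).
$netRoots = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
)
foreach ($root in $netRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($ver in Get-ChildItem $root | Where-Object { $_.PSChildName -like 'v*' }) {
        $val = (Get-ItemProperty $ver.PSPath -ErrorAction SilentlyContinue).SchUseStrongCrypto
        if ($val -ne 1) {
            $path = $ver.PSPath -replace '^.*::', ''
            $findings.Add("$path : SchUseStrongCrypto is '$val' (expected 1)")
        }
    }
}

# 3. WinHTTP default protocols. Per KB 3140245 the value is a bitmask:
#    0x20 = SSL 3.0, 0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2,
#    so the 0xAA0 the article recommends is all four. The check below only
#    insists on the TLS 1.2 bit being present.
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'   # assumption: per KB 3140245
)
foreach ($key in $winHttpKeys) {
    $val = (Get-ItemProperty $key -ErrorAction SilentlyContinue).DefaultSecureProtocols
    if ($null -eq $val -or (($val -band 0x800) -eq 0)) {
        $shown = if ($null -eq $val) { 'absent' } else { '0x{0:X}' -f $val }
        $findings.Add("$key : DefaultSecureProtocols is $shown (expected 0xAA0; bit 0x800 enables TLS 1.2)")
    }
}

if ($findings.Count -eq 0) { 'All checked TLS 1.2 prerequisites are in place.' }
else { $findings | ForEach-Object { "MISSING: $_" } }
```

Judge the .NET findings against the versions actually in use: a SchUseStrongCrypto entry is only required for the versions older than 4.6.2 that your components load, and a missing entry under a version you do not use is not a problem. On Windows versions that do not need the WinHTTP change, the key may be absent by design, so read that finding together with KB 3140245.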

Update Windows Server Update Services (WSUS)

To support TLS 1.2 for client-server communications in WSUS on Windows Server 2012 and Windows Server 2012 R2, you must apply the following update on the WSUS server:

  • For a WSUS server that's running Windows Server 2012, apply update 4022721 or a later update.
  • For a WSUS server that's running Windows Server 2012 R2, apply update 4022720 or a later update.

Tasks required for Configuration Manager features and scenarios


This section describes the dependencies for specific Configuration Manager features and scenarios. To determine the next steps, locate the items that apply to your environment, and then verify the dependencies by using the steps that are provided in the "More information" section.

Feature or scenario: update tasks

  • Site servers (central, primary, or secondary): Update .NET Framework, and verify strong cryptography settings.
  • SMS Provider: Update Microsoft SQL Server and its client components as appropriate for each SMS provider.
  • Site system roles: Update .NET Framework, and verify strong cryptography settings. Update SQL Server and its client components.
  • Service connection point and application catalog: Update .NET Framework, and verify strong cryptography settings.
  • SRS reporting point: Update .NET Framework on the site server and the SRS servers. Restart the SMS_Executive service as necessary.
  • Admin console: Update .NET Framework, and verify strong cryptography settings.
  • SCCM client with HTTPS site system roles: Update Windows to support TLS 1.2 for client-server communications by using WinHTTP.
  • Software Center: Update .NET Framework, and verify strong cryptography settings.
  • Software Update Point: Update WSUS.

Known issues


This section provides advice for common issues that occur when you enable TLS 1.2 support. 

FIPS security policy enabled

If the FIPS security policy setting is enabled for either the client or the server, Secure Channel (Schannel) negotiation can cause TLS 1.0 to be used even if the protocol is disabled by using the registry.

To investigate, enable Secure Channel event logging, and then review Schannel events in the system log. For related information, see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
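The following PowerShell is an added example, not part of the Microsoft article, showing the investigation just described: it turns on Schannel event logging, reports whether the FIPS policy is enabled, and pulls the recent Schannel events from the System log. It assumes the EventLogging value under the SCHANNEL key (a bitmask where 1 = errors, 2 = warnings, 4 = informational, so 7 logs everything) and the FipsAlgorithmPolicy\Enabled value under the Lsa key, neither of which this page spells out.

```powershell
# Added example (not from the Microsoft article): enable Schannel event
# logging and list recent Schannel events so that a silent fallback to
# TLS 1.0 (for example under a FIPS policy) becomes visible.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Enable-SchannelEventLogging {
    # EventLogging bitmask (assumption): 1 = errors, 2 = warnings,
    # 4 = informational; 7 logs all. Applies to new connections.
    param([ValidateRange(0, 7)][int]$Level = 7)
    New-ItemProperty -Path $schannel -Name 'EventLogging' -PropertyType DWord `
        -Value $Level -Force | Out-Null
}

function Get-FipsPolicyState {
    # The FIPS policy the article refers to is stored under Lsa\FipsAlgorithmPolicy (assumption).
    $fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
        -ErrorAction SilentlyContinue
    return [bool]($fips -and $fips.Enabled -eq 1)
}

function Get-SchannelEvents {
    # Recent events written by the Schannel provider to the System log.
    param([int]$Hours = 24, [int]$MaxEvents = 50)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Enable-SchannelEventLogging -Level 7
"FIPS policy enabled: $(Get-FipsPolicyState)"
Get-SchannelEvents | Format-Table -AutoSize
```

Level 7 is verbose: reproduce the failing connection, read the events, and then set EventLogging back to 1 (errors only) so the System log is not flooded. The first line of each event message is enough to spot handshake failures and the protocol that was negotiated.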

SQL Server communication failure

If SQL Server communication fails and returns an "SslSecurityError" error, verify the following:

  • .NET Framework is updated and has strong cryptography enabled on each machine.
  • SQL Server is updated on the host server.
  • SQL client components are updated on the site servers, SMS provider, site role servers, and all other systems that communicate with SQL server.

Configuration Manager client communication failures

If the Configuration Manager client does not communicate with site role endpoints (such as distribution points, management points, and state migration points), verify that Windows has been updated to support TLS 1.2 for client-server communication by using WinHTTP.

SRS Reporting Point fails and returns an expected error

If the SRS Reporting Point does not configure reports, check SRSRP.log for the following error entry:


To resolve this issue, follow these steps:

  1. Verify that .NET Framework is updated and has strong cryptography enabled on all relevant computers.
  2. Verify that the SMS_Executive service has been restarted after any updates are installed.

Application catalog does not initialize

If the application catalog does not initialize, check the ServicePortalWebSite.svclog file for the following error entry: 


To resolve this issue, follow these steps:

  1. Verify that .NET Framework is updated and has strong cryptography enabled on all relevant computers.
  2. In the C:\Windows\System32\InetSrv folder of the application catalog server, create a w3wp.exe.config file that has the following content:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <runtime>
        <AppContextSwitchOverrides value="Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false;Switch.System.Net.DontEnableSchUseStrongCrypto=false" />
      </runtime>
    </configuration>

    Note This is the default file that would be created if the application was built by using .NET Framework 4.6.3.
  3. Use HTTPS transport security for Application Catalog roles.

    Note When you use HTTP message security for Application Catalog roles, WCF is hard-coded to use SSL 3.0 and TLS 1.0 only. This prevents the use of TLS 1.2.
  4. If any changes were made, restart the computer.

Software Center or browser does not communicate with Application Catalog

To resolve communication failures between Application Catalog and Software Center or the browser, verify the following conditions:

  • .NET Framework is updated and has strong cryptography enabled on each computer.
  • The browser is configured to support TLS 1.2. (Prior to Windows 10, this option was disabled by default.)
  • All computers were restarted after the changes were made.

Service Connection Point upload failures

If the Service Connection Point does not upload data to SCCMConnectedService, verify that .NET Framework is updated and has strong cryptography enabled on each computer. Remember to restart the computers after the changes are made.

Admin Console displays Intune onboarding dialog box

If the Intune onboarding dialog box appears when the Admin Console tries to connect to the Intune portal, verify that .NET Framework is updated and has strong cryptography enabled on each computer.  Remember to restart the computers after the changes are made.

WSUS communication failures

To resolve WSUS communication failures in Windows Server 2012 and Windows Server 2012 R2, apply the following update on the WSUS server:

  • For a WSUS server that's running Windows Server 2012, apply update 4022721 or a later update.
  • For a WSUS server that's running Windows Server 2012 R2, apply update 4022720 or a later update.