Summary
Introduction
To learn more about TLS and why it’s important to enable TLS 1.2, see RFC 5246.
Note
The information in this article applies to Configuration Manager current branch, version 1702 with the Update Rollup (KB 4019926) applied, or higher versions.
More Information
Enable the TLS 1.2 protocol as a security provider
To enable TLS 1.2, you must first enable TLS 1.2 as a security provider for each computer that is running or interacting with Configuration Manager.
To do this, configure the "\SecurityProviders\SCHANNEL\Protocols" registry subkey setting as shown in TLS/SSL Settings.
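The following PowerShell is an added example, not part of the article: it creates the Client and Server subkeys for TLS 1.2 under the SCHANNEL\Protocols path named above and sets the two values (Enabled and DisabledByDefault) that Schannel reads for each protocol, then reads them back so you can confirm the result. The full HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols path and the value names are the standard Windows locations, not something the article spells out. Run it elevated; the change takes effect after a restart.

```powershell
# Added example (not from the article): enable TLS 1.2 as a Schannel security
# provider for both the client and server side on the local computer.
$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Enable-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol   # subkey name, e.g. 'TLS 1.2'
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $protocolsRoot $Protocol) $side
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Enabled=1 makes the protocol available; DisabledByDefault=0 lets Schannel
        # offer it without the application having to opt in explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $protocolsRoot $Protocol) $side
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            Enabled           = $props.Enabled            # $null means the key is absent
            DisabledByDefault = $props.DisabledByDefault
        }
    }
}

Enable-SchannelProtocol -Protocol 'TLS 1.2'
Get-SchannelProtocolState -Protocol 'TLS 1.2' | Format-Table -AutoSize
```

A missing key shows up as blank Enabled and DisabledByDefault columns in the output, which is the state you want to catch before assuming a computer already negotiates TLS 1.2.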
Enable TLS 1.2 for dependent components
This section describes how to enable TLS 1.2 for components that Configuration Manager depends on for secure communication. Additional links provide detailed information, downloads, and background information as required.
- Update the .NET Framework
To update the .NET Framework to support TLS 1.2, first determine your .NET version number. (For help, see KB 318785.)
Earlier versions of the .NET Framework may require updates or registry changes to enable strong cryptography. Use these guidelines:
- The .NET Framework 4.6.2 supports TLS 1.1 and TLS 1.2. No further changes are needed.
- The .NET Framework 4.6 and earlier versions must be updated to support TLS 1.1 and TLS 1.2.
If you're using the .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows RT 8.1, or Windows Server 2012, the relevant updates and details are also available from the Download Center.
- The .NET Framework 4.6.1 and earlier versions must be configured to support strong cryptography. Set the SchUseStrongCrypto registry setting to DWORD:00000001. This disables the RC4 stream cipher and requires a restart. To learn more about this setting, see Microsoft Security Advisory 296038.
For 32-bit applications on 32-bit systems or 64-bit applications on 64-bit systems, update the following subkey value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\<version>
SchUseStrongCrypto = (DWORD): 00000001
For 32-bit applications that are running on x64-based systems, update the following subkey value:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\<version>
SchUseStrongCrypto = (DWORD): 00000001
Do this for each version of the .NET Framework that's older than 4.6.2 and is currently used in your environment.
- Update SQL Server and client components
Microsoft SQL Server 2016 supports TLS 1.1 and TLS 1.2.
Earlier versions and dependent libraries may require updates. For more information, see KB 3135244.
Note KB 3135244 also describes requirements for SQL Server client components. Update each component that's used in your environment.
- Update Windows and WinHTTP
Microsoft Windows 10 and Windows Server 2016 support TLS 1.2 for client-server communications by using WinHTTP.
Earlier versions of Windows did not enable TLS 1.1 or 1.2 by default for client-server communications through WinHTTP. Depending on your currently installed updates, you may have to change the default secure protocol that's used in these environments. For more information, see KB 3140245.
Verify that the DefaultSecureProtocols registry setting is 0xAA0, as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
DefaultSecureProtocols = (DWORD): 0xAA0
Note This change requires a restart.
- Update Windows Server Update Services (WSUS)
To support TLS 1.2 for client-server communications in WSUS on Windows Server 2012 and Windows Server 2012 R2, you must apply the following update on the WSUS server:
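The following PowerShell is an added example, not part of the article, that audits two of the dependent-component settings described above on the local computer: it walks every .NET Framework version key under both the native and Wow6432Node hives and reports whether SchUseStrongCrypto is 1, and it decodes the WinHTTP DefaultSecureProtocols bitmask into protocol names so you can see which protocols are actually enabled rather than comparing a hex constant by eye. The registry paths are the ones given in the article; the protocol bit values (0x008 SSL 2.0, 0x020 SSL 3.0, 0x080 TLS 1.0, 0x200 TLS 1.1, 0x800 TLS 1.2) are the ones KB 3140245 defines, so 0xAA0 decodes to SSL 3.0 plus TLS 1.0, 1.1 and 1.2. The script is read-only unless you pass -Remediate, which writes the values the article specifies; run it elevated and restart afterwards.

```powershell
# Added example (not from the article): audit .NET strong-cryptography and
# WinHTTP protocol settings on the local computer; -Remediate writes the
# values the article specifies.
param([switch]$Remediate)

$netRoots = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
)
$winHttpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'

# Bits of DefaultSecureProtocols (KB 3140245); 0xAA0 = SSL 3.0 + TLS 1.0 + TLS 1.1 + TLS 1.2.
$protocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Test-DotNetStrongCrypto {
    foreach ($root in $netRoots) {
        if (-not (Test-Path $root)) { continue }
        # Version subkeys look like v2.0.50727 and v4.0.30319 (the latter covers all 4.x).
        foreach ($verKey in Get-ChildItem -Path $root | Where-Object { $_.PSChildName -like 'v*' }) {
            $value = (Get-ItemProperty -Path $verKey.PSPath -ErrorAction SilentlyContinue).SchUseStrongCrypto
            if ($Remediate -and $value -ne 1) {
                New-ItemProperty -Path $verKey.PSPath -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
                $value = 1
            }
            [pscustomobject]@{
                Key                = $verKey.PSPath -replace '^.*::', ''   # strip the provider prefix
                SchUseStrongCrypto = $value                                # $null = value not set
                Compliant          = ($value -eq 1)
            }
        }
    }
}

function Test-WinHttpProtocols {
    $raw = (Get-ItemProperty -Path $winHttpKey -ErrorAction SilentlyContinue).DefaultSecureProtocols
    $enabled = @()
    foreach ($name in $protocolBits.Keys) {
        if ($raw -and ($raw -band $protocolBits[$name])) { $enabled += $name }
    }
    if ($Remediate -and -not ($raw -band $protocolBits['TLS 1.2'])) {
        if (-not (Test-Path $winHttpKey)) { New-Item -Path $winHttpKey -Force | Out-Null }
        New-ItemProperty -Path $winHttpKey -Name 'DefaultSecureProtocols' -PropertyType DWord -Value 0xAA0 -Force | Out-Null
        $raw = 0xAA0
    }
    [pscustomobject]@{
        DefaultSecureProtocols = if ($null -eq $raw) { 'not set (OS default applies)' } else { '0x{0:X}' -f $raw }
        EnabledProtocols       = ($enabled -join ', ')
        Tls12Enabled           = [bool]($raw -band $protocolBits['TLS 1.2'])
    }
}

Test-DotNetStrongCrypto | Format-Table -AutoSize
Test-WinHttpProtocols   | Format-List
```

A missing DefaultSecureProtocols value is reported as "not set" rather than as zero, because on the older Windows versions this section covers the absence of the value means WinHTTP falls back to its built-in default (SSL 3.0 and TLS 1.0), which is exactly the case the article tells you to fix.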
Tasks required for Configuration Manager features and scenarios
This section describes the dependencies for specific Configuration Manager features and scenarios. To determine the next steps, locate the items that apply to your environment, and then verify the dependencies by using the steps that are provided in the "More Information" section.
| Feature or scenario | Update tasks |
| --- | --- |
| Site servers (central, primary, or secondary) | Update the .NET Framework, and verify strong cryptography settings. |
| SMS Provider | Update Microsoft SQL Server and its client components as appropriate for each SMS provider. |
| Site system roles | Update the .NET Framework, and verify strong cryptography settings. Update SQL Server and its client components. |
| Service connection point | Update the .NET Framework, and verify strong cryptography settings. |
| SRS reporting point | Update the .NET Framework on the site server and the SRS servers. Restart the SMS_Executive service as necessary. |
| Admin console | Update the .NET Framework, and verify strong cryptography settings. |
| SCCM client with HTTPS site system roles | Update Windows to support TLS 1.2 for client-server communications by using WinHTTP. |
| Software Center | Update the .NET Framework, and verify strong cryptography settings. |
| Software Update Point | Update WSUS. |
Known issues
This section provides advice for common issues that occur when you enable TLS 1.2 support.
FIPS security policy enabled
If the FIPS security policy setting is enabled for either the client or a server, Secure Channel (Schannel) negotiation can cause TLS 1.0 to be used even if the protocol is disabled using the registry.
To investigate, enable Secure Channel event logging, and then review Schannel events in the system log. For related information, see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
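The following PowerShell is an added example, not part of the article, for the investigation step just described: it reports whether the FIPS policy is enabled, turns on Schannel event logging, and pulls recent Schannel events from the System log, filtering to the IDs that indicate a failed negotiation. The FipsAlgorithmPolicy key, the SCHANNEL\EventLogging value (a bitmask where 1 logs errors, 2 warnings and 4 informational events) and the event IDs 36874 (no common protocol or cipher suite), 36887 (fatal alert received) and 36888 (fatal alert sent) are standard Windows locations and IDs, not values taken from the article. Run it elevated.

```powershell
# Added example (not from the article): check FIPS policy, enable Schannel
# logging, and list recent Schannel negotiation failures from the System log.
$fipsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-FipsPolicyState {
    $enabled = (Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{ FipsPolicyEnabled = ($enabled -eq 1) }
}

function Enable-SchannelEventLogging {
    # EventLogging bitmask: 1 = errors, 2 = warnings, 4 = informational; 7 logs everything.
    param([ValidateSet(1, 3, 7)][int]$Level = 7)
    New-ItemProperty -Path $schannelKey -Name 'EventLogging' -PropertyType DWord -Value $Level -Force | Out-Null
    # A restart may be needed before the new level applies to every process.
}

function Get-SchannelEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split '\r?\n')[0] } }   # first line only
}

Get-FipsPolicyState
Enable-SchannelEventLogging -Level 7

# 36874 = client and server share no protocol/cipher suite; 36887/36888 = fatal alert received/sent.
$negotiationFailureIds = 36874, 36887, 36888
Get-SchannelEvents -Hours 24 |
    Where-Object { $_.Id -in $negotiationFailureIds } |
    Format-Table -AutoSize
```

If FipsPolicyEnabled is True and the filtered list shows 36874 events, the fallback to TLS 1.0 that the paragraph above describes is the first thing to rule out; once the investigation is done, set EventLogging back to 1 so the System log is not flooded with informational events.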
SQL Server communication failure
If SQL Server communication fails and returns an "SslSecurityError" error, verify the following:
- The .NET Framework is updated and has strong cryptography enabled on each machine.
- SQL Server is updated on the host server.
- SQL client components are updated on the site servers, SMS provider, site role servers, and all other systems that communicate with SQL Server.
Configuration Manager client communication failures
If the Configuration Manager client does not communicate with site role endpoints (such as distribution points, management points, and state migration points), verify that Windows has been updated to support TLS 1.2 for client-server communication by using WinHTTP.
SRS Reporting Point fails and returns an unexpected error
If the SRS Reporting Point does not configure reports, check SRSRP.log for the following error entry:
The underlying connection was closed: An unexpected error occurred on a receive.
To resolve this issue, follow these steps:
- Verify that the .NET Framework is updated and has strong cryptography enabled on all relevant computers.
- Verify that the SMS_Executive service has been restarted after any updates are installed.
Application catalog fails to initialize
If the application catalog does not initialize, check the ServicePortalWebSite.svclog file for the following error entries:
SOAP security negotiation failed. The client and server cannot communicate, because they do not possess a common algorithm.
To resolve this issue, follow these steps:
- Verify that the .NET Framework is updated and has strong cryptography enabled on all relevant computers.
- In the C:\Windows\System32\InetSrv folder of the application catalog server, create a W2SP.exe.config file that contains the following XML:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <runtime>
    <AppContextSwitchOverrides value="Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false;Switch.System.Net.DontEnableSchUseStrongCrypto=false" />
  </runtime>
</configuration>
Note This is the default file that would be created if the application was built by using the .NET Framework 4.6.3.
- Use HTTPS transport security for Application Catalog roles.
Note When you use HTTP message security for Application Catalog roles, WCF is hard-coded to use SSL 3.0 and TLS 1.0 only. This prevents the use of TLS 1.2.
- If any changes were made, restart the computer.
Software Center or Browser fails to communicate with Application Catalog
To resolve communication failures between Application Catalog and Software Center or the browser, verify that:
- The .NET Framework is updated and has strong cryptography enabled on each computer.
- The browser is configured to support TLS 1.2. (Prior to Windows 10, this option was disabled by default.)
- All computers were restarted after the changes were made.
Service Connection Point upload failures
If the Service Connection Point does not upload data to SCCMConnectedService, verify that the .NET Framework is updated and has strong cryptography enabled on each computer. Remember to restart the computers after the changes are made.
Admin Console displays Intune onboarding dialog box
If the Intune onboarding dialog box appears when the Admin Console tries to connect to the Intune portal, verify that the .NET Framework is updated and has strong cryptography enabled on each computer. Remember to restart the computers after the changes are made.
WSUS communication failures
To resolve WSUS communication failures in Windows Server 2012 and Windows Server 2012 R2, apply the following update on the WSUS server: