How to enable TLS 1.2 for Configuration Manager

Applies to: System Center Configuration ManagerSystem Center Configuration Manager (current branch - version 1702)

Summary

This article describes how to enable TLS 1.2 for Microsoft System Center Configuration Manager. This description includes individual components, update requirements for commonly-used Configuration manager features, and high-level troubleshooting information for common problems.

Introduction

Multiple vulnerabilities have been identified in older communication protocols, such as SSL 3.0, TLS 1.0, and TLS 1.1. For the best results, enable TLS 1.2 for more secure communications.
Configuration Manager relies on many different components for secure communication. The protocol that's used for a given connection depends on the capabilities of all the required components. If one component is out-of-date, the communication may use an older, less secure protocol.  
To correctly enable Configuration Manager to support TLS 1.2, you have to enable TLS 1.2 for all required components. The specifically required components depends on your environment and the Configuration Manager features that you use.

To learn more about TLS and why it’s important to enable TLS 1.2, see RFC 5246.

More information

To enable TLS 1.2, you must first enable TLS 1.2 as a security provider for each computer that is running or interacting with Configuration Manager, and then enable TLS 1.2 for components that Configuration Manager depends on for secure communication.

Enable the TLS 1.2 protocol as a security provider

Verify the "\SecurityProviders\SCHANNEL\Protocols" registry subkey setting, as shown in Transport Layer Security (TLS) best practices with the .NET Framework.

Note TLS 1.2 is enabled by default. Therefore, no change to these keys is required to enable it. You can make changes under Protocols to disable TLS 1.0 and TLS 1.1 after you have followed the rest of the guidance in this article, and you have verified that the environment works by having only TLS 1.2 enabled.

Enable TLS 1.2 for dependent components that Configuration Manager depends on for secure communication

The following sections provide detailed information, downloads, and background information, as required.

Update .NET Framework to support TLS 1.2
Update SQL Server and client components
Update Windows and WinHTTP on Windows 8.0, Windows Server 2012 R2 and earlier
Update Windows Server Update Services (WSUS)

Update .NET Framework to support TLS 1.2

To update .NET Framework to support TLS 1.2, first determine your .NET version number. (For help, see How to determine which versions and service pack levels of the Microsoft .NET Framework are installed.)

Earlier versions of .NET Framework may require updates or registry changes to enable strong cryptography. Use these guidelines:

  • .NET Framework 4.6.2 supports TLS 1.1 and TLS 1.2.  No additional changes are required.
  • .NET Framework 4.6 and earlier versions must be updated to support TLS 1.1 and TLS 1.2.

If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows RT 8.1, or Windows Server 2012, the relevant updates and details are also available from the Download Center.

  • All Configuration Manager client computers and site systems should have the following registry values set. SchUseStrongCrypto disables the RC4 stream cipher and requires a restart. To learn more about this setting, see Microsoft Security Advisory 296038.

For 32-bit applications that are running on 32-bit systems or 64-bit applications that are running on 64-bit systems, update the following subkey value:

HKEY_LOCAL_MACHINE\SOFTWARE\
   Microsoft\.NETFramework\v2.0.50727
      SystemDefaultTlsVersions"=dword:00000001
      SchUseStrongCrypto = (DWORD): 00000001

HKEY_LOCAL_MACHINE\SOFTWARE\
   Microsoft\.NETFramework\v4.0.30319
      SystemDefaultTlsVersions"=dword:00000001
      SchUseStrongCrypto"=dword:00000001

For 32-bit applications that are running on 64-bit systems, update the following subkey value:

HKEY_LOCAL_MACHINE\SOFTWARE\
   Wow6432Node\Microsoft\\.NETFramework\\v2.0.50727
      SystemDefaultTlsVersions"=dword:00000001
      SchUseStrongCrypto = (DWORD): 00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\
   WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
      SystemDefaultTlsVersions"=dword:00000001
      SchUseStrongCrypto"=dword:00000001


Update SQL Server and client components

Microsoft SQL Server 2016 supports TLS 1.1 and TLS 1.2.

Earlier versions and dependent libraries may require updates. For more information, see TLS 1.2 support for Microsoft SQL Server.

Note KB 3135244 also describes requirements for SQL Server client components. Update each component that's used in your environment.


Update Windows and WinHTTP

Windows 10, Windows 8.1, Windows Server 2016, and Windows Server 2012 R2 support TLS 1.2 for client-server communications over WinHTTP out of the box.

Windows 8.0, Windows Server 2012, and earlier versions of Windows did not enable TLS 1.1 or 1.2 by default for client-server communications through HTTPS. For these versions of Windows, you should install Update 3140245 to enable TLS 1.1 and TLS 1.2 as the default secure protocols in WinHTTP in Windows, and set the following registry values.

Verify that the DefaultSecureProtocols registry setting is 0xAA0, as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\
   \Microsoft\Windows\CurrentVersion\
      Internet Settings\WinHttp\
      DefaultSecureProtocols = (DWORD): 0xAA0

HKEY_LOCAL_MACHINE\SOFTWARE\
   Wow6432Node\Microsoft\Windows\CurrentVersion\
      Internet Settings\WinHttp\
      DefaultSecureProtocols = (DWORD): 0xAA0

Note This change requires a restart.


Update Windows Server Update Services (WSUS)

To support TLS 1.2 for client-server communications in WSUS on Windows Server 2012 and Windows Server 2012 R2, you must apply the following update on the WSUS server:

  • For WSUS server that's running Windows Server 2012, apply update 4022721 or a later update.
  • For WSUS server that's running Windows Server 2012 R2, apply update 4022720 or a later update.

Tasks required for Configuration Manager features and scenarios

This section describes the dependencies for specific Configuration Manager features and scenarios. To determine the next steps, locate the items that apply to your environment, and then verify the dependencies by using the steps that are provided in the "More information" section.

Feature or scenario Update tasks

Site servers (central, primary, or secondary)

Update .NET Framework, and verify strong cryptography settings.

SMS Provider

Update Microsoft SQL Server and its client components as appropriate for each SMS provider.

Site system roles

Update .NET Framework, and verify strong cryptography settings.

Update SQL Server and its client components.

Service connection point
application catalog

Update .NET Framework, and verify strong cryptography settings.

SRS reporting point

Update .NET Framework on the site server and the SRS servers. Restart the SMS_Executive service as necessary.

Admin console

Update .NET Framework, and verify strong cryptography settings.

SCCM client with HTTPS site system roles

Update Windows to support TLS 1.2 for client-server communications by using WinHTTP.

Software Center

Update .NET Framework, and verify strong cryptography settings.

Software Update Point

Update WSUS.
Management Points

Update to the latest SQL Server native client to enable Configuration Manager to talk to the latest TLS 1.2-enabled SQL Server components. See the "Client component downloads" table in TLS 1.2 support for Microsoft SQL Server.

Known issues

This section provides advice for common issues that occur when you enable TLS 1.2 support.
 

FIPS security policy enabled

If the FIPS security policy setting is enabled for either the client or a server, Secure Channel (Schannel) negotiation can cause TLS 1.0 to be used even if the protocol is disabled using the registry.

To investigate, enable Secure Channel event logging, and then review Schannel events in the system log. For related information, see How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
 

SQL Server communication failure

If SQL Server communication fails and returns an "SslSecurityError" error, verify the following:

  • .NET Framework is updated and has strong cryptography enabled on each machine.
  • SQL Server is updated on the host server.
  • SQL client components are updated on the site servers, SMS provider, site role servers, and all other systems that communicate with SQL server.


Configuration Manager client communication failures

If Configuration Manager client does not communicate with site role endpoints (such as distribution points, management points, and state migration points), verify that Windows has been updated to support TLS 1.2 for client-server communication by using WinHTTP.


SRS Reporting Point fails and returns an expected error

If the SRS Reporting Point does not configure reports, check SRSRP.log for the following error entry:


To resolve this issue, follow these steps:

  1. Verify that .NET Framework is updated and has strong cryptography enabled on all relevant computers.
  2. Verify that the SMS_Executive service has been restarted after any updates are installed.


Application catalog does not initialize

If the application catalog does not initialize, check the ServicePortalWebSite.svclog file for the following error entry: 


To resolve this issue, follow these steps:

  1. Verify that .NET Framework is updated and has strong cryptography enabled on all relevant computers.
  2. In the C:\Windows\System32\InetSrv folder of the application catalog server, create a W2SP.exe.config file by running the following script: 
    <?xml version="1.0" encoding="utf-8" ?><configuration>  <runtime>  <AppContextSwitchOverrides value="Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false;Switch.System.Net.DontEnableSchUseStrongCrypto=false" />  </runtime></configuration>

    Note This is the default file that would be created if the application was built by using .NET Framework 4.6.3.
  3. Use HTTPS transport security for Application Catalog roles.

    Note When you use HTTP message security for Application Catalog roles, WCF is hard-coded to use SSL 3.0 and TLS 1.0 only. This prevents the use of TLS 1.2.
  4. If any changes were made, restart the computer.


Software Center or browser does not communicate with Application Catalog

To resolve communication failures between Application Catalog and Software Center or the browser, verify the following conditions:

  • .NET Framework is updated and has strong cryptography enabled on each computer.
  • The browser is configured to support TLS 1. (Prior to Windows 10, this option was disabled by default.)
  • All computers were restarted after the changes were made.


Service Connection Point upload failures

If the Service Connection Point does not upload data to SCCMConnectedService, verify that .NET Framework is updated and has strong cryptography enabled on each computer. Remember to restart the computers after the changes are made.


Admin Console displays Intune onboarding dialog box

If the Intune onboarding dialog box appears when the Admin Console tries to connect to the Intune portal, verify that .NET Framework is updated and has strong cryptography enabled on each computer.  Remember to restart the computers after the changes are made.


Admin Console displays failure to sign in to Azure

If the Azure Services onboarding dialog box immediately fails after you click “Sign in” when you try to create Azure AD applications, verify that .NET Framework is updated and that strong cryptography is enabled. A restart is required for these changes to take effect.


WSUS communication failures

To resolve WSUS communication failures in Windows Server 2012 and Windows Server 2012 R2, apply the following update on the WSUS server:

  • For WSUS server that's running Windows Server 2012, apply update 4022721 or a later update.
  • For WSUS server that's running Windows Server 2012 R2, apply update 4022720 or a later update.