Steps to disable TLS 1.0 and 1.1 on MBAM servers and force the use of TLS 1.2
This article describes the steps to disable the Transport Layer Security (TLS) 1.0 and 1.1 on the Microsoft BitLocker Administration and Monitoring (MBAM) servers and force the use of TLS 1.2.
Applies to: Windows 10 – all editions, Windows Server 2012 R2
Original KB number: 4558055
Symptoms
Microsoft is planning to disable older TLS protocols, in preparation for disabling TLS 1.0 and TLS 1.1 by default. See Plan for change: TLS 1.0 and TLS 1.1 soon to be disabled by default.
For enterprise customers, it may require disabling TLS 1.0 and 1.1 in their environment for Microsoft BitLocker Administration and Monitoring (MBAM) Infrastructure.
Resolution
Follow these steps to disable TLS 1.0 and 1.1 on MBAM servers, and force the use of TLS 1.2.
Download and install the latest available version of Microsoft .NET Framework on all MBAM servers that are:
- Web Servers running IIS roles
- SQL Servers running SQL Server database Engine, and SQL Server Reporting Services
Refer to: Microsoft .NET Framework 4.8 offline installer for Windows
Execute the PowerShell scripts below. They're used to disable TLS 1.0 and 1.1, and force the use only TLS 1.2.
Reboot the servers, then test the MBAM web applications. Confirm that the MBAM clients can communicate with the server to back up recovery information.
<Tighten_DotNet.PS1>
#Tighten up the .NET Framework
$NetRegistryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null
$NetRegistryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null
<Force_TLS1.2.PS1>
$ProtocolList = @("SSL 2.0","SSL 3.0","TLS 1.0", "TLS 1.1", "TLS 1.2")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault = "DisabledByDefault"
$Enabled = "Enabled"
$registryPath = "HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"
foreach($Protocol in $ProtocolList)
{
Write-Host " In 1st For loop"
foreach($key in $ProtocolSubKeyList)
{
$currentRegPath = $registryPath + $Protocol + "\" + $key
Write-Host " Current Registry Path $currentRegPath"
if(!(Test-Path $currentRegPath))
{
Write-Host "creating the registry"
New-Item -Path $currentRegPath -Force | out-Null
}
if($Protocol -eq "TLS 1.2")
{
Write-Host "Working for TLS 1.2"
New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "1" -PropertyType DWORD -Force | Out-Null
}
else
{
Write-Host "Working for other protocol"
New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $currentRegPath -Name $Enabled -Value "0" -PropertyType DWORD -Force | Out-Null
}
}
}
Exit 0
More information
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for