Applies To:
GroupID 8.x
Business Scenario:
We would like to enforce GroupID to use TLS 1.2 because multiple vulnerabilities have been identified in older communication protocols, such as SSL 3.0, TLS 1.0, and TLS 1.1. For more secure communication, we require TLS 1.2.
Summary:
This article describes how to enable TLS 1.2 for Microsoft System Center Configuration Manager. The description includes individual components and update requirements for commonly used Configuration Manager features.
More Information:
Configuration Manager relies on different components for secure communication. The specifically required components depend on your environment and the Configuration Manager features that you use.
The protocol that's used for a given connection depends on the capabilities of all the required components. If one component is out-of-date, the communication may use an older, less secure protocol.
To correctly enable Configuration Manager to support TLS 1.2, you have to enable TLS 1.2 for all the required components.
To learn more about TLS and why it’s important to enable TLS 1.2, see RFC 5246.
| Note: | The information in this article applies to Configuration Manager current branch, version 1702 with the Update Rollup (KB 4019926) applied, and higher versions. |
Steps:
Enable the TLS 1.2 protocol as a security provider
To enable TLS 1.2, you must first enable TLS 1.2 as a security provider for each computer that is running or interacting with Configuration Manager.
To do this, configure the "\SecurityProviders\SCHANNEL\Protocols" registry subkey setting as shown in TLS/SSL Settings.
Enable TLS 1.2 for dependent components
This section describes how to enable TLS 1.2 for components that Configuration Manager depends on for secure communication. Additional links provide detailed information, downloads, and background information as required.
1 - Update the .NET Framework
To update the .NET Framework to support TLS 1.2, first determine your .NET version number. (For help, see KB 318785.)
Earlier versions of the .NET Framework may require updates or registry changes to enable strong cryptography. Use these guidelines:
- .NET Framework 4.6.2 supports TLS 1.1 and TLS 1.2. No further changes are needed.
- .NET Framework 4.6 and earlier versions must be updated to support TLS 1.1 and TLS 1.2.
If you're using the .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows RT 8.1, or Windows Server 2012, the relevant updates and details are also available in the Download Center.
-
.NET Framework 4.6.1 and earlier versions must be configured to support strong cryptography. Set the SchUseStrongCrypto registry setting to DWORD:00000001. This disables the RC4 stream cipher and requires a restart. To learn more about this setting, see Microsoft Security Advisory 296038.
For 32-bit applications on 32-bit systems or 64-bit applications on 64-bit systems, update the following subkey value:
HKEY_LOCAL_MACHINE\SOFTWARE\
\Microsoft\.NETFramework\\version\
SchUseStrongCrypto = (DWORD): 00000001
For 32-bit applications that are running on x64-based systems, update the following subkey value:
HKEY_LOCAL_MACHINE\SOFTWARE\
Wow6432Node\Microsoft\\.NETFramework\\version\
SchUseStrongCrypto = (DWORD): 00000001
Do this for each version of the .NET Framework that's older than 4.6.2 and is currently used in your environment.
2 - Update SQL Server and client components
Microsoft SQL Server 2016 supports TLS 1.1 and TLS 1.2.
Earlier versions and dependent libraries may require updates. For more information, see KB 3135244.
| Note: | KB 3135244 also describes requirements for SQL Server client components. Update each component that's used in your environment. |
3 - Update Windows and WinHTTP
Microsoft Windows 10 and Windows Server 2016 support TLS 1.2 for client-server communications by using WinHTTP.
Earlier versions of Windows did not enable TLS 1.1 or 1.2 by default for client-server communications through WinHTTP. Depending on your currently installed updates, you may have to change the default secure protocol that's used in these environments. For more information, see KB 3140245.
Verify that the DefaultSecureProtocols registry setting is 0xAA0, as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\
\Microsoft\Windows\CurrentVersion\
Internet Settings\WinHttp\
DefaultSecureProtocols = (DWORD): 0xAA0
| Note: | This change requires a restart. |
4 - Update Windows Server Update Services (WSUS)
To support TLS 1.2 for client-server communications in WSUS on Windows Server 2012 and Windows Server 2012 R2, you must apply the following update on the WSUS server:
- For WSUS server that's running Windows Server 2012, apply update 4022721 or a later update.
- For WSUS server that's running Windows Server 2012 R2, apply update 4022720 or a later update.
Tasks required for Configuration Manager features and scenarios:
This section describes the dependencies for specific Configuration Manager features and scenarios. To determine the next steps, locate the items that apply to your environment, and then verify the dependencies by using the steps that are provided in the Steps section.
| Feature or scenario | Update tasks |
| Site servers (central, primary, or secondary) | Update the .NET Framework and verify strong cryptography settings. |
| SMS Provider | Update Microsoft SQL Server and its client components as appropriate for each SMS provider. |
| Site system roles | Update the .NET Framework and verify strong cryptography settings. Update SQL Server and its client components. |
| Service connection point application catalog |
Update the .NET Framework and verify strong cryptography settings. |
| SRS reporting point | Update the .NET Framework on the site server and the SRS servers. Restart the SMS_Executive service as necessary. |
| Admin console | Update the .NET Framework and verify strong cryptography settings. |
| SCCM client with HTTPS site system roles | Update Windows to support TLS 1.2 for client-server communications by using WinHTTP. |
| Software Center | Update the .NET Framework and verify strong cryptography settings. |
| Software Update Point | Update WSUS. |