09/03/2022, 16:29 Enable Transport Layer Security (TLS) 1.2 overview - Configuration Manager | Microsoft Docs

How to enable TLS 1.2


Article • 11/25/2021 • 5 minutes to read • 4 contributors  

In this article
Enabling TLS 1.2
Tasks for Configuration Manager clients, site servers, and remote site systems
Features and scenario dependencies
Frequently asked questions
Additional resources
Next steps

Applies to: Configuration Manager (Current Branch)

Transport Layer Security (TLS), like Secure Sockets Layer (SSL), is an encryption protocol intended to keep data secure when being
transferred over a network. These articles describe steps required to ensure that Configuration Manager secure communication uses
the TLS 1.2 protocol. These articles also describe update requirements for commonly used components and troubleshooting common
problems.

Enabling TLS 1.2


Configuration Manager relies on many different components for secure communication. The protocol that's used for a given
connection depends on the capabilities of the relevant components on both the client and server side. If any component is out-of-
date or not properly configured, the communication might use an older, less secure protocol. To correctly enable Configuration
Manager to support TLS 1.2 for all secure communications, you must enable TLS 1.2 for all required components. The required
components depend on your environment and the Configuration Manager features that you use.

Important

Start this process with the clients, especially previous versions of Windows. Before enabling TLS 1.2 and disabling the older
protocols on the Configuration Manager servers, make sure that all clients support TLS 1.2. Otherwise, the clients can't
communicate with the servers and can be orphaned.

Tasks for Configuration Manager clients, site servers, and remote site systems
To enable TLS 1.2 for components that Configuration Manager depends on for secure communication, you'll need to do multiple tasks
on both the clients and the site servers.

Enable TLS 1.2 for Configuration Manager clients


Update Windows and WinHTTP on Windows 8.0, Windows Server 2012 (non-R2) and earlier
Ensure that TLS 1.2 is enabled as a protocol for SChannel at the OS level
Update and configure the .NET Framework to support TLS 1.2

Enable TLS 1.2 for Configuration Manager site servers and remote site systems

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the OS level
Update and configure the .NET Framework to support TLS 1.2
Update SQL Server and the SQL Server Native Client
Update Windows Server Update Services (WSUS)
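A read-only audit of the settings those tasks refer to, added here as an example (it is not code from the Microsoft Docs article). It assumes the standard Windows SChannel protocol registry keys and the .NET Framework 4.x SchUseStrongCrypto and SystemDefaultTlsVersions values, and only reports them, so it can be run on a client or site system before anything is changed:

```powershell
# Added read-only audit, not code from the Microsoft Docs article. Registry paths are the
# Windows SChannel protocol keys and the .NET Framework 4.x strong-cryptography values;
# an absent value means the OS or framework default applies (nothing is written).

$schannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',             # 64-bit .NET 4.x
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'  # 32-bit .NET 4.x on x64
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value is absent so the caller can report "default".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Format-Value($Value) { if ($null -eq $Value) { 'not set (default)' } else { $Value } }

$rows = @()
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $key = "$schannelRoot\$proto\$side"
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $rows += [pscustomobject]@{
                Component = "SChannel $proto $side"
                Setting   = $name
                Value     = Format-Value (Get-RegValue $key $name)
            }
        }
    }
}
foreach ($key in $dotnetKeys) {
    if (-not (Test-Path $key)) { continue }   # this .NET 4.x flavour is not installed
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $rows += [pscustomobject]@{
            Component = ".NET 4.x ($key)"
            Setting   = $name
            Value     = Format-Value (Get-RegValue $key $name)
        }
    }
}
$rows | Format-Table -AutoSize

# Flag the two states the article cares about: TLS 1.2 explicitly disabled in SChannel,
# and .NET not explicitly told to use strong crypto / the OS protocol defaults.
$tls12Off = $rows | Where-Object { $_.Component -like 'SChannel TLS 1.2*' -and $_.Setting -eq 'Enabled' -and $_.Value -eq 0 }
$netWeak  = $rows | Where-Object { $_.Component -like '.NET*' -and $_.Value -ne 1 }
if ($tls12Off) { Write-Warning "TLS 1.2 explicitly disabled: $($tls12Off.Component -join ', ')" }
if ($netWeak)  { Write-Warning ".NET values not set to 1: $(($netWeak | ForEach-Object { "$($_.Component) $($_.Setting)" }) -join ', ')" }
```

Run it on every client before restricting protocols on the servers, since a client that reports TLS 1.2 disabled or .NET left at pre-4.6 defaults is one that the Important note above says can be orphaned.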

Features and scenario dependencies


This section describes the dependencies for specific Configuration Manager features and scenarios. To determine the next steps, locate
the items that apply to your environment.

Feature or scenario | Update tasks
Site servers (central, primary, or secondary) | - Update .NET Framework - Verify strong cryptography settings
Site database server | Update SQL Server and its client components
Secondary site servers | Update SQL Server and its client components to a compliant version of SQL Server Express
Site system roles | - Update .NET Framework and verify strong cryptography settings - Update SQL Server and its client components on roles that require it, including the SQL Server Native Client
Reporting services point | - Update .NET Framework on the site server, the SQL Server Reporting Services servers, and any computer with the console - Restart the SMS_Executive service as necessary
Software update point | Update WSUS
Cloud management gateway | Enforce TLS 1.2
Configuration Manager console | - Update .NET Framework - Verify strong cryptography settings
Configuration Manager client with HTTPS site system roles | Update Windows to support TLS 1.2 for client-server communications by using WinHTTP
Software Center | - Update .NET Framework - Verify strong cryptography settings
Windows 7 clients | Before you enable TLS 1.2 on any server components, update Windows to support TLS 1.2 for client-server communications by using WinHTTP. If you enable TLS 1.2 on server components first, you can orphan earlier versions of clients.

Frequently asked questions

Why use TLS 1.2 with Configuration Manager?


TLS 1.2 is more secure than the previous cryptographic protocols such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1. Essentially, TLS 1.2
keeps data being transferred across the network more secure.

Where does Configuration Manager use encryption protocols like TLS 1.2?
There are basically five areas in which Configuration Manager uses encryption protocols like TLS 1.2:

Client communications to IIS-based site server roles when the role is configured to use HTTPS. Examples of these roles include
distribution points, software update points, and management points.
Management point, SMS Executive, and SMS Provider communications with SQL. Configuration Manager always encrypts SQL
Server communications.
Site Server to WSUS communications if WSUS is configured to use HTTPS.
The Configuration Manager console to SQL Server Reporting Services (SSRS) if SSRS is configured to use HTTPS.
Any connections to internet-based services. Examples include the cloud management gateway (CMG), the service connection
point sync, and sync of update metadata from Microsoft Update.

What determines which encryption protocol is used?


HTTPS will always negotiate the highest protocol version that is supported by both the client and server in an encrypted conversation.
On establishing a connection, the client sends a message to the server with its highest available protocol. If the server supports the
same version, it sends a message using that version. This negotiated version is the one that is used for the connection. If the server
doesn't support the version presented by the client, the server message will specify the highest version it can use. For more
information about the TLS Handshake protocol, see Establishing a Secure Session by using TLS.

What determines which protocol version the client and server can use?
Generally, the following items can determine which protocol version is used:

The application can dictate which specific protocol versions to negotiate.
    Best practice dictates to avoid hard coding specific protocol versions at the application level and to follow the configuration
    defined at the component and OS protocol level.
    Configuration Manager follows this best practice.
For applications written using the .NET Framework, the default protocol versions depend on the version of the framework they
were compiled upon.
    .NET versions before 4.6.3 did not include TLS 1.1 and 1.2 in the list of protocols for negotiation, by default.
Applications that use WinHTTP for HTTPS communications, like the Configuration Manager client, depend on the OS version,
patch level, and configuration for protocol version support.

Additional resources
Cryptographic controls technical reference
Transport layer security (TLS) best practices with the .NET Framework
KB 3135244: TLS 1.2 support for Microsoft SQL Server

Next steps
Enable TLS 1.2 on clients
Enable TLS 1.2 on the site servers
