Microsoft has recently started blocking TLS 1.0 and 1.1 in the PowerShell APIs for Azure AD and Exchange Online.
As a result, applications connecting with TLS 1.0 or TLS 1.1 may start to fail.
To many admins, it comes as a surprise that even though their operating system supports TLS 1.2, it may not be the default protocol used by their system (and applications).
To ensure your applications start using TLS 1.2, you’ll need to cover three steps:
- Does your OS support TLS 1.2?
- Is TLS 1.2 enabled in your OS?
- Is TLS 1.2 the default protocol for your applications?
(in most cases, the third step is the culprit)
Continue reading for more details on these three steps.
1. Windows Support for TLS 1.2
The first step in enabling TLS 1.2 is to make sure the operating system supports it.
Windows 8.1, Windows Server 2012 R2, and later versions support TLS 1.2 natively and use it by default.
Windows 7, Windows Server 2008 R2, and Windows Server 2012 implement TLS 1.2 in Schannel as well, but WinHTTP (used by many management tools and scripts) does not use it by default. On these systems, install update KB3140245 first and then set the following registry value (the Wow6432Node copy covers 32-bit applications on 64-bit Windows):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
DefaultSecureProtocols = (DWORD): 0xAA0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
DefaultSecureProtocols = (DWORD): 0xAA0
The value is a bitmask: 0x20 = SSL 3.0, 0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2. Note that 0xAA0 therefore enables SSL 3.0 alongside TLS 1.0, 1.1, and 1.2. Unless something still depends on SSL 3.0, prefer 0xA80 (TLS 1.0, 1.1, and 1.2) or 0x800 (TLS 1.2 only).
2. Enable TLS 1.2 in the Operating System
Once you have verified that the system supports TLS 1.2, make sure it is enabled in Schannel.
On Windows 8.1, Windows Server 2012 R2, and later, TLS 1.2 is enabled by default, so this step only changes anything if the protocol was disabled by policy or by an earlier hardening script. On older systems, and wherever you want the setting to be explicit, configure the following registry keys. The Client subkey governs outgoing connections (which is what your .NET applications use); the Server subkey governs incoming connections. Schannel picks the change up after a restart:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
3. Set TLS 1.2 as Default in the .NET Framework
It is best practice for .NET Framework applications to follow the protocol defaults configured in the operating system (Schannel). This gives system admins complete control of TLS protocol selection in applications without requiring code changes.
Older .NET Framework versions do not behave that way out of the box, however: unless SystemDefaultTlsVersions is set, an application uses .NET's own built-in defaults, which depend on the framework version the application was built against and, for older targets, amount to SSL 3.0 and TLS 1.0. That is why, even though the installed .NET Framework supports TLS 1.2, your .NET applications may still connect to servers with TLS 1.0 or TLS 1.1.
You make .NET Framework applications follow the system defaults with the registry keys below. These are read when an application starts, so restart the application afterwards. On 64-bit Windows, 32-bit applications read the same value names under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ instead, so set them there as well:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
Always ensure you are up to date with the latest version of the .NET Framework:
.NET Framework 4.6.2 and later honour these settings natively. .NET Framework 4.5.1, 4.5.2, and 4.6 can do so with updates from Microsoft. Check your version here if in doubt.
Consolidated AD and Office 365 Management with TLS 1.2 Support
Easy365Manager is a snap-in to Active Directory Users & Computers that integrates Office 365 management with your daily AD management.
This unique approach has helped hundreds of companies worldwide to become more productive.
Additionally, Easy365Manager can help you eliminate Exchange on-premises without having to depend on gruesome PowerShell scripting for daily management.
Easy365Manager takes only a couple of minutes to install and configure, and it doesn’t make any changes to your infrastructure.
With a 30-day fully-functional trial, there is practically no downside to trying it out.
With Easy365Manager, you can even perform many tasks that normally require PowerShell, such as delegating calendar permissions.
You’ll find a complete feature list here.