Unable to disable TLS 1.0 completely

  • Question


  • I was following the guide https://docs.microsoft.com/en-us/skypeforbusiness/manage/topology/disable-tls-1.0-1.1
    TLS was disabled on all FE and backend SQLs, except Edge. But some of the FE services communicate with Edge servers in TLS 1.0. Running on Windows Server 2019. Latest updates and patches are installed.
    Tuesday, December 10, 2019 1:14 PM

All replies

  • Hi Tarique A!

    In my research, we recommend you consider the prerequisites when disabling TLS1.0 on Edge Servers.

    1. Check whether your Edge Server supports disabling TLS 1.0.
    2. Make sure you have completed all prerequisites and updated Skype for Business Servers.
    3. Ensure your registry is complete.

    For more details about disabling TLS1.0 in Skype for Business 2015, please refer to:

    https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Disabling-TLS-1-0-1-1-in-Skype-for-Business-Server-2015-Part-1/ba-p/621485

    Best Regards,
    Jimmy Yang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, December 11, 2019 11:24 AM
  • All prerequisite via registry entry were added as per recommendations.

    Customer is unable to disable TLS 1.0 on the Edge due to federation.

    Wednesday, December 18, 2019 2:22 PM
  • Hi Tarique A!

    Thank you for your timely update on this case!

    Do you have any relevant error messages?

    In my experience, you could try to disable the federation then disable TLS1.0 again. Run the command:

    Set-CsAccessEdgeConfiguration -AllowFederatedUsers $false

    For more details about enabling and disabling federation in Skype for Business, you can refer to:

    https://social.technet.microsoft.com/Forums/lync/en-US/ca251d6c-c03d-44d3-a534-86f56e054618/unable-to-disable-tls-10-completely?forum=sfbfr

    Best Regards,
    Jimmy Yang

    Friday, December 20, 2019 12:06 PM
  • We have Windows server 2019, Skype server 2019 on prem, Updated to CU1 September patch.



    We will not disable TLS1.0 on the Skype Edge 2019 

    Monday, December 23, 2019 4:55 PM

  • We have Windows server 2019, Skype server 2019 on prem, Updated to CU1 September patch.

    We are not able to disable TLS 1.0 on the Edge due to federation.


    Is it possible to disable TLS1.0 completely on FE?



    We are not able to disable TLS 1.0 on the Edge due to federation. TLS was disabled on all FE and backend SQLs, except Edge. But some of the FE services communicate with Edge servers in TLS 1.0. Running on Windows Server 2019. Latest updates and patches are installed.

    We have Windows server 2019, Skype server 2019 on prem, Updated to CU1 September patch.

    All prerequisite via registry entry were added as per recommendations. It is ensured that necessary changes were made.

    Customer was following these reference articles: https://docs.microsoft.com/en-us/skypeforbusiness/manage/topology/disable-tls-1.0-1.1

    https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Disabling-TLS-1-0-1-1-in-Skype-for-Business-Server-2015-Part-1/ba-p/621485

    https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Disabling-TLS-1-0-1-1-in-Skype-for-Business-Server-2015-8211/ba-p/621487

    https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Disabling-TLS-1-0-1-1-in-Skype-for-Business-Server-2015-On/ba-p/621514

    Error message: Microsoft Network Monitor 3.4 was used to capture traffic. The FE AVMCUSvc.exe service negotiates and completes Server Hello with the Edge in TLS 1.0.


    Wednesday, December 25, 2019 2:30 PM
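
Added example, not part of the original thread or of Microsoft's guide: a read-only PowerShell audit for the situation reported above, where a Front End service still negotiates TLS 1.0 after the registry changes. It assumes the standard SCHANNEL and .NET Framework registry locations; the function name `Get-SchannelProtocolState` is hypothetical.

```powershell
# Added example: read-only audit, changes nothing. Run elevated on each FE and Edge server.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {   # hypothetical helper name
    param(
        [string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string]$BasePath = $SchannelBase
    )
    foreach ($p in $Protocol) {
        # A server role such as the Front End is also a TLS *client* towards the Edge,
        # so both subkeys matter for the AVMCUSvc.exe observation in the thread.
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path (Join-Path $BasePath $p) $role
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $state = if ($null -eq $props -or $null -eq $props.Enabled) {
                'NotConfigured (OS default applies)'
            } elseif ($props.Enabled -eq 0) {
                'Disabled'
            } else {
                'Enabled'
            }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
                State             = $state
            }
        }
    }
}

$schannel = Get-SchannelProtocolState
$schannel | Format-Table -AutoSize

# .NET Framework 4.x settings that let managed services follow the OS protocol choice.
foreach ($path in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $net = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    '{0}: SchUseStrongCrypto={1} SystemDefaultTlsVersions={2}' -f `
        $path, $net.SchUseStrongCrypto, $net.SystemDefaultTlsVersions
}

# Any row listed here means TLS 1.0 can still be negotiated in that direction on this host.
$schannel | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.State -ne 'Disabled' }
```

SCHANNEL registry changes take effect only after a reboot, so compare the output against the time of the last restart before concluding the settings are being ignored.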
  • Hi Tarique A!

    What is your version of Edge Server?

    Does it affect normal use for users when you cannot disable TLS 1.0 on the Edge Server?

    Is there any other error message in the Front End Server? 

    We found that only the Lync Server 2013 Edge role fully supports disabling of TLS 1.0 and 1.1.

    Then you must carefully plan for and consider the impact of disabling TLS 1.0/1.1 on your Edge servers. Once TLS 1.0 and 1.1 are disabled, you may find that other organizations are no longer able to federate with your organization.

    For more details about considerations when disabling TLS1.0 on Edge Servers, you can refer to:

    https://docs.microsoft.com/en-us/skypeforbusiness/manage/topology/disable-tls-1.0-1.1#federation-considerations-when-disabling-tls-1011-on-edge-servers

    Best Regards,
    Jimmy Yang

    Thursday, December 26, 2019 5:25 AM
  • Windows Server 2019

    Edge version 2019, same version and patching as FE

    Customer has followed above shared article.

    Friday, December 27, 2019 2:36 PM
  • Hi Tarique A!

    Can you provide any other error messages in the Front End Server or Edge Server?

    Does it affect normal use for users when you cannot disable TLS 1.0 on the Edge Server?

    At present, I didn't find any valuable information or error about this issue.

    Looking forward to your kind reply!


    Best Regards,
    Jimmy Yang

    Tuesday, December 31, 2019 9:05 AM