Implementing TLS 1.2 with SCOM 2012 R2

Question
Hi All,
We have a plan to implement TLS 1.2 in our SCOM 2012 R2 environment. Currently we are running UR13, which will soon be updated to the UR14 patch level, since UR14 is required for TLS 1.2.
The SCOM Management Servers are running the Windows Server 2012 R2 operating system.
We are following Kevin Holman's blog on implementing TLS 1.2:
Also we are checking the following blog on TLS 1.2:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
As per this blog, to enable or disable TLS 1.2 or any older version of TLS we need to add registry keys under the registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
So I logged into our SCOM Management Servers to see which version of TLS we are currently running, and I noticed that under the registry path HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols we only find SSL 2.0 > Client, and the value for DisabledByDefault is 1, so it means SSL 2.0 is disabled.
But the question is which security protocol is currently running on our SCOM servers.
In Kevin's blog he also mentioned that after enforcing TLS 1.2, we can always switch back and enable TLS 1.0 quickly if needed; it's just a registry change and a reboot away. But since the registry keys are not present by default, how do we do it?
Then I came across this article where it is mentioned that all the TLS versions are enabled on Windows Server 2012 R2.
So is it indeed the case that all the TLS versions are running together? If so, do we need to use Kevin Holman's blog to enforce TLS 1.2, since TLS 1.2 should be enabled by default? I am confused by this. Any help to clarify this will be appreciated.
https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
Thanks,
Sreejeet
Wednesday, January 22, 2020 10:30 AM
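The question above is really two things: how to read the current Schannel protocol state from the registry (where an absent key means "OS default", not "disabled"), and how to flip a protocol on or off again later. The following PowerShell script is an added example, not code from the thread, from Kevin Holman's blog or from Microsoft's guide. It assumes the registry layout described in the question (`Protocols\<name>\Client` and `\Server` subkeys holding `Enabled` and `DisabledByDefault` DWORD values) and treats a missing key as the OS default, which for a given Windows build you confirm against the "Protocols in TLS/SSL (Schannel SSP)" page linked in the question; the helper and parameter names are this example's own.

```powershell
# Added example: audit and (optionally) set Schannel protocol keys.
# Assumption: a protocol with no key under Protocols\ is at its OS default
# (consult the Schannel SSP protocol table for what that default is).
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # Reports the Client and Server state of every protocol listed above.
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $SchannelBase "$proto\$side"
            if (-not (Test-Path $key)) {
                [pscustomobject]@{ Protocol = $proto; Side = $side
                                   Enabled = '(absent)'; DisabledByDefault = '(absent)'
                                   State = 'OS default (no override key)' }
                continue
            }
            $props   = Get-ItemProperty -Path $key
            $enabled = $props.Enabled              # $null when the value is missing
            $dbd     = $props.DisabledByDefault    # $null when the value is missing
            $state = if ($enabled -eq 0)                      { 'Disabled (Enabled=0)' }
                     elseif ($dbd -eq 1)                      { 'Disabled by default (DisabledByDefault=1)' }
                     elseif ($enabled -ne $null -or $dbd -eq 0) { 'Enabled' }
                     else                                      { 'OS default (key present, no values)' }
            [pscustomobject]@{ Protocol = $proto; Side = $side
                               Enabled = $enabled; DisabledByDefault = $dbd; State = $state }
        }
    }
}

function Set-SchannelProtocol {
    # Writes an explicit override for one protocol on both the Client and Server side.
    # Supports -WhatIf so the change can be previewed before touching the registry.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    $enabledValue = if ($Enable) { 1 } else { 0 }
    $dbdValue     = if ($Enable) { 0 } else { 1 }
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelBase "$Protocol\$side"
        if ($PSCmdlet.ShouldProcess($key, "Set Enabled=$enabledValue DisabledByDefault=$dbdValue")) {
            # Create the protocol key, then the side key, if either is missing.
            $protoKey = Join-Path $SchannelBase $Protocol
            if (-not (Test-Path $protoKey)) { New-Item -Path $protoKey | Out-Null }
            if (-not (Test-Path $key))      { New-Item -Path $key      | Out-Null }
            New-ItemProperty -Path $key -Name 'Enabled'           -Value $enabledValue -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value $dbdValue     -PropertyType DWord -Force | Out-Null
        }
    }
}

function Remove-SchannelProtocolOverride {
    # Deletes the override key so the protocol falls back to the OS default.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Protocol)
    $protoKey = Join-Path $SchannelBase $Protocol
    if ((Test-Path $protoKey) -and $PSCmdlet.ShouldProcess($protoKey, 'Remove override key')) {
        Remove-Item -Path $protoKey -Recurse
    }
}

# Usage (run elevated; a reboot is needed for Schannel to pick up changes):
Get-SchannelProtocolState | Format-Table -AutoSize
# Preview enforcing TLS 1.2 only:
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false -WhatIf
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $false -WhatIf
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true  -WhatIf
# Rolling back later is the same call with -Enable $true (or Remove-SchannelProtocolOverride
# to return to the OS default), followed by a reboot.
```

Running the audit first, before any change, answers "which protocol is currently running": every row reporting "OS default" is governed by the Windows build's defaults rather than by anything under `Protocols\`. The rollback the question asks about works because `Set-SchannelProtocol` creates the missing keys itself, so re-enabling TLS 1.0 after enforcement is one call plus a reboot. Keep `-WhatIf` on until the audit output looks right, and remember that the SCOM-side configuration (UR14 and the SCOM settings the linked guides cover) is separate from these OS-level keys.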
Answers
Hi,
The link Protocols in TLS/SSL (Schannel SSP) will tell you which TLS protocols are used on your Windows Servers hosting your SCOM environment. TLS 1.2 is enabled by default in Windows Server 2012 R2, so there's no need to change anything there.
You can then follow the following guide from Microsoft:
How to implement Transport Layer Security 1.2, or the guide from Kevin Holman:
Implementing TLS 1.2 enforcement with SCOM. Basically, if Windows Server is already using TLS 1.2, all you need to do is install Update Rollup 14 for SCOM 2012 R2, and then only configure SCOM to use TLS 1.2.
Best regards,
Leon
Blog: https://thesystemcenterblog.com LinkedIn:
- Proposed as answer by Crystal Shen (Microsoft contingent staff) Thursday, January 23, 2020 5:36 AM
- Marked as answer by Sreejeet Monday, January 27, 2020 7:28 AM
Wednesday, January 22, 2020 10:42 AM
All replies
Thank you Leon for the information.
I will keep this post open for some time; if I have any doubt related to TLS 1.2 implementation with SCOM 2012 R2, I will post it here to get advice.
Regards,
Sreejeet
Wednesday, January 22, 2020 12:55 PM
Sounds good, let us know if you have any more concerns!
Blog: https://thesystemcenterblog.com LinkedIn:
Wednesday, January 22, 2020 12:57 PM
One thing to remember for this...
For SCOM 2016, you need to enable TLS 1.0 when doing the initial install (SCOM server and SQL target), as the installer contains the same code from previous versions. If you don't enable TLS 1.0 on your boxes, the SCOM install will fail and the logs are kind of cryptic.
Also, once you build your environment, in the future if you want to add a new SCOM management server, once again you have to enable TLS 1.0 on the new management server, and on SQL.
So much fun, lemme tell ya.
Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.
Wednesday, January 22, 2020 11:18 PM
Hi Sreejeet,
How's everything going? Did the above suggestions help? If there's anything else we can help with, feel free to let us know.
Best regards,
Crystal
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Monday, January 27, 2020 7:03 AM
Hi Crystal,
We are yet to implement TLS 1.2 in our SCOM 2012 R2 environment.
I will update you here after it has been implemented.
Thanks,
Sreejeet
Monday, January 27, 2020 7:27 AM
Hi Sreejeet,
Thanks for your response. If there's anything we can help with when you implement TLS 1.2 in the future, feel free to post back.
Have a nice day!
Best regards,
Crystal
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Monday, January 27, 2020 8:29 AM