none
Implementing TLS 1.2 with SCOM 2012 R2 RRS feed

  • Question

  • Hi All,

    We have a plan to implement TLS 1.2 in our SCOM 2012 R2 environment. Currently we are running UR13 which will soon be updated with UR14 patch level, since UR 14 is required for TLS 1.2.

    SCOM Management Server are running Windows Server 2012 R2 Operating System.

    We are following Kevin Holman's bolg on implementing TLS 1.2:

    https://kevinholman.com/2018/05/06/implementing-tls-1-2-enforcement-with-scom/?unapproved=4158&moderation-hash=55206c62853d52307de59246f58909e6#comment-4158

    Also we are checking the following blog on TLS 1.2:

    https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

    As per this blog to Enable or Disable TLS 1.2 or any older version of TLS we need to add Registry key under the Registry path: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

    So I logged into our SCOM Management Servers to see which version of TLS we are currently running and I noticed under the Registry path: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, we only find SSL 2.0 > Client but the Value for DisabledByDefault is 1, so it means SSL 2.0 is disabled.

    But the question is which Security protocol is currently running on our SCOM servers.

    In Kevin's blog he also mentioned that after enforcing TLS 1.2, we can always switch back and enable TLS 1.0 quickly if needed, its just a registry change and reboot away. But since the registry keys are not present by default how do we do it.

    Then I came accross this article where it is mentioned all the TLS versions are enabled on Windows Server 2012 R2.

    So is it indeed that all the TLS version are running together, if so then do we need to use Kevin Holman's blog to Enforce TLS 1.2, since TLS 1.2 should be enabled by default. I am confused with this. Any help will be appreciated to clarify this.

    https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

    Thanks,

    Sreejeet

    Wednesday, January 22, 2020 10:30 AM

Answers

All replies

  • Hi,

    The link: Protocols in TLS/SSL (Schannel SSP) will tell you which TLS protocols are used on your Windows Servers hosting your SCOM environment, TLS 1.2 is enabled by default in Windows Server 2012 R2 so there's no need to change anything there.

    You can then follow the following guide from Microsoft:
    How to implement Transport Layer Security 1.2

    or the guide from Kevin Holman:
    Implementing TLS 1.2 enforcement with SCOM

    Basically if Windows Server is already using TLS 1.2, all you need to do install Update Rollup 14 for SCOM 2012 R2, and then only configure SCOM to use TLS 1.2.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com LinkedIn:

    Wednesday, January 22, 2020 10:42 AM
  • Thank you Leon for the information.

    I will keep this post open for sometime, if I have any doubt related to TLS 1.2 implementation with SCOM 2012 R3, I will post it here, to get advice.

    Regards,

    Sreejeet

    Wednesday, January 22, 2020 12:55 PM
  • Sounds good, let us know if you have any more concerns!

    Blog: https://thesystemcenterblog.com LinkedIn:

    Wednesday, January 22, 2020 12:57 PM
  • One thing to remember for this...

    SCOM 2016, you need to enable TLS 1.0 when doing the initial install (SCOM server and SQL target), as the installer contains the same code from previous versions. If you don't enable TLS 1.0 on your boxes, SCOM install will fail and the logs are kind of cryptic.

    Also, once you build your environment, in the future if you want to add a new SCOM management server, once again you have to enable TLS 1.0 on the new management server, and on SQL.

    So much fun, lemme tell ya.


    Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

    Wednesday, January 22, 2020 11:18 PM
    Moderator
  • Hi Sreejeet,
     
    How's everything going? Did the above suggestions help? if there's anything else we can help, feel free to let us know.
     
    Best regards.
    Crystal

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 27, 2020 7:03 AM
  • Hi Crystal,

    We are yet to implement TLS 1.2 in our SCOM 2012 R2 environment.

    I will update you here after it has implemented.

    Thanks,

    Sreejeet

    Monday, January 27, 2020 7:27 AM
  • Hi Sreejeet,

    Thanks for your response. If there's anything we can help when you implement TLS 1.2 in the future, feel free to post back.

    Have a nice day!

    Best regards.
    Crystal


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 27, 2020 8:29 AM