---
title: Enable TLS 1.2 on servers
description: Information about how to enable Transport Layer Security (TLS) 1.2 for Configuration Manager site servers and remote site systems.
ms.date: 06/20/2024
ms.subservice: core-infra
ms.topic: how-to
ms.collection: tier3
---

How to enable TLS 1.2 on the site servers and remote site systems

Applies to: Configuration Manager (Current Branch)

When enabling TLS 1.2 for your Configuration Manager environment, enable TLS 1.2 for the clients first. Then enable TLS 1.2 on the site servers and remote site systems. Finally, test client-to-site-system communication before you consider disabling the older protocols on the server side. The following tasks are needed to enable TLS 1.2 on the site servers and remote site systems:

  • Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
  • Update and configure the .NET Framework to support TLS 1.2
  • Update SQL Server and client components
  • Update Windows Server Update Services (WSUS)

For more information about dependencies for specific Configuration Manager features and scenarios, see About enabling TLS 1.2.

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level

[!INCLUDE Enable TLS 1.2 protocol as a security provider]

Update and configure the .NET Framework to support TLS 1.2

[!INCLUDE Update and configure the .NET framework to support TLS 1.2]
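The two tasks above both come down to registry values that Windows and .NET read at startup: the SChannel `TLS 1.2\Client` and `TLS 1.2\Server` keys (`Enabled` = 1, `DisabledByDefault` = 0) and the .NET Framework 4.x keys (`SystemDefaultTlsVersions` = 1 and `SchUseStrongCrypto` = 1, under both the 64-bit and `Wow6432Node` paths). The following script is an added example, not part of this article or of Configuration Manager; it audits those values on a site server and, only when run with `-Enable`, sets the ones that drift. The registry paths are the standard ones Microsoft documents for SChannel and .NET; the parameter name and the report layout are this example's own.

```powershell
# Added example (not from this article): audit, and optionally set, the registry values
# that enable TLS 1.2 for SChannel and the .NET Framework on a site server or site system.
# Run from an elevated PowerShell session. SChannel changes take effect after a reboot.
param([switch]$Enable)

$schannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 64-bit OS only
)

# Desired state: TLS 1.2 on for both the client and server side of SChannel, and .NET 4.x
# told to use the OS protocol list (SystemDefaultTlsVersions) with strong crypto.
$desired = @()
foreach ($side in 'Client', 'Server') {
    $desired += [pscustomobject]@{ Path = "$schannelBase\$side"; Name = 'Enabled';           Value = 1 }
    $desired += [pscustomobject]@{ Path = "$schannelBase\$side"; Name = 'DisabledByDefault'; Value = 0 }
}
foreach ($key in $dotnetKeys) {
    $desired += [pscustomobject]@{ Path = $key; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    $desired += [pscustomobject]@{ Path = $key; Name = 'SchUseStrongCrypto';       Value = 1 }
}

function Get-TlsRegistryValue {
    # Returns $null when the key or the value is absent; an absent SChannel value means the
    # OS default applies, which is why the audit treats "missing" as non-compliant.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($d in $desired) {
    $current = Get-TlsRegistryValue -Path $d.Path -Name $d.Name
    [pscustomobject]@{
        Path      = $d.Path
        Name      = $d.Name
        Current   = $current
        Desired   = $d.Value
        Compliant = ($current -eq $d.Value)
    }
}
$report | Format-Table -AutoSize

$drift = $report | Where-Object { -not $_.Compliant }
if ($Enable -and $drift) {
    foreach ($d in $drift) {
        if (-not (Test-Path -Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Desired -PropertyType DWord -Force | Out-Null
    }
    Write-Warning "Set $($drift.Count) value(s). Reboot for the SChannel changes to take effect."
}
elseif ($drift) {
    Write-Warning "$($drift.Count) value(s) are not compliant. Rerun with -Enable to set them."
}
```

Run it without `-Enable` first to see what would change; the audit output is also a convenient record to attach to a change ticket. The script only turns TLS 1.2 on and does not touch the TLS 1.0 and 1.1 keys, which matches the order the article prescribes: disable older protocols only after client-to-site-system communication has been tested.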

Update SQL Server and client components

Microsoft SQL Server 2016 and later support TLS 1.1 and TLS 1.2. Earlier versions and dependent libraries might require updates. For more information, see KB 3135244: TLS 1.2 support for Microsoft SQL Server.

Secondary site servers need to use at least SQL Server 2016 Express with Service Pack 2 (13.2.50.26) or later.

SQL Server Native Client

Note

KB 3135244 also describes requirements for SQL Server client components.

Also update the SQL Server Native Client to at least the SQL Server 2012 SP4 version (11.*.7001.0). Configuration Manager setup evaluates this requirement as a prerequisite check and reports a warning if it isn't met.

Configuration Manager uses SQL Server Native Client on the following site system roles:

  • Site database server
  • Site server: central administration site, primary site, or secondary site
  • Management point
  • Device management point
  • State migration point
  • SMS Provider
  • Software update point
  • Multicast-enabled distribution point
  • Asset Intelligence update service point
  • Reporting services point
  • Enrollment point
  • Endpoint Protection point
  • Service connection point
  • Certificate registration point
  • Data warehouse service point
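The Native Client version check above can be scripted so that every role in the list can be audited the same way. The following function is an added example, not part of this article or of Configuration Manager setup: it reads the file version of `sqlncli11.dll` (the SQL Server Native Client 11.0 library, assumed here to be in its default `System32` location) and compares it with the 11.*.7001.0 minimum, treating the wildcard as "any minor version" and so comparing only the major and build parts.

```powershell
# Added example (not from this article): check whether the installed SQL Server Native
# Client meets the SQL Server 2012 SP4 minimum (11.*.7001.0) named in the prerequisite check.
# The DLL path is an assumption based on the default install location; adjust if needed.
function Test-SqlNativeClientVersion {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\sqlncli11.dll'),
        [int]$RequiredMajor = 11,
        [int]$MinimumBuild  = 7001
    )
    if (-not (Test-Path -Path $Path)) {
        # No Native Client 11.0 at all: the role either has an older client or none.
        return [pscustomobject]@{ Path = $Path; Installed = $false; Version = $null; Compliant = $false }
    }
    $ver = (Get-Item -Path $Path).VersionInfo
    # FileVersion is Major.Minor.Build.Private. The documented minimum wildcards the
    # minor part, so compliance is Major == 11 and Build >= 7001.
    $compliant = ($ver.FileMajorPart -eq $RequiredMajor -and $ver.FileBuildPart -ge $MinimumBuild)
    [pscustomobject]@{
        Path      = $Path
        Installed = $true
        Version   = $ver.FileVersion
        Compliant = $compliant
    }
}

# Local check; wrap in Invoke-Command -ComputerName to run it against remote site systems.
Test-SqlNativeClientVersion
```

Because the check reads the DLL rather than an installer record, it also catches the case where the Native Client was upgraded in place but a stale copy of the file remains on a role that was never restarted.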

Enable TLS 1.2 at-scale using Automanage Machine Configuration and Azure Arc

Automanage Machine Configuration can configure TLS 1.2 for both the client and server side on machines running in Azure, on-premises, or in multi-cloud environments. To get started, connect the machines to Azure using Azure Arc-enabled servers, which includes the Machine Configuration prerequisite by default. Once connected, TLS 1.2 can be configured from the Azure portal by deploying the built-in policy definition Configure secure communication protocols (TLS 1.1 or TLS 1.2) on Windows servers. The policy can be assigned at the subscription, resource group, or management group scope, and specific resources can be excluded from the assignment.

After the configuration has been assigned, the compliance status of your resources can be viewed in detail by navigating to the Guest Assignments page and scoping down to the impacted resources.

For a detailed, step-by-step tutorial, see Consistently upgrade your server TLS protocol using Azure Arc and Automanage Machine Configuration.

Update Windows Server Update Services (WSUS)

TLS 1.2 is supported by default for WSUS on all currently supported versions of Windows Server.

To support TLS 1.2 in earlier versions of WSUS, install the following update on the WSUS server:

  • For a WSUS server that's running Windows Server 2012, install update 4022721 or a later rollup update.

  • For a WSUS server that's running Windows Server 2012 R2, install update 4022720 or a later rollup update.
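A quick way to confirm the update above is present on an older WSUS server, as an added example that is not part of this article: map the server's OS caption to the KB the list names and query the installed hotfixes for it. The caveat worth knowing is that `Get-HotFix` reports the KB numbers of the packages that were installed, so a server patched with a later rollup instead of the named update will show that rollup's KB rather than 4022721 or 4022720; a "not found" result therefore means "verify which rollup is installed", not "the fix is missing".

```powershell
# Added example (not from this article): check a WSUS server on Windows Server 2012 / 2012 R2
# for the TLS 1.2 update named in the list above. The KB-to-OS mapping comes from that list.
function Test-WsusTls12Update {
    $required = @{
        'Windows Server 2012'    = 'KB4022721'
        'Windows Server 2012 R2' = 'KB4022720'
    }
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    # "Windows Server 2012" also matches the R2 caption, so take the longest matching name.
    $osName = $required.Keys |
        Where-Object { $caption -like "*$_*" } |
        Sort-Object -Property Length -Descending |
        Select-Object -First 1

    if (-not $osName) {
        # Supported Windows Server versions support TLS 1.2 for WSUS by default.
        return [pscustomobject]@{ OS = $caption; RequiredUpdate = $null; Installed = $null; Note = 'No update listed for this OS' }
    }

    $kb = $required[$osName]
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OS             = $caption
        RequiredUpdate = $kb
        Installed      = [bool]$hotfix
        Note           = if ($hotfix) { "Installed $($hotfix.InstalledOn)" } else { 'Not found; check for a later rollup that supersedes it' }
    }
}

Test-WsusTls12Update
```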

Note

On October 10th, 2023, Windows Server 2012 and Windows Server 2012 R2 entered the Extended Security Updates phase. Microsoft no longer provides support for Configuration Manager site servers or roles installed on these operating systems. For more information, see Extended Security Updates and Configuration Manager.

Next steps