Thursday, November 21, 2019

Enforce TLS 1.2 via ConfigMgr Compliance Setting

One of the products in our environment is deprecating support for the earlier TLS versions 1.0 and 1.1 (Yay!). This means we are being required to support TLS 1.2 for this product on Windows 7, Windows Server 2008 R2, and Windows Server 2012. It is enabled by default on more recent OSes, such as Windows 8 and Windows Server 2012 R2 and greater. On the older OSes TLS 1.2 should be enabled via KB3140245. While the KB was installed on the majority, we found TLS 1.2 was actually not enabled on all of the fleet even though the KB was applied a while ago.

So Piers came to the rescue with a Compliance Setting to manage this. Luckily TLS is set at the OS level via registry keys so it is not that difficult to manage. Piers enjoys using PowerShell so he went that route to mitigate.


Piers created a compliance baseline in ConfigMgr which reports on the following:

Windows 7 requirements for TLS 1.2
  • KB3140245 must be installed
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    • "DisabledByDefault"=dword:00000000
Windows Server 2008 R2 and 2012 requirements for TLS 1.2
(Note this is slightly different.)
  • KB3140245 must be installed
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    • "DisabledByDefault"=dword:00000000
    • "Enabled"=dword:00000001
      • Or "Enabled"=dword:0xFFFFFFFF (It equates to decimal 1 – see info here)
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    • "DisabledByDefault"=dword:00000000
    • "Enabled"=dword:00000001
      • Or "Enabled"=dword:0xFFFFFFFF
This is checking both server and workstations for TLS 1.2 enablement at the OS level. This overrides any TLS settings set explicitly for IE, as we understand it, so I don’t believe we need to check IE-specific settings (see the section "How the DefaultSecureProtocols registry entry works" in this article).
  • Firefox has had TLS 1.2 support enabled since version 27
  • For Chrome, TLS 1.2 is automatically enabled from version 29


We created several compliance items to detect TLS 1.2 and enable it if it is not. For servers, they were eventually split out into the Server and Client functions of TLS (for IIS, etc.) and to make use of nice features such as Supported Platforms, so we can target them specifically for advertisements.

We are using the following discovery script for the client keys:

 # Discovery script: reports 'Found' when DisabledByDefault is 0 under the TLS 1.2 Client key,
 # 'Value=<n>' when the value exists but is something else, and 'Not Found' when the key or value is absent.
 $RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
 $RegName = 'DisabledByDefault'
 $RegData = '0'
 $Return = 'Not Found'
 # SilentlyContinue leaves $RegLookUp as $null if the key or value does not exist
 $RegLookUp = Get-ItemProperty -Name $RegName -Path $RegPath -ErrorAction SilentlyContinue
 if ($RegLookUp.$RegName -eq $RegData) {
   $Return = 'Found'
 }
 if ( $RegLookUp -and ($RegLookUp.$RegName -ne $RegData) ) {
   $Return = 'Value=' + $RegLookUp.$RegName
 }
 Write-Host $Return

He is using a remediation script adapted from Roger Zander:

 # Reg2CI (c) 2019 by Roger Zander  
 if((Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client") -ne $true) { New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -force -ea SilentlyContinue };  
 New-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force -ea SilentlyContinue;  

The Compliance rule is pretty straightforward. It looks for "Found" from the Discovery Script.

The configuration baselines are pretty straightforward as well.

The Client baseline contains both workstation and Server OS versions.

We have two advertisements: one to monitor, and one to remediate. The monitor is run daily and the remediate is run every couple of hours.

The advertisement is going to a collection that calls out the affected Operating Systems only.

For the server settings, just change the relevant registry path, as the rest is the same.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
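As an added example (not Piers's script or anything from the original post), the following single discovery script evaluates every Server 2008 R2 / 2012 requirement listed above in one pass: the KB, both the Client and Server keys, DisabledByDefault, and Enabled set to either 1 or 0xFFFFFFFF. It assumes the compliance rule still looks for the string "Found" and that Get-HotFix (which reads the QFE inventory) is acceptable as the KB check.

```powershell
# Added example: combined TLS 1.2 discovery for the Client and Server SCHANNEL keys.
# Prints 'Found' only when every requirement passes; otherwise 'Not Found: ' plus the reasons.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$Failures = @()

# KB3140245 must be installed (Get-HotFix queries Win32_QuickFixEngineering).
if (-not (Get-HotFix -Id 'KB3140245' -ErrorAction SilentlyContinue)) {
    $Failures += 'KB3140245 missing'
}

foreach ($Side in 'Client', 'Server') {
    $Key   = Join-Path $Base $Side
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    if ($null -eq $Props) {
        $Failures += "$Side key missing"
        continue
    }

    # DisabledByDefault must exist and be exactly 0.
    if ($null -eq $Props.DisabledByDefault) {
        $Failures += "$Side DisabledByDefault not set"
    } elseif ($Props.DisabledByDefault -ne 0) {
        $Failures += "$Side DisabledByDefault=$($Props.DisabledByDefault)"
    }

    # Enabled must exist and be non-zero. A DWORD of 0xFFFFFFFF comes back from
    # Get-ItemProperty as Int32 -1, so test for 'not 0' rather than 'equals 1'.
    if ($null -eq $Props.Enabled) {
        $Failures += "$Side Enabled not set"
    } elseif ($Props.Enabled -eq 0) {
        $Failures += "$Side Enabled=0"
    }
}

if ($Failures.Count -eq 0) {
    Write-Host 'Found'
} else {
    Write-Host ('Not Found: ' + ($Failures -join '; '))
}
```

Because the output starts with "Found" only on full compliance, the existing "equals Found" compliance rule works unchanged, and the failure reasons show up in the ConfigMgr report for any non-compliant host.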

This is a good read on it from a Dev perspective via a Microsoft Security post.
