Implement Transport Layer Security 1.2

This article describes how to allow System Center Operations Manager to utilize Transport Layer Security (TLS) 1.2.

Note

Operations Manager will use the protocol configured at the Operating System level. For example, if TLS 1.0, TLS 1.1, and TLS 1.2 are enabled at the Operating System Level, then Operations Manager will select one of the three protocols in the following order of preference:

  1. TLS version 1.2
  2. TLS version 1.1
  3. TLS version 1.0

The Schannel SSP then selects the most preferred authentication protocol that the client and server can support.

Perform the following steps to implement TLS protocol version 1.2 in Operations Manager:

Note

Microsoft OLE DB Driver 18 for SQL Server (recommended) is supported with Operations Manager 2016 UR9 and later.

  1. Install SQL Server 2012 Native Client 11.0 or Microsoft OLE DB Driver (x64) on all management servers and the web console server.
  2. Install Microsoft ODBC Driver (x64) on all management servers and the web console server.
  3. Install the Required SQL Server update that supports TLS 1.2.
  4. Install a minimum of Update Rollup 4 for SCOM 2016 on all components.
  5. Ensure your servers have a minimum .NET 4.6 installed as compatible with your OS: .NET Framework versions and dependencies
    1. Do not install .NET 4.8, as there have been known issues with SCOM 2016 incompatibilities.
  6. Configure Windows to only use TLS 1.2.
  7. Configure .NET to utilize TLS 1.2 by default.
  8. Configure Audit Collection Services if installed.
  1. Install Microsoft OLE DB Driver for SQL version 18.7.4 on all management servers and the web console server.
  2. Install Microsoft ODBC Driver for SQL version 17.10.6 on all management servers and the web console server.
  3. Configure Windows to only use TLS 1.2.
  4. Configure .NET to utilize TLS 1.2 by default.
  5. Configure Audit Collection Services if installed.

Note

If utilizing SQL Server connection encryption, you will need to install these driver versions instead:

More information about configuring SQL connection encryption can be found here: Configure SQL Server Database Engine for encrypting connections

Operations Manager generates SHA1 and SHA2 self-signed certificates. This is required to enable TLS 1.2. If CA-signed certificates are used, ensure that the certificates are either SHA1 or SHA2.

Note

If your security policies restrict TLS 1.0 and 1.1, installing a new Operations Manager 2016 management server, gateway server, Web console, and Reporting services role will fail because the setup media doesn't include the updates to support TLS 1.2. The only way you can install these roles is by enabling TLS 1.0 on the system, apply Update Rollup 4, and then enable TLS 1.2 on the system. This limitation doesn't apply to Operations Manager version 1801.

Configure Windows Operating System to only use TLS 1.2 protocol

Use one of the following methods to configure Windows to use only the TLS 1.2 protocol.

Method 1: Manually modify the registry

Important

Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

Use the following steps to enable/disable all SCHANNEL protocols system-wide. We recommend that you enable the TLS 1.2 protocol for all incoming communications and outgoing communications.

Note

Making these registry changes doesn't affect the use of Kerberos or NTLM protocols.

  1. Sign in to the server by using an account that has local administrative credentials.

  2. Start Registry Editor by selecting and holding Start, enter regedit in the Run textbox, and select OK.

  3. Locate the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

  4. Create a subkey under Protocols for:

    1. SSL 2.0
    2. SSL 3.0
    3. TLS 1.0
    4. TLS 1.1
    5. TLS 1.2.
  5. Create a Client and Server subkey under each protocol version subkey you created earlier. For example, the subkey for TLS 1.0 would be

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
  6. To disable each protocol, create the following DWORD values under Server and Client:

    • Enabled [Value = 0]
    • DisabledByDefault [Value = 1]
  7. To enable the TLS 1.2 protocol, create the following registry keys:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server:
  8. Then create the following DWORD values under Server and Client:

    • Enabled [Value = 1]
    • DisabledByDefault [Value = 0]
  9. Close the Registry Editor.

Method 2: Automatically modify the registry

Run the following Windows PowerShell script as Administrator to automatically configure your Windows Operating System to use only the TLS 1.2 Protocol:

$ProtocolList       = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault  = "DisabledByDefault"
$registryPath       = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach ($Protocol in $ProtocolList)
{
    foreach ($key in $ProtocolSubKeyList)
    {
        $currentRegPath = $registryPath + $Protocol + "\" + $key
        Write-Output "Current Registry Path: `"$currentRegPath`""

  if (!(Test-Path $currentRegPath))
  {
    Write-Output " `'$key`' not found: Creating new Registry Key"
    New-Item -Path $currentRegPath -Force | out-Null
  }
  if ($Protocol -eq "TLS 1.2")
  {
    Write-Output " Enabling - TLS 1.2"
    New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "0" -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $currentRegPath -Name 'Enabled' -Value "1" -PropertyType DWORD -Force | Out-Null
  }
  else
  {
    Write-Output " Disabling - $Protocol"
    New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value "1" -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $currentRegPath -Name 'Enabled' -Value "0" -PropertyType DWORD -Force | Out-Null
  }
  Write-Output " "
}

Configure .NET Framework to use only TLS 1.2

.NET typically requires the application to define what TLS protocol to use for communication, in the instance of SCOM however, we will need to tell .NET system-wide what protocol to use.

After completing the configuration of all prerequisites for Operations Manager, perform the following steps on all management servers, the server hosting the Web console role, and on any Windows computer the agent is installed on.

Important

Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before making any modifications, back up the registry for restoration in case problems occur.

Note

SCOM running on Windows OS 2012 needs additional changes to use TLS 1.2 over HTTP for UNIX/LINUX monitoring. In order to enable TLS 1.2 as default security protocols in WinHTTP in Windows, the following changes need to be made as per Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.

  1. Install KB3140245 on the Management Servers/Gateways Servers in the UNIX/LINUX Resource Pool.
  2. Back up the registries that are modified as mentioned in the KB article.
  3. Download and run the Easy Fix tool on the Management Servers/Gateways in the UNIX/LINUX Resource Pool.
  4. Reboot the servers.

Manually modify the registry

  1. Open the Registry Editor
  2. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
    1. Create the following DWORD value pairs:
      • SchUseStrongCrypto [Value = 1]
      • SystemDefaultTlsVersions [Value = 1]
  3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727
    1. Create the following DWORD value pairs:
      • SchUseStrongCrypto [Value = 1]
      • SystemDefaultTlsVersions [Value = 1]
  4. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    1. Create the following DWORD value pairs:
      • SchUseStrongCrypto [Value = 1]
      • SystemDefaultTlsVersions [Value = 1]
  5. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
    1. Create the following DWORD value pairs:
      • SchUseStrongCrypto [Value = 1]
      • SystemDefaultTlsVersions [Value = 1]
  6. Restart the system for the settings to take effect.

Automatically modify the registry

Run the following Windows PowerShell script in Administrator mode to automatically configure .NET Framework to prevent framework-inherited TLS 1.0 dependencies:

# Tighten up the .NET Framework
$NetRegistryPath1 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" 
New-ItemProperty -Path $NetRegistryPath1 -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null 
New-ItemProperty -Path $NetRegistryPath1 -Name "SystemDefaultTlsVersions" -Value "1" -PropertyType DWORD -Force | Out-Null

$NetRegistryPath2 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" 
New-ItemProperty -Path $NetRegistryPath2 -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $NetRegistryPath2 -Name "SystemDefaultTlsVersions" -Value "1" -PropertyType DWORD -Force | Out-Null

$NetRegistryPath3 = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" 
New-ItemProperty -Path $NetRegistryPath3 -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null 
New-ItemProperty -Path $NetRegistryPath3 -Name "SystemDefaultTlsVersions" -Value "1" -PropertyType DWORD -Force | Out-Null

$NetRegistryPath4 = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" 
New-ItemProperty -Path $NetRegistryPath4 -Name "SchUseStrongCrypto" -Value "1" -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $NetRegistryPath4 -Name "SystemDefaultTlsVersions" -Value "1" -PropertyType DWORD -Force | Out-Null

Additional settings

If this is being implemented for System Center 2016 - Operations Manager, after applying Update Rollup 4, ensure to import the management packs that are included in this rollup located in the following directory: \Program Files\Microsoft System Center 2016\Operations Manager\Server\Management Packs for Update Rollups.

If you're monitoring a supported version of Linux server with Operations Manager, follow the instructions on the appropriate website for your distro to configure TLS 1.2.

Audit Collection Services

For Audit Collection Services (ACS), you must make additional changes in the registry on ACS Collector server. ACS uses the DSN to make connections to the database. You must update DSN settings to make them functional for TLS 1.2.

  1. Sign in to the server by using an account that has local administrative credentials.

  2. Start Registry Editor by selecting and holding Start, enter regedit in the Run textbox, and select OK.

  3. Locate the following ODBC subkey for OpsMgrAC: HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC.

    Note

    The default name of DSN is OpsMgrAC.

  4. Under ODBC Data Sources subkey, select the DSN name OpsMgrAC. This contains the name of the ODBC driver to be used for the database connection. If you have ODBC 11.0 installed, change this name to ODBC Driver 11 for SQL Server, or if you have ODBC 13.0 installed, change this name to ODBC Driver 13 for SQL Server.

  5. Under the OpsMgrAC subkey, update the Driver for the ODBC version that is installed.

    • If ODBC 11.0 is installed, change the Driver entry to %WINDIR%\system32\msodbcsql11.dll.
    • If ODBC 13.0 is installed, change the Driver entry to %WINDIR%\system32\msodbcsql13.dll.
    • If ODBC 17.0 is installed, change the Driver entry to %WINDIR%\system32\msodbcsql17.dll.
    • If ODBC 18.0 is installed, change the Driver entry to %WINDIR%\system32\msodbcsql18.dll.

Registry File

Alternatively, create and save the following .reg file in Notepad or another text editor. To run the saved .reg file, double-click the file.

  • For ODBC 11.0, 13.0, 17.x, or 18.x. Create the following file ODBC.reg and (replace with the ODBC version being used) :

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources]
    "OpsMgrAC"="ODBC Driver 18 for SQL Server"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC]
    "Driver"="%WINDIR%\system32\msodbcsql18.dll"
    

PowerShell

Alternatively, you can run the following PowerShell commands to automate the change.

  • For ODBC 11.0, run the following PowerShell commands:

    New-ItemProperty -Path "HKLM:\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC" -Name "Driver" -Value "%WINDIR%\system32\msodbcsql11.dll" -PropertyType STRING -Force | Out-Null
    New-ItemProperty -Path "HKLM:\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources" -Name "OpsMgrAC" -Value "ODBC Driver 11 for SQL Server" -PropertyType STRING -Force | Out-Null
    
  • For ODBC 13.0, run the following PowerShell commands:

    New-ItemProperty -Path "HKLM:\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC" -Name "Driver" -Value "%WINDIR%\system32\msodbcsql13.dll" -PropertyType STRING -Force | Out-Null
    New-ItemProperty -Path "HKLM:\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources" -Name "OpsMgrAC" -Value "ODBC Driver 13 for SQL Server" -PropertyType STRING -Force | Out-Null
    

Audit Collection Services

For Audit Collection Services (ACS), you must make additional changes in the registry on ACS Collector server. ACS uses the DSN to make connections to the database. You must update DSN settings to make them functional for TLS 1.2.

  1. Sign in to the server by using an account that has local administrative credentials.
  2. Start Registry Editor by selecting and holding Start, enter regedit in the Run textbox, and select OK.
  3. Locate the following ODBC subkey for OpsMgrAC: HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC.

Note

The default name of DSN is OpsMgrAC.

  1. Under ODBC Data Sources subkey, select the DSN name OpsMgrAC. This contains the name of the ODBC driver to be used for the database connection. If you have ODBC 17 installed, change this name to ODBC Driver 17 for SQL Server.
  2. Under the OpsMgrAC subkey, update the Driver for the ODBC version that is installed.
    • For example, if ODBC 17 is installed, change the Driver entry to %WINDIR%\system32\msodbcsql17.dll.
    • Check the name of the DLL for the current version of the ODBC driver installed if different.

Registry File

Alternatively, create and save the following .reg file in Notepad or another text editor. To run the saved .reg file, double-click the file.

  • For ODBC 17, create the following ODBC 17.reg file:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources]
    "OpsMgrAC"="ODBC Driver 17 for SQL Server"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC]
    "Driver"="%WINDIR%\system32\msodbcsql17.dll"
    

PowerShell

Alternatively, you can run the following PowerShell commands to automate the change.

  • Ensure to replace the dll file path to an appropriate version if using a ODBC driver version other than 17.

    New-ItemProperty -Path "HKLM:\SOFTWARE\ODBC\ODBC.INI\OpsMgrAC" -Name "Driver" -Value "%WINDIR%\system32\msodbcsql7.dll" -PropertyType STRING -Force | Out-Null
    New-ItemProperty -Path "HKLM:\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources" -Name "OpsMgrAC" -Value "ODBC Driver 17 for SQL Server" -PropertyType STRING -Force | Out-Null
    

Next steps