Enabling TLS 1.2 and 1.3 for the ITMS Management Platform Environment

Article ID: 170734

Products

IT Management Suite, Client Management Suite

Issue/Introduction

Best security practice is to use the latest TLS version available. Microsoft does not enable TLS 1.2 by default on some older operating systems, and TLS 1.3 is only supported on Windows 11 and Windows Server 2022 and later. How do we enable TLS 1.2 and TLS 1.3 communications in our Symantec Management Platform (Altiris) environment?

Environment

ITMS 8.x+

Resolution

To use TLS 1.2 and 1.3, perform the following steps on your environment.

Before proceeding, refer to the Microsoft documentation for OS support per TLS protocol. Microsoft does not support TLS 1.3 on Windows 10, Windows Server 2019, or earlier: Protocols in TLS/SSL (Schannel SSP)

1.  Optional: on a test system, check the current TLS settings by downloading the third-party tool IISCrypto.exe and running it from the desktop (it is a portable executable and installs nothing). Download from: IIS Crypto

2.  Modify the SMP Communication Profile to allow TLS 1.2 and, optionally, TLS 1.3

  • Settings > Agents/Plugins > Symantec Management Agent > Symantec Management Agent Communication Profile
  • Select the SMP profile
  • In the "SSL Certificates are defined for current profile" section, check TLS 1.2 (and TLS 1.3 if required)


3.  Make changes to the OS, if necessary, to enable TLS 1.2.

NOTE: The steps below are generally not required for TLS 1.3 because it is enabled by default on the operating systems that support it. TLS 1.3 is supported starting with Windows 11 and Windows Server 2022. Enabling TLS 1.3 on earlier versions of Windows is not a safe system configuration per Microsoft.

  • Save the section below as a .reg file (AddTLS.reg) and import it on the system to enable TLS 1.2. The keys are placed under CurrentControlSet, which is the control set the running OS booted from; ControlSet001 is not guaranteed to be the active one (HKLM\SYSTEM\Select\Current records which set is in use).

        Windows Registry Editor Version 5.00

        ; Enabled=1 together with DisabledByDefault=0 turns the protocol on.
        ; Client = outgoing connections made by this machine (e.g. agent to SMP, SMP to SQL Server)
        ; Server = incoming connections accepted by this machine (e.g. IIS on the SMP)
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001

You can also apply the registry change via a Task Script or a Managed Software Policy in Altiris using the command line: reg import "AddTLS.reg". The task must run with administrative rights, since writing under HKEY_LOCAL_MACHINE requires them.

NOTE: A system reboot is required after making this change to Registry

You should verify and check the following Microsoft article regarding the different TLS versions: Protocols in TLS/SSL (Schannel SSP)

4.  Verify TLS settings changed by using IISCrypto.exe
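IIS Crypto shows what the local Schannel configuration allows, but not what a given SMP or site server will actually negotiate. The following PowerShell script is an added example (not part of the original article and not Symantec code) that connects from a client machine and offers each TLS version one at a time, reporting whether the server accepted it. The host name smp.example.local and port 443 are placeholders for your own environment.

```powershell
# Added example, not part of the original article: from a client machine, ask an
# SMP (or site server) to negotiate each TLS version in turn and report the result.
# The host name below is a placeholder (assumption) for your own SMP; port 443 is
# the usual HTTPS port for agent communication.
param(
    [string]$SmpHost = 'smp.example.local',
    [int]$Port = 443
)

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)] [string]$HostName,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols]$Protocol,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept any server certificate: this probe tests protocol negotiation, not trust.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # Offer exactly one protocol version so the outcome is unambiguous.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Result     = 'accepted'
        }
    } catch {
        # A .NET method failure is wrapped; the inner exception carries the Schannel message.
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $null
            Cipher     = $null
            Result     = "rejected: $msg"
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Tls13 only exists in the SslProtocols enum on .NET Framework 4.8 and later; skip it elsewhere.
$versions = @('Tls', 'Tls11', 'Tls12')
if ([Enum]::GetNames([System.Security.Authentication.SslProtocols]) -contains 'Tls13') {
    $versions += 'Tls13'
}

$versions | ForEach-Object { Test-TlsProtocol -HostName $SmpHost -Port $Port -Protocol $_ } |
    Format-Table -AutoSize
```

On a server that accepts only TLS 1.2, the Tls and Tls11 rows should come back rejected (typically with "The client and server cannot communicate, because they do not possess a common algorithm") and Tls12 accepted. Because the probe goes through the local Schannel stack, a version that is disabled on the client machine itself will also be reported as rejected, so run it from a client whose own configuration you know.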

Note: You may also need to consider the following.
In some scenarios, when the administrator allows only TLS 1.2 on the SMP and the SQL Server, .NET Framework applications that do not explicitly select a protocol still try TLS 1.0 by default, and the connection fails until .NET is told to use the operating system's TLS defaults.

The registry values below (SystemDefaultTlsVersions and SchUseStrongCrypto) make the .NET Framework defer to the Schannel defaults, so it negotiates TLS 1.2 once that protocol is enabled in the OS. They do not by themselves disable TLS 1.0 or 1.1; that is controlled in the Schannel Protocols keys.

Add (or modify, if they already exist) the following registry keys with the specified values:

    ; 32-bit view (WOW6432Node), read by 32-bit processes on 64-bit Windows
    ; .NET Framework 3.5 (v2.0.50727)
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    ; .NET Framework 4.x (v4.0.30319)
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    ; 64-bit view, read by 64-bit processes
    ; .NET Framework 3.5 (v2.0.50727)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    ; .NET Framework 4.x (v4.0.30319)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
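The Schannel change in step 3 and the .NET Framework values above can be applied and read back from one elevated PowerShell session instead of two .reg files. The script below is an added example (not part of the original article and not Symantec code); it writes the same values the article lists, under CurrentControlSet, and then prints the resulting Schannel state for every protocol so you can confirm nothing else was touched. It goes slightly beyond the article in that Set-SchannelProtocol can also turn a protocol off (Enabled=0, DisabledByDefault=1), which is how TLS 1.0 and 1.1 are retired once every agent and SQL connection has been confirmed on TLS 1.2.

```powershell
# Added example, not part of the original article: apply the Schannel and .NET
# Framework registry settings from step 3 and the .NET note with PowerShell,
# then read them back. Run from an elevated prompt (HKLM requires admin rights)
# and reboot afterwards. Uses CurrentControlSet, the control set the running OS
# actually booted from.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-DwordValue {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Set-SchannelProtocol {
    # Enabled=1 / DisabledByDefault=0 turns a protocol on for both the Client and
    # Server side of Schannel; Enabled=0 / DisabledByDefault=1 turns it off.
    param(
        [Parameter(Mandatory)] [ValidateSet('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')] [string]$Protocol,
        [Parameter(Mandatory)] [bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        Set-DwordValue -Key $key -Name 'Enabled'           -Value ([int]$Enabled)
        Set-DwordValue -Key $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled))
    }
}

function Set-DotNetTlsDefaults {
    # v2.0.50727 covers .NET Framework 3.5, v4.0.30319 covers 4.x; the WOW6432Node
    # view is what 32-bit processes on a 64-bit OS read.
    $roots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework'
    foreach ($root in $roots) {
        foreach ($version in 'v2.0.50727', 'v4.0.30319') {
            $key = Join-Path $root $version
            Set-DwordValue -Key $key -Name 'SystemDefaultTlsVersions' -Value 1
            Set-DwordValue -Key $key -Name 'SchUseStrongCrypto'       -Value 1
        }
    }
}

function Get-SchannelProtocolState {
    # Read back what is configured; an absent value means the OS default applies.
    foreach ($protocol in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $SchannelRoot "$protocol\$side"
            $enabled = '(OS default)'
            $disabledByDefault = '(OS default)'
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($props.PSObject.Properties['Enabled'])           { $enabled = $props.Enabled }
                if ($props.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $props.DisabledByDefault }
            }
            [pscustomobject]@{
                Protocol          = $protocol
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Set-DotNetTlsDefaults
Get-SchannelProtocolState | Format-Table -AutoSize
Write-Warning 'Reboot the system for the Schannel change to take effect.'
```

The read-back table is the same information IIS Crypto displays; rows showing "(OS default)" mean the protocol has no explicit override and behaves as Microsoft's defaults for that OS version dictate. Do not disable TLS 1.0/1.1 on the SMP until the agents, site servers and the SQL Server connection have all been verified on TLS 1.2, since a failed negotiation there breaks agent communication rather than degrading it.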