Enabling TLS 1.2 for the ITMS Management Platform Environment


Article ID: 170734


Products

Endpoint Encryption

Issue/Introduction

Best security practice is to use the latest version of TLS available (1.2). Microsoft does not enable TLS 1.2 by default in many current operating systems. How do we enable TLS 1.2 communications in our Symantec Management Platform (Altiris) environment?
 

Environment

ITMS 8.x+

Resolution

To use TLS 1.2, perform the following steps in your environment.

1.  If desired, verify the current TLS settings on a test system by downloading IISCrypto.exe and running it from the desktop (it does not install anything).  Download from: https://www.nartac.com/Products/IISCrypto

2.  Modify the SMP Communication Profile to allow TLS 1.2

  • Settings > Agents/Plugins > Symantec Management Agent > Symantec Management Agent Communication Profile
  • Select the SMP Profile
  • Edit "SSL Certificates are defined for current profile", adding a check for TLS 1.2

    

3.  Make changes necessary to the OS to accommodate TLS 1.2

  • Save the section below as a .reg file (AddTLS.reg) and execute it on the system to enable TLS 1.2

        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols]

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

        ; Enable TLS 1.2 for outbound (client) connections
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001

        ; Enable TLS 1.2 for inbound (server) connections
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001

You can also deploy the Registry change via a Task Script or Managed Software Policy in Altiris by using the command line: reg import "AddTLS.reg"

NOTE: A system reboot is required after making this change to the Registry.

Review the following Microsoft article regarding the different TLS versions: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)

4.  Verify TLS settings changed by using IISCrypto.exe
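
A read-only PowerShell check of the registry values that AddTLS.reg sets, as an added example that is not part of the original article or of the product's tooling. The function name Test-Tls12Schannel is hypothetical, and checking CurrentControlSet alongside the article's ControlSet001 path is an addition made here.

```powershell
# Added example: audit the SCHANNEL TLS 1.2 values from AddTLS.reg (read-only).
# Save as a .ps1 file and run it on the system after the reboot.

# Expected values, taken from the AddTLS.reg content in this article.
$expected = @{ DisabledByDefault = 0; Enabled = 1 }

# The article writes to ControlSet001. CurrentControlSet is checked as well
# (an addition here) because it is the control set Windows is running with.
$controlSets = 'ControlSet001', 'CurrentControlSet'
$roles       = 'Client', 'Server'

function Test-Tls12Schannel {   # hypothetical helper name
    foreach ($set in $controlSets) {
        foreach ($role in $roles) {
            $path = "HKLM:\SYSTEM\$set\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$role"
            foreach ($name in $expected.Keys) {
                # A missing key or value means the OS default applies,
                # not the setting from AddTLS.reg.
                $actual = $null
                if (Test-Path -LiteralPath $path) {
                    $item   = Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
                    $actual = $item.$name
                }
                [pscustomobject]@{
                    ControlSet = $set
                    Role       = $role
                    Value      = $name
                    Expected   = $expected[$name]
                    Actual     = if ($null -eq $actual) { '<not set>' } else { $actual }
                    Match      = ($null -ne $actual) -and ($actual -eq $expected[$name])
                }
            }
        }
    }
}

$results = Test-Tls12Schannel
$results | Format-Table -AutoSize

# Non-zero exit code so a Task Script or policy can flag a non-compliant system.
if ($results | Where-Object { -not $_.Match }) { exit 1 } else { exit 0 }
```

A row with Match = False under CurrentControlSet but True under ControlSet001 means the import landed in a control set the system is not currently using.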