Enabling TLS 1.2 for the ITMS Management Platform Environment


Article ID: 170734



IT Management Suite Client Management Suite


Best security practice is to use the latest available version of TLS, 1.2. Microsoft does not enable TLS 1.2 by default in many current operating systems. How do we enable TLS 1.2 communications in our Symantec Management Platform (Altiris) environment?


ITMS 8.x+


To use TLS 1.2, perform the following steps in your environment.

1.  If desired, on a test system, verify the current TLS settings by downloading IISCrypto.exe and running it from the desktop (it does not install anything).  Download from: https://www.nartac.com/Products/IISCrypto

2.  Modify the SMP Communication Profile to allow TLS 1.2

  • Settings > Agents/Plugins > Symantec Management Agent > Symantec Management Agent Communication Profile
  • Select the SMP Profile
  • Edit "SSL Certificates are defined for current profile", adding a check mark for TLS 1.2


3.  Make the changes necessary to the OS to accommodate TLS 1.2

  • Save the section below as a .reg file (AddTLS.reg) and execute it on the system to enable TLS 1.2

        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

You can also deploy the registry change through a Task Script or Managed Software Policy in Altiris by using the command line: reg import "AddTLS.reg"

NOTE: A system reboot is required after making this change to the registry.

Review the following Microsoft article regarding the different TLS versions:  https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)

4.  Verify that the TLS settings changed by using IISCrypto.exe
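
A read-only check for steps 3 and 4, as an added example that is not part of the original article: it confirms that ControlSet001 (the path AddTLS.reg writes to) is the control set Windows is running from, and reports what is set under the TLS 1.2 Client and Server keys. Assumptions: Enabled and DisabledByDefault are the standard Schannel value names documented by Microsoft and do not appear in the article's .reg file; the function name and output columns are hypothetical.

```powershell
# Added example: read-only audit of the Schannel TLS 1.2 keys from step 3.
# The function name and output columns are hypothetical, not from the article.
function Get-Tls12SchannelState {
    param(
        # Control set that the article's AddTLS.reg writes to.
        [string]$ControlSet = 'ControlSet001'
    )

    # HKLM\SYSTEM\Select\Current holds the number of the control set in use;
    # CurrentControlSet is a link to that set.
    $current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Current).Current
    $active  = 'ControlSet{0:D3}' -f $current

    foreach ($role in 'Client', 'Server') {
        $path = "HKLM:\SYSTEM\$ControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$role"
        $exists = Test-Path -LiteralPath $path
        $enabled = $null
        $disabledByDefault = $null
        if ($exists) {
            # GetValue returns $null when the key exists but the value does not.
            $key = Get-Item -LiteralPath $path
            $enabled = $key.GetValue('Enabled', $null)
            $disabledByDefault = $key.GetValue('DisabledByDefault', $null)
        }

        if ($null -eq $enabled -and $null -eq $disabledByDefault) {
            $state = 'No values set: OS default applies'
        } elseif ($null -ne $enabled -and $enabled -eq 0) {
            $state = 'Disabled'
        } elseif ($null -ne $enabled -and $disabledByDefault -eq 0) {
            $state = 'Explicitly enabled'
        } else {
            $state = 'Partially configured: review both values'
        }

        [pscustomobject]@{
            Role              = $role
            KeyExists         = $exists
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            State             = $state
            TargetsActiveSet  = ($ControlSet -eq $active)
        }
    }
}

Get-Tls12SchannelState | Format-Table -AutoSize
```

A TargetsActiveSet value of False means the imported file changed a control set that Windows is not currently using.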

You may also consider this:
In some scenarios, if the customer is allowing only TLS 1.2 on the SMP and SQL Server, .NET tries to use TLS 1.0 by default, and TLS 1.2 needs to be properly called by it.
There are certain places in the registry that need to be modified to force TLS 1.2 to be the only one in use by .NET.

  1. Add (or modify if these already exist) the following registry keys with the specified values: