Symantec Endpoint Encryption 11.3.0 and above disables TLS 1.0 and TLS 1.1 by default.
If Symantec Endpoint Encryption 11.3.0 or older are being used, Symantec recommends upgrading to the current versions for best security parameters.
Symantec never recommends using TLS 1.0 and all the new versions support TLS 1.2 only.
For Legacy clients, TLS 1.0 needs to be enabled for clients running releases prior to 11.1.0. SEE Clients running release 11.1.0 and above will therefore connect to the Endpoint Encryption Management Server (SEEMS) using TLS 1.2 automatically.
Of note, prior to release 11.3.0, Endpoint Encryption Management Server (SEEMS) used SQLOLEDB, the Microsoft OLE DB Provider for SQL Server, to connect to the Endpoint Encryption SQL Server database. SQLOLEDB does not support TLS 1.2. As a result, we highly recommend upgrading to the latest release of the SEE Management Server and SEE Clients.
In release 11.3.0 and above, SEEMS uses MSOLEDBSQL, the Microsoft OLE DB Driver for SQL Server to connect to the database. MSOLEDBSQL can use TLS 1.2.
If a TLS connection is being used to connect to the database, SEEMS releases prior to 11.3 cannot be configured to use only TLS 1.2.
If SEEMS is not using a TLS connection to connect to the database, the Windows Server hosting SEEMS can be updated to disable TLS 1.0 and 1.1 and enable TLS 1.2 for SEEMS releases 11.2 and 11.2.1.
To allow only TLS 1.2 to be used, upgrade the SEE Management Server and the SEE clients to the latest release of the software. As of this writing, SEE version 12 is the latest version and supports only TLS 1.2. Just be sure to check the option "Disable TLS 1.0 and TLS 1.1" in the SEEMS Configuration Manager to allow TLS 1.2. A reboot of the Windows server will be required.
Reference: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols registry key.
For further insight, reach out to Symantec Encryption Support.
EPG-22799