TLS 1.0 and TLS 1.1 End is Near!

If you are an Office 365 admin like myself, you may have received many notifications from Microsoft about TLS 1.0 being deprecated in their infrastructure, which will affect customers who don’t move to TLS 1.2 in time. They first announced this would take effect from 31st Oct 2018, but have extended support until 1st June 2020.

This has been announced because vulnerabilities have been found in the older TLS versions, which cause many security issues, especially the POODLE attack.
Almost all web services are preparing for the change.

This simply means that client-server and client-browser connections must use TLS 1.2 going forward.

This article is a quick guide on what you need to check and how to prepare for the change to Office 365 services.

Where to look for the notification in the Admin Center?

By now you may have received the message MC186218 as below.

How does this affect the MS ecosystem?

Microsoft announced an upcoming change: secure connections to Office 365 will only be initiated and accepted when secured by TLS 1.2.

The Outlook client will stop connecting to Office 365 to authenticate if the client computer does not have TLS 1.2 enabled.
It is recommended that dependencies on all security protocols older than TLS 1.2 be removed where possible (TLS 1.1, TLS 1.0, SSLv3, SSLv2).

The Microsoft doc at https://docs.microsoft.com/en-us/security/solving-tls1-problem mentions the following.
Also note that Microsoft Edge and Internet Explorer 11 will both drop TLS 1.0/1.1 support in 2020. More information on TLS version support by browser can be found here: https://caniuse.com/#search=tls


Connectors and Partner connections in Exchange Online
If you don’t have a third-party spam filter or a partner Exchange or email system sitting between Office 365 and the Internet, you should be fine. If you do, the EXO connectors and that partner system should be configured with TLS 1.2 enabled so they accept the connections coming from the Office 365 end.

The following clients are known to be unable to use TLS 1.2:

  • Android 4.3 and earlier versions
  • Firefox version 5.0 and earlier versions
  • Internet Explorer 8-10 on Windows 7 and earlier versions
  • Internet Explorer 10 on Windows Phone 8
  • Safari 6.0.4/OS X10.8.4 and earlier versions

More on Windows Operating Systems

The Microsoft article here explains how it works on the different operating systems.
The key point is that both TLS 1.1 and TLS 1.2 are enabled by default on Windows 8.1 and later versions. Before that, they were disabled by default and need to be enabled manually, either via a GPO (which I’ve explained below) or on a per-user basis.
The table below gives you a better view of the matrix.

How to get the TLS deprecation report on the users from Office 365 Admin Center?

  • Log in to https://protection.office.com with your Office 365 Global Admin credentials.
  • Go to Microsoft Secure Score on the homepage (https://securescore.microsoft.com/).
  • Navigate to Improvement actions and you’ll see the action item “Remove TLS 1.0/1.1 and 3DES dependencies”; if you click on it, you’ll see the status as Completed or Not Completed.
  • Click the Review button and you’ll be redirected to the Microsoft Service Trust Portal.
  • Download the “TLS deprecation report”.
  • The downloaded file will look like this. You’ll be able to identify the computers by username, and it shows what OS and Office clients they are running.

Check for SMTP clients in your environment that use TLS 1.0 or TLS 1.1 to connect to Office 365 for mail relay services

  • Click ‘SMTP Auth Clients Report’; it shows a pivot of TLS version usage.
  • Click the ‘report’ link.
  • The TLS pivot shows the summary of TLS usage for your organization. Click ‘View details table’ to see TLS usage per user.
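The report above tells you which accounts are still relaying over TLS 1.0/1.1, but not whether a given relay host will negotiate TLS 1.2 once the old versions are switched off. The following PowerShell function is an added example, not part of the original post: run from the relay host, it opens an SMTP session to a submission endpoint, issues STARTTLS, and reports the TLS version and cipher that host negotiates with its current OS defaults. The server name and the EHLO name are placeholders you substitute; it assumes outbound TCP 587 is allowed.

```powershell
# Added example (not from the original post). Checks which TLS version this host
# negotiates when it STARTTLS-upgrades an SMTP submission session.

function Read-SmtpResponse {
    param([System.IO.StreamReader]$Reader)
    # SMTP replies can span several lines; continuation lines have '-' after the 3-digit code.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines   # keep the array intact even when there is a single line
}

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 587,
        [string]$EhloName = 'tlscheck.example'   # constructed client name, not a real host
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $tcp.GetStream()
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $banner = Read-SmtpResponse $reader
        if (-not $banner[-1].StartsWith('220')) { throw "Unexpected banner: $($banner[-1])" }

        $writer.WriteLine("EHLO $EhloName")
        $ehlo = Read-SmtpResponse $reader
        if (-not ($ehlo -match '^250[ -]STARTTLS$')) { throw 'Server does not advertise STARTTLS' }

        $writer.WriteLine('STARTTLS')
        $ready = Read-SmtpResponse $reader
        if (-not $ready[-1].StartsWith('220')) { throw "STARTTLS refused: $($ready[-1])" }

        # Upgrade the socket. AuthenticateAsClient without an explicit protocol list uses the
        # system default, so the result reflects the SCHANNEL configuration of this host.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false)
        $ssl.AuthenticateAsClient($Server)
        $result = [pscustomobject]@{
            Server           = $Server
            Port             = $Port
            TlsVersion       = $ssl.SslProtocol
            Cipher           = $ssl.CipherAlgorithm
            CipherStrength   = $ssl.CipherStrength
            TlsTwelveOrNewer = ($ssl.SslProtocol -ge [System.Security.Authentication.SslProtocols]::Tls12)
        }
        $ssl.Dispose()
        return $result
    } finally {
        $tcp.Close()
    }
}

# Usage: replace the placeholder with the submission endpoint your relay actually uses.
$smtpHost = 'smtp.office365.com'
Test-SmtpStartTls -Server $smtpHost
```

A result of Tls or Tls11 on a host means that host (or the .NET version its application runs on) will stop relaying when the service enforces TLS 1.2, so it belongs on the remediation list regardless of what the portal report says about it today.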

Where to look, and what to look for?

As I’ve explained before, this is solely an OS dependency and needs to be checked in Internet Properties, because that is where the OS reads its security protocol configuration for communicating with the Internet.

As we all know, the settings sit in IE Tools -> Internet Options -> Advanced, under the Security section. This shows the protocols that are supported by the SCHANNEL component of the OS.

Below is what you can see in a Windows 10 machine.
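The Internet Options check boxes are just a view onto the registry: the tick boxes write the SecureProtocols bitmask under HKCU, and the SCHANNEL protocol keys under HKLM decide what the OS will actually negotiate. The following read-only PowerShell script is an added example, not from the original post: it lists each SSL/TLS protocol key for both the Client and Server sides, explains the Enabled/DisabledByDefault combination it finds, and decodes the current user's SecureProtocols value. The bit values (0x08, 0x20, 0x80, 0x200, 0x800) are the documented SecureProtocols/DefaultSecureProtocols bits; the state labels are this example's own wording.

```powershell
# Added example (not from the original post). Reads the local SCHANNEL protocol keys and the
# Internet Options SecureProtocols bitmask and reports the effective state. Read-only.

$schannelBase  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocolNames = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# Bit values used by the SecureProtocols (Internet Options) and DefaultSecureProtocols (WinHTTP) DWORDs.
$protocolBits = [ordered]@{ 'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

function Get-SchannelProtocolState {
    foreach ($p in $protocolNames) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $schannelBase "$p\$side"
            $enabled = $null; $dbd = $null
            if (Test-Path $key) {
                $props   = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $dbd     = $props.DisabledByDefault
            }
            # Enabled=0 turns the protocol off outright. DisabledByDefault=1 keeps it available but
            # not offered unless an application asks for it. With neither value present the OS
            # default applies (TLS 1.1/1.2 are on by default only from Windows 8.1 onwards).
            if ($enabled -eq 0)   { $state = 'Disabled' }
            elseif ($dbd -eq 1)   { $state = 'Available, not offered by default' }
            elseif ($dbd -eq 0)   { $state = 'Enabled and offered' }
            else                  { $state = 'OS default' }
            [pscustomobject]@{
                Protocol = $p; Side = $side
                Enabled = $enabled; DisabledByDefault = $dbd; State = $state
            }
        }
    }
}

function Get-InternetOptionsProtocols {
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $value = (Get-ItemProperty -Path $ieKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $value) { return 'SecureProtocols not set (Internet Options uses the OS default)' }
    $ticked = $protocolBits.Keys | Where-Object { ($value -band $protocolBits[$_]) -ne 0 }
    return ('SecureProtocols = 0x{0:X} -> {1}' -f $value, ($ticked -join ', '))
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-InternetOptionsProtocols
```

On a Windows 7 machine that has never been touched, expect the TLS 1.1 and TLS 1.2 rows to come back as "OS default" (which there means not offered) and SecureProtocols to decode to at most TLS 1.0; that is the state the GPO in the next section is meant to correct.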


A group policy to enable TLS 1.2

This is a Group Policy that basically makes a few registry edits.

Reminder: Please create the HKLM edits in Computer Configuration and the HKCU edits in User Configuration in the GPO.

Basically you can target your aged OSes with this GPO, but it is recommended to upgrade them to the latest Windows 10, as Windows 7 will soon go out of support (extended support ends on January 14, 2020).

The recommended registry key that needs to be created and updated is:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
  DisabledByDefault, REG_DWORD, 0


But if you don’t see that reflected in the IE settings as above, you may need to check the values below as well, as together they cover all the parts of the registry that control TLS 1.2.

Each entry gives the hive and key path, the value name, the value type, the value data, and the GPO section (Computer Configuration or User Configuration) to create it in:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    SecureProtocols, REG_DWORD, 0xA80 (User Configuration)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    DisabledByDefault, REG_DWORD, 0 (Computer Configuration)
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    DefaultSecureProtocols, REG_DWORD, 0xA80 (Computer Configuration)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    DefaultSecureProtocols, REG_DWORD, 0xA80 (Computer Configuration)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    Enabled, REG_DWORD, 0xFFFFFFFF (Computer Configuration)
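For machines that are not domain-joined, or to confirm on one host that the GPO landed, the same five values can be applied and verified directly. The PowerShell below is an added example, not from the original post or from Microsoft: it carries the table above as data, writes any value that is missing or different, and then reads everything back. It assumes an elevated session on the host being changed; the SCHANNEL change takes effect after a reboot, and the HKCU value is only written for the user running the script (the GPO's User Configuration is what applies it to everyone).

```powershell
# Added example (not from the original post). Applies the registry values from the table
# above and verifies them. Run Set-Tls12RegistryValues -WhatIf first to preview changes.

$tls12Settings = @(
    # Internet Options -> Advanced -> Security check boxes (per user). 0xA80 = TLS 1.0 | TLS 1.1 | TLS 1.2.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'SecureProtocols'; Value = 0xA80 }
    # SCHANNEL client side of TLS 1.2: offered by default and enabled.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Value = 0 }
    # -1 as a 32-bit DWORD is 0xFFFFFFFF, the value the table uses (any non-zero value enables).
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled'; Value = -1 }
    # WinHTTP defaults (64-bit and 32-bit views), used by applications that do not pick protocols themselves.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols'; Value = 0xA80 }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols'; Value = 0xA80 }
)

function Get-CurrentDword {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-Tls12RegistryValues {
    [CmdletBinding(SupportsShouldProcess)]
    param([array]$Settings = $tls12Settings)
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) {
            if ($PSCmdlet.ShouldProcess($s.Path, 'Create registry key')) {
                New-Item -Path $s.Path -Force | Out-Null
            }
        }
        $current = Get-CurrentDword -Path $s.Path -Name $s.Name
        if ($current -eq $s.Value) { continue }   # already compliant, leave it alone
        $target = "$($s.Path)\$($s.Name)"
        if ($PSCmdlet.ShouldProcess($target, ('Set REG_DWORD to 0x{0:X8}' -f $s.Value))) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

function Test-Tls12RegistryValues {
    param([array]$Settings = $tls12Settings)
    foreach ($s in $Settings) {
        $current = Get-CurrentDword -Path $s.Path -Name $s.Name
        $actual  = if ($null -eq $current) { '<not set>' } else { '0x{0:X8}' -f $current }
        [pscustomobject]@{
            Path      = $s.Path
            Name      = $s.Name
            Expected  = '0x{0:X8}' -f $s.Value
            Actual    = $actual
            Compliant = ($current -eq $s.Value)
        }
    }
}

# Usage: preview, apply, then verify.
Set-Tls12RegistryValues -WhatIf
Set-Tls12RegistryValues
Test-Tls12RegistryValues | Format-Table -AutoSize
```

One thing to keep in mind about the two 0xA80 values: that mask still includes the TLS 1.0 (0x80) and TLS 1.1 (0x200) bits, so it makes TLS 1.2 available to IE and WinHTTP without removing the older versions. Once the Secure Score report shows nothing depends on them, 0x800 (TLS 1.2 only) is the value that actually retires them for those two components.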

More resources to refer

Please refer to the articles below; they will help you become aware of this upcoming change and show how you can make your environment free of TLS vulnerabilities.

Solving the TLS 1.0 Problem
Preparing for TLS 1.2 in Office 365
More on protocols

Featured photo credits: https://www.pexels.com/photo/broken-lock-gym-locker-locker-room-809598/
