This monitor checks overall compliance with TLS 1.2 enforcement. It verifies that all less secure protocols (SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1) are disabled, that TLS 1.2 is enabled, that .NET strong cryptography is enabled, and that applications are allowed to use the OS default TLS settings.
This monitor assesses the following registry keys and values:
HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

For SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 (Client AND Server), the values and settings checked are:

Value | Setting
--- | ---
DisabledByDefault | 0
Enabled | 0

For TLS 1.2 (Client AND Server), the values and settings checked are:

Value | Setting
--- | ---
DisabledByDefault | 1
Enabled | 1
For Strong Cryptography and use of the OS default TLS settings, the following values are evaluated under each of the keys below:

Key
---
HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727

Value | Setting
--- | ---
SchUseStrongCrypto | 1
SystemDefaultTlsVersions | 1
The monitor reports an unhealthy (Warning) state if TLS 1.2 is not enabled, if any other protocol is not completely disabled, or if strong cryptography or the use of OS default TLS settings is not enabled.
Review the dashboard and understand the settings for your device. See the key below.

State | Meaning
--- | ---
Not Set | No registry keys exist for this particular protocol
Negotiable | Keys are present, but not both of the registry values required to disable the protocol are set
Disabled | The protocol is both disabled by default and disabled
Enabled | The protocol is both enabled by default and enabled
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
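The following PowerShell is an added example, not the management pack's own monitor script. It reads the registry locations listed above on the local machine and returns the four properties the alert references ('TLS 1.2', 'Less Secure Protocols', 'StrCrypto', 'App Default Security') plus an overall state. Protocol classification is my reading of the legend above: 'Disabled' means DisabledByDefault=1 and Enabled=0, 'Enabled' means DisabledByDefault=0 and Enabled non-zero, as documented in the Microsoft TLS registry settings page linked above; the function and property names are assumptions.

```powershell
# Added example; not part of the management pack. Run in an elevated PowerShell on the host being assessed.
$SchannelRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$DotNetKeys      = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727'
)

function Get-ProtocolState {
    # Classifies one <Protocol>\<Client|Server> key using the legend: Not Set / Negotiable / Disabled / Enabled
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Side)
    $key = Join-Path $SchannelRoot "$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'Not Set' }
    $p = Get-ItemProperty -Path $key
    if ($p.DisabledByDefault -eq 1 -and $p.Enabled -eq 0) { return 'Disabled' }
    if ($p.DisabledByDefault -eq 0 -and $null -ne $p.Enabled -and $p.Enabled -ne 0) { return 'Enabled' }
    return 'Negotiable'   # key exists but the two values do not pin the protocol to one state
}

function Test-DotNetValue {
    # True only when every .NET key above carries the named value set to 1 (missing key or value fails)
    param([string]$Name)
    foreach ($k in $DotNetKeys) {
        $v = (Get-ItemProperty -Path $k -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($v -ne 1) { return $false }
    }
    return $true
}

function Get-TlsCompliance {
    $legacy = foreach ($proto in $LegacyProtocols) {
        foreach ($side in 'Client', 'Server') { Get-ProtocolState $proto $side }
    }
    $tls12 = foreach ($side in 'Client', 'Server') { Get-ProtocolState 'TLS 1.2' $side }

    $r = [ordered]@{
        'TLS 1.2'               = if (@($tls12  | Where-Object { $_ -ne 'Enabled'  }).Count -eq 0) { 'Enabled' }  else { 'Not Enabled' }
        'Less Secure Protocols' = if (@($legacy | Where-Object { $_ -ne 'Disabled' }).Count -eq 0) { 'Disabled' } else { 'Not Fully Disabled' }
        'StrCrypto'             = Test-DotNetValue 'SchUseStrongCrypto'
        'App Default Security'  = Test-DotNetValue 'SystemDefaultTlsVersions'
    }
    # Mirrors the monitor's rule: any single failing item makes the overall state NonCompliant
    $r['State'] = if ($r['TLS 1.2'] -eq 'Enabled' -and $r['Less Secure Protocols'] -eq 'Disabled' -and
                      $r['StrCrypto'] -and $r['App Default Security']) { 'Compliant' } else { 'NonCompliant' }
    [pscustomobject]$r
}

Get-TlsCompliance | Format-List
```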
Property | Value
--- | ---
Target | Security.Protocol.Provider.Class
Parent Monitor | System.Health.SecurityState
Category | SecurityHealth
Enabled | True
Alert Generate | True
Alert Severity | MatchMonitorHealth
Alert Priority | Normal
Alert Auto Resolve | True
Monitor Type | TLS.Compliance.Monitor.UnitMonitorType
Remotable | True
Accessibility | Public
Alert Message | 
RunAs | Default
<UnitMonitor ID="TLS.Compliance.Monitor" Accessibility="Public" Enabled="true" Target="Security.Protocol.Provider.Class" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="TLS.Compliance.Monitor.UnitMonitorType" ConfirmDelivery="false">
  <Category>SecurityHealth</Category>
  <AlertSettings AlertMessage="TLS.Compliance.Monitor.Alert.Message">
    <AlertOnState>Warning</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/Property[@Name='TLS 1.2']$</AlertParameter1>
      <AlertParameter2>$Data/Context/Property[@Name='Less Secure Protocols']$</AlertParameter2>
      <AlertParameter3>$Data/Context/Property[@Name='StrCrypto']$</AlertParameter3>
      <AlertParameter4>$Data/Context/Property[@Name='App Default Security']$</AlertParameter4>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="Compliant" MonitorTypeStateID="Compliant" HealthState="Success"/>
    <OperationalState ID="NonCompliant" MonitorTypeStateID="NonCompliant" HealthState="Warning"/>
  </OperationalStates>
  <Configuration>
    <TimeoutSeconds>120</TimeoutSeconds>
    <IntervalSeconds>900</IntervalSeconds>
  </Configuration>
</UnitMonitor>