Enforcing UseStrongCrypto & TLS 1.2
  • 09 Apr 2025

Article summary

Versions of .NET Framework 4.5 and older have TLS configurations that are independent of the system-level TLS settings. Administrators often secure servers and workstations by disabling the older TLS 1.0 protocol. If the lower protocols have been disabled on either the client or the server, a client-to-server sync will fail, because the two sides cannot establish a secure connection on a protocol they both support.

The following are instructions, in the necessary order, for enabling and enforcing TLS 1.2 and UseStrongCrypto, and disabling TLS 1.0 and 1.1 on your MFA server.

Backups

Before continuing, please take a backup of your server with a snapshot, or a backup of the server's registry and MFA Server Key.

About UseStrongCrypto (from Microsoft's knowledge base)

The HKLM\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2 and TLS 1.1) and blocks protocols that aren't secure. A value of 0 disables strong cryptography. For more information, see documentation about the SCH_USE_STRONG_CRYPTO flag. This registry setting affects only outgoing client connections in your application.

If your app targets .NET Framework 4.6 or later versions, this key defaults to a value of 1. That's a secure default that we recommend. If your app targets .NET Framework 4.5.2 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

This key should only have a value of 0 if you need to connect to legacy services that don't support strong cryptography and can't be upgraded.

To read more, visit Microsoft's TLS KB article.

Download the File

Download the file by clicking 👉 here 👈


The TLS1.2+UseStrongCrypto.reg file makes the following changes:

  • Disables IPv6
  • Disables SSLv2
  • Disables SSLv3
  • Disables TLS 1.0
  • Disables TLS 1.1

If your environment requires the lower protocols to stay intact for any reason, edit the downloaded file and adjust the flags as necessary, or remove the registry keys that disable the lower protocols entirely.


Updating the MFA Server

  1. Update the MFA SQL database settings by running the following query, which inserts the necessary values into the dbo.Settings table. This tells the MFA server software that it is using TLS 1.2. The same row can also be added manually using the "Edit Top 200 Rows" option.

    -- if your database name is different from 'ONE', update this query before running it
    USE [ONE]
    INSERT INTO Settings
    VALUES ('UseTLS12','True',1);
    
  2. Create a backup of your server's registry settings (if you have not already).

  3. Run or 'Merge' the TLS1.2+UseStrongCrypto.reg file.

  4. Restart your MFA server for the changes to fully take effect.
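After the restart, the following PowerShell audit script (added here as an example; it is not part of the original article or the vendor's .reg file, whose exact contents are not shown) reads the standard SCHANNEL protocol keys and the .NET SchUseStrongCrypto values and reports whether each matches the hardened state the procedure above is meant to produce. The CLR version subkeys and SCHANNEL value names it checks are the standard Windows locations, not values taken from the page.

```powershell
# Added audit script: verifies the registry state after merging the .reg file.
# Assumption: standard Windows locations for the .NET and SCHANNEL settings.
function Test-TlsHardening {
    $findings = @()

    # .NET Framework: SchUseStrongCrypto must be 1 in both the 64-bit and
    # Wow6432Node hives for each installed CLR version.
    $netRoots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    foreach ($root in $netRoots) {
        foreach ($ver in 'v4.0.30319', 'v2.0.50727') {
            $key = Join-Path $root $ver
            if (-not (Test-Path $key)) { continue }   # CLR version not installed
            $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SchUseStrongCrypto
            # An absent value counts as a failure: the .reg file writes it explicitly.
            $findings += [pscustomobject]@{ Check = "$key\SchUseStrongCrypto"; Expected = 1; Actual = $val; Pass = ($val -eq 1) }
        }
    }

    # SCHANNEL: legacy protocols must be disabled for both the Client and Server roles.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Client', 'Server') {
            $p = Get-ItemProperty -Path (Join-Path $schannel "$proto\$role") -ErrorAction SilentlyContinue
            # A missing key leaves the OS default in force (TLS 1.0/1.1 enabled on many builds),
            # so require Enabled=0 and DisabledByDefault=1 to be set explicitly.
            $disabled = ($null -ne $p) -and ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)
            $findings += [pscustomobject]@{ Check = "$proto $role disabled"; Expected = $true; Actual = $disabled; Pass = $disabled }
        }
    }

    # TLS 1.2 must remain usable: either no override key (OS default) or Enabled not 0.
    foreach ($role in 'Client', 'Server') {
        $p = Get-ItemProperty -Path (Join-Path $schannel "TLS 1.2\$role") -ErrorAction SilentlyContinue
        $enabled = ($null -eq $p) -or ($p.Enabled -ne 0)
        $findings += [pscustomobject]@{ Check = "TLS 1.2 $role enabled"; Expected = $true; Actual = $enabled; Pass = $enabled }
    }
    return $findings
}

$results = Test-TlsHardening
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'TLS hardening is incomplete; review the failing checks above before syncing clients.'
}
```

Run it in an elevated PowerShell session on the MFA server; a row with Pass = False points at the exact key the .reg file did not apply.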


Updating the MFA Clients

To update your clients to TLS 1.2 as well, run the same registry file on each client computer and restart it.
