Contents x
    Enforcing UseStrongCrypto & TLS 1.2
    • 09 Apr 2025
    • 2 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    Contents

    Enforcing UseStrongCrypto & TLS 1.2

    • Updated on 09 Apr 2025
    • 2 Minutes to read
    • Contributors
    • Print
    • Dark
      Light
    Article summary

    Versions of .NET 4.5 and older have TLS configurations independent of system-level TLS settings. Administrators will often secure servers and workstations by disabling the older TLS 1.0 protocol. If the lower protocols have been disabled on either or of the clients or server, a client to server sync will fail because a secure connection on the same protocol cannot be established between the two.

    The following are instructions, in the necessary order, for enabling and enforcing TLS 1.2 and UseStrongCrypto, and disabling TLS 1.0 and 1.1 on your MFA server.

    Backups

    Before continuing, please take a backup of your server with a snapshot, or a backup of the server's registry and MFA Server Key.

    About UseStrongCrypto (from Microsoft's knowledge base)

    The HKLM\SOFTWARE[Wow6432Node]Microsoft.NETFramework<VERSION>: SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2 and TLS 1.1) and blocks protocols that aren't secure. A value of 0 disables strong cryptography. For more information, see documentation about the SCH_USE_STRONG_CRYPTO flag. This registry setting affects only outgoing client connections in your application.

    If your app targets .NET Framework 4.6 or later versions, this key defaults to a value of 1. That's a secure default that we recommend. If your app targets .NET Framework 4.5.2 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

    This key should only have a value of 0 if you need to connect to legacy services that don't support strong cryptography and can't be upgraded.

    To read more, visit Microsoft's TLS KB article.

    Download the File

    Download the file by clicking 👉 here 👈


    The TLS1.2+UseStrongCrypto.reg file makes the following changes:

    • Disables IPv6
    • Disables SSLv2
    • Disables SSLv3
    • Disables TLS 1.0
    • Disables TLS 1.1

    If your environment requires the lower protocols to stay intact for any reason, edit the downloaded file and adjust the flags as necessary, or remove the registry keys that disable the lower protocols entirely.

    Updating the MFA Server

    1. Update the MFA SQL database settings by using the following query to insert the necessary values into the dbo.Settings table. This tells the MFA server software it is using TLS 1.2. It can also be done manually using the "Edit Top 200 Rows" option.

      --if your db name is different than 'ONE', be sure to update this query before running
USE [ONE]
INSERT INTO Settings
VALUES ('UseTLS12','True',1);

    2. Create a backup of your server's registry settings (if you have not already).

    3. Run or 'Merge' the TLS1.2+UseStrongCrypto.reg file.

    4. Restart your MFA server for the changes to fully take effect.

    Updating the MFA Clients

    For updating your clients to TLS 1.2 as well, run the same registry file on your client computers and perform a restart.

    Was this article helpful?
    What's Next