What happens when I enforce TLS 1.2 for Managed Domain Services

Gary C 0 Reputation points
2025-04-30T16:10:42.4166667+00:00

I received a health alert that TLS 1.2 will be enforced by August 31, 2025. I created a Compliance Policy "Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode" and see one compliance violation that shows Domain Services (which is managed) is using TLS 1.1 (screenshot below). We use Managed Entra (AD).

I also see where to enable TLS 1.2 Only Mode under "Security Settings" in "Microsoft Entra Domain Services".

TLS 1.2 Only Mode

Enable or disable TLS 1.2 only mode for your managed domain. When this mode is enabled, any client making a request that is not using TLS 1.2 will fail.

  • Disable
  • Enable

My concern or question is, what happens when I enable TLS 1.2 Only Mode? Again, the only thing reported from the Policy I created shows Domain Services. So, will Domain Services stop working or will it now utilize TLS 1.2?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator
    2025-05-02T14:27:57.7566667+00:00

    Hello Gary C,

    As per the Health Alert recommendations, you have created a compliance policy that all domains should use TLS 1.2, and you found one machine with TLS 1.1.

    And, as you mentioned, when you enable TLS 1.2 only mode, any client making a request with TLS 1.1 will fail.

    The Microsoft Entra Device Registration Service is used to connect devices to the cloud with a device identity. The Microsoft Entra Device Registration Service currently supports using Transport Layer Security (TLS) 1.2 for communications with Azure. To ensure security and best-in-class encryption, Microsoft recommends disabling TLS 1.0 and 1.1.

    Backward Compatibility Issues

    Any client (browser, application, or service) that does not support TLS 1.2 will no longer be able to establish a secure connection with your server.

    The following clients are known to be unable to support TLS 1.2. Update your clients to ensure uninterrupted access.

      • Android version 4.3 and earlier
      • Firefox version 5.0 and earlier
      • Internet Explorer versions 8-10 on Windows 7 and earlier
      • Internet Explorer 10 on Windows Phone 8.0
      • Safari version 6.0.4 on OS X 10.8.4 and earlier

    Please check the below registry keys to confirm which version of TLS is enabled.

    - Press the Windows key + R to start Run, type regedit, and press Enter or click OK.

    - Now go to the following key and check it. If it's present, the value should be 0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault

    - Also, check the following key. If you find it, its value should be 1:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled

    - If you can't find any of the keys or if their values are not correct, then TLS 1.2 is not enabled.

    I hope this information helps. If you have any questions please let me know and I will be glad to help you out.

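The answer above checks two registry values by hand and treats an absent key as "TLS 1.2 not enabled". The script below is an added example, not code from the original post or from Microsoft, that automates the same SCHANNEL check but distinguishes an absent key (the operating system default, which on Windows 8 / Server 2012 and later means TLS 1.2 is enabled) from an explicit Enabled=0 or DisabledByDefault=1. It also adds the two checks a practitioner wants before flipping the TLS 1.2 Only Mode switch: reading the managed domain's own tlsV1 setting through the Az module (the Azure Policy violation in the question reports the managed domain resource's setting, not a client machine; the property path domainSecuritySettings.tlsV1 is my assumption about the resource schema), and probing the managed domain's secure LDAP endpoint to see whether it still accepts a TLS 1.1 handshake. The hostname 'ldaps.example.com' and port 636 are placeholders to be replaced with your own secure LDAP DNS name. Run it in an elevated Windows PowerShell 5.1 or PowerShell 7 session; the Az part needs Connect-AzAccount first.

```powershell
# Added example (not from the original post). Assumed: local SCHANNEL keys are the
# authoritative client-side setting, the managed domain exposes secure LDAP on 636,
# and the ARM property domainSecuritySettings.tlsV1 carries the TLS 1.2 Only Mode state.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Reads Enabled / DisabledByDefault for each protocol and side.
    # An absent key is reported as "OS default" rather than "not enabled".
    param(
        [string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'),
        [string[]]$Sides     = @('Client', 'Server')
    )
    foreach ($proto in $Protocols) {
        foreach ($side in $Sides) {
            $path = Join-Path -Path (Join-Path $SchannelRoot $proto) -ChildPath $side
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $path) {
                $props             = Get-ItemProperty -Path $path
                $enabled           = $props.Enabled            # $null when the value is absent
                $disabledByDefault = $props.DisabledByDefault
            }
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                'OS default (key absent)'
            } elseif ($enabled -eq 0) {
                'Disabled (Enabled=0)'
            } elseif ($disabledByDefault -eq 1) {
                'Disabled by default (DisabledByDefault=1)'
            } else {
                'Enabled'                                      # Enabled=1 or 0xFFFFFFFF
            }
            [pscustomobject]@{
                Protocol = $proto; Side = $side
                Enabled = $enabled; DisabledByDefault = $disabledByDefault; State = $state
            }
        }
    }
}

function Get-DomainServicesTlsMode {
    # Reports the TLS 1.2 Only Mode state of every managed domain in the current
    # subscription. tlsV1 = 'Enabled' means TLS 1.0/1.1 are still accepted, which is
    # what the compliance policy in the question flags.
    Get-AzResource -ResourceType 'Microsoft.AAD/domainServices' -ExpandProperties |
        ForEach-Object {
            [pscustomobject]@{
                ManagedDomain = $_.Name
                ResourceGroup = $_.ResourceGroupName
                tlsV1         = $_.Properties.domainSecuritySettings.tlsV1
                Tls12OnlyMode = ($_.Properties.domainSecuritySettings.tlsV1 -eq 'Disabled')
            }
        }
}

function Test-TlsHandshake {
    # Attempts a TLS handshake restricted to one protocol version per attempt.
    # Certificate validation is skipped on purpose: the question is only which
    # versions the endpoint accepts, not whether the certificate chains.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 636,
        [System.Security.Authentication.SslProtocols[]]$Versions = @('Tls11', 'Tls12')
    )
    foreach ($version in $Versions) {
        $tcp = [System.Net.Sockets.TcpClient]::new()
        $ssl = $null
        try {
            $tcp.Connect($HostName, $Port)
            $ssl = [System.Net.Security.SslStream]::new(
                $tcp.GetStream(), $false, { param($s, $cert, $chain, $errors) $true })
            $ssl.AuthenticateAsClient($HostName, $null, $version, $false)
            [pscustomobject]@{ Host = $HostName; Port = $Port; Offered = $version
                               Accepted = $true; Negotiated = $ssl.SslProtocol; Error = $null }
        } catch {
            [pscustomobject]@{ Host = $HostName; Port = $Port; Offered = $version
                               Accepted = $false; Negotiated = $null
                               Error = $_.Exception.GetBaseException().Message }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Dispose()
        }
    }
}

# Usage. 'ldaps.example.com' is a placeholder for your secure LDAP DNS name.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-DomainServicesTlsMode  | Format-Table -AutoSize
Test-TlsHandshake -HostName 'ldaps.example.com' -Port 636 | Format-Table -AutoSize
```

Read the three outputs together. If the probe reports Tls11 as accepted before you enable TLS 1.2 Only Mode and rejected afterwards, the switch did what the UI text says; Domain Services itself keeps running, it just refuses the older handshake. A Tls11 "not accepted" result can also come from the probing machine's own SCHANNEL configuration (recent Windows builds disable TLS 1.0/1.1 by default), which is why the local protocol inventory is printed first. Finding which clients would actually break means looking at the secure LDAP clients' side, since the managed domain does not expose server-side protocol logs to you.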
