Forum Discussion

Tim Hunter's avatar
Tim Hunter
Steel Contributor
Feb 01, 2019

Remove TLS 1.0/1.1 and 3DES Dependencies

When I went to http://servicetrust.microsoft.com to see any users still using TLS 1.9/1.1. How do I remove TLS 1.0/1.1. How do I go about making these compatible so they work come February 28, 2019 when Office 365 retires 3DES? Thank you for your help. Here is what I get:

Notice: This report includes 3DES and TLS1.0/1.1 usages.    
     
UserName / IP address Protocol Agent Count Report Date
xxxx@wynnetr.comTLS1.0/1.1Microsoft+BITS/7.5121/30/2019
xxxx@wynnetr.comTLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro)21/30/2019
xxxx@wynnetr.comTLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro)11/30/2019
xxxx@wynnetr.comTLS1.0/1.1Android-SAMSUNG-SM-G930V/101.8000011/30/2019
xxxx@wynnetr.comTLS1.0/1.1Android-SAMSUNG-SM-G360V/101.5010121/30/2019
xxxx@wynnetr.comTLS1.0/1.1Apple-iPhone8C4/1507.7711/30/2019
xxxx@wynnetr.comTLS1.0/1.1Microsoft+BITS/7.581/30/2019
Exchange Server
office 365
TLS
  • Eric1972's avatar
    Eric1972
    Copper Contributor
    Feb 07, 2019

    This is a great question. I have read that the issue with the Apple mail native iPhone app was corrected in iOS 10, but I still see iPhones with iOS 10 showing up on the report. I also see one Microsoft Office 2016 client showing up on the report (using Windows 10 OS). I have no idea why that client machine would be using a lower flavor of TLS. I could disable TLS 1.0 and 1.1 on the client machine, but unfortunately, many websites still use 1.0 for whatever reason.

     

    I received an email from Office 365 urging me to run this report, probably like most of you. I ran it and see some TLS 1 usage. It would be nice to get some guidance on this subject from Microsoft. Any pointers anyone can provide would be awesome!

     

    Eric

    • AliceChained's avatar
      AliceChained
      Copper Contributor
      Mar 04, 2019

      But iOS is on ver 12 now?!? Who's still on 10?

      Found this thread trying to figure out why I have one iPhone (out of a half dozen) showing on my report.

      No one figured that out yet?

       

      • Forrest_H's avatar
        Forrest_H
        Steel Contributor
        Mar 25, 2019

        AliceChained  I have been researching the same thing for the past few hours.  I even went so far as to post a question on the Apple Community .

        I am pulling my hair out because I do not use iPhone and unsure how to force them to use TLS 1.2 . 

        In my Security Score Report this is what I see;

         Protocol Agent Count
        TLS1.0/1.1Apple-iPhone11C8/1604.572
        TLS1.0/1.1Apple-iPhone8C1/1604.391
        TLS1.0/1.1Apple-iPhone10C4/1604.573

         

        I may have found a clue on one of the other MS Exchange blog sites. About half way down in the Notes.  It seems if the client is using Authenticated SMTP the Exchange server logs it wrong and TLS 1.2 may be used after all. This blog is referring to Exchange on-Prem servers so not sure how relevant it is.

        If anyone here knows how to configure TLS 1.2 on iPhone native mail app please give me some clues.

        Thanks

  • guptashash's avatar
    guptashash
    Copper Contributor
    Feb 02, 2019

    Even I went ahead and tried to research on the topic, no such information is available. 

     Protocol Agent
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6)
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro)
    TLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro)
    TLS1.0/1.1MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6)
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.7190;+Pro)
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro)
    TLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro)
    TLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro)
    TLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+6.3;+Microsoft+Outlook+16.0.11126;+Pro)
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6)
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Android-SAMSUNG-SM-G570F/101.80000
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro)
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6)
    TLS1.0/1.1Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.7190;+Pro)
    TLS1.0/1.1Android-SAMSUNG-SM-G570F/101.700
    TLS1.0/1.1MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6)
    TLS1.0/1.1Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro)
    TLS1.0/1.1Apple-iPhone8C1/1602.92
    TLS1.0/1.1-
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6)
    TLS1.0/1.1Microsoft+BITS/7.5
    TLS1.0/1.1

    Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.10730;+Pro)

     

     

    Not sure why Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.10730;+Pro) still using TLS 1.0/1.1 ?

    • David Kamp's avatar
      David Kamp
      Brass Contributor
      Feb 04, 2019
      My report Also shows the +(Windows+NT+10.0;+Microsoft+Outlook+16.0.10730;+Pro) still using TLS 1.0/1.1 and
      Several Apple-iPhone
      What / Why would the two items be on the list?
      • Alan_McFarlane's avatar
        Alan_McFarlane
        Iron Contributor
        Feb 19, 2019
        Looking on Sunday night at the reports of my ~20 client tenants, there seems to have been a change. None of them now contain any Win10 (Office16/15) entries. So I’m wondering if there was a bug in the reports and it’s been fixed!

        Anyone see the same?

        The reports look a bit sparse also however. MNy have no rows. Perhaps the school holidays last week meant less folk were connecting? The reports clearly aren’t cumulative over all time, as entries from an older report don’t always appear in a later one. I wonder what needs to happen to make a device appear, is it just to connect to read mail etc, or it that it needs to re-authenticate e.g. after 14 days etc?
  • Alan_McFarlane's avatar
    Alan_McFarlane
    Iron Contributor
    Feb 01, 2019
    Good question! I don’t understand why Windows+NT+10.0 myself. So looking for an answer too. In fact I asked such a question here before.

    I had learned that BITS is used to download the address book (OAB). So those lines should…mean Windows 7, but given we saw win10 above…
    • C_the_S's avatar
      C_the_S
      Bronze Contributor
      Feb 07, 2019
      Alan_McFarlane wrote:
      I had learned that BITS is used to download the address book (OAB). So those lines should…mean Windows 7, but given we saw win10 above…

       

      That sounds like something that Microsoft has to update, as our systems (Office 2016 & Windows 7) support TLS 1.2 for the services that are at that level. But if their services (BITS) isn't supporting it from their end how can we be "compliant"?

Resources