Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business
Published Aug 01 2018 02:13 PM 85.3K Views
Microsoft

INTRODUCTION

 

The purpose of this blog post is to provide the necessary guidance for our Skype for Business Server, Lync Server, and Skype for Business Online customers to prepare for the deprecation of TLS 1.0 and 1.1 in Office 365. 

 

Please carefully review all the information in this blog post as you prepare for the mandatory use of TLS 1.2 in Office 365. Note that there may be many dependencies and connectivity considerations in your environment, so extensive planning and testing are advised.

 

BACKGROUND

 

We are planning to discontinue support for Transport Layer Security (TLS) versions 1.0 and 1.1 in Microsoft Office 365 on October 31, 2018. This was previously announced in the following support article: https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

 

This change will provide our customers with best-in-class encryption. For more details on TLS, please consult the following whitepaper: here

 

For additional background understanding of TLS (and a great resource for Exchange customers), see the following blog post.

 

HOW TO PREPARE

 

If you would like to prepare your environments for the upcoming TLS 1.2 change, there are three general scenarios you should review and, if applicable to your organization, adequately plan and prepare for.

  1. Lync/Skype client connectivity to Office 365
  2. On-premises server integration w/Office 365
  3. 3rd party integration with Skype for Business Online

We will cover each of these scenarios independently in the following sections.

 

Lync/Skype client connectivity to Office 365


Lync and Skype for Business clients may connect to Skype for Business Online, Exchange Online or both, depending on where the accounts for these services are homed (online or on-premises). For example, if a Skype for Business client has their account homed in Lync Server 2013 on-premises, the client will still connect to Exchange Online if the respective mailbox for the user is homed in Office 365.


As such, you need to follow the guidance below if you fall into one of the following 3 client connectivity scenarios that have been flagged as 'Preparation required'.

 

| Mailbox Location | Lync/Skype account location | Preparation Required |
|---|---|---|
| Online | Online | Yes |
| On-premises | Online | Yes |
| Online | On-premises | Yes |
| On-premises | On-premises | No* |

 

*Although you are not required to prepare for client connectivity scenarios, you may still be required to remediate your on-premises infrastructure if you federate with any customers that reside in Skype for Business Online. This scenario will be covered further in the next section.

 

To prepare your organization for the client connectivity scenarios, you should ensure that your clients meet the following minimum versions.

 

  • Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 0.5023.1000 and higher
  • Skype for Business 2016 Desktop Client, MSI 0.4678.1000 and higher, including Basic
  • Skype for Business 2016 Click to Run requires the April 2018 updates:
    • Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher
    • Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher
  • Skype for Business on Mac 16.15 and higher
  • Skype for Business for iOS and Android 6.19 and higher

 

The following clients and devices do not fully support TLS 1.2, and therefore, you must transition to a fully TLS 1.2 capable version in the list.

 

  • Lync for Mac 2011
  • Lync 2013 for Mobile - iOS, iPad, Android or Windows Phone
  • Lync "MX" Windows Store client
  • All Lync 2010 clients
  • Lync Phone Edition. Further guidance for these devices is located here.
  • Lync Room System (a.k.a. SRS v1) – LRS reached end of support on October 9, 2018 and will not be updated to support TLS 1.2. Customers should consider migrating to SRS V2. See details here.

               

 

The following devices are actively working on supporting TLS 1.2 and are committed to providing support for TLS 1.2 before TLS 1.0/1.1 deprecation.

 

Skype Room System (a.k.a. 'SRSv2' or Rigel)  and Surface Hub guidance - 

 

Microsoft Teams Rooms (previously Skype Room System V2, SRS V2) has supported TLS 1.2 since December 2018. Room devices should have Microsoft Teams Room app version 4.0.64.0 (see Release Notes). The changes are backward and forward compatible. Surface Hub released TLS 1.2 support in May 2019.

 

TLS 1.2 support for Microsoft Teams Rooms and Surface Hub products also requires server side code changes:

  • Skype for Business Online server changes were made live in April 2019 and now support connecting Microsoft Teams Rooms & Surface Hub devices using TLS 1.2.
  • Skype for Business Server customers need to install a cumulative update to use TLS 1.2 with Teams Rooms Systems and Surface Hub:
    • Skype for Business Server 2015 – CU9, which was released in May 2019.
    • Skype for Business Server 2019 – CU1, which was previously planned for April 2019 but is delayed to June 2019.

 

Skype for Business on-premises customers should not disable TLS 1.0/1.1 prior to installing the specific CUs for SfB Server.

 

In addition to the preceding client remediation, it is important to ensure that the underlying OS and default browser support TLS 1.2. For Microsoft OS support, you can consult our TLS whitepaper. Note: Windows 7 does not have TLS 1.2 enabled by default. The aforementioned whitepaper includes guidance on how to enable TLS 1.2 in Windows 7. The following link provides guidance on TLS 1.2 capability for browsers: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

 

On-premises server integration w/Office 365

 

There are several hybrid topologies that are covered under this scenario.  This includes any integration or Hybrid with Skype for Business Online or Exchange Online.  For your reference, all the supported on-premises Skype to Exchange integration scenarios are covered here.

 

The following table provides an overview of the scenarios that require preparation and where to find the respective guidance.

 

| Deployed on-premises | Integration/Hybrid with | Preparation Required | Guidance |
|---|---|---|---|
| Skype for Business Server or Lync Server on-premises | Skype for Business Online | Yes | This article |
| Skype for Business Server or Lync Server on-premises | Federation with other customers or partners in Office 365 (current or future) | Yes | This article |
| Skype for Business Server or Lync Server on-premises | Exchange Server | Yes | This article |
| Exchange Server on-premises | Skype for Business Online | Yes | Follow the guidance in the Exchange blog series. |
| Cloud Connector Edition (CCE) | Skype for Business Online | No | CCE already communicates with Skype for Business Online with TLS 1.2 only. |
| Skype for Business Server or Lync Server on-premises | Exchange Server on-premises | No. (ensure you do not federate with customers in Office 365 as described in the first scenario) | N/A |

 

If your organization falls under the first four scenarios, you are required to upgrade your on-premises server environment to one of the following versions.

 

 

If you are a customer that is running Lync Server 2010, we recommend that you upgrade to Skype for Business Server 2015 HF2 6.0.9319.516 or higher.  Note: Hybrid or integration scenarios with Office Communications Server 2007 R2 or earlier are not supported. 

 

If you want to confirm that Skype for Business Server TLS 1.2 support has been properly configured, please install On-Premises Diagnostics for Skype for Business Server and execute the 'Check to see if TLS 1.0/1.1 deprecation is properly configured' diagnostic. For more details, please refer to How to use OPD.

 

3rd Party integration with Skype for Business Online

 

Skype for Business Online provides several supported SDKs and APIs. If you are using a product from a 3rd party vendor that integrates with the SDKs or APIs, then consult your vendor to ensure that it fully supports TLS 1.2. If you have written a custom in-house application that integrates with Skype for Business Online via these APIs and SDKs, then it is highly recommended that you follow the guidance in our TLS white paper. The white paper provides guidance to ensure your application is fully TLS 1.2 capable and on how to validate this through testing.

 

OTHER CONSIDERATIONS

 

Your organization's environment may include various networking or security devices, such as proxy servers, load balancers, or other networking components. Be sure to validate TLS 1.2 supportability, test carefully, and contact the vendor if needed.
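One way to validate what a server, proxy or load balancer actually negotiated is to read the ServerHello from a packet capture, since that message carries the protocol version the server selected. The following is an added example, not code from Microsoft or from this post; the flow names and sample records are constructed, and it assumes the ServerHello arrives in a single TLS record.

```python
import struct

# TLS protocol version code points (RFC 5246, RFC 8446).
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MINIMUM = 0x0303                   # the TLS 1.2 floor this post prepares for
EXT_SUPPORTED_VERSIONS = 0x002B    # carries the selected version in TLS 1.3


class ParseError(ValueError):
    """Raised when the bytes are not a complete ServerHello record."""


def negotiated_version(record: bytes) -> int:
    """Return the protocol version the server selected in a ServerHello."""
    if len(record) < 5:
        raise ParseError("truncated record header")
    content_type, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type == 0x15:
        raise ParseError("alert record: the server refused the handshake")
    if content_type != 0x16:
        raise ParseError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ParseError("truncated record body")
    if body[0] != 0x02:
        raise ParseError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ParseError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                   # skip server_version and random
    pos += 1 + hello[pos]          # skip session_id
    pos += 3                       # skip cipher_suite and compression_method
    if pos > len(hello):
        raise ParseError("session_id overruns the ServerHello")
    if pos + 2 <= len(hello):      # extensions are optional before TLS 1.3
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(len(hello), pos + ext_total)
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if (ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2
                    and pos + 2 <= end):
                # TLS 1.3 keeps server_version at 0x0303 and puts the
                # real version here.
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += ext_len
    return version


def sample_server_hello(legacy_version, selected=None) -> bytes:
    """Build a constructed ServerHello record (sample data, not a capture)."""
    cipher = 0x1301 if selected == 0x0304 else 0x002F
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"
    hello += struct.pack("!HB", cipher, 0)
    if selected is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    header = struct.pack("!BHH", 0x16, min(legacy_version, 0x0303),
                         len(handshake))
    return header + handshake


# Constructed flows with hypothetical names; replace with bytes exported
# from your own capture.
SAMPLE_FLOWS = {
    "edge-to-online": sample_server_hello(0x0303),
    "legacy-proxy": sample_server_hello(0x0301),
    "load-balancer-vip": sample_server_hello(0x0303, selected=0x0304),
    "room-device": sample_server_hello(0x0302),
    "blocked-path": b"\x15\x03\x01\x00\x02\x02\x46",  # protocol_version alert
}


def audit(flows: dict) -> dict:
    """Map each flow name to (label, meets_minimum)."""
    report = {}
    for name, record in flows.items():
        try:
            version = negotiated_version(record)
        except ParseError as exc:
            report[name] = (f"unparsed: {exc}", False)
            continue
        label = VERSION_NAMES.get(version, f"unknown 0x{version:04x}")
        report[name] = (label, version >= MINIMUM)
    return report


def needs_remediation(flows: dict) -> list:
    """Names of flows that negotiated below TLS 1.2 or could not be parsed."""
    return sorted(name for name, (_, ok) in audit(flows).items() if not ok)


if __name__ == "__main__":
    for name, (label, ok) in audit(SAMPLE_FLOWS).items():
        print(f"{name:20} {label:50} {'ok' if ok else 'REVIEW'}")
```
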

 

 

49 Comments
Silver Contributor

I have asked in the forums in March i think (when it was still planned to switch earlier) if we really need to do something about Windows 7. Didn't get 100% answer. But here it says that Windows 7 has no default support for TLS 1.2 (i know that, but IE11 works perfectly on Win7 and it supports TLS 1.2, so maybe if an app/browser has support it can work without changing anything on the OS). So, we MUST do something about this with Windows 7?

@wroot, as per https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365 :

 

  • If you have Windows 7 clients connected to Office 365, make sure that TLS 1.2 is the default secure protocols in WinHTTP in Windows. For more information see KB 3140245.

So yes, there's something to be done in Windows 7, explained here https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-s...

 

I believe Internet Explorer 11 manually establishes the highest version of TLS as default (that's just my belief, have not contrasted that yet), and as stated in the article "This update will not change the behavior of applications that are manually setting the secure protocols instead of pass the default flag." Referring with the default flag to WINHTTP_OPTION_SECURE_PROTOCOLS, for the DefaultSecureProtocols registry entry.

Copper Contributor

Can I ask for clarification that Lync 2010 Hybrid customers are "required" to upgrade to SfB Server 2015 prior to October 31 2018? 

Brass Contributor

@Pamela Arimoto Am I understanding correctly that Lync 2010 customers will not have a direct migration path to SfB online after October 31st?

Microsoft

Hi @Rob Kennedy and @Clayton Jay Martin - Lync Server 2010 is not in scope for TLS 1.0/1.1 disable support.  Refer to: https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-se...

 

If you are still running an On-Premises Lync Server 2010 Hybrid with Skype for Business Online environment you will need to take steps to ensure connectivity beyond the deprecation date.  That could include upgrading to a version of On-Premises server that does support TLS 1.0/1.1 disabling, or it could mean accelerating migration to 100% Online for your Lync/Skype for Business workloads.  

Copper Contributor

Thanks Corbin. The Nexthop article you reference discussed disabling TLS 1.0/1.1 rather than enabling TLS 1.2. Isn't the requirement for October 31 2018 to enable TLS 1.2? This article published yesterday appears to be the first announcement stating that Lync 2010 won't support TLS 1.2 and isn't supported for hybrid which doesn't leave a great deal of time to make alternate plans.

Iron Contributor

@Rob Kennedy - The Oct 31 date was never about enabling TLS 1.2, as TLS 1.2 is already enabled within Office365 and secured communications can succeed over that protocol version today if the client endpoint supports TLS 1.2 (otherwise it would succeed over TLS 1.1 or TLS 1.0).  The Oct 31 date has always been about enforcing and requiring a minimum of TLS 1.2 for secured communications with Office365, which requires that TLS 1.0 and TLS 1.1 be disabled and restricted from TLS cipher negotiations.

 

https://support.microsoft.com/en-ae/help/4057306/preparing-for-tls-1-2-in-office-365

 

The NextHop blog article from April 2018 explicitly states that Lync Server 2010 is out of scope and will not function in a TLS 1.2 enforced configuration, so the information has been publicly available since April 2018.  If you've got hybrid established to Office365 via Lync Server 2010, then you absolutely need to get your topology updated to at a minimum Lync Server 2013 (ideally Skype for Business Server 2015) in order to keep hybrid functional once MSFT makes the changes on Oct 31.

Copper Contributor
I would disagree that the article is clear on support for hybrid. The theme of the Nexthop article is very much focused on disabling TLS 1.0/1.1 for the purposes of security and PCI compliance. I'm aware that O365 is already enabled for TLS 1.2, the issue is getting on-prem infrastructure ready for TLS 1.2. The below KB article clearly states that TLS 1.2 has to be enabled and TLS 1.0/1.1 can remain enabled. I agree that Nexthop states that Lync 2010 is out-of-scope of disabling but what it doesn't state is that Lync Server 2010 won't be supported for TLS 1.2 or Hybrid.
 
"Using TLS 1.2 with Office 365 does not mean you must have TLS 1.0/1.1 disabled in your environments by October 31, 2018. If parts of your environment require the use of TLS 1.0 and 1.1 on or after October 31, 2018, you can leave the older protocol versions enabled. However, TLS 1.2 will have to be enabled and used for communication with Office 365 to avoid any interruption in service."
https://support.microsoft.com/en-ae/help/4057306/preparing-for-tls-1-2-in-office-365
Iron Contributor

I'll concede the point that the blog post (this one) is primarily about the PCI DSS 3.2 standards.  However, I tend to view the PCI DSS 3.2 and the O365 enforcement as one and the same, because many customers are viewing it that way.

 

For 2010 hybrid, you've really got a few access methods for Hybrid:

  1. Edge Servers to O365 (hybrid and federation)
  2. PowerShell on FE's (for user moves to O365)
  3. Client Access to O365 (S4BO)
  4. Client Access to O365 (ExO)
  5. Client Access to O365 (AzureAD)
  6. Client/Server access to AD-FS

 

Assuming you've got a Windows Server OS with TLS 1.2 enabled today, you could examine Wireshark/NetMon/MessageAnalyzer for #1 and #2 above for your flows to O365 and determine what TLS protocol is being negotiated.  If TLS 1.2 is used, then in theory, you don't have to do anything with on-premises server infrastructure and things will probably remain functional after 31-Oct.  If TLS 1.2 is not used (even though the host OS has it enabled), then you have your answer.  I actually don't have a 2010 lab to test this with, so I can't tell you authoritatively unfortunately.

 

Either way, with 2010 out of mainstream support (and the fact that many voice pieces in the hybrid topology now require a 2015 edge server and FE in order to function with all call flows), it likely is not the best approach to leave 2010 in place and take a gamble.

Microsoft

Sorry, let me clarify; @rovert506 has it correct.  As I have used it in this discussion, the terminology "TLS 1.0/1.1 disable support" = "enable TLS 1.2".  TLS 1.2 requires updates to Skype for Business Server 2015 and Lync Server 2013* (and extensive dependency updates to .Net, SQL, and the OS in some cases).  Lync Server 2010 was never in scope for software updates to enable it to use TLS 1.2.  We appreciate the feedback and will work to more clearly, explicitly call out the Hybrid scenarios here and in the On-Premises blog series.  

 

*Lync Server 2013 is a special case - be sure to read the On-Premises blog series carefully to understand our stance.  While Lync Server 2013 can be updated to use TLS 1.2 - you cannot disable TLS 1.0/1.1 on a Lync Server 2013 Front End or Standard Edition machine; we did this for back compat, Federation and Hybrid scenarios.  

Brass Contributor
Hi there, The link for more guidance on Lync Room Systems appears to have restricted access. Would you be able to share information on how to get these systems up to date? I'm specifically concerned about the Crestron RL2, since I have a few of these in my environment. I would be thrilled to get them on SRS v2! Kind regards, Charlie
Copper Contributor

@Pamela Arimoto I also would like to see the article regarding room systems. I have a Crestron RL1, which has been upgraded to 15.15.12. I'm not sure if that is enough.

Copper Contributor

@Pamela Arimoto, when you say CU10 for Lync 2013, do you mean the 10th CU in the list?

  • December 31, 2014 cumulative update (5.0.8308.866)

Or do you mean the latest CU that came out in July of 2018? Sorry if this sounds like a dumb question, I just don't see a reference to CU 10 anywhere.

Microsoft

@Jacob Jones we're specifically referring to the July, 2018 Update for Lync Server 2013 not an individual component fix from that list.  2013 CU10 = July 2018; we will clarify in the blog, thanks for raising that!

Copper Contributor

For the "Lync Room System (a.k.a. SRSv1)" you say "LRS Options - Upgrading SRSv1 (LRS) Systems to SRS v2 – Further guidance is coming soon". All I can say to that is I hope the guidance will state that support for TLS 1.2 is being included in an upgrade or update coming soon for current SRSv1 Systems. Some SRS v1 customers who are all in with Microsoft have already upgraded to TLS 1.2 elsewhere and are anxiously waiting on the update to SRS v2. 

hi

 

How can we identify how many clients are affected in our environment? We are using Skype for Business Online.

hi

 

How can we identify how many clients are affected in our environment? We are using Skype for Business Online. And what will the impact be to the users if we fail to upgrade the client to Office 2016 or Skype 2016?

Deleted
Not applicable

How about Skype for business update CU 6 to support TLS 1.2 but don't disable TLS 1.0 for Lync phone edition ? 

Copper Contributor

We don't want to disable TLS 1.0 / 1.1. If we just want to enable TLS 1.2 on SFB/Lync onprem do we have to do all the stuff mentioned here. 

- For post CU6 HF2 steps required for SFB Server 2015 – please refer to https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-se...

- Post CU10 steps required for Lync Server 2013 are exactly the same as SFB Server 2015.

 

Can someone explain just the enable TLS 1.2 Scenario. 

 

Best Regards - Bueschu

Deleted
Not applicable

Hello, 

 

Is there any news on Skype Room Systems and the surface hubs?  

 

Kind Regards, 


Gerard

Copper Contributor

Am I missing something? The requirements for Skype:

Skype for Business 2016 Click to Run Require the April 2018 Updates:

  • Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher
  • Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher

in essence say that any Skype for Business 2016 clients older than the April 2018 version will not work and/or are not supported after the October 31, 2018 mandate of TLS 1.2.  That is only 6 months of support.  Microsoft states in multiple articles that we are supported for 18 months using the Semi-Annual channel. Here:

https://www.microsoft.com/en-us/microsoft-365/blog/2017/04/20/office-365-proplus-updates/

https://docs.microsoft.com/en-us/DeployOffice/overview-of-update-channels-for-office-365-proplus

 

We cannot get all our clients upgraded by that time and the above article was posted only 1 month ago.  This is not enough lead time.  Can you please explain the version requirements and limited 6 months of support?

 

Best regards,

Chris

 

Skype is part of office 365 upgrade. whether we need to upgrade the office version . if we need to upgrade which version of office will support Tls1.2

 

for windows 7, they have requested to install KB to support TLS1.2 for the office365 communication. whether we need to upgrade officeproplus+windows 7 or windows 7 alone works

Copper Contributor

Hello Microsoft, 

I would like to echo a couple other requests for information. 

 

Is there any news on Skype Room Systems and the Surface hubs?

We have a number of these deployed globally with hundreds of uses per week.    

 

Allowing testing time, change-management and notifications, any changes in this area are already into the danger-zone for IT departments to handle this efficiently and effectively. We need to hear back on updates ASAP.

 

In other words - It is time to change '...we should provide further guidance later.  Keep checking back here for updates.'.  into real updates and software delivery.   

 

THANKS!

Brass Contributor

I have to agree with @William Adams.  It's been a month and a half since this blog post, and we haven't heard what to do about the Skype Room Systems.  This is putting a pretty substantial strain on us--we've stalled a few deployments of new rooms with Crestron's RL2, and are reworking alternatives since we don't have information.  @Pamela Arimoto are you able to offer any updates?

 

Kind regards,

Charlie

Copper Contributor

I was informed by Microsoft while I was in their Seattle office that the date for LPE phones (only) has been moved to December 31st, 2018

 

Please confirm. 

It may be prudent that this article be updated with the new date as well, this Oct 31st date is causing slight panic. 

Brass Contributor

@William Adams, in case you haven't heard about this yet:  Microsoft provided updated guidance on 9/21.  I learned about it today at Ignite.  You can find more about LRS systems here.

 

Kind regards,

Charlie

Brass Contributor

@Charlie Vogt and @William Adams

According to latest Crestron info it goes like this:

Users of the original RL (the TWO rack unit box!) are out of luck. Go visit LRSUpgrade@crestron.com and beg for an upgrade deal aka hardware buy back or so. These boxes don't get any love anymore. As you can see, there are still security updates (latest was Aug2018) but nothing on the Skype/Teams/Lync side of things. According to the mentioned document, even this will end next week, aka Oct, 9th!!!

 

If you are having RL2 systems (the ONE rack unit box!) then they do offer an upgrade path.

QUOTE: ..RL2 ..has the ability to upgrade from Microsoft’s Lync/SRSv1 solution to Microsoft’s current SRSv2 solution

QUOTE: Existing Crestron RL2 customers can acquire an upgrade package ... a for a minimal cost per device.

 

Some time ago there were rumours, that it is essentially a replacement HD/SSD with all the new Win10/SRSv2 goodies preloaded to be installed in the existing RL2 box. So, no multi-GB patch but rather a disc swap with only some latest patches to be fetched after installation.

If this is true, then most likely you do have to re-join the box to your environment as all your credentials are gone with the old disc, right? However, as there is no official info out yet, don't kick the messenger! ;)

 

Hope this helps.

HST

Deleted
Not applicable

@Pamela Arimoto

 

Is there any news for surface hubs?

 

Kind Regards, 


Gerard

Copper Contributor

I have one Skype front end server and one edge server with Skype for Business Server 2015 HF2 6.0.9319.516 already updated. I have a few O365 customer domains federated with us. My question here is:

Do I need to enable TLS 1.2 in both front end and edge server? Only with edge would be enough?

Is it mandatory to disable TLS 1.0 and 1.1 after TLS 1.2 is enabled?

Is it mandatory to enable TLS 1.2 in my back end server also?

Regards,
Anandan

Silver Contributor

You don't have to disable TLS 1.0 and 1.1. Your system has to be able to switch to TLS 1.2 when contacting Office 365 systems. When i did a registry change file for our Windows 7 systems i have left both TLS 1.1 and 1.2 enabled in the registry key. Obviously can't check if it is ok before they switch 1.2 requirement on. I even think we won't need that script that i've only prepared for a few percents chance that we actually need it (not talking about servers, just regular PCs). Have no experience with SfB server so can't comment on that. Logic tells that you would only have to fix the Edge server. But maybe both servers still have to support same TLS version to operate correctly.

Deleted
Not applicable

Is there any chance of this date getting pushed back again?

 

Crestron still don't have a concrete answer on the upgrade path for their RL2 units.

 

Still have not heard any info on Surface Hub and support for TLS 1.2.

 

We have about 2 weeks left until 31st Oct, at this rate our only option is to move all our room mailboxes back on-premises.

Copper Contributor

We have some Surface Hubs with on-premises mailboxes and skype for business accounts as well as office365 mailboxes and skype for business.

I hope there will be some news regarding the skype for business app on surface hub and tlsv1.2 support, but we are now actively looking for replacing the skype for business app with the Microsoft teams app (which requires all Office365 mailbox + skype I guess, not sure yet).

 

I am using this article as guidance: https://docs.microsoft.com/en-us/microsoftteams/teams-surface-hub

the teams app can replace the skype for business app on all places on the surface hub, if I have some sort of issues or results I will report back.

Maybe this can be an alternative for other surface hub customers too?

Brass Contributor

@Deleted

There is a concrete answer although it might not yet have been made officially. Email me privately, I might be able to shine some light onto the topic.

Deleted
Not applicable

 @Harald Steindl Do you mean for the surface hubs. If so i'm interested as well for this concrete answer. 

Brass Contributor

Gerard,

NO info for the Surface Hub from my side, sorry.

Just know a word or two about the Crestron RL2.

 

HST

Copper Contributor

I'm also interested in an update regarding the Surface Hubs. Do I understand correctly that even with the last available update the SfB client on the Surface Hub will not be able to utilize TLS 1.2 and therefore will not be able to login to O365 on November 1st 2018? If this is the case I find it embarrassing that on October 12th there is still no update released that fixes this situation...

Deleted
Not applicable

Hmm is this chunk of text new? Don't remember seeing that before.

 

So they are still working on an update for the Surface Hub?

 

The following devices are actively working on supporting TLS 1.2 and are committed to providing support for TLS 1.2 before TLS 1.0/1.1 deprecation.

 

  • Skype Room System (a.k.a. 'SRSv2' or Rigel)  and Surface Hub guidance - 

    Microsoft Surface Hub and Skype Room Systems Version 2 (SRS v2) will continue to work past October 31, 2018. Microsoft will update Surface Hub and Skype Room Systems V2 to support TLS 1.2 before TLS 1.0 and TLS 1.1 will be deprecated. Skype for Business on premise customers should not enable TLS 1.2 until Surface Hub and Skype Room Systems V2 provide a software update. 

Deleted
Not applicable

Looks like Crestron is also waiting on Microsoft, this is what we were told.

 

"Currently timing is being dictated by Microsoft and completion of Software Development for SRSv2."

I'm going to give up and move all our meeting rooms back on-premises as this is ridiculous.

Copper Contributor

Is it being deprecated or not?

https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365
Please note: This is NOT when Microsoft Office 365 will officially deprecate TLS 1.0 and 1.1.

Deleted
Not applicable

@Deleted  I think you are indeed correct and they have changed the text! 

 

Skype Room System (a.k.a. 'SRSv2' or Rigel)  and Surface Hub guidance - 

Microsoft Surface Hub and Skype Room Systems Version 2 (SRS v2) will continue to work past October 31, 2018. Microsoft will update Surface Hub and Skype Room Systems V2 to support TLS 1.2 before TLS 1.0 and TLS 1.1 will be deprecated. Skype for Business on premise customers should not enable TLS 1.2 until Surface Hub and Skype Room Systems V2 provide a software update. 

Deleted
Not applicable

Looks like comms has been updated. https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

 

As of October 31, 2018, Office 365 will no longer support TLS 1.0 and 1.1. This means that Microsoft will not fix new issues that are found in clients, devices, or services that connect to Office 365 by using TLS 1.0 and 1.1.

** Note ** This doesn't mean Office 365 will block TLS 1.0 and 1.1 connections.

 

Microsoft Surface Hub and Skype Room Systems Version 2 (SRS v2) currently use TLS 1.0 or 1.1, and they will continue to work after October 31, 2018. Microsoft will update Surface Hub, Skype Room Systems V2, Skype for Business Online, and server products to support TLS 1.2 before TLS 1.0 and 1.1 are deprecated for Office 365. These products are expected to support TLS 1.2 by the first half of 2019. Skype for Business Online and on-premises customers should not disable TLS 1.0 and 1.1 until that time if they are using these meeting and calling devices.

Brass Contributor

Long story short: MS changed plans at the very last minute.

This might be good news for many users not being able to update/change in time.

 

However, as a consultant who made big efforts to inform all clients and working overtime to find solutions and such, I do feel cheated!!

Next week, when there is nothing happening as everything still works, customers will point at me and declare that all the "panicking" was for nothing although all I was doing was to take their word for real.

Well done MS, well done! :(

Iron Contributor

@Deleted, @Harald Steindl, et al. - Yes, you are 100% correct.  There was a change, made in the 11th hour, by the Product Group and Sustainable Engineering teams that reverted the stance that TLS 1.2 was going to be enforced for connections to Office365 (Skype4B included).  They still, however, are moving forward with only "supporting" TLS 1.2 as of 31-Oct-2018.

 

A few thoughts:

  • I do consider it a huge win because there are many customers that simply weren't ready and the potential for large scale production outages resulted in an intense backlash to MSFT.
  • While they aren't technically enforcing a connection via TLS 1.2, they have made a "support" statement that they won't fix new bugs if the client/device/service connects to Office365 via TLS 1.0 or TLS 1.1.
    • This is an interesting wrinkle that could cause additional backlash, especially if this is taken very literally in the sense that any ticket opened with Office365 that is deemed to be connecting with TLS 1.0 is "out of supportability" and thus may not be worked or acknowledged as an issue.
  • Surface Hub and Skype Room System V2 are listed as expecting TLS 1.2 by H1 CY 2019
    • This is a huge change and a significant delay, which to me indicates someone bit off more than they could chew.
  • Words matter and clear, concise, accurate explanations can reduce confusion for the betterment of all.
    • The semantics of "supported" is not used consistently within MSFT and published documentation for customers.  Sometimes it means it may work but the Product Group doesn't test it, or other times it means it flat-out won't work, or in this case it more closely aligns with MSFT's usage of "deprecated": "fully functional but will be removed at a future date so we want you to stop using it and start planning for the alternatives we've provided".

 

In the end, this was a colossal boondoggle.  Far too much time spent by customers, consultants, and MSFT employees trying to manage this.  I do believe this change is for the better - especially considering there are current products that aren't yet ready to support these new requirements - but my overall concern is that MSFT could silently decide to change their minds back to their original stance.  After all....if they did it this time....it absolutely could be done in the future.

Copper Contributor

Agreed. Far too much time spent by customers on this!

Silver Contributor

I'm one of these customers who spent a lot of time researching this, checking our systems, traffic, investigating what older systems might be affected by this, nagging our partners for answers, preparing group policies to push needed updates and registry changes on 10.31. Although back in my mind i was expecting it to be postponed again. There are just too many old systems in the world. And i'm not sure when TLS 1.2 would be safe to be enforced, probably when 1.8 is released and 1.2 would be deprecated :D Seriously though, it feels like an unwinnable battle. MS tries to stay as safe as possible and can't, because customers won't/can't update (although in this case it seems they can't even update their own software). I have experience in software development and i know how users tend to stick to older versions because they are used to it, don't want to change settings, etc. Often for them it is better than stay secure. Well, will see what the next date will be.

Brass Contributor

Update:
Quoting new information from Crestron to their customers/dealers:

 

There is no official date for disabling or removing TLS 1.0 and 1.1 in the TLS service for customer connections. The eventual deprecation date will be determined by customer telemetry and is not yet known. After a decision is made, there will be an announcement six months in advance unless we become aware of a known compromise, in which case we may have to act in less than six months to protect customers who use the services.

 

Which is in essence nothing more than we already knew since lately but it sure sounds more official.... ;)

Copper Contributor

Hi,

According to the above: CCE already communicates with Skype for Business Online with TLS 1.2 only.

I took a trace and I see that the CCE host uses TLSv1 (CCE management service)

And when we disable TLSv1 the CCE stops getting calls

The OS is updated and running the latest CCE bits

Erez

Iron Contributor

@ErezGGG - Please read this article carefully:  https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-se...

 

The article is very clear that CCE *supports* TLS 1.2 as an encryption protocol version.  It also clearly states that you cannot disable TLS 1.0 or TLS 1.1 for CCE.  What this means is that CCE can utilize TLS 1.2 for remote endpoints that support TLS 1.2, but it cannot be forced to *only use* TLS 1.2.  You've got to leave CCE VMs and CCE Hyper-V hosts with the as-built configuration.  Do not disable TLS versions on anything CCE related.

Copper Contributor

I had a question about the TLS report in SecureScore, maybe somebody here could help me out? I can't find a definite answer on the date range included in the report. If I ran a report today (Feb 15), each row in the report would show a 'Report Date' of Feb 13; two days prior to the current date. Does that mean the data in the report includes only the connections made during that 24-hour period? Or is the data cumulative, and if so, what is the reporting window?

Last update: Dec 22 2021 02:50 AM