Remove TLS 1.0/1.1 and 3DES Dependencies


I went to http://servicetrust.microsoft.com to see whether any users are still using TLS 1.0/1.1. How do I remove TLS 1.0/1.1? How do I go about making these compatible so they work come February 28, 2019 when Office 365 retires 3DES? Thank you for your help. Here is what I get:

Notice: This report includes 3DES and TLS1.0/1.1 usages.    
     
| UserName / IP address | Protocol | Agent | Count | Report Date |
|---|---|---|---|---|
| xxxx@wynnetr.com | TLS1.0/1.1 | Microsoft+BITS/7.5 | 12 | 1/30/2019 |
| xxxx@wynnetr.com | TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro) | 2 | 1/30/2019 |
| xxxx@wynnetr.com | TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro) | 1 | 1/30/2019 |
| xxxx@wynnetr.com | TLS1.0/1.1 | Android-SAMSUNG-SM-G930V/101.80000 | 1 | 1/30/2019 |
| xxxx@wynnetr.com | TLS1.0/1.1 | Android-SAMSUNG-SM-G360V/101.50101 | 2 | 1/30/2019 |
| xxxx@wynnetr.com | TLS1.0/1.1 | Apple-iPhone8C4/1507.77 | 1 | 1/30/2019 |
| xxxx@wynnetr.com | TLS1.0/1.1 | Microsoft+BITS/7.5 | 8 | 1/30/2019 |

11 Replies
Good question! I don’t understand why Windows+NT+10.0 myself. So looking for an answer too. In fact I asked such a question here before.

I had learned that BITS is used to download the address book (OAB). So those lines should…mean Windows 7, but given we saw win10 above…

I even went ahead and tried to research the topic, but no such information is available.

| Protocol | Agent |
|---|---|
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6) |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro) |
| TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro) |
| TLS1.0/1.1 | MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6) |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.7190;+Pro) |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro) |
| TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro) |
| TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro) |
| TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+6.3;+Microsoft+Outlook+16.0.11126;+Pro) |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6) |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Android-SAMSUNG-SM-G570F/101.80000 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro) |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6) |
| TLS1.0/1.1 | Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.7190;+Pro) |
| TLS1.0/1.1 | Android-SAMSUNG-SM-G570F/101.700 |
| TLS1.0/1.1 | MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6) |
| TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro) |
| TLS1.0/1.1 | Apple-iPhone8C1/1602.92 |
| TLS1.0/1.1 | - |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | MacOutlook/14.7.2.170228+(Intel+Mac+OS+X+10.9.6) |
| TLS1.0/1.1 | Microsoft+BITS/7.5 |
| TLS1.0/1.1 | Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.10730;+Pro) |

 

 

Not sure why Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.10730;+Pro) is still using TLS 1.0/1.1?

My report also shows the +(Windows+NT+10.0;+Microsoft+Outlook+16.0.10730;+Pro) still using TLS 1.0/1.1, and several Apple-iPhone. What / why would the two items be on the list?

This is a great question. I have read that the issue with the Apple mail native iPhone app was corrected in iOS 10, but I still see iPhones with iOS 10 showing up on the report. I also see one Microsoft Office 2016 client showing up on the report (using Windows 10 OS). I have no idea why that client machine would be using a lower flavor of TLS. I could disable TLS 1.0 and 1.1 on the client machine, but unfortunately, many websites still use 1.0 for whatever reason.

 

I received an email from Office 365 urging me to run this report, probably like most of you. I ran it and see some TLS 1 usage. It would be nice to get some guidance on this subject from Microsoft. Any pointers anyone can provide would be awesome!

 

Eric


@Alan McFarlane wrote:
I had learned that BITS is used to download the address book (OAB). So those lines should…mean Windows 7, but given we saw win10 above…

 

That sounds like something that Microsoft has to update, as our systems (Office 2016 & Windows 7) support TLS 1.2 for the services that are at that level. But if their services (BITS) aren't supporting it from their end, how can we be "compliant"?

Looking on Sunday night at the reports of my ~20 client tenants, there seems to have been a change. None of them now contain any Win10 (Office16/15) entries. So I’m wondering if there was a bug in the reports and it’s been fixed!

Anyone see the same?

The reports also look a bit sparse, however. Many have no rows. Perhaps the school holidays last week meant fewer folk were connecting? The reports clearly aren’t cumulative over all time, as entries from an older report don’t always appear in a later one. I wonder what needs to happen to make a device appear: is it just to connect to read mail etc., or is it that it needs to re-authenticate, e.g. after 14 days etc.?

I just re-ran the report this morning and have different results also and I did not make any changes or modifications. Here is what I show now and not sure how to fix them. Most of them are on either Android or Apple phones. I still show 1 on Office, not sure what Microsoft+BITS/7.5 is??

The differences in reports on different days might be due to the fact that if a user does not work on a particular day (hence doesn't connect to Office 365) then for that day's report the user will not show up, even though the user is still not compliant. 

 

Then how do we know for sure everyone is compliant? I do not have much clue. Microsoft should have kept listing all users it detected earlier until it detects a compliant connection from the same user.
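The point made above, that a user missing from one day's report is absent rather than proven compliant, can be handled by merging the daily exports yourself. This is an added example, not part of the original thread and not a Microsoft tool; it assumes the report is saved as CSV with the column names shown, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed daily exports (assumed CSV layout; users and counts are made up).
DAY1 = """UserName,Protocol,Agent,Count,ReportDate
alice@example.com,TLS1.0/1.1,Microsoft+BITS/7.5,12,1/30/2019
bob@example.com,TLS1.0/1.1,Apple-iPhone8C4/1507.77,1,1/30/2019
"""
DAY2 = """UserName,Protocol,Agent,Count,ReportDate
alice@example.com,TLS1.0/1.1,Microsoft+BITS/7.5,8,2/4/2019
carol@example.com,TLS1.0/1.1,Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.11126;+Pro),2,2/4/2019
"""

def client_family(agent):
    """Map a raw Agent string to a coarse client family for triage."""
    text = agent.replace("+", " ")  # the report encodes spaces as '+'
    for prefix, family in (("Microsoft BITS", "BITS"),
                           ("Microsoft Office", "Outlook for Windows"),
                           ("MacOutlook", "Outlook for Mac"),
                           ("Apple-", "iOS device"),
                           ("Android-", "Android device")):
        if text.startswith(prefix):
            return family
    return "unknown"

def merge_reports(csv_texts):
    """Accumulate every (user, agent) pair ever reported, with first/last day seen."""
    seen = {}
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            day = datetime.strptime(row["ReportDate"], "%m/%d/%Y").date()
            key = (row["UserName"], row["Agent"])
            entry = seen.setdefault(key, {"family": client_family(row["Agent"]),
                                          "first": day, "last": day, "count": 0})
            entry["first"] = min(entry["first"], day)
            entry["last"] = max(entry["last"], day)
            entry["count"] += int(row["Count"])
    return seen

def dropped_off(seen):
    """Pairs missing from the newest report: absent, not proven fixed."""
    newest = max(e["last"] for e in seen.values())
    return sorted(k for k, e in seen.items() if e["last"] < newest)

if __name__ == "__main__":
    merged = merge_reports([DAY1, DAY2])
    for (user, agent), e in sorted(merged.items()):
        print(user, e["family"], e["first"], e["last"], e["count"])
    print("still unverified:", dropped_off(merged))
```

Entries returned by `dropped_off` stay on the watch list until the client is confirmed to negotiate TLS 1.2 by some other means, since the report only records legacy connections.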

But iOS is on ver 12 now?!? Who's still on 10?

Found this thread trying to figure out why I have one iPhone (out of a half dozen) showing on my report.

No one figured that out yet?

 

@AliceChained I have been researching the same thing for the past few hours. I even went so far as to post a question on the Apple Community.

I am pulling my hair out because I do not use iPhone and am unsure how to force them to use TLS 1.2.

In my Security Score Report this is what I see:

| Protocol | Agent | Count |
|---|---|---|
| TLS1.0/1.1 | Apple-iPhone11C8/1604.57 | 2 |
| TLS1.0/1.1 | Apple-iPhone8C1/1604.39 | 1 |
| TLS1.0/1.1 | Apple-iPhone10C4/1604.57 | 3 |

 

I may have found a clue on one of the other MS Exchange blog sites. About half way down in the Notes.  It seems if the client is using Authenticated SMTP the Exchange server logs it wrong and TLS 1.2 may be used after all. This blog is referring to Exchange on-Prem servers so not sure how relevant it is.

If anyone here knows how to configure TLS 1.2 on iPhone native mail app please give me some clues.

Thanks

@Forrest Hoffman From what I've been able to figure out, sometimes these devices just glitch and fail to resolve 1.2, so they fall back to 1.1. Once there is no 1.1 they will stop attempting fall back and will continue to try 1.2 until it succeeds.  

This is so far only my somewhat researched theory. But for example, I will see one iPhone fail today, but succeed tomorrow. This seems to suggest they aren't only able to connect to just 1.1.