SOLVED

Do we need to update Windows 7 once TLS 1.2 is mandatory for Office 365?

Super Contributor

We have a lot of Windows 7 computers using the Office 365 client, OneDrive, and Skype for Business. We use the latest Monthly Channel version of Office (2016). Do we have to install the TLS 1.2 enabling update and make the registry changes described here https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-s... Or will Office 365 apps work correctly without it once TLS 1.2 is mandatory?

3 Replies

It's a good question. I don't think so, though. I have read up on the material in relation to Office 365 and TLS 1.2 mandatory use (which could be clearer), and this only seems to apply to very specific on-prem, hybrid sorts of workloads. The Message center post and support article talk about this and not much else:

"If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services, make sure that these infrastructures can support both inbound and outbound connections that use TLS 1.2."

Office 365 ProPlus should be fine; after all, for example, Internet Explorer 11 has supported TLS 1.2 out of the box by default since 2013! For peace of mind, I would probably suggest opening a service request and getting Microsoft to confirm for sure.

Thanks for the reply. I have opened a request today (as well as asking by providing feedback on the message center message, no reply though). But I doubt I will get a useful response. Based on my experience with Office 365 support, it seems that they only work with a limited list of FAQs, and anything outside of it gets an "it's out of our scope" response.

I came to the same conclusion that this update only covers specific scenarios (like the hybrid one) and older apps, which are not negotiating TLS on their own and use the system's available mechanism. I guess Office 365 ProPlus should be good (same as IE11). When I check traffic on my PC, I see TLS 1.0 and TLS 1.2 connections going to MS servers (using Office, Skype, OneDrive). As TLS 1.2 is disabled on Windows 7, it looks like apps are negotiating it on their own without problems. But TLS 1.0 is still in use for some reason (maybe handshakes). Btw, we do use AD Connect to sync AD users to Azure AD. But AD Connect is up to date and on Windows Server 2012, so there shouldn't be problems with it connecting with Azure. We also use SMTP to relay messages from internal systems to Exchange Online. I only see TLS 1.2 in traffic to EO servers from our SMTP (IIS on WS2012). So it seems it is also OK.

All in all, I feel that we most probably don't have to do anything. But I'm still a bit worried that I'm overlooking something.
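When auditing a capture like the one described above, the version in a ClientHello's record header is a separate field from the version the client offers, and for TLS 1.2 and earlier the negotiated version is the one in the ServerHello. This added example (not part of the original thread) parses those fields from constructed sample records; the function names are illustrative, and TLS 1.3 is out of scope because it moves version selection into the supported_versions extension.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2

def label(version):
    return VERSIONS.get(version, "0x%04x" % version)

def parse_hello(record):
    """Parse one TLS record holding a ClientHello or ServerHello.

    Returns (kind, record_layer_version, hello_version) as strings.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != HANDSHAKE or len(body) != rec_len or rec_len < 6:
        raise ValueError("not a complete handshake record")
    if body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello message")
    # body: type(1) | length(3) | version(2) | random(32) | ...
    (hello_ver,) = struct.unpack("!H", body[4:6])
    kind = "ClientHello" if body[0] == CLIENT_HELLO else "ServerHello"
    return kind, label(rec_ver), label(hello_ver)

def summarize(client_record, server_record):
    """Report what the client framed, what it offered, what the server chose."""
    ck, c_rec, c_offer = parse_hello(client_record)
    sk, _, s_pick = parse_hello(server_record)
    if (ck, sk) != ("ClientHello", "ServerHello"):
        raise ValueError("expected ClientHello then ServerHello")
    return {"client_record_layer": c_rec,
            "client_max_offered": c_offer,
            "negotiated": s_pick}

def build_hello(msg_type, rec_ver, hello_ver):
    """Build a minimal hello record. Constructed sample, not captured traffic."""
    if msg_type == CLIENT_HELLO:   # empty session id, one suite, null compression
        rest = b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"
    else:                          # empty session id, chosen suite, null compression
        rest = b"\x00" + b"\xc0\x2f" + b"\x00"
    msg = struct.pack("!H", hello_ver) + bytes(32) + rest
    hs = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", HANDSHAKE, rec_ver, len(hs)) + hs

# Constructed pair: client frames its hello in a TLS 1.0 record but offers TLS 1.2.
CLIENT = build_hello(CLIENT_HELLO, 0x0301, 0x0303)
SERVER = build_hello(SERVER_HELLO, 0x0303, 0x0303)

if __name__ == "__main__":
    print(summarize(CLIENT, SERVER))
```
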

Best Response confirmed by Oleg K (Super Contributor)
Solution

So, at first the support engineer just provided me the same link about preparing for TLS 1 disabling. When I provided him my arguments and doubts, he discussed this with other technical staff and then replied that we don't need to update.

Well, I think there is still a chance something was misunderstood, but at least I now have an official answer. My chief will have a final decision about this though.