Feb 13 2021 02:17 PM - edited Feb 13 2021 02:18 PM
Hi Server Team,
It is great to see that Server vNext has enabled only TLS 1.2 and TLS 1.3 left experimental state in Internet Options (Windows System / IE).
However, the remark from @Aria Carley
Changes to improve security for Windows devices scanning WSUS - Microsoft Tech Community
does not yet match completely / consistently in Server vNext (not even speaking about production releases such as 1607 and later).
I would like to plead for the following changes:
1. Server vNext should enable TLS 1.2 for PowerShell 5.1. Currently it is not enabled by default and is so blocking access to repositories such as GitHub, PSGet, NuGet etc.
2. Upgrading WSUS to Server 2022 should enable TLS for WSUS by default (I know there are no GUI or wizard changes)
3. Server vNext should enable TLS 1.2 for SQL and .net by default
4. Server vNext should use TLS 1.2 for SChannel. Every supported OS (including domain controllers) supports this.
You should consider disabling TLS 1.0 / 1.1 for each of these.
@Mary Hoffman
Currently I am actively deploying these changes in mixed customer environments using script / GPOs ranging from Server 2008-2019, SQL 2012-2019, Exchange 2013-2019, and do not face issues that cannot be mitigated.
However I would expect the standards to be higher with Server 2022 in compliance with what Aria stated.
Thanks for your feedback
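
A read-only check of the settings the list above refers to, as an added example that is not part of the original post: it reports the SChannel protocol values and the .NET Framework 4.x values that decide which TLS versions Windows PowerShell 5.1 offers. The registry paths are the standard Windows locations and are an assumption here, since the post does not name them.

```powershell
# Added example: audits TLS-related registry values; it reads only and changes nothing.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netKeys  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Build the list of (key, value name) pairs to inspect.
$checks = @()
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    foreach ($role in 'Client', 'Server') {
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $checks += [pscustomobject]@{ Path = "$schannel\$proto\$role"; Name = $name }
        }
    }
}
foreach ($key in $netKeys) {
    # These two values make .NET 4.x (and so PowerShell 5.1) follow the OS TLS defaults.
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $checks += [pscustomobject]@{ Path = $key; Name = $name }
    }
}

# One row per registry value; absent values are reported rather than skipped.
$checks | ForEach-Object {
    $data = Get-RegValue $_.Path $_.Name
    [pscustomobject]@{
        Key   = $_.Path -replace '^HKLM:\\', ''
        Value = $_.Name
        Data  = if ($null -eq $data) { 'not set (OS default)' } else { $data }
    }
} | Format-Table -AutoSize

# Protocols the current PowerShell session will offer for outbound HTTPS.
[Net.ServicePointManager]::SecurityProtocol
```

A last line of `Ssl3, Tls` means the session will not offer TLS 1.2; `SystemDefault` or a value containing `Tls12` means it will.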
Mar 24 2021 04:10 PM