How to configure TLS 1.2 as the default security protocol on BizTalk Server with PowerShell

Published on : Jan 5, 2021

Category : BizTalk Server

Author: Sandro

TLS 1.2 is now fully supported in newer versions of BizTalk Server, including all the adapters and accelerators. It is part of the default installation of BizTalk Server 2020 and was introduced in:

  • BizTalk Server 2016 as a part of Feature Pack 2 and available also with Cumulative Update 5
  • BizTalk Server 2013 R2 as a part of Cumulative Update 8
  • BizTalk Server 2013 as a part of Cumulative Update 7

BizTalk Server 2010 and older versions don’t support this feature.

You can also disable SSL, TLS 1.0, and TLS 1.1 in BizTalk Server. Out of the box, however, BizTalk Server works with SSL (Secure Sockets Layer) 3.0 or TLS (Transport Layer Security) 1.0, and those are the security protocols it uses by default. Newer versions of BizTalk Server allow us to use TLS 1.2, but that requires extra manual configuration in the environment.


How do I enable TLS 1.2 in PowerShell?

To enable the TLS 1.2 protocol, create an Enabled entry in either the Client or Server subkey. This entry does not exist in the registry by default.

Is it possible to enable TLS 1.2 as default in PowerShell?

To make TLS 1.2 the default security protocol, you need to make some manual changes in the registry by adding the following DWORD values:

Under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client], create the following DWORD (32-bit) value:

  • Name: DisabledByDefault, Value data: 0

Under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server], create the following DWORD (32-bit) values:

  • Name: DisabledByDefault, Value data: 0
  • Name: Enabled, Value data: 1

Under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319], create the following DWORD (32-bit) value:

  • Name: SchUseStrongCrypto, Value data: 1

Under [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319], create the following DWORD (32-bit) value:

  • Name: SchUseStrongCrypto, Value data: 1

The HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto registry value is of type DWORD. A value of 1 causes your app to use strong cryptography: it uses the more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. A value of 0 disables strong cryptography.
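As an added example (not the post's script), here is a read-only PowerShell check that reads back the values listed above, plus the Enabled value under the Client key, and flags any that are missing or differ from the expected state, which is useful for auditing every machine in the BizTalk group before and after the change. The $checks table and the Get-TlsRegistryStatus function are names chosen for this example, not part of the post.

```powershell
# Added example: report the TLS 1.2 / SchUseStrongCrypto registry state on this machine.
# Read-only; no elevation needed to read HKLM. Run it on every machine of the BizTalk group.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$checks = @(
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Expected = 0 },
    @{ Path = "$schannel\Client"; Name = 'Enabled';           Expected = 1 },
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Expected = 0 },
    @{ Path = "$schannel\Server"; Name = 'Enabled';           Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Expected = 1 }
)

function Get-TlsRegistryStatus {
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            # SilentlyContinue: the value simply may not exist yet (none of them exist by default)
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Name) }
        }
        [pscustomobject]@{
            Key      = $c.Path
            Name     = $c.Name
            Expected = $c.Expected
            # A missing value means the OS/.NET default applies, i.e. TLS 1.2 is not explicitly set
            Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
            Ok       = ($actual -eq $c.Expected)
        }
    }
}

$status = Get-TlsRegistryStatus
$status | Format-Table -AutoSize

if ($status | Where-Object { -not $_.Ok }) {
    Write-Warning 'TLS 1.2 is not explicitly enabled as default on this machine; run the configuration script.'
} else {
    Write-Host 'All TLS 1.2 / SchUseStrongCrypto values are set as expected.'
}

# Process-level view: the protocols this PowerShell session's .NET runtime will offer right now.
# "SystemDefault" (on .NET 4.7+) means the OS SCHANNEL settings checked above decide.
"Current .NET SecurityProtocol for this process: $([Net.ServicePointManager]::SecurityProtocol)"
```

On a 32-bit host the Wow6432Node key does not exist, so that row is expected to show as missing there.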

To facilitate this process, I created a PowerShell script that adds or updates the above DWORD’s and keys in the registry.

PowerShell script overview

The script below adds or updates the DWORD values and keys listed above in the registry.

Note: you need to execute this script on all the BizTalk machines of the BizTalk group.

# Run from an elevated (Administrator) PowerShell session: all of these keys live under HKLM.
# Creates the key if it is missing (New-ItemProperty fails on a missing key), then adds or updates the DWORD value.
function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

# Add or Update Client DWORD's (the TLS 1.2\Client key does not exist by default)
Set-RegistryDword -Path "$schannel\Client" -Name 'DisabledByDefault' -Value 0
Set-RegistryDword -Path "$schannel\Client" -Name 'Enabled' -Value 1

# Add or Update Server DWORD's (the TLS 1.2\Server key does not exist by default)
Set-RegistryDword -Path "$schannel\Server" -Name 'DisabledByDefault' -Value 0
Set-RegistryDword -Path "$schannel\Server" -Name 'Enabled' -Value 1

#######################################################################################################################
# set the .NET Framework 4.0 to use the latest version of the SecurityProtocol, by creating SchUseStrongCrypto DWORDs #
# for both 32- and 64-bit hosts                                                                                       #
#######################################################################################################################
Set-RegistryDword -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1
Set-RegistryDword -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1

This script was tested in:

  • BizTalk Server 2020
  • BizTalk Server 2016

THIS POWERSHELL SCRIPT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND.

Download

You can access and download the full PowerShell script from GitHub here: PowerShell to Configure TLS 1.2 as the default security protocol on BizTalk Server