So with PCI compliance we have to disable TLS 1.0 and 1.1. Does anyone know of the right way to do this? Here is what we have tried; according to Microsoft we did it wrong.
Upgrade to the needed CU of Exchange
Exchange Server 2016
Install Cumulative Update (CU) 8 in production for TLS 1.2 support and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).
Exchange Server 2013
Install CU19 in production for TLS 1.2 support and be ready to upgrade to CU20 after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).
Install needed updates
Windows Server 2016
TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP.
Ensure you have installed the most recent Monthly Quality Update along with any other offered Windows updates.
Windows Server 2012 R2
TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP.
Ensure your server is current on Windows Updates.
This should include security update KB3161949 for the current version of WinHTTP.
If you rely on SHA512 certificates, please see KB2973337.
Windows Server 2012
TLS 1.2 is the default security protocol for Schannel.
Ensure your server is current on Windows Updates.
This should include security update KB3161949 for the current version of WinHTTP.
If you rely on SHA512 certificates, please see KB2973337.
Exchange 2010 installs only: install KB3154519 for .NET Framework 3.5.1.
Create the following registry keys for .NET 4.x and TLS 1.2:
DOTNet Reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
TLS Reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
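The two .reg files above only enable TLS 1.2 and tell .NET to follow the OS defaults; they do not by themselves turn TLS 1.0 or 1.1 off. The following read-only audit script is an added example (not from the original post or from Microsoft's guidance): it reads the SCHANNEL protocol keys and the .NET SystemDefaultTlsVersions values and reports which protocols are still effectively enabled. It assumes the standard HKLM paths shown in the post and that a missing protocol key means the OS default (TLS 1.0/1.1 on) applies.

```powershell
# Added audit example, not part of the original post. Run elevated on the
# Exchange server; it only reads the registry and changes nothing.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnet   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (Schannel then uses its built-in default).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-ProtocolState {
    param([string]$Protocol, [string]$Side)
    $key      = Join-Path $schannel "$Protocol\$Side"
    $enabled  = Get-RegDword $key 'Enabled'
    $disabled = Get-RegDword $key 'DisabledByDefault'
    # A protocol is only off when Enabled=0 or DisabledByDefault=1 is present.
    # Assumption: a missing key falls back to the OS default, which on the
    # server versions listed in the post still has TLS 1.0/1.1 on.
    $effective = -not (($enabled -eq 0) -or ($disabled -eq 1))
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabled
        EffectivelyOn     = $effective
    }
}

$report = foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($s in 'Client', 'Server') { Get-ProtocolState $p $s }
}
$report | Format-Table -AutoSize

foreach ($path in $dotnet) {
    $v = Get-RegDword $path 'SystemDefaultTlsVersions'
    '{0}: SystemDefaultTlsVersions = {1}' -f $path, $(if ($null -eq $v) { 'missing' } else { $v })
}

# Flag anything still allowing TLS 1.0/1.1, which is what the PCI requirement is about.
$legacy = $report | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.EffectivelyOn }
if ($legacy) {
    Write-Warning 'Legacy TLS still effectively enabled:'
    $legacy | Format-Table -AutoSize
} else {
    Write-Output 'TLS 1.0 and 1.1 are explicitly disabled for both client and server.'
}
```

Re-run it after every reboot following a change, since Schannel only reads these keys at boot, and keep a copy of the before and after output for the PCI assessor.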