Hi All,


One of my customers requested an MP that, once imported, displays his agents where TLS 1.2 is enabled and SSL 2.0, 3.0, TLS 1.0 and 1.1 are disabled.

Since TLS 1.2 is enabled and the older protocols are disabled via the registry, I thought of writing a registry-based discovery to discover them as well, so my customer has a discovery to view the data.

  1. Import the Management Pack downloaded from here.

  2. Navigate to SCOM Console --> Monitoring --> Discovered Inventory --> click the Tasks button at the top --> select Change Target Type --> type “TLS” and you should see the 2 discoveries below:


    The discovery “Servers with SSL 2.0, 3.0, TLS 1.0, TLS 1.1 Disabled” will show you the servers where these protocols are disabled, provided you have applied the registry settings as per the Microsoft documentation. Below is the set of servers in my environment where SSL 2.0, 3.0, TLS 1.0 and TLS 1.1 are disabled:

    The discovery “Servers with TLS 1.2 Enabled for SCOM” will show us the servers where TLS 1.2 is enabled via the registry and the .NET key is added to enforce TLS 1.2. Below is an example from my environment:

  3. The discovery runs once a day. If you have made the changes to enable TLS 1.2 on servers today, they will be reflected in SCOM the next day.

NOTE - If you have missed adding any one of the registry entries as per the documentation, the servers will not appear in the console. This is a condition you can use to detect that the registry has not been set correctly and get it corrected.

Some customers may have their own style of disabling TLS 1.0/1.1 or enabling TLS 1.2 in the registry, using 0xffffffff instead of 1 or 0.

More on that is published here: https://support.microsoft.com/en-in/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

If you are using 0xffffffff then the MP XML has to be modified accordingly to capture "0xffffffff" in the registry. The MP has been built based on the registry settings provided by the SCOM TLS 1.2 articles linked below.
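To check a server by hand the same way the two discoveries do (and to see why a half-applied registry change makes a server disappear from both), here is an added PowerShell example; it is not part of the MP or the post. It assumes the SChannel value names Enabled and DisabledByDefault and the .NET SchUseStrongCrypto value from the SCOM TLS 1.2 articles, and it treats Enabled=1 and Enabled=0xffffffff alike, so it also covers the customers mentioned above.

```powershell
# Added example, not the MP's discovery script. Assumes the value names from the SCOM TLS 1.2 articles.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotNet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$legacy   = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

# Read one DWORD; returns $null when the key or the value is missing (the case the NOTE above warns about).
function Get-DwordValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name   # a DWORD of 0xffffffff comes back as -1 here, which is still non-zero
}

# A protocol counts as disabled only when both Client and Server have Enabled=0 and DisabledByDefault set.
function Test-ProtocolDisabled {
    param([string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $key      = Join-Path $schannel "$Protocol\$side"
        $enabled  = Get-DwordValue $key 'Enabled'
        $disabled = Get-DwordValue $key 'DisabledByDefault'
        # Missing values fail the check, so a half-applied change shows up as "not disabled".
        if ($null -eq $enabled  -or $enabled  -ne 0) { return $false }
        if ($null -eq $disabled -or $disabled -eq 0) { return $false }
    }
    return $true
}

# TLS 1.2 counts as enabled when Enabled is non-zero (1 or 0xffffffff) and DisabledByDefault is 0,
# and the .NET SchUseStrongCrypto value is set in both the 64-bit and WOW6432Node keys.
function Test-Tls12Enabled {
    foreach ($side in 'Client', 'Server') {
        $key      = Join-Path $schannel "TLS 1.2\$side"
        $enabled  = Get-DwordValue $key 'Enabled'
        $disabled = Get-DwordValue $key 'DisabledByDefault'
        if ($null -eq $enabled  -or $enabled  -eq 0) { return $false }
        if ($null -eq $disabled -or $disabled -ne 0) { return $false }
    }
    foreach ($key in $dotNet) {
        $strong = Get-DwordValue $key 'SchUseStrongCrypto'
        if ($null -eq $strong -or $strong -eq 0) { return $false }
    }
    return $true
}

# One row per server, mirroring the two discoveries' membership conditions.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    LegacyProtocolsOff  = ($legacy | ForEach-Object { Test-ProtocolDisabled $_ }) -notcontains $false
    Tls12EnabledForSCOM = Test-Tls12Enabled
}
```

Run it in an elevated PowerShell on the agent; a server that the MP does not list should show $false in one of the two columns, which tells you which registry entries to revisit.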

Links to Enable TLS 1.2 for SCOM 2012 R2 and 2016 are below:

SCOM 2012 R2: https://support.microsoft.com/en-in/help/4055768

SCOM 2016: https://support.microsoft.com/en-us/help/4051111