Enforce TLS 1.2 for the Azure AD Registration Service

The Azure Active Directory (Azure AD) Device Registration Service is used to connect devices to the cloud with a device identity. The Azure AD Device Registration Service currently supports using Transport Layer Security (TLS) 1.2 for communications with Azure. To ensure security and best-in-class encryption, Microsoft recommends disabling TLS 1.0 and 1.1. This document explains how to ensure that the machines used to complete registration and to communicate with the Azure AD Device Registration Service use TLS 1.2.

TLS protocol version 1.2 is a cryptographic protocol designed to provide secure communications. The TLS protocol aims primarily to provide privacy and data integrity. TLS has gone through many iterations, with version 1.2 being defined in RFC 5246 (external link).

Current analysis of connections shows little TLS 1.1 and 1.0 usage, but we are providing this information so that you can update any affected clients or servers as necessary before support for TLS 1.1 and 1.0 ends. If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services (AD FS), make sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2.

Update Windows servers

For Windows servers that use the Azure AD Device Registration Service or act as proxies, use the following steps to ensure TLS 1.2 is enabled:

Important

After you have updated the registry, you must restart the Windows server for the changes to take effect.

Enable TLS 1.2

Ensure the following registry strings are configured as shown:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • "DisabledByDefault"=dword:00000000
    • "Enabled"=dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    • "DisabledByDefault"=dword:00000000
    • "Enabled"=dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    • "SchUseStrongCrypto"=dword:00000001
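The following PowerShell script is an added example, not part of the Microsoft article: it audits the three registry keys listed above, reports any value that is missing or differs from the required setting, and applies the required values as REG_DWORD entries. It assumes an elevated PowerShell session on the server; the restart noted above is still required afterwards.

```powershell
# Added example (not from the article): audit and apply the TLS 1.2 registry settings
# listed above. Run from an elevated PowerShell prompt; restart the server afterwards.
$Settings = @(
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Values = @{ DisabledByDefault = 0; Enabled = 1 } },
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
       Values = @{ DisabledByDefault = 0; Enabled = 1 } },
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Values = @{ SchUseStrongCrypto = 1 } }
)

function Test-Tls12Settings {
    # Emits one object per value that is absent or wrong; no output means compliant.
    foreach ($s in $Settings) {
        foreach ($name in $s.Values.Keys) {
            $expected = $s.Values[$name]
            $actual   = $null
            if (Test-Path -Path $s.Path) {
                $actual = (Get-ItemProperty -Path $s.Path -Name $name -ErrorAction SilentlyContinue).$name
            }
            if ($actual -ne $expected) {
                [pscustomobject]@{ Path = $s.Path; Name = $name; Expected = $expected; Actual = $actual }
            }
        }
    }
}

function Set-Tls12Settings {
    # Creates missing keys and writes each value as REG_DWORD, matching the dword: entries above.
    foreach ($s in $Settings) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        foreach ($name in $s.Values.Keys) {
            New-ItemProperty -Path $s.Path -Name $name -Value $s.Values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

$drift = @(Test-Tls12Settings)
if ($drift.Count -eq 0) {
    'TLS 1.2 registry settings are already compliant.'
} else {
    $drift | Format-Table -AutoSize
    Set-Tls12Settings
    'Settings applied; restart the server for Schannel to pick up the change.'
}
```

Run the script a second time after the reboot to confirm that Test-Tls12Settings reports no drift.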

Update non-Windows proxies

Any machines that act as proxies between devices and the Azure AD Device Registration Service must have TLS 1.2 enabled. Follow your vendor's guidance to ensure support.

Update AD FS servers

Any AD FS servers used to communicate with the Azure AD Device Registration Service must have TLS 1.2 enabled. See Managing SSL/TLS Protocols and Cipher Suites for AD FS for information on how to enable and verify this configuration.

Client updates

Since all client-server and browser-server combinations must use TLS 1.2 to connect with the Azure AD Device Registration Service, you may need to update these devices.

The following clients are known to be unable to support TLS 1.2. Update your clients to ensure uninterrupted access.

  • Android version 4.3 and earlier
  • Firefox version 5.0 and earlier
  • Internet Explorer versions 8-10 on Windows 7 and earlier
  • Internet Explorer 10 on Windows Phone 8.0
  • Safari version 6.0.4 on OS X 10.8.4 and earlier

Next steps

TLS/SSL overview (Schannel SSP)