How to disable TLS 1.0 without breaking RemoteApps on server 2012 R2

Solution 1:

After almost a year, I finally figured out a working solution for disabling TLS 1.0/1.1 without breaking RDP and Remote Desktop Services connectivity.

Run IISCrypto and disable TLS 1.0, TLS 1.1 and all bad ciphers.

On the Remote Desktop Services server running the gateway role, open the Local Security Policy and navigate to Security Options - System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Change the security setting to Enabled. Reboot for the changes to take effect.

Note that in some cases (especially if using self-signed certificates on Server 2012 R2), the Security Policy option "Network Security: LAN Manager authentication level" may need to be set to "Send NTLMv2 responses only".

Let me know if this works for you as well.
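A check script to verify what the steps above actually produced, added here and not part of the answer: it reads the SCHANNEL, FIPS and LAN Manager registry values and then attempts a TLS 1.0 and a TLS 1.2 handshake against the gateway. The host name is a placeholder, and the handshake test must run from a client that itself still allows TLS 1.0, otherwise the refusal comes from the client rather than the server.

```powershell
# Added example, not code from any answer above. Reads the registry values that
# IISCrypto and the two policies write, then does a real handshake so the outcome
# is verified rather than assumed. $GatewayHost is a placeholder, not from the page.
$GatewayHost = 'rdgw.example.com'; $Port = 443
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-ProtocolState {
    param([string]$Protocol)                      # e.g. 'TLS 1.0'
    $key = Join-Path $schannel "$Protocol\Server"
    if (-not (Test-Path $key)) { return 'not configured (OS default)' }
    $v = Get-ItemProperty -Path $key
    if ($v.Enabled -eq 0)           { return 'disabled' }
    if ($v.DisabledByDefault -eq 1) { return 'disabled by default' }
    return 'enabled'
}

# Run from a client that still permits TLS 1.0; if it refuses first, the server was never asked.
function Test-TlsHandshake {
    param([string]$Target, [int]$TargetPort,
          [System.Security.Authentication.SslProtocols]$Protocol)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, $TargetPort)
        # Certificate validation is deliberately bypassed: the only question is
        # whether the server agrees to this protocol version.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Target, $null, $Protocol, $false)
        $result = "negotiated $($ssl.SslProtocol)"
        $ssl.Dispose()
        return $result
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }
        return "refused ($($e.Message))"
    } finally {
        $client.Dispose()
    }
}

foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    '{0,-8} server registry: {1}' -f $p, (Get-ProtocolState $p)
}
$fips = (Get-ItemProperty "$lsaPath\FipsAlgorithmPolicy" -ErrorAction SilentlyContinue).Enabled -eq 1
$lm   = (Get-ItemProperty $lsaPath).LmCompatibilityLevel
'FIPS policy enabled: {0}' -f $fips
'LmCompatibilityLevel: {0} (3 = Send NTLMv2 responses only)' -f $(if ($null -eq $lm) { 'not set' } else { $lm })
foreach ($t in @{ 'TLS 1.0' = 'Tls'; 'TLS 1.2' = 'Tls12' }.GetEnumerator()) {
    '{0,-8} handshake to {1}:{2}: {3}' -f $t.Key, $GatewayHost, $Port,
        (Test-TlsHandshake $GatewayHost $Port ([System.Security.Authentication.SslProtocols]$t.Value))
}
```

A "refused" result for TLS 1.0 together with "negotiated Tls12" for TLS 1.2 is the state the steps above aim for; if TLS 1.0 still negotiates after the FIPS change, that is the behaviour the next answer warns about.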

Solution 2:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

This secretly re-enables the older protocols again. Microsoft even no longer recommends using the setting.

I've been fighting this as well. I haven't found the right solution yet.

Microsoft doc on the setting

Microsoft article not recommending it

Solution 3:

Old posting, but I just happened to read an article that says if you are using the internal SQL server (WID) for the connection broker database, the connection broker needs TLS 1.0 enabled to talk to WID. You can get around this by using a "real" SQL Server database for the connection broker instead of the internal SQL WID.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/rds-connection-broker-or-rdms-fails-caused-by-disabled-tls-10