
Azure security recommendation unclear

Laura Hodge 0 Reputation points
2026-04-06T18:50:45.92+00:00

Hi, I’m going through my Microsoft Azure security recommendations for my server. I’ve run into a recommendation I can’t make sense of. The title is, “Windows servers should be configured to use secure communication protocols”. It recommends 3 steps:

1. “Enable Guest Configuration extension and system assigned identity”. I did that last week.

2. “Enable TLS on your machine. … For Windows 2012 R2 Server or later, no updates are necessary.” The server is Windows Server 2019, so nothing is necessary.

3. “Update the Windows and WinHTTP registry keys (or verify that they're correct) according to the information here: https://docs.microsoft.com/dotnet/framework/network-programming/tls#configuring-schannel-protocols” This says it’s about setting registry keys, but the page it links to for details is all about code – it’s basically a lecture about how apps should let the OS choose the TLS version. Which ours does.

Since we’ve already done everything this recommendation asks, what do we need to do to be recognized as being in compliance?

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

1 answer

  1. Sridevi Machavarapu 27,315 Reputation points Microsoft External Staff Moderator
    2026-04-07T00:06:09.2933333+00:00

    Hello Laura Hodge,

    This recommendation is checking OS-level configuration rather than how your application negotiates TLS. On Windows Server 2019, TLS 1.2 is already available, but the policy requires older protocols to be explicitly disabled. If TLS 1.0 or TLS 1.1 are still enabled in the registry, the recommendation will remain non-compliant.

    Please check: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    Ensure TLS 1.0 and TLS 1.1 (both Client and Server) are set with Enabled=0 and DisabledByDefault=1, and TLS 1.2 is set with Enabled=1 and DisabledByDefault=0.

    Also verify:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319

    Set SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1.

    After making these changes, restart the server and allow some time for Defender for Cloud to refresh the status.

    In short, even though your setup is already using modern TLS, the policy requires these settings to be explicitly defined in the registry to be considered compliant.

    Hope this helps! Feel free to reach out for further queries.

    1 person found this answer helpful.
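The registry values listed in the answer above, turned into an audit script as an added example (this is not code from the answer or from Microsoft): it reports every value that differs from the target state and, only with `-Apply`, writes the DWORDs. The protocol paths, value names and target values are exactly those the answer gives; the `-Apply` switch and drift-report format are this example's own. It assumes an elevated Windows PowerShell 5.1 session on the server.

```powershell
# Added example: audit (and optionally set) the SCHANNEL and .NET Framework
# registry values the Defender for Cloud recommendation checks.
[CmdletBinding()]
param([switch]$Apply)   # without -Apply nothing is written

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$desired = @()

# TLS 1.0 and TLS 1.1: explicitly disabled for both the Client and Server roles.
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $desired += @{ Path = "$schannel\$proto\$role"; Enabled = 0; DisabledByDefault = 1 }
    }
}
# TLS 1.2: explicitly enabled for both roles (an absent key is not "enabled" to the policy).
foreach ($role in 'Client', 'Server') {
    $desired += @{ Path = "$schannel\TLS 1.2\$role"; Enabled = 1; DisabledByDefault = 0 }
}
# .NET Framework 4.x (64-bit and WOW6432Node): strong crypto, OS-chosen TLS version.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $desired += @{ Path = $net; SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 }
}

$drift = 0
foreach ($entry in $desired) {
    $path = $entry.Path
    foreach ($name in ($entry.Keys | Where-Object { $_ -ne 'Path' })) {
        $want = $entry[$name]
        # A missing key or value comes back as $null, which never equals the target.
        $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($have -eq $want) { continue }
        $drift++
        $shown = if ($null -eq $have) { '<missing>' } else { $have }
        Write-Output ('DRIFT {0}\{1}: have={2} want={3}' -f $path, $name, $shown, $want)
        if ($Apply) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            # -Force overwrites an existing value; DWord matches what SCHANNEL reads.
            New-ItemProperty -Path $path -Name $name -Value $want -PropertyType DWord -Force | Out-Null
        }
    }
}

if ($drift -eq 0) { Write-Output 'All listed values already match the recommendation.' }
elseif ($Apply)   { Write-Output "$drift value(s) written; reboot for SCHANNEL changes to take effect." }
else              { Write-Output "$drift value(s) differ; re-run with -Apply to set them." }
```

Run it once without `-Apply` to see which values the policy is likely complaining about; after `-Apply` and a reboot, Defender for Cloud still needs its own refresh interval before the recommendation turns green.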
