On July 1st, the GPO: DI – DOI Cryptography Baseline v.1.0 will be linked to the regional OUs in the GS domain. Sites testing the Cryptography Baseline have reported issues with connectivity to Microsoft SQL Servers. Many MSSQL Server instances will need to be updated to support TLS 1.2, which will be enforced in the Windows registry with the implementation of the Cryptography Baseline. Applications that come with embedded SQL may need vendor updates to support TLS 1.2. Where TLS 1.2 is not supported, a deviation GPO will need to be applied to allow TLS 1.0 and/or 1.1. Legacy ODBC drivers do not support TLS 1.2. Clients using legacy OBDC drivers will need to update to use the Microsoft OLE DB Driver for SQL Server.
TLS 1.2 support for Microsoft SQL Server
Known Issues – Resolvable Without a Deviation
FlexiCapture – Versions 12+ support TLS 1.2
Veritas BackupExec – Versions 20.1+ use TLS 1.2
Known Issues – Deviation Required
IHS Kingdom Software – TLS Registry Deviation GPO Required (as of June 2019) :
DI – USGS Windows Client Approval Needed Deviation – Cryptography Allow TLS 1.0 & 1.1 Registry
Clients and servers that require TLS 1.0 and 1.1 for applications (such as applications that use Microsoft SQL that still do not support TLS 1.2 This GPO has an Active Directory security filter applied. Sites that need to apply the deviation can create an AD group for TLS Registry Deviation computers and make it a member of the group: “IGSGBWTST Deviation Computers – Allow TLS 1.0 1.1 Registry”. Click here to view the settings in this GPO.