SHA256 support and TLS 1.2 compatibility in Windows 2012R2 RDS

Hi fellow Remote Desktop Services admins,

I'm becoming increasingly confused about how well, and under exactly what requirements, Windows Server 2012 R2 running the RDS role supports the use of TLS 1.2 with clients ranging from Windows XP SP3 to Windows 8.1.

So what I understand is:

That TLS 1.2 is supported and enabled by default on Windows Server 2012 R2. So I could buy a certificate that uses the SHA256 hash algorithm.

- But am I right that clients ranging from Windows XP SP3 up to Windows 8.1 support this scenario?

- Would it be necessary to manually enable TLS 1.2 on these clients in order for them to be able to negotiate the use of TLS 1.2?

- If TLS 1.2 isn't manually enabled on, let's say, a Windows 7 client, would the RDS server and the client be able to negotiate the use of TLS 1.0 instead, now that the certificate is SHA256? Because as I understand it, SHA256 is not supported by TLS 1.0. Therefore the same certificate would have to support SHA1, as the communication with a TLS 1.0 client would require SHA1. Correct?

What I have done

Crawled through forums, Wikipedia, blogs and search-engine results in order to understand the possible scenarios and what RDS in Windows Server 2012 R2 supports. But I find it quite hard to get a solid understanding of how things exactly are.

For example: https://technet.microsoft.com/en-us/library/dd320345(v=ws.10).aspx - applies to Windows Server 2012. But does it also apply to 2012 R2? Of TLS 1.0 and TLS 1.2, only TLS 1.0 is mentioned.

At the same time, though, this blog: http://blogs.msdn.com/b/openspecification/archive/2012/07/24/hitchhiker-s-guide-to-debugging-rdp-protocols-part-2.aspx - seems to indicate that RDP on at least Windows Server 2012 (judging by the post's date) supports TLS 1.2.

However, it is really hard to find a clear-cut specification from Microsoft on this. I would really appreciate it if someone could clarify this for me, especially because SHA1 certificates are being phased out (starting in 2017, if I'm not mistaken) and I would therefore strongly prefer to invest in a SHA256 certificate.

Looking forward to hearing from you.

Thank you very much.

May 29th, 2015 4:10pm

Hi there... anybody with a suggestion? :-D
June 1st, 2015 3:30am

Hi,

Here is the most recent and useful blog I can find:

Support for SSL/TLS protocols on Windows

http://blogs.msdn.com/b/kaushal/archive/2011/10/02/10218922.aspx

According to the blog, Windows 7 and Windows Server 2008 R2 (and above, of course) are the only two operating systems out there that include support for TLS 1.1 and TLS 1.2. These are not enabled by default and should be enabled via the registry.

In addition, according to the answerer of the thread below:

RDP protocol TLS1.1 Support

https://social.technet.microsoft.com/Forums/en-US/9a6ac988-061a-4594-849c-dc8f037a70ad/rdp-protocol-tls11-support?forum=winserverTS

The RDC client will not send anything higher than TLS 1.0, and the server will not accept TLS 1.1 or TLS 1.2 (if you send it client hellos with TLS 1.2 in the header, it just responds with TLS 1.0). If you disable TLS 1.0 and below, you cannot connect.

Here are some more related threads below for you:

Remote Desktop stopped working after disabling SSL 2.0 and TLS 1.0

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e2b22dad-bb0c-4059-beec-6673783ab777/remote-desktop-stopped-working-after-disabling-ssl-20-and-tls-10?forum=smallbusinessserver

RDP protocol TLS1.2 Support

https://social.technet.microsoft.com/forums/windowsserver/en-US/e308a2ac-2443-4a24-abc7-fab6079fac86/rdp-protocol-tls12-support

Best Regards,

June 2nd, 2015 3:34am
