
Disabling TLS 1.0 and 1.1 for NHS Identity Agent

Transport Layer Security (TLS) protocol versions 1.0 and 1.1 are deprecated security protocols for establishing encryption channels over computer networks.

The National Cyber Security Centre (NCSC) and Microsoft advise that TLS 1.0 and TLS 1.1 should no longer be used. Organisations should upgrade to at least TLS 1.2 to maintain security.

Microsoft further recommends removing dependencies on TLS 1.0 and TLS 1.1 from systems and disabling them at the operating system level wherever possible.


Upgrade recommendation

To align with modern security standards and avoid manual registry configuration, we strongly recommend that you upgrade from version 2.3.2.0 or earlier to the latest Identity Agent version.

Upgrading to version 2.4.5.0 or later ensures compatibility with TLS 1.2+, reduces reliance on outdated security protocols, and removes the need for manual registry modifications.

Download the latest version of Identity Agent.


Background

Version 2.3.2.0 and previous Identity Agent versions rely on .NET Framework 3.5, which by default uses TLS 1.0 and TLS 1.1.

These dependencies require specific registry configurations to enable the Identity Agent to work when either TLS 1.0 or TLS 1.1 is disabled.

However, starting from version 2.4.5.0, the Identity Agent uses .NET Framework 4.8 or later, which natively supports stronger cryptographic protocols like TLS 1.2. Therefore, legacy configurations for TLS 1.0 and TLS 1.1 are no longer required for these versions.  


Impact

If TLS 1.0 and TLS 1.1 have been explicitly disabled using the following registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
"Enabled" = dword:00000000
"DisabledByDefault" = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
"Enabled" = dword:00000000
"DisabledByDefault" = dword:00000001

Then, version 2.3.2.0 and previous Identity Agent versions require additional configurations to function.  

However, versions 2.4.5.0 and later are unaffected, as they use .NET Framework 4.8 or later, which defaults to TLS 1.2 or higher and does not require manual registry modifications for TLS protocol handling.


Resolution

For legacy systems running version 2.3.2.0 or earlier versions, the following registry configurations must be applied to ensure TLS 1.2 support.

32-bit and 64-bit systems must apply:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

64-bit systems must additionally apply:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

For systems running the current Identity Agent (version 2.4.5.0 or higher), no additional TLS configurations are necessary. These versions automatically use the system's default secure TLS settings due to their reliance on .NET Framework 4.8 or later.
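As an added worked example (not part of the NHS guidance and not Identity Agent's own code), the following PowerShell script audits a legacy host for the SChannel and .NET Framework registry values listed in the Impact and Resolution sections above, and writes the .NET values only when run with an -Apply switch. The -Apply switch, the function names and the report format are my assumptions; the registry paths and value names are the ones given on this page.

```powershell
# Added example (not from the NHS page): report whether SChannel TLS 1.0/1.1
# client support is disabled and whether the .NET Framework v4.0.30319 values
# needed by Identity Agent 2.3.2.0 or earlier are present. Without -Apply the
# script only reports; with -Apply it writes the .NET values. Run elevated.
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotNetKeys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')
if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit hosts also need the Wow6432Node key so 32-bit processes see it
    $dotNetKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}

function Test-TlsClientDisabled {
    param([string]$Version)   # 'TLS 1.0' or 'TLS 1.1'
    $key = "$schannel\$Version\Client"
    if (-not (Test-Path $key)) { return $false }   # no key: OS default applies
    $p = Get-ItemProperty -Path $key
    return ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)
}

function Get-DotNetTlsState {
    param([string]$Key)
    $state = @{}
    foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
        $v = $null
        if (Test-Path $Key) {
            $v = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $state[$name] = $v
    }
    return $state
}

function Set-DotNetTlsDefaults {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
        Set-ItemProperty -Path $Key -Name $name -Value 1 -Type DWord
    }
}

$legacyDisabled = (Test-TlsClientDisabled 'TLS 1.0') -and (Test-TlsClientDisabled 'TLS 1.1')
Write-Host "TLS 1.0 and TLS 1.1 client disabled via SChannel: $legacyDisabled"
foreach ($key in $dotNetKeys) {
    $s = Get-DotNetTlsState $key
    $ok = ($s.SystemDefaultTlsVersions -eq 1) -and ($s.SchUseStrongCrypto -eq 1)
    Write-Host "$key -> SystemDefaultTlsVersions=$($s.SystemDefaultTlsVersions) SchUseStrongCrypto=$($s.SchUseStrongCrypto) compliant=$ok"
    if (-not $ok -and $Apply) { Set-DotNetTlsDefaults $key; Write-Host '  values written' }
}
```

Run it without -Apply first on a representative host to confirm the report matches the agent version in use, since hosts already on version 2.4.5.0 or later need none of the .NET values.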

Last edited: 3 June 2025 9:45 pm