mlaMemberMay 31, 2017 at 7:14 am #167037
I have a situation…
for accessing some https sites users need to have TLS 1-1.2 enabled. In current situation TLS settings are UNCHECKED. When the user checks TLS boxes in Advanced of IE11 he can access the sites.
after computer restart the checkmarks for TLS are wiped out.
THE CAUSE: I guess… GPO :)
The GPO is managed by few people and is old heritage… First I run resultant in GPMC for regular user and regular machine – affected. I was sure that I will find the GPO responsible for TLS/SSL settings with the option “don’t use TLS”.
Didn’t find any…
I did a simple thing:
1. created OU TestTLS in the OU Workstations.
2. Moved one affected computer from Workstations to TestTLS.
3. Created GPO object TLS config.
Enabled TLS 1 to 1.2 in computer settings (to be sure that it will take precedence if some User thingy leaking)
4. Linked it to OU TestTLS
5. Restarted computer. The result is POSITIVE – GPO applied. TLS settings are set in IE (with no uncheck possibility).
How to find what causing UNCHECK TLS when my “push” TLS GPO is not turned ON?
Since I cannot find the GPO that has an opposite setting “do not use TLS” I want to ask the forum where from it could “leak” and how to deal with the issue
Sure I can just push my GPO on top of the Domain and forget. But I feel uncomfortable in our computer business :)… until I find the answer.
Here is a screamshot for the GPO I set for enabling TLSs.
I asked the same question on MS GPO forum. Had an advice that didn’t lead to a problem finding…
Also, when link the TLS CONFIG gpo to Root of domain, moved to be first GPO, filtered to one computer in bottom OU with 17 inherited GPOs it perfectly works and I cannot find what causing the problem without this GPO applied to wipe out TLS settings set manually in browser.
You must be logged in to reply to this topic.