Purpose
This document outlines the steps necessary to ensure that Ivanti Patch for Windows can make use of TLS 1.2 when TLS 1.0 and TLS 1.1 are disabled.
Symptoms
When TLS 1.0 and TLS 1.1 are disabled, the Deployment Tracker will remain stuck at "Scheduled" or "Executing".
Cause
The target machine has a process to send status updates back to the console. If TLS 1.2 isn't properly configured on the client machines and the protect console, these updates will fail to reach the console.
Resolution
- SQL Server needs to be updated per https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server
- Follow the Microsoft recommendations outlined in Microsoft Security Advisory 2960358
- For machines running Windows 7, Windows Server 2008 R2, or Windows Server 2012, follow the instructions in https://support.microsoft.com/en-us/kb/3140245 to create the needed registry key and then install patch MSWU-1964.
Registry changes must be made on both the client machines and the Ivanti Patch for Windows console.
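A read-only check for the registry step above, as an added example that is not part of the original Ivanti article: it reads the WinHTTP DefaultSecureProtocols value described in Microsoft KB 3140245 and reports whether the TLS 1.2 bit is set in both the native and 32-bit registry views. The registry paths, value name and bit flags are taken from that KB, not from this page, and the function name Get-WinHttpDefaultProtocols is hypothetical.

```powershell
# Added example: read-only audit of the WinHTTP default-protocol value from Microsoft KB 3140245.
# Assumption: the value name and bit flags come from that KB, not from this page.
# Written for PowerShell 2.0 so it runs on a stock Windows 7 / Server 2008 R2 machine.
# Run from 64-bit PowerShell so the Wow6432Node path is not subject to registry redirection.
$ProtocolFlags = @(
    @{ Name = 'SSL 2.0'; Bit = 0x008 },
    @{ Name = 'SSL 3.0'; Bit = 0x020 },
    @{ Name = 'TLS 1.0'; Bit = 0x080 },
    @{ Name = 'TLS 1.1'; Bit = 0x200 },
    @{ Name = 'TLS 1.2'; Bit = 0x800 }
)
$WinHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Get-WinHttpDefaultProtocols {
    param([string]$Path)
    # Defaults describe the case where the KB's registry value has not been created.
    $finding = 'FAIL: DefaultSecureProtocols is not set'
    $raw     = '(not set)'
    $enabled = @()
    $prop = Get-ItemProperty -Path $Path -Name 'DefaultSecureProtocols' -ErrorAction SilentlyContinue
    if ($prop -ne $null) {
        $value   = [int]$prop.DefaultSecureProtocols
        $raw     = '0x{0:X8}' -f $value
        # Decode the bitmask into protocol names.
        $enabled = @($ProtocolFlags | Where-Object { $value -band $_.Bit } | ForEach-Object { $_.Name })
        if ($enabled -notcontains 'TLS 1.2') {
            $finding = 'FAIL: TLS 1.2 bit (0x800) is not set'
        } elseif ($enabled.Count -gt 1) {
            $finding = 'WARN: TLS 1.2 is set, but older protocols are also listed'
        } else {
            $finding = 'OK: TLS 1.2 only'
        }
    }
    New-Object PSObject -Property @{
        Path = $Path; Value = $raw; Protocols = ($enabled -join ', '); Finding = $finding
    }
}

# The Wow6432Node branch exists only on 64-bit Windows; skip it elsewhere.
$WinHttpKeys | Where-Object { Test-Path (Split-Path $_ -Parent) } |
    ForEach-Object { Get-WinHttpDefaultProtocols -Path $_ } |
    Format-List Path, Value, Protocols, Finding
```

Run it on both a client machine and the console machine; a FAIL on either registry view means the change has not reached that machine.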
Additional Info
This document explains how to deploy registry changes via group policy: https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx
Affected Product(s)
Ivanti Patch for Windows 9.3+