Enable TLS 1.2 in Windows Server 2012 running Exchange 2013 via IIS 8.0

5

I have some issues getting the TLS 1.2 protocol running on one of our Windows Server 2012 machines. I checked this using ssllabs.com by Qualys and also tested with a PowerShell script and the Linux tool "cipherscan".

The server hosts one Exchange 2013 SP1 (CU4) Server, with IIS 8.0. The certificate used is issued by our company CA. Another Windows Server 2012 with the same Exchange 2013 SP1 (CU4) installation works perfectly with the same certificate.

As far as I could research, Windows Server 2012 uses TLS 1.2 by default. However, this setting can be configured using the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
DWORD "DisabledByDefault" Value "0x00000000"
DWORD "Enabled" Value "0x00000001" or "0xffffffff"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
DWORD "DisabledByDefault" Value "0x00000000"
DWORD "Enabled" Value "0x00000001" or "0xffffffff"

Microsoft also mentions that this local group policy setting might help:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

As this setting should be set inside the operating system, Microsoft also recommends enabling TLS 1.2 usage in the Internet Options of Internet Explorer.

I tried all 3 of these options, but none worked for me. Just to make this clear: the server (not just the IIS service) was rebooted several times after enabling each of the settings.

Most guides and scripts (e.g. PowerShell) just set the corresponding keys in the registry. I don't know exactly what else I could try.

I hope that somebody has a clue where to enable this.

windows-server-2012
tls
exchange-2013
asked on Server Fault Feb 16, 2015 by Kevin
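
An added example, not part of the original question and not Microsoft's code: a read-only PowerShell check of the two SCHANNEL keys listed in the question, reporting whether each value exists, whether it is a DWORD, and what it is set to. The function name Get-Tls12KeyState and the verdict strings are assumptions made for illustration.

```powershell
# Added example: read-only audit of the two SCHANNEL keys quoted in the question.
# Get-Tls12KeyState is a hypothetical helper name, not a built-in cmdlet.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Get-Tls12KeyState {
    param([Parameter(Mandatory)][string]$Role)   # 'Client' or 'Server'

    $path   = Join-Path $base $Role
    $result = [ordered]@{ Role = $Role; KeyExists = $false
                          Enabled = 'not set'; DisabledByDefault = 'not set'; Verdict = '' }

    if (Test-Path -LiteralPath $path) {
        $result.KeyExists = $true
        $key = Get-Item -LiteralPath $path          # Microsoft.Win32.RegistryKey
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            if ($key.GetValueNames() -notcontains $name) { continue }
            $kind = $key.GetValueKind($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                # The settings in the question are DWORDs; flag any other type.
                $result[$name] = "wrong type: $kind"
                continue
            }
            # .NET returns a DWORD as a signed Int32, so 0xffffffff reads as -1.
            # Mask to 32 bits so it prints the way the registry editor shows it.
            $raw = [int64]$key.GetValue($name) -band 4294967295
            $result[$name] = '0x{0:x8}' -f $raw
        }
    }

    $badType = ($result.Enabled -like 'wrong type*') -or ($result.DisabledByDefault -like 'wrong type*')
    $result.Verdict = if ($badType) { 'fix value type' }
        elseif ($result.Enabled -eq '0x00000000') { 'explicitly disabled' }
        elseif ($result.DisabledByDefault -notin 'not set', '0x00000000') { 'disabled by default' }
        elseif ($result.Enabled -eq 'not set') { 'no override, OS default applies' }
        else { 'explicitly enabled' }

    [pscustomobject]$result
}

'Client', 'Server' | ForEach-Object { Get-Tls12KeyState -Role $_ } | Format-Table -AutoSize
```

Running it on both the working and the failing server gives a side-by-side view of whether the registry settings actually differ between them.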

1 Answer

0

One other option to enable SSL/TLS on your Windows Server is to use SSL crypto to update the registry keys.

Furthermore you have the possibility to manage the cipher suite (Ciphers, Hashes and Key Exchanges).

https://www.nartac.com/Products/IISCrypto

answered on Server Fault Jul 21, 2017 by Alexandre Roux

User contributions licensed under CC BY-SA 3.0