News

Microsoft Revises October Deadline on Using TLS 1.0 and 1.1 in Office 365

• By Kurt Mackie
• 10/26/2018

Microsoft recently clarified its previously declared position that it had planned to drop support for Transport Layer Security (TLS) 1.0 and 1.1 protocols used with Office 365 services by the end of this month.

The software industry has been moving away from the TLS 1.0 and 1.1 protocols for security reasons in favor of TLS 1.2. In February, Microsoft declared it would stop supporting the older TLS protocols in its Office 365 services on Oct. 31, 2018. Microsoft had suggested back then that this action could have effects for organizations that continued to use those protocols in browsers and applications.

However, Microsoft has since updated its advisory, without much public notice. The new language in the advisory, updated on Oct. 24, clarifies that the Oct. 31 end date is really just the date when Microsoft's developers will internally stop providing software updates for the older TLS protocols. Moreover, the TLS 1.0 and 1.1 protocols won't get blocked on the Oct. 31 date for Office 365 users.

Here's the revised Oct. 24 language in Microsoft's TLS Office 365 advisory:

Note This doesn't mean Office 365 will block TLS 1.0 and 1.1 connections. There is no official date for disabling or removing TLS 1.0 and 1.1 in the TLS service for customer connections. The eventual deprecation date will be determined by customer telemetry and is not yet known. After a decision is made, there will be an announcement six months in advance unless we become aware of a known compromise, in which case we may have to act in less than six months to protect customers who use the services.

Microsoft's current prospective advice to IT pros is to "make sure that all client-server and browser-server combinations use TLS 1.2 (or a later version) to maintain connection to Office 365 services."

The changed language in the advisory was noted in a blog post by Tom Arbuthnot, a Microsoft MVP focused on Skype for Business technologies. The clarification might have gone unnoticed by many, since the Knowledge Base article was quietly revised by Microsoft.

"I am not a fan of Microsoft changing the text in these KB's without a clear change log and explanation," Arbuthnot bluntly noted.

Microsoft's revised advisory also has new information for users of the Microsoft Surface Hub and Skype Room Systems conferencing devices, as well as Skype for Business Server and Skype for Business Online. The advisory is telling them to not disable TLS 1.0 and 1.1. Here's how that's described:

Microsoft Surface Hub and Skype Room Systems Version 2 (SRS v2) currently use TLS 1.0 or 1.1, and they will continue to work after October 31, 2018. Microsoft will update Surface Hub, Skype Room Systems V2, Skype for Business Online, and server products to support TLS 1.2 before TLS 1.0 and 1.1 are deprecated for Office 365. These products are expected to support TLS 1.2 by the first half of 2019. Skype for Business Online and on-premises customers should not disable TLS 1.0 and 1.1 until that time if they are using these meeting and calling devices.

There's also new information in the revised advisory for organizations using Windows Server 2008 and Windows Server 2008 R2, where Microsoft is advising against disabling TLS 1.1 and 1.2:

We have identified protocol mismatch issues that are generated by on-premises servers that are running Windows Server 2008 and 2008 R2. You have to enable TLS 1.1 and 1.2 to let them continue to function after October 31, 2018.

Still, the writing is on the wall for the end of TLS 1.0 and 1.1. Major browser makers recently declared that they'll no longer support those protocols by the end of the first half of 2020.