Signing and Encryption
Two of these options (Require signing and Require SHA-256) have been enabled by default since 2103, and we have started to see more cases opened with the symptoms that are mentioned in the 'Warning' statement:
> **Warning**
>
> Don't Require SHA-256 without first confirming that all clients support this hash algorithm. These clients include ones that might be assigned to the site in the future.
>
> If you choose this option, and clients with self-signed certificates can't support SHA-256, Configuration Manager rejects them. The SMS_MP_CONTROL_MANAGER component logs the message ID 5443.
Ask: We shouldn't enable these settings by default, exactly because of the warning that we make in this document. The customer doesn't have the chance to test this if they don't realize it's been enabled by default, and then it puts support in a difficult position, having to explain why. This warning is accurate; it does cause issues in many environments, so it should not be enabled in the product by default.
Thanks
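As an added example (not from the Configuration Manager documentation, the product, or the issue author), here is the pre-flight check the warning asks for: inventory the self-signed client certificates before turning on "Require SHA-256", so that SHA-1-only clients are found before the site starts rejecting them. It assumes (none of this is on the page) that the target clients accept PowerShell remoting, that the caller is a local administrator on them, that the client's self-signed certificates sit in the `LocalMachine\SMS` store, and that the signature algorithm of the existing self-signed certificate is a reasonable indicator of what the client can produce. `$Computers` is a constructed sample list.

```powershell
# Added example, not part of the docs page or the ConfigMgr product.
# Pre-flight check before enabling "Require SHA-256" on the site:
# report every client whose self-signed certificate is not signed with SHA-256,
# plus clients that could not be checked at all.
#
# Assumptions (not from the page): PowerShell remoting is enabled on the clients,
# the caller is a local admin on them, and the client's self-signed certificates
# are in the LocalMachine\SMS certificate store.

$Computers = @('client01', 'client02', 'client03')   # constructed sample list

# Runs on each client: return each self-signed certificate (Issuer equals Subject)
# in the SMS store with its signature algorithm, e.g. 'sha256RSA' or 'sha1RSA'.
$RemoteInventory = {
    Get-ChildItem -Path 'Cert:\LocalMachine\SMS' -ErrorAction SilentlyContinue |
        Where-Object { $_.Issuer -eq $_.Subject } |
        ForEach-Object {
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Subject      = $_.Subject
                Thumbprint   = $_.Thumbprint
                SignatureAlg = $_.SignatureAlgorithm.FriendlyName
                NotAfter     = $_.NotAfter
            }
        }
}

function Get-SmsSelfSignedCertInventory {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $found = @(Invoke-Command -ComputerName $c -ScriptBlock $RemoteInventory -ErrorAction Stop)
            if ($found.Count -eq 0) {
                # Reachable, but nothing self-signed in the store: still needs a look,
                # because you cannot vouch for what this client will present later.
                $found = @([pscustomobject]@{
                    Computer = $c; Subject = $null; Thumbprint = $null
                    SignatureAlg = 'NO SELF-SIGNED CERT FOUND'; NotAfter = $null
                })
            }
            $found
        }
        catch {
            # Unreachable clients are reported, not silently dropped.
            [pscustomobject]@{
                Computer = $c; Subject = $null; Thumbprint = $null
                SignatureAlg = "UNREACHABLE: $($_.Exception.Message)"; NotAfter = $null
            }
        }
    }
}

function Find-NonSha256Client {
    param([object[]]$Inventory)
    # Anything whose signature algorithm does not start with sha256 (SHA-1 certs,
    # unreachable hosts, empty stores) must be resolved before the site setting changes.
    $Inventory | Where-Object { $_.SignatureAlg -notlike 'sha256*' }
}

$inventory = Get-SmsSelfSignedCertInventory -ComputerName $Computers
$problems  = @(Find-NonSha256Client -Inventory $inventory)

if ($problems.Count -gt 0) {
    Write-Warning "Do not enable 'Require SHA-256' yet; these clients need attention:"
    $problems | Format-Table Computer, Subject, SignatureAlg, NotAfter -AutoSize
}
else {
    Write-Output "All $($inventory.Count) self-signed client certificates use SHA-256."
}
```

Run it against the full list of clients assigned to the site, and repeat it for any clients that will be assigned later, since the warning covers those too. Once the option is enabled, the page's own signal for a rejected client is message ID 5443 from the SMS_MP_CONTROL_MANAGER component, so that is what to watch in component status afterwards.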
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 1dc1b7c8-1005-c581-b9d5-dd3769fb3ca5
- Version Independent ID: 85c42241-97da-f8d4-39f5-48f60f2a47dd
- Content: Configure security - Configuration Manager
- Content Source: memdocs/configmgr/core/plan-design/security/configure-security.md
- Product: configuration-manager
- Technology: configmgr-core
- GitHub Login: @aczechowski
- Microsoft Alias: aaroncz