Open rybal06 opened 3 months ago
Hi @rybal06! Thanks for raising the issue, which is a great callout. We'll add it to our backlog and raise with respective owners, but this will likely take quite a bit of time to land, as most policies are maintained by the respective resource owners. To help prioritize, I would encourage you to create support tickets for resources that are blocked by policy when deploying TLS 1.3.
@rybal06 please note that all ALZ custom policies have been updated as part of Policy Refresh Q1 FY25 to support TLS 1.3. However, for built-in policies, I would suggest raising a support ticket for the ones blocking you currently. We are working with the various product groups to raise this concern, but as we don't own the policies, we have to wait for them to resolve the issue.
Support cases have been opened and it looks like the product teams are starting to update built-in policies to now require TLS 1.3. It seems premature for the Defender / policy team to start flagging TLS 1.2 as a risk. Updating the condition to be greater than or equal to TLS 1.2 seems like a more sensible default at this point in time.
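To make the difference between the two condition shapes concrete, here is an added example that is not part of this thread or the ALZ repository's own policy definitions. It embeds two constructed Azure Policy rules: one that denies anything whose minimum TLS version is not exactly "1.2" (the shape that blocks TLS 1.3), and one that denies only versions below "1.2". The alias `Microsoft.Web/sites/config/minTlsVersion`, the `"1.x"` version strings and the site resources are assumed for illustration; the evaluator is a toy that models a subset of Azure Policy's operators (`allOf`, `anyOf`, `not`, `equals`, `notEquals`, `in`, `notIn`, `less`, `greaterOrEquals`) and approximates Azure's string ordering with plain lexical comparison, which is adequate for single-digit minor versions but not a faithful reimplementation of the service.

```python
"""Toy evaluation of two minimum-TLS policy shapes (added example, not ALZ code)."""

# Constructed "before" rule: deny when minimum TLS is anything other than exactly 1.2.
# A resource configured for TLS 1.3 trips this rule.
POLICY_EXACT_1_2 = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Web/sites"},
            # alias and version string assumed for illustration
            {"field": "Microsoft.Web/sites/config/minTlsVersion", "notEquals": "1.2"},
        ]
    },
    "then": {"effect": "deny"},
}

# Constructed "after" rule: deny only when minimum TLS is below 1.2, so 1.3 passes.
POLICY_MIN_1_2 = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Web/sites"},
            {"field": "Microsoft.Web/sites/config/minTlsVersion", "less": "1.2"},
        ]
    },
    "then": {"effect": "deny"},
}

# Leaf operators. Missing fields arrive as None; ordering operators treat None as
# "not comparable" (False), which is an approximation of the real service.
_LEAF_OPS = {
    "equals": lambda actual, expected: actual == expected,
    "notEquals": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
    "notIn": lambda actual, expected: actual not in expected,
    "less": lambda actual, expected: actual is not None and actual < expected,
    "greaterOrEquals": lambda actual, expected: actual is not None and actual >= expected,
}


def evaluate(condition, resource):
    """Recursively evaluate a policy condition against a flat {alias: value} resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    actual = resource.get(condition["field"])
    for op, fn in _LEAF_OPS.items():
        if op in condition:
            return fn(actual, condition[op])
    raise ValueError(f"unsupported condition: {condition}")


def denies(policy, resource):
    """True when the policy's 'if' matches and its effect is deny."""
    return policy["then"]["effect"].lower() == "deny" and evaluate(policy["if"], resource)


def compare(versions=("1.0", "1.1", "1.2", "1.3")):
    """Map each constructed minimum-TLS setting to (denied_by_exact_1_2, denied_by_min_1_2)."""
    results = {}
    for version in versions:
        site = {  # constructed sample resource
            "type": "Microsoft.Web/sites",
            "Microsoft.Web/sites/config/minTlsVersion": version,
        }
        results[version] = (denies(POLICY_EXACT_1_2, site), denies(POLICY_MIN_1_2, site))
    return results


if __name__ == "__main__":
    print(f"{'minTlsVersion':<15}{'notEquals 1.2':<16}{'less 1.2'}")
    for version, (exact, minimum) in compare().items():
        print(f"{version:<15}{str(exact):<16}{minimum}")
```

Running it shows the asymmetry the thread is about: "1.0" and "1.1" are denied by both rules, "1.2" by neither, and "1.3" only by the exact-match rule. When porting such a change to a real definition, check the actual value format of the alias in question (some services use strings like `TLS1_2` rather than `1.2`), because string ordering on those values does not follow the numeric version.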
Yes, individual customers can fork these policies and make updates (like changing the condition to greater than or equal to 1.2); however, they become unlinked from Defender for Cloud rules and require additional operational burden.
Describe the bug
All TLS policies in this repo deny TLS 1.3 from being used.
Steps to reproduce
Recommendation