SSL – How to disable TLS 1.0 without breaking RemoteApps on Server 2012 R2

Tags: remoteapp, ssl, windows-server-2012-r2

Please note, this scenario is different from a similar one:
How do I disable TLS 1.0 without breaking RDP?

The linked question is about RDP and disabling TLS 1.0.

This question is about RemoteApps and disabling TLS 1.0.

I already have straight RDP over port 3389 working with TLS 1.2.

We have a 2012 R2 server hosting RemoteApps.

We have the RD Gateway, RD Web Access, RD Connection Broker, RD Session Host roles installed on this server.

RemoteApps are served through the RD Gateway over HTTPS. The only public port we have open is 443.

We have a public CA supplied wildcard SSL certificate installed in all of the RD Roles and IIS, so everything traces back to a trusted root cert.

The cert supports TLS 1.2; I see this in a web browser when I view the RDWeb website.

We are trying to disable TLS 1.0 on this server to tighten up the security.
We are using IISCrypto 2.0 to disable TLS 1.0.

When we disable TLS 1.0 two things are observed:

1. The RemoteApps stop working. They cannot be launched from an end user machine.

2. Straight RDP connections work just fine.

When we re-enable TLS 1.0 the RemoteApps work again.

SChannel logging confirms that RemoteApps are using TLS 1.2, so I would expect the RemoteApps to continue working when TLS 1.0 is disabled. However, that is not what I am observing.

All clients are using fully updated/patched versions of Windows 8.1 and 10.

Best Answer

After almost a year, I finally figured out a working solution for disabling TLS 1.0/1.1 without breaking RDP and Remote Desktop Services connectivity.

Run IISCrypto and disable TLS 1.0, TLS 1.1 and all bad ciphers.

On the Remote Desktop Services server running the gateway role, open the Local Security Policy and navigate to Security Options - System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Change the security setting to Enabled. Reboot for the changes to take effect.

Note that in some cases (especially if using self-signed certificates on Server 2012 R2), the Security Policy option Network Security: LAN Manager authentication level may need to be set to Send NTLMv2 responses only.

Let me know if this works for you as well.
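The three settings the answer changes (SChannel protocol state, the FIPS policy, and the LAN Manager authentication level) all live in the registry, so they can be audited before and after the reboot. The following PowerShell audit script is an added example, not code from the answer or from IISCrypto; it only reads the registry keys that IISCrypto and Local Security Policy write and assumes it runs in an elevated session on the RD Gateway host.

```powershell
# Added audit script (not from the original answer): reports the registry state behind
# the settings the answer touches. Run in an elevated PowerShell on the RDS/gateway host.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-ProtocolState {
    param([string]$Protocol, [string]$Side)   # e.g. 'TLS 1.0', 'Server'
    $key = Join-Path $schannel "$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'not configured (OS default applies)' }
    $p = Get-ItemProperty -Path $key
    # IISCrypto writes Enabled=0 / DisabledByDefault=1 to switch a protocol off;
    # a REG_DWORD of 0xFFFFFFFF (enabled) is returned as -1, so test only for 0.
    if ($p.Enabled -eq 0)           { return 'disabled (Enabled=0)' }
    if ($p.DisabledByDefault -eq 1) { return 'disabled by default (DisabledByDefault=1)' }
    return 'enabled'
}

foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        '{0,-8} {1,-6} {2}' -f $proto, $side, (Get-ProtocolState $proto $side)
    }
}

# System cryptography: Use FIPS compliant algorithms (Local Security Policy setting).
$fips = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
         -ErrorAction SilentlyContinue).Enabled
"FIPS policy Enabled = $fips (1 = Enabled, as the answer requires)"

# Network security: LAN Manager authentication level (3 = Send NTLMv2 response only).
$lm = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
       -ErrorAction SilentlyContinue).LmCompatibilityLevel
"LmCompatibilityLevel = $lm (unset = OS default; 3 = Send NTLMv2 response only)"
```

Running it before disabling TLS 1.0 and again after the reboot gives a record of exactly which protocol keys changed, which is useful when a RemoteApp launch fails and you need to confirm the server side rather than the client is the cause.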