So, you're here because in a month's time, on 1st September, you're going to lose a bunch of Automate agents due to TLS 1.2 compatibility. https://docs.connectwise.com/ConnectWise_Automate/ConnectWise_Automate_Supportability_Statements/Supportability_Statement%3A_TLS_1.0_and_1.1_Protocols_Unsupported
So here are some measures that, while not foolproof, I whipped up in a couple of hours yesterday to at least get a good head start on sorting these devices out.
1) Two searches: one that identifies Vista and below (which will be gone no matter what you do), and one that identifies your Windows 7, Server 2008 and Server 2008 R2 machines, which you can at least try to save.
2) Two remote monitors: one that checks whether the TLS 1.2 patch is even applied to the machine, and one that checks whether the DisabledByDefault registry key is set to 0.
3) Two scripts that can be used as Autofix actions to install the patch and set the registry key if necessary.
So, 1) Attached are the two searches.
2) You will want two remote monitors assigned to a group that you have limited to the 7-2008-2008R2 search. The first is an EXE monitor with this as the EXE. You want to monitor for the condition of "Exists".
"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "(get-hotfix -Id KB3140245,KB4019276 -ErrorAction silentlycontinue).hotfixid"
This is your monitor for whether the patch is installed or not.
Second monitor is to check if the registry key is set correctly. For this you can use a Registry key remote monitor to look at the following key. You want to monitor for a condition of "0".
3) The Autofix scripts. The first is "Enable TLS 1.2". You will need Darren White's Email Technician function script; otherwise just remove lines 8, 9, 10, 13, 14 and 15. You can then set this script as an Autofix action for your remote monitor that checks the registry key.
The second is "Deploy TLS1.2 Patch". You will need to enter the URLs to the patches here, which you can download from the MS website. I wasn't sure if these were static URLs or not, so I downloaded them and uploaded them to our web server, which is why I've stripped the URLs out. You can get the downloads from the links provided in ConnectWise's KB article at the top of this post. Again, you can then set this as an Autofix action against your monitor that checks if the patch is installed. This script will also set the registry keys as well as installing the patch. NOTE! On servers it does not do anything but download the file by default. You can edit lines 22 and 25 to GOTO :Install Patch instead if you want to allow it to automatically make changes to servers as well. It will not reboot machines, as the WUSA command has the /norestart switch. You can drop that if you want to force reboots.
I will throw one disclaimer out there. The Deploy TLS 1.2 script has had limited testing. We found that, of the machines we tested where the patch failed to install, there was an underlying issue with patching in general.
EDIT: So it would appear that there is another registry key potentially required. It is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp, plus HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp for 64-bit machines. The value required is "DefaultSecureProtocols" and it needs to be set to 0x00000800 (the TLS 1.2 bit).
Again, you can just fire up remote monitors for these, and then have an Autofix script to set them appropriately. All I did for mine was copy the Enable TLS 1.2 script and swap out lines 6 and 7 appropriately, like below (note that the OS versions it runs on were changed on line 7 from Windows Server to Windows 64-bit).
EDIT EDIT: So at least one ConnectWise support rep has also advised that .NET Framework 4.5 or higher has to be installed on the endpoint. You can quickly set up a remote monitor for this with the below configuration, and then script the install if it fails.
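To pull the checks in 2), the two EDITs and the Autofix logic in 3) together, here is a single PowerShell script that does the whole readiness check and the registry remediation in one place. This is an added example, not one of the attached scripts and not ConnectWise code. It is written for PowerShell 2.0, which is what Windows 7 / Server 2008 / 2008 R2 ship with. Assumptions: the SCHANNEL path used for DisabledByDefault is the standard TLS 1.2\Client key (the post names the value but not the path); setting the companion Enabled value to 1 alongside it is standard practice and goes slightly beyond the post; the .NET 4.5 check uses Microsoft's documented minimum Release number 378389; $MsuPath is whatever local path you saved the KB .msu to after downloading it from the links in the CW article.

```powershell
# Added example: TLS 1.2 readiness check + registry remediation for Win7/2008/2008R2.
# Not from the original post or ConnectWise. PowerShell 2.0 compatible (no PS3+ syntax).

# Assumption: standard SCHANNEL TLS 1.2 client key that holds DisabledByDefault
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$WinHttpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
# Wow6432Node only exists on 64-bit Windows, so its presence decides whether the second key is needed
$WowKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') { $WinHttpKeys += $WowKey }
$Tls12Bit = 0x800        # DefaultSecureProtocols bit for TLS 1.2 (0x00000800)
$DotNet45Release = 378389 # Assumption: documented minimum Release value for .NET 4.5

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is missing instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Test-Tls12Readiness {
    # KB3140245 (Win7 / 2008 R2) and KB4019276 (Server 2008 SP2) are the patches named in the post
    $hotfix = Get-HotFix -Id KB3140245, KB4019276 -ErrorAction SilentlyContinue
    $disabled = Get-RegValue $SchannelKey 'DisabledByDefault'
    $winhttpOk = $true
    foreach ($k in $WinHttpKeys) {
        $v = Get-RegValue $k 'DefaultSecureProtocols'
        # Bitmask test: other protocol bits may be set too, only the 0x800 bit matters here
        if ($v -eq $null -or (($v -band $Tls12Bit) -eq 0)) { $winhttpOk = $false }
    }
    $release = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' 'Release'
    New-Object PSObject -Property @{
        PatchInstalled  = [bool]$hotfix
        SchannelEnabled = ($disabled -eq 0)
        WinHttpTls12    = $winhttpOk
        DotNet45Plus    = ($release -ne $null -and $release -ge $DotNet45Release)
    }
}

function Set-Tls12Registry {
    param([switch]$IncludeServers)
    # Mirror the post's caveat: leave servers alone unless explicitly allowed (ProductType 1 = workstation)
    $os = Get-WmiObject Win32_OperatingSystem
    if ($os.ProductType -ne 1 -and -not $IncludeServers) {
        Write-Output 'Server detected; re-run with -IncludeServers to change the registry'
        return
    }
    if (-not (Test-Path $SchannelKey)) { New-Item -Path $SchannelKey -Force | Out-Null }
    Set-ItemProperty -Path $SchannelKey -Name 'DisabledByDefault' -Value 0 -Type DWord
    Set-ItemProperty -Path $SchannelKey -Name 'Enabled' -Value 1 -Type DWord   # companion value, see lead-in
    foreach ($k in $WinHttpKeys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        $cur = Get-RegValue $k 'DefaultSecureProtocols'
        if ($cur -eq $null) { $cur = 0 }
        # OR the bit in rather than overwrite, so an existing TLS 1.1 (0x200) setting survives
        Set-ItemProperty -Path $k -Name 'DefaultSecureProtocols' -Value ($cur -bor $Tls12Bit) -Type DWord
    }
}

function Install-Tls12Patch {
    # $MsuPath is an assumption: the .msu you downloaded from the links in the CW article
    param([Parameter(Mandatory = $true)][string]$MsuPath)
    $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    # 0 = installed, 3010 = installed but reboot pending, 2359302 (0x240006) = already installed
    return (@(0, 3010, 2359302) -contains $p.ExitCode)
}

# Usage as a monitor: print a marker only when everything is in place, so an EXE monitor
# with an "Exists" condition (as in the post) can alert on its absence.
$r = Test-Tls12Readiness
$r | Format-List
if ($r.PatchInstalled -and $r.SchannelEnabled -and $r.WinHttpTls12 -and $r.DotNet45Plus) { 'TLS12_READY' }
```

Run the bottom three lines as the monitor; for the Autofix, call Set-Tls12Registry (adding -IncludeServers only after you have decided servers may be changed automatically) and Install-Tls12Patch -MsuPath with the downloaded .msu. Note that Set-Tls12Registry ORs the 0x800 bit into DefaultSecureProtocols rather than replacing the value, which is the difference between enabling TLS 1.2 and accidentally disabling whatever else was there.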
Deploy TLS 1.2 Patch Script.xml Enable TLS 1.2 Script.xml XP-2003-Vista Search.xml 7-2008-2008R2 Search.xml