HP Recommended
Web JetAdmin 10.4 SR1
Microsoft Windows Server 2008 (64-bit)

How can you force TLS 1.2 on the HP Web Jetadmin server, so that when other printer support tech clients connect to it, it forces TLS 1.2 and does not allow TLS 1.0 or TLS 1.1? Right now it appears that if the PC user unchecks "Use TLS 1.2" or "Use TLS 1.1" in their web browser, the WJA server will still allow a TLS 1.0 connection. I want to disable it, so you can only connect to the server using a TLS 1.2 connection.

 

Note: This is from PC clients to the WJA server, NOT from Printers to the WJA server. We have already forced TLS 1.2 on all our EWS interfaces on our printers.

 

https://serverIP:8443/ -> This URL I want to force a TLS 1.2 connection, and not allow a TLS 1.0 or TLS 1.1 connection.

 

Thanks

HP Recommended

I got part of the way there, but I am not sure how to finish it up, as there appears to be a dependency on making sure the HP Smart Client (MS ClickOnce technology) communicates in a TLS 1.2 fashion.

 

Original Setup: Windows 2008 Server R2, SQL Server 2008 SP3, .NET Framework 4.5.2, HP WJA 10.4 SR1, with FeaturePack 4

 

Steps taken so far.

 

1.) Make sure KB3080079 is installed. If you don't install this patch you won't be able to RDP into the server once TLS 1.0 is disabled. Installing this patch allows RDP to communicate via TLS 1.1 and TLS 1.2.

Source: https://support.microsoft.com/en-us/kb/3080079

 

2.) Update SQL Server 2008. In my instance I needed to upgrade to SP4 and then install a TLS 1.2 patch.

SQL Server 2008 SP4: https://www.microsoft.com/en-us/download/details.aspx?id=44278

TLS 1.2 Patch: https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server (Note: this URL is for all SQL versions that need to support TLS 1.2.)

 

3.) Everything is upgraded at this point and working fine, so I disabled TLS 1.0 via the IIS registry key. (Left TLS 1.1 and 1.2 as is)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\ and changed the "Enabled" value to "0".  Thus disabling the service. Then I restarted the server.

Source: (Scroll down to the "For later versions of Windows" about 3/4 of the way down) https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-alg...

 

4.) So TLS 1.0 is now disabled in IIS, and the website https://serverIP:8443 properly has it disabled. It gives you a TLS connection error if using TLS 1.0 and properly starts to load on TLS 1.1 or TLS 1.2. Here is the problem now. The website loads and starts to launch the Smart client (MS ClickOnce technology) and it fails. It appears the ClickOnce smart client software still uses a TLS 1.0 connection, but the browser is properly using a TLS 1.1/TLS 1.2 connection.

 

5.) So even though .NET Framework 4.5.2 is installed, I noticed there were some issues that were addressed with TLS connections with Click Once. I downloaded this Patch KB3146716 as it resolves "ClickOnce has been updated to support TLS 1.1 and 1.2. ClickOnce will automatically detect which TLS protocol is required at runtime. There are no extra steps required in ClickOnce to enable this functionality."

Source: https://support.microsoft.com/en-us/help/3146716/hotfix-rollup-3146716-for-the-.net-framework-4.6-an...

 

6.) After it is installed and rebooted, still no luck: the smart client will not connect. So I then upgraded .NET Framework to 4.6.2 (the most current version at the moment) and rebooted. Same issue. I also upgraded my client (running Windows 7) to .NET Framework 4.6.2 to make sure it was not a client-side issue, and it still produces the same error message, so I changed the registry value back to enable TLS 1.0 and everything works again. Disabled it again and it breaks, enabled it and it works.

 

Current Setup at the Moment: Windows 2008 Server R2, SQL Server 2008 SP4 W/TLS 1.2 Patch, .NET Framework 4.6.2, HP WJA 10.4 SR1, with FeaturePack 4

 

So here is where I am stuck. My server browser appears to be good and only accepts TLS 1.2 connections when I disable the registry key, and the SQL Server 2008 appears to be good now. However, the problem appears to be with how HP WJA is using the MS ClickOnce software, as it appears it is still forcing a connection via TLS 1.0, since I can turn off TLS 1.0 and it breaks at the ClickOnce items, and then I turn it back on and it works properly. My guess is maybe something has to be updated in the actual HP WJA smart client code, but that is just a guess. I could be completely wrong. If anyone has any advice or comments I would love to hear them.

 

Thanks

HP Recommended

Hi, I am also facing the same issue. I did the same steps as you mentioned.

But I am seeing this issue only on a few machines, whereas on other machines my smart client ClickOnce application is working fine.

 

Is your problem resolved? If yes, could you please suggest what steps you have taken apart from the ones which you mentioned in this post.

HP Recommended

Yes we did manage to get it working.

 

So it was working fine; however, immediately after making it work we had an enterprise mandate to update our server from 2008. So we built a new Server 2012 R2 and installed the latest HP WJA version with the SQL 2012 that WJA comes with out of the box. We patched it to SP3 and then the latest cumulative update. Note I believe the latest SQL 2012 is SP4 as of writing this. We did a backup from the old / restore to the new and were good to go as far as getting WJA to function properly.

 

At first we could not get TLS 1.0/TLS 1.1 disabled properly. It took a lot of troubleshooting, but it was related to a group policy that was pulling down for the new machine to enable FIPS. In Group Policy it is Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options -> System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing. This was enabled on ours, so after troubleshooting we found out we needed to disable the setting for the server to properly block TLS 1.0/TLS 1.1 and only respond to TLS 1.2. We also disabled some other algorithms manually in the registry as well at the request of our security team. This is the article related to FIPS enabling, just for reference (Note we had to disable the Group Policy setting in order to disable TLS 1.0/TLS 1.1 properly, thus negating the value of the article, but here it is for reference: https://support.hp.com/my-en/document/c04918389 )

 

After the server was properly secured and no longer listening on TLS 1.0/TLS 1.1, we got an error when the clients attempted to connect to it: "Error contacting the HP Web Jetadmin Web Service". This error only happened from the clients; when you launched it on the server it was just fine. So after multiple rounds of troubleshooting we figured out a fix for it. It took a lot of digging, but it appears to be related to the .NET Framework used for the ClickOnce technologies. Basically we had to add a registry key to each PC to force strong encryption. The key is: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Once we added that to the client PCs, no issues connecting to WJA, and the server has been secured to only use TLS 1.2 for connections. The IE 11 browser is still a 32-bit version, so that is why it is in the Wow6432Node key. If you are using a 64-bit IE browser the key would change slightly to the correct location. Note the clients are all Windows 7 64-bit with IE 11 for connection.

 

As a side note: in WJA we force SNMPv3 for security for communications between WJA and the printers which matches nicely now that the FutureSmart 4/4.5 has the SNMPv1/2 write values disabled by default on new arrivals.  We just turn off the SNMPv1/2 and go with SNMPv3 only for communications.

 

That is all we have done and it works fine and is secure. A few months later we upgraded to HP WJA 10.4 SR3 and the upgrade worked fine. All of the settings were the same and WJA works fine still.
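The two registry changes this thread converges on (the Schannel TLS 1.0/1.1 "Enabled" values from step 3 of the first reply, and the .NET SchUseStrongCrypto value from the reply above) can be audited and applied in one place, and the result checked with a per-version TLS handshake. This is an added example, not code from the thread or from HP; the registry paths are the ones quoted in the posts, the DisabledByDefault value is a standard Schannel setting the posts do not mention, and the WJA host name and port are placeholders you replace with your own.

```powershell
# Audit (default) or apply (-Apply) the Schannel and .NET settings described above.
# Assumed: run elevated on the WJA server or a client PC; reboot after Schannel changes.
param([switch]$Apply, [string]$WjaHost = 'wja.example.internal', [int]$WjaPort = 8443)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Server-side desired state from the thread: TLS 1.0 and 1.1 off, TLS 1.2 on.
$wanted = [ordered]@{ 'TLS 1.0' = 0; 'TLS 1.1' = 0; 'TLS 1.2' = 1 }
# .NET 4.x keys in both registry views; SchUseStrongCrypto=1 lets ClickOnce offer TLS 1.2.
$dotnetKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

function Get-RegDword([string]$Path, [string]$Name) {
    if (Test-Path $Path) { (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name }
}
function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}
# Opens one TLS handshake pinned to a single protocol version; $true = server accepted it.
function Test-TlsVersion([string]$Server, [int]$Port, [Security.Authentication.SslProtocols]$Proto) {
    $tcp = New-Object Net.Sockets.TcpClient($Server, $Port)
    try {
        $cb  = [Net.Security.RemoteCertificateValidationCallback]{ $true }  # probe only, no cert check
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Server, $null, $Proto, $false)
        return $true
    } catch { return $false } finally { $tcp.Close() }
}

foreach ($proto in $wanted.Keys) {
    $key  = "$schannel\$proto\Server"
    $have = Get-RegDword $key 'Enabled'
    '{0,-8} Server\Enabled = {1} (want {2})' -f $proto, ($(if ($null -eq $have) { 'unset' } else { $have })), $wanted[$proto]
    if ($Apply) {
        Set-RegDword $key 'Enabled' $wanted[$proto]
        Set-RegDword $key 'DisabledByDefault' (1 - $wanted[$proto])  # 1 for disabled versions, 0 for TLS 1.2
    }
}
foreach ($key in $dotnetKeys) {
    $have = Get-RegDword $key 'SchUseStrongCrypto'
    '{0} SchUseStrongCrypto = {1}' -f $key, ($(if ($null -eq $have) { 'unset' } else { $have }))
    if ($Apply) { Set-RegDword $key 'SchUseStrongCrypto' 1 }
}
# Verify from a client after the server reboot: only Tls12 should report True.
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    '{0}:{1} accepts {2}: {3}' -f $WjaHost, $WjaPort, $p, (Test-TlsVersion $WjaHost $WjaPort $p)
}
```

Run it without -Apply first to see what the host currently has; the FIPS group policy the reply above describes can override these values, so a handshake probe that still reports True for Tls or Tls11 after a reboot points at policy rather than the registry.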
