Enrolling an Out-of-Date Lync Phone Edition Phone With SHA-2 Signed SSL Certificates

Recently there has been an industry-wide push to phase out SHA-1 signed SSL certificates in favor of SHA-2. This is a good thing from a security perspective, but it presents an interesting problem for Microsoft Lync deployments that use Lync Phone Edition (Aries) phones as common area phones. In order for Lync Phone Edition phones (henceforth, "Lync phones") to connect to Lync servers after transitioning to SHA-2, the firmware must be up to date. Older firmware did not support SHA-2, so the phone would simply fail to log into Lync if you tried. I had trouble finding the exact firmware version where SHA-2 support was added, but I do know that 4.0.7577.4444 and newer work.

Well, this is fine for all the phones already connected to your Lync deployment. You simply use one of the numerous guides on the internet to push out firmware updates before you switch to a SHA-2 certificate. But what if you buy a phone with older firmware after transitioning to SHA-2? The phone has to connect to Lync to get a firmware update, and it can't connect to Lync until it has the firmware update. This is a classic chicken-and-egg problem. Unfortunately, Microsoft, in their infinite wisdom, provides no means to sideload new firmware onto a Lync phone.

Fortunately, there is an easy solution if your phone has a USB connector. Connect the phone via USB to any computer with the Lync desktop application installed. Log into your Lync account when prompted. The Lync desktop application does all the heavy lifting here, so the phone gets all the configuration information it needs without having to connect to the pesky SHA-2 SSL web services on its own. Now you just have to wait for the phone (and the computer too, I suppose) to be idle for a while; I suggest doing this towards the end of the day or before a long lunch break. It will eventually install the firmware update. You can check that it's installed by looking at the System Information section in the phone's menu. Now sign out of the phone. Your phone is ready to be deployed!
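Before cutting over, it helps to confirm two things: what signature algorithm the certificate on your Lync web services actually carries, and whether a given phone's firmware is at or above the 4.0.7577.4444 floor mentioned above. The PowerShell below is an added example written for this post, not Microsoft's or any vendor's tooling; the pool FQDN and the sample firmware version are placeholders.

```powershell
# Added example: pre-flight checks for a SHA-2 cutover with Lync phones.
# Assumes PowerShell 5+ (for [type]::new) and network reach to the pool.

function Get-ServerCertSignatureAlgorithm {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # We only want to READ the leaf certificate, so accept any chain here;
        # this probe is not a substitute for normal certificate validation.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject            = $cert.Subject
            # FriendlyName is e.g. 'sha256RSA' (SHA-2) or 'sha1RSA' (SHA-1)
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            NotAfter           = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

function Test-LyncPhoneFirmware {
    param([Parameter(Mandatory)][string]$FirmwareVersion)
    # Lowest version the post reports working with SHA-2 signed certificates.
    $minimum = [version]'4.0.7577.4444'
    $actual  = [version]$FirmwareVersion
    $ok = $actual -ge $minimum
    $action = if ($ok) { 'Deploy as-is' } else { 'Update via USB-tethered Lync client first' }
    [pscustomobject]@{
        Firmware    = $actual
        Sha2Capable = $ok
        Action      = $action
    }
}

$PoolFqdn = 'lyncweb.example.com'                      # placeholder: your Lync web services FQDN
Get-ServerCertSignatureAlgorithm -HostName $PoolFqdn
Test-LyncPhoneFirmware -FirmwareVersion '4.0.7577.4420'  # constructed sample: below the floor
```

Read the firmware version off the phone's System Information screen and pass it to Test-LyncPhoneFirmware; a SignatureAlgorithm of sha1RSA on the pool means older phones will still enroll directly.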

I have tested this method successfully with PolyCom CX3000 phones, but it should work on any Aries-series phone with USB connectivity. There may be some really old firmware (such as on devices from the MD5-era certificate days) where this won't work; I don't know, as I haven't tested it. And, sadly, if you are trying to enroll a PolyCom CX500 or another device without a USB connection, you are still out of luck. :-(