Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Windows 10 / How to Disable TLS 1.0 and TLS 1.1 in Windows Using GPO

June 8, 2023

How to Disable TLS 1.0 and TLS 1.1 in Windows Using GPO

In this article, we will show how to disable legacy versions of the Transport Layer Security protocol in Windows using Group Policies. TLS 1.0 and 1.1 versions are no longer secure and should be disabled by default for all services. If you have migrated all your services to TLS 1.2 or TLS 1.3, you can disable support for the legacy protocol on your Windows clients and servers using GPO.

You can get a list of supported SSL/TLS protocols on a server using SSL Labs online services (see an example in the article Site Can’t Provide a Secure Connection).

check supported TLS versions on the server side

On Windows client, you can view a list of enabled TLS protocol versions for a browser in the Internet Options (inetcpl.cpl). This screenshot shows that TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are enabled. When establishing a connection to a server, the highest TLS version supported by both a client and a server is selected for encryption.

Disable TLS vetsions in Internet Explorer Properties

If you disable support of old TLS versions, users won’t able to connect to legacy services. Therefore, we recommend testing new settings in advance on pilot groups of computers and servers.

You can set a list of TLS/SSL protocols enabled in the Internet Options tab on a client using the Turn Off Encryption Support GPO option under Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Explorer Control Panel -> Advanced Page.

Enable the policy and select which TLS/SSL versions your users will be allowed to use in the Secure Protocol combinations dropdown list.

GPO Secure Protocol combinations

This GPO setting matches the SecureProtocols registry parameter in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings key.

You will have to restart your computer to apply new GPO settings, Open Internet Options again and make sure that only those TLS versions are available that you have allowed in GPO. The user won’t be able to change these settings (note Some settings are managed by your system administrator message).

disable legacy SSL and TLS versions in Windows

Unfortunately, you cannot leave only TLS 1.3 and TLS 1.2 enabled here, since there is no such option in GPO. Also, it doesn’t disable TLS 1.0 and TLS 1.1 support on the side of your Windows Server (in IIS or Exchange, for example).

So, it is better to disable legacy TLS versions directly through the registry. You can use the GPO to deploy registry parameters you need to domain computers.

In order to disable TLS 1.0 on Windows both for a client and a server, add the following options to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

You can disable other protocols In the same way. It is enough to replace the highlighted path in the registry with SSL 2.0, SSL 3.0, TLS 1.1, etc.

To force enable TLS 1.2, add the registry entries below:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Thus. you will see the following in the Computer Configuration -> Preferences -> Windows Settings -> Registry section of GPO.

disable tls 1.0 and 1.2 via gpo

Restart Windows to apply settings.

Besides changing the settings of available TLS versions in the registry, you need to allow using TLS 1.2 for NET 3.5 and 4.x apps, and for WinHTTP. For example, Outlook is using encryption settings for WinHTTP (learn more in this article).

To enable system encryption protocols for .Net 3.5 and 2.0:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

For .Net 4.x:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

To enable using TLS 1.2 for WinHTTP:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

On Windows Server, you can also use the ISS Crypto GUI tool (https://www.nartac.com/Products/IISCrypto/Download) to view and configure SCHANNEL settings.

ISS Crypto - enable TLS 1.2

 

0 comment
3
Facebook Twitter Google + Pinterest
Group PoliciesWindows 10Windows 11Windows Server 2016Windows Server 2019
previous post
Error: There are Currently No Logon Servers Available
next post
How to Enable Maintenance Mode on Exchange Server

Related Reading

How to Repair EFI/GPT Bootloader on Windows 10...

March 16, 2024

How to Restore Deleted EFI System Partition in...

March 11, 2024

How to Allow Multiple RDP Sessions on Windows...

March 15, 2024

How to Run Program without Admin Privileges and...

June 8, 2023

Wi-Fi (Internet) Disconnects After Sleep or Hibernation on...

March 15, 2024

How to Install Remote Server Administration Tools (RSAT)...

March 17, 2024

How to Repair Windows Boot Manager, BCD and...

March 11, 2024

Refresh AD Groups Membership without Reboot/Logoff

March 15, 2024

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Updating List of Trusted Root Certificates in Windows
  • Fix: Remote Desktop Licensing Mode is not Configured
  • Configure Google Chrome Settings with Group Policy
  • How to Delete Old User Profiles in Windows
  • Allow Non-admin Users RDP Access to Windows Server
  • Configuring FSLogix Profile Containers on Windows Server RDS
  • How to Backup and Copy Local Group Policy Settings to Another Computer
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top