Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows 10 / How to Disable TLS 1.0 and TLS 1.1 in Windows Using GPO?

November 10, 2022 Group PoliciesWindows 10Windows 11Windows Server 2016Windows Server 2019

How to Disable TLS 1.0 and TLS 1.1 in Windows Using GPO?

In this article, we will show how to disable legacy versions of the Transport Layer Security protocol in Windows using Group Policies. TLS 1.0 and 1.1 versions are no longer secure and should be disabled by default for all services. If you have migrated all your services to TLS 1.2 or TLS 1.3, you can disable support for the legacy protocol on your Windows clients and servers using GPO.

You can get a list of supported SSL/TLS protocols on a server using SSL Labs online services (see an example in the article Site Can’t Provide a Secure Connection).

check supported TLS versions on the server side

On Windows client, you can view a list of enabled TLS protocol versions for a browser in the Internet Options (inetcpl.cpl). This screenshot shows that TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are enabled. When establishing a connection to a server, the highest TLS version supported by both a client and a server is selected for encryption.

Disable TLS vetsions in Internet Explorer Properties

If you disable support of old TLS versions, users won’t able to connect to legacy services. Therefore, we recommend testing new settings in advance on pilot groups of computers and servers.

You can set a list of TLS/SSL protocols enabled in the Internet Options tab on a client using the Turn Off Encryption Support GPO option under Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Explorer Control Panel -> Advanced Page.

Enable the policy and select which TLS/SSL versions your users will be allowed to use in the Secure Protocol combinations dropdown list.

GPO Secure Protocol combinations

This GPO setting matches the SecureProtocols registry parameter in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings key.

You will have to restart your computer to apply new GPO settings, Open Internet Options again and make sure that only those TLS versions are available that you have allowed in GPO. The user won’t be able to change these settings (note Some settings are managed by your system administrator message).

disable legacy SSL and TLS versions in Windows

Unfortunately, you cannot leave only TLS 1.3 and TLS 1.2 enabled here, since there is no such option in GPO. Also, it doesn’t disable TLS 1.0 and TLS 1.1 support on the side of your Windows Server (in IIS or Exchange, for example).

So, it is better to disable legacy TLS versions directly through the registry. You can use the GPO to deploy registry parameters you need to domain computers.

In order to disable TLS 1.0 on Windows both for a client and a server, add the following options to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

You can disable other protocols In the same way. It is enough to replace the highlighted path in the registry with SSL 2.0, SSL 3.0, TLS 1.1, etc.

To force enable TLS 1.2, add the registry entries below:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Thus. you will see the following in the Computer Configuration -> Preferences -> Windows Settings -> Registry section of GPO.

disable tls 1.0 and 1.2 via gpo

Restart Windows to apply settings.

Besides changing the settings of available TLS versions in the registry, you need to allow using TLS 1.2 for NET 3.5 and 4.x apps, and for WinHTTP. For example, Outlook is using encryption settings for WinHTTP (learn more in this article).

To enable system encryption protocols for .Net 3.5 and 2.0:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

For .Net 4.x:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

To enable using TLS 1.2 for WinHTTP:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

On Windows Server, you can also use the ISS Crypto GUI tool (https://www.nartac.com/Products/IISCrypto/Download) to view and configure SCHANNEL settings.

ISS Crypto - enable TLS 1.2

 

0 comment
2
Facebook Twitter Google + Pinterest
previous post
Error: There are Currently No Logon Servers Available
next post
Outlook Attachment Preview Error: This File Cannot Be Previewed

Related Reading

How to Run Program without Admin Privileges and...

March 24, 2023

Configure Network Settings on Windows with PowerShell: IP...

March 24, 2023

Attaching Host USB Devices to WSL or Hyper-V...

March 20, 2023

Print Screen Key Not Working in Windows

March 17, 2023

Fix: Remote Desktop Services Is Currently Busy

March 15, 2023

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • How to Run Program without Admin Privileges and Bypass UAC Prompt?

    March 24, 2023
  • Configure Network Settings on Windows with PowerShell: IP Address, DNS, Default Gateway, Static Routes

    March 24, 2023
  • Exchange Offline Address Book Not Updating in Outlook

    March 21, 2023
  • Attaching Host USB Devices to WSL or Hyper-V VM

    March 20, 2023
  • Sending an E-mail to a Microsoft Teams Channel

    March 17, 2023
  • How to Restore Deleted Users in Azure AD (Microsoft 365)?

    March 16, 2023
  • Fix: Remote Desktop Services Is Currently Busy

    March 15, 2023
  • Send-MailMessage: Sending E-mails with PowerShell

    March 14, 2023
  • Clear Cache and Temp Files in User Profiles on Windows (RDS) with PowerShell and GPO

    March 13, 2023
  • Prevent Users from Creating New Groups in Microsoft 365 (Teams/Outlook)

    March 6, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Updating List of Trusted Root Certificates in Windows
  • Configure Google Chrome Settings with Group Policy
  • How to Delete Old User Profiles in Windows?
  • How to Find the Source of Account Lockouts in Active Directory?
  • How to Hide or Show User Accounts from Login Screen on Windows 10/11?
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
  • How to Disable or Enable USB Drives in Windows using Group Policy?
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top