How to Disable TLS 1.0 and TLS 1.1 in Windows Using GPO? (Ranjan.info)

In this article, we will show how to disable legacy versions of the Transport Layer Security protocol in Windows using Group Policy. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996) and should be disabled for all services. Once you have migrated all your services to TLS 1.2 or TLS 1.3, you can disable support for the legacy protocols on your Windows clients and servers with a GPO.

On a Windows client, you can see the list of enabled SSL/TLS protocol versions in the browser's Internet Options (inetcpl.cpl), on the Advanced tab. The screenshot shows TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3 all enabled. When a connection is established, the highest TLS version supported by both the client and the server is negotiated.

If you disable support for older TLS versions, users will no longer be able to connect to services that still require them. Therefore, we recommend testing the new settings in advance on pilot groups of computers and servers.

You can set the list of SSL/TLS protocols enabled on the client with the Turn off encryption support policy, found under Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Explorer Control Panel -> Advanced Page.

Enable the policy and choose which SSL/TLS versions your users will be allowed to use from the Secure Protocol combinations drop-down list.

GPO Secure Protocol Combination

This policy sets the SecureProtocols DWORD value, the same bitmask the Internet Options check boxes write under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings key (per-user settings live under the same path in HKEY_CURRENT_USER). When configured by GPO, the value is written under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings instead.

Restart the computer (or run gpupdate /force) for the new GPO settings to apply, then open Internet Options again and confirm that only the TLS versions you allowed in the GPO are available. Users will not be able to change these settings (the dialog shows the "Some settings are managed by your system administrator" message).

Disable Legacy SSL and TLS Versions in Windows

Unfortunately, this policy cannot be used to leave only TLS 1.2 and TLS 1.3 enabled, as the drop-down list offers no such combination. It also affects only WinINet clients such as Internet Explorer; it does not change Schannel, so TLS 1.0 and TLS 1.1 stay enabled on the Windows Server side (e.g. in IIS or Exchange).

Therefore, it is better to disable legacy TLS versions directly through the Schannel registry keys. You can use a GPO to deploy the required registry values to domain computers.

To disable TLS 1.0 on Windows for both the client and the server side, add the following values to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

Other protocols are disabled in the same way: replace TLS 1.0 in the key path with SSL 2.0, SSL 3.0 or TLS 1.1. Enabled=0 turns the version off entirely; DisabledByDefault=1 keeps it out of the default protocol set for applications that do not request a version explicitly.

To explicitly enable TLS 1.2 (rather than relying on the OS default), add the registry entries below:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

These values can be deployed with Group Policy Preferences; in the GPO they appear under Computer Configuration -> Preferences -> Windows Settings -> Registry, as in the screenshot below.

GPO registry preferences: disable TLS 1.0 and 1.1, enable TLS 1.2

Restart Windows for the settings to apply.
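The same Schannel changes as a PowerShell script, added here as an example (it is not code from the original article). It writes the Client and Server keys shown in the .reg fragments above for every legacy version, explicitly enables TLS 1.2, and then reports the resulting state so you can verify the registry before rebooting. The function names are ours; the registry paths and value semantics are those documented for Schannel. Run it in an elevated PowerShell session.

```powershell
# Added example: configure Schannel protocol versions the way the .reg fragments above do,
# then audit the result. Requires an elevated session; a reboot is still needed afterwards.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$AllProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if ($PSCmdlet.ShouldProcess($key, "Enabled=$([int]$Enabled)")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # Enabled=0 switches the version off; DisabledByDefault=1 keeps it out of the
            # default set for callers that do not request a version explicitly.
            New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
                -Value ([int]$Enabled) -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
                -Value ([int](-not $Enabled)) -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # One row per protocol/side; 'OS default' means no value is set and Windows decides.
    foreach ($p in $AllProtocols) {
        foreach ($side in 'Client', 'Server') {
            $v = Get-ItemProperty -Path (Join-Path $SchannelRoot "$p\$side") -ErrorAction SilentlyContinue
            $enabled  = 'OS default'
            $disabled = 'OS default'
            if ($null -ne $v.Enabled)           { $enabled  = [bool]$v.Enabled }
            if ($null -ne $v.DisabledByDefault) { $disabled = [bool]$v.DisabledByDefault }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabled
            }
        }
    }
}

# Legacy versions off, TLS 1.2 explicitly on. Add -WhatIf to preview without writing.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

Get-SchannelProtocolState | Format-Table -AutoSize
```

Keys for a version the operating system does not implement are simply ignored (TLS 1.3 keys only matter on Windows Server 2022 / Windows 11 and later), so the audit output shows what is configured, not necessarily what the OS can negotiate. The values only take effect after a restart.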

Besides the Schannel protocol settings, you must make sure TLS 1.2 is actually used by .NET Framework 3.5 and 4.x applications and by WinHTTP, which select protocol versions on their own. Outlook, for example, relies on the WinHTTP encryption settings.

To make .NET Framework 2.0 and 3.5 applications (both run on the v2.0.50727 CLR) follow the system's Schannel defaults and use strong cryptography:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

For .NET Framework 4.x (SystemDefaultTlsVersions is supported by .NET Framework 4.6 and later; SchUseStrongCrypto may be set under the same v4.0.30319 keys as well):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

To make WinHTTP use TLS 1.2 only (0x800 is the TLS 1.2 bit; 0xA00 would allow TLS 1.1 and 1.2). On Windows 7, Windows Server 2008 R2 and Windows Server 2012 this value is honoured only after update KB3140245 is installed; Windows 8.1 / Server 2012 R2 and later use TLS 1.2 in WinHTTP by default:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800
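An added PowerShell example (not code from the original article) that applies the .NET Framework and WinHTTP values from the fragments above and then decodes the protocol bitmask. Internet Explorer's SecureProtocols value (the policy described earlier) and WinHTTP's DefaultSecureProtocols use the same bit layout, so one decoder covers both and shows what a value such as 0x800 actually allows. The bit values are Microsoft's documented ones; the function names are ours. Unlike the fragment above, it also writes SchUseStrongCrypto for the 4.x keys, which Microsoft documents for the same location.

```powershell
# Added example: apply the .NET/WinHTTP registry values and decode the shared protocol bitmask.
# Requires an elevated session.

# Bit values documented for SecureProtocols (IE) and DefaultSecureProtocols (WinHTTP).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000
}

function Set-Dword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function ConvertTo-ProtocolMask {
    # 'TLS 1.1','TLS 1.2' -> 0xA00
    param([string[]]$Protocols)
    $mask = 0
    foreach ($p in $Protocols) { $mask = $mask -bor $ProtocolBits[$p] }
    return $mask
}

function ConvertFrom-ProtocolMask {
    # 0xA80 -> 'TLS 1.0','TLS 1.1','TLS 1.2'
    param([int]$Mask)
    $ProtocolBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

$Roots = 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft'

# .NET Framework 2.0/3.5 (v2.0.50727) and 4.x (v4.0.30319): follow the OS Schannel
# defaults and use strong crypto, for both 64-bit and 32-bit (Wow6432Node) applications.
foreach ($root in $Roots) {
    foreach ($clr in 'v2.0.50727', 'v4.0.30319') {
        $key = "$root\.NETFramework\$clr"
        Set-Dword -Path $key -Name 'SystemDefaultTlsVersions' -Value 1
        Set-Dword -Path $key -Name 'SchUseStrongCrypto'       -Value 1
    }
}

# WinHTTP: TLS 1.2 only (0x800). Pass 'TLS 1.2','TLS 1.3' once every peer supports 1.3.
$winHttpMask = ConvertTo-ProtocolMask -Protocols 'TLS 1.2'
foreach ($root in $Roots) {
    Set-Dword -Path "$root\Windows\CurrentVersion\Internet Settings\WinHttp" `
        -Name 'DefaultSecureProtocols' -Value $winHttpMask
}

# Show what is configured: the policy value written by the IE GPO, then the WinHTTP value.
$Checks = @(
    @{ Name = 'IE SecureProtocols (policy)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Value = 'SecureProtocols' },
    @{ Name = 'WinHTTP DefaultSecureProtocols'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
       Value = 'DefaultSecureProtocols' }
)
foreach ($c in $Checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if ($null -eq $v) { '{0}: not set' -f $c.Name }
    else { '{0}: 0x{1:X} = {2}' -f $c.Name, $v, ((ConvertFrom-ProtocolMask -Mask $v) -join ', ') }
}
```

Because the two settings share the bitmask, a quick sanity check after a GPO rollout is that the decoded IE policy value and the WinHTTP value list the same versions; a client whose browser is limited to TLS 1.2 while WinHTTP still allows TLS 1.0 has only been half-hardened.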

On Windows Server, you can also use the IIS Crypto GUI tool (https://www.nartac.com/Products/IISCrypto/Download) to view and configure Schannel settings.

IIS Crypto - Enable TLS 1.2
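To check the result of all of the above on a pilot group, it helps to see which protocol versions a server still negotiates rather than trusting the registry alone. The probe below is an added example (not code from the original article): it opens a TCP connection and forces a single SSL/TLS version per attempt with SslStream, so "refused" means that version is rejected by the server or is no longer usable on the probing client. The function name and the target host are placeholders of ours.

```powershell
# Added example: probe which SSL/TLS versions a server negotiates, one forced version per attempt.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        # .NET SslProtocols names; Ssl3/Tls/Tls11 should all be refused after hardening.
        [string[]]$Versions = @('Ssl3', 'Tls', 'Tls11', 'Tls12', 'Tls13')
    )
    foreach ($name in $Versions) {
        # Older .NET Framework builds have no Tls13 member; report that instead of aborting.
        $proto = $null
        try { $proto = [System.Security.Authentication.SslProtocols]$name }
        catch {
            [pscustomobject]@{ Host = $ComputerName; Version = $name; Result = 'not supported by this .NET build' }
            continue
        }

        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($ComputerName, $Port)
            # Certificate validation is skipped on purpose: the question here is only
            # which versions are negotiable, not whether the certificate is trusted.
            $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            $result = 'accepted ({0}, {1}-bit cipher)' -f $ssl.SslProtocol, $ssl.CipherStrength
            $ssl.Dispose()
        } catch {
            $result = 'refused: ' + $_.Exception.GetBaseException().Message
        } finally {
            $client.Dispose()
        }
        [pscustomobject]@{ Host = $ComputerName; Version = $name; Result = $result }
    }
}

# Placeholder target; replace with a pilot server from your environment.
Test-TlsVersion -ComputerName 'mail.example.com' -Port 443 | Format-Table -AutoSize
```

Run the probe from a machine that has not yet received the GPO to measure the server alone, and from a hardened client to confirm that the client side refuses the legacy versions too; the second run is the one that tells you whether a user on that client will still reach the service.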
