In this article, we will see how to enable the Transport Layer Security 1.2 (TLS 1.2) protocol on various Windows versions, including the special cases of .NET and WinHTTP applications. TLS 1.0 and TLS 1.1 are deprecated protocol versions. If you have migrated all your services to TLS 1.2 or TLS 1.3, you can disable support for the legacy TLS versions on your Windows servers and clients (see How to disable TLS 1.0 and TLS 1.1 using GPOs). However, before doing this, make sure that all your clients support TLS 1.2.
In modern Windows versions (Windows 11/10/8.1 or Windows Server 2022/2019/2016/2012R2), TLS 1.2 is enabled by default. In previous Windows versions (Windows 7, Windows Server 2008R2/2012), you must configure some settings before TLS 1.2 can be enabled.
Windows XP and Vista do not support TLS 1.2.
For example, to enable TLS 1.2 in Windows 7 and Windows Server 2008 R2:
- Make sure Windows 7 Service Pack 1 is installed;
- Download and manually install the MSU update KB3140245 from the Microsoft Update Catalog (https://www.catalog.update.microsoft.com/search.aspx?q=kb3140245);
- Then download and install MicrosoftEasyFix51044.msi (this patch adds a registry option that enables TLS 1.2 support on Windows 7/2008 R2/2012);
- Restart your computer.
These registry options are described in the Microsoft article Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows (https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392).
The following REG_DWORD values will appear on your computer under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client and HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server:
- DisabledByDefault = 0
- Enabled = 1
To use TLS 1.2 by default for WinHTTP API apps, add the REG_DWORD value DefaultSecureProtocols = 0x00000A00 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp (on Windows x64, also under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp, which is the key read by 32-bit applications).
Here are the possible values of the DefaultSecureProtocols option, which defines the protocols allowed for WinHTTP connections:
- 0x000000A0 – the default value, allowing only SSL 3.0 and TLS 1.0 for WinHTTP
- 0x00000AA0 – allows TLS 1.1 and TLS 1.2 in addition to SSL 3.0 and TLS 1.0
- 0x00000A00 – allows only TLS 1.1 and TLS 1.2
- 0x00000800 – allows only TLS 1.2
Starting with Windows 10 and Windows Server 2016, all versions of Windows support TLS 1.2 for WinHTTP.
You can use the following PowerShell script to create these registry parameters:
$reg32bWinHttp = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$reg64bWinHttp = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$regWinHttpDefault = "DefaultSecureProtocols"
$regWinHttpValue = 0x00000800   # TLS 1.2 only; use 0x00000A00 to allow TLS 1.1 as well (see the table above)
$regTLS12Client = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
$regTLS12Server = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
$regTLSDefault = "DisabledByDefault"
$regTLSValue = 0
$regTLSEnabled = "Enabled"
$regTLSEnableValue = 1
# Native WinHTTP key (all Windows editions); -Force overwrites the value if it already exists
New-Item -Path $reg32bWinHttp -Force | Out-Null
New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force
# Wow6432Node key: present only on Windows x64, where it is read by 32-bit applications
if (Test-Path "HKLM:\SOFTWARE\Wow6432Node") {
    New-Item -Path $reg64bWinHttp -Force | Out-Null
    New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force
}
# Create the Schannel TLS 1.2 keys (-Force does not fail if a key already exists)
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Force | Out-Null
New-Item -Path $regTLS12Client -Force | Out-Null
New-Item -Path $regTLS12Server -Force | Out-Null
# Enable TLS 1.2 on both the client and the server side of Schannel
New-ItemProperty -Path $regTLS12Client -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force
New-ItemProperty -Path $regTLS12Client -Name $regTLSEnabled -Value $regTLSEnableValue -PropertyType DWORD -Force
New-ItemProperty -Path $regTLS12Server -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force
New-ItemProperty -Path $regTLS12Server -Name $regTLSEnabled -Value $regTLSEnableValue -PropertyType DWORD -Force
Restart your computer using the command:
Restart-Computer
Then you need to enable TLS 1.2 support for .NET Framework apps. To do this, set the SystemDefaultTlsVersions (and SchUseStrongCrypto) registry values for .NET 3.5 and 4.x, so that .NET applications use the operating system's TLS settings. If you are using older .NET Framework versions such as 4.5.1 or 4.5.2 on Windows Server 2012 R2/2012 or Windows 8.1, first install the latest updates for .NET Framework 4.5.1 (they add TLS 1.2 support to .NET).
Find below the registry values to be configured for the different .NET versions (in .reg file format):
For .NET 3.5 or 2.0:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
For .NET 4.x:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
For .NET 4.6:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
The problem is that, by default, Windows PowerShell tries to use TLS 1.0 when connecting to the PowerShell Gallery (PSGallery), while since April 2020 the PowerShell Gallery accepts only TLS 1.2 connections.
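As an added example (not code from the original article), the following PowerShell snippet enables TLS 1.2 for the current PowerShell session only, which is enough for PowerShellGet cmdlets such as Find-Module and Install-Module to reach the Gallery without touching the registry. The function names are my own; the .NET calls ([Net.ServicePointManager]::SecurityProtocol and [Net.SecurityProtocolType]) are the standard .NET Framework API used by Windows PowerShell.

```powershell
# Added example: session-level TLS 1.2 enablement for Windows PowerShell (not from the original article).

function Get-SessionTlsProtocols {
    # The protocols the .NET networking stack of this process will offer to servers.
    # A value of 0 (SystemDefault, .NET 4.7+) means "let Schannel decide", i.e. the
    # SCHANNEL registry values described above apply to this process too.
    return [Net.ServicePointManager]::SecurityProtocol
}

function Enable-SessionTls12 {
    param([switch]$Tls12Only)   # offer TLS 1.2 alone instead of adding it to the current set
    $current = [Net.ServicePointManager]::SecurityProtocol
    $tls12 = [Net.SecurityProtocolType]::Tls12
    if ($Tls12Only) {
        [Net.ServicePointManager]::SecurityProtocol = $tls12
    } elseif (([int]$current -band [int]$tls12) -eq 0) {
        # Keep what the session already offers (e.g. TLS 1.3 on newer .NET builds) and add TLS 1.2.
        # When $current is SystemDefault (0) the result is TLS 1.2 alone, set explicitly.
        [Net.ServicePointManager]::SecurityProtocol = $current -bor $tls12
    }
    return [Net.ServicePointManager]::SecurityProtocol
}

function Test-PSGalleryTls {
    # Needs network access; returns $true when a plain HTTPS request to the Gallery succeeds.
    # A failure mentioning "Could not create SSL/TLS secure channel" is the typical symptom
    # of a session that still offers only TLS 1.0.
    try {
        $null = Invoke-WebRequest -Uri 'https://www.powershellgallery.com/' -UseBasicParsing -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "PSGallery connection failed: $($_.Exception.Message)"
        return $false
    }
}

"Before: $(Get-SessionTlsProtocols)"
Enable-SessionTls12 | Out-Null
"After:  $(Get-SessionTlsProtocols)"
```

The assignment to SecurityProtocol lives only in the current process; a new console or a scheduled task starts again with the defaults, so for a permanent fix use the SystemDefaultTlsVersions registry values above and keep the session setting for one-off scripts. Call Test-PSGalleryTls after Enable-SessionTls12 to confirm the Gallery is reachable before running Install-Module.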
There is also the free IISCrypto tool with a GUI (https://www.nartac.com/Products/IISCrypto/), in which you can choose the TLS versions you want to enable. If all the checkboxes next to the Schannel protocols are inactive (greyed out), Windows is using its default settings. In my example, I enabled TLS 1.2 for the server and client using the PowerShell script shown above, and IISCrypto now shows that TLS 1.2 was manually enabled.
IISCrypto does not allow changing TLS settings for .NET or WinHTTP.
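As an added example (not part of the original article or of IISCrypto), the following read-only PowerShell script audits all three groups of settings discussed above on one machine: the Schannel TLS 1.2 Client/Server keys (reporting "not configured" where IISCrypto would show greyed-out checkboxes), the WinHTTP DefaultSecureProtocols bitmask (decoded into protocol names), and the .NET SystemDefaultTlsVersions/SchUseStrongCrypto values. The function names are my own. The per-protocol bit values used for decoding are an assumption taken from Microsoft's WinHTTP documentation; the combined values listed in the article (0xA0, 0xAA0, 0xA00, 0x800) are sums of them.

```powershell
# Added example: read-only TLS 1.2 configuration audit (not from the original article).

# Single-protocol bits of DefaultSecureProtocols (assumed from Microsoft's WinHTTP documentation;
# the article's 0xA0 = SSL 3.0 + TLS 1.0, 0xA00 = TLS 1.1 + TLS 1.2 and 0x800 = TLS 1.2 follow from these)
$WinHttpProtocolBits = [ordered]@{
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value is missing, so callers can tell
    # "not configured, OS default applies" apart from an explicit 0
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function ConvertFrom-WinHttpProtocolMask {
    param([int]$Mask)
    $names = foreach ($p in $WinHttpProtocolBits.GetEnumerator()) {
        if ($Mask -band $p.Value) { $p.Key }
    }
    if (-not $names) { return '(none)' }
    return ($names -join ', ')
}

function Get-SchannelTls12State {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path -Path $base -ChildPath $side
        $enabled  = Get-RegValueOrNull -Path $path -Name 'Enabled'
        $disabled = Get-RegValueOrNull -Path $path -Name 'DisabledByDefault'
        if ($null -eq $enabled -and $null -eq $disabled) {
            $state = 'not configured: OS default (greyed out in IISCrypto)'
        } elseif ($enabled -eq 0) {
            $state = 'disabled (Enabled=0 overrides DisabledByDefault)'
        } elseif ($disabled -eq 1) {
            $state = 'available but not used by default (DisabledByDefault=1)'
        } else {
            $state = 'enabled'
        }
        [pscustomobject]@{ Component = "Schannel TLS 1.2 $side"; State = $state; Path = $path }
    }
}

function Get-WinHttpProtocolState {
    $paths = [ordered]@{
        'WinHTTP (native)'        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
        'WinHTTP (32-bit on x64)' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    }
    foreach ($name in $paths.Keys) {
        $mask = Get-RegValueOrNull -Path $paths[$name] -Name 'DefaultSecureProtocols'
        if ($null -eq $mask) {
            # Absent value: SSL 3.0 + TLS 1.0 (0xA0) on Windows 7/2008 R2/2012; Windows 10/2016 and
            # later include TLS 1.2 without this value, so "not configured" is not a problem there
            $state = 'not configured: OS default applies'
        } else {
            $state = ('0x{0:X8} = {1}' -f $mask, (ConvertFrom-WinHttpProtocolMask -Mask $mask))
        }
        [pscustomobject]@{ Component = $name; State = $state; Path = $paths[$name] }
    }
}

function Get-DotNetTlsState {
    $hives = 'HKLM:\SOFTWARE\Microsoft\.NETFramework', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    foreach ($hive in $hives) {
        foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
            $path = Join-Path -Path $hive -ChildPath $ver
            foreach ($valueName in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
                $v = Get-RegValueOrNull -Path $path -Name $valueName
                if ($null -eq $v) { $state = 'not configured' } else { $state = "set ($v)" }
                [pscustomobject]@{ Component = ".NET $ver $valueName"; State = $state; Path = $path }
            }
        }
    }
}

function Get-TlsConfigurationReport {
    @(Get-SchannelTls12State) + @(Get-WinHttpProtocolState) + @(Get-DotNetTlsState)
}

Get-TlsConfigurationReport | Format-Table -AutoSize -Wrap
```

On 32-bit Windows the Wow6432Node paths do not exist and are reported as "not configured", which is expected. The script only reads the registry, so it can be run on every host before the legacy protocols are disabled to find machines whose applications would still depend on them.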