Outlook: Your server connection does not support the encryption type. Ranjan.info

In older Windows versions (Windows 7/XP or Windows Server 2008R2/2003) with Outlook 2010/2013/2016/2019, you may see the following error when trying to connect to a mail server:

0x800CCC1A - Your server does not support the connection encryption type you have specified. Try changing encryption method. Contact your mail server administrator or Internet service provider (ISP).

The error occurs when an Outlook client tries to connect to a mail server by using a non-supported encryption protocol.

Often, this problem occurs when your mail server supports only TLS 1.2 and 1.3 protocols. For example, Windows 7 by default supports only the legacy TLS 1.0 and 1.1 protocols, which are no longer used by public mail servers.

The Outlook client uses the WINHTTP transport to send or receive data over TLS. If TLS 1.2 is not supported or is disabled at the winhttp level, Outlook will not be able to connect to the server because of an unsupported encryption type.

To fix this problem, you need to enable TLS 1.2 support in Windows 7. Windows 7 supports TLS 1.2, but it is not enabled by default (unlike the newer OS versions – Windows 8, 10 and 11).

To enable TLS 1.2 on Windows 7:

  1. Make sure Windows 7 SP1 is installed;
  2. Download and manually install the update KB3140245 from the Microsoft Update Catalog (https://www.catalog.update.microsoft.com/search.aspx?q=kb3140245);
  3. Download and install the MicrosoftEasyFix51044.msi patch (https://download.microsoft.com/download/0/6/5/0658B1A7-6D2E-474F-BC2C-D69E5B9E9A68/MicrosoftEasyFix51044.msi).
    This fix is described in the article "Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows". The fix adds TLS 1.1 and TLS 1.2 support options to the registry on Windows Server 2012, Windows 7 SP1 and Windows Server 2008 R2 SP1 (described below).
  4. Restart your computer.

The patch mentioned above adds the following options to the registry:

The DefaultSecureProtocols parameter with the value 0x00000a00 in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp.

In the 64-bit Windows version, you must make this setting under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp.

The 0x0A0 bits of this parameter keep SSL 3.0 and TLS 1.0 enabled for WinHTTP, and the 0xA00 bits enable TLS 1.1 and TLS 1.2. If you want to allow clients to use only TLS 1.1 or TLS 1.2, change the value to 0xA00.

Under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ create new subkeys TLS 1.2 and TLS 1.1.

Create a Client key in each of these registry sections. Then open each Client key and create a DWORD parameter DisabledByDefault with the value 0x00000000.

To create these registry parameters, you can use the following PowerShell script:

$reg32bWinHttp = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$reg64bWinHttp = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$regWinHttpDefault = "DefaultSecureProtocols"
# 0x00000a00 = TLS 1.1 (0x200) + TLS 1.2 (0x800)
$regWinHttpValue = 0x00000a00
$regTLS11 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"
$regTLS12 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
$regTLSDefault = "DisabledByDefault"
$regTLSValue = 0x00000000
# For Windows x86 (and the native 64-bit registry view on Windows x64)
New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force
# For Windows x64: the Wow6432Node key exists only on 64-bit systems
if (Test-Path $reg64bWinHttp) {
    New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force
}
# Create the TLS 1.1 and TLS 1.2 Client keys (with their parent keys) only if they are missing,
# so that existing values under them are left untouched
foreach ($regTLS in $regTLS11, $regTLS12) {
    if (-not (Test-Path $regTLS)) { New-Item -Path $regTLS -Force | Out-Null }
    New-ItemProperty -Path $regTLS -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force
}
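
To confirm the result after the restart, the following read-only check decodes DefaultSecureProtocols into protocol names and reports the SCHANNEL DisabledByDefault values. It is an added example, not part of the original article; the bit values are those Microsoft documents for KB3140245, and the function name ConvertFrom-SecureProtocolMask is a hypothetical name chosen for illustration.

```powershell
# Added example (read-only): nothing is written to the registry.
# Bit values of DefaultSecureProtocols as documented by Microsoft for KB3140245.
$protocolBits = @(
    @{ Name = 'SSL 2.0'; Bit = 0x00000008 },
    @{ Name = 'SSL 3.0'; Bit = 0x00000020 },
    @{ Name = 'TLS 1.0'; Bit = 0x00000080 },
    @{ Name = 'TLS 1.1'; Bit = 0x00000200 },
    @{ Name = 'TLS 1.2'; Bit = 0x00000800 }
)

# Hypothetical helper name: returns the protocol names whose bit is set in $Mask.
function ConvertFrom-SecureProtocolMask {
    param([int]$Mask)
    $protocolBits | Where-Object { $Mask -band $_.Bit } | ForEach-Object { $_.Name }
}

$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($key in $winHttpKeys) {
    $prop = Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Output ("{0}: DefaultSecureProtocols is not set" -f $key)
        continue
    }
    $mask    = [int]$prop.DefaultSecureProtocols
    $enabled = @(ConvertFrom-SecureProtocolMask -Mask $mask)
    Write-Output ("{0}: 0x{1:X8} = {2}" -f $key, $mask, ($enabled -join ', '))
    if ($enabled -notcontains 'TLS 1.2') {
        Write-Warning "TLS 1.2 is not enabled for WinHTTP"
    }
    # SSL 2.0, SSL 3.0 and TLS 1.0 are legacy; flag them if they are still allowed
    $legacy = @($enabled | Where-Object { 'SSL 2.0', 'SSL 3.0', 'TLS 1.0' -contains $_ })
    if ($legacy.Count -gt 0) {
        Write-Warning ("Legacy protocols still enabled: {0}" -f ($legacy -join ', '))
    }
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($version in 'TLS 1.1', 'TLS 1.2') {
    $client = Get-ItemProperty -Path "$schannel\$version\Client" -Name DisabledByDefault -ErrorAction SilentlyContinue
    if ($null -eq $client) {
        Write-Output ("{0} Client: DisabledByDefault is not set" -f $version)
    } else {
        Write-Output ("{0} Client: DisabledByDefault = {1}" -f $version, $client.DisabledByDefault)
    }
}
```

The script avoids syntax newer than PowerShell 2.0, so it runs on a stock Windows 7 SP1 installation.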

Learn more about how to disable legacy TLS versions on Windows.

You can check the TLS protocol versions supported by your mail server using the online service SSL Labs.

In this example, you can see that the mail server only supports TLS 1.2.


In Microsoft 365 (Office 365), the TLS 1.0 and TLS 1.1 protocols are not yet disabled by default.

In the Outlook settings, make sure that STARTTLS (available in all modern Outlook versions) or SSL/TLS is used to connect to the mail server. Make sure the option “This server requires an encrypted connection (SSL/TLS)” is enabled. Check the IMAP/POP/SMTP port numbers.


Also, note that some antiviruses have the SSL/TLS inspection (filtering) option enabled by default. Try disabling this option in your antivirus software settings and check the connection to the mail server in Outlook.
