Disable TLS 1.0 and TLS 1.1 in Windows 10

The TLS protocol is used to ensure privacy and data integrity when two applications communicate. SSL and TLS are both cryptographic protocols; because SSL does not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been discontinued. TLS 1.0 was released in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008, and TLS 1.3 in 2018.

If you’d like to learn more about these protocols and understand their differences, you can visit the protocol RFCs (Request for Comments) at the following links: TLS 1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC, and TLS 1.3 RFC.

Options to Disable TLS 1.0/1.1 on Windows 10

  1. By creating registry keys manually.
  2. By creating a group policy object (GPO) in Active Directory.
  3. By executing PowerShell commands.

Option 1: Disable TLS 1.0 and TLS 1.1 Using Registry

Create Registry Keys to Disable TLS 1.0

  1. Press Windows key + R to open the Run dialog box.
  2. Type regedit and press Enter to open Registry Editor.
  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  4. Right-click on the Protocols folder and select New > Key.
  5. Name the new folder TLS 1.0 and create two subkeys under it: Client and Server.
  6. Under both the Client and Server subkeys, create the following registry entries:
    • Create a new DWORD registry entry named DisabledByDefault and set its value to 1.
    • Create a new DWORD registry entry named Enabled and set its value to 0.

Create Registry Keys to Disable TLS 1.1

  1. Press Windows key + R to open the Run dialog box.
  2. Type regedit and press Enter to open Registry Editor.
  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  4. Right-click on the Protocols folder and select New > Key.
  5. Name the new folder TLS 1.1 and create two subkeys under it: Client and Server.
  6. Under both the Client and Server subkeys, create the following registry entries:
    • Create a new DWORD registry entry named DisabledByDefault and set its value to 1.
    • Create a new DWORD registry entry named Enabled and set its value to 0.

Option 2: Disable TLS 1.0 and TLS 1.1 Using GPO

  1. Log in to a Domain controller as a Domain administrator.
  2. Press Windows key + R to open the Run dialog box.
  3. Type gpmc.msc and press Enter to open Group Policy Management Console.
  4. In the Group Policy Management Console, expand the Group Policy Objects folder. Right-click on it and choose New.
  5. Provide a name for the GPO. For example: Disable TLS 1.0 and TLS 1.1 Windows 10
  6. Right-click on the Disable TLS 1.0 and TLS 1.1 Windows 10 Group Policy and select Edit.
  7. Navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  8. Right-click on Registry and select New > Registry Item.
  9. Provide the values below to create a registry item:
    • Action: Choose Update from the drop-down menu. Selecting Update will create the registry keys and entries if they are not already found on the target devices.
    • Hive: Select HKEY_LOCAL_MACHINE
    • Key Path: You can either browse to the registry path or provide the path directly.
    • Value Name: We will be creating two registry entries per protocol: DisabledByDefault and Enabled.
    • Value type: Select REG_DWORD.
    • Value data: 1 means the setting is enabled and 0 means the setting is disabled.
  10. Repeat the process to create registry keys for each protocol. Here are the registry keys you can create for each protocol:

Registry Keys to disable TLS 1.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001

Registry Keys to disable TLS 1.1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000001

Registry Keys to disable SSL 2.0 [Recommended]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001

Registry Keys to disable SSL 3.0 [Recommended]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001

Registry Keys to Enable TLS 1.2 [Recommended]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000

Registry Keys to Enable TLS 1.3 [Optional]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "DisabledByDefault"=dword:00000000

After you’ve created all the registry items in the Group Policy Management Console for the Disable TLS 1.0 and TLS 1.1 Windows 10 GPO, link the GPO to the Organizational Unit (OU) that contains the devices.

Keep in mind that this Group Policy Object contains settings under Computer Configuration, which apply to the devices. A computer restart is necessary to ensure that the registry entries are created and take effect.

Option 3: Disable TLS 1.0 and TLS 1.1 Using PowerShell

You can disable TLS 1.0 and TLS 1.1 protocols using PowerShell as well. Refer to the blog post: Disable TLS1.0/1.1 using PowerShell for more details.
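
One way to audit, and optionally apply, the Enabled and DisabledByDefault values listed under Option 2 from PowerShell. This is an added example, not code from this page or from the linked post; the -Apply switch and the report layout are assumptions of the example, and TLS 1.3 is left out because the page marks it optional.

```powershell
# Added example: audit (and with -Apply, set) the Schannel protocol values from this page.
# Reading works in any session; -Apply needs an elevated (administrator) session.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state, taken from the registry key listings above ($true = protocol enabled).
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

$report = foreach ($protocol in $desired.Keys) {
    foreach ($role in 'Client', 'Server') {
        $path = Join-Path $base "$protocol\$role"
        $want = [ordered]@{
            Enabled           = [int]$desired[$protocol]
            DisabledByDefault = [int](-not $desired[$protocol])
        }
        if ($Apply) {
            # Create the key only when it is missing, so existing values are kept.
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            foreach ($name in $want.Keys) {
                New-ItemProperty -Path $path -Name $name -Value $want[$name] `
                    -PropertyType DWord -Force | Out-Null
            }
        }
        # Read back; a missing key or value is reported as empty (OS default applies).
        $have = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $want.Keys) {
            $actual = if ($have) { $have.$name } else { $null }
            [pscustomobject]@{
                Protocol  = $protocol
                Role      = $role
                Value     = $name
                Expected  = $want[$name]
                Actual    = $actual
                Compliant = ($actual -eq $want[$name])
            }
        }
    }
}

$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) { Write-Warning 'Some values differ from the listing above.' }
```

Run it without -Apply first to see which values are missing or different, and restart the computer after applying changes so they take effect.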

2 thoughts on “Disable TLS 1.0 and TLS 1.1 in Windows 10”

  1. Hi,
    thanks a lot for this post!
    Can you please confirm there is no mistake under:
    Registry Keys to disable TLS 1.1
    you have server and client registry for Enable key = 1
