Transport Layer Security (TLS) – the TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but because the SSL protocols do not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.
Most companies and Internet browsers are now moving to TLS 1.2, which has better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so it's better to plan ahead of time, test all the applications and create policies to disable TLS 1.0 and TLS 1.1 on Windows machines.
If you are interested in learning more about these protocols, the differences between them and the security improvements, you can check the protocol RFCs (Request for Comments) at these links: TLS 1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC.
Similar other blog posts:
- Disable TLS 1.0 And TLS 1.1 On Windows 10 Machines Through GPO
- Disable TLS 1.0 And TLS 1.1 On Nginx Server
- How To Disable TLS 1.0 And TLS 1.1 Using Powershell On Windows 10.
Intune Policy to Disable TLS 1.0 and TLS 1.1
If you are managing Windows 10 and Windows 11 devices using Intune, you can create a device configuration profile to turn off TLS 1.0 and TLS 1.1. You can also use registry keys or, if your organization is using on-prem Active Directory, you can create a Group Policy Object to disable TLS 1.0 and TLS 1.1 on target devices.
In this blog post, we will see how you can disable TLS 1.0 and TLS 1.1 using Microsoft Intune Device configuration profile. Let’s check the steps:
- Login on Microsoft Endpoint Manager Admin Center
- Go to Devices -> Configuration profiles.
- Click on + Create Profile.
- Select Platform as Windows 10 and later.
- Select Profile Type as Settings catalog.
Provide a Name and Description of the Policy.
- Name: Disable TLS 1.0 and TLS 1.1 on Windows devices for Internet Explorer / MSEdgeHTML.
- Description: This Device configuration profile will disable TLS 1.0 and TLS 1.1 on targeted devices.
On the Configuration settings page, click on the + Add settings link and search for turn off encryption support.
- You will find Turn off encryption support setting under the Category: Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.
- Select Turn off encryption support and Secure Protocol combinations.
- Toggle the switch to Enabled for Turn off encryption support and, from the drop-down of Secure Protocol combinations, select Only use TLS 1.2. Click on Next to proceed.
Assign this Device configuration profile to an Azure Active Directory security group which contains users or devices. You can also click on + Add all devices to apply this profile to all Intune managed devices.
Review + Create
Review the Device configuration profile and then click on Create button to create this policy.
End User Experience
Let’s check what happens on the end user machine after this policy is applied. It will take some time for the policy to be applied on the device. To speed up the process when testing, you can manually force an Intune sync on the device; otherwise, wait for the device check-in process to complete.
How to verify that TLS 1.0 and TLS 1.1 have been disabled in Internet Explorer?
- Login on Windows 10 or Windows 11 device.
- Go to Control Panel and search for Internet Options.
- Click on Internet Options and go to Advanced tab.
- Scroll down on the Settings to find TLS options.
- Use SSL 3.0, Use TLS 1.0 and Use TLS 1.1 will be disabled and greyed out
- Use TLS 1.2 will be enabled.
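As an added check that is not part of the original post, the script below reads the SecureProtocols DWORD that the Turn off encryption support policy writes and decodes its bitmask, so you can confirm from a PowerShell prompt (rather than the Internet Options dialog) which protocols the policy still allows. It assumes the Intune Settings catalog setting lands in the same policy registry key as the equivalent Group Policy.

```powershell
# Added example: decode the SecureProtocols policy value written by the
# "Turn off encryption support" setting and report which protocols the
# Internet Explorer / MSHTML (WinINet) stack is allowed to use.
# Assumption: the device-scoped Intune setting writes the HKLM policy key
# below; the user-scoped variant writes the same value under HKCU.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Bit values of the SecureProtocols bitmask. "Only use TLS 1.2" = 2048,
# the pre-change default "Use TLS 1.0, TLS 1.1 and TLS 1.2" = 2688.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 8
    'SSL 3.0' = 32
    'TLS 1.0' = 128
    'TLS 1.1' = 512
    'TLS 1.2' = 2048
    'TLS 1.3' = 8192
}

function Get-SecureProtocolState {
    param([string]$Key = $PolicyKey)

    $value = (Get-ItemProperty -Path $Key -Name 'SecureProtocols' -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $value) {
        # No policy value: the profile has not applied (or was unassigned).
        return [pscustomobject]@{ Enforced = $false; Value = $null; Enabled = @() }
    }
    $enabled = foreach ($p in $ProtocolBits.Keys) {
        if (($value -band $ProtocolBits[$p]) -ne 0) { $p }
    }
    [pscustomobject]@{ Enforced = $true; Value = $value; Enabled = @($enabled) }
}

$state = Get-SecureProtocolState
if (-not $state.Enforced) {
    Write-Warning "No SecureProtocols policy under $PolicyKey - the Intune profile has not applied yet (try a manual sync)."
    return
}

"SecureProtocols = $($state.Value)  (enabled: $($state.Enabled -join ', '))"

$legacy = $state.Enabled | Where-Object { $_ -in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' }
if ($legacy) {
    Write-Warning "Legacy protocols still allowed by policy: $($legacy -join ', ')"
} else {
    'OK: policy allows no SSL / TLS 1.0 / TLS 1.1 (matches the Only use TLS 1.2 profile).'
}
```

Run it in an elevated PowerShell session on a device that has checked in; a value of 2048 corresponds to the Only use TLS 1.2 choice made in the profile.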
How to Enable TLS 1.0 and TLS 1.1 using Intune
If you are facing any issues after disabling TLS 1.0 and TLS 1.1, you can easily roll back the change by unassigning the Disable TLS 1.0 and TLS 1.1 Device configuration profile.
You can also modify the Device configuration profile created earlier and change the setting Turn off encryption support -> Secure Protocol combinations to Use TLS 1.0, TLS 1.1 and TLS 1.2.
We have seen how you can create a Device configuration profile in Intune and target Windows 10 and Windows 11 devices to turn off encryption support for TLS 1.0 and TLS 1.1 using Intune. This profile targets Internet Explorer / MSEdgeHTML browser support for disabling TLS protocols.