Disable TLS 1.0 and TLS 1.1 on Windows 10

Transport Layer Security (TLS) is a cryptographic protocol that provides privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but because the SSL protocols do not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008 and TLS 1.3 in 2018.

Most companies and Internet browsers are now moving to TLS 1.2, which has better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so it is better to plan ahead of time, test all the applications and create policies to disable TLS 1.0 and TLS 1.1 on Windows machines.

If you are interested in learning more about these protocols, the differences between them and their security improvements, you can check the protocols' RFCs (Request for Comments) at these links: TLS 1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC. Use the methods below if you want to disable TLS 1.0 and TLS 1.1 on Windows 10 PCs:

How to disable TLS 1.0 and TLS 1.1 on Windows 10

There are different ways to disable TLS 1.0 and TLS 1.1 on a Windows 10 device. You can either disable the TLS 1.0 and TLS 1.1 protocols manually by signing on to each device one by one, or use a Group Policy Object in Active Directory. Below are the different ways you can use to disable TLS 1.0 and TLS 1.1:

  1. By creating registry keys manually on the Windows 10 device.
  2. By creating a Group Policy Object (GPO) in Active Directory.
  3. By executing PowerShell commands on Windows 10 to disable TLS 1.0 and TLS 1.1.

1. Create registry keys on Windows 10 to disable TLS 1.0 and TLS 1.1

You can follow the steps below to disable TLS 1.0 and TLS 1.1 manually on a Windows 10 device using Registry Editor. Please note that changing the registry of a device requires administrator rights.

Create registry keys to disable TLS 1.0

  1. Log in to a Windows 10 device.
  2. Go to Start and search for Registry Editor.
  3. Open Registry Editor.
  4. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  5. Right-click on the Protocols key and click on New -> Key.
  6. Name the key TLS 1.0 and create two subkeys under TLS 1.0 called Client and Server.
  7. Create the registry entries below under both the Client and Server subkeys.
  8. Create a DisabledByDefault DWORD registry entry and set its value to 1.
  9. Create an Enabled DWORD registry entry and set its value to 0.
Create registry keys to disable TLS 1.0

Create registry keys to disable TLS 1.1

  1. Log in to a Windows 10 device.
  2. Go to Start and search for Registry Editor.
  3. Open Registry Editor.
  4. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  5. Right-click on the Protocols key and click on New -> Key.
  6. Name the key TLS 1.1 and create two subkeys under TLS 1.1 called Client and Server.
  7. Create the registry entries below under both the Client and Server subkeys.
  8. Create a DisabledByDefault DWORD registry entry and set its value to 1.
  9. Create an Enabled DWORD registry entry and set its value to 0.
Create registry keys to disable TLS 1.1

2. Create a GPO in Active Directory to disable TLS 1.0 and TLS 1.1

If you manage Windows 10 devices using Active Directory, then instead of manually signing on to each PC and creating the registry entries to disable TLS 1.0 and TLS 1.1, you can create a Group Policy Object and link it to the Organizational Unit (OU) containing the Windows 10 devices.

Please follow the steps below to create a Group Policy Object (GPO) in Active Directory to disable TLS 1.0 and TLS 1.1.

  1. Log in to a domain controller as a domain administrator.
  2. Open the Group Policy Management Console (go to Start -> Run, type gpmc.msc and press Enter).
  3. Expand the Group Policy Objects folder. Right-click on it and select New.
Create a Group Policy to Disable TLS 1.0 and TLS 1.1 Windows 10
  4. Provide a name for the GPO. For example: Disable TLS 1.0 and TLS 1.1 Windows 10
Provide a Name of GPO Disable TLS 1.0 and TLS 1.1 Windows 10
  5. Right-click on the Group Policy “Disable TLS 1.0 and TLS 1.1 Windows 10” and click on Edit.
  6. Go to Computer Configuration -> Preferences -> Windows Settings -> Registry.
  7. Right-click on Registry -> click on New -> click on Registry Item.
Registry Items to Disable TLS 1.0 and TLS 1.1
  8. In the next step, we will create the registry keys and registry entries to disable TLS 1.0 and TLS 1.1. It is recommended to disable SSL 2.0 and SSL 3.0 as well. Most newer Windows operating systems have TLS 1.2 enabled by default; however, you can also explicitly enable it using the registry keys.

Registry Keys to disable TLS 1.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001

Registry Keys to disable TLS 1.1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000001

Registry Keys to disable SSL 2.0 and SSL 3.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001

Registry Keys to enable TLS 1.2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000

Registry Keys to Enable TLS 1.3 [Optional]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "DisabledByDefault"=dword:00000000

After you click on Registry Item, a window appears where you can enter information about the registry item you want to create. You need to provide the following information about the registry item:

  • Action: Select Update from the drop-down. Selecting Update creates the registry keys and registry entries if they are not found on the end users' devices.
  • Hive: Select HKEY_LOCAL_MACHINE.
  • Key Path: You can either browse to the registry path or type the registry key to create / update.
  • Value Name: We will be creating two registry entries for each protocol: DisabledByDefault and Enabled.
  • Value type: Select REG_DWORD.
  • Value data: Enter 1 or 0. For the Enabled entry, 1 enables the protocol and 0 disables it; for DisabledByDefault it is the reverse, as shown in the key list above.
Registry Item to disable TLS Protocols

Go through this process for each registry item. The screenshot below shows that we have disabled the TLS 1.0 and TLS 1.1 protocols but also enabled TLS 1.2 and TLS 1.3.

Registry Items to Disable TLS 1.0 and TLS 1.1 and Enable TLS 1.2 and TLS 1.3
  9. Once you have created all the registry items in the Group Policy Management Console for the Disable TLS 1.0 and TLS 1.1 Windows 10 GPO, you can link the GPO to the Organizational Unit (OU) containing the devices.
  10. Please note that, because this Group Policy Object contains settings under Computer Configuration, it targets the devices; a restart of the computer is required so that the registry entries get created.
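If you would rather script the GPO than click through the Preferences editor, the same value table can be written with the RSAT GroupPolicy module. The script below is an added example and is not from the original post. It assumes the GroupPolicy module is installed, that you run it as a domain administrator, and that the OU distinguished name is replaced with your own (the one shown is a placeholder). One difference from the steps above: Set-GPRegistryValue writes the values as registry policy under Computer Configuration -> Policies (registry.pol) rather than as a Preferences Registry Item; there is no built-in cmdlet for Preferences items, but the client ends up with the same SCHANNEL keys.

```powershell
# Added example (not from the original post): build the "Disable TLS 1.0 and
# TLS 1.1 Windows 10" GPO with the RSAT GroupPolicy module.
Import-Module GroupPolicy

$gpoName  = 'Disable TLS 1.0 and TLS 1.1 Windows 10'
$targetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder: replace with your computers OU
$base     = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Same table as the post: disable SSL 2.0/3.0 and TLS 1.0/1.1, enable TLS 1.2 explicitly.
$protocols = @{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

foreach ($proto in $protocols.Keys) {
    foreach ($side in 'Client', 'Server') {
        $key    = "$base\$proto\$side"
        $enable = $protocols[$proto]
        # Enabled = 1 turns the protocol on; DisabledByDefault is the inverse flag.
        Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'Enabled' `
            -Type DWord -Value ([int]$enable) | Out-Null
        Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DisabledByDefault' `
            -Type DWord -Value ([int](-not $enable)) | Out-Null
    }
}

# Link the GPO to the OU holding the Windows 10 computer objects.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Review one of the keys that was written; clients still need a reboot, as the post notes.
Get-GPRegistryValue -Name $gpoName -Key "$base\TLS 1.1\Client" |
    Format-Table ValueName, Value, Type -AutoSize
```

Because the values are written as policy rather than as Preferences items, removing the GPO later does not remove the keys from the clients (the registry client-side extension does not clean up values outside the Policies subtree), so keep that in mind if you ever need to roll the change back.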

3. Powershell commands to disable TLS 1.0 and TLS 1.1

Instead of creating the registry keys and registry entries manually on a Windows 10 device, you can also use PowerShell commands to create them. This saves a lot of time, especially if you want to disable TLS 1.0 and TLS 1.1 on a large number of devices. To learn more about the PowerShell commands, you can follow the blog post: How To Disable TLS 1.0 And TLS 1.1 Using Powershell On Windows 10.
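The script below does with PowerShell what section 1 describes doing by hand in Registry Editor, and is the kind of command this section refers to. It is an added example, not code from the original post or from the linked article; the function names Set-SchannelProtocol and Get-SchannelProtocolState are my own. It must be run from an elevated prompt, and SCHANNEL only reads the keys at boot, so the machine needs a restart afterwards.

```powershell
# Added example (not from the original post): create the SCHANNEL protocol keys
# from section 1 with PowerShell, then read them back for verification.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$side"
        # New-Item -Force also creates the missing parent key (e.g. "TLS 1.0").
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # The same two DWORD entries the post creates by hand.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol/side so the state is easy to audit or export.
    foreach ($protoKey in Get-ChildItem $base) {
        $proto = $protoKey.PSChildName
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$side"
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                [pscustomobject]@{
                    Protocol          = $proto
                    Side              = $side
                    Enabled           = $p.Enabled
                    DisabledByDefault = $p.DisabledByDefault
                }
            }
        }
    }
}

# Disable the legacy protocols and keep TLS 1.2 explicitly on, matching the GPO section.
foreach ($legacy in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $legacy -Enable $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

Get-SchannelProtocolState | Format-Table -AutoSize
# Expected rows: SSL 2.0/3.0 and TLS 1.0/1.1 with Enabled=0, DisabledByDefault=1;
# TLS 1.2 with Enabled=1, DisabledByDefault=0.
```

Get-SchannelProtocolState on its own is also a handy audit step after the GPO from section 2 has applied: run it on a rebooted client and compare the rows with the table above.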

Disable TLS 1.0 and TLS 1.1 for Internet Explorer

There are two ways to disable TLS 1.0 and TLS 1.1 for Internet Explorer on a Windows device.

  1. Using Registry Editor / Group Policy Preferences (GPP)
  2. Using the GPO setting Turn off encryption support

1. Using Registry Editor to disable TLS 1.0 and TLS 1.1

You can use the registry setting SecureProtocols at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.

SecureProtocols is a REG_DWORD value that you set to one of the decimal values shown below to enable or disable the protocols. To enable only TLS 1.2, use the highlighted decimal value 2048.

Once you have tested this registry setting successfully on one machine, you can use Group Policy Preferences (GPP) to apply it to all the Windows machines.

Registry Editor to disable TLS 1.0 and TLS 1.1
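SecureProtocols is a bitmask: each protocol has its own bit, and the decimal value is the sum of the bits for the protocols you want allowed, which is why "only TLS 1.2" is 2048. The script below is an added example (not from the original post) that computes the value from the protocols you want to allow, writes it, and decodes whatever is currently set. The per-protocol bit values in the enum are the WinINet flags as I know them (SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048, TLS 1.3 = 8192); the post itself only states the 2048 value, so treat the rest as my assumption and check it against the screenshot above. The function names are mine.

```powershell
# Added example (not from the original post): compute, apply and decode the
# Internet Explorer / WinINet SecureProtocols bitmask.

# Assumption: documented WinINet protocol flags (only 2048 appears in the post).
[Flags()] enum SecureProtocols {
    SSL2  = 8
    SSL3  = 32
    TLS10 = 128
    TLS11 = 512
    TLS12 = 2048
    TLS13 = 8192
}

function Get-SecureProtocolsValue {
    # OR together the bits of every protocol that should stay allowed.
    param([Parameter(Mandatory)][SecureProtocols[]]$Allow)
    $value = 0
    foreach ($p in $Allow) { $value = $value -bor [int]$p }
    return $value
}

function Set-SecureProtocols {
    # Writes the value per user (HKCU) by default, or machine-wide with -MachineWide.
    param([Parameter(Mandatory)][int]$Value, [switch]$MachineWide)
    $path = if ($MachineWide) {
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    } else {
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    }
    New-ItemProperty -Path $path -Name 'SecureProtocols' -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Get-SecureProtocolsDecoded {
    # Turns a stored number back into protocol names, e.g. 2688 -> "TLS10, TLS11, TLS12".
    param([Parameter(Mandatory)][int]$Value)
    return [SecureProtocols]$Value
}

# "Only use TLS 1.2", as the post recommends: bit 2048 alone.
$only12 = Get-SecureProtocolsValue -Allow TLS12      # 2048
Set-SecureProtocols -Value $only12

# Read back what is now set for the current user and show it as protocol names.
$current = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').SecureProtocols
Get-SecureProtocolsDecoded -Value $current            # TLS12
```

The decoder is the useful part when auditing existing machines: a value such as 2688 (TLS 1.0 + 1.1 + 1.2) shows at a glance that the older versions are still allowed, whereas the raw number does not.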

2. GPO setting to disable TLS 1.0 and TLS 1.1 on Windows 10

GPO Setting Location: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page

Turn Off Encryption Support: Enabled
Secure Protocol Combinations: Only use TLS 1.2

GPO setting to disable TLS 1.0 and TLS 1.1 on Windows 10

Link the GPO to the Computers OU and keep Authenticated Users in the Security Filtering so that it applies to each Windows 10 PC. You may need to reboot the machine for the policy to take effect. After the reboot, verify in Internet Explorer that TLS 1.0, TLS 1.1 and SSL 3.0 have been disabled and only TLS 1.2 is used for communication.

If you want to confirm this further, use Wireshark to capture the network packets and confirm that TLS 1.2 is the only protocol used.

This is how the policy looks after it has been applied on the machine:
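A Wireshark capture shows what actually went over the wire; a complementary check from the client itself is to ask SCHANNEL for one specific TLS version at a time and see whether the handshake is still allowed. The function below is an added example (not from the original post): it opens a TLS connection to a server you operate with a single pinned protocol version, and when that version is disabled on the Client side of SCHANNEL the call fails locally and the row shows the error text. The host name is a placeholder, the function name Test-TlsVersion is mine, and the Protocol parameter takes the .NET SslProtocols names Tls (TLS 1.0), Tls11 and Tls12.

```powershell
# Added example (not from the original post): probe which TLS versions this
# client can still negotiate after TLS 1.0 and 1.1 have been disabled.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,   # a server you operate
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = $null
    $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # This probe only asks "can this version negotiate?", so certificate
        # validation is accepted unconditionally here and nothing is sent over it.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        # Pin exactly one protocol version for this handshake.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $ssl.SslProtocol; Result = 'OK' }
    } catch {
        # A disabled version fails before any TLS record leaves the machine.
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $null; Result = "FAILED: $msg" }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

$server = 'tls-test.example.com'   # placeholder: a server you own that still offers TLS 1.0-1.2
foreach ($version in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -HostName $server -Protocol $version
}
# After the change: the Tls and Tls11 rows show FAILED, the Tls12 row shows Negotiated = Tls12.
```

Run it before and after the reboot to see the difference; the "before" run against a server that still offers all three versions will show OK for each, which also confirms that the test server is a fair baseline.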

Verification of TLS1.0 and TLS1.1 disable in internet explorer

Conclusion

In this blog post, we have seen how to disable TLS 1.0 and TLS 1.1 on Windows 10 devices and in the Internet Explorer browser. Disabling SSL and TLS protocols using Intune is also possible by creating a Device Configuration Profile. You can also disable TLS 1.0 and TLS 1.1 on a Windows device using PowerShell commands.