How to Disable TLS 1.0 and TLS 1.1 on Windows Servers

The TLS protocol provides confidentiality and integrity for traffic between two communicating applications. SSL and TLS are both cryptographic protocols, but the SSL versions have known protocol-level weaknesses that TLS fixed, so SSL 2.0 (RFC 6176) and SSL 3.0 (RFC 7568) were formally deprecated. TLS 1.0 was released in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008, and TLS 1.3 in 2018; TLS 1.0 and TLS 1.1 were themselves deprecated by RFC 8996 in 2021, which is why they should no longer be offered by servers.

If you’d like to learn more about these protocols, their differences, and the security changes between versions, see the protocol RFCs (Request for Comments): TLS 1.0 (RFC 2246), TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246), and TLS 1.3 (RFC 8446).

There are two common ways to disable TLS 1.0 and TLS 1.1 on Windows Servers. Both end up writing the same values under the Schannel Protocols registry key; they differ only in how the values are delivered (centrally via Group Policy, or locally with a tool). Let’s explore both of these options.

Option 1 – Create a GPO in Active Directory to Disable TLS 1.0 and TLS 1.1

We will create a Group Policy Object in Active Directory to disable TLS 1.0 and TLS 1.1. To achieve this, you’ll need to create the specified registry keys and entries for controlling TLS protocols. Below are the steps to disable TLS 1.0 and TLS 1.1 on Windows servers.

Steps to Create a GPO for Disabling TLS 1.0 and TLS 1.1

Please follow the steps below to create a Group Policy Object in Active Directory and disable TLS 1.0 and TLS 1.1 protocols.

  1. Log in to a domain controller as a domain administrator.
  2. Press Windows + R to open the Run dialog box.
  3. Type gpmc.msc and press Enter to open the Group Policy Management Console.
  4. Expand the “Group Policy Objects” folder, right-click on it, and select “New“.
  5. Provide a name for the GPO. For example: Disable TLS 1.0 and TLS 1.1 Windows Servers.
  6. Right-click on the Group Policy named ‘Disable TLS 1.0 and TLS 1.1 Windows Servers’ and select Edit.
  7. Navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  8. Right-click on Registry > Choose New > Select Registry Item.
  9. Once you’ve clicked on “Registry Item”, a window will appear where you can enter details about the registry item you want to create. You’ll need to provide the following information about the registry item.

In the next step, we will create registry keys and entries to disable TLS 1.0 and TLS 1.1. It is recommended to also disable SSL 2.0 and SSL 3.0. Windows Server 2012 and later have TLS 1.2 enabled by default, but it does no harm to set it explicitly, and you must do so on older builds before removing TLS 1.0, otherwise the server is left with no usable protocol. The TLS 1.3 keys are only honoured on Windows Server 2022 and later; on earlier versions Schannel has no TLS 1.3 implementation and ignores them. Also check applications built on the .NET Framework 4.x: on older servers they default to TLS 1.0 unless the SystemDefaultTlsVersions and SchUseStrongCrypto values under HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 (and the Wow6432Node equivalent) are set to 1, so disabling TLS 1.0 can break them instead of moving them to TLS 1.2.

  • Action: Choose “Update” from the drop-down menu. “Update” creates the key and value on the target devices if they do not exist and overwrites the value if it does (unlike “Create”, which leaves an existing value untouched).
  • Hive: Select HKEY_LOCAL_MACHINE
  • Key Path: You can either browse to the registry path or provide the path directly. Each protocol has separate Server and Client subkeys under SCHANNEL\Protocols: Server governs connections the machine accepts, Client governs connections it initiates (for example to SQL Server, LDAPS, or web APIs). These subkeys do not exist by default, so they will be created by the policy.
  • Value Name: We will be creating two registry entries per protocol: DisabledByDefault and Enabled.
  • Value type: Select REG_DWORD.
  • Value data: For Enabled, 0 turns the protocol off regardless of what an application requests and 1 turns it on. For DisabledByDefault, 1 means Schannel will not offer the protocol unless an application explicitly asks for it, and 0 means it is offered by default. To disable a protocol completely set Enabled=0 and DisabledByDefault=1; to force it on set Enabled=1 and DisabledByDefault=0.
  10. Repeat the process to create registry keys for each protocol. Here are the registry keys you can create for each protocol.

Registry Keys to disable TLS 1.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001

Registry Keys to disable TLS 1.1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000001

Registry Keys to disable SSL 2.0 [Recommended]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001

Registry Keys to disable SSL 3.0 [Recommended]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001

Registry Keys to Enable TLS 1.2 [Recommended]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000

Registry Keys to Enable TLS 1.3 [Optional]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "DisabledByDefault"=dword:00000000
  11. After you’ve created all the registry items in the “Disable TLS 1.0 and TLS 1.1 Windows Servers” GPO, link the GPO to the Organizational Unit (OU) that contains the servers. Link it to a pilot OU first: disabling the Client entries also stops outbound connections from those servers to anything that only speaks TLS 1.0 or 1.1 (older SQL Server instances, appliances, legacy web services), so verify dependent applications before the policy reaches production.
  12. This GPO contains settings under Computer Configuration, so it applies to the computer objects in the linked OU. The registry items are written at the next policy refresh (run gpupdate /force to trigger it), but Schannel reads these values at startup, so a restart is required before the change takes effect.
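For a standalone server, or to check what the policy actually wrote, the same Schannel values can be set and read back from PowerShell. The script below is an added example and is not part of the original post or of any Microsoft tooling; the function and variable names are my own, and it assumes the protocol subkey names used by Schannel (“SSL 2.0”, “TLS 1.0”, and so on) exactly as they appear in the registry paths above. Run it in an elevated PowerShell session and reboot afterwards.

```powershell
# Added example (not from the original post): write the Schannel protocol values the
# GPO or IIS Crypto would deploy, directly on one server, then read back the state.
# Function names and the $SchannelProtocols variable are assumptions of this example.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable,
        [ValidateSet('Server', 'Client')][string[]]$Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = Join-Path $SchannelProtocols "$Protocol\$s"
        if ($PSCmdlet.ShouldProcess($key, "set Enabled=$([int]$Enable)")) {
            # The Protocols\<version>\<side> subkeys do not exist by default; create them.
            New-Item -Path $key -Force | Out-Null
            # Enabled=0 switches the protocol off regardless of what an application asks for.
            New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
                -Value ([int]$Enable) -Force | Out-Null
            # DisabledByDefault=1 removes it from the default list used by applications that
            # do not name a version. Both values are set so the outcome is caller-independent.
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
                -Value ([int](-not $Enable)) -Force | Out-Null
        }
    }
}

function Enable-DotNetStrongCrypto {
    # .NET Framework 4.x applications on older builds default to TLS 1.0 unless told to
    # follow the OS defaults; without this they break when TLS 1.0 is removed.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol/side. 'default' means no value is set, so the OS build's
    # built-in default applies (which differs between Windows Server versions).
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($s in 'Server', 'Client') {
            $v  = Get-ItemProperty -Path (Join-Path $SchannelProtocols "$p\$s") -ErrorAction SilentlyContinue
            $en = if ($null -ne $v.Enabled)           { $v.Enabled }           else { 'default' }
            $dd = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { 'default' }
            [pscustomobject]@{ Protocol = $p; Side = $s; Enabled = $en; DisabledByDefault = $dd }
        }
    }
}

# Deprecated protocols off, TLS 1.2 explicitly on. TLS 1.3 is left untouched here because
# the key only has an effect on Windows Server 2022 and later.
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $p -Enable $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true
Enable-DotNetStrongCrypto

Get-SchannelProtocolState | Format-Table -AutoSize
```

Because the functions support -WhatIf, running `Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false -WhatIf` shows which keys would be written without touching the registry. Get-SchannelProtocolState is also a quick way to confirm, after a gpupdate and reboot, that the Group Policy preference items from Option 1 landed on a given server.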

Option 2 – Disable TLS 1.0 and TLS 1.1 using the IIS Crypto Tool

If your Windows servers are not domain-joined, or you prefer not to create a Group Policy Object in Active Directory to disable deprecated SSL and TLS protocols, an alternative is to download IIS Crypto (a free tool from Nartac Software) and run it on the Windows server. Despite its name it does not require IIS: it edits the same Schannel registry keys listed above, so the end result is identical to Option 1. With this tool, you can manually select the checkboxes to disable or enable SSL/TLS protocols.

Follow the steps below to disable TLS 1.0 and TLS 1.1 using the IIS Crypto Tool:

  1. Log in to the Windows server with administrator credentials.
  2. Download the IIS Crypto GUI tool.
  3. Launch the IIS Crypto tool as an administrator.
  4. Uncheck SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 under Server Protocols. (The tool’s “Best Practices” button applies a recommended baseline; confirm that it unticks TLS 1.0 and TLS 1.1 in the version you are running and leaves TLS 1.2 ticked.)
  5. Uncheck SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 under Client Protocols, but only after confirming that nothing on this server needs to connect out to an endpoint that only speaks TLS 1.0 or 1.1.
  6. Click Apply, then reboot the server.
  7. Repeat steps 1 to 6 on each server where you want to disable deprecated SSL and TLS protocols. Keep in mind that IIS Crypto performs a one-time write; a later GPO or script can change the values again, whereas the GPO in Option 1 re-applies them at every policy refresh.
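Whichever option you used, the change should be checked from the outside rather than trusted from the registry alone. The probe below is an added example and is not part of the original post or of IIS Crypto; the function name and the placeholder host name are assumptions. It asks the target to negotiate each protocol version in turn and reports which ones it still accepts. Run it from a machine whose own client protocols have not been hardened yet (or use a Linux host with `openssl s_client -connect host:443 -tls1`, where the build allows it), because Windows PowerShell uses Schannel too: on a client where TLS 1.0 is already disabled, a “refused” row could be the client declining rather than the server.

```powershell
# Added example (not from the original post): ask a server for each SSL/TLS version
# and report which it accepts. Test-TlsVersions and the host name are assumptions.

function Test-TlsVersions {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 443,
        # SslProtocols enum member names; Ssl2 is omitted because no modern stack offers it.
        [string[]]$Versions = @('Ssl3', 'Tls', 'Tls11', 'Tls12', 'Tls13')
    )
    foreach ($name in $Versions) {
        # Tls13 only exists in .NET Framework 4.8+ / .NET Core; skip names this runtime lacks.
        try {
            $proto = [Enum]::Parse([System.Security.Authentication.SslProtocols], $name)
        } catch {
            [pscustomobject]@{ Requested = $name; Result = 'not supported by this client runtime'; Negotiated = $null }
            continue
        }

        # A TCP failure is reported separately so it is not mistaken for a TLS refusal.
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
        } catch {
            [pscustomobject]@{ Requested = $name; Result = "tcp connect failed: $($_.Exception.Message)"; Negotiated = $null }
            continue
        }

        $ssl = $null
        try {
            # Certificate validation is disabled on purpose: the question is whether the
            # version is accepted, not whether the certificate chains. Do not reuse this
            # callback in anything other than a probe.
            $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
            # Offer exactly one version; a hardened server must fail the handshake for old ones.
            $ssl.AuthenticateAsClient($TargetHost, $null, $proto, $false)
            $result = 'ACCEPTED'
            $negotiated = $ssl.SslProtocol
        } catch {
            $result = 'refused'
            $negotiated = $null
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Dispose()
        }
        [pscustomobject]@{ Requested = $name; Result = $result; Negotiated = $negotiated }
    }
}

# Usage (placeholder host): after the reboot, only Tls12 (and Tls13 on Server 2022+)
# should read ACCEPTED; every other row should be refused.
Test-TlsVersions -TargetHost 'server.example.internal' -Port 443 | Format-Table -AutoSize
```

The same check can be done from any machine with nmap (`nmap --script ssl-enum-ciphers -p 443 server.example.internal`), which additionally lists the cipher suites offered per protocol version and is a useful second opinion when the probing client’s own protocol settings are in doubt.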

Conclusion

In this blog post, we explored how to disable TLS 1.0 and TLS 1.1 on Windows servers. It is highly recommended to disable SSL 2.0 and SSL 3.0 as well. Windows Server 2012 and later enable TLS 1.2 by default, and Windows Server 2022 and later also enable TLS 1.3, but you can still control these protocols explicitly using the registry keys provided above.

If you have only a couple of servers or prefer not to create an Active Directory group policy, or if your Windows servers are standalone and not domain-joined, you can utilize the IIS Crypto tool to disable deprecated SSL and TLS protocols.
