Disable TLS 1.0 and TLS 1.1 on Windows 10 machines through GPO

Transport Layer Security (TLS) – the TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols, but because the SSL protocols do not provide a sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008 and TLS 1.3 in 2018. Most companies and web browsers are now moving to TLS 1.2, which has stronger security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so it is better to plan ahead of time, test all applications and create policies to disable TLS 1.0 and TLS 1.1 on Windows machines. If you are interested in learning more about these protocols, the differences between them and their security improvements, check the protocol RFCs (Request for Comments) at these links: TLS 1.0 RFC, TLS 1.1 RFC, TLS 1.2 RFC and TLS 1.3 RFC. Use the methods below if you want to disable TLS 1.0 and TLS 1.1 on Windows 10 PCs:

There are two ways to disable TLS 1.0 and TLS 1.1:

I) Using Registry Editor / Group Policy Preferences (GPP)

II) Using GPO Setting turn off encryption support

I) ✨Registry Editor / Group Policy Preferences (GPP)

You can use the registry setting SecureProtocols at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.

SecureProtocols is a REG_DWORD value which you can set to the decimal values below to enable or disable the protocols. To enable only TLS 1.2, use the highlighted decimal value 2048. Once you have tested this registry setting successfully on one machine, you can use Group Policy Preferences (GPP) to apply it to all Windows machines.

II) ✨Use the GPO setting below instead of the registry change to disable TLS 1.0 and TLS 1.1 and use only TLS 1.2

GPO Setting Location: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page

Turn Off Encryption Support – Enable
Secure Protocol Combinations -> Only use TLS 1.2

Link the GPO to the Computers OU and keep Authenticated Users in the Security Filtering so that it applies to each Windows 10 PC. You may need to reboot the machine for the policy to take effect. After the reboot, verify in Internet Explorer that TLS 1.0, TLS 1.1 and SSL 3.0 have been disabled and only TLS 1.2 is used for communication. If you want to go further to confirm this, use Wireshark to capture the network packets and confirm that TLS 1.2 is the only protocol used.
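The PowerShell below is an added example, not code from the original post. It ties method I (the SecureProtocols registry value) to the verification step just described: it composes the bitmask from protocol names, writes it to the HKLM and HKCU Internet Settings keys the way a GPP registry item would, and decodes whatever value is present in each location, including the Policies key, which is assumed here to be where the "Turn off encryption support" GPO of method II stores its value (confirm with gpresult on your build). The bit values other than 2048 are the documented WinINet SecureProtocols flags and are not taken from the post. One caveat worth keeping in mind when you verify: this value governs WinINet clients such as Internet Explorer and applications built on it; it does not change the system-wide Schannel protocol configuration used by other services, which is one more reason to confirm with a packet capture as the post suggests.

```powershell
# Added example, not code from the original post. Assumptions: elevated PowerShell on
# Windows 10; the bit values are the documented WinINet SecureProtocols flags (the post
# itself gives only 2048); the Policies path is assumed to be where the "Turn off
# encryption support" GPO writes SecureProtocols (confirm with gpresult /h on your build).

$ProtocolBits = [ordered]@{
    'SSL 2.0' = 8       # 0x0008
    'SSL 3.0' = 32      # 0x0020
    'TLS 1.0' = 128     # 0x0080
    'TLS 1.1' = 512     # 0x0200
    'TLS 1.2' = 2048    # 0x0800  the value the post recommends on its own
    'TLS 1.3' = 8192    # 0x2000  honoured only on builds whose WinINet supports TLS 1.3
}

$RegPaths = [ordered]@{
    Policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'  # GPO (method II), assumed path
    Machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'           # method I
    User    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'           # method I
}

function Get-SecureProtocolsValue {
    # OR together the flags of the protocols that should stay enabled. 'TLS 1.2' alone -> 2048.
    param([Parameter(Mandatory)][string[]]$Enable)
    $value = 0
    foreach ($name in $Enable) {
        if (-not $ProtocolBits.Contains($name)) { throw "Unknown protocol '$name'" }
        $value = $value -bor $ProtocolBits[$name]
    }
    return $value
}

function ConvertFrom-SecureProtocolsValue {
    # Decode a DWORD read from the registry back into protocol names.
    param([Parameter(Mandatory)][int]$Value)
    return @(foreach ($entry in $ProtocolBits.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    })
}

function Set-SecureProtocols {
    # Method I: write the value directly, as a GPP registry item would on every machine.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Enable = @('TLS 1.2'))
    $value = Get-SecureProtocolsValue -Enable $Enable
    foreach ($path in @($RegPaths.Machine, $RegPaths.User)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess($path, "Set SecureProtocols = $value")) {
            Set-ItemProperty -Path $path -Name SecureProtocols -Value $value -Type DWord
        }
    }
}

function Get-SecureProtocolsReport {
    # Verification: what each location holds after the GPO/GPP has applied and the box has
    # rebooted. A value under Policy is what the GPO enforces; Machine/User is what method I writes.
    foreach ($entry in $RegPaths.GetEnumerator()) {
        $item = Get-ItemProperty -Path $entry.Value -Name SecureProtocols -ErrorAction SilentlyContinue
        $raw  = if ($item) { [int]$item.SecureProtocols } else { $null }
        $enabled = '(not set)'
        if ($null -ne $raw) {
            $names = @(ConvertFrom-SecureProtocolsValue -Value $raw)
            $enabled = if ($names.Count -gt 0) { $names -join ', ' } else { '(none)' }
        }
        [pscustomobject]@{ Location = $entry.Key; Value = $raw; Enabled = $enabled }
    }
}

# Usage:
#   Set-SecureProtocols -Enable 'TLS 1.2' -WhatIf       # dry run: shows the two keys it would write
#   Set-SecureProtocols -Enable 'TLS 1.2'               # writes 2048 to HKLM and HKCU
#   Get-SecureProtocolsReport | Format-Table -AutoSize  # expect only "TLS 1.2" where a value is set
#
# Packet-level check from the post (Wireshark/tshark 3.x): filter ClientHello records with
#   tls.handshake.type == 1
# and inspect tls.handshake.version; 0x0303 means the client offered TLS 1.2.
```

Run the report before and after the reboot the post mentions: the Policy row tells you whether the GPO has actually applied, while the Machine and User rows reflect the GPP/registry method, so a mismatch between them points at precedence rather than at a missing setting.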

How the policy looks after it is in effect on the machine:

Internet Explorer -> Settings -> Advanced Tab
