Enabling TLS 1.2 on a Windows Server

Rackspace strongly recommends enabling the Transport Layer Security (TLS) protocol 1.2 or newer on Windows Server. As of the end of 2020, TLS versions 1.0 and 1.1 are no longer supported. This means that systems that don’t support TLS 1.2 or higher are now incapable of creating secure connections.

This article contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow the steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

Prerequisites

1- For Windows Server 2008 SP2, KB4019276 must be installed.

2- For Windows Server 2008 R2, Windows Server 2008 R2 Service Pack 1 KB976932 must be installed.

3- The .NET framework on your server should be 4.5 or newer.

How to Enable TLS 1.2 manually.

Per the TLS-SSL Settings article, for TLS 1.2 to be enabled and negotiated by Windows, the following registry locations, subkeys, and values must be set as follows:

  • TLS 1.2 Client subkey
    • Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
      • DWORD name: DisabledByDefault
      • DWORD value: 0
      • DWORD name: Enabled
      • DWORD value: 1
  • TLS 1.2 Server subkey
    • Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
      • DWORD name: DisabledByDefault
      • DWORD value: 0
      • DWORD name: Enabled
      • DWORD value: 1

How to Enable TLS 1.2 with PowerShell.

Execute the following commands in PowerShell to enable TLS 1.2:

# Make TLS 1.2 protocol registry keys.
# If a key is already present, md reports that it exists and the script continues.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enable TLS 1.2 for client and server SCHANNEL communications.
# -Force overwrites a value that already exists, so the commands can be re-run safely.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 1 -PropertyType "DWord" -Force

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 0 -PropertyType "DWord" -Force

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -PropertyType "DWord" -Force

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -PropertyType "DWord" -Force

NOTE: A reboot is required for the changes to go into effect.
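
To confirm the registry state before rebooting, the following added example (not part of the original article) reads back the four values listed above and reports any that are missing, of the wrong type, or set differently. The function name Test-Tls12Registry is a hypothetical helper, not a built-in cmdlet.

```powershell
# Added example; Test-Tls12Registry is a hypothetical helper name.
function Test-Tls12Registry {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    # Values the article specifies for both the Client and Server subkeys.
    $expected = @{ Enabled = 1; DisabledByDefault = 0 }

    foreach ($role in 'Client', 'Server') {
        # Returns a Microsoft.Win32.RegistryKey, or nothing if the subkey is absent.
        $key = Get-Item -LiteralPath "$base\$role" -ErrorAction SilentlyContinue

        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $actual = $null
            if (-not $key) {
                $status = 'KeyMissing'
            } elseif ($key.GetValueNames() -notcontains $name) {
                $status = 'ValueMissing'
            } elseif ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                # A string "1" is not the DWORD the article calls for.
                $actual = $key.GetValue($name)
                $status = 'NotDWord'
            } else {
                $actual = $key.GetValue($name)
                $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'Mismatch' }
            }
            # One result row per role/value pair, with a stable column order.
            New-Object PSObject -Property @{
                Role = $role; Name = $name; Expected = $expected[$name]
                Actual = $actual; Status = $status
            } | Select-Object Role, Name, Expected, Actual, Status
        }
    }
}

$results = @(Test-Tls12Registry)
$results | Format-Table -AutoSize

$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) TLS 1.2 SCHANNEL value(s) do not match the settings above."
} else {
    Write-Output 'TLS 1.2 Client and Server values match; reboot if you have not done so.'
}
```

This checks only what is configured in the registry. It does not show which protocol a given connection actually negotiates.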
