How to enable TLS 1.2 protocol in Windows?

In this article, we'll look at how to enable the Transport Layer Securit (TLS 1.2) protocol on various versions of Windows, including .Net and WinHTTP applications. The TLS 1.0 and TLS 1.1 protocols are deprecated, and if you have migrated all your services to TLS 1.2 or TLS 1.3, you can disable legacy protocol support on Windows clients and servers (Disabling TLS 1.0 and TLS 1.1 Using Group Policies). But before that, you need to make sure that TLS 1.2 is supported on all your clients.

In modern versions of Windows (Windows 11/10/8.1 and Windows Server 2022/2019/2016/2012R2), TLS 1.2 is enabled by default. But in previous versions of Windows (Windows 7, Windows Server 2008R2/2012), in order to enable TLS 1.2, you will have to perform a number of preliminary settings.

Windows XP and Vista do not support TLS 1.2.

• For example, to enable TLS 1.2 on Windows 7, you need to:Make sure you have Windows 7 SP1 installed;
• Download and manually install MSU update KB3140245 from the Microsoft Update Catalog (https://www.catalog.update.microsoft.com/search.aspx?q=kb3140245);

• Next, you need to download and install the MicrosoftEasyFix51044.msi patch (the patch adds parameters to the registry that provide support for TLS 1.2 in Windows 7/2008R2/2012);

Without these updates, Outlook on Windows 7 will fail to connect to a modern mail server with error: 0x800CCC1A - Your server does not support the type of encryption you specified. And when you open some sites, you may receive an error This site cannot provide a secure connection. 

• Restart your computer.

These registry settings are described in Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows (https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1 -and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392).

The following REG_DWORD registry settings will appear on the computer in the

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\

HKLM\...Protocols\TLS 1.2\Servers:

• DisabledByDefault = 0
• Enabled = 1

To make the TLS 1.2 protocol used by default for WinHttp API applications, you need to add the REG_DWORD parameter 

DefaultSecureProtocols = 0x00000A00 

to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp branch (on the 64-bit version of Windows in the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ Windows\CurrentVersion\Internet Settings\WinHttp).

Possible values ​​of the DefaultSecureProtocols parameter, which defines the allowed protocols for WinHTTP connections:

• 0x00000A0 is the default value that only allows SSL 3.0 and TLS 1.0 for WinHTTP;
• 0x0000AA0 - allow the use of TLS 1.1 and TLS 1.2 in addition to SSL 3.0 and TLS 1.0;
• 0x00000A00 - allow only TLS 1.1 and TLS 1.2;
• 0x00000800 - Only allow TLS 1.2.
• Starting with Windows 10 and Windows Server 2016, all versions of Windows support TLS 1.2 for communications over WinHTTP.

You can use the following PowerShell script to create these registry entries:

$reg32bWinHttp = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$reg64bWinHttp = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$regWinHttpDefault = "DefaultSecureProtocols"
$regWinHttpValue = "0x00000800"
$regTLS12Client = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
$regTLS12Server = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
$regTLSDefault = "DisabledByDefault"
$regTLSValue = "0x00000000"
$regTLSEnabled = "Enabled"
$regTLSEnableValue = "0x00000001"
# For Windows x86
New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD
# For Windows x64
New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2”
New-Item -Path $regTLS12Client
New-Item -Path $regTLS12Server
New-ItemProperty -Path $regTLS12Client -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD
New-ItemProperty -Path $regTLS12Client -Name $regTLSEnabled -Value $regTLSEnableValue -PropertyType DWORD
New-ItemProperty -Path $regTLS12Server -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD
New-ItemProperty -Path $regTLS12Server -Name $regTLSEnabled -Value $regTLSEnableValue -PropertyType DWORD

Restart your computer:

Restart-Computer

What remains is to enable TLS 1.2 support for .NET Framework applications. To do this, you need to enable the forced use of system encryption protocols for .NET 3.5 and 4.x applications in the registry. If you are running older versions of NET Framework 4.5.1 or 4.5.2 on Windows Server 2012 R2/2012 or Windows 8.1, please install the latest updates for .Net Framework 4.5.1 first (they will add TLS 1.2 support to .Net).

The following are the registry settings that need to be configured for different versions of .Net:

• for .Net 3.5 and 2.0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] "SchUseStrongCrypto"=dword:00000001

• for .Net 4.x

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001

• for .Net 4.6
  

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001

For example, without these settings, you won't be able to connect to the PSGallery repositories from the PowerShell console on Windows Server 2012 R2 with errors:

• Install-Module: Unable to download from URI
• Unable to resolve package source

The problem here is that, by default, PowerShell tries to use the TLS 1.0 protocol to connect to PSGallery. As of April 2020, the PowerShell Gallery only allows connections to a NuGet provider using TLS 1.2.

There is also a free IISCrypto utility that allows you to enable/disable various TLS/SSL protocols and Schannel settings via a GUI (https://www.nartac.com/Products/IISCrypto/). Here you can choose which versions of TLS protocols you want to configure. If all the checkboxes opposite the Schannel protocols are gray, then Windows uses the standard settings. In my example, I enabled TLS 1.2 for the client and server using the PowerShell script discussed earlier. The IISCrypto utility now shows that TLS 1.2 is manually enabled.

IISCrypto does not allow you to change the TLS settings for .NET and WinHTTP.

In Windows Server 2022, you can use TLS 1.3 to enable HTTP/3 support for IIS sites.