In older versions of Windows (Windows 7/XP or Windows Server 2008R2/2003) with Outlook 2010/2013/2016/2019, when setting up a connection to the mail server, you may encounter an error:
0x800CCC1A - Your server does not support the type of encryption you specified.
Your server does not support the connection encryption type you have specified. Try changing encryption method. Contact your mail server administrator or Internet service provider (ISP).
The error is due to the fact that the Outlook client is trying to connect to the mail server using an unsupported protocol.
Most often, this problem occurs if the mail server only supports TLS 1.2 and 1.3 protocols. For example, Windows 7 (discontinued) only supports TLS 1.0 and 1.1 by default, which are considered obsolete and almost never used on mail servers.
The Office client uses the WINHTTP transport to send and receive data over TLS. If TLS 1.2 is not supported or disabled at the winhttp level, Outlook will not be able to connect to the server due to an unsupported encryption type.
To fix this problem, you need to enable TLS 1.2 support in Windows 7. Windows 7 supports TLS 1.2, but it is not enabled by default (unlike newer versions of Windows 8+).
To enable TLS 1.2 on Windows 7:
- Make sure you have Windows 7 SP1 installed;
- Download and manually install update KB3140245 from the Microsoft Update Catalog (https://www.catalog.update.microsoft.com/search.aspx?q=kb3140245);
- Download and install the MicrosoftEasyFix51044.msi patch (https://download.microsoft.com/download/0/6/5/0658B1A7-6D2E-474F-BC2C-D69E5B9E9A68/MicrosoftEasyFix51044.msi).
This fix is described in the Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows article). The patch adds settings to the registry that will provide support for TLS 1.1 and TLS 1.2 on Windows Server 2012, Windows 7 SP1 and Windows Server 2008 R2 SP1 (described below).
- Restart your computer.
The above patch adds the following parameters to the registry branches:
Parameter of type DefaultSecureProtocols in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp branch with value 0x00000a00.
On the x64 bit version of Windows, you need to create this setting in the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp.
The 0x0A0 option leaves WinHTTP enabled for SSL 3.0 and TLS 1.0, and optionally enables TLS 1.1 and TLS 1.2. If you want to allow the client to use only TLS 1.1 and TLS 1.2, you need to change the value to 0xA00.Create new TLS 1.2 and TLS 1.1 subkeys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
Within each new section, create a Client branch . Within each Client branch, create a DisabledByDefault DWORD value with a value of 0x00000000.
To create these registry settings, you can use the following PowerShell script:
$reg32bWinHttp = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"You can check the versions of TLS protocols supported by your mail server using the SSL Labs online service (https://www.ssllabs.com/ssltest/analyze.html?d=mail.site.io)
$reg64bWinHttp = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$regWinHttpDefault = "DefaultSecureProtocols"
$regWinHttpValue = "0x00000a00"
$regTLS11 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"
$regTLS12 = "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
$regTLSDefault = "DisabledByDefault"
$regTLSValue = "0x00000000"
# Для Windows x86
New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD
# Для Windows x64
New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD
New-Item -Path $regTLS11
New-ItemProperty -Path $regTLS11 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD
New-Item -Path $regTLS12
New-ItemProperty -Path $regTLS12 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD
In this example, you can see that the mail server only supports TLS 1.2.
In Microsoft 365 (Office 365), TLS 1.0 and TLS 1.1 are not yet disabled by default. Microsoft announces periodically that they will be disabled for all users in the near future.
Check in Outlook settings that STARTTLS (available in new versions of Outlook) or SSL/TLS is used to connect to the mail server. Make sure the This server requires an encrypted connection (SSL/TLS) option is enabled . Check the IMAP/POP/SMTP port numbers.
Also note that some antiviruses have the SSL/TLS inspection (filtering) option enabled by default. Try disabling this option in the antivirus settings and check the connection to the mail server in Outlook.