Disable Enable TLS 1.0 And 1.1 For Internet Explorer EdgeHTML HTMD Blog (2024)

You can disable or enable TLS 1.0 and 1.1 for Internet Explorer and EdgeHTML – the rendering engine for the WebView control. Microsoft announced the disablement of TLS 1.0 and 1.1 back in 2018.

In Oct 2018, Microsoft announced the disablement of Transport Layer Security (TLS) 1.0 and 1.1 by default in Microsoft browsers. The disablement by default is delayed, but it’s happening on the 13th of Sept 2022.

After Sept 2022 patch Tuesday, TLS 1.0 and 1.1 will be disabled by default on all the supported Microsoft browsers such as Internet Explorer and MS EdgeHTML. For MS Edge browser version 84 or later, this is already disabled by default.

Microsoft is not deprecating TLS 1.0 and 1.1 but disabling them by default in all the officially supported MS browsers. Organizations can still enable or disable these TLS versions on their managed devices. You can use Group Policy settings or Intune Cloud Policies to disable or enable TLS 1.0 and TLS 1.1.


Do you Still need to keep TLS 1.0 and 1.1 enabled?

Yes, this would be one of the first questions you should ask yourself. How many of your websites support only TLS 1.0 and 1.1?

I think there would be some legacy web applications in your organization (business critical – of course) that still need TLS 1.0 or TLS 1.1 along with Internet Explorer (IE) or MS Edge IE Mode to work. These are the applications that are going to cause issues after 13th Sept 2022.

As per the Aug 2022 SSL Labs report, 99.8% of the scanned websites support TLS 1.2 or above. This means most public websites are good to go with TLS 1.2 or above. However, internal enterprise web apps might have a different story to tell!


What is Transport Layer Security (TLS) Protocol?

TLS is the protocol that helps protect communication between the browser (Client) and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use.


The browser and server attempt to match each other’s list of supported protocols and versions and select the most preferred match. NOTE! – SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol.
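To answer the inventory question above for your own internal sites, the following added example (not part of the original post) offers one protocol version at a time and records whether the server completes the handshake. The function name and host names are hypothetical, and the result also depends on which protocol versions the probing machine itself still allows.

```powershell
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # .NET enum names: Tls = TLS 1.0, Tls11 = TLS 1.1, Tls12 = TLS 1.2
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl    = $null
        $result = [ordered]@{
            Host = $HostName; Port = $Port; Offered = $proto
            Accepted = $false; Detail = ''
        }
        try {
            $client.Connect($HostName, $Port)
            # The callback accepts any certificate: this probe measures protocol
            # support only and must never be reused to carry real traffic.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            # Offer exactly one version, so success means the server accepts it.
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]$proto, $false)
            $result.Accepted = $true
            $result.Detail   = "negotiated $($ssl.SslProtocol)"
        }
        catch {
            # Handshake refused, host unreachable, or version disabled locally.
            $result.Detail = $_.Exception.GetBaseException().Message
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Close()
        }
        [pscustomobject]$result
    }
}

# Constructed host names; replace with your own list of internal sites.
'legacy-app.corp.example', 'intranet.corp.example' |
    ForEach-Object { Test-TlsVersion -HostName $_ } |
    Format-Table -AutoSize
```

A site that accepts only `Tls` or `Tls11` and refuses `Tls12` is one that needs remediation, or a documented exception, before the default changes.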


Registry Entries for Internet Explorer TLS Support

Let’s check the registry entries for Internet Explorer (aka IE and IE Mode for MS Edge). You can refer to the Microsoft Edge browser group policy post to enable TLS 1.0 and 1.1 – Microsoft Edge ADMX Group Policy Settings.

| Setting | Registry Path | Value | Value Name |
|---|---|---|---|
| Use TLS 1.0, TLS 1.1, and TLS 1.2 | HKLM or HKCU Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | 2688 | SecureProtocols |
| Use TLS 1.0 and TLS 1.1 | HKLM or HKCU Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | 640 | SecureProtocols |
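SecureProtocols is a bitmask, so the values in the table can be decoded rather than memorized. The following added example (not from the original post) decodes a value and audits the policy key in both hives; the function names are hypothetical, and the per-protocol bit values come from Microsoft's documentation, not from this page.

```powershell
# Bit flags of the SecureProtocols DWORD (meanings per Microsoft's documentation,
# not listed on this page).
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
    'TLS 1.3' = 0x2000
}

function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory)][int]$Value)
    # Emit the name of every protocol whose bit is set in the DWORD.
    foreach ($name in $ProtocolFlags.Keys) {
        if ($Value -band $ProtocolFlags[$name]) { $name }
    }
}

function Get-IESecureProtocolsPolicy {
    # Policy location from the table above, checked in both hives.
    $subKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = Join-Path $hive $subKey
        $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
        $enabled = @(if ($item) { ConvertFrom-SecureProtocols -Value $item.SecureProtocols })
        # Everything older than TLS 1.2 is reported as legacy.
        $legacy = @($enabled | Where-Object { $_ -ne 'TLS 1.2' -and $_ -ne 'TLS 1.3' })
        [pscustomobject]@{
            Path    = $path
            Value   = if ($item) { $item.SecureProtocols } else { 'not set by policy' }
            Enabled = $enabled -join ', '
            Legacy  = $legacy -join ', '
        }
    }
}

# Decode the two values from the table, then audit the local machine.
2688, 640 | ForEach-Object {
    '{0} -> {1}' -f $_, ((ConvertFrom-SecureProtocols -Value $_) -join ', ')
}
Get-IESecureProtocolsPolicy | Format-List
```

A non-empty Legacy field on a device that is supposed to be TLS 1.2-only means the "Turn off encryption support" policy is not applied as intended.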

Disable TLS 1.0 and 1.1 using Group Policy

Microsoft will automatically disable TLS 1.0 and 1.1 for all Microsoft browsers after 13th Sept 2022. However, suppose your organization wants to ensure that all the managed Windows devices can use only the latest versions of TLS 1.2 or above. In that case, you can use the following group policy.

The following group policy helps to disable Transport Layer Security (TLS) 1.0 and 1.1.

  • Launch Group Policy Management Console.
  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page.
  • Open the policy setting called “Turn off encryption support.”
  • Click on Enable.
  • And from the drop-down options, select -> Only Use TLS 1.2

NOTE! – If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods you select from the drop-down list. But I'm not sure what will happen to sites running with TLS 1.3. Let me know in the comments.

Intune Policy to Disable TLS 1.0 and 1.1

You can also use Intune to disable TLS 1.0 and 1.1 by creating a Settings Catalog policy.

  • Sign in to the Microsoft Endpoint Manager admin center.
  • Select Devices > Configuration profiles > Create profile.
  • Select platform -> Windows 10 and Later.
  • Click on the Create button (and follow the guide to create Intune Settings Catalog Policy).

There are thousands of settings available in the settings catalog. To make it easier to search specific settings, use the built-in features shown in the diagram below.

  • I searched with the keyword “Turn off encryption support.”
  • Select the relevant values (same as Group Policy above) – Only Use TLS 1.2 from the drop down.

NOTE! – The choice of Only using TLS 1.2 is tricky; it’s not a perfect one (I think) because I’m not sure what will happen to sites running with TLS 1.3. Let me know in the comments.


Enable TLS 1.0 and 1.1 using Group Policy

TLS 1.0 and 1.1 will be disabled by default on all the supported MS browsers, such as IE and MS EdgeHTML, after the 13th Sept 2022 patch Tuesday. If you need TLS 1.0 and 1.1 after Sept 2022, you must use a Group Policy or Intune policy to enable them again.

Some organizations still want to use TLS 1.0 and TLS 1.1 for some of their internal business-critical web applications. To enable them, follow these steps.

  • Launch Group Policy Management Console.
  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page.
  • Open the policy setting called “Turn off encryption support.”
  • Click on Enable.
  • And from the drop-down options select -> “Use TLS 1.0, TLS 1.1, and TLS 1.2.”

NOTE! – If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. Hence I have decided to use the “Use TLS 1.0, TLS 1.1, and TLS 1.2” option.

Intune Policy to Enable TLS 1.0 and 1.1

You can enable the TLS 1.0 and 1.1 protocols using Intune Settings Catalog ADMX policies. A similar method is used to disable TLS 1.0 and 1.1 in the section above. The Intune method is useful when you have Azure AD Joined Windows devices.

  • Follow the guide to create an Intune Settings Catalog Policy.

There are thousands of settings available in the settings catalog. To make it easier to search specific settings, use the built-in features shown in the diagram below.

  • I searched with the keyword “Turn off encryption support.”
  • Select relevant values (same as Group Policy above) from the drop-down options – Use TLS 1.0, TLS 1.1, and TLS 1.2.

NOTE! – I thought the option – Use TLS 1.0, TLS 1.1, and TLS 1.2 is the best option I could figure out from the Turn off encryption support group policy Settings. What do you think?


Author

Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

