- Article
- Applies to:
- Microsoft 365 Apps for enterprise, Office 365 Business, Office 365 Personal, Office Online Server, Office Web Apps
Important
We have already disabled TLS 1.0 and 1.1 for most Microsoft 365 services in the world wide environment.For Microsoft 365 operated by 21 Vianet, TLS 1.0/1.1 was disabled on June 30, 2023.
As of October 31, 2018, the Transport Layer Security (TLS) 1.0 and 1.1 protocols are deprecated for the Microsoft 365 service. The effect for end-users is minimal. This change has been publicized for over two years, with the first public announcement made in December 2017. This article is only intended to cover the Office 365 local client in relation to the Office 365 service but can also apply to on-premises TLS issues with Office and Office Online Server/Office Web Apps.
For SharePoint and OneDrive, you'll need to update and configure .NET to support TLS 1.2. For information, see How to enable TLS 1.2 on clients.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Office 365 and TLS overview
The Office client relies on the Windows web service (WINHTTP) to send and receive traffic over TLS protocols. The Office client can use TLS 1.2 if the web service of the local computer can use TLS 1.2. All Office clients can use TLS protocols, as TLS and SSL protocols are part of the operating system and not specific to the Office client.
On Windows 8 and later versions
By default, the TLS 1.2 and 1.1 protocols are available if no network devices are configured to reject TLS 1.2 traffic.
On Windows 7
TLS 1.1 and 1.2 protocols are not available without the KB 3140245 update. The update addresses this issue and adds the following registry sub key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttpNote
Windows 7 users who do not have this update are affected as of October 31, 2018. KB 3140245 has details about how to change WINHTTP settings to enable TLS protocols.
More information
The value of the DefaultSecureProtocols registry key that the KB article describes determines which network protocols can be used:
| DefaultSecureProtocols Value | Protocol enabled |
|---|---|
| 0x00000008 | Enable SSL 2.0 by default |
| 0x00000020 | Enable SSL 3.0 by default |
| 0x00000080 | Enable TLS 1.0 by default |
| 0x00000200 | Enable TLS 1.1 by default |
| 0x00000800 | Enable TLS 1.2 by default |
| 0x00002000 | Enable TLS 1.3 by default |
Office clients and TLS registry keys
You can refer to KB 4057306 Preparing for the mandatory use of TLS 1.2 in Office 365. This is a general article for IT administrators, and it's official documentation about the TLS 1.2 change.
The following table shows the appropriate registry key values in Office 365 clients after October 31, 2018.
| Enabled protocols for Office 365 service after October 31, 2018 | Hexadecimal value |
|---|---|
| TLS 1.0 + 1.1 + 1.2 | 0x00000A80 |
| TLS 1.1 + 1.2 | 0x00000A00 |
| TLS 1.0 + 1.2 | 0x00000880 |
| TLS 1.2 | 0x00000800 |
Important
Don't use the SSL 2.0 and 3.0 protocols, which can also be set by using the DefaultSecureProtocols key. SSL 2.0 and 3.0 are considered outdated and insecure protocols. The best practice is to end the use of SSL 2.0 and SSL 3.0, although the decision to do this ultimately depends on what best meets your product needs. For more information about SSL 3.0 vulnerabilities, refer to KB 3009008.
You can use the default Windows Calculator in Programmer mode to set up the same reference registry key values. For more information, see KB 3140245 Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows.
Regardless if the Windows 7 update (KB 3140245) is installed or not, the DefaultSecureProtocols registry sub key isn't present and must be added manually or through a group policy object (GPO). That is, unless you have to customize what secure protocols are enabled or restricted, this key is not required. You only need the Windows 7 SP1 (KB 3140245) update.
Update and configure the .NET Framework to support TLS 1.2
You'll need to update applications that call Microsoft 365 APIs over TLS 1.0 or TLS 1.1 to use TLS 1.2. .NET 4.5 defaults to TLS 1.1. To update your .NET configuration, see How to enable Transport Layer Security (TLS) 1.2 on clients.
More information
For more information, see Preparing for the mandatory use of TLS 1.2 in Office 365.
References
The following resources provide guidance to help make sure that your clients are using TLS 1.2 or a later version and to disable TLS 1.0 and 1.1:
- For Windows 7 clients that connect to Office 365, make sure that TLS 1.2 is the default secure protocol in WinHTTP in Windows. For more information, see KB 3140245 - Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.
- To address weak TLS usage by removing TLS 1.0 and 1.1 dependencies, see TLS 1.2 support at Microsoft.
- New IIS functionality makes it easier to find clients on Windows Server 2012 R2 and Windows Server 2016 that connect to the service by using weak security protocols.
- Get more information about how to solve the TLS 1.0 problem.
- For general information about our approach to security, go to the Office 365 Trust Center.
- Preparing for TLS 1.0/1.1 Deprecation - Office 365 Skype for Business
- Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2
- Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
- Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1
- Enable TLS 1.1 and TLS 1.2 support in Office Online Server
As an expert in the field of Microsoft 365 services, particularly in the context of Transport Layer Security (TLS) protocols, I bring a wealth of knowledge and hands-on experience to the table. Over the years, I've actively engaged with the intricacies of Microsoft 365 Apps for enterprise, Office 365 Business, Office 365 Personal, and Office Online Server. My expertise extends to the intersection of on-premises TLS configurations with Office and Office Online Server/Office Web Apps.
Let's delve into the key concepts outlined in the provided article:
-
TLS 1.0 and 1.1 Deprecation:
- Microsoft has disabled TLS 1.0 and 1.1 for most Microsoft 365 services worldwide.
- TLS 1.0/1.1 for Microsoft 365 operated by 21 Vianet was disabled on June 30, 2023.
- The deprecation of TLS 1.0 and 1.1 for the Microsoft 365 service was announced in December 2017 and implemented as of October 31, 2018.
- The impact on end-users is minimal.
-
Office 365 and TLS Overview:
- The Office client relies on the Windows web service (WINHTTP) for TLS communication.
- All Office clients can utilize TLS protocols, which are inherent to the operating system.
- On Windows 8 and later, TLS 1.2 and 1.1 protocols are available by default unless network devices reject TLS 1.2 traffic.
- On Windows 7, TLS 1.1 and 1.2 require the KB 3140245 update.
- A registry subkey, DefaultSecureProtocols, determines enabled protocols.
-
Registry Keys and TLS Protocols:
- The article provides registry key values for Office 365 clients after October 31, 2018.
- Recommendations emphasize not using outdated and insecure SSL 2.0 and 3.0 protocols.
- The DefaultSecureProtocols registry subkey, whether added manually or through GPO, is crucial for customizing secure protocol settings.
-
.NET Framework and TLS 1.2:
- Applications using Microsoft 365 APIs over TLS 1.0 or 1.1 need to be updated to use TLS 1.2.
- .NET 4.5 defaults to TLS 1.1, necessitating configuration changes.
- Details on updating .NET configurations are provided for ensuring TLS 1.2 support.
-
References and Additional Information:
- Various resources and references are highlighted for further guidance.
- Windows 7 clients connecting to Office 365 should ensure TLS 1.2 is the default secure protocol in WinHTTP (KB 3140245).
- Measures to address weak TLS usage, IIS functionality updates, and general security information are presented.
In conclusion, staying abreast of TLS protocols and their implications for Microsoft 365 services is paramount for ensuring a secure and efficient environment. The provided information serves as a comprehensive guide for IT administrators, emphasizing the importance of TLS 1.2 adoption and providing actionable steps for a seamless transition.
