How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers | IT Nota (2024)

Table of Contents
Enable TLS 1.2 on Windows Servers 2008 SP2 or later Enable TLS 1.2 on .NET Framework 3.5 (including 2.0) Enable TLS 1.2 as default for WinHTTP Further Reading Download FAQs

Transport Layer Security (TLS) are cryptographic protocols designed to provide communications security over a computer network, typically between a website and a browser.

TLS 1.0 and its deprecated predecessor, SSL are vulnerable to some well-known security issues such as POODLE and BEAST attacks. According to NIST, these vulnerabilities cannot be fixed or patched, therefore all companies, especially banks and other financial institutions who are notoriously slow in upgrading theirs systems, need to upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and the older TLS 1.0.

As of 30 June 2018, SSL and TLS 1.0 should be disabled and more secure encryption protocol such as TLS 1.2 (or at the minimum TLS 1.1) is required to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

The next question then how on do we enable TLS 1.2 on Windows Servers? Especially on older servers such as Windows Server 2008 as many companies are not on the latest and greatest operating systems?

This post will address what to look for and how to enable TLS 1.2 as the default protocol for Windows Server 2012 R2 or older.

IMPORTANT: As always and it’s worth repeating, you need to backup your current registry settings before attempting any of these changes on your servers.

Enable TLS 1.2 on Windows Servers 2008 SP2 or later

The blanket statement to enable your TLS 1.2 on your server from Windows Server 2008 SP2 or later. Microsoft provided an update to add support for TLS 1.1 and TLS 1.2 for Windows Server 2008, but it requires Windows Server 2008 SP2 installed.

So just to state the obvious, TLS 1.1 and TLS 1.2 are not supported for 32-bit Windows Server 2008 SP1.

  1. Launch regedit.exe.

  2. In registry, go to:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

  3. Create a new DWORD entry with a name TLS 1.2 and create another subkey Client and Server.

  4. Under the subkey Server, create another DWORD Enabled with a value of 1.

    See Also
    Enable Support for TLS 1.2 or 1.3 on Web BrowsersHow to Fix "Your Connection is Not Private" Error (18 Tips)Protecting Your Website With an SSL/TLS CertificateKB5017811—Manage Transport Layer Security (TLS) 1.0 and 1.1 after default behavior change on September 20, 2022

  5. Still under the subkey Server, create a DWORD DisabledByDefault with a value of 0.

  6. You must create a subkey DisabledByDefault entry in the appropriate subkey (Client, Server) and set the DWORD value to 0 since this entry is set to 1 by default.

    How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers | IT Nota (1)

  7. Reboot the server and test.

Enable TLS 1.2 on .NET Framework 3.5 (including 2.0)

.NET Framework 3.5 or earlier did not originally provide support of applications to use TLS System Default Versions as a cryptographic protocol. However, for Windows Server 2012 R2, check if KB3154520 is installed (or KB3154519 for Windows Server 2012; KB3154518 for Windows Server 2008 R2; KB3154517 for Windows Server 2008 SP2).

How to check the KB updates

  1. Right-click on the Windows button and select Programs and Features.

    How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers | IT Nota (2)

  2. On Programs and Features window, click onthe View installed updates on the left pane.

    How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers | IT Nota (3)

  3. You will see a list of the updates that you can narrow down or do a very specific search by using the Search Installed Updates box. You can type in the KB number (i.e., “KB3154520”).

    How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers | IT Nota (4)

  4. If the corresponding KB is already installed, we just need to enable it via registry change. Otherwise, you need to install the patch from either of the links for Windows Server 2012 R2 (or use the same corresponding links above for earlier versions of Windows Server).

    See Also
    How to Enable TLS 1.2 on Windows | Windows OS Hub

Registry Change

  1. Launch regedit.exe.

  2. Go to:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727

  3. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  4. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  5. Go to:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

  6. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  7. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  8. For 64-bit OS, the same changes also needed for the following locations:

     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727

  9. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  10. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  11. Go to:

     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319

  12. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  13. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  14. Test.

How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers | IT Nota (5)

Enable TLS 1.2 as default for WinHTTP

This may be applicable for any Classic ASP or VB6 applications that use WinHTTP. Prior to Windows 10 and Windows Server 2016, TLS 1.1 or 1.2 is not enabled by default for client-server communications through WinHTTP.

To set TLS 1.2 by default, do the following:

  1. Create a registry entry DefaultSecureProtocols on the following location:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

  2. Set the DWORD value to 800 for TLS 1.2.

  3. For 64-bit OS, repeat step 1 and 2 on the following location:

     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

  4. Reboot the server and test.

How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers | IT Nota (6)

Windows 10 and Windows Server 2016/2019 support TLS 1.2 for client-server communications by using WinHTTP.

Further Reading

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
TLS/SSL Settings
How to enable TLS 1.2 for Configuration Manager
Transport Layer Security (TLS) best practices with the .NET Framework
Support for TLS System Default Versions included in the .NET Framework 2.0 SP2 on Windows Vista SP2 and Server 2008 SP2
Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1
Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012
Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2
How to enable TLS 1.2 on the site servers and remote site systems
Use Case Scenario: Known issues connecting SSRS Server 2016 (new) to SQL Server 2008 (old) with TLS

Download

Solving the TLS 1.0 Problem (MS Word document)

How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers | IT Nota (2024)

FAQs

How to enable TLS 1.2 on Windows servers? ›

Resolution
  1. Go to the following key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
  2. Right-click the right pane, and click on New.
  3. Select Key.
  4. Name the new key TLS 1.2 and click on it.
  5. Click on New.
  6. Create a new key called Client.
  7. Right-click the client key and click on New.
Aug 7, 2023

Read On
How to make TLS 1.2 default? ›

Google Chrome
  1. Open Google Chrome.
  2. Click Alt F and select Settings.
  3. Scroll down and select Show advanced settings...
  4. Scroll down to the Network section and click on Change proxy settings...
  5. Select the Advanced tab.
  6. Scroll down to Security category, manually check the option box for Use TLS 1.1 and Use TLS 1.2.
  7. Click OK.
Nov 1, 2023

Discover More Details
How to confirm TLS 1.2 is enabled? ›

In the Windows menu search box, type Internet options. Under Best match, click Internet Options. In the Internet Properties window, on the Advanced tab, scroll down to the Security section. Check the User TLS 1.2 checkbox.

Continue Reading
Is TLS 1.2 enabled by default on Windows Server 2012 R2? ›

TLS 1.2 is enabled by default at the operating system level. Once you ensure that the . NET registry values are set to enable TLS 1.2 and verify the environment is properly utilizing TLS 1.2 on the network, you may want to edit the SChannel\Protocols registry key to disable the older, less secure protocols.

See Details
Is TLS 1.2 enabled by default on Windows Server? ›

At the operating system level (in Windows 11/10/8/1/Windows Server 2012R2/2016/2019/2022), TLS 1.2 is enabled by default. In some old Windows versions like Windows 7 and Windows Server 2012, they require you to configure some settings before enabling TLS 1.2.

Find Out More
How to check if TLS is enabled on Windows Server? ›

-Press the Windows key + R to start Run, type regedit, and press Enter or click OK. -If you can't find any of the keys or if their values are not correct, then TLS 1.2 is not enabled. I hope this information helps.

Tell Me More
How to check if TLS 1.2 is enabled on Windows Server? ›

Click Start menu, either in the Run box or the Search box, type regedit and press Enter. The Registry Editor window should be opened. Check if the subkey of TLS v1. 2 is enabled for both server and client.

Show Me More
How to set TLS settings to default? ›

From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > TLS (HTTPS) Options > Reset all settings to platform defaults.

Explore More
How to enable TLS 1.2 on Windows server using PowerShell? ›

Guidelines for enabling TLS 1.2 on clients

Update and configure your . NET Framework installation to support TLS 1.2. Make sure that applications and PowerShell (that use Microsoft Graph and Microsoft Graph PowerShell) scripts are hosted and run on a platform that supports TLS 1.2.

Continue Reading
How to check if TLS 1.2 is enabled in CMD? ›

Using the Command Prompt

To do this, open the command prompt by clicking the Windows start button, typing “cmd” and then pressing enter. Once the command prompt window is open, type “netsh trace show tls” and press enter. This will show you the TLS protocol version that is being used.

Show Me More

Does TLS 1.2 need to be enabled? ›

Enabling TLS 1.2

To correctly enable Configuration Manager to support TLS 1.2 for all secure communications, you must enable TLS 1.2 for all required components. The required components depend on your environment and the Configuration Manager features that you use.

Read The Full Story
How to enable TLS 1.2 in Windows Server 2012 R2? ›

Right-click on the Protocols folder, select New, then Key using the dropdown. It will create a new folder and rename this folder to TLS 1.2. 5. Right-click on key TLS 1.2 and add two new keys Inside it and rename the two new keys as below.

See Details
How do I know if TLS 1.2 is enabled on Windows Server 2012 R2? ›

In that case run the IIScrypto tool. It shows what protocols and ciphers are enabled. If TLS 1.2 is not enabled then check the box and reboot. TLS 1.2 is now enabled for the server.

Get More Info Here
Is TLS 1.2 enabled by default on Windows Server 2016? ›

0, 1.1 and 1.2 both enabled on server by default. You can get this information from Microsoft Learn. You can check it from control panel. If you still want to check it from the registry, it may difficult to check because the registry is more used to disable a certain TLS version.

Continue Reading
How to enable TLS 1.1 TLS 1.2 on Windows Server 2008 r2? ›

Step 2: Enable TLS 1.1 and TLS 1.2

2.1 Open registry on your server by running 'regedit' in run window and navigate to below location. 2.2 Add the TLS 1.1 and TLS 1.2 keys under Protocols. It will looks like directories. 2.3 Now create two keys Client and Server under both TLS keys.

View More
How do I enable TLS 1.2 and TLS 1.3 on Windows Server? ›

Method 1 : Enable TLS 1.2 and TLS 1.3 manually using Registry
  1. Open 'Run', type 'regedit' and click 'OK'.
  2. In Registry Editor, navigate to the path : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. ...
  3. Rename the registry key as 'TLS 1.2'.
Nov 14, 2023

View Details
Top Articles
How to Cancel a Credit Card - cardsavvyhub
Boost Your Credit History with Tradelines: A Complete Guide
Ann DeVries on LinkedIn: I’m happy to share that I’m starting a new position as Head of Strategic… | 120 comments
Our Online Trading Fees, Margin Interest Rates & Misc. Fees
Latest Posts
5 Best Tradeline Companies to Boost Your Credit
30 Things That Are An Utter Waste Of Money, As Listed By Folks In This Online Thread
Article information

Author: Amb. Frankie Simonis

Last Updated:

Views: 6806

Rating: 4.6 / 5 (76 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Amb. Frankie Simonis

Birthday: 1998-02-19

Address: 64841 Delmar Isle, North Wiley, OR 74073

Phone: +17844167847676

Job: Forward IT Agent

Hobby: LARPing, Kitesurfing, Sewing, Digital arts, Sand art, Gardening, Dance

Introduction: My name is Amb. Frankie Simonis, I am a hilarious, enchanting, energetic, cooperative, innocent, cute, joyous person who loves writing and wants to share my knowledge and understanding with you.