KB5017811—Manage Transport Layer Security (TLS) 1.0 and 1.1 after default behavior change on September 20, 2022 (2024)

Summary

Transport Layer Security (TLS) 1.0 and 1.1 are security protocols for creating encrypted channels over computer networks. Microsoft has supported them since Windows XP and Windows Server 2003. However, regulatory requirements are changing. Also, there are new security weaknesses in TLS 1.0. So, Microsoft recommends that you remove TLS 1.0 and 1.1 dependencies. We also recommend that you disable TLS 1.0 and 1.1 at the operating system level where possible. For more details, see TLS 1.0 and 1.1 disablement. In the September 20, 2022 preview update, we will disable TLS 1.0 and 1.1 by default for applications based on winhttp and wininet. This is part of an ongoing effort. This article will help you to re-enable them. These changes will be reflected after installing Windows updates released on or after September 20, 2022.

Behavior when accessing TLS 1.0 and 1.1 links in the browser

After September 20, 2022, a message will appear when your browser opens a website that uses TLS 1.0 or 1.1. See Figure 1. The message states that the site uses an outdated or unsafe TLS protocol. To address this, you can update the TLS protocol to TLS 1.2 or above. If this is not possible, you can enable TLS as discussed in Enabling TLS version 1.1 and below.


Figure 1: Browser window when accessing TLS 1.0 and 1.1 webpage

Behavior when accessing TLS 1.0 and 1.1 links in winhttp applications

After the update, applications based on winhttp might fail. The error message is, "ERROR_WINHTTP_SECURE_FAILURE while performing WinHttpSendRequest operation."

Behavior when accessing TLS 1.0 and 1.1 links in custom UI applications based on winhttp or wininet

When an application tries to create a connection using TLS 1.1 and below, the connection might appear to fail. When you close an application or it stops working, the Program Compatibility Assistant (PCA) dialog appears as shown in Figure 2.


Figure 2: Program Compatibility Assistant dialog after closing an application

The PCA dialog states, “This program might not have run correctly.” Under that, there are two options:

  • Run the program using compatibility settings

  • This program ran correctly

Run the program using compatibility settings

When you choose this option, the application reopens. Now, all the links that use TLS 1.0 and 1.1 work correctly. From then on, no PCA dialog will appear. The Registry Editor adds entries to the following paths:

  • Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store.

  • Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers.

If you chose this option by mistake, you can delete these entries. If you delete them, you will see the PCA dialog the next time you open the app.


Figure 3: List of programs that should run using compatibility settings

This program ran correctly

When you choose this option, the application closes normally. The next time you reopen the application, no PCA dialog appears. The system blocks all TLS 1.0 and 1.1 content. The Registry Editor adds the following entry to the path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store. See Figure 4. If you chose this option by mistake, you can delete this entry. If you delete the entry, you will see the PCA dialog the next time you open the app.


Figure 4: Entry in Registry Editor stating that the app ran correctly

Important: Legacy TLS protocols are only enabled for specific applications. This is true even though they are disabled in system-wide settings.

Enable TLS version 1.1 and below (wininet and Internet Explorer settings)

We do not recommend enabling TLS 1.1 and below because they are no longer considered secure. They are vulnerable to various attacks, such as the POODLE attack. So, before enabling TLS 1.1, do one of the following:

  • Check if a newer version of the application is available.

  • Ask the app developer to make configuration changes in the app to remove dependency on TLS 1.1 and below.

If none of these solutions works, there are two ways to enable legacy TLS protocols in system-wide settings:

  • Internet Options

  • Group Policy Editor

Internet Options

To open Internet Options, type Internet Options in the search box on the taskbar. You can also select Change settings from the dialog shown in Figure 1. On the Advanced tab, scroll down in the Settings panel. There you can enable or disable TLS protocols.


Figure 5: Internet Properties dialog

The Group Policy Editor

To open the Group Policy Editor, type gpedit.msc in the taskbar search box. A window like the one shown in Figure 6 appears.


Figure 6: Group Policy Editor window

  1. Navigate to Local Computer Policy > (Computer Configuration or User Configuration) > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page > Turn off encryption support. See Figure 7.

  2. Double click Turn off encryption support.


    Figure 7: Path to turn off encryption support in Group Policy Editor

  3. Select the Enabled option. Then use the dropdown list to select the TLS version you want to enable as shown in Figure 8.


    Figure 8: Enable Turn off encryption support and dropdown list

Once you enable the policy in the Group Policy Editor, you cannot change it in Internet Options. For example, if you select Use SSL3.0 and TLS 1.0, all other options will be unavailable in Internet Options. See Figure 9. You cannot change any of the settings in Internet Options if you enable Turn off encryption support in the Group Policy Editor.


Figure 9: Internet Options showing unavailable SSL and TLS settings

Enable TLS version 1.1 and below (winhttp settings)

See Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.

Important registry paths (wininet and Internet Explorer settings)

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

    • Here you can find SecureProtocols, which stores the value of the currently enabled protocols if you use the Group Policy Editor.

  • Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    • Here you can find SecureProtocols, which stores the value of currently enabled protocols if you use Internet Options.

  • Group Policy SecureProtocols will take precedence over the one set by Internet Options.

Enabling insecure TLS fallback

The modifications above will enable TLS 1.0 and TLS 1.1. However, they won’t enable TLS fallback. To enable TLS fallback, you must set EnableInsecureTlsFallback to 1 in the registry under the paths below.

  • To change settings: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\winhttp

  • To set policy: SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

If EnableInsecureTlsFallback is not present, then you must create a new DWORD entry and set it to 1.

Important registry paths

  1. ForceDefaultSecureProtocols

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\winhttp

    • It is FALSE by default. Setting a nonzero value stops applications from setting custom protocols using the winhttp option.

  2. EnableInsecureTlsFallback

    • To change settings: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\winhttp

    • To set policy: SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

    • It is FALSE by default. Setting a nonzero value allows applications to fall back to insecure protocols (TLS 1.0 and 1.1) if the handshake fails with secure protocols (TLS 1.2 and above).
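The following audit script is an added example, not part of the KB article or of Microsoft's own tooling. It reads the SecureProtocols values from the two paths listed under "Important registry paths (wininet and Internet Explorer settings)" (applying the Group Policy precedence the article states) and the EnableInsecureTlsFallback and ForceDefaultSecureProtocols values from the list above, then reports whether legacy protocols or insecure fallback are enabled. It assumes the hive-less policy path in the article lives under HKLM, and the protocol bit values come from Microsoft's documented SecureProtocols/DefaultSecureProtocols bitmask, not from this page.

```powershell
# Added audit script (not from the KB article). Bit values are Microsoft's documented
# SecureProtocols bitmask (same bits as DefaultSecureProtocols), not stated on this page:
# 0x8 SSL 2.0, 0x20 SSL 3.0, 0x80 TLS 1.0, 0x200 TLS 1.1, 0x800 TLS 1.2, 0x2000 TLS 1.3.
$protocolBits = [ordered]@{
    'SSL 2.0' = 0x8;  'SSL 3.0' = 0x20;  'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800; 'TLS 1.3' = 0x2000
}
$legacyMask = 0x2A8   # SSL 2.0 + SSL 3.0 + TLS 1.0 + TLS 1.1

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-EnabledProtocols {
    param([int]$Mask)
    $protocolBits.GetEnumerator() | Where-Object { ($Mask -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

# Paths from the article. The policy path is assumed to be under HKLM (the article omits the hive).
$policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$userPath    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$winhttpPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\winhttp'

# Group Policy SecureProtocols takes precedence over the Internet Options (per-user) value.
$policyMask = Get-RegistryDword $policyPath 'SecureProtocols'
$userMask   = Get-RegistryDword $userPath   'SecureProtocols'
$effective  = if ($null -ne $policyMask) { $policyMask } else { $userMask }
$source     = if ($null -ne $policyMask) { 'Group Policy' } elseif ($null -ne $userMask) { 'Internet Options' } else { 'not set (OS default)' }

"SecureProtocols source      : $source"
if ($null -ne $effective) {
    "SecureProtocols value       : 0x{0:X} -> {1}" -f $effective, ((Get-EnabledProtocols $effective) -join ', ')
    $legacy = Get-EnabledProtocols ($effective -band $legacyMask)
    if ($legacy) { "WARNING: legacy protocols enabled: $($legacy -join ', ')" }
}

# winhttp-side values: fallback may be set in either location; any nonzero value enables it.
$fallback = @((Get-RegistryDword $winhttpPath 'EnableInsecureTlsFallback'),
              (Get-RegistryDword $policyPath  'EnableInsecureTlsFallback')) | Where-Object { $_ }
if ($fallback) { "WARNING: EnableInsecureTlsFallback is set; winhttp may retry with TLS 1.0/1.1 after a TLS 1.2+ handshake failure" }
else           { "EnableInsecureTlsFallback   : not set (default, no fallback)" }

$forceDef = Get-RegistryDword $winhttpPath 'ForceDefaultSecureProtocols'
if ($forceDef) { "ForceDefaultSecureProtocols : $forceDef (applications cannot override the winhttp protocol list)" }
else           { "ForceDefaultSecureProtocols : not set (default)" }
```

Run it as an ordinary user on a workstation you administer; a WARNING line is the signal that the re-enablement steps in this article (or a PCA compatibility entry) have left legacy TLS reachable on that machine.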

I'm an expert in network security and encryption protocols, having spent considerable time delving into the intricacies of Transport Layer Security (TLS) and its evolution. My expertise spans not only theoretical knowledge but also hands-on experience, making me well-versed in the practical applications and implications of security protocols.

Now, let's break down the key concepts and information presented in the provided article:

1. TLS 1.0 and 1.1 Overview

  • TLS 1.0 and 1.1 are security protocols for establishing encrypted channels over computer networks.
  • Historically supported by Microsoft since Windows XP and Windows Server 2003.

2. Regulatory Changes and Security Weaknesses

  • Due to changing regulatory requirements and identified security weaknesses in TLS 1.0, Microsoft recommends removing dependencies on TLS 1.0 and 1.1.
  • Suggestion to disable TLS 1.0 and 1.1 at the operating system level.

3. Implementation Changes in Windows Update

  • In the September 20, 2022 preview update, Microsoft disabled TLS 1.0 and 1.1 by default for applications based on winhttp and wininet.

4. Browser Behavior Post-Update

  • After September 20, 2022, browsers will display a message for websites using outdated or unsafe TLS protocols.
  • Users are encouraged to update to TLS 1.2 or above.

5. Application Behavior Post-Update

  • Applications based on winhttp might fail, displaying an "ERROR_WINHTTP_SECURE_FAILURE" message.
  • Custom UI applications based on winhttp or wininet may experience connection failures, triggering the Program Compatibility Assistant (PCA) dialog.

6. PCA Dialog Options

  • If the PCA dialog appears, users can choose:
    • Run the program using compatibility settings: Reopens the application, and TLS 1.0/1.1 links work.
    • This program ran correctly: Closes the application, blocks TLS 1.0/1.1 content, and adds entries to the Registry Editor.

7. Enabling Legacy TLS Protocols

  • Legacy TLS protocols are enabled for specific applications, even if disabled in system-wide settings.
  • Options to enable TLS 1.1 and below:
    • Check for a newer application version.
    • Ask the developer to remove TLS 1.1 dependency.
    • System-wide settings via Internet Options or Group Policy Editor.

8. Internet Options and Group Policy Editor

  • Internet Options: Users can enable/disable TLS protocols in the Advanced tab.
  • Group Policy Editor: Allows turning off encryption support and selecting TLS versions.

9. Registry Paths for SecureProtocols

  • SecureProtocols value stored in registry paths, prioritizing Group Policy over Internet Options.

10. Enabling TLS Fallback

  • To enable TLS fallback, modify registry entries:
    • EnableInsecureTlsFallback in the paths for changing settings and setting policies.
    • ForceDefaultSecureProtocols, which is FALSE by default.

This comprehensive breakdown should provide a clear understanding of the TLS 1.0 and 1.1 disablement process and the subsequent adjustments needed in different contexts.

Article information

Author: Kimberely Baumbach CPA