Enable TLS 1.1 and TLS 1.2 on Windows 7 and Windows 8 – OS + Regedit patches A small guide explaining how to activate the secure TLS 1.1 and 1.2 protocols on Windows 7 and Windows 8 and fix a critical security risk, and two useful patches you can download to ease up the process

Enable TLS 1.1 and TLS 1.2 on Windows 7 and Windows 8 - OS + Regedit patches

As you might already know, TLS version 1.0 is not safe anymore and should be disabled, just like SSL 2.0 and SSL 3.0: if you want to know why you can either read this post, which summarizes pretty much you have to know, or recover some info regarding the three biggest attacks that managed to exploit the various TLS 1.0 vulnerabilities discovered within 2011 and 2014: BEAST, Heartbleed and POODLE.

Anyway, if you have a recent version of Windows – such as Windows 10 – you won’t be affected by this issue, provided you always install the OS updates through the official channels. Conversely, if you’re still using Windows 7 or Windows 8, you might have to perform some manual tasks in order to get rid of that outdated TLS version: on these systems, all applications created in WinHTTP (Windows HTTP Services) such as MS Outlook, MS Word, and the likes will use TLS 1.0 support, which is the default encryption standard for these OSes. As a result, if you attempt to establish a secure connection from your Outlook client to a “TLS secured” server, there is a high chance that MS Outlook will display one of the following error messages:

The server does not support the specified connection encryption type.

 

Your server does not support the connection encryption type you have specified.

Luckily enough, this can be fixed by telling your OS to never use TLS 1.0 anymore, and stick with TLS 1.1 and 1.2 by default. Here’s a small guide explaining how you can do that.

Install the KB3140245 Security Patch

The first thing to do is to download and install the Windows KB3140245: you can do that using Windows Update, since it’s available as an optional update, or manually download it from the following official website:

This will equip your OS with TLS versions 1.1 and 1.2.

Updating your Windows Registry file

The next step you need to do is to patch your Windows Registry file, so that your OS will actually use the new TLS protocol versions (1.2, and 1.1 as a fallback) instead of the outdated and vulnerable 1.0 one. This can be done either automatically (with an official Microsoft-released patch file) or by manually editing the registry file using regedit or our own TLS12fix.reg file.

Microsoft Patch File

The Microsoft patch file is called MicrosoftEasyFix51044.msi and can be downloaded from this url:

If you’re doing this to face a common MS Outlook scenario, downloading and executing this file is all that you need to fix your issue.

Manual update

If you’re an experienced user this probably is the recommended approach, since it allows you to choose which protocol to enable or not.

#1. Setting the default TLS protocols

The first thing you do is to create a new DWORD key called DefaultSecureProtocols in the following sections of your registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

The HEX value to set depends on which protocol(s) you would like to enable by default:

  • To enable TLS 1.0, TLS 1.1 and TLS 1.2, set the value to 00000A80 (not recommended- that’s what you want to avoid).
  • To enable TLS 1.1 and TLS 1.2 only, thus disabling TLS 1.0, set the value to 00000A00. This is the recommended approach as of today (might change in the future if TLS 1.1 becomes outdated as well).
  • To enable TLS 1.1 only, set the value to 00000200.
  • To enable TLS 1.2 only, set the value to 00000800.

If you want to know more about these settings, take a look at this official Microsoft page, which explains everything and also adds some valuable info about the whole topic.

#2. Enable TLS 1.1 and 1.2 at the SChannel component level

The second thing to do, as explained in this TechNet article, is to create another DWORD key called DisabledByDefault in the following sections of your registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

And set a value of 0 (zero).

Registry Patch File(s)

If you don’t want to manually edit your Windows Registry file using regedit, you can download use these registry patch files which we made, that will automatically set all the above registry keys with a single click.

Conclusion

That’s it, at least for now: I sincerely hope that this post will be useful for those system administrators, power users and enthusiasts who want (or need) to patch their system to get rid of TLS 1.0 and fix this security vulnerability for good.

 

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.