Steps to Enable TLS 1.2 on Windows

1. Modify the Registry to Enable TLS 1.2

TLS 1.2 must be enabled for both the Client and Server components in the Windows registry. The Client setting governs outbound connections that applications and services on the system initiate; the Server setting governs inbound connections they accept.

You can apply the following steps either manually through the Registry Editor or by running a PowerShell script.

A. Enable TLS 1.2 Manually Using Registry Editor

  1. Press Win + R, type regedit, and hit Enter to open the Registry Editor.
  2. Navigate to the following registry key for the Server:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

  3. If the Server key doesn't exist, create it by right-clicking the TLS 1.2 key and choosing New > Key, then name it Server. (If the TLS 1.2 key itself is missing, create it under Protocols first in the same way.)
  4. In the Server key, create two new DWORD (32-bit) values:
    • Enabled: Set its value to 1.
    • DisabledByDefault: Set its value to 0.
  5. Now navigate to the Client settings:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

  6. Repeat the same steps for the Client key (if it doesn't exist, create it), and add these two DWORD (32-bit) values:
    • Enabled: Set its value to 1.
    • DisabledByDefault: Set its value to 0.

B. Enable TLS 1.2 Using a PowerShell Script

You can automate the registry modification using PowerShell:

# Enable TLS 1.2 for Server and Client in the registry
$TLS12ServerKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
$TLS12ClientKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Create Server key if it doesn't exist
If (-Not (Test-Path $TLS12ServerKey)) { New-Item -Path $TLS12ServerKey -Force }
Set-ItemProperty -Path $TLS12ServerKey -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $TLS12ServerKey -Name "DisabledByDefault" -Value 0 -Type DWord

# Create Client key if it doesn't exist
If (-Not (Test-Path $TLS12ClientKey)) { New-Item -Path $TLS12ClientKey -Force }
Set-ItemProperty -Path $TLS12ClientKey -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $TLS12ClientKey -Name "DisabledByDefault" -Value 0 -Type DWord

2. Enable Strong Cryptography for .NET Framework

Applications built on older versions of the .NET Framework do not negotiate TLS 1.2 by default, even when the operating system supports it. The two registry values below make such applications use strong cryptography and follow the operating system's protocol defaults:

A. Manually Through Registry Editor

  1. Open the Registry Editor by pressing Win + R, typing regedit, and pressing Enter.
  2. Navigate to the following keys:
    • For 64-bit .NET Framework:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

    • For 32-bit .NET Framework (on 64-bit Windows):

      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319

  3. Create or modify the following DWORD (32-bit) values:
    • SchUseStrongCrypto: Set its value to 1.
    • SystemDefaultTlsVersions: Set its value to 1.

B. Using PowerShell Script

You can automate this registry change as well:

# Enable strong cryptography for .NET Framework
$netFrameworkKey64 = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
$netFrameworkKey32 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"

# Set for 64-bit .NET Framework (create the key if it is missing)
If (-Not (Test-Path $netFrameworkKey64)) { New-Item -Path $netFrameworkKey64 -Force }
Set-ItemProperty -Path $netFrameworkKey64 -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path $netFrameworkKey64 -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord

# Set for 32-bit .NET Framework (the WOW6432Node key only exists on 64-bit Windows)
If (-Not (Test-Path $netFrameworkKey32)) { New-Item -Path $netFrameworkKey32 -Force }
Set-ItemProperty -Path $netFrameworkKey32 -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path $netFrameworkKey32 -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord

3. Restart the Server

Schannel reads these protocol settings at startup, so after making the registry changes, restart the system to ensure they take effect.

4. Verify TLS Settings

To confirm that TLS 1.2 is enabled, you can:

  • Check the Registry: Manually verify the values in Registry Editor, or use the Get-ADSyncToolsTls12RegValue function from Microsoft's Azure AD Connect (ADSyncTools) TLS 1.2 script to report the status of the TLS settings.
  • Use PowerShell: You can also verify with these two commands:

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name Enabled, DisabledByDefault
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name Enabled, DisabledByDefault
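The two commands above fail with an error when a key or value is absent, which is exactly the case a reviewer most needs to see, because an absent value means Schannel falls back to the operating system default rather than to 0 or 1. The following audit script is an added example written for this article (not part of the original post or of Microsoft's ADSyncTools script); it walks the Client and Server keys for TLS 1.0, 1.1 and 1.2 plus both .NET Framework keys, reports missing keys explicitly, and marks each row compliant against the target state described in this article (TLS 1.2 on, TLS 1.0/1.1 off, strong crypto on). The function names are my own; it assumes Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added example: audit SCHANNEL protocol and .NET Framework strong-crypto settings.
# Function names are assumptions chosen for this example, not built-in cmdlets.

function Get-TlsRegistrySetting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # A missing key or value means Schannel uses the OS default, which differs
    # between Windows versions; report that explicitly instead of as 0 or 1.
    if (-not (Test-Path -Path $Path)) { return 'key missing (OS default)' }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value missing (OS default)' }
    return $item.$Name
}

function Get-SchannelProtocolStatus {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $path = Join-Path -Path $base -ChildPath "$protocol\$role"
            $enabled           = Get-TlsRegistrySetting -Path $path -Name 'Enabled'
            $disabledByDefault = Get-TlsRegistrySetting -Path $path -Name 'DisabledByDefault'

            # Target state: TLS 1.2 explicitly on (1/0), TLS 1.0 and 1.1 explicitly off (0/1).
            $wantEnabled = if ($protocol -eq 'TLS 1.2') { 1 } else { 0 }
            $compliant = ($enabled -eq $wantEnabled) -and ($disabledByDefault -eq (1 - $wantEnabled))

            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                Compliant         = $compliant
            }
        }
    }
}

function Get-DotNetStrongCryptoStatus {
    $paths = [ordered]@{
        'x64' = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
        'x86' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    }
    foreach ($arch in $paths.Keys) {
        $strong = Get-TlsRegistrySetting -Path $paths[$arch] -Name 'SchUseStrongCrypto'
        $sysDef = Get-TlsRegistrySetting -Path $paths[$arch] -Name 'SystemDefaultTlsVersions'
        [pscustomobject]@{
            Architecture             = $arch
            SchUseStrongCrypto       = $strong
            SystemDefaultTlsVersions = $sysDef
            Compliant                = ($strong -eq 1) -and ($sysDef -eq 1)
        }
    }
}

Get-SchannelProtocolStatus  | Format-Table -AutoSize
Get-DotNetStrongCryptoStatus | Format-Table -AutoSize
```

Rows that read "key missing (OS default)" are the ones to pay attention to: the protocol is neither enforced on nor enforced off, so the effective behaviour depends on the Windows version and patch level rather than on anything you configured.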

Additional Notes:

  • TLS 1.0 and TLS 1.1: It is recommended to disable TLS 1.0 and TLS 1.1 as these versions are considered insecure. You can disable them by navigating to their respective registry keys (TLS 1.0 and TLS 1.1) and setting Enabled to 0 and DisabledByDefault to 1.
  • Windows Updates: Ensure that the system is fully updated, as some older versions of Windows require additional updates to fully support TLS 1.2.
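Disabling TLS 1.0 and 1.1 is a change that can break older clients and integrations, so it is worth taking a registry backup and previewing the change before applying it. The script below is an added example written for this article (not part of the original post); it exports the SCHANNEL Protocols subtree with reg.exe, then sets Enabled=0 and DisabledByDefault=1 for both the Client and Server keys of each legacy protocol, as the note above describes. The function name and the backup directory under ProgramData are my own choices; it assumes an elevated Windows PowerShell session.

```powershell
# Added example: back up the SCHANNEL Protocols key, then explicitly disable
# TLS 1.0 and TLS 1.1 for Client and Server. Function name and backup path are
# assumptions chosen for this example.

function Disable-LegacyTlsProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $Protocol = @('TLS 1.0', 'TLS 1.1'),
        [string]   $BackupDirectory = "$env:ProgramData\TlsHardening"   # assumed location
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    # Export the current Protocols subtree first so the change can be reverted
    # with 'reg import <file>' if a dependent application stops connecting.
    # Skipped under -WhatIf, where nothing is modified anyway.
    $backupFile = $null
    if (-not $WhatIfPreference) {
        if (-not (Test-Path -Path $BackupDirectory)) {
            New-Item -Path $BackupDirectory -ItemType Directory -Force | Out-Null
        }
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backupFile = Join-Path -Path $BackupDirectory -ChildPath "SCHANNEL-Protocols-$stamp.reg"
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; aborting without making changes.' }
    }

    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $path = Join-Path -Path $base -ChildPath "$p\$role"
            if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=0, DisabledByDefault=1')) {
                # New-Item -Force also creates the intermediate protocol key if it is missing.
                if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
                # Enabled=0 switches the protocol off; DisabledByDefault=1 additionally
                # stops applications that request the system defaults from negotiating it.
                Set-ItemProperty -Path $path -Name 'Enabled'           -Value 0 -Type DWord
                Set-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 1 -Type DWord
            }
        }
    }

    if ($backupFile) {
        Write-Output "Backup written to $backupFile. Restart the system for Schannel to pick up the change."
    }
}

# Preview what would change, then apply it.
Disable-LegacyTlsProtocol -WhatIf
Disable-LegacyTlsProtocol
```

Run the -WhatIf pass first on a representative machine and check the audit output after the reboot; if something downstream breaks, `reg import` of the exported file restores the previous state.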

By following the above steps, you will have TLS 1.2 enabled for both the client and server side on Windows.

Junaid Ahmed

Junaid Ahmed is an enthusiastic Cybersecurity Manager and Azure Architect with a strong focus on cloud security, identity management, and passwordless adoption. He is passionate about helping organizations simplify their security approach, strengthen trust in the cloud, and embrace innovative technologies that drive both resilience and growth.