Steps to Enable TLS 1.2 on Windows

1. Modify the Registry to Enable TLS 1.2

TLS 1.2 must be enabled for both client and server components in the Windows registry. These components determine whether applications and services running on your system can use TLS 1.2.

You can apply the following steps either manually through the Registry Editor or by running a PowerShell script.

A. Enable TLS 1.2 Manually Using Registry Editor
  1. Press Win + R, type regedit, and hit Enter to open the Registry Editor.
  2. Navigate to the following registry key for the Server:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
  3. If the Server key doesn't exist, create it by right-clicking on the TLS 1.2 key and choosing New > Key, then name it Server. (If the TLS 1.2 key itself is missing, create it under Protocols first in the same way.)
  4. In the Server key, create two new DWORD (32-bit) values:
    • Enabled: Set its value to 1.
    • DisabledByDefault: Set its value to 0.
  5. Now navigate to the Client settings:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
  6. Repeat the same steps for the Client key (if it doesn't exist, create it), and add these two DWORD (32-bit) values:
    • Enabled: Set its value to 1.
    • DisabledByDefault: Set its value to 0.

B. Enable TLS 1.2 Using a PowerShell Script

You can automate the registry modification using PowerShell:

# Enable TLS 1.2 for Server and Client in the registry
$TLS12ServerKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
$TLS12ClientKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Create Server key if it doesn't exist (-Force also creates missing parent keys such as TLS 1.2)
If (-Not (Test-Path $TLS12ServerKey)) { New-Item -Path $TLS12ServerKey -Force | Out-Null }
Set-ItemProperty -Path $TLS12ServerKey -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $TLS12ServerKey -Name "DisabledByDefault" -Value 0 -Type DWord

# Create Client key if it doesn't exist
If (-Not (Test-Path $TLS12ClientKey)) { New-Item -Path $TLS12ClientKey -Force | Out-Null }
Set-ItemProperty -Path $TLS12ClientKey -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $TLS12ClientKey -Name "DisabledByDefault" -Value 0 -Type DWord

2. Enable Strong Cryptography for .NET Framework

Some applications that use the .NET Framework need to have strong cryptography enabled to support TLS 1.2. SchUseStrongCrypto makes .NET Framework 4.x applications negotiate TLS 1.2 instead of older protocols, and SystemDefaultTlsVersions tells them to follow the operating system's SCHANNEL defaults, so the settings from step 1 apply to them as well. You can configure this setting in the registry:

A. Manually Through Registry Editor
  1. Open the Registry Editor by pressing Win + R, typing regedit, and pressing Enter.
  2. Navigate to the following keys:
    • For 64-bit systems:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    • For 32-bit systems:
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
  3. Create or modify the following DWORD (32-bit) values:
    • SchUseStrongCrypto: Set its value to 1.
    • SystemDefaultTlsVersions: Set its value to 1.

B. Using PowerShell Script

You can automate this registry change as well:

# Enable strong cryptography for .NET Framework
$netFrameworkKey64 = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
$netFrameworkKey32 = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"

# Set for 64-bit .NET Framework (create the key if it doesn't exist)
If (-Not (Test-Path $netFrameworkKey64)) { New-Item -Path $netFrameworkKey64 -Force | Out-Null }
Set-ItemProperty -Path $netFrameworkKey64 -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path $netFrameworkKey64 -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord

# Set for 32-bit .NET Framework (the WOW6432Node key exists only on 64-bit Windows,
# so guard it to avoid an error on 32-bit systems)
If (Test-Path $netFrameworkKey32) {
    Set-ItemProperty -Path $netFrameworkKey32 -Name "SchUseStrongCrypto" -Value 1 -Type DWord
    Set-ItemProperty -Path $netFrameworkKey32 -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
}

3. Restart the Server

After making the registry changes, restart the system so that SCHANNEL and any running .NET applications pick up the new values; the changes do not take effect until then.

4. Verify TLS Settings

To confirm that TLS 1.2 is enabled, you can:

  • Check the Registry: Manually verify the values using Registry Editor or, if you have a script that defines the Get-ADSyncToolsTls12RegValue helper function, use it to report the status of the TLS settings.
  • Use PowerShell: You can also verify using PowerShell with these commands:

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name Enabled, DisabledByDefault
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name Enabled, DisabledByDefault
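The two Get-ItemProperty commands above fail with an error when a key or value is missing, which is exactly the case you most want to detect. The following audit script is an added example, not code from the original article: it reads every protocol and component, treats a missing key or value as "NotConfigured" (Windows then applies its built-in default), and reports the effective state rather than the raw numbers. The function names Get-TlsRegistryState and Get-DotNetStrongCryptoState are this example's own; the registry paths are the ones used in the steps above.

```powershell
# Added example (not from the original article): audit the SCHANNEL protocol keys
# and the .NET Framework strong-crypto values set in steps 1 and 2.
function Get-TlsRegistryState {
    [CmdletBinding()]
    param(
        # Protocol names must match the subkeys under SCHANNEL\Protocols
        [string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    foreach ($p in $Protocol) {
        foreach ($component in 'Client', 'Server') {
            $key = "$base\$p\$component"
            # SilentlyContinue returns $null for a missing key instead of throwing
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled           = if ($props) { $props.Enabled } else { $null }
            $disabledByDefault = if ($props) { $props.DisabledByDefault } else { $null }

            # Derive the effective state from the two values
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                'NotConfigured'        # OS default applies
            } elseif ($enabled -eq 0) {
                'Disabled'             # protocol cannot be used at all
            } elseif ($disabledByDefault -eq 1) {
                'DisabledByDefault'    # usable only if an application asks for it explicitly
            } else {
                'Enabled'
            }

            [pscustomobject]@{
                Protocol          = $p
                Component         = $component
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

function Get-DotNetStrongCryptoState {
    # Both views of the v4.0.30319 key: the native one and the WOW6432Node view
    # used by 32-bit .NET applications on 64-bit Windows
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            KeyExists                = [bool]$props
            SchUseStrongCrypto       = if ($props) { $props.SchUseStrongCrypto } else { $null }
            SystemDefaultTlsVersions = if ($props) { $props.SystemDefaultTlsVersions } else { $null }
        }
    }
}

# Usage: print both audits as tables
Get-TlsRegistryState | Format-Table -AutoSize
Get-DotNetStrongCryptoState | Format-Table -AutoSize
```

A row showing TLS 1.2 as "Enabled" for both Client and Server, together with SchUseStrongCrypto and SystemDefaultTlsVersions equal to 1, is the expected result after the steps above and a reboot; any "NotConfigured" row for TLS 1.2 means the key was not created.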

Additional Notes:

  • TLS 1.0 and TLS 1.1: It is recommended to disable TLS 1.0 and TLS 1.1, as these versions are considered insecure. You can disable them by navigating to their respective registry keys (TLS 1.0 and TLS 1.1, each with Client and Server subkeys) and setting Enabled to 0 and DisabledByDefault to 1. Verify first that no application or partner system still depends on them, since clients limited to those versions will no longer be able to connect.
  • Windows Updates: Ensure that the system is fully updated, as some older versions of Windows require additional updates to fully support TLS 1.2.
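To apply the TLS 1.0 and TLS 1.1 recommendation safely, the following function is an added example that is not part of the original article. It writes the same Enabled and DisabledByDefault values the notes describe for both Client and Server, creates missing keys, only writes values that differ from the desired state, and supports -WhatIf so the changes can be previewed before they are made on a production server. The function name Set-SchannelProtocolState is this example's own; run it from an elevated PowerShell session, and reboot afterwards as in step 3.

```powershell
# Added example (not from the original article): idempotent enable/disable of
# SCHANNEL protocols for Client and Server, with -WhatIf support.
function Set-SchannelProtocolState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]]$Protocol,                            # e.g. 'TLS 1.0', 'TLS 1.1'
        [Parameter(Mandatory)] [ValidateSet('Enable', 'Disable')] [string]$Action,
        [string[]]$Component = @('Client', 'Server')
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    # Desired DWORD values, matching the registry semantics used in the article
    $desired = if ($Action -eq 'Enable') {
        @{ Enabled = 1; DisabledByDefault = 0 }
    } else {
        @{ Enabled = 0; DisabledByDefault = 1 }
    }

    foreach ($p in $Protocol) {
        foreach ($c in $Component) {
            $key = "$base\$p\$c"

            if (-not (Test-Path $key)) {
                if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
                    # -Force creates any missing parent keys as well
                    New-Item -Path $key -Force | Out-Null
                }
            }

            foreach ($name in $desired.Keys) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
                if ($current -eq $desired[$name]) { continue }   # already compliant, nothing to do

                if ($PSCmdlet.ShouldProcess($key, "Set $name = $($desired[$name])")) {
                    # New-ItemProperty -Force creates or overwrites the DWORD in one call
                    New-ItemProperty -Path $key -Name $name -Value $desired[$name] `
                        -PropertyType DWord -Force | Out-Null
                }
            }
        }
    }
}

# Usage: preview the changes first, then apply them
Set-SchannelProtocolState -Protocol 'TLS 1.0', 'TLS 1.1' -Action Disable -WhatIf
Set-SchannelProtocolState -Protocol 'TLS 1.0', 'TLS 1.1' -Action Disable
Set-SchannelProtocolState -Protocol 'TLS 1.2' -Action Enable
```

Because the function compares before writing, it can be run repeatedly (for example from a configuration baseline job) without generating spurious registry changes, and the -WhatIf output doubles as a change record for the server.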

By following the above steps, you will have TLS 1.2 enabled for both the client and server side on Windows.

Junaid Ahmed

Junaid Ahmed is a Cloud Infrastructure and Identity Management expert with 10+ years of experience specializing in Azure Entra ID, ADFS, Hybrid Identity, and Azure Infrastructure Management. He has a proven track record of leading secure identity solutions, deploying high-value security projects, and troubleshooting complex Azure issues for global clients. Junaid excels in enhancing system performance, facilitating seamless collaboration across organizations, and delivering expert guidance on cloud migrations and infrastructure optimization. He seeks to leverage his expertise in a challenging Cloud Solution Architect role to drive success through innovative cloud solutions.