TLS (Transport Layer Security) 1.0 has been labelled as insecure for a few years now, unfortunately in most environments it’s still not disabled. Now days there are very few services that require it as 1.2 has long been it’s successor. In this article I will show you a quick guide on how to disable it in your environment using a GPO.
I will not cover how to create a GPO and were to apply it. This article is a quick guide for Windows Server Engineers that should already have a basic understanding of how to do that.
In short, create a new GPO using Group Policy manager, edit it and apply the following under Computer Configration >Preferences > Windows Settings > Registry.
Once applied to your server environment this will create and update existing the registry keys needed to disable TLS 1.0 and 1.1. A reboot for the server is required for this change to take affect.
Note: it is possible for this change to break services in your environment so proceed with caution.
If a service is found not to work after the change you can update the GPO key actions to Delete to remove the change or as a quick test on a single server you can run the following.
Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\' -Recurse
Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\' -Recurse
Note: that once the GPO re-applies the key will be re added if you use this quick test method.
Additional References:
– https://docs.microsoft.com/en-us/security/engineering/solving-tls1-problem
– https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-10
– https://www.petenetlive.com/KB/Article/0001675
Cant see the screenshot very well. Can you post it as text?
Hi Jon,
Try this link – https://philpug.com/wp-content/uploads/2021/12/image-4.png
Does the Order matter?
I don’t believe it should, no.
You shouldn’t need the “Create” entries in your Preferences object. “Update” will create the object if it’s not there already.
It’s not needed but advised if you’re not 100% if other policies have updated those Dwords in the past. Also, helpful if someone changes the Dwords on the server they will be revered back to the company standard.
No, not needed and not advised. There is nothing “Create” does that “Updates” doesn’t also do. There is no scenario where these create entries are needed. They are purely a waste of time, both for the admin setting them up, and the GPO engine to process.