Disable TLS 1.0 using Group Policy

TLS (Transport Layer Security) 1.0 has been considered insecure for several years (RFC 8996 formally deprecated both TLS 1.0 and TLS 1.1 in 2021), yet in most environments it is still not disabled. Nowadays very few services require it, as TLS 1.2 has long been its successor. In this article I will show you a quick guide on how to disable it in your environment using a GPO.

I will not cover how to create a GPO or where to apply it. This article is a quick guide for Windows Server engineers who should already have a basic understanding of how to do that.

In short, create a new GPO in Group Policy Management, edit it, and add the registry items under Computer Configuration > Preferences > Windows Settings > Registry. The keys and DWORD values involved are the SCHANNEL protocol settings (Enabled and DisabledByDefault under the Client and Server subkeys of each protocol) documented in the Microsoft TLS registry settings reference listed below.

Once applied to your server environment this will create the SCHANNEL registry keys needed to disable TLS 1.0 and 1.1, and update them if they already exist. SCHANNEL reads these settings at startup, so a reboot of the server is required for the change to take effect.
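The same registry change, written as PowerShell so it can be staged on a single test server before the GPO is rolled out. This is an added example and not part of the original article; the key paths and the meaning of the Enabled and DisabledByDefault DWORDs follow the Microsoft TLS registry settings reference linked under Additional References, and the function names are my own.

```powershell
# Added example (not from the original article): apply the SCHANNEL protocol
# values a TLS-hardening GPO would set, directly on one server, then read them
# back so the result can be audited. Run from an elevated PowerShell session;
# SCHANNEL only picks the values up after a reboot.
#
#   Enabled           = 0  -> protocol is disabled
#   DisabledByDefault = 1  -> protocol is not offered unless an application asks for it explicitly

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Hypothetical helper name. Sets the Client and Server subkeys of one protocol.
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$side"
        # -Force creates missing parent keys and leaves existing ones untouched
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Same effect as a GPO Preferences "Update" action: create or overwrite the DWORDs
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Hypothetical helper name. Reports what is actually in the registry; a
    # missing value means the OS default for that Windows version applies.
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$p\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

# Disable the legacy protocols and make sure TLS 1.2 stays explicitly enabled,
# so a later policy that only touches 1.0/1.1 cannot leave the server with nothing to negotiate.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

Get-SchannelProtocolState | Format-Table -AutoSize
```

Running Get-SchannelProtocolState on a server after the GPO has applied (and again after the reboot) is a quick way to confirm the policy wrote what you expected, rather than trusting the GPO report alone.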

Note: this change can break services in your environment, in particular older clients or applications that can only negotiate TLS 1.0 or 1.1, so proceed with caution and test on a small group of servers first.

If a service is found not to work after the change, you can switch the GPO registry item actions to Delete to remove the keys, or, as a quick test on a single server, run the following from an elevated PowerShell session (a reboot is again required for SCHANNEL to pick up the change).

Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\' -Recurse
Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\' -Recurse

Note that once the GPO reapplies, the keys will be re-added if you use this quick-test method, so the test only holds until the next Group Policy refresh.
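Whether you have just disabled the protocols or just rolled them back, the registry only tells you what was configured; the real check is whether a TLS 1.0 or 1.1 handshake is still accepted. The following is an added example, not code from the original article: it uses the .NET SslStream class to attempt a handshake with each protocol version against a server and reports which ones the server negotiates. The host name and the function name are placeholders of my own.

```powershell
# Added example (not from the original article): probe a server for each TLS
# version and report whether the handshake is accepted or refused. Run this from
# a machine that still has TLS 1.0/1.1 enabled on the client side, otherwise the
# client, not the server, will refuse the legacy versions.

function Test-TlsProtocol {
    # Hypothetical helper name.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $client = $null
        $ssl    = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
            # Accept any certificate: we are testing protocol negotiation, not the chain.
            $validator = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validator)
            # Offer exactly one protocol version so the result is unambiguous.
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            $result = 'negotiated ' + $ssl.SslProtocol
        } catch {
            $result = 'refused (' + $_.Exception.GetBaseException().Message + ')'
        } finally {
            if ($ssl)    { $ssl.Close() }
            if ($client) { $client.Close() }
        }
        [pscustomobject]@{ Host = $ComputerName; Port = $Port; Protocol = $proto; Result = $result }
    }
}

# Placeholder host name; replace with a server the GPO has been applied to.
Test-TlsProtocol -ComputerName 'server01.example.local' | Format-Table -AutoSize
```

After the GPO and reboot, Tls and Tls11 should show as refused while Tls12 negotiates; if all three are refused, check the TLS 1.2 keys (or the client machine's own SCHANNEL settings) before assuming the server is broken.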

Additional References:

– https://docs.microsoft.com/en-us/security/engineering/solving-tls1-problem
– https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-10
– https://www.petenetlive.com/KB/Article/0001675

About the Author: Phil

7 Comments

  1. You shouldn’t need the “Create” entries in your Preferences object. “Update” will create the object if it’s not there already.

    1. It’s not needed but advised if you’re not 100% sure whether other policies have updated those DWORDs in the past. Also, it is helpful if someone changes the DWORDs on the server, as they will be reverted back to the company standard.

      1. No, not needed and not advised. There is nothing “Create” does that “Updates” doesn’t also do. There is no scenario where these create entries are needed. They are purely a waste of time, both for the admin setting them up, and the GPO engine to process.
