Muokkaa

Jaa


TLS 1.0 and TLS 1.1 deprecation in Windows

The internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1 due to several security issues. Starting with Windows 11 Insiders Preview and Windows Server Insiders Preview releases in 2024, they will be disabled by default. This change applies to both client and server devices but won't impact in-market Operating System versions.

TLS 1.0 and TLS 1.1 have already been disabled by Microsoft 365 products as well as WinHTTP and WinINet API surfaces. Most newer versions of applications support TLS 1.2 or higher protocol versions. Therefore, if an application starts failing after this change, the first step is to look for a newer version of the application that has TLS 1.2 or TLS 1.3 support.

To learn more about this deprecation, see RFC 8996.

Re-enabling TLS 1.0 and 1.1

Caution

Directly editing the registry isn't recommended unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC). If you must edit the registry, use extreme caution.

The following DWORD registry values can be created to enable TLS 1.0 and 1.1 versions system-wide:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\Enabled

Setting these DWORD values to 1 enables TLS 1.0 and 1.1 for TLS clients and servers. To revert these changes, delete the above registry values.

The following Powershell script can be used to re-enable TLS 1.0 and 1.1:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 1 -Type DWord

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "Enabled" -Value 1 -Type DWord

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 1 -Type DWord

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -Value 1 -Type DWord

To learn more about TLS registry settings, see Transport Layer Security (TLS) registry settings.

Note

Support for legacy TLS versions 1.0 and 1.1 may be removed completely in the future.

Known issues

The following Windows applications rely on TLS 1.0 or TLS 1.1 and are expected to fail or lose some functionality. The provided list is not exhaustive. If other applications show issues, we recommend checking with the software vendor for an updated version.

Application Impacted Version Fixed Version
ACDSee Photo Studio 2018 2023
Adguard 6.4, 7.12 7.15
ArcGIS 10.3 11.1
Arma 3 3 3
Blio e-Reader 3.4.1 Not Available
BlueStacks 3 (蓝叠3) 5.10 5.13
BlueStacks X 0.21.0.1063 10.4.0.1034
CCB Security Client (中国建设银行E路航网银安全组件) 3.3.9.7 Not Available
CorelDRAW Graphics Suite X6 16 24.5.0.731 (2022)
Driver Support 10.1.6.14 SolveIQ
DRUKI Gofin 3.17.94.0 Not Available
ESET NOD32 Antivirus 5.0.94.0 10.0.390.0
EVault Data Protection 7.01.6125 Not Available
Jaws for Windows 2019.1903.47 2023.2307.37
K7 Enterprise Security 4.1.0.116 4.5.1.121
LANGuard 12.7 12.10
Microsoft Office 2008 Professional Accounting Express 2008 Not Available
Project Plan 365 23.8.1204.14137 23.30.1225.39313
Quick Heal Total Security 23.00 (14.1.0.10) Not Available
Safari 5.1.7 5.1.7
Splice 4.0.35686 4.3.98750
SQL Server 2012, 2014, 2016 2014, 2016 patched, see KB3135244
Turbo Tax 2011, 2012, 2014, 2015, 2016, 2017, 2018 2022
UltraViewer 6.6.37 6.6.63
UPlay 22.1 Ubisoft Connect
vWorkspace 8.6.1 Not Available
WebCompanion 11.7 12.1
Xbox One SmartGlass 2.2.1702.2004 Not Available
火萤视频桌面 (Qiffa) 5.2.5.9 Not Available

Developer guidance

Additional information for developers and enterprise administrators using Security Support Provider Interface (SSPI) can be found at TLS 1.0 and TLS 1.1 soon to be disabled in Windows